CCNA 200-301, Volume 2 - DHCP Snooping and ARP Inspection PDF
Uploaded by BlamelessRhodium653
York University
Summary
This document is a chapter from a CCNA 200-301 course. It covers Layer 2 security features including DHCP Snooping, Dynamic ARP inspection, and port security in detail. It also covers the fundamentals of IPv6 Neighbor Discovery protocol.
Full Transcript
CCNA 200-301, Volume 2
Chapter 8: DHCP Snooping and ARP Inspection

Objectives
▪ Configure Layer 2 security features (DHCP snooping, dynamic ARP inspection, and port security)

DHCP Snooping
▪ Acts like a firewall or an ACL in many ways
▪ Watches for incoming messages on either all ports or some ports
▪ Looks for DHCP messages and ignores all non-DHCP messages
▪ DHCP snooping logic: allow the message or discard the message
▪ Acts off the concept of trusted and untrusted ports for determining which DHCP messages are allowed

Figures in this chapter (slide titles only; the figure contents did not survive in the transcript):
▪ DHCP Snooping Basics: Client Ports are Untrusted
▪ DHCP Attack Supplies Good IP Address but Wrong Default Gateway
▪ Unfortunate Result: DHCP Attack Leads to Man-in-the-Middle
▪ Summary of Rules for DHCP Snooping
▪ DHCP Snooping Checks chaddr and Ethernet Source MAC
▪ Legitimate DHCP Client with DHCP Binding Entry Built by DHCP Snooping
▪ DHCP Snooping Defeats a DHCP RELEASE from Another Port
▪ Sample Network Used in DHCP Snooping Configuration Examples
▪ DHCP Snooping Configuration to Match Previous Graphic
▪ SW2 DHCP Snooping Status
▪ Configuring DHCP Snooping Message Rate Limits
▪ Confirming DHCP Snooping Rate Limits
▪ Legitimate ARP Tables After PC1 DHCP and ARP with Router R2
▪ A Detailed Look at ARP Request and Reply
▪ Nefarious Use of ARP Reply Causes Incorrect ARP Data on R2
▪ Man-in-the-Middle Attack Resulting from Gratuitous ARP
▪ DAI Filtering ARP Based on DHCP Snooping Binding Table
▪ DAI Filtering Checks for Source MAC Addresses
▪ Sample Network Used in ARP Inspection Configuration Examples
▪ IP ARP Inspection Configuration to Match Previous Graphic
▪ IP DHCP Snooping Configuration Added to Support DAI
▪ SW2 IP ARP Inspection Status
▪ Sample Results from an ARP Attack
▪ Configuring ARP Inspection Message Rate Limits
▪ Confirming ARP Inspection Rate Limits
▪ Configuring Optional DAI Message Checks

Chapter 10: ICMPv6 Neighbor Discovery
For more information please check out the Cisco Press book and video series: IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6, and IPv6 Fundamentals LiveLessons: A
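The slide titles above summarize the DHCP snooping and DAI rules (trusted versus untrusted ports, the chaddr/source-MAC check, the binding table built from ACKs, and rejecting a RELEASE or an ARP that does not match the binding). The Python model below is added here and is not from the CCNA material or Cisco IOS; it applies those rules to constructed frames, and the port names, MAC addresses and 10.1.1.0/24 addresses are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# DHCP message types sent by servers; on an untrusted port these are always dropped
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class DhcpMsg:
    port: str          # switch port the frame arrived on
    src_mac: str       # Ethernet source MAC of the frame
    kind: str          # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    chaddr: str        # client hardware address field inside the DHCP message
    ciaddr: str = ""   # client IP address (filled in by RELEASE/DECLINE)
    yiaddr: str = ""   # "your" IP address (filled in by OFFER/ACK)


@dataclass(frozen=True)
class ArpMsg:
    port: str
    src_mac: str       # Ethernet source MAC of the frame
    sender_mac: str    # ARP sender hardware address
    sender_ip: str     # ARP sender protocol address


class SnoopingSwitch:
    """Toy model of one switch running DHCP snooping plus DAI (not Cisco IOS code)."""

    def __init__(self, trusted_ports, dai_check_src_mac: bool = True):
        self.trusted = set(trusted_ports)
        self.bindings: Dict[str, Tuple[str, str]] = {}   # IP -> (MAC, client port)
        self._pending: Dict[str, str] = {}               # chaddr -> untrusted port awaiting ACK
        self.dai_check_src_mac = dai_check_src_mac       # optional DAI source-MAC check

    def dhcp_filter(self, m: DhcpMsg) -> Tuple[bool, str]:
        """Allow or discard one DHCP message; updates the binding table as a side effect."""
        trusted = m.port in self.trusted
        if m.kind in SERVER_MSGS:
            if not trusted:
                return False, "server message on untrusted port"
            if m.kind == "ACK" and m.chaddr in self._pending:
                # Lease confirmed: record IP, MAC and the port the client lives on
                self.bindings[m.yiaddr] = (m.chaddr, self._pending.pop(m.chaddr))
            return True, "server message on trusted port"
        if trusted:
            return True, "client message on trusted port"
        if m.chaddr != m.src_mac:
            return False, "chaddr does not match Ethernet source MAC"
        if m.kind in ("DISCOVER", "REQUEST"):
            self._pending[m.chaddr] = m.port
            return True, "client message, chaddr matches source MAC"
        # RELEASE / DECLINE: IP, MAC and port must all match the existing binding
        if self.bindings.get(m.ciaddr) != (m.chaddr, m.port):
            return False, f"{m.kind} does not match binding table entry"
        del self.bindings[m.ciaddr]
        return True, f"{m.kind} matches binding table entry"

    def arp_filter(self, a: ArpMsg) -> Tuple[bool, str]:
        """DAI: ARP on untrusted ports must agree with the DHCP snooping binding table."""
        if a.port in self.trusted:
            return True, "ARP on trusted port"
        if self.dai_check_src_mac and a.sender_mac != a.src_mac:
            return False, "ARP sender MAC does not match Ethernet source MAC"
        if self.bindings.get(a.sender_ip) != (a.sender_mac, a.port):
            return False, "ARP sender IP/MAC/port not in binding table"
        return True, "ARP matches binding table"


# Constructed MACs: PC1 on Gi1/0/1, PC2 on Gi1/0/2, DHCP server behind trusted Gi1/0/24
PC1, PC2, SRV = "0200.1111.1111", "0200.2222.2222", "0200.aaaa.aaaa"


def run_scenario():
    """Constructed scenario: PC1 leases 10.1.1.11, then frames from PC2's port try to
    release that lease and to claim that IP in ARP. Returns the allow/drop verdicts."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})
    events = [
        ("dhcp", DhcpMsg("Gi1/0/1", PC1, "DISCOVER", chaddr=PC1)),
        ("dhcp", DhcpMsg("Gi1/0/2", PC2, "OFFER", chaddr=PC1, yiaddr="10.1.1.99")),  # server msg on client port
        ("dhcp", DhcpMsg("Gi1/0/24", SRV, "OFFER", chaddr=PC1, yiaddr="10.1.1.11")),
        ("dhcp", DhcpMsg("Gi1/0/1", PC1, "REQUEST", chaddr=PC1)),
        ("dhcp", DhcpMsg("Gi1/0/24", SRV, "ACK", chaddr=PC1, yiaddr="10.1.1.11")),
        ("dhcp", DhcpMsg("Gi1/0/2", PC1, "RELEASE", chaddr=PC1, ciaddr="10.1.1.11")),  # RELEASE from another port
        ("arp", ArpMsg("Gi1/0/2", PC2, sender_mac=PC2, sender_ip="10.1.1.11")),        # ARP claiming PC1's IP
        ("arp", ArpMsg("Gi1/0/1", PC1, sender_mac=PC1, sender_ip="10.1.1.11")),
    ]
    verdicts = []
    for proto, msg in events:
        ok, why = sw.dhcp_filter(msg) if proto == "dhcp" else sw.arp_filter(msg)
        verdicts.append(ok)
        kind = msg.kind if proto == "dhcp" else "ARP"
        print(f"{'ALLOW' if ok else 'DROP ':5} {msg.port:8} {kind:8} {why}")
    return verdicts, dict(sw.bindings)


if __name__ == "__main__":
    run_scenario()
```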
Straightforward Approach to Understanding IPv6 (both by Rick Graziani; ISBN-10: 1-58714-313-5 and ISBN-10: 1-58720-457-6)

10.1: Introducing ICMPv6 Neighbor Discovery

ICMPv6 Neighbor Discovery Protocol
ICMPv6 Neighbor Discovery defines 5 different packet types:
▪ Router Solicitation Message and Router Advertisement Message: router-device messaging, used with dynamic address allocation
▪ Neighbor Solicitation Message and Neighbor Advertisement Message: device-device messaging, used with address resolution (IPv4 ARP)
▪ Redirect Message: router-to-device messaging, similar to the ICMPv4 redirect message
See these processes with: R1# debug ipv6 nd

ICMPv6 Redirect (figure: R1 and R2 on IPv6 Network A with host PCA; PCB on IPv6 Network B; destination Network X)
▪ Similar functionality as ICMPv4. Like IPv4, a router informs an originating host of the IP address of a router that is on the local link and is closer to the destination.
▪ Unlike IPv4, a router informs an originating host that the destination host (on a different prefix/network) is on the same link as itself.

10.2: Router Solicitation and Router Advertisement Messages

Dynamic Address Allocation in IPv4 (figure: host and DHCPv4 server)
1. I need IPv4 addressing information.
2. Here is everything you need.

Dynamic Address Allocation in IPv6 (figure: host, router configured with Router(config)# ipv6 unicast-routing, and a DHCPv6 server that might not be needed)
▪ Host, to all IPv6 routers: I need IPv6 address information. (ICMPv6 Router Solicitation)
▪ Router, to all IPv6 devices: Let me tell you how to do this … (ICMPv6 Router Advertisement)
  1. SLAAC (Stateless Address Autoconfiguration)
  2. SLAAC with Stateless DHCPv6
  3. Stateful DHCPv6

RA Message Options (the ICMPv6 Router Advertisement signals option 1, 2, or 3 through the Other Configuration ("O") flag and the Managed Configuration ("M") flag)
▪ Option 1: SLAAC – No DHCPv6 (default on Cisco routers): O = 0, M = 0
▪ Option 2: SLAAC + Stateless DHCPv6 for DNS address: O = 1, M = 0
▪ Option 3: All addressing except default gateway use DHCPv6: O = 0, M = 1
Configuring flags is discussed in Lesson 8.
Option 3 and the "A" Flag (figure: a Windows host on G0/1 receives an ICMPv6 RA with M flag = 1 and A flag = 1 or 0, and uses the DHCPv6 server; the host says "As a Windows host I will still use the RA prefix to create temporary (SLAAC) addresses")
▪ Option 3: All addressing except default gateway use DHCPv6, with Managed Address Configuration ("M") flag = 1 and Autoconfiguration ("A") flag = 1 (default): prefix in RA can be used for SLAAC: Yes
▪ Option 3: All addressing except default gateway use DHCPv6, with M flag = 1 and A flag = 0: prefix in RA can be used for SLAAC: No
▪ The autonomous address configuration (A) flag tells hosts that they can create an address for themselves by combining the prefix in the RA with an interface identifier.
Configuring flags is discussed in Lesson 8.

Router Solicitation / Router Advertisement (figure: R1 with link-local FE80::1 and MAC 00-03-6b-e9-d4-80 on 2001:DB8:CAFE:1::/64; PC1 with link-local FE80::50A5:8A35:A5BB:66E1 and MAC 00-21-9b-d9-c6-44)
1. Router Solicitation (RS, ICMPv6 Router Solicitation): sent when a device needs IPv6 addressing information. To: FF02::2 (All-IPv6 Routers). From: FE80::50A5:8A35:A5BB:66E1.
2. Router Advertisement (RA, ICMPv6 Router Advertisement): sent every 200 seconds or in response to an RS. To: FF02::1 (All-IPv6 devices). From: FE80::1 (link-local address).

Analyzing the Router Solicitation Message
Ethernet II, Src: 00:21:9b:d9:c6:44, Dst: 33:33:00:00:00:02  (Ethernet multicast MAC address – maps to "all IPv6 routers")
Internet Protocol Version 6
  0110 ....
  = Version: 6  [Traffic class and Flowlabel not shown]
  Payload length: 16
  Next header: ICMPv6 (0x3a)  (next header is an ICMPv6 header)
  Hop limit: 255
  Source: fe80::50a5:8a35:a5bb:66e1  (link-local address of PC1)
  Destination: ff02::2  (All-IPv6-routers multicast address)
Internet Control Message Protocol v6
  Type: 133 (Router solicitation)  (Router Solicitation message)
  Code: 0
  Checksum: 0x3277 [correct]
  ICMPv6 Option (Source link-layer address)
    Type: Source link-layer address (1)
    Length: 8
    Link-layer address: 00:21:9b:d9:c6:44  (MAC address of PC1, but the RA is sent as all-IPv6-host multicast)
Router Solicitation Message

Analyzing the Router Advertisement Message
R1(config)# ipv6 unicast-routing   (makes R1 an IPv6 router)
R1# show ipv6 interface gigabitethernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  Global unicast address(es):
    2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
  Joined group address(es):
    FF02::1
    FF02::2   (All-routers multicast group)
    FF02::1:FF00:1
  MTU is 1500 bytes
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.   (M & O flags = 0)

Analyzing the Router Advertisement Message
Ethernet II, Src: 00:03:6b:e9:d4:80, Dst: 33:33:00:00:00:01  (Ethernet multicast MAC address – maps to "All-IPv6 devices")
Internet Protocol Version 6
  0110 .... = Version: 6
  .... 1110 0000 .... = Traffic class: 0x000000e0
  .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
  Payload length: 64
  Next header: ICMPv6 (0x3a)  (Next Header is an ICMPv6 header)
  Hop limit: 255
  Source: fe80::1  (link-local address of R1; added to hosts' Default Router List and is the address they will use as their default gateway)
  Destination: ff02::1  (All-IPv6 devices multicast)
(Continued next slide)
Internet Control Message Protocol v6
  Type: 134 (Router advertisement)  (Router Advertisement)
  Code: 0
  Cur hop limit: 64  (recommended Hop Limit value for hosts)
  Flags: 0x00  (M and O flags indicate that no information is available via DHCPv6)
  ICMPv6 Option (Source link-layer address)
    Type: Source link-layer address (1)
    Length: 8
    Link-layer address: 00:03:6b:e9:d4:80  (Router R1's MAC address)
  ICMPv6 Option (MTU)
    Type: MTU (5)
    Length: 8
    MTU: 1500  (MTU of the link)
  ICMPv6 Option (Prefix information)
    Type: Prefix information (3)
    Length: 32
    Prefix Length: 64  (prefix length (/64) to be used for autoconfiguration)
    Prefix: 2001:db8:cafe:1::  (prefix of this network to be used for autoconfiguration)
Router Advertisement Message

10.3: Neighbor Solicitation and Neighbor Advertisement Messages

Address Resolution: IPv4 and IPv6 (figure)
IPv4: ARP over Ethernet (Ethernet | ARP Request/Reply); the ARP Request is a broadcast
  1. PC1 (ARP cache): "I know the IPv4, what is the MAC?"  (ARP Request)
  2. PC2: "My IPv4! Here is the MAC."  (ARP Reply)
IPv6:
  1. PC1 (neighbor cache): "I know the IPv6, what is the MAC?"  (Neighbor Solicitation)
  2. PC2: "My IPv6! Here is the MAC."  (Neighbor Advertisement)
IPv6: ICMPv6 over IPv6 over Ethernet (Ethernet | IPv6 Header | ICMPv6: Neighbor Solicitation/Advertisement); the NS is a multicast to the solicited-node multicast address

Neighbor Solicitation and Neighbor Advertisement (figure: PC1 2001:DB8:CAFE:1::100/64, MAC 00-21-9B-D9-C6-44; PC2 2001:DB8:CAFE:1::200/64, MAC 00-1B-24-04-A2-1E, solicited-node multicast FF02::1:FF00:200)
Figure steps 1–5: PC1> ping 2001:DB8:CAFE:1::200; PC1 neighbor cache; Neighbor Solicitation (NS: multicast, to the solicited-node multicast address; Ethernet | IPv6 Header | ICMPv6); Neighbor Advertisement (NA: unicast)

Neighbor Solicitation (figure: same PC1 and PC2 as above; PC1 neighbor cache; PC1: "I know the IPv6, but what is the MAC?")
PC1 NS
Ethernet II, Src: 00:21:9b:d9:c6:44, Dst: 33:33:ff:00:02:00  (mapped multicast address for PC2)
Internet Protocol Version 6
  0110 .... = Version: 6
  .... 0000 0000 .... = Traffic class: 0x00000000
  .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
  Payload length: 32
  Next header: ICMPv6 (0x3a)  (next header is an ICMPv6 header)
  Hop limit: 255
  Source: 2001:db8:cafe:1::100  (global unicast address of PC1)
  Destination: ff02::1:ff00:200  (solicited-node multicast address of PC2)
Internet Control Message Protocol v6  (Neighbor Solicitation message)
  Type: 135 (Neighbor solicitation)
  Code: 0
  Checksum: 0xbbab [correct]
  Reserved: 0  (should always be zero)
  Target: 2001:db8:cafe:1::200  (target IPv6 address needing a MAC address; if two devices have the same solicited-node address, this resolves the issue)
  ICMPv6 Option (Source link-layer address)
    Type: Source link-layer address (1)
    Length: 8
    Link-layer address: 00:21:9b:d9:c6:44  (MAC address of the sender, PC1)

Neighbor Advertisement (figure: PC1 2001:DB8:CAFE:1::100/64, MAC 00-21-9B-D9-C6-44, with neighbor cache; PC2 2001:DB8:CAFE:1::200/64, MAC 00-1B-24-04-A2-1E, solicited-node multicast FF02::1:FF00:200; PC2: "It's my IPv6 and here is my MAC")
PC2 NA
Ethernet II, Src: 00:1b:24:04:a2:1e, Dst: 00:21:9b:d9:c6:44  (unicast MAC address of PC1)
Internet Protocol Version 6
  0110 .... = Version: 6
  .... 0000 0000 .... = Traffic class: 0x00000000
  .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
  Payload length: 32
  Next header: ICMPv6 (0x3a)  (next header is an ICMPv6 header)
  Hop limit: 255
  Source: 2001:db8:cafe:1::200  (global unicast address of PC2)
  Destination: 2001:db8:cafe:1::100  (global unicast address of PC1)
Internet Control Message Protocol v6  (Neighbor Advertisement message)
  Type: 136 (Neighbor advertisement)
  Code: 0
  Checksum: 0x1b4d [correct]
  Flags: 0x60000000
  Target: 2001:db8:cafe:1::200  (IPv6 address of the sender, PC2)
  ICMPv6 Option (Target link-layer address)
    Type: Target link-layer address (2)
    Length: 8
    Link-layer address: 00:1b:24:04:a2:1e  (MAC address of the sender, PC2)

ICMPv6 Duplicate Address Detection (DAD) (figure: PC2 with global unicast 2001:DB8:CAFE:1::200 and link-local FE80::1111:2222:3333:4444 sends a Neighbor Solicitation; hopefully no Neighbor Advertisement comes back)
See the process with: R1# debug ipv6 nd
▪ Duplicate Address Detection (DAD) is used to guarantee that an IPv6 unicast address is unique on the link.
▪ A device will send a Neighbor Solicitation for its own unicast address (static or dynamic).
▪ After a period of time, if a NA is not received, then the address is deemed unique.
▪ Once required, the RFC was updated to where it is only recommended – a /64 Interface ID makes duplicates unlikely!

10.4: Neighbor Cache

Neighbor Cache (figure: Neighbor Solicitation and Neighbor Advertisement; PC1 neighbor cache entry: IPv6 Address 2001:DB8:ACAD:1::10, MAC Address 0021.9bd9.c644; "IPv6 – 2001:DB8:ACAD:1::10 ? MAC – 0021.9bd9.c644")
▪ Neighbor Cache – maps IPv6 addresses with Ethernet MAC addresses. Similar to the ARP cache for IPv4.
▪ 5 states (2 noticeable and 3 transitory):
  – Reachable: packets have recently been received providing confirmation that this device is reachable.
  – Stale: a certain time period has elapsed since a packet has been received from this address.
  – Transitory states: INCOMPLETE, DELAY, PROBE

Neighbor Cache
R1# show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
FE80::50A5:8A35:A5BB:66E1                  16 0021.9bd9.c644  STALE Fa0/0
2001:DB8:AAAA:1::100                       16 0021.9bd9.c644  STALE Fa0/0
R1# ping 2001:db8:aaaa:1::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:AAAA:1::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1# show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
FE80::50A5:8A35:A5BB:66E1                  16 0021.9bd9.c644  STALE Fa0/0
2001:DB8:AAAA:1::100                        0 0021.9bd9.c644  REACH Fa0/0
R1#

Neighbor Cache FSM (Neighbor Cache, the "ARP Cache"; see the process with: R1# debug ipv6 nd)
States in the figure: No Entry Exists; Incomplete (resolution pending); Reachable; Stale (requires resolution again); Delay; Probe (re-resolution in progress)
Transitions in the figure:
▪ No Entry Exists –> Incomplete: Neighbor Solicitation (NS) sent
▪ Incomplete –> No Entry Exists: 3 NS sent with no NA returned
▪ Incomplete –> Reachable: NA received
▪ Reachable –> Stale: Reachable Time exceeded (default 30 sec), or unsolicited NA received
▪ Stale – no action required
▪ Stale –> Delay: packet sent
▪ Delay –> Reachable: packet returned (TCP increasing ACK)
▪ Delay –> Probe: 5 sec
▪ Probe –> Reachable: NS sent and NA received
▪ Probe –> No Entry Exists: 3 NS sent with no NA returned

Neighbor Cache
R1# debug ipv6 nd
ICMP Neighbor Discovery events debugging is on
R1# ping 2001:db8:aaaa:1::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:AAAA:1::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
*Oct 16 01:41:51.575: ICMPv6-ND: (GigabitEthernet0/1,2001:DB8:AAAA:1::100) Resolution request
*Oct 16 01:41:51.575: ICMPv6-ND: Created ND Entry Chunk pool
*Oct 16 01:41:51.575: ICMPv6-ND: (GigabitEthernet0/1,2001:DB8:AAAA:1::100) DELETE -> INCMP
*Oct 16 01:41:51.575: ICMPv6-ND: (GigabitEthernet0/1,2001:DB8:AAAA:1::100) Sending NS
*Oct 16 01:41:51.575: ICMPv6-ND: (GigabitEthernet0/1,2001:DB8:AAAA:1::100) Queued data for resolution
*Oct 16 01:41:51.579: ICMPv6-ND: (GigabitEthernet0/1,2001:DB8:AAAA:1::100) Received NA from 2001:DB8:AAAA:1::100
*Oct 16 01:41:51.579: ICMPv6-ND: Validating ND packet options: valid
*Oct 16 01:41:51.579: ICMPv6-ND: (GigabitEthernet0/1,2001:DB8:AAAA:1::100) LLA c471.fe7d.9c29
*Oct 16 01:41:51.579: ICMPv6-ND: (GigabitEthernet0/1,2001:DB8:AAAA:1::100) INCMP -> REACH
*Oct 16 01:42:21.639: ICMPv6-ND: (GigabitEthernet0/1,2001:DB8:AAAA:1::100) REACH -> STALE
R1#

CCNA 200-301, Volume I
Chapter 18: Troubleshooting IPv4 Routing

Objectives
▪ Configure and verify IPv4 addressing and subnetting
▪ Configure and verify IPv4 and IPv6 static routing

Ping
The ping command tests connectivity by sending packets to an IP address, expecting the device at that address to send packets back. The command sends packets that mean "if you receive this packet, and it is addressed to you, send a reply back." Each time the ping command sends one of these packets and receives the message sent back by the other host, the ping command knows a packet made it from the source host to the destination and back.
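Going back to the NS/NA dissections in the Neighbor Discovery slides above: the following Python is added here and is not part of the slides. It computes the solicited-node multicast address and the 33:33 Ethernet MAC that the dissections show (ff02::1:ff00:200 and 33:33:ff:00:02:00 for PC2), builds the NS and NA header fields, and shows why the Target field matters when two addresses share a solicited-node group; the host 2001:db8:cafe:9::200 is a constructed extra address, not one from the slides.

```python
import ipaddress


def solicited_node_multicast(unicast: str) -> str:
    """Solicited-node group for a unicast address: FF02::1:FFxx:xxxx, where
    xx:xxxx are the low 24 bits of the unicast address (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))


def multicast_mac(mcast: str) -> str:
    """Ethernet multicast MAC for an IPv6 multicast address: 33:33 + low 32 bits."""
    low32 = int(ipaddress.IPv6Address(mcast)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def build_ns(target: str, src_ip: str = None, src_mac: str = None) -> dict:
    """Header fields of a Neighbor Solicitation, as the slide dissections show them.
    With no src_ip this is a DAD probe: unspecified source (::) and no SLLA option."""
    dst_ip = solicited_node_multicast(target)
    ns = {
        "eth_dst": multicast_mac(dst_ip),
        "ip6_src": str(ipaddress.IPv6Address(src_ip)) if src_ip else "::",
        "ip6_dst": dst_ip,
        "hop_limit": 255,            # ND packets are sent with hop limit 255
        "icmp6_type": 135,
        "target": str(ipaddress.IPv6Address(target)),
    }
    if src_ip:
        ns["eth_src"] = src_mac
        ns["opt_slla"] = src_mac     # Source link-layer address option (type 1)
    return ns


def answers_ns(host_addrs, ns: dict) -> bool:
    """Would a host owning these unicast addresses send an NA for this NS?
    It receives the NS only if it joined the destination solicited-node group, and
    replies only if Target is one of its own addresses: two hosts whose addresses
    share the low 24 bits share the group, and the Target field disambiguates."""
    my_groups = {solicited_node_multicast(a) for a in host_addrs}
    if ns["ip6_dst"] not in my_groups:
        return False
    return ns["target"] in {str(ipaddress.IPv6Address(a)) for a in host_addrs}


def build_na(ns: dict, target_mac: str) -> dict:
    """NA answering an NS: unicast back to the NS source with the TLLA option (type 2).
    A DAD probe has source ::, so the NA goes to all-nodes (ff02::1) instead."""
    dad = ns["ip6_src"] == "::"
    ip6_dst = "ff02::1" if dad else ns["ip6_src"]
    return {
        "eth_dst": multicast_mac(ip6_dst) if dad else ns["eth_src"],
        "ip6_src": ns["target"],
        "ip6_dst": ip6_dst,
        "icmp6_type": 136,
        "target": ns["target"],
        "opt_tlla": target_mac,      # Target link-layer address option
    }


if __name__ == "__main__":
    # Addresses and MACs from the slide dissection: PC1 resolves PC2
    ns = build_ns("2001:db8:cafe:1::200", "2001:db8:cafe:1::100", "00:21:9b:d9:c6:44")
    print(ns)                                        # eth_dst 33:33:ff:00:02:00, ip6_dst ff02::1:ff00:200
    print(answers_ns(["2001:db8:cafe:1::200"], ns))  # True: PC2 owns the Target
    print(answers_ns(["2001:db8:cafe:9::200"], ns))  # False: same group, different Target
    print(build_na(ns, "00:1b:24:04:a2:1e"))
```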
Figures (slide titles only): Sample Output of ping command; Router R2 Pings Host B (Two Commands): standard ping 172.6.2.101 command, and using the source interface IP address; Layer 3 Routes Needed for R1's ping 172.16.2.101 to Work; Locations Where IP ACLs Could Have Filtered the Ping Messages; Router and Host ARP Tables, with the Switch MAC Address Table; Extended Ping Command

Extended Ping Command
The extended ping command does allow the user to type all the parameters on a potentially long command, but it also allows users to simply issue the ping command, press Enter, with IOS then asking the user to answer questions to complete the command, as shown in this example.

Testing LAN Neighbors with Standard Ping
If the ping works, it confirms the following, which rules out some potential issues:
▪ The host with address 172.16.1.51 replied.
▪ The LAN can pass unicast frames from R1 to host 172.16.1.51 and vice versa.
▪ You can reasonably assume that the switches learned the MAC addresses of the router and the host, adding those to the MAC address tables.
▪ Host A and Router R1 completed the ARP process and list each other in their respective Address Resolution Protocol (ARP) tables.
If the ping fails, it can point to a variety of problems such as:
▪ IP addressing problem
▪ DHCP problems
▪ VLAN trunking problems
▪ LAN problems

Testing LAN Neighbors with Extended Ping (figure)

Testing WAN Neighbors with Standard Ping
A successful ping of the IP address on the other end of an Ethernet WAN link that sits between two routers confirms several specific facts, such as the following:
▪ Both routers' WAN interfaces are in an up/up state.
▪ The Layer 1 and 2 features of the link work.
▪ The routers believe that the neighboring router's IP address is in the same subnet.
▪ Inbound ACLs on both routers do not filter the incoming packets, respectively.
▪ The remote router is configured with the expected IP address (172.16.4.2 in this case).
DNS Name Resolution by Host A (figure)

Problem Isolation Using the traceroute Command
Like ping, the traceroute command helps network engineers isolate problems. Here is a comparison of the two:
▪ Both send messages in the network to test connectivity.
▪ Both rely on other devices to send back a reply.
▪ Both have wide support on many different operating systems.
▪ Both can use a hostname or an IP address to identify the destination.
▪ On routers, both have a standard and extended version, allowing better testing of the reverse route.

IP Addresses Identified by a Successful traceroute 172.16.2.101 Command (figure)

How traceroute Identifies the First Router in the Route
The traceroute command sends several TTL=1 packets, checking them to see whether the TTL Exceeded messages flow from the same router, based on the source IP address of the TTL Exceeded message. Assuming the messages come from the same router, the traceroute command lists that IP address as the next line of output on the command.

TTL=2 Message Sent by traceroute
To find all the routers in the path, and finally confirm that packets flow all the way to the destination host, the traceroute command sends a small set of packets with TTL=1, then a small set with TTL=2, then 3, 4, and so on, until the destination host replies.

Figures (slide titles only): Standard traceroute Command on R1; Extended traceroute Command on R1; Telnet Works from PC1 to R1 but Not to R2 or R3; Successive Telnet Connections: PC1 to R1, R1 to R2, and R2 to R3; Telnet from R1 to R2 to View Interface Status on R2; SSH Client from R1 to R2 to View Interface Status on R2

VLSM and CIDR
Routing Protocols and Concepts – Chapter 6, Version 4.0
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Public

Objectives
▪ Compare and contrast classful and classless IP addressing.
▪ Review VLSM and explain the benefits of classless IP addressing.
▪ Describe the role of the Classless Inter-Domain Routing (CIDR) standard in making efficient use of scarce IPv4 addresses.
Introduction
▪ Prior to 1981, IP addresses used only the first 8 bits to specify the network portion of the address
▪ In 1981, RFC 791 modified the IPv4 32-bit address to allow for three different classes
▪ IP address space was depleting rapidly
  – The Internet Engineering Task Force (IETF) introduced Classless Inter-Domain Routing (CIDR)
  – CIDR uses Variable Length Subnet Masking (VLSM) to help conserve address space
  – VLSM is simply subnetting a subnet

Classful and Classless IP Addressing
▪ Classful IP addressing
▪ As of January 2007, there are over 433 million hosts on the internet
▪ Initiatives to conserve IPv4 address space include:
  – VLSM & CIDR notation (1993, RFC 1519)
  – Network Address Translation (1994, RFC 1631)
  – Private Addressing (1996, RFC 1918)

Classful and Classless IP Addressing
▪ The High Order Bits – these are the leftmost bits in a 32-bit address

Classful and Classless IP Addressing
▪ Classes of IP addresses are identified by the decimal number of the 1st octet
  – Class A addresses begin with a 0 bit. Range of class A addresses = 0.0.0.0 to 127.255.255.255
  – Class B addresses begin with a 1 bit and a 0 bit. Range of class B addresses = 128.0.0.0 to 191.255.255.255
  – Class C addresses begin with two 1 bits & a 0 bit. Range of class C addresses = 192.0.0.0 to 223.255.255.255

Classful and Classless IP Addressing
▪ The IPv4 Classful Addressing Structure (RFC 790)
  – An IP address has 2 parts:
    The network portion – found on the left side of an IP address
    The host portion – found on the right side of an IP address

Classful and Classless IP Addressing (figure)
Classful and Classless IP Addressing
▪ Purpose of a subnet mask – it is used to determine the network portion of an IP address

Classful and Classless IP Addressing
▪ Classful Routing Updates
  – Recall that classful routing protocols (i.e. RIPv1) do not send subnet masks in their routing updates
  – The reason is that the subnet mask is directly related to the network address

Classful and Classless IP Addressing
▪ Classless Inter-domain Routing (CIDR – RFC 1517)
  – Advantages of CIDR: more efficient use of IPv4 address space; route summarization
  – Requires the subnet mask to be included in routing updates because the address class is meaningless
  – Recall the purpose of a subnet mask: to determine the network and host portion of an IP address

Classful and Classless IP Addressing
▪ Classless IP Addressing
▪ CIDR & Route Summarization
  – Variable Length Subnet Masking (VLSM) – allows a subnet to be further sub-netted according to individual needs
  – Prefix Aggregation a.k.a. Route Summarization – CIDR allows for routes to be summarized as a single route

Classful and Classless IP Addressing
▪ Classless Routing Protocol
▪ Characteristics of classless routing protocols:
  – Routing updates include the subnet mask
  – Supports VLSM
  – Supports Route Summarization

Classful and Classless IP Addressing
▪ Classless Routing Protocol
  Routing Protocol | Routing updates include subnet mask | Supports VLSM | Ability to send supernet routes
  Classful         | No                                  | No            | No
  Classless        | Yes                                 | Yes           | Yes
VLSM
▪ Classful routing – only allows for one subnet mask for all networks
▪ VLSM & Classless routing
  – This is the process of subnetting a subnet
  – More than one subnet mask can be used
  – More efficient use of IP addresses as compared to classful IP addressing

VLSM
▪ VLSM – the process of sub-netting a subnet to fit your needs
▪ Example:
  – Subnet 10.1.0.0/16, 8 more bits are borrowed again, to create 256 subnets with a /24 mask.
  – Mask allows for 254 host addresses per subnet
  – Subnets range from: 10.1.0.0/24 to 10.1.255.0/24

Classless Inter-Domain Routing (CIDR)
▪ Route summarization done by CIDR
  – Routes are summarized with masks that are less than that of the default classful mask
  – Example: 172.16.0.0/13 is the summarized route for the 172.16.0.0/16 to 172.23.0.0/16 classful networks

Classless Inter-Domain Routing (CIDR)
▪ Steps to calculate a route summary
  – List networks in binary format
  – Count the number of left-most matching bits to determine the summary route's mask
  – Copy the matching bits and add zero bits to determine the summarized network address

Summary
▪ Classful IP addressing
  – IPv4 addresses have 2 parts: the network portion, found on the left side of an IP address, and the host portion, found on the right side of an IP address
  – Class A, B, & C addresses were designed to provide IP addresses for different sized organizations
  – The class of an IP address is determined by the decimal value found in the 1st octet
  – IP addresses are running out, so Classless Inter-Domain Routing (CIDR) and Variable Length Subnet Mask (VLSM) are used to try and conserve address space
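The three summarization steps above, implemented as an added Python example (not from the Cisco course material): it reproduces the slide's 172.16.0.0/13 summary and the 10.1.0.0/16 VLSM example, and also shows that adding a ninth network (172.24.0.0/16, constructed) pushes the summary out to /12, which is how a summary route ends up advertising address space that is not actually behind the router.

```python
import ipaddress


def ip_class(addr: str) -> str:
    """Classful class from the high-order bits of the first octet (A: 0, B: 10, C: 110)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    return "D/E"


def summarize(networks) -> str:
    """The slide's three steps: write each network in binary, count the left-most
    bits they all share, keep those bits and pad with zeros."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    bits = [format(int(n.network_address), "032b") for n in nets]   # step 1
    common = 0                                                        # step 2
    for column in zip(*bits):
        if len(set(column)) != 1:
            break
        common += 1
    # a summary can never be more specific than its shortest member prefix
    common = min(common, min(n.prefixlen for n in nets))
    summary_bits = bits[0][:common].ljust(32, "0")                    # step 3
    return f"{ipaddress.IPv4Address(int(summary_bits, 2))}/{common}"


def covers_all(summary: str, networks) -> bool:
    """Sanity check: every member network must fall inside the summary route."""
    s = ipaddress.IPv4Network(summary)
    return all(ipaddress.IPv4Network(n).subnet_of(s) for n in networks)


def vlsm_split(network: str, new_prefix: int):
    """Subnetting a subnet: (subnet count, usable hosts per subnet, first, last)."""
    subs = list(ipaddress.IPv4Network(network).subnets(new_prefix=new_prefix))
    hosts = 2 ** (32 - new_prefix) - 2      # minus the network and broadcast addresses
    return len(subs), hosts, str(subs[0]), str(subs[-1])


if __name__ == "__main__":
    classful = [f"172.{i}.0.0/16" for i in range(16, 24)]   # 172.16.0.0/16 .. 172.23.0.0/16
    print(summarize(classful), covers_all(summarize(classful), classful))  # 172.16.0.0/13 True
    print(summarize(classful + ["172.24.0.0/16"]))            # 172.16.0.0/12: one more network widens the mask
    print(vlsm_split("10.1.0.0/16", 24))                      # (256, 254, '10.1.0.0/24', '10.1.255.0/24')
    print(ip_class("172.16.0.0"), ip_class("10.1.0.0"), ip_class("192.168.1.0"))
```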
Summary
▪ Classful Routing Updates
  – Subnet masks are not sent in routing updates
▪ Classless IP addressing
  – Benefit of classless IP addressing: can create additional network addresses using a subnet mask that fits your needs
  – Uses Classless Interdomain Routing (CIDR)

Summary
▪ CIDR
  – Uses IP addresses more efficiently through use of VLSM (VLSM is the process of subnetting a subnet)
  – Allows for route summarization (route summarization is representing multiple contiguous routes with a single route)
▪ Classless Routing Updates
  – Subnet masks are included in updates

Chapter 9: Multiarea OSPF
CCNA Routing and Switching, Scaling Networks v6.0
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Chapter 9 - Sections & Objectives
▪ 9.1 Multiarea OSPF Operation
  Explain how multiarea OSPF operates in a small to medium-sized business network.
  Explain why multiarea OSPF is used.
  Explain how multiarea OSPFv2 uses link-state advertisements.
  Explain how multiarea OSPF establishes neighbor adjacencies.
▪ 9.2 Implement Multiarea OSPF
  Implement multiarea OSPFv2 and OSPFv3.
  Configure multiarea OSPFv2 and OSPFv3 in a routed network.
  Verify multiarea OSPFv2 and OSPFv3 operation.

9.1 Multiarea OSPF Operation

Why Multiarea OSPF? Single-Area OSPF
▪ Issues in a large single-area OSPF:
  Large routing table
  Large link-state database (LSDB)
  Frequent SPF algorithm calculations
▪ To make OSPF more efficient and scalable, OSPF supports hierarchical routing using areas.

Why Multiarea OSPF? Multiarea OSPF
▪ Multiarea OSPF:
  Large OSPF area is divided into smaller areas.
  Reduces processing and memory overhead.
  Requires a hierarchical network design. The main area is the backbone area (area 0) and all other areas connect to it.
▪ Advantages of Multiarea OSPF:
  Smaller routing tables - fewer routing table entries as network addresses can be summarized between areas.
  Reduced link-state update overhead.
  Reduced frequency of SPF calculations.

Why Multiarea OSPF? OSPF Two-Layer Area Hierarchy
▪ Multiarea OSPF is implemented in a two-layer area hierarchy.
▪ Backbone (Transit) area - an OSPF area whose primary function is the fast and efficient movement of IP packets:
  Interconnects with other OSPF area types.
  Also called OSPF area 0.
▪ Regular (nonbackbone) area - connects users and resources:
  Usually set up along functional or geographical groupings.
  All traffic from other areas must cross a transit area.

Why Multiarea OSPF? Types of OSPF Routers
▪ There are four different types of OSPF routers:
  Internal router – a router that has all of its interfaces in the same area.
  Backbone router - a router in the backbone area. The backbone area is set to area 0.
  Area Border Router (ABR) – a router that has interfaces attached to multiple areas.
  Autonomous System Boundary Router (ASBR) – a router that has at least one interface attached to an external internetwork.
▪ A router can be classified as more than one router type.

Multiarea OSPF LSA Operation: OSPF LSA Types
▪ LSAs individually act as database records and provide specific OSPF network details.
▪ LSAs in combination describe the entire topology of an OSPF network or area.
▪ Any implementation of multiarea OSPF must support the first five LSAs.
Multiarea OSPF LSA Operation: OSPF LSA Type 1
▪ Routers advertise their directly connected OSPF-enabled links in a type 1 LSA.
▪ Type 1 LSAs are also referred to as router link entries.
▪ Type 1 LSAs are flooded only within the area in which they originated.
▪ ABRs advertise the networks learned from the type 1 LSAs to other areas as type 3 LSAs.
▪ The type 1 LSA link ID is identified by the router ID of the originating router.

Multiarea OSPF LSA Operation: OSPF LSA Type 2
▪ Type 2 LSAs have the following characteristics:
  Only found on multiaccess and nonbroadcast multiaccess (NBMA) networks
  Contain the router ID and IP address of the DR, along with the router ID of all other routers on the multiaccess segment
  Give other routers information about multiaccess networks within the same area
  Not forwarded outside of an area
  Also referred to as network link entries
  Link-state ID is the DR router ID

Multiarea OSPF LSA Operation: OSPF LSA Type 3
▪ Type 3 LSAs have the following characteristics:
  They are used by ABRs to advertise networks from other areas.
  The ABR creates a type 3 LSA for each of its learned OSPF networks.
  ABRs flood type 3 LSAs from one area to other areas.
  To reduce the impact of flooding in a large OSPF deployment, configuration of manual route summarization on the ABR is recommended.
  The link-state ID is set to the network address.

Multiarea OSPF LSA Operation: OSPF LSA Type 4
▪ Type 4 LSAs have the following characteristics:
  They identify an ASBR and provide a route to it.
  They are generated by an ABR only when an ASBR exists within an area.
  They are flooded to other areas by ABRs.
  The link-state ID is set to the ASBR router ID.
Multiarea OSPF LSA Operation: OSPF LSA Type 5
▪ Type 5 LSAs have the following characteristics:
  They advertise external routes, also referred to as external LSA entries.
  They are originated by the ASBR and flooded to the entire routing domain.
  The link-state ID is the external network number.

OSPF Routing Table and Types of Routes: OSPF Routing Table Entries
▪ OSPF routes in an IPv4 routing table are identified using the following descriptors:
  O - The routing table reflects the link-state information with a designation of O, meaning that the route is intra-area.
  O IA - Summary LSAs appear in the routing table as IA (interarea routes).
  O E1 or O E2 - External LSAs appear in the routing table marked as external type 1 (E1) or external type 2 (E2) routes.

OSPF Routing Table and Types of Routes: OSPF Route Calculation
▪ The order in which the best paths are calculated is as follows:
  All routers calculate the best path or paths to destinations within their area (intra-area). These are the type 1 and type 2 LSAs – O.
  All routers calculate the best path or paths to the other areas within the internetwork. Type 3 LSAs - O IA.
  All routers calculate the best path or paths to the external autonomous system (type 5) destinations - O E1 or O E2.

9.2 Configuring Multiarea OSPF

Configuring Multiarea OSPF: Implementing Multiarea OSPF
▪ There are 4 steps to implementing multiarea OSPF:
  Step 1. Gather the network requirements and parameters
  Step 2. Define the OSPF parameters: single area or multiarea OSPF? IP addressing plan; OSPF areas; network topology
  Step 3. Configure the multiarea OSPF implementation based on the parameters.
  Step 4.
Verify the multiarea OSPF implementation © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17 Configuring Multiarea OSPF Configuring Multiarea OSPFv2 ▪ There are no special commands to implement multiarea OSPFv2. ▪ A router becomes an ABR when it has two network statements in different areas. ▪ R1 is an ABR because it has interfaces in area 1 and an interface in area 0. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18 Configuring Multiarea OSPF Configuring Multiarea OSPFv3 ▪ There are no special commands required to implement multiarea OSPFv3. ▪ A router becomes an ABR when it has two interfaces in different areas. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19 Verifying Multiarea OSPF Verifying Multiarea OSPFv2 ▪ Commands to verify multiarea OSPFv2 show ip ospf neighbor show ip ospf show ip ospf interface Show ip protocols show ip ospf interface brief show ip route ospf show ip ospf database Note: For the equivalent OSPFv3 command, simply substitute ipv6 for ip. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20 Verifying Multiarea OSPF Verify General Multiarea OSPFv2 Settings ▪ Use the show ip protocols command to verify the OSPFv2 status. Lists routing protocols configured on router, number of areas, router ID and networks included in routing protocol. ▪ Use the show ip ospf interface brief command to display OSPFv2-related information for OSPFv2-enabled interfaces. Lists the OSPFv2 process ID, area that the interfaces are in, and interface cost. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21 Verifying Multiarea OSPF Verify the OSPFv2 Routes ▪ Use the show ip route ospf command to verify the muliarea OSPFv2 configuration.. O represents OSPFv2 routes and IA represents interarea, which means that the route originated from another area. © 2016 Cisco and/or its affiliates. All rights reserved. 
Cisco Confidential 22 Verifying Multiarea OSPF Verify the Multiarea OSPFv2 LSDB ▪ Use the show ip ospf database command to verify the contents of the OSPFv2 LSDB. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23 Verifying Multiarea OSPF Verify Multiarea OSPFv3 ▪ Use the show ipv6 protocols command to verifyOSPFv3. ▪ Use the show ipv6 interface brief to verify the OSPFv3- enabled interfaces and the area to which they belong. ▪ Use show ipv6 route ospf to display the routing table. ▪ Use show ipv6 ospf database to display the contents of the LSDB. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24 9.3 Chapter Summary © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25 Conclusion Chapter 9: Multiarea OSPF ▪ Explain how multiarea OSPF operates in a small to medium-sized business network. ▪ Implement multiarea OSPFv2 and OSPFv3. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26 Chapter 3: STP CCNA Routing and Switching Scaling Networks v6.0 Chapter 3 - Sections & Objectives ▪ 3.1 Spanning Tree Concepts Build a simple switched network with redundant links. Explain common problems in a redundant, switched network. Build a simple, switched network using STP. ▪ 3.2 Varieties of Spanning Tree Protocols Explain how different varieties of spanning tree protocols operate. Describe the different spanning tree varieties. Explain how PVST+ operates. Explain how Rapid PVST+ operates. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 Chapter 3 - Sections & Objectives (Cont.) ▪ 3.3 Spanning Tree Configuration Implement PVST+ and Rapid PVST+ in a switched LAN environment. Configure PVST+ in a switched LAN environment. Configure Rapid PVST+ in a switched LAN environment. Analyze common STP configuration issues. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3 3.1 STP Operation © 2016 Cisco and/or its affiliates. 
Spanning Tree: Redundancy at OSI Layers 1 and 2
▪ Switched networks commonly have redundant paths and even redundant links between the same two devices.
  - Redundant paths eliminate a single point of failure in order to improve reliability and availability.
  - Redundant paths can cause physical and logical Layer 2 loops.
▪ Spanning Tree Protocol (STP) is a Layer 2 protocol that prevents loops when there are redundant links.
▪ Layer 2 loop issues:
  - MAC database instability: copies of the same frame are received on different ports, so the switch keeps rewriting the source's MAC table entry.
  - Broadcast storms: broadcasts are flooded endlessly, causing network disruption.
  - Multiple frame transmission: multiple copies of unicast frames are delivered to the same destination.

Issues with Layer 1 Redundancy: MAC Database Instability
▪ Ethernet frames do not have a time to live (TTL) field like the Layer 3 IP header has. Ethernet therefore has no mechanism to drop frames that propagate endlessly, which can result in MAC database instability.
  1. PC1 sends a broadcast frame to S2.
  2. S2 updates its MAC address table with PC1's MAC address on port 11.
  3. S2 forwards the frame out all ports except the port the frame came in on. S1 and S3 receive the frame on a trunk and update their own MAC address tables to show that PC1 is reachable through that trunk port.
  4. S1 and S3 send the frame out all ports except the port it came in on.
  5. When S1 sends the frame out port 2 (Trunk 3), S3 updates its MAC address table to reflect that PC1 is now reachable through port 1.
▪ A host caught in a network loop is not accessible to other hosts. Because of the constant changes in their MAC address tables, switches S1 and S3 do not know which port to forward frames out of.

Issues with Layer 1 Redundancy: Broadcast Storms
▪ Broadcast storm: so many broadcast frames circulate in a Layer 2 loop that they use all available bandwidth and make the network unreachable for legitimate traffic.
  - Causes a denial of service (DoS).
  - Can develop in seconds and bring the network down.

Issues with Layer 1 Redundancy: Duplicate Unicast Frames
▪ An unknown unicast frame is one whose destination MAC address is not in the switch's MAC address table, so the switch floods the frame out all ports except the port the frame was received on (the ingress port).
▪ Unknown unicast frames sent onto a looped network can result in duplicate frames arriving at the destination device.
  1. PC1 sends a frame destined for PC4.
  2. S2 does not have PC4's MAC address in its MAC address table, so it forwards the frame out all ports, including the trunks that lead to S1 and S3. S1 sends the frame to PC4. S3 also sends a copy of the frame over to S1, which delivers the same frame again to PC4.

Packet Tracer – Examining a Redundant Design

STP Operation: Spanning Tree Algorithm: Introduction
▪ The Spanning Tree Protocol (STP) creates one logical path through the switched network to all destinations by blocking the redundant paths that could cause a loop.
▪ STP sends bridge protocol data units (BPDUs) between Layer 2 devices in order to build that one logical path.
▪ A port on S2 is blocked, so traffic can flow only one way between any two devices.
▪ When Trunk1 fails, the blocked port on S2 is unblocked and traffic can flow between S2 and S3.
Spanning Tree Algorithm: Port Roles
▪ Root bridge: the one Layer 2 device in the switched network toward which all other switches calculate their paths.
▪ Root port: the one port on a non-root switch that has the lowest cost to reach the root bridge.
▪ Designated port: selected on a per-segment (each link) basis, based on the cost to get back to the root bridge from either side of the link.
▪ Alternate port (RSTP only): backup for the root port in case of failure; blocked during normal operation of the root port.
▪ Backup port (RSTP only): backup for the designated port.

Spanning Tree Algorithm: Root Bridge Operations
▪ The lowest bridge ID (BID) becomes the root bridge.
  - Originally the BID had two fields: bridge priority and MAC address.
  - The default bridge priority is 32,768 (it can be changed).
  - If the bridge priority is not changed, the lowest MAC address determines the root bridge.
▪ Cisco PVST+ runs a separate election per VLAN.

Spanning Tree Algorithm: Root Path Cost
▪ Root path cost is used to determine the role of a port and whether or not traffic is blocked on it.
▪ It can be modified with the spanning-tree cost interface command.

Port Role Decisions for RSTP
▪ S1 is the root bridge.
▪ Which switch (S3 or S2) has the lowest BID? After S3 and S2 exchange BPDUs, STP determines that the F0/2 port on S2 becomes the designated port and the S3 F0/2 port becomes the alternate port and goes into the blocking state, so there is only one path through the switched network.

Determine Designated and Alternate Ports
▪ Remember that port roles are based on path cost back to the root bridge.

802.1D BPDU Frame
Field            Description
Protocol ID      Type of protocol being used; set to 0
Version          Protocol version; set to 0
Message type     Type of message; set to 0
Flags            Topology change (TC) bit signals a topology change; topology change acknowledgment (TCA) bit is used when a configuration message with the TC bit set has been received
Root ID          Root bridge information
Root path cost   Cost of the path from the switch sending the configuration message to the root bridge
Bridge ID        Priority, extended system ID, and MAC address of the bridge sending the message
Port ID          ID of the port from which the BPDU was sent
Message age      Amount of time since the root bridge sent the configuration message
Max age          Time after which the current configuration message is discarded
Hello time       Time interval between each BPDU sent on a port
Forward delay    Time the bridges should wait before moving a port to a new state

802.1D BPDU Propagation and Process
1. When a switch is powered on, it assumes it is the root bridge until BPDUs are exchanged and STP calculations are performed. S2 sends out BPDUs.
2. S3 compares its root ID with the BPDU from S2. S2's BID is lower, so S3 updates its root ID.
3. S1 receives the same information from S2, and because S1 has a lower BID, it ignores the information from S2.
4. S3 sends BPDUs out all ports indicating that S2 is the root bridge.
5. S2 compares the information from S3, and S2 still thinks it is the root bridge.
6. S1 gets the same information from S3 (that S2 is the root bridge), but because S1 has a lower BID, it ignores the information in the BPDU.
7. S1 now sends BPDUs out all ports. The BPDU contains information designating S1 as the root bridge.
8. S3 compares the information from S1 and sees that the BID from S1 is lower than its stored root bridge information, which currently shows S2 as the root bridge. S3 changes its root ID to the information received from S1.
9. S2 compares the information from S1 and sees that the BID from S1 is lower than its own BID. S2 updates its own information to show S1 as the root bridge.
▪ Remember that after the root bridge has been determined, the other port roles can be determined, because those roles are based on total path cost back to the root bridge.

Extended System ID
▪ Remember: the lowest BID becomes root.
▪ If priorities are all set to the default, the lowest MAC address is the determining factor in the lowest BID.
▪ The priority value can be modified to influence the root bridge election.

Video Demonstration – Observing Spanning Tree Protocol Operation
Building a Switched Network with Redundant Links

3.2 Types of Spanning Tree Protocols
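As an added example (not code from the Cisco course material), the following Python simulates the election and port-role decisions just described for one VLAN: the BID is priority plus extended system ID (the VLAN number) followed by the MAC address, the lowest BID becomes root, each non-root switch picks as its root port the one receiving the best BPDU (lowest root path cost, then sender BID, then sender port ID, then its own port ID), and each segment's designated port is the side advertising the lowest (root path cost, BID, port ID); every remaining port is alternate (blocking). The three-switch triangle, the MAC addresses and the 100 Mb/s port costs are constructed; port priority is assumed to be the default 128 on every port, so port IDs compare by port number alone.

```python
"""Added example (not from the Cisco course material): 802.1D / PVST+ root bridge
election and port-role computation for one VLAN.  Topology below is constructed."""
import heapq
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768  # Catalyst default bridge priority


@dataclass(frozen=True)
class Link:
    a: str        # switch at one end
    a_port: int   # its port number (port priority assumed default 128 everywhere)
    b: str
    b_port: int
    cost: int     # 802.1D short cost: 1000 Mb/s = 4, 100 Mb/s = 19, 10 Mb/s = 100


def bridge_id(priority, vlan, mac):
    """PVST+ BID: priority + extended system ID (the VLAN number), then the MAC.
    Tuples compare lexicographically, so a lower priority or lower MAC wins."""
    return (priority + vlan, mac.lower())


def with_priority(switches, name, vlan, priority):
    """Copy of `switches` with `spanning-tree vlan <vlan> priority <priority>` applied."""
    copy = {n: {"mac": s["mac"], "priority": dict(s.get("priority", {}))}
            for n, s in switches.items()}
    copy[name]["priority"][vlan] = priority
    return copy


def compute_stp(switches, links, vlan=1):
    """switches: {name: {"mac": str, "priority": {vlan: int}}} (priority optional).
    Returns (root, root_path_cost, roles); roles[(switch, port)] is
    'root', 'designated' or 'alternate' (alternate = blocking)."""
    bids = {n: bridge_id(s.get("priority", {}).get(vlan, DEFAULT_PRIORITY), vlan, s["mac"])
            for n, s in switches.items()}
    root = min(bids, key=bids.get)                      # step 1: lowest BID is root

    adj = {n: [] for n in switches}                     # (neighbor, my_port, nbr_port, cost)
    for l in links:
        adj[l.a].append((l.b, l.a_port, l.b_port, l.cost))
        adj[l.b].append((l.a, l.b_port, l.a_port, l.cost))

    # step 2: root path cost = lowest total link cost back to the root (Dijkstra)
    cost = {n: float("inf") for n in switches}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for nbr, _, _, lc in adj[n]:
            if c + lc < cost[nbr]:
                cost[nbr] = c + lc
                heapq.heappush(heap, (c + lc, nbr))

    roles = {}
    # step 3: root port = the port on which the best BPDU arrives:
    # lowest (root path cost, sender BID, sender port ID, receiver port ID)
    for n in switches:
        if n == root:
            continue
        best = min((cost[nbr] + lc, bids[nbr], nbr_port, my_port)
                   for nbr, my_port, nbr_port, lc in adj[n])
        roles[(n, best[3])] = "root"

    # step 4: one designated port per segment: the side advertising the lowest
    # (root path cost, BID, port ID).  The other side blocks unless it is a root port.
    for l in links:
        side_a = (cost[l.a], bids[l.a], l.a_port)
        side_b = (cost[l.b], bids[l.b], l.b_port)
        if side_a < side_b:
            des, other = (l.a, l.a_port), (l.b, l.b_port)
        else:
            des, other = (l.b, l.b_port), (l.a, l.a_port)
        roles[des] = "designated"
        roles.setdefault(other, "alternate")
    return root, cost, roles


# Constructed triangle matching the slide: S1 root, S2/S3 tie on the S2-S3 link.
SWITCHES = {"S1": {"mac": "000a.0000.0001"},
            "S2": {"mac": "000a.0000.0002"},
            "S3": {"mac": "000a.0000.0003"}}
LINKS = [Link("S1", 1, "S2", 1, 19),   # S1 Fa0/1 <-> S2 Fa0/1
         Link("S1", 2, "S3", 1, 19),   # S1 Fa0/2 <-> S3 Fa0/1
         Link("S2", 2, "S3", 2, 19)]   # S2 Fa0/2 <-> S3 Fa0/2

if __name__ == "__main__":
    for sw in (SWITCHES, with_priority(SWITCHES, "S3", 1, 24576)):
        root, cost, roles = compute_stp(sw, LINKS, vlan=1)
        print("root:", root, "root path costs:", cost)
        for (s, p), r in sorted(roles.items()):
            print(f"  {s} port {p}: {r}")
```

With default priorities S1 wins on MAC address, S2 and S3 both sit at cost 19, and the S2-S3 segment is decided by BID: S2's Fa0/2 is designated and S3's Fa0/2 is alternate, exactly the outcome the slide describes. Lowering S3's priority for VLAN 1 to 24576 makes S3 the root and moves the blocked port to S2, which is the effect of spanning-tree vlan 1 priority 24576 (or root primary) and also why a rogue switch advertising a low priority can redirect traffic.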
Varieties of Spanning Tree Protocols

Types of Spanning Tree Protocols
STP Type        Description
802.1D-1998     Original STP standard
CST             Common spanning tree: one spanning-tree instance for all VLANs
PVST+           Cisco update to 802.1D; each VLAN has its own spanning-tree instance
802.1D-2004     Updated bridging and STP standard
802.1w (RSTP)   Improves convergence by adding new port roles and enhancing the BPDU exchange
Rapid PVST+     Cisco enhancement of RSTP using PVST+ (one RSTP instance per VLAN)
802.1s (MSTP)   Multiple VLANs can be mapped to the same spanning-tree instance

Characteristics of Spanning Tree Protocols
STP Type      Standard   Resources Needed   Convergence   Tree Calculation
STP           802.1D     Low                Slow          All VLANs
PVST+         Cisco      High               Slow          Per VLAN
RSTP          802.1w     Medium             Fast          All VLANs
Rapid PVST+   Cisco      Very high          Fast          Per VLAN
MSTP          802.1s     Medium or high     Fast          Per instance

Overview of PVST+
▪ The original 802.1D defines a common spanning tree:
  - One spanning tree instance for the switched network, no matter how many VLANs.
  - No load sharing: one uplink must block for all VLANs.
  - Low CPU utilization, because only one instance of STP is calculated.
▪ Cisco PVST+: each VLAN has its own spanning tree instance.
  - One port can be blocking for one VLAN and forwarding for another VLAN.
  - Can load balance across uplinks.
  - Can stress the CPU if a large number of VLANs are used.

Port States and PVST+ Operation
Operation allowed                                          Blocking   Listening   Learning   Forwarding   Disabled
Can receive/process BPDUs                                  Yes        Yes         Yes        Yes          No
Can forward data frames received on an interface           No         No          No         Yes          No
Can forward data frames switched from another interface    No         No          No         Yes          No
Can learn MAC addresses                                    No         No          Yes        Yes          No

Extended System ID and PVST+ Operation
▪ Remember that the BID is a unique ID. The extended system ID field ensures each switch has a unique BID for each VLAN.
▪ The VLAN number is added to the priority value.
  - Example: the VLAN 2 priority is 32770 (the default value of 32768 plus the VLAN number 2 equals 32770).
  - The priority can be modified to influence the root bridge decision process.
▪ Reasons to select a particular switch as the root bridge:
  - The switch is positioned such that most traffic patterns flow toward it.
  - The switch has more processing power (a better CPU).
  - The switch is easier to access and manage remotely.

Overview of Rapid PVST+
▪ Rapid PVST+ speeds up STP recalculations and converges more quickly; it is the Cisco version of RSTP.
▪ Two new port types: alternate port (discarding) and backup port.
▪ An independent instance of RSTP runs for each VLAN.
▪ The Cisco PVST+ features UplinkFast and BackboneFast are not compatible with switches running RSTP; RSTP provides their fast-convergence behavior natively.

RSTP BPDUs
▪ RSTP uses type 2, version 2 BPDUs; the original 802.1D version was type 0, version 0.
▪ A switch using RSTP can interoperate with a switch running the original 802.1D version.
▪ BPDUs are used as a keepalive mechanism: three consecutive missed hello BPDUs (6 seconds at the default 2-second hello) indicate lost connectivity.

Edge Ports
▪ Has an end device connected, never another switch.
▪ Immediately transitions to the forwarding state.
▪ Functions like a port configured with Cisco PortFast.
▪ Configured with the spanning-tree portfast interface command.

Link Types
▪ Point-to-point: a port in full-duplex mode connecting one switch to another switch, or a device to a switch.
▪ Shared: a port in half-duplex mode connecting a hub to a switch.

3.3 Spanning Tree Configuration

PVST+ Configuration: Catalyst 2960 Default Configuration
Feature                                                   Default Setting
Enable state                                              Enabled on VLAN 1
Spanning-tree mode                                        PVST+ (Rapid PVST+ and MSTP are disabled)
Switch priority                                           32768
Spanning-tree port priority (configurable per interface)  128
Spanning-tree port cost (configurable per interface)      1000 Mb/s: 4; 100 Mb/s: 19; 10 Mb/s: 100
Spanning-tree VLAN port priority (configurable per VLAN)  128
Spanning-tree VLAN port cost (configurable per VLAN)      1000 Mb/s: 4; 100 Mb/s: 19; 10 Mb/s: 100
Spanning-tree timers                                      Hello time: 2 seconds; Forward-delay time: 15 seconds; Maximum-aging time: 20 seconds; Transmit hold count: 6 BPDUs

Configuring and Verifying the Bridge ID
▪ Two ways to influence the root bridge election process:
  - Use the spanning-tree vlan x root primary (or secondary) command.
  - Change the priority value with the spanning-tree vlan x priority y command (y is a multiple of 4096, because the low 12 bits hold the extended system ID).
▪ Verify the bridge ID and root bridge election with the show spanning-tree command.

PortFast and BPDU Guard
▪ PortFast is used on ports that have end devices attached.
  - Puts the port directly into the forwarding state, skipping the listening and learning states (2 x 15 s forward delay).
  - Allows DHCP to work properly, because the host does not time out waiting for the port to forward.
▪ BPDU Guard error-disables a PortFast port if a BPDU is received on it, so a switch (or a host sending BPDUs) plugged into an access port cannot join, or take over, the spanning tree.
PVST+ Load Balancing
▪ (Figure: a different switch is made root for different VLANs, using either spanning-tree vlan x root primary or spanning-tree vlan x priority, so each uplink forwards for some VLANs and blocks for others.)

Packet Tracer – Configuring PVST+

Rapid PVST+ Configuration: Spanning Tree Mode
▪ Rapid PVST+ supports RSTP on a per-VLAN basis. The default on a 2960 is PVST+.
  - The spanning-tree mode rapid-pvst global command puts a switch into Rapid PVST+ mode.
  - The spanning-tree link-type point-to-point interface command designates a particular port as a point-to-point link (no hub attached).
  - The clear spanning-tree detected-protocols privileged EXEC command forces the switch to re-detect which spanning tree version each neighbor is running; use it after migrating from PVST+ so that ports that once heard 802.1D BPDUs return to RSTP operation.

Packet Tracer – Configuring Rapid PVST+
Packet Tracer – Configuring Rapid PVST+, PortFast and BPDU Guard

STP Configuration Issues: Analyzing the STP Topology

Expected Topology Versus Actual Topology
▪ Ensure that the spanning-tree topology matches what is expected. Use show commands to verify STP, and do not forget to verify load balancing.

Overview of STP Status
▪ Use the show spanning-tree and show spanning-tree vlan x commands to verify the STP status.

Spanning Tree Failure Consequences
▪ NEVER turn STP off; doing so can make a switched network unusable. Remember that there is no TTL mechanism at Layer 2.

Repairing a Spanning Tree Problem
▪ Manually remove redundant links (physically remove the cable or, if possible, through configuration).
▪ Determine and repair the cause of the spanning tree failure.
▪ If unable to determine the problem, reinstall cables one at a time (or re-enable the ports) to locate the issue.

Switch Stacking and Chassis Aggregation: Switch Stacking Concepts
▪ Up to nine 3750 switches can be connected in a stack.
▪ One switch (the stack master) controls the operation of the stack. If this switch goes down, a new stack master is elected.
▪ The stack appears as one entity to the network and is assigned one IP address.
▪ Each switch has a unique stack member number. A priority value can be configured to determine which switch becomes stack master: the highest stack member priority value wins.
▪ The stack master holds the saved and running configuration files for the entire stack, so there is only one configuration file to manage and maintain.

Spanning Tree and Switch Stacks
▪ Each stack participates in spanning tree as a single switch (one bridge ID).
▪ Switches can be added without affecting the STP diameter (the maximum number of switches data must cross to connect between any two switches).
  - IEEE recommends a maximum diameter of 7 switches for the default STP timers (hello 2 seconds, max age 20 seconds, forward delay 15 seconds).
  - In the example, the diameter from S1-4 to S3-4 is 9 with separate switches; with stacked switches, the diameter is 3.

3.4 Chapter Summary

Conclusion: Chapter 3: STP
▪ Build a simple switched network with redundant links.
▪ Explain how different varieties of spanning tree protocols operate.
▪ Implement PVST+ and Rapid PVST+ in a switched LAN environment.

Chapter 5: Switch Configuration
CCNA Routing and Switching: Routing and Switching Essentials v6.0

Chapter 5 - Sections & Objectives
▪ 5.1 Basic Switch Configuration
  - Configure basic switch settings to meet network requirements.
  - Configure initial settings on a Cisco switch.
  - Configure switch ports to meet network requirements.
▪ 5.2 Basic Device Configuration
  - Configure a switch using security best practices in a small to medium-sized business network.
  - Configure the management virtual interface on a switch.
  - Configure the port security feature to restrict network access.

5.1 Configure a Switch with Initial Settings

Switch Boot Sequence
▪ When a switch is powered on, the boot sequence occurs:
  1. Power-on self-test (POST), a program stored in ROM, executes and checks hardware such as the CPU and RAM.
  2. The boot loader, also stored in ROM, runs and initializes the CPU registers, initializes the flash file system, and then locates and loads an IOS image.
  3. The IOS image can be defined in the BOOT environment variable. If the variable is not set, the switch searches the flash file system for an executable image file, loads it into RAM, and launches it if found.
  4. If no executable image file is found, the switch shows the switch: prompt, where a few commands are allowed in order to access operating system files in flash memory and files used to load or reload an operating system.
  5. If an IOS operating system loads, the switch interfaces are initialized and the commands stored in the startup-config file are applied. The startup-config file is stored in NVRAM.
▪ The boot system global command is used to set the BOOT environment variable.

Recovering From a System Crash
▪ The boot loader prompt can be accessed through a console connection to the switch:
  1. Cable the PC to the switch console port.
  2. Configure the terminal emulation software on the PC.
  3. Unplug the switch power cord.
  4. Reconnect the power cord and, at the same time or within 15 seconds, press and hold the Mode button on the front of the switch until the System LED turns amber briefly and then turns solid green.
▪ The boot loader command prompt is switch: (instead of Switch>). The commands available at the boot loader prompt are limited; use the help command to display them.
▪ Because this prompt gives access to the files in flash, anyone with physical access to the console port can reach them; physical access to the switch must be controlled.

Switch LED Indicators
▪ The System LED shows whether the switch has power applied.
▪ Port LED states:
  - Off: no link, or the port is shut down.
  - Green: a link is present.
  - Blinking green: data activity.
  - Alternating green and amber: link fault.
  - Amber: the port is not sending data; common for the first 30 seconds after connection or activation (the STP listening and learning states).
  - Blinking amber: the port is blocking to prevent a switching loop.

Preparing for Basic Switch Management
▪ To configure a switch for remote access, the switch must be configured with an IP address, subnet mask, and default gateway.
▪ One switch virtual interface (SVI) is used to manage the switch:
  - The switch IP address is assigned to an SVI.
  - By default the management SVI is interface VLAN 1.
  - The VLAN carrying the management SVI is commonly called the management VLAN.
▪ For security reasons, it is best practice to use a VLAN other than VLAN 1 as the management VLAN.
▪ Remember that the switch console port is on the back of the switch.

Configuring Basic Switch Management Access with IPv4
▪ Important concept: the default gateway is the router address and is used by the switch to communicate with other networks.

Configure Switch Ports: Duplex Communication
▪ Full-duplex is bidirectional communication, both directions at the same time; half-duplex is one direction at a time.
▪ Gigabit Ethernet and 10 Gb Ethernet NICs require full-duplex connections to operate.

Configure Switch Ports at the Physical Layer
▪ Some switches have the default setting of auto for both duplex and speed.
▪ Mismatched duplex and/or speed settings can cause connectivity issues.
▪ Always check duplex and speed settings using the show interfaces interface_id command.
▪ All fiber ports operate at one speed and are always full-duplex.

Auto-MDIX
▪ Some switches have the automatic medium-dependent interface crossover (auto-MDIX) feature, which allows an interface to detect the required cable connection type (straight-through or crossover) and configure the connection appropriately.
▪ Use the show controllers ethernet-controller interface_id phy command to verify the auto-MDIX setting.

Verifying Switch Port Configuration
▪ (Figure: show interfaces output, with the Layer 1 status and the Layer 2 protocol status both OK.)

Network Access Layer Issues
▪ Use the show interfaces command to detect common media issues.
▪ The first parameter refers to Layer 1, the physical layer, and indicates whether the interface is receiving a carrier detect signal.
▪ The second parameter (protocol status) refers to the data link layer and indicates whether the data link layer protocol has been configured correctly and keepalives are being received.

Troubleshooting Network Access Layer Issues

5.2 Switch Security

Secure Remote Access: SSH Operation
▪ Secure Shell (SSH) is an alternative protocol to Telnet.
  - Telnet sends the username and password, as well as all transmitted data, in plaintext, so anyone who can capture the traffic can read the credentials.
  - SSH is more secure because it provides an encrypted management connection.
  - (Figures: Wireshark capture of Telnet showing the credentials in the clear; Wireshark capture of SSH showing only encrypted payload.)
▪ A switch must have an IOS image that includes cryptographic capabilities (k9 in the IOS file name) in order to configure and use SSH.
Use the show version command to see the IOS version. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22 Secure Remote Access Commonly forgotten Configuring SSH command that is used in key generation 1. Verify SSH support. 2. Configure the IP domain name. 3. Generate RSA key pairs. 4. Configure user authentication. 5. Configure the vty lines. 6. Enable SSH version 2. Default is to accept both Telnet The login local command and SSH (transport input all) forces the use of the local database for username/ password. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23 Secure Remote Access Verifying SSH ▪ On the PC, connect to the switch using SSH. The PC is using SSH to communicate and issue commands on the switch. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24 Switch Port Security Secure Unused Ports The interface range command can be used to apply a configuration to several switch ports at one time. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25 Switch Port Security Port Security: Operation ▪ Port security limits the number of valid MAC addresses allowed to transmit data through a switch port. If a port has port security enabled and an unknown MAC address sends data, the switch presents a security violation. Default number of secure MAC addresses allowed is 1. 
▪ Methods used to configure MAC addresses within port security:
  Static secure MAC addresses – manually configured with switchport port-security mac-address mac-address
  Dynamic secure MAC addresses – dynamically learned and removed if the switch restarts
  Sticky secure MAC addresses – dynamically learned and added to the running configuration (which can later be saved to the startup-config to permanently retain the MAC addresses) with switchport port-security mac-address sticky mac-address
Note: Disabling sticky learning converts sticky MAC addresses to dynamic secure addresses and removes them from the running-config.

Switch Port Security / Port Security: Violation Modes
▪ Protect – data from unknown source MAC addresses is dropped; a security notification IS NOT presented by the switch.
▪ Restrict – data from unknown source MAC addresses is dropped; a security notification IS presented by the switch and the violation counter increments.
▪ Shutdown – (default mode) the interface becomes error-disabled and the port LED turns off. The violation counter increments. Issue the shutdown and then the no shutdown command on the interface to bring it out of the error-disabled state.

Switch Port Security / Port Security: Configuring

Switch Port Security / Port Security: Configuring (Cont.)
▪ Before configuring port-security features, place the port in access mode and use the switchport port-security interface configuration command to enable port security on an interface.

Switch Port Security / Port Security: Configuring (Cont.)
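The Configuring SSH steps, the Secure Unused Ports slide and the Port Security slides above, carried out as one worked IOS configuration on an access switch. This is an added example, not the course's own configuration; the hostname S1, the domain example.com, the admin credentials and the FastEthernet interface numbers are assumed.

```ios
! Step 1: verify SSH support; the IOS image name must include k9.
show version
configure terminal
hostname S1
! Step 2: the domain name is required before the RSA key can be generated.
ip domain-name example.com
! Step 3: generate the RSA key pair used by the SSH server.
crypto key generate rsa modulus 2048
! Step 4: local user for SSH logins (placeholder credentials).
username admin privilege 15 secret Str0ngP@ssw0rd
! Step 5: vty lines; the default transport input all would also allow Telnet.
line vty 0 15
 transport input ssh
 login local
 exit
! Step 6: SSH version 2 only.
ip ssh version 2
!
! Secure unused ports: interface range applies one configuration to many ports.
interface range FastEthernet0/11 - 24
 shutdown
 exit
!
! Port security on a user port: access mode first, then enable it.
! Maximum of 2 secure MACs instead of the default 1, learned as sticky
! addresses; shutdown is the default violation mode, shown explicitly here.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 end
! Save so the sticky addresses survive a reload.
copy running-config startup-config
!
! Verification: SSH status, secure MAC counts, and how each MAC was learned.
show ip ssh
show port-security interface FastEthernet0/1
show port-security address
show running-config | include port-security
!
! After a violation the port is err-disabled; once the cause has been
! investigated, shut and then no shut the interface to recover it.
configure terminal
interface FastEthernet0/1
 shutdown
 no shutdown
 end
```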
Switch Port Security / Port Security: Verifying
▪ Use the show port-security interface command to verify the maximum number of MAC addresses allowed on a particular port and how many of those addresses were learned dynamically using sticky.
[Figure: show port-security interface output with the Dynamic and Sticky address counts highlighted]

Switch Port Security / Port Security: Verifying (Cont.)
▪ Use the show running-config command to see learned MAC addresses added to the configuration.
▪ The show port-security address command shows how MAC addresses were learned on a particular port.

Switch Port Security / Ports in Error Disabled State
▪ Switch console messages display when a port security violation occurs. Notice that the port link status changes to down.

Switch Port Security / Ports in Error Disabled State (Cont.)
▪ Check the port status and the port security settings.
▪ Do not re-enable a port until the security threat is investigated and eliminated.
▪ Notice that you must first shut the port down and then issue the no shutdown command in order to use the particular port again after a security violation has occurred.

5.3 Chapter Summary

Conclusion / Packet Tracer - Skills Integration Challenge

Conclusion / Chapter 5: Switch Configuration
▪ Configure basic switch settings to meet network requirements.
▪ Configure a switch using security best practices in a small to medium-sized business network.
GRE Tunnel Tutorial
April 26th, 2018

GRE stands for Generic Routing Encapsulation, which is a very simple form of tunneling. With GRE we can easily create a virtual link between routers and allow them to be directly connected, even if they physically aren't. Let's have a look at the topology below:

Suppose R1 and R2 are routers at two far ends of our company. They are connected to two computers that want to communicate. Although R1 and R2 are not physically connected to each other, with a GRE tunnel they appear to be! This is great when you have multiple end points and don't care about the path between them. The routing tables of the two routers show that they are directly connected via the GRE tunnel.

How GRE Tunnel works

When the sending router decides to send a packet into the GRE tunnel, it will "wrap" the whole packet into another IP packet with two headers: one is the GRE header (4 bytes), which is used to manage the tunnel itself. The other is called the "Delivery header" (20 bytes), which includes the new source and destination IP addresses of the two virtual interfaces of the tunnel (called tunnel interfaces). This process is called encapsulation. In the example above, when R1 receives an IP packet, it wraps the whole packet with a GRE header and a delivery header. The delivery header includes a new source IP address of 63.1.27.2 (the IP address of R1's physi