Posts from ‘Switching’
Last week wrapped up the first week of our new CCIE Routing & Switching Advanced Technologies Class, where I focused on Layer 2 Technologies such as Ethernet, Frame Relay, HDLC, and PPP. Next week I will be running week 2 of the class, focusing on Layer 3 Technologies such as RIP, EIGRP, OSPF, BGP, IPv6, and Multicast.
Also we are now offering monthly subscriptions to the All Access Pass at just $159 a month! This gives you access to all of our video training, over 800 hours, plus any new videos we release in the future. This includes the new CCIE Routing & Switching Advanced Technologies Class. If you have an All Access Pass subscription or purchased the live version of the R&S ATC in the past you can attend next week’s class free of charge by contacting sales. Space is limited so if you want to attend the live version you need to contact sales ASAP.
Additionally we are migrating all of our video content to a new HTML5 based streaming solution, which will allow all of our videos to be viewed on any platform and at multiple bandwidth & quality levels. Below is a sample of last week’s class in this new format. Try the medium or low bandwidth versions on your iPhone, Android, or Windows phone, the high or medium versions on your iPad or Android tablet, and the full HD version on your laptop or desktop. When the solution is fully deployed you’ll be able to choose which format you want to view depending on your connection speed and device, plus have the option to download videos all the way up to the full HD versions.
- Low Bandwidth Sample
- Medium Bandwidth Sample
- High Bandwidth Sample
In our recent Implement Layer 2 Technologies series, we examined Q-in-Q tunneling in great detail. In this discussion, I mentioned a big caution about the Service Provider cloud with 802.1Q trunks in use for switch-to-switch trunking. This caution involved the use of an untagged native VLAN.
You see, this configuration could lead to what is known as the VLAN hopping attack. Here is how it works:
- A computer criminal at a customer site wants to send frames into a VLAN that they are not part of.
- The evil-doer double tags the frame (Q-in-Q) with the outer frame matching the native VLAN in use at the provider edge switch.
- The provider edge switch strips off the outer tag (because it matches the native VLAN) and sends this frame across the trunk.
- The next switch in the path examines the frame and reads the inner VLAN tag and forwards the frame accordingly. Yikes!
Notice the nature of this attack is unidirectional. The attacker can send traffic into the VLAN, but traffic will not return. Admittedly, this is still NOT something we want taking place!
What are solutions for the Service Provider?
- Use ISL trunks in the cloud. Yuck.
- Use a Native VLAN that is outside of the range permitted for the customer. Yuck.
- Tag the native VLAN in the cloud. Awesome.
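The third option, as a Catalyst IOS configuration for the provider edge switch. This is an added example and is not from the original post; the interface numbers, VLAN 999 as the native VLAN, and 100-199 as the customer range are assumed values. The global command `vlan dot1q tag native` makes the switch tag native VLAN frames on every 802.1Q trunk, so a double-tagged frame crossing the trunk keeps its outer tag and the next switch never sees the inner one. Moving the native VLAN outside the customer range (option 2) is kept as well, since it costs nothing once tagging is on.

```cisco
! Added example, not from the original post. Assumed: interface numbers,
! native VLAN 999, customer VLANs 100-199.
!
! Option 3: tag the native VLAN on all 802.1Q trunks on this switch.
! Must be enabled on both ends of every trunk in the cloud, or the far side
! will treat the now-tagged native frames as belonging to a different VLAN.
vlan dot1q tag native
!
! Q-in-Q tunnel ports add a second tag, so raise the system MTU by 4 bytes.
system mtu 1504
!
! Trunk toward the next provider switch
interface GigabitEthernet0/1
 description core trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Option 2 as belt and braces: native VLAN outside the customer range
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100-199,999
!
! Customer-facing tunnel port: every customer frame is wrapped in metro VLAN 100
interface FastEthernet0/10
 description customer A handoff
 switchport access vlan 100
 switchport mode dot1q-tunnel
!
! Verification: confirm native tagging is on and the trunk's native VLAN is 999
show vlan dot1q tag native
show interfaces GigabitEthernet0/1 trunk
```

After the change, `show vlan dot1q tag native` should report native VLAN tagging as enabled, and the trunk output should list native VLAN 999 rather than the default of 1.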
Catalyst switch port security is so often recommended. This is because of a couple of important points:
- There are many attacks that are simple to carry out at Layer 2
- There tends to be a gross lack of security at Layer 2
- Port Security can guard against so many different types of attacks such as MAC flooding, MAC spoofing, and rogue DHCP servers and APs, just to name a few
I find when it comes to port security, however, many students cannot seem to remember two main points:
- What in the world is Sticky Learning and how does it work?
- What is the difference between the different violation modes and how can I remember them?
Sticky learning is a convenient way to set static MAC address mappings for MAC addresses that you allow on your network. What you do is confirm that the correct devices are connected. You then turn on sticky learning and the port security feature itself, for example:
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security
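The two points above side by side, as an added Catalyst IOS example that is not from the original post. The interface numbers, VLAN 10 and the MAC address 0000.1111.2222 are assumed, constructed values. Once `sticky` is on, the addresses the port learns are written into the running configuration as secure static entries, which is why the last step is to save the configuration. The three violation modes differ only in what happens to an offending frame, so they are easiest to remember by what you will see afterwards: protect shows you nothing, restrict shows you a counter and a log, shutdown shows you an err-disabled port.

```cisco
! Added example, not from the original post. Assumed: interface numbers,
! VLAN 10, and the constructed MAC address 0000.1111.2222.
!
! Sticky learning: the first two addresses seen on the port become
! secure static entries in running-config. Verify the right hosts are
! attached before enabling it, or you will lock in the wrong addresses.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 ! shutdown is the default: port goes err-disabled, syslog and SNMP trap sent
 switchport port-security violation shutdown
!
! Same feature with one manually configured secure address and restrict mode:
! offending frames are dropped, the violation counter increments and a
! syslog/trap is generated, but the port stays up for the permitted host.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation restrict
!
! protect mode: offending frames are dropped silently, no counter, no log.
! Quietest, and therefore the hardest to troubleshoot.
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security violation protect
!
! Let a port that was shut down by a violation recover on its own after
! 5 minutes instead of needing a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Persist the sticky addresses across a reload
copy running-config startup-config
!
! Verification
show port-security
show port-security interface FastEthernet0/1
show port-security address
```

`show port-security interface FastEthernet0/1` lists the violation mode, the current and maximum secure address counts, and the Security Violation Count; only restrict and shutdown increment that counter. `show port-security address` shows the learned entries with type SecureSticky.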
Take the latest SWITCH Command Recall exam by clicking the link below. Good luck – and let us know how you scored in the comments area of this post.
Remember to read, AND TYPE, very carefully! I failed my first attempt due to just plain sloppiness.
Do you want to see how a CCIE would handle a tricky EtherChannel and 802.1X scenario in the lab exam? Subscribers to the Interactive Video Companion for Volume 2 need to log in and watch the new training modules.
These tasks provide great opportunities to analyze task interpretation, diagramming strategy, and DOC-CD utilization during the CCIE lab exam.
Enjoy your studies!
Hear ye, hear ye, VTP experts. (We are not referring to the Vandenberg Test Program, although they are very likely experts in their field as well.)
Can you predict the results of a 3 switch VTP client/server scenario?
SW1 through SW3 are connected as shown in the diagram.
Here is the initial output of show vtp status and show vlan brief on each. Note that SW1 and SW3 are servers, while SW2 is a client. We will be adding a failure to the network in just a moment.
For some time, I believed a companion post to Understanding MSTP was required in order to completely cover all aspects of MSTP. The post should discuss the convergence mechanisms employed in RSTP, which is part of the MSTP implementation. When I originally started that blog post, it appeared that it would be beneficial to cover STP convergence mechanics beforehand. Word by word, the tutorial evolved into a document of over 30 pages. In addition, many readers have been asking for PDF versions of my blog posts, so I finally decided to make the new one entirely in PDF. You may find the link below:
The blog post discusses many aspects affecting the STP and RSTP convergence processes and outlines some problems found in RSTP. Unlike many previous posts, this one is entirely theoretical and does not feature any hands-on configuration sections. However, I believe it is still helpful in closing some gaps in fundamental Layer 2 protocol understanding. Have fun reading!
Over time I was thinking of putting together the two blog posts made in the past about MSTP and adding more clarification for the MSTP multi-region section. This new blog post recaps the information posted previously and provides more details this time. Additionally, it discusses some MSTP design-related questions. Both single-region and multiple-region MSTP configurations are reviewed in the post. The reader is assumed to have a good understanding of the classic STP and RSTP protocols as well as Cisco’s PVST/PVST+ implementations.
Table of Contents
Due to the large size of the document, a table of contents is provided for the ease of navigation.
Logical and Physical Topologies
Caveats in MSTP Design
MSTP Single-Region Configuration Example
Common and Internal Spanning Tree (CIST)
Common Spanning Tree (CST)
Mapping MSTI’s to CIST
MSTP Multi Region Design Considerations
Interoperating with PVST+
Scenario 1: CIST Root and CIST Regional Root
Scenario 2: MSTIs and the Master Port
Scenario 3: PVST+ and MSTP Interoperation
We are putting the final touches together for the CCSP bootcamp that is launching soon. (PS, it is going to ROCK!) As I was going through the demos on L2 security, I was reminded of how this topic is often an Achilles heel for many CCIE candidates, both R/S and Security.
This blog post is to refresh your memories and provide some examples for Layer 2 security on the Catalyst switch. We will begin with DHCP snooping.