Posts from ‘Switching’

Apr
16

Last week wrapped up the first week of our new CCIE Routing & Switching Advanced Technologies Class, where I focused on Layer 2 Technologies such as Ethernet, Frame Relay, HDLC, and PPP. Next week I will be running week 2 of the class, focusing on Layer 3 Technologies such as RIP, EIGRP, OSPF, BGP, IPv6, and Multicast.

Also, we are now offering monthly subscriptions to the All Access Pass at just $159 a month! This gives you access to all of our video training, over 800 hours, plus any new videos we release in the future. This includes the new CCIE Routing & Switching Advanced Technologies Class. If you have an All Access Pass subscription or purchased the live version of the R&S ATC in the past, you can attend next week's class free of charge by contacting sales. Space is limited, so if you want to attend the live version you need to contact sales ASAP.

Additionally we are migrating all of our video content to a new HTML5 based streaming solution, which will allow all of our videos to be viewed on any platform and at multiple bandwidth & quality levels.  Below is a sample of last week’s class in this new format.  Try the medium or low bandwidth versions on your iPhone, Android, or Windows phone, the high or medium versions on your iPad or Android tablet, and the full HD version on your laptop or desktop.  When the solution is fully deployed you’ll be able to choose which format you want to view depending on your connection speed and device, plus have the option to download videos all the way up to the full HD versions.

Low Bandwidth Sample

Medium Bandwidth Sample

High Bandwidth Sample

HD Sample


Jan
26

In our recent Implement Layer 2 Technologies series, we examined Q-in-Q tunneling in great detail. In that discussion, I raised a big caution about Service Provider clouds that use 802.1Q trunks for switch-to-switch trunking. The caution involves the use of an untagged native VLAN.

Left untagged, the native VLAN opens the door to the double-tagging form of the VLAN hopping attack. Here is how it works:

  1. An attacker at a customer site wants to send frames into a VLAN that they are not a member of.
  2. The attacker double tags the frame (Q-in-Q style): the outer tag matches the native VLAN in use on the provider edge switch's trunk, and the inner tag carries the target VLAN.
  3. The provider edge switch strips off the outer tag (because it matches the native VLAN, which is sent untagged) and sends the frame across the trunk with only the inner tag remaining.
  4. The next switch in the path examines the frame, reads what is now the outermost tag (the attacker's inner tag), and forwards the frame into the target VLAN accordingly. Yikes!

Notice that this attack is unidirectional. The attacker can send traffic into the VLAN, but traffic will not return: replies from the target VLAN leave the trunk tagged with that VLAN ID and are never delivered to the attacker's port in a different VLAN. Admittedly, this is still NOT something we want taking place!

What are the solutions for the Service Provider?

  1. Use ISL trunks in the cloud. Yuck.
  2. Use a Native VLAN that is outside of the range permitted for the customer. Yuck.
  3. Tag the native VLAN in the cloud. Awesome.
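As an added example (not code from the original post), the following Python simulation walks an attacker's double-tagged frame through the four steps above: the customer-facing side of the provider edge, the trunk egress of that switch, and the trunk ingress of the next switch. It runs once with the native VLAN untagged, once with it tagged (solution 3), and once with the native VLAN moved outside the customer's permitted range (solution 2). The VLAN numbers, MAC addresses and payload are constructed for illustration; only the 802.1Q tag format (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) comes from the standard.

```python
"""Simulate the double-tagging VLAN hop across an 802.1Q trunk.

Added example for this post, not code from the original article. The VLAN
numbers, MAC addresses and payload are constructed; only the 802.1Q tag
format (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the
VLAN ID) is taken from the standard.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vlan_ids, payload=b"constructed payload"):
    """Ethernet frame with zero or more 802.1Q tags, outermost tag first."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlan_ids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0, VID
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def outer_vlan(frame):
    """VLAN ID of the outermost tag, or None when the frame carries no tag."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def customer_edge_ingress(frame, permitted_vlans):
    """Provider edge, customer-facing side: accept only the customer's VLANs.
    Returns None when the outer tag is outside the permitted range."""
    vid = outer_vlan(frame)
    return frame if vid in permitted_vlans else None


def trunk_egress(frame, native_vlan, tag_native=False):
    """Provider edge, trunk side: a frame in the native VLAN leaves untagged
    unless the switch is configured to tag the native VLAN."""
    if outer_vlan(frame) == native_vlan and not tag_native:
        return strip_outer_tag(frame)
    return frame


def trunk_ingress_vlan(frame, native_vlan):
    """Next switch: the outermost tag decides the VLAN; untagged means native."""
    vid = outer_vlan(frame)
    return native_vlan if vid is None else vid


def hop_result(native_vlan, outer_tag, inner_tag, tag_native=False,
               permitted_vlans=range(1, 4095)):
    """VLAN the next switch places the attacker's frame in, or None if the
    customer edge dropped it."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [outer_tag, inner_tag])
    frame = customer_edge_ingress(frame, permitted_vlans)
    if frame is None:
        return None
    return trunk_ingress_vlan(trunk_egress(frame, native_vlan, tag_native), native_vlan)


if __name__ == "__main__":
    print("untagged native VLAN 1:", hop_result(1, 1, 20))                   # 20: hop succeeds
    print("tagged native VLAN 1:  ", hop_result(1, 1, 20, tag_native=True))  # 1: hop fails
    print("native VLAN 4000, customer limited to 1-999:",
          hop_result(4000, 4000, 20, permitted_vlans=range(1, 1000)))       # None: dropped at edge
```

With the native VLAN untagged the frame lands in VLAN 20; with the native VLAN tagged the outer tag survives the trunk and the frame stays in VLAN 1; with a native VLAN the customer is not permitted to use, the customer edge never accepts the outer tag in the first place. The model deliberately stops at the next switch: it does not carry return traffic, which is why the attack is one-way in practice.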


Dec
01

Catalyst switch port security is so often recommended. This is because of a couple of important points:

  • There are many attacks that are simple to carry out at Layer 2
  • There tends to be a gross lack of security at Layer 2
  • Port Security can guard against so many different types of attacks such as MAC flooding, MAC spoofing, and rogue DHCP servers and APs, just to name a few

I find when it comes to port security, however, many students cannot seem to remember two main points:

  1. What in the world is Sticky Learning and how does it work?
  2. What is the difference between the different violation modes and how can I remember them?

Sticky Learning

Sticky learning is a convenient way to set static MAC address mappings for the MAC addresses you allow on your network, without typing each address by hand. What you do is confirm that the correct devices are connected. You then turn on sticky learning and the port security feature itself, and the switch converts the addresses it learns dynamically into sticky entries in the running configuration (save the configuration if you want them to survive a reload). Note that the port must be a static access port (or trunk); port security is rejected on a port still in dynamic DTP mode. For example (interface name is illustrative):

interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security
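To make the two points above concrete, here is an added Python model (not code from the original post) of a single secure port: it learns addresses up to the configured maximum, shows sticky addresses as they would appear in the running configuration, and applies the three Catalyst violation modes. protect drops offending frames silently, restrict drops them while counting and logging each violation, and shutdown err-disables the port so that even the legitimately learned hosts stop passing traffic until an operator recovers it. The MAC addresses and the frame sequence in demo() are constructed for illustration, and the syslog text is a paraphrase rather than the exact IOS message.

```python
"""Model of Catalyst port security: sticky learning plus the protect,
restrict and shutdown violation modes.

Added example for this post, not code from the original article. The MAC
addresses and the frame sequence in demo() are constructed; the syslog
text is a paraphrase of the real %PORT_SECURITY message, not a verbatim copy.
"""


class SecurePort:
    """One access port configured with:
         switchport port-security maximum <maximum>
         switchport port-security mac-address sticky      (when sticky=True)
         switchport port-security violation <violation>
         switchport port-security
    """

    def __init__(self, maximum=2, sticky=True, violation="shutdown"):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.maximum = maximum
        self.sticky = sticky
        self.violation = violation
        self.secure_macs = []      # addresses allowed on the port, learned or static
        self.violation_count = 0   # the counter 'show port-security interface' reports
        self.errdisabled = False
        self.syslog = []

    def receive(self, src_mac):
        """Handle one inbound frame; return 'forward' or 'drop'."""
        if self.errdisabled:
            return "drop"                      # port is down until an operator recovers it
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # learn it (sticky: also written to running-config)
            return "forward"
        # maximum reached and this source is not secure: a violation
        if self.violation == "protect":
            return "drop"                      # silent: no log, no counter
        self.violation_count += 1              # restrict and shutdown both count and log
        self.syslog.append(f"PORT_SECURITY: violation on port, source {src_mac} (paraphrased)")
        if self.violation == "shutdown":
            self.errdisabled = True            # port goes err-disabled; everything is dropped
        return "drop"

    def link_recover(self):
        """Operator 'shutdown' / 'no shutdown' (or errdisable recovery) after a
        shutdown-mode violation. Sticky addresses survive the link going down;
        dynamically learned secure addresses do not."""
        self.errdisabled = False
        if not self.sticky:
            self.secure_macs.clear()

    def running_config(self):
        """Interface config after learning. Sticky addresses appear as entries
        here but survive a reload only once copied to startup-config."""
        lines = [f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}" for m in self.secure_macs]
        lines.append("switchport port-security")
        return lines


def demo(violation):
    """Two legitimate hosts, then a third device, then the first host again."""
    port = SecurePort(maximum=2, sticky=True, violation=violation)
    frames = ["0011.2233.4455", "0011.2233.4455", "00aa.bbcc.ddee",
              "00de.adbe.ef00",   # third MAC: exceeds maximum 2
              "0011.2233.4455"]   # legitimate host after the violation
    return [port.receive(mac) for mac in frames], port


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        actions, port = demo(mode)
        print(f"{mode:9s} {actions} violations={port.violation_count} errdisabled={port.errdisabled}")
```

Running demo() for each mode shows the difference students tend to mix up: protect and restrict both keep forwarding the two learned hosts and only drop the third device (restrict additionally increments the counter and logs), while shutdown drops everything after the violation, including the legitimate host, until link_recover() is called.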


Sep
01

Are you a CCNP or CCIE student looking to challenge your perfect knowledge of Catalyst switchport commands?

Take the latest SWITCH Command Recall exam by clicking the link below. Good luck – and let us know how you scored in the comments area of this post.

Remember to read, AND TYPE, very carefully! I failed my first attempt due to just plain sloppiness. :-(

SWITCH Command Recall Exam – L2/L3 Ports


Jun
18

Do you want to see how a CCIE would handle a tricky EtherChannel and 802.1X scenario in the lab exam? Subscribers to the Interactive Video Companion for Volume 2 need to log in and watch the new training modules.

These tasks provide great opportunities to analyze task interpretation, diagramming strategy, and DOC-CD utilization during the CCIE lab exam.

Enjoy your studies!


Apr
25

Hear ye, hear ye, VTP experts. (We are not referring to the Vandenberg Test Program, although they are very likely experts in their field as well. :) )

Can you predict the results of a 3-switch VTP client/server scenario?

SW1 through SW3 are connected as shown in the diagram.

VTP question for Blog

Here is the initial output of show vtp status and show vlan brief on each. Note that SW1 and SW3 are servers, while SW2 is a client. We will be adding a failure to the network in just a moment.


Apr
05

For some time, I believed that a companion post to Understanding MSTP was required in order to completely cover all aspects of MSTP. That post should discuss the convergence mechanisms employed in RSTP, which is a part of the MSTP implementation. When I started that blog post, it became apparent that it would be beneficial to cover STP convergence mechanics beforehand. Word by word, the tutorial evolved into a document over 30 pages long. In addition, many readers have been asking for PDF versions of my blog posts, so I finally decided to make this one entirely in PDF. You may find the link below:

http://blog.ine.com/wp-content/uploads/2010/04/understanding-stp-rstp-convergence.pdf

The blog post discusses many aspects affecting the STP and RSTP convergence processes and outlines some problems found in RSTP. Unlike many previous posts, this one is entirely theoretical and does not feature any hands-on configuration sections. However, I believe it is still helpful in closing some gaps in fundamental Layer 2 protocol understanding. Have fun reading!

Feb
22

Introduction

For some time I have been thinking of putting together the two blog posts made in the past about MSTP and adding more clarification to the MSTP multi-region section. This new blog post recaps the information posted previously and provides more details this time. Additionally, it discusses some MSTP design-related questions. Both single-region and multiple-region MSTP configurations are reviewed in the post. The reader is assumed to have a good understanding of the classic STP and RSTP protocols as well as Cisco's PVST/PVST+ implementations.

Table of Contents

Due to the large size of the document, a table of contents is provided for the ease of navigation.

Historical Review
Logical and Physical Topologies
Implementing MSTP
Caveats in MSTP Design
MSTP Single-Region Configuration Example
Common and Internal Spanning Tree (CIST)
Common Spanning Tree (CST)
Mapping MSTIs to CIST
MSTP Multi Region Design Considerations
Interoperating with PVST+
Scenario 1: CIST Root and CIST Regional Root
Scenario 2: MSTIs and the Master Port
Scenario 3: PVST+ and MSTP Interoperation
Conclusions
Further Reading



Feb
15

Introduction

Recently, there have been discussions about Cisco's new data-center technology, Overlay Transport Virtualization (OTV), implemented in Nexus 7k data-center switches (limited demo deployments only). The purpose of this technology is to connect separated data-center islands over a convenient packet-switched network. It is said that OTV is a better solution than the well-known VPLS, or any other Layer 2 VPN technology. In this post we are going to give a brief comparison of the two technologies and see what benefits OTV may actually bring to data centers.

VPLS Overview

We are going to give a rather condensed overview of VPLS functionality here, just to have a baseline to compare OTV with. The reader is assumed to have a solid understanding of MPLS and Layer 2 VPNs, as technology fundamentals are not described here.



Jan
07

We are putting the final touches together for the CCSP bootcamp that is launching soon. (PS, it is going to ROCK! :) ) As I was going through the demos on L2 security, I was reminded of how this topic is often an Achilles heel for many CCIE candidates, both R/S and Security.

This blog post is to refresh your memory and provide some examples of Layer 2 security on the Catalyst switch. We will begin with DHCP snooping.

