Transcription

CCNA Summary NotesSpanning Tree Protocol (802.1D)NB. These notes werecreated around 2009.Newer versions of CCNAR&S have been releasedsince then, however thesenotes will still cover a largeportion of the material.Problems with redundant links- Broadcast Storms- Duplicate frame transmission- MAC database instability (Host A is on port 1, no wait port 2)Layer 2 can’t deal with these (layer 3 can with TTL etc but layer 2 can’t)Switches send broadcast packets out all of its interface except the one upon which it was received.STPs 3 stepsSTP puts some ports into a standby state where they do not listen to, forward, or flood data frames. Only one path to any given network segment at one time.1. Elect a root bridge – all ports are designed2. Selects the root port on the non-root bridges (bridge switch). Root port is closest to root bridge based on accumulated bandwidth.3. Select the designated port on each segments. This is based on lowest cost to root bridge (or BID if cost is equal).BPDUs are exchanged every 2 seconds. Lowest BID root.The Bridge ID (BID) is included in BPDUs. BID 2 btye bridge priority (32768 default) 6 byte MAC.When STP is enable all ports transition through blocking à Listening à Learning and then stabilize on forwarding or blocking.Blocking (Loss of BPU Detected)(Max Age 20 sec)Listening(Forward Delay 15 sec)Blocking(Moves to Listening after itdecides that it is the root port ora designated port)Link comes upLearning(Forward Delay 15 sec)Forwardingby Steven Crutchleywww.netquirks.co.uk

When a switch boots up it assumes that it is the root bridge and moves from the Bocking to the Listening state. If it is in the Blocking state for the Max Age andreceives no BPDUs it moves to the Listening states. Whilst in the Listening state it sends and receives the BPDUs to determine the topology. It does not pass any userdata. It does the 3 STP steps in this state. Spends 15 seconds in this state. THE LEARNING SATE REDUCES THE AMOUNT OF FLOODING REQUIRED WHEN DATABEGINS FORWARDING. After 15 seconds it moves to the forwarding (root or designated) or blocking (non designated) state. In the blocking state the port withreceive BPDUs but not send data.PortFastPortFast is used to send port straight to forwarding state (e.g. if it is attached to PC). Does not have to wait for STP convergence. It has BPDU port guard which willdisable the port if a BPDU is received to prevent routing loops.Switch(config-if)#spanning-tree portfastSwitch(config-if)#spanning-tree portfast bpdu-guard (use no command to disable)Switch(config)#spanning-tree portfast default(enable portfast on all acces ports)Switch#show run int interface(shows if portfast has been enabled)Path Costs10 Gbps1 Gbps100 Mbps10 Mbps2419100Normal time to convergence for STP is 30-50seconds.Other types of spanning TreePVST (Per VLAN Spanning Tree)Uses more CPU and bandwidth.BID has an extra VID (VLAN ID) field by taking up part of the Priority field. 12 bits of the 2 byte priority field are now for an extended system ID.Rapid Spanning Tree Protocol802.1w à faster convergence. Now has a backup state option for ports.Port Roles are as follows:Rootà forwarding port (same as STP)Designated à forwarding port elected for every switch LAN segment (same as STP)Alternateà Alternate path to the root bridge.by Steven Crutchleywww.netquirks.co.uk

Backup à Provides a redundant, less desirable, connection to another switch. Only exist where two ports are connected on a loopback by point-to-point OR where abridge has two connections to the same shared VLAN segment.Disabled à Plays no role.Learning and forwarding are identical in RSTP and STP. Everything else is RSTP is discarding.Switch(config)#spanning-tree mode rapid-pvst(enables PVRST )Switch#show spanning-tree vlan vlan number [detail](shows info per VLAN)Switch#debug spanning-tree pvst (debugs PVRST evetns)Switch#debug spanning-tree switch state(debugs port state changes)PVRST (Per VLAN Rapid Spanning Tree)Combines the above 2 methods.Multiple Spanning Tree ProtocolCan have multiple VLANs all with one spanning tree instance. Mergews 802.1Q-2003.Selecting the root bridge – make it centralised.Switch#spanning-tree vlan vlan number root [primary secondary] to set root bridge or backup (you can have multiple backups)SecurityThings to consider when inserting new equipment1. Consider current Security Policies2. Secure switch accessA well established policy has these features: You can audit the security setupFrameworkDefines how to treat unwanted electronic dataProceduresConsensus amoung decision makesIncident managementby Steven Crutchleywww.netquirks.co.uk

Enterprise wide planSecuring switching devices Enable secret passwordG00d passwordsConsole and vty security (passwords and ACLs)Use SSH not telnet (cisco used v1. No plaintext is sent)Disable integrate HTTP daemon if not used. If needed use ACLs.Warning bannersDisable unneeded services. no serice [tcp-small-servers finger config]Configure basic loggingEncrypt password (service pw-en)Securing switch protocols Managed CDP. So reconnaissance cannot attacks can’t take place. Disable globally if not needed. Disable per port if needed.Secure STP. See root and backup bridges manually. Use BPDU guard.Mitigating compromises launched through a switch Disable unused ports or put them in a “parking-lot” vlan as access ports.Disable automatic negotiation of Trunking (DoS, rediection etc are threats). PW VTP.Monitor PHYSICAL placement.Port based security. swithport host puts port in access with no channelling and STP portfast. no will reverse it . default interface returns interface back todefaultUsing “port security” featureThis is used on a switch to accept only particular MAC addresses. Dynamic – you care about how many rather than the specific MAC addresses that connect.Static – specify MAC addresses that are allowed.Combination of static and dynamic.by Steven Crutchleywww.netquirks.co.uk

Sticky Learning – dynamically learn a MAC and then add it to a static table.If unauthorised MAC attempts to connect switch can shutdown port. Or add MAC to disallowed list and log.802.1X Port-based authenticationClient requests access to switch. Switch communicates with authentication server. Until authentication takes place only Extensible Authentication Protocol over LAN(EAPOL) traffic is allowed through the switchport.Client – needs 802.1X software client (XP offers this). Port that the client is attached to is called the client/supplicant.Authentication server – Gives the permit/deny to the proxy switch. Is invisible to the client. RADIUS with EAP is the only supported server.Switch – Controls the physical access based on the authentication status.Proxy. Has a RADIUS software client. En/decapsulates EAP frames.Port is initially in authorised state. Goes to authorised once server says so. If switch asks for clients ID (authentication initiator)and client doesn’t support 802.1X tough. If client sends an EAPOL-start frame and gets no response (no 802.1X on switch) it just sends away. When a client logs out à send EAPOL-log message àchange back to unauthorised.by Steven Crutchleywww.netquirks.co.uk

Troubleshooting switchesPhysical LayerLAN/TrunksSTPVTPCable type? Cat? Length?Natives match?See VLANs in show run?Use diagramVLAN members?Trunk modes?VTP info xchngng?ID loopPorts admin up?VLAN to subnet?Inserted switch?Check logDuplex mismatch?Inter-VLAN L3?Inactive after powercycle?Verify root & RSTPEIGRP (the hybrid)Rapid covergence using DUAL. Sends periodic update about only the parts that are needed. PDMs are used. Uses multicast and unicast. NO BROADCAST. Easysummarisation anywhere in the network.EIGRP has a NEIGHBOUR TABLE and a TOPOLOGY TABLE.Successor route à Best route to destinationFeasible successor à backup routeAdvertised distance à Distance for a NEIGHBOUR to reach a networkFeasible disable à Distance to the neighbour advertised distanceby Steven Crutchleywww.netquirks.co.uk

For a route to become a feasible successor (backup), a next-hop router must have anAdvertised distance that is less that the feasible distance of the current router (i.e. theneighbour must be close to the destination than the current router).SummarisationEIGRP will automatically summarise at a classful boundary. You may not want this if you have discontiguous networks. Use the no auto summary command todisable auto-summarisation.Load balancing across unequal paths2 conditions must be met:-Next router in path must be closer- current feasible distance * variance (* ‘multiplied by’). If the alternative route does not fit under this you can’t use it.MetricBandwidth and delayConfigureRouterA(config)#router eigrp 100(100 is the AD number – no need to register)RouterA(config-router)#network 192.168.3.0RouterA(config-router)#network 192.168.4.0RouterA(config-router)#no auto-summaryRouterA(config-router)#variance 5(Metric of the alternative path as to be nterface fa0/1RouterA(config-if)#bandwidth bandwidth-in-kbpsby Steven Crutchleywww.netquirks.co.uk

Show commandsShow ip protocolsshow ip eigrp neighborsshow ip eigrp neighborsshow ip route eigrpshow ip eigrp topologydebug eigrp neighborsdebug eigrp packets(show metrics and parameters of current protocols)(show neighbours)(shows ints with EIGRP – can specify int or AS)(routing table EIGRP details)(shows all learned routes)(show neighbour states and hello packets)(view neighbour adjacency g)#interface fa0/1RouterA(config-if)#ip authentication mode eigrp process-id md5RouterA(config-if)#ip authentication key-chain eigrp process-id y chain name-of-key-chain(create the chain)RouterA(config-chain)#key number(create a key)RouterA(config-chain-key)#key-string text(text is the password)RouterA(config-chain-key)#accept-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006RouterA(config-chain-key)#send-lifetime 04:00:00 Jan 1 2006 infiniteNeighboursEIGRPAuthenticationNetworks advrt?Key mismatch?Common subnets?Route filters?Bad timingNetwork 10.0.0.0 ok?Duplicate RIDs?Int up/up?Hello packet match? (AS/K)by Steven CrutchleyRouting TableDiscontiguous?www.netquirks.co.uk

I will authenticate the SOURCEof all routing update I receiveEIGRP KeychainsRecieving router will lookOnly 1 authenticationpacket is sentthrough its table until it findsa valid keyAuthentication keyAuthentication keyKey ID (password)Key ID (password)STORED LOCALLYSTORED LOCALLYKEY CHAIN 1Key ID (password) interface Authentication KeyRouterA(config)#interface fa0/1RouterA(config-if)#ip authentication mode eigrp process-idmd5RouterA(config-if)#ip authentication key-chain eigrpprocess-id y chain name-of-key-chainRouterA(config-chain)#key numberRouterA(config-chain-key)#key-string textby Steven CrutchleyKEYSDEFINITIONSAuthentication Key1Authentication Key2Authentication Key3Authentication Key4Active from 9am – 10amActive from 9.55am – 11amActive from 10.55am – 12amActive from 11.55am – 1pmwww.netquirks.co.uk

OSPFLink (interface information) state. Collection of Link states forms a link state database.LSASent every 30 minutes or when something changes.LSAInterfacesMetricsTopological databaseAn overall view of the network. All routers in same area have identical topological DBHierarchyAutonomous System (Domain) à AreaEach AS must have a backbone. Off that backbone can hang STUB AREAS, TOTALLY STUB AREAS, NSSA to help routing table size.Area Border Routers connect multiple areas to the backbone router. ABR advertises a default router to the backbone router. ASBR is the border for an AS.Neighbour adjacenciesEstablished using the HELLO protocol. Bidirectional communication router sees itself in hello packet of neighbour.224.0.0.5 is multicast address that HELLO packets are sent out on.HELLO PACKETRouter ID – 32 bit loopback address acting as ID (no loopback highest IP)Hello interval – How often packets are sent. Default 10s (30 sec s on non-broadcast link).Dead interval – How long router will wait before declaring neighbour out of service (4 times hello)Neighbours – Adjacent routers with bi-directional communication.Area ID – Needs to be the same.Router priority – 8 bit number used to determine who is DR and BDR.IP of DR And BDRAuthentication – if enabled must swap same PW.Stub Area Flag – Helps to reduce routing table size by providing default route.by Steven Crutchleywww.netquirks.co.uk

SPF AlgorithmDijkstra’s algorithm puts router at root and calculates best path to all other nodes. LSAs are flooded.MetricMetric 100,000,000 / speed in bps (higher bandwidth lower & better cost)To change the reference bandwidth use ospf auto-cost reference-bandwidth ref-bw command.ConfigureRouterA(config)#clear ip ospf processRouterA(config)#router ospf 100RouterA(config-router)#network 192.168.3.0 0.0.0.255 area 0RouterA(config-router)#network 192.168.4.0 0.0.0.255 area 0RouterA(config-router)#maximum-paths ace lo0/1RouterA(config-if)#ip address nfig)#interface fa0/0RouterA(config-if)#ip ospf cost 10RouterA(config)#interface fa0/1RouterA(config-if)#ip ospf cost 10(restarts all OSPF processes)(100 is the process id. Need not match)(8 bit boundaries is bad)(default 4. Up to 16)(loopback interface is used as ID)(creates the router ID value)(set the OSPF cost)(set the OSPF cost)Using wild cards on non 8 bit boundaries is dangerous. Use IP for each interface with 0.0.0.0 WC to avoid this problem.Loopback interfaceUse advertised can be accessed across the network.Use unadvertised saves address space.by Steven Crutchleywww.netquirks.co.uk

Show commandsshow ip protocolsshow ip ospfshow ip ospf neighborshow ip ospf neighbour routerIDshow ip route ospfshow ip ospf interface serial