%CAM% Archives %%page%% - Network Ninja

Tag Archive for 'CAM'

Open Shortest Path First – OSPF Fundamentals – Checking or Troubleshooting OSPF Troubleshooting

Published

on June 12, 2009

in BSCI, BSCI Notes, Concepts and Constructs, Debug and Show

. 0 Comments

I’m using a Simulator and sometimes output differs from what it should be (which is happening more and more often). Make the best out of the explanations when things differ (I’ve used verbatim examples where the simulator just came up blank with output).

All the below is to test if OSPF is functioning properly and has been configured correctly.

Base the output (for examples that worked) on the show commands on the below OSPF Configuration.

Working from a functional configuration on a single router, Router_1 will be the DR on Fe1/0 unless another device on that segment has a priority greater than 100. The link attached to Fe1/0 has a cost of 1. The cost on Fe2/0 has been changed to 10.

The Config

Router_1(config)#router ospf 100 Router_1(config-router)#network 192.168.0.0 0.0.255.255 area 3 Router_1(config-router)#exit Router_1(config)#interface Ethernet 0/0 Router_1(config-if)#ip address 192.168.16.1 255.255.255.240 Router_1(config-if)#ip ospf priority 100 Router_1(config-if)#exit Router_1(config)#interface Ethernet 0/1 Router_1(config-if)#ip address 192.168.16.15 255.255.255.240 Router_1(config-if)#ip ospf priority 20 Router_1(config-if)#exit Router_1(config)#interface Ethernet 0/2 Router_1(config-if)#ip address 192.168.16.30 255.255.255.240 Router_1(config-if)#ip ospf priority 15 Router_1(config-if)#exit Router_1(config)#interface Ethernet 0/3 Router_1(config-if)#ip address 192.168.16.17 255.255.255.240 Router_1(config-if)#ip ospf cost 10

Checking the Configuration

As we’ve been through before in previous posts, the show commands are detailed and comprehensive views on the health and status of the network and hardware (there are a gazillion of them and the detail can be overwhelming same with debug commands). To understand the output from the show commands read-on.

The show-ip ospf Command

The show-ip ospf command shows how OSPF is running on a given router. Output includes the number of times that the SPF routing algorithm has run (indicates the stability of the network). From the previous posts the SPF routing Algorithm runs when there is “instability” on the network (the higher the number of “recalculations” the less stable the network).

Router_2#show ip ospf [process-id]

Output

Explanation

The show ip ospf Database Command

The show ip ospf database command when issued will display the contents of the routers topological database and the different Link State Advertisements (LSAs) that have populated the database (Internal Routers will only display router and network LSAs).

Router_2#show ip ospf database

Output

Explanation

Show ip ospf interface Command

The show ip ospf interface command shows how OSPF has been configured and how it is working on an interface. This level of detail is excellent to troubleshoot config errors.

Router_2#show ip ospf interface [type number]

The command shows information such as the Designated Router (DR) and Backup Designated Router (BDR), a list of neighbours, and the network type.

Output

Explanation

There are some things that don’t come up once again on my output. This would be because I am using a simulator when studying and not “real” kit. You can’t really expect the lab to do “Everything” you want but it does a good job of giving you the basic ideas. Use your imagination.

From here on in things are verbatim from the book. The deviations on the Simulator is so GREAT from what it should be (a.k.a a blank output) that I really can’t study from that).

Show ip ospf neighbour Command

The show ip ospf neighbour command shows OSPF neighbours (known neighbours can be viewed using this command).

Router_2#show ip ospf neighbor

Output

The command can be made more granular and the neighbours can be viewed in a per-interface method

The command can once again be expanded further to show a deep-dive per interface view in as much detail as possible. Use the command displayed below.

Router_2#show ip ospf neighbor {type number} {neighbour id} [detail]

Output

Explanation

Show ip protocols Command

The show ip protocols command shows the configuration of IP routing protocols configured on the router. The command brings up how protocols were configured and how they interact with one another (updates, interactions, etc). Great for troubleshooting configuration errors and understanding how the network is communicating about routes

Router_2#show ip protocols

Output

Explanation

Show ip route Command

The show ip route command shows the IP routing table on the router. This particular command shows how the network is known to the router and how the router discovered routes. Most of us know about this one and would have used it many times before. I know I have.

Router_2#show ip route

Debug Commands

A rather dangerous command is debug (this is because it can make a router totally freak out). This is due to the fact that the debug command has the highest process priority and can consume all resources on the router causing the router to freeze up and need a power cycle.

Good practice would be to turn on debug commands for a specific function and then turn off that debug command as soon as the needed information has been gathered.

To turn of all debug commands that could be active on the router:

Router_2#no debug all

The particular commands with relevance to OSPF:

Router_2#debug ip ospf events

This command displays information about OSPF-related events, such as adjacency, flooding information, designated router selection, and SPF calculation.

Router_2#debug ip packet

This command is IP debugging and includes packets received, generated, and forwarded. Fast-Switched packets do not generate messages.

If I added some value to your Cisco Experience with this post please add some value to my studies and leave a comment, question, suggestion, note of thanks or encouragement for me to hurry up and complete my certifications. My reasoning for wanting some interaction is that the last Recruiter said I need CCNP, Juniper and a Specialization track. The LOOOOONG Road to Cisco Indeed. Thanks Deon

Notes and Notices: This is a part of my personal BSCI notes and research to assist myself in learning and understanding the concepts and theory for the BSCI exam. I learn by making notes reading and writing things down and wish to file them where I cannot lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BSCI Certification.

BSCI Update For August

Published

Deon Botha

on August 20, 2008

in Asides

. 3 Comments

It came as a bit of a shock to me that my last post was on the 14th of August and several days have come and gone and I haven’t touched my studies. I have had to sit down and think about what has been going on that made this happen.

The company I work for is a big-ish Hewlett Packard house and about a week ago (14th of August) I was forwarded an email stating Certification criterea required for continued partnership at our level. The email also very bluntly stated that for partnership status to roll over without side-effects in Quarter 1 Certification had to be done by September (Whether this was beginning or end September is anyones guesse but I am going to try and play it save and assume beginning September).

Most of my attention has been focused on getting everyone else prepped, ready and geared for the Exam. This has included helping with study materials, creating in-house study material that can be printed (The HP material doesn’t allow for that) because some of the people don’t have internet connections or computers at home and translating some of the more Business Jargon / IT Jargon in the material into Afrikaans for those that aren’t as strong in English.

Along with this I am also trying to get myself up to speed as I will probably be writing all the technical tracks, sales tracks and marketing tracks to take load off other employees and hedge bets should there be failures. The content for the Exams aren’t rocket science but like any Corporate Certifications they are written in special “HP Speak” and the exam will not only test your abilities but also your knowledge of “HP Speak”.

Other than that my week has been totally normal, my Cisco studies have just taken a back seat to HP studies for a little bit.

BSCI Design Foundation – Network Models

Published

Deon Botha

on July 25, 2008

in BSCI, BSCI Notes, Certification, Cisco Systems, Concepts and Constructs, ECNM, Enterprise Architecture, IIN and SONA

. 0 Comments

Design – Hierarchical

Where networks once were non-hierarchical (layer-1 design, layer-2 design, layer-3 design) they are generally now three-layer hierarchical in design (above). Cisco has been using this model for years and it gave a high-level overview of how a reliable network could be conceived but was largely conceptual because it did not provide specific guidance on “how-to” implement certain things, like:

Implementing redundancy,
Adding Internet Access,
Accounting for remote users,
Locating workgroup and enterprise services

Design – Enterprise Composite Network Model (ECNM)

Revisions to the hierarchical design showed redundant distribution and core devices and connections to make the hierarchical model more fault tolerant. The switch block design (above) explained how redundancy fit into a network, but still did not really adequately specify other parts of the network design. This lead to the Enterprise Composite Network Model (ECNM) development to address the failures of both the hierarchical model and switch block model.

This ECNM is broken into three large pieces:

Enterprise Campus,
Enterprise Edge,
Service Provider Edge.

Enterprise Composite Network Model

ECNM – Campus

The enterprise campus looks very much like the above switch block design with some added details:

Campus Backbone (like the core layer of the hierarchical model),
Building Distribution,
Building Access,
Management,
Server Farm (Enterprise Services).

The ECNM Campus builds onto the Switch block design but gives specific guidance as to where to place servers and management equipment. Take note that the servers look like a switch block and are redundantly attached (dual-homed) to the switches (not really shown nicely in the diagram).

ECNM – Enterprise Edge

The Enterprise edge shows the connections that the enterprise has with the wide area (other networks) and include:

E-Commerce,
Remote Access,
Internet Connectivity,
WAN (Internal links to other branches).

ECNM – Service Provider Edge

The service provider edge includes the public networks that facilitate wide area (other networks) connectivity:

Internet Service Provider (ISP),
Public Switched Telephone Network (PSTN) for dialup,
Frame Relay, ATM, and PPP for private connections.

Multiplexing

Historically voice traffic used one set of circuits and data traffic another. Also if you wanted more than one “number” the telecommunications company installed another physical line to your premises. If you wanted access to a data network they installed a data line for that purpose.

With line technologies like the T-carrier system (USA, Japan, Korea) 24 pulse-code modulated (I don’t know need to ask one the engineers about this), time-division multiplexed speech signals are carried over 2 copper pairs. This type of technology saved the telecommunications companies a lot of money in building out subscriber lines. The problem with T1 as a technology is that it cannot adjust as the customer usage requirements changes (see E-carrier system for Europe and other countries).

As technology changes so does the requirements from that technology; Modern networks are designed to carry voice, video, enterprise applications, normal LAN traffic and management traffic all on the same single secure infrastructure (convergence). The traffic is forced (statistically multiplexed) to share access to the network.

Service-Orientated Network Architecture (SONA) and Intelligent Information Network (IIN)

As covered above “Multiplexing” described the idea of a converged network as a system that integrates what was previously disparate systems (voice, video, data). The traffic types usually found on a converged network would include, but may not be limited to:

voice signalling and bearer traffic,
Core application traffic (ERP and CRM),
Transactional traffic related to database interactions (SQL),
Network management traffic for monitoring and maintaining the network structure (including routing protocol traffic),
Multicast multimedia,
Other traffic (web, e-mail, file transfer).

Each of the above traffic types has its own requirements and expectations that govern its successful execution. These requirements include security, QoS, transmission capacity, and delay.

To support this kind of multiplexed traffic, Cisco routers are able to implement filtering, compression, prioritization, and policing (dedicating network capacity). Except for the filtering process these processes are collectively known as QoS.

As an alternative to QoS, Cisco has an ideal called the Intelligent Information Network (IIN). This vision describes a network that integrates network and application functionality cooperatively allowing the network to be “smart” about how it handles traffic to minimize the footprint of applications. The IIN evolution is described in three phases:

Phase 1: Integrated Transport, deals with a converged network, built along a similar fashion of the ECNM and based on open standards (cross-compatibility)
Phase 2: Integrated Services, posits virtualization of resources such as servers, storage and network access; to move to an “on-demand” model. Don’t think marketing/advertising “virtualization” think practical virtualization the ISR routers (routing, switching, voice, network management, security and wireless) designed as an aio (all-in-one) appliance and Vitalizing Servers (if you have proper designed for the job servers) you can’t be trying this on SMB servers or try recycling 10 year old technology and thinking “bargain let’s load 5 operating systems on this”.
Phase 3: Integrated Applications, using application orientated networking (AON) to make the network “aware” allowing the network to actively monitor and participate in service delivery.

Service-Orientated Network Architecture (SONA) is the practical application or “how-to” of IIN in enterprise networks. SONA breaks down IIN into three layers;

SONA Infrastructure Layer is basically the same as IIN Phase 1,
SONA interactive Services Layer maps to IIN Phase 2,
SONA Application Layer has the same concepts as IIN Phase 3.

Resources:

Aragoen Celtdra on BSCI: Network Architecture and Design

Notes and Notices:

This is a part of my personal BSCI notes and research to assist myself in learning and understanding the concepts and theory for the BSCI exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BSCI Certification.

BCMSN Passed

Published

Deon Botha

on July 21, 2008

in Certification and Cisco Systems

. 17 Comments

I passed the BCMSN exam this morning; I am happy to have passed the exam that being the desired result of writing an exam, yet I am extremely unhappy with myself in that I didn’t feel “on the ball” with alot of the questions.

The testing centre venue was fine by all accounts and standards and the people friendly. You know that you visit enough when the testing people recognize you and know that you are the guy coming in for the Cisco exam of the morning. The exam room air-conditioning unit was set not too high and not too cold for the exam this morning which was actually rather pleasant for a change.

My biggest complaint of most places is not really related to this test venue but a general complaint of events venues. Us Africans don’t know how to use Air-conditioning inside buildings because it’s set either too cold or too hot in relation to the outside temperature. This means that you are either wearing too much or too little clothing and sitting in a closed room for 110 minutes freezing/boiling and your hands/ears/nose are going numb while you are trying to recall information is a pain and not really conducive. Another thing with air-conditioning is that it dries out your eyes and sinuses and when there is no other ventilation in the room half way through the exam all you start caring for is to get out the room because of the headache you getting. Makes one feel that they should start advertising the “room” temperature for the day so that you can dress accordingly for the climate.

The Preparation

My thinking going in for the exam 4 months ago was that the BCMSN switching content “in theory” is fairly straight forward and that it would be easy enough to try and use as a “test” case for the future CCNP courses. That assumption paid off because I think I wouldn’t have made the BSCI exam with the hitch I came up with today.

My test case did pay dividends and I have found something that I will have to sort out post haste for the BSCI and other future exams. My approach with my notes has been up until now focused on getting to know and becoming comfortable with the core theory of the subject matter. This approach served me well enough and enabled me to “pass” the exam although I want to not just pass but pass well and without a doubt and in my opinion what I kept stumbling on (over and over and over) was the deeper technical and practical base knowledge upon which the theory builds.

Changes

Because this stumbling block was not the exception but instead the rule I am going to be adding more in-depth technical and practical “appreciation” to my notes so that these topics will hopefully become part of my knowledge base (KB) and long term memory. This hopefully will help me when I sit the next exam and similar questions come up.

Cisco Partner Enablement Training

Published

Deon Botha

on July 18, 2008

in Cisco Systems and Support

. 0 Comments

I am at the local Cisco offices today for Partner training. It’s basically Cisco letting Partners know where to find what on Cisco.com. For those of you that haven’t tried to find/navigate the Cisco Website it can be a little daunting at first (I remember how it was for me). The nuts and bolts of this training is Cisco letting Partners know what tools are available and giving us a bit of a demo (selling us on them).

I am writing this post so that I can keep these links in a central place; If you find them useful that’s cool. There are more tools available from Cisco like Quote Builder, Competitive Edge Portal, Sales Accelerator and others that I am not covering.

Most if not all of the tools I will be babbling on about will require a valid CCO login and that your CCO be linked to a valid Cisco Partner.

A good place to start if you are a new Cisco partner or just getting started on a new job at a Cisco Partner would be the Partner Enablement Page; from there you can find most of the tools that Cisco provide listen under logical headings that I will describe shortly below.

The first heading you will find is Develop whether this be business development or personal development it’s listed under here. First off the bat we have The Partner Enablement Page that gives you one click access to most of the Cisco tools that you will need under this section. Including tools like the Partner Enablement Navigator that is an online wizard for Partner enablement tools and resources to give you quick access to what you need when you need it. There is also a link to Partner Practice Builder that helps Partners create a strategic development plan for various decision making functions (i.e. whether to do Unified Communications or not?). Finally there is Partner Education Connection that provides online course content for most of their courses; the courses range from free to providing links to where training is available at Cisco Learning Partners.

Next up we have Market and this is a kind of obvious one this is links to tools that either help you market Cisco products (Campaign Builder) or give you specific and relevant information assist you to be more effective in marketing Cisco products (Cisco Customized Partner Intelligence).

Then we have Sell for those in the sales teams or supporting sales teams. Starting off with Cisco Demo Solutions which is a boxed demo solution available for purchase from Cisco. Then we have the Cisco Partner Helpline that gives partners access to technical product information, including assistance with network design and product selection.

Finally Deliver where you can find Steps to Success that has resources for selling, delivering and supporting business solutions throughout the network lifecycle.

Difference between VLAN Access-map and ACL

Published

Deon Botha

on July 10, 2008

in ACL, BCMSN, Certification, Cisco Systems, Concepts and Constructs and VACL

. 1 Comment

Looking over some things before I go write the BCMSN exam this is something I wanted to waffle on about again because the reason for both aren’t so clear to me and why to use what when.

So short and sweet an Access Control List (ACL) is something that comes from the CCNA course and is something one can use to manage and control traffic that passes through a switch (mind passes through and doesn’t originate on) either in an inbound or outbound direction. Cisco Catalyst Switches filter traffic through the use of a TCAM (mentioned on this post). The reason for VLAN Access Control List (VACL) is that only traffic that passes between VLANs can be filtered using ACLs.

So this means logicaly that traffic that stays in the same VLAN doesn’t necessarily have a direction (inbound or outbound) in relation to the interface and also isn’t crossing any interface boundries. There is also the fact that the packets may also be non-IP, non-IPX, or completely bridged. VACLs are mechanisms that can directly affect packets inside a VLAN. VACLs are configured using access-maps

Cisco Tackling the Global Shortage of Skilled Network Engineers

Published

Deon Botha

on June 24, 2008

in Certification and Cisco Systems

. 0 Comments

Cisco today announced three new Cisco Certified Network Associate (CCNA®) concentrations namely Security, Voice and finally Wireless. All candidates wanting to go for the concentrations must have the CCNA first and then can specialize into one of the fields of interest.

Certguard and a Blog

Published

Deon Botha

on June 16, 2008

in Off-Topic

. 2 Comments

Since late last week there has been some waves in the online networking community about a post by Robert Williams from CertGuard. Since that post many things have happened, I am however not going to talk about the specific situation, how it is probably affecting the mentioned CCIE etc. Some notable comment can be read from members of the networking community like Colin McNamara, Arden Packeer and Greg Ferro

I have been following the situation and reading responses and trying to figure this out for myself. I am however finding myself with more questions than answers as I try and get information to make an educated decision as to the this whole story. My main questions are around Certguard.

To kick off why this whole thing is upsetting me and probably many other people. I practice what I do on my good name, If it calls for it I spend extra non-billing hours (working days without sleep) keeping my good name in tact with clients who are not happy with a product or service either I or a competitor placed because my good name and the good name of my vendor of choice is important to me. This extends into daily life where dressing appropriately for functions, being on time for meetings (early ussually) and being affable and amiable in company goes to preserving my good name. I have spent time, been careful and made sure my name is not sullied and not dragged through any mud or tarnished by schoolboy playground antics because people buy products and services from people. Basic marketing theory says that word of mouth is the best and worst marketing where one good experience brings maybe one extra customer; one bad experience sends 10 customers away forever. In the end of the day my good name is very important to me because it is my brand and my image. This situation is upsetting because it has to do directly with this concept and the sullying of someone’s good name in a disgraceful very underhanded way.

CertGuard seems to be a self appointed Information Technology (IT) Watchdog where it concerns test taking and certifications. How this is done around the back-end isn’t so clear to me at this point. I have read that they have no affiliation with Cisco or Pearson Vue (I only care about their links with Cisco I don’t much care whether Microsoft or another vendor uses their products/services). Their website isn’t exactly transparent as to all their specifics but I will outline my thoughts and findings below.

I want to know WHAT they do, they say they keep the industry clean by focusing on braindumps websites. For those who don’t know what braindumps are these are basically compiled documents of test questions that may or may not appear in the exams. A braindump is not certified study material according to the agreement you sign every time you take a Cisco exam. The fact remains to me that they aren’t affiliated with Cisco and they make a leap somewhere from “braindumps websites” to “decertifying individuals” that is a bit far fetched and I don’t know how that happens. This leap is more than just bothering me, its annoying me, I have looked through the CertGuard website, done Google Searches and tried asking others but no one knows WHAT they do other than selling a product type service.

Personally I learnt in grade school that cheating was wrong, I received a degree without trying to write crib notes on various body parts to get them into exams (a girl wrote half the theory on her breasts in one exam thinking it was the only place the invigilator wouldn’t look) and I certainly know that unless I know something outright I am not going to pass any exam (sometime down the line I am going to look stupid if I don’t know how to do something I have written an exam on). The company doesn’t seem to be closing down braindump websites but monitoring them, they dont seem affiliated with Cisco to take away a certifications from individuals and they seem to be selling information based products to end-users and not vendors. This whole thing leaves me with more questions than answers.

What CertGuard is doing is great in theory (noble and almost altruistic) protecting the intrinsic value of something like a certification (which is not like a conferred degree) is in everyones interest that is working towards getting that certification. What is rubbing me raw though is what do they actually do? Are they working for a Vendor at a higher level or are they trying to create a new economy for validating online 3rd party course content information? Are they trying to become the de facto “trusted authority” for who you can use for content and who you cant? Or are they none of the above and I’m just to stupid to see what they really do and don’t do.

One of the links in the pecking order that’s also bothering me is how CertGuard can share/give/pass information as a “trusted authority” to Cisco/Vue (other) and as a trusted authority Cisco/Vue acts on the information by tripping someone of a certification (if at all). My concern here is that I have paid a small fortune to get learning material, certifications, hardware and training from Cisco and/or Cisco Partners, I have spent countless hours in front of books, PEC, and at training losing sleep, weekends and time I could have spent focusing on other activities. If a company who is not affiliated with Cisco, recognized by Cisco and was not given a mandate by Cisco starts to act “as-if” they are working on behalf of Cisco I am going to be a very unhappy camper and would hope Cisco Systems and the community at large cuts them down to size instead of siding with them because you may be next.

I am unsure of CertGuards place in the macro network environment and how they interact with the ecosystem at this point. Is this a fear based marketing and advertising ploy in very bad taste to drum up traffic and in the end sales for their products. Network World seems to rubber stamp them and if not endorse them fully by allowing them a place from which to gather an audience. Their website doesn’t clearly state anything substantial about them, I want specifics, facts and concrete information if they are so important to the industry. I want to know that my future as a small fish in a big pond in the network industry isn’t going to be jepordized by some unknown CEO from a company who you know but also dont know what they do (I don’t trust them nor know anything about nor care about them*) turns my world upside down one sunny day.

The modus operandi of using a highly visible public platform in the network industry to blackball a blogger without prior consultation or attempted mediation is uncouth to say the least. This is something that I don’t think I can agree was/is the correct method(s) or acceptable in the least. As a person who is active online, who writes (in my case notes from various sources) and posts them to a blog, my concern is am I going to be the next lamb to slaughter (probably not but the fear is there). As rational or irrational as that is who will be the next target for Mr Williams? If you note their services they offer Blog & Forum Monitoring (feels like big brother is watching).

I certainly don’t get paid for blogging I also don’t know anyone who does, I am certainly not going to jeopardize my future so that someone can take me out at the knees for something because they feel a need to scratch something that itches.

*An online business without a complete website explaining at least Who they are, What they do, How they do it, Where they come from, How they relate to me, Why I should care, Why they should be there and have a Telephone number and Physical address FOR THE REASON I VISITED THE SITE in plain view without the need to search for it or do a whois on the domain in my experience is trying to scam me in some way.

In this case Who is Certguard to me as a Cisco Networker? What does CertGaurd have to do with Cisco? How does Certguard do what they do with relation to Cisco and Cisco Certification and the mechanics of it? Where is their value proposition with relation to Cisco and Cisco Certification? How this relates to my studies and certification process with Cisco? Why this will and will not affect me and my life? Why CertGaurd should be there and exist at all and affect my life? and where can I call someone if they make my life hell and/or buy a plane ticket to come make someones life hell if need be?

Finally I have probably edited this thing a 100 times to get it to say what I want I am adding links to the Disclaimer and if you want to know about me and finally should anyone try and muck me around thus far all posts fall under the following notice:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Followup: Ethan Banks is back in action, his blog post can be found here.

Followup: Robert Williams public apology to Ethan Banks and the Network Community.

Cisco Training Videos

Published

Deon Botha

on June 13, 2008

in Cisco Systems and Vine

. 2 Comments

Head on over to Josh Horton’s blog (blindhog.net) he has a nice post on Cisco training videos from Trainsignal pricing in at around R 4,900 ($ 597) including links to sample videos. The nice thing about training videos are that you can watch them again and again and again (this works for some people while it doesn’t for others), compared to boot camps where you need to go in thoroughly prepared (they set a frantic pace) spend your R 15,000 ($ 1,800) on the training and hope you keep up for the week.

Depending on what works for you and how you learn use what is best for you to learn and get your certifications. I have a friend that swears by CBT Nuggets he says that if it weren’t for their videos have been able to get his certifications at all.

Switch Security Layer-2 Attacks – Two

Published

Deon Botha

on May 27, 2008

in ACL, BCMSN, Certification, Cisco Systems, Concepts and Constructs, Switch Spoofing, Trunk, VACL, VLAN and VLAN Hopping

. 2 Comments

VLAN Hopping

VLAN Hopping is a network attack whereby an end-device sends packets to/or collects packets from a VLAN that should not be accessible to that end-device. This is done by tagging the invasive traffic with a specific VLAN ID (VID) or by negotiating a trunk link to send or receive traffic on penetrated VLANs. VLAN hopping can be done by switch spoofing or double tagging.

In a Switch spoofing attack the attacker configures an end-device to spoof itself as a switch (this can be a linux pc). The attack emulates Inter-Switch Link (ISL) or 802.1Q signaling along with Dynamic Trunk Protocol (DTP). This is signaling to attempt to establishing a trunk connection with the company switch.

Any switch port configured with DTP auto, upon receipt of a DTP packet generated by the attacking device, will become a trunk port and then accept traffic destined for any VLAN supported on any trunk on that link. The attacker can then send/collect packets from/to any VLAN.

Double Tagging is another method of VLAN Hopping, this is when a workstation generates frames for two 802.1Q headers, this causes the switch to forward the frames onto a VLAN that would normally be inaccessible to the attacker through legitimate means.

The first switch to encounter the double tagged 802.1Q frame strips the first header frame (native VLAN), and forwards the frame out a trunk link, the second switch then forwards the frame according to the other 802.1Q frame header. Should the tag not match the native VLAN of the attacker, the frame will go untagged and flooded to only the original frame.

Best Practices to Mitigate VLAN Hopping

Configure all unused ports as access ports so that trunking cannot be negotiated across those links.
Place all unused ports in the shutdown state and associate them with a VLAN designed for only unused ports, carrying no user data traffic (that means not the Native VLAN either).
When establishing a trunk link, purposefully configure arguments so that:
- The native VLAN will be different form any data VLANs
- Trunking is set up as “on” rather than as negotiated.
- The specific VLAN range will be carried on the trunk

Configuration
To Mitigate against VLAN hopping attacks the following is the config. First select a range of interfaces:
switch#configure terminal switch(config)#interface range gigabitethernet 0/1-48

Now configure the ports as access ports this in turn will turn off DTP

switch(config-if)#switchport mode access

Assign the ports to an unused VLAN (not the Native VLAN)

switch(config-if)#switchport access vlan vlan-id

NB the above commands will not work in VoIP (voice) networks. Cisco IP Phones use trunks (DTP).

VLAN Access Control Lists

There are three kinds of ACLs:

Router Access Control Lists (RACLs)supported in the TCAM hardware on Cisco Multi-layer switches (MLS). Can be applied to any router interface, such as a switch virtual interface (SVI) or Layer 3 routed port.
Port Access Control List (PACL)filters traffic at the port level. PACLs can be applied on a Layer-2 switch port, trunk port, or EtherChannel port.
Vlan Access Control Lists (VACLs)(a.k.a VLAN Access Maps) supported on software on Cisco MLS.

Cisco Catalyst switches support four ACL lookups per packet*:

ingress (1) and egress (2) security lookup
ingress (3) and egress (4) Quality of Service (QoS) look-up

This following section all went over my head or just about and I have no idea whether this works or not or is correct or not for more information.

There are cases where certain Access Control Entries (ACEs) must be combined in each ACLs due to limitations of TCAM hardware. The merge process is also responsible for other functions like expanding ACEs due to a lack of Layer 4 Operations Pointers (L4Op Pointers) or Logical Operational Units (LOUs).

Cisco catalyst Switches use two features to perform a merge

order independent algorithm merge
order dependant algorithm merge

Order Independent Merge (OIM) is based on Binary Decision Diagrams(BDD), ACLs are merged from a series of oder-dependant actions to a set of order-independent masks and patterns. The resulting ACE can be very large, and processor and memory intensive.

Order Dependant Merge (ODM) is not bit-based. The computation is much faster and is less processor intensive.

RACLs are supported in hardware through IP standard and IP extended ACSs, with permit and deny actions. ACL processing is an intrinsic part of the packet forwarding process. ACL entries are programmed in hardware. Lookups occur in the pipeline, whether ACLs are configured or not. With RACLs access list statistics and logging are not supported.

*You can get some switches with two security lookups and 1 QoS lookup in each direction (6 total).

Configuring VACLs

VACLs apply to all traffic on a VLAN. VACLs use standard and extended Cisco IOS IP and IPX ACLs, and MAC Layer-named ACLs and VLAN access-maps.

VACLs follow route-map conventions, in which map sequences are check in order (top-down).

Each VLAN access map can consist of one or more map sequence, each sequence with a match clause and an action clause. The match clause specifices IP, IPX, or MAC ACLs for traffic filtering and the action clause specifies the action to be taked when a match occurs. When a flow matches a permit ACL entry, the assciated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence. If aflow does not match any ACL entry and at least on ACL is configured for that packet, the packet is denied.

Three VACL actions are permitted:

Permit (with capture, Catalyst 6500 only)
Redirect (Catalyst 6500 only)
Deny (with logging, Catalyst 6500 only)

Two features are supported on Catalyst 6500 only:

VACL Capturewhere Forwarded packets are captured on the capture port. The capture option is only permit ACEs. The capture port can be an IDS port or an Ethernet port. The capture port must be an egress VLAN for layer-3 switched traffic.

VACL Redirect where matching packets are redirected to specific ports. You can configure up to five redirect ports. Redirect ports must be in a VLAN where a VACL is applied.

Define a VLAN Access MAP

switch#configure terminal switch(config)#vlan access-map map-name seq# insert to/delete from

Configure the match clause in a VLAN access map sequence

switch(config-access-map)#match options

Configure actions

switch(config-access-map)#action options

Apply the VACL to VLANs

switch(config)#vlan filter map-name vlan-list list

Verify configuration

switch(config)#show vlan access-map map-name

Source for this Config document Section

Private VLANs

Internet Service Providers (ISP) often have devices from multiple clients, in addition to their own servers resident on a single demilitarized zone(DMZ) segment of VLAN. Cisco Catalyst 6500/4500 switches Private Virtual Local Area Networks (PVLAN) to keep some switch ports shared and some switch ports isolated, even if the ports exist in the same VLAN. The 2950 and 3550 support “protected ports”, which are functionally the same on a per-switch basis.

Traditionally ISPs used one VLAN per customer, with each VLAN having its own subnet. A layer 3 device the provides interconnectivity between VLANs and Internet destinations. Problems with this method:

Supporting a VLAN per customer may require a high number of interfaces on ISP network devices.
Spanning Tree becomes more complicated with many VLAN iterations.
Network address space must be divided into many subnets, which wastes space and increases management complexity.
Multiple ACL applications are required to maintain security on multiple VLANs, resulting in increased management complexity.

PVLANs provide Layer-2 isolation between ports within the same VLAN, thereby eliminating the need for VLAN and IP subnet per customer.

A Port in a PVLAN can be one of three types:

Isolated: port has complete Layer-2 separation from other ports within the same PVLAN, except for promiscuous ports; blocks all traffic to isolated ports except from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
Promiscuous: ports can communicate with all ports within the PVLAN. The default Gateway (DG) is probably be hosted as a promiscuous port.
Community: ports communicate among themselves and their promiscuous ports. These interfaces are isolated at Layer-2 from all other interfaces in other communities, or in isolated ports within their PVLAN.

Trunks carry all VLAN traffic so isolated, promiscuous and community PVLAN traffic may enter and leave a switch through trunks

PVLAN ports are associated with a set of supporting VLANs that are used to create the PVLAN structure.

As a Primary VLAN: carrying traffic from promiscuous ports to isolated, community and other promiscuous ports in the same primary VLAN.
As an Isolated VLAN: carrying traffic from isolated ports to a promiscuous port.
As a Community VLAN: carrying traffic between secondary VLANs. You can extend PVLANs across multiple devices by trunking primary, isolated, and community VLANs to other devices that support PVLANs.

A promiscuous port can service only one primary VLAN. A promiscuous port can service one isolated VLAN or many community VLANs.

Configuring

Step 1: Set VTP Mode to Transparent

switch#configure terminal switch(config)#vtp mode transparent

You may also want to check VTP version, password and domain while you are at VTP configuration

Step 2: Create the secondary VLANs (Isolated and community VLANs are secondary VLANs)

switch#configure terminal switch(config)#vlan 102 switch(config-vlan)#private-vlan isolated switch(config-vlan)#end switch#show vlan private-vlan type

Step 3: Create the primary VLAN

switch#configure terminal switch(config)#vlan 100 switch(config-vlan)#private-vlan primary switch(config-vlan)#end switch#show vlan private-vlan type

Step 4: Associate the secondary VLAN with the primary VLAN. Only one isolated VLAN can be mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary VLAN

switch#configure terminal switch(config)#vlan 100 switch(config-vlan)#private-vlan association add 102 switch(config-vlan)#end switch#show vlan private-vlan type

When associating secondary VLANs with primary VLANs use these best practices:

Make sure that the VLAN IDs contain only one isolated VLAN ID (VID)
Use the remove keyword with the secondary VID to clear association; there can only be one association.
Use the no keyword to clear all association from the primary VLAN.
Do not allow the command to take effect until you exit VLAN configuration submode.

Step 5: Configure an interface as an isolated or community port.

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport mode private-vlan host switch(config-if)#end switch#show interfaces gigabitethernet 0/1 switchport

Step 6: Associate the isolated port or community port with the primary/secondary VLAN pair

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport private-vlan mapping 100 102 switch(config-if)#end switch#show interfaces gigabitethernet 0/1 switchport

Step 7: Configure an interface as a promiscuous port

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport mode private-vlan promiscuous switch(config-if)#end switch#show interfaces gigabitethernet 0/1 switchport

Step 8: Map the promiscuous port to the primary/secondary VLAN pair

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport private-vlan host-association mapping 100 102 switch(config-if)#end switch#show interfaces gigabitethernet 0/1 switchport

Step 9: Permit Routing of Secondary VLAN Ingress Traffic

switch#configure terminal switch(config)#interface vlan 100 switch(config-if)#private-vlan mapping add 102 switch(config-if)#end switch#show interfaces private-vlan mapping

The sources for this config section include this Cisco 4500 document and this document. Finally CCIE Blog gave me a some insight and hint as to WTF the difference between the host and promiscious ports on the interface config was.

Definition

Logical Operation Unit (LOU) are hardware registers used to store {operator, operand} tuplesfor Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers specified in an IP extended ACL, VACL, or QoS ACL. These tuples are called Layer 4 Operations (L4Op).

Source

Notes and Notices:

References I want to rememeber:

Hucaby, D. (2007). CCNP Self-Study: CCNP BCMSN Official Exam Certification Guide, Fourth Ed, VLAN Access Lists (page. 413-414). Indianapolis: Cisco Press.

Network Ninja

Tag Archive for 'CAM'

Open Shortest Path First – OSPF Fundamentals – Checking or Troubleshooting OSPF Troubleshooting

BSCI Update For August

BSCI Design Foundation – Network Models

BCMSN Passed

Cisco Partner Enablement Training

Difference between VLAN Access-map and ACL

Cisco Tackling the Global Shortage of Skilled Network Engineers

Certguard and a Blog

Cisco Training Videos

Switch Security Layer-2 Attacks – Two

Search

About

Latest

Archives

Categories