@CHFR-wide
Created December 13, 2023 14:08
4CCNA notes

Basic device configuration

Configure a switch with initial settings

Boot sequence:

  1. The POST (power-on self-test) stored in ROM tests the CPU, DRAM, and the flash device. Professional-grade devices also test the memory;
  2. The boot loader software is called (this is what decides whether we enter the "ROM MON" recovery mode);
  3. The boot loader initializes the CPU registers that handle memory;
  4. The boot loader initializes the flash file system;
  5. The boot loader loads a default IOS image into memory and gives it control of the switch.

On Cisco devices, a single .bin file represents the whole OS. To perform an update, we download the official new version and store it in the device's flash memory.

S1(config)# boot system flash:/c2960-lanbasek9-mz.150-2.SE/c2960-lanbasek9-mz.150-2.SE.bin

A switch has multiple LED indicators for its many components.

To recover from a system crash:

  1. Connect via the console cable;
  2. Unplug the power cord;
  3. Hold the Mode button to access ROM MON mode;
  4. A switch: prompt means we are in recovery mode.

The recovery mode has different commands.

switch: set BOOT=flash:/c2960-lanbasek9-mz.122-55.SE7/c2960-lanbasek9-mz.122-55.SE7.bin

To configure remote access, a switch virtual interface (SVI) must be configured with an IPv4 address.

1: Configure a VLAN interface to give an IP address to the switch.

(Warning: by default, VLAN 1 corresponds to all physical ports.)

S1# configure terminal
S1(config)# interface vlan 99
S1(config-if)# ip address 172.17.99.11 255.255.255.0
S1(config-if)# ipv6 address 2001:db8:acad:99::11/64
S1(config-if)# no shutdown
S1(config-if)# end
S1# copy running-config startup-config

2: Configure the default gateway

S1# configure terminal
S1(config)# ip default-gateway 172.17.99.1
S1(config)# end
S1# copy running-config startup-config

3: Verify configuration

show ip interface brief

show ipv6 interface brief

Enable SSH.

en
conf t
ip domain-name [whatever].[tld] //necessary to get the FQDN
crypto key generate rsa
username [name] secret [password] //automatically enables SSH, but it's v1
ip ssh version 2
line vty 0 15
    no password
    login local
    transport input ssh
    end

For that, the device (router/switch) needs to have an IP address.

Configure switch ports

Secure remote access

Basic router configuration

On a router, we can create a loopback interface and give it any IP we want. Useful for testing without impacting other parts of the network.

interface loopback [name]
    ip address [address] [subnet]
exit

Verify directly connected networks

Verify interface status with show ip interface brief. It lets us quickly spot typos and bad IP assignments, and see which interfaces are not up.

  • Status: physical layer status (down = activated but no cable; up = activated and working; administratively down = interface is not activated);
  • Protocol: L2 protocol status;
    • For Ethernet, there is usually no reason for it to be down when the status is up;
    • For other protocols (such as PPP), this might matter.
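As an added example (not part of the original notes), here is a small parser for the output of show ip interface brief that turns the Status/Protocol pair into the verdicts listed above. The sample output is constructed to look like IOS output and is not from a real device; the interface names and addresses in it are made up.

```python
"""Parse `show ip interface brief` output and flag interfaces that are not usable.

Added example (not part of the original notes); SAMPLE below is constructed
to look like IOS output and is not captured from a real device.
"""
import re

SAMPLE = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   unassigned      YES unset  administratively down down
Vlan99                 172.17.99.11    YES manual up                    down
Loopback0              10.0.0.1        YES manual up                    up
"""

# One data row: interface, IP, OK?, Method, Status (may contain a space), Protocol.
ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<status>up|down|administratively down)\s+(?P<protocol>up|down)\s*$"
)


def parse_ip_int_brief(text):
    """Return a list of dicts, one per interface row; the header is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def classify(row):
    """Map the Status/Protocol pair to the meaning given in the notes."""
    if row["status"] == "administratively down":
        return "not activated (needs `no shutdown`)"
    if row["status"] == "down":
        return "activated but no link (cable/peer)"
    if row["protocol"] == "down":
        return "link up but L2 protocol down"
    if row["ip"] == "unassigned":
        return "up but no IP address"
    return "ok"


def report(text):
    """{interface: verdict} for every row in the command output."""
    return {r["iface"]: classify(r) for r in parse_ip_int_brief(text)}


if __name__ == "__main__":
    for iface, verdict in report(SAMPLE).items():
        print(f"{iface:24} {verdict}")
```

The regex anchors on the fixed Status/Protocol vocabulary rather than on column positions, so it keeps working when interface names of different lengths shift the columns.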

show ipv6 interface brief gives the IPv6 rundown. There will at least be a link-local (FE80) address.

show ip route shows the routing table: all the networks a router can send packets to (entries can be individual hosts, but that is not recommended).

Warning: this command shows lots of data you don't need. It's safe to ignore every line that doesn't start with a code, and the L entries (since they represent the router's own IP).

However, it's not always this simple (static/dynamic routing can include networks that aren't directly connected).

Reminder: code C => directly connected.

Switching concepts

Frame forwarding

Switches use the frame header to know what to look for in their table.

(3CCNA reminder): A switch starts out knowing nothing.

When receiving a frame, a switch:

  • Saves the source MAC against the receiving port (learning step; the entry's TTL is but a few seconds and is reset each time another frame from that MAC is received);
  • If it cannot find the destination, it sends the frame out of every connected port except the receiving one;
    • When it gets a response, it saves that MAC address against the port it came in on;
    • If the destination is the broadcast address (all f's), then it was meant for all other ports anyway.

One port can have multiple MAC addresses.
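The learn / forward / flood behaviour described above, as an added example that is not code from the original notes: a minimal MAC address table with aging. Port names and MAC addresses are constructed; the aging timer is assumed to be 300 seconds, the usual IOS default, and the clock is injectable so the "timer reset on every frame" point can be exercised offline.

```python
"""Simulate a switch's MAC address table: learn the source on ingress,
forward on a known destination, flood on an unknown or broadcast one.

Added example for these notes, not code from the original gist. Port names
and MAC addresses are constructed. Aging is assumed to be 300 s (the usual
IOS default); the entry's timer is reset whenever that source MAC is seen.
"""
import time

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, aging_seconds=300, clock=time.monotonic):
        self.ports = list(ports)
        self.aging = aging_seconds
        self.clock = clock            # injectable so aging can be tested offline
        self.table = {}               # mac -> (port, last_seen)

    def _expire(self):
        """Drop entries that have not been refreshed within the aging time."""
        now = self.clock()
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.aging]
        for m in stale:
            del self.table[m]

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of ports it is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self._expire()
        # learning step: bind the source MAC to the ingress port and reset its timer
        self.table[src] = (in_port, self.clock())
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]   # flood, minus the ingress port
        out_port = self.table[dst][0]
        return [] if out_port == in_port else [out_port]      # known: forward (or filter)


if __name__ == "__main__":
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    print(sw.receive("Fa0/1", "00:00:00:00:00:aa", "00:00:00:00:00:bb"))  # unknown: flood
    print(sw.receive("Fa0/2", "00:00:00:00:00:bb", "00:00:00:00:00:aa"))  # learned: ['Fa0/1']
    print(sw.table)
```

Because several MACs can be learned on one port (a hub or another switch behind it), the table maps MAC to port and not the other way round.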

Forwarding methods:

  • Store-and-forward: reads the entire frame and checks it for errors before forwarding;
  • Cut-through switching: forwards as soon as the destination MAC address is read. Less buffering is required.

On professional-grade switches, frames are processed by hardware rather than software.

Collision and broadcast domains

Collisions used to happen on the physical layer, causing the signal to be lost or jumbled.

Nowadays, collisions are avoided completely using different techniques:

  • Using twisted-pair cables;
  • In wireless and fiber optics, using different frequencies for in/out signals.

When a collision happens, the signal is affected.

Collision domains are the areas that would be susceptible to collisions in case of faulty hardware. On switches, every port is its own collision domain; on hubs, everything connected to the hub is one huge collision domain.

A broadcast domain is the range that can be impacted by an end device sending a broadcast message.

VLANs

Overview of VLANs

In a bigger local network (>100 hosts), problems appear. Broadcast messages are sent regularly (ARP, for example), and the bigger the broadcast domain gets, the more this flooding hurts.

This can also cause organizational/security issues.

VLANs allow segmenting the network without additional hardware. Switches do not allow inter-VLAN communication on their own.

The benefits of VLANs are as follows:

  • Smaller broadcast domain
  • Improved security
  • Improved IT efficiency
  • Reduced cost
  • Better performance
  • Simpler project and application management

show vlan brief gives a quick rundown. There are multiple types:

  • Default VLAN: VLAN 1, the default on Cisco switches; all ports are on VLAN 1 unless explicitly configured;
  • Data VLAN: separates user-generated traffic;
  • Native VLAN: VLAN 1 is used for untagged traffic (tagging means adding a 4-byte tag to the frame header);
  • Management VLAN: a data VLAN configured for network management traffic (like SSH, Telnet, HTTPS, HTTP, and SNMP). VLAN 1 by default on a L2 switch;
  • Voice VLAN: a separate VLAN needed for VoIP support, because VoIP has delay and priority requirements; to support these, the entire network has to be designed for VoIP.

Ex: to avoid everyone pinging a switch as they please, we can give it an IP address only in a certain VLAN.

It's possible to carry multiple VLANs on a single switch interface by telling it how to distinguish the traffic.

VLANs in a multi-switched environment

A connection between two switches is called a trunk.

VLANs are identified by the switch that receives a frame: a 4-byte VLAN tag is inserted after the source MAC address. Because VLANs are only known by switches, the tag needs to be added if a frame is to be handled by multiple switches.

The IEEE 802.1Q protocol does that (this standard also adds a 3-bit priority field).

Trunks exist in order to define WHEN to add or remove the VLAN tag.

Untagged frames are considered to belong to the native VLAN (which is VLAN 1 by default).
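The tag layout described above, as an added example that is not code from the original notes: build an Ethernet frame with or without an 802.1Q tag, parse it back, and resolve an untagged frame to the native VLAN. The MAC addresses and payload are constructed; the TPID value 0x8100 and the TCI layout (3-bit priority, 1-bit DEI, 12-bit VID) are those of IEEE 802.1Q.

```python
"""Build and parse 802.1Q-tagged Ethernet frames.

Added example for these notes (not from the original gist). The frame layout
follows IEEE 802.1Q; the sample MAC addresses and payloads are constructed.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value announcing that a 4-byte VLAN tag follows


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff' -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return raw


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, priority: int = 0) -> bytes:
    """Assemble a frame; when vlan is given, insert the tag right after the source MAC."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        if not 0 <= vlan <= 4094 or not 0 <= priority <= 7:
            raise ValueError("VID must be 0..4094 and priority 0..7")
        tci = (priority << 13) | vlan          # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan/priority (None when untagged), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "priority": None}
    offset = 14
    if ethertype == TPID_8021Q:                 # tagged: TCI then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["priority"] = tci >> 13
        info["vlan"] = tci & 0x0FFF
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def effective_vlan(info: dict, native_vlan: int = 1) -> int:
    """A switch treats an untagged frame on a trunk as belonging to the native VLAN."""
    return native_vlan if info["vlan"] is None else info["vlan"]


if __name__ == "__main__":
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00\x01",
                         vlan=20, priority=5)
    print(tagged.hex())
    print(parse_frame(tagged))
```

Notice that an untagged frame and a tagged one differ only by the four bytes at offset 12, which is why a trunk must know the native VLAN to place untagged traffic, and why changing the native VLAN on only one end of a trunk silently moves that traffic between VLANs.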

VLAN configuration

show vlan brief

The VLAN ranges are as follows:

  • Normal range VLANs
    • 1 cannot be renamed or deleted
    • 2 to 1001 can be used
    • 1002 to 1005 are reserved for legacy networks
    • These are stored in flash memory in a file called vlan.dat
    • If VLAN Trunking Protocol (VTP) is used, this range is replicated across VLANs
  • Extended range VLANs
    • 1006 to 4094
    • Saved in the running config by default
    • Fewer features

Create a VLAN:

S1# configure terminal
S1(config)# vlan 20
S1(config-vlan)# name student
S1(config-vlan)# end

Assign an interface to a VLAN:

S1# configure terminal
S1(config)# interface fa0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# end

Create a data, then a voice VLAN

S3(config)# vlan 20
S3(config-vlan)# name student
S3(config-vlan)# vlan 150 //no need to exit there
S3(config-vlan)# name VOICE
S3(config-vlan)# exit
S3(config)# interface fa0/18
S3(config-if)# switchport mode access
S3(config-if)# switchport access vlan 20
S3(config-if)# mls qos trust cos
S3(config-if)# switchport voice vlan 150
S3(config-if)# end
S3#

Verify VLAN information with show vlan:

  • brief: name, status and ports
  • id [vlan id]: information on one VLAN
  • name [vlan name]: same, looked up by name (1-32 chars)
  • summary: summary information

We can assign VLANs to an interface range.

Outside of Packet Tracer, multiple VLANs can be created at once using commas/hyphens.

The no prefix can be used to unassign a port from a VLAN.

S1(config)# interface fa0/18
S1(config-if)# no switchport access vlan
S1(config-if)# end
S1#

This resets the port to the default VLAN.

no vlan [vlan id] is used to delete a VLAN.

Make sure to reassign all ports that were on this VLAN before deleting it, or they won't be able to communicate.

delete flash:vlan.dat followed by a restart of the switch resets all VLAN configuration to its factory defaults (preceded by erase startup-config, this completely resets the switch to factory defaults).

Assigning a non-existing VLAN to a port creates it (but does not name it).

VLAN trunks

S1(config)# interface fastEthernet 0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# switchport trunk allowed vlan 10,20,30,99
S1(config-if)# end

This sets an interface to be a trunk, then changes the native VLAN to something other than 1, and finally only allows some VLANs across it.

Warning: the allowed vlan command ALWAYS OVERWRITES the list, it is not additive.

show interfaces [interface] switchport

Shows the whole trunk configuration of an interface.

Dynamic Trunking Protocol (DTP)

This is a Cisco proprietary protocol.

Normally, trunk configuration has to be done on both switches. DTP makes it so that we only need to do it once.

To enable trunking on a Cisco device that does not support DTP, we enable the trunk and then disable DTP:

S1(config-if)# switchport mode trunk
S1(config-if)# switchport nonegotiate

Re-enabling DTP works as follows:

switchport mode dynamic auto

There are multiple modes:

  • Access: permanent nontrunking mode;
  • Dynamic auto: the interface is able to convert the link to a trunk link;
  • Dynamic desirable: actively attempts to convert the link to a trunk link;
  • Trunk: puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk.

Resulting link, depending on the mode configured at each end (the table is symmetric):

                   Dynamic Auto  Dynamic Desirable  Trunk                 Access
Dynamic Auto       Access        Trunk              Trunk                 Access
Dynamic Desirable  Trunk         Trunk              Trunk                 Access
Trunk              Trunk         Trunk              Trunk                 Limited connectivity
Access             Access        Access             Limited connectivity  Access

show dtp interface [interface] gives DTP information.

You can modify an interface range with interface range f 0/1 - 24

The first number corresponds to the "port module". In non-modular, non-stacked switches it will always be "0", so the range applies to the port number, not the port module.

Multiple types of interfaces can also be modified at once: interface range f 0/1 - 24, g 0/1 - 2

Inter-VLAN Routing

Inter-VLAN Routing Operation

VLANs segment a switched Layer 2 network. But we can use L3 to allow connectivity between different VLANs (this, for example, helps to allow more precise packet filtering).

Three different options.

Legacy Inter-VLAN Routing:

A router is plugged into two ports of the switch, bridging the two VLANs together. This method doesn't scale well with more VLANs; a router doesn't have enough physical ports.

Router-on-a-stick:

A router sits at one edge of the network; whenever a VLAN change is needed, traffic has to go through the router. This requires the use of "subinterfaces" for each VLAN.

Inter-VLAN routing on a layer 3 switch: a switch able to route packets.

Router-on-a-stick VLAN routing

This consists of creating subinterfaces on a router which is connected to one single switch.

First configure the VLANs and trunks. The switch interface pointing to the router needs to be in trunk mode too.

On the router, the interface command can be used to configure subinterfaces with dot notation.

On each subinterface's config, the encapsulation command selects which VLAN number to target. Encapsulation works like trunking.

Each subinterface also needs an IP address.

At the very end, go back to the physical interface to bring it up (no shutdown). This is done last so that every single subinterface gets affected.

R1(config)# interface G0/0/1.10
R1(config-subif)# description Default Gateway for VLAN 10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip add 192.168.10.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/0/1.20
R1(config-subif)# description Default Gateway for VLAN 20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip add 192.168.20.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/0/1.99
R1(config-subif)# description Default Gateway for VLAN 99
R1(config-subif)# encapsulation dot1Q 99
R1(config-subif)# ip add 192.168.99.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/0/1
R1(config-if)# description Trunk link to S1
R1(config-if)# no shut
R1(config-if)# end
R1#
*Sep 15 19:08:47.015: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to down
*Sep 15 19:08:50.071: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up
*Sep 15 19:08:51.071: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up
R1#

Inter-VLAN Routing using Layer 3 Switches

Configuring a layer 3 switch

Create the VLANs

D1(config)# vlan 10
D1(config-vlan)# name LAN10
D1(config-vlan)# vlan 20
D1(config-vlan)# name LAN20
D1(config-vlan)# exit
D1(config)#

Create SVI VLAN interfaces

D1(config)# interface vlan 10
D1(config-if)# description Default Gateway SVI for 192.168.10.0/24
D1(config-if)# ip add 192.168.10.1 255.255.255.0
D1(config-if)# no shut
D1(config-if)# exit
D1(config)#
D1(config)# int vlan 20
D1(config-if)# description Default Gateway SVI for 192.168.20.0/24
D1(config-if)# ip add 192.168.20.1 255.255.255.0
D1(config-if)# no shut
D1(config-if)# exit
D1(config)#
*Sep 17 13:52:16.053: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
*Sep 17 13:52:16.160: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up

Configure access ports

D1(config)# interface GigabitEthernet1/0/6
D1(config-if)# description Access port to PC1
D1(config-if)# switchport mode access
D1(config-if)# switchport access vlan 10
D1(config-if)# exit
D1(config)#
D1(config)# interface GigabitEthernet1/0/18
D1(config-if)# description Access port to PC2
D1(config-if)# switchport mode access
D1(config-if)# switchport access vlan 20
D1(config-if)# exit

Enable IP routing

D1(config)# ip routing
D1(config)#

Routing on a L3 switch

A switch port can be configured for routing, defining the interface as a L3 interface.

This is done by using no switchport on the interface configuration.

Routing is then configured normally, as with a router.

STP Concepts

When at least 3 switches are directly connected to each other in a loop, frames can circulate forever: frames don't have a TTL. It can also cause confusion about the source MAC address. Broadcast frames are even worse, as they saturate the connections between switches.

STP fixes that. Its job is to find loops and cut them off by disabling the redundant connection (later, it can re-enable it).

STP is the reason we see the orange dots when first creating a connection.

STP Operations

There are four steps that are constantly performed by every switch.

Bridge = switch

STP sends BPDU frames (bridge protocol data units). Those frames contain a bridge ID, a compound identifier composed of three components:

  • Bridge priority - 4 bits, 32768 by default
  • Extended System ID - 12 bits
  • MAC address - 48 bits

1. Root bridge election

Bridges send BPDUs to all directly connected switches and perform bitwise comparisons to find the bridge with the lowest priority value.

A bridge directly connected to the root bridge may inform bridges that aren't directly connected.

Important: ALL bits of the bridge ID are compared. If all bridges have the default priority, then the rest of the bits are compared too, so the MAC address decides in those situations.

2. Elect the root ports

Determine the root path cost: the STP cost of a link is inversely proportional to its speed.

There are two standards, IEEE 802.1D from 1998 and IEEE 802.1w from 2004 for RSTP (Rapid Spanning Tree Protocol).

802.1w has higher base cost values to allow for higher link speeds without going into the negatives.

Those STP costs are calculated by each bridge; they add up for each link that's traversed, and the port with the lowest total cost is elected as the root port.

3. Elect designated ports

STP defines states on ports that aren't root ports.

Ports that are elected designated are:

  • All ports of the root bridge
  • All ports that face a root port

4. Elect alternate (blocked) ports

On all remaining connections between bridges, a final bridge ID comparison is done: the port on the bridge with the lowest priority wins and becomes the designated port, while the losing bridge's port becomes an alternate port.

Special case: on a square topology, where STP costs might be the same both ways, the interface priorities are considered; if even that ends in a draw, then the connected port ID is considered (for example Fe0/1 > Fe0/2).
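Steps 1 and 2 above (root election by bridge ID, then root path cost and root port per bridge) worked through in code, as an added example that is not from the original notes. The three-switch topology, the MAC addresses and the link speeds are constructed; link costs come from the IEEE 802.1D-1998 table, with the 802.1w table alongside to show the larger base values. The tie-break on sender bridge ID and then sender port number models the "draw" case described just above (port priorities are assumed equal).

```python
"""Worked STP example: build bridge IDs, elect the root bridge, then compute
every bridge's root path cost and root port, including the tie-break on
sender bridge ID and sender port number.

Added example, not code from the original notes. The topology, MAC addresses
and link speeds are constructed. COST_802_1D is the IEEE 802.1D-1998 (short)
table, COST_802_1W the IEEE 802.1w (long) table, both keyed by Mbps.
"""
import heapq

COST_802_1D = {10: 100, 100: 19, 1000: 4, 10000: 2}
COST_802_1W = {10: 2_000_000, 100: 200_000, 1000: 20_000, 10000: 2_000}


def bridge_id(priority, vlan, mac):
    """4-bit priority (multiple of 4096) + 12-bit extended system ID (VLAN) + 48-bit MAC.
    The whole 64-bit value is compared; the lowest wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    mac_int = int(mac.replace(":", "").replace(".", ""), 16)
    return ((priority + vlan) << 48) | mac_int


def elect_root(bridges, vlan):
    """bridges: {name: (priority, mac)} -> name of the bridge with the lowest BID."""
    return min(bridges, key=lambda n: bridge_id(bridges[n][0], vlan, bridges[n][1]))


def port_number(port):
    """'Fa0/12' -> 12 (port priorities are assumed equal, so only the number counts)."""
    return int(port.rsplit("/", 1)[-1])


def root_ports(links, bridges, vlan, table):
    """links: [(bridge_a, port_a, bridge_b, port_b, speed_mbps)].
    Dijkstra from the root. Each candidate path is ranked by
    (root path cost, sender BID, sender port number), lowest first, which is
    the order STP uses when two paths tie. Returns {bridge: (cost, root_port)}."""
    root = elect_root(bridges, vlan)
    bid = {n: bridge_id(p, vlan, m) for n, (p, m) in bridges.items()}
    adj = {}
    for a, pa, b, pb, speed in links:
        adj.setdefault(a, []).append((b, pa, pb, table[speed]))  # a sends on pa, b receives on pb
        adj.setdefault(b, []).append((a, pb, pa, table[speed]))
    best = {root: (0, -1, -1, None)}        # (cost, sender BID, sender port, root port)
    heap = [(0, -1, -1, root)]
    while heap:
        cost, sbid, sport, node = heapq.heappop(heap)
        if (cost, sbid, sport) > best[node][:3]:
            continue                         # stale heap entry
        for nbr, sender_port, recv_port, link_cost in adj.get(node, []):
            key = (cost + link_cost, bid[node], port_number(sender_port))
            if nbr not in best or key < best[nbr][:3]:
                best[nbr] = key + (recv_port,)   # the receiving port becomes nbr's root port
                heapq.heappush(heap, key + (nbr,))
    return {n: (c, rp) for n, (c, _, _, rp) in best.items()}


# Constructed triangle; S3 is given a lower priority so that it wins the election.
BRIDGES = {
    "S1": (32768, "00:00:00:00:00:01"),
    "S2": (32768, "00:00:00:00:00:02"),
    "S3": (24576, "00:00:00:00:00:03"),
}
LINKS = [
    ("S1", "Fa0/1", "S2", "Fa0/1", 100),
    ("S2", "Fa0/2", "S3", "Fa0/1", 1000),
    ("S1", "Fa0/2", "S3", "Fa0/2", 100),
]

if __name__ == "__main__":
    print("root bridge:", elect_root(BRIDGES, 1))
    for name, (cost, rp) in root_ports(LINKS, BRIDGES, 1, COST_802_1D).items():
        print(f"{name}: root path cost {cost}, root port {rp}")
```

With default priorities everywhere, S1 would win on its lowest MAC; lowering S3's priority to 24576 is what makes it root, which is the same effect as the spanning-tree vlan X priority command described later in these notes.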

Timers and steps

BPDUs are sent every 2 seconds.

When a switch is started, its ports are set to blocking (receive only) until a BPDU is sent, at which point they go to the listening state.

When processing a BPDU, the port moves to the learning state.

Depending on the 4 steps shown above, it's then either set back to blocking, or to forwarding.

PVST (Per-VLAN Spanning Tree)

In PVST, a root bridge is elected for each spanning-tree instance. This makes it possible to have one root bridge per VLAN.

This is a proprietary implementation from Cisco.

show spanning-tree shows PVST-specific configuration.

Priority is changed with spanning-tree vlan X priority n*4096 in config mode.

We can also configure a switch to always adapt itself to be the root bridge: spanning-tree vlan X root primary.

Evolution of STP

There are many different STP versions: the regular one, PVST+ (Cisco), RSTP (provides faster convergence), 802.1D-2004 (implements IEEE 802.1w), Rapid PVST+, MSTP (multiple STP, imitates Cisco's PVST+), MST (Multiple ST).

RSTP merges the Disabled, Blocking, and Listening states into one single "Discarding" state: a quicker algorithm.

PVST+ offers two features, to be implemented on access interfaces (usually together):

  • PortFast allows us to exclude some interfaces from BPDU sending; no STP resolution means the interfaces are active as soon as they're turned on.
  • BPDU Guard is a security-oriented feature: when receiving a BPDU on a designated interface, the switch considers it an abnormal situation and puts the interface in an errored state.
    • Manual intervention on the switch is needed to re-enable the interface (shutdown followed by no shutdown).

Warning: enabling PortFast on a switch-to-switch connection may cause undesirable side effects.

On the interface config: spanning-tree bpduguard enable and spanning-tree portfast enable.
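The trunk hardening points from the VLAN trunks and DTP sections (native VLAN other than 1, an explicit allowed list, switchport nonegotiate) and the PortFast / BPDU Guard points above can be checked mechanically. The following audit script is an added example, not code from the original notes: it parses a constructed snippet of a running-config into interface stanzas and reports what is missing on each port. Interface names and VLAN numbers in the snippet are made up; the command strings it looks for are the ones that appear in these notes.

```python
"""Audit switch port configuration for the L2 hardening points in these notes.

Added example (not from the original gist). SAMPLE_CONFIG is a constructed
excerpt in Cisco IOS running-config style. For each interface the audit reports:
  - trunks still on native VLAN 1, still negotiating with DTP, or allowing all VLANs,
  - access ports without PortFast / BPDU Guard,
  - ports whose mode is negotiated by DTP (dynamic auto/desirable or no mode set).
"""

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,99
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/8
 switchport mode dynamic desirable
!
interface FastEthernet0/9
 description unused port
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for every interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None            # "!" or any top-level line closes the stanza
    return stanzas


def audit(config):
    """Return {interface: [issue strings]}; an empty list means nothing to report."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "trunk":
            native = next((l.split()[-1] for l in lines
                           if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                issues.append("trunk uses native VLAN 1")
            if "switchport nonegotiate" not in lines:
                issues.append("DTP still enabled on trunk (add `switchport nonegotiate`)")
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                issues.append("trunk allows all VLANs")
        elif mode == "access":
            if "spanning-tree portfast" not in lines:
                issues.append("access port without PortFast")
            if "spanning-tree bpduguard enable" not in lines:
                issues.append("access port without BPDU Guard")
        elif mode == "dynamic":
            issues.append("port mode negotiated via DTP (dynamic auto/desirable)")
        else:
            issues.append("no explicit switchport mode (DTP negotiation applies)")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for iface, issues in audit(SAMPLE_CONFIG).items():
        print(iface, "OK" if not issues else "; ".join(issues))
```

Run it against a real running-config saved to a file by replacing SAMPLE_CONFIG with the file's contents; the parser only relies on the one-space indentation IOS uses for interface sub-commands.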

Alternatives to STP

Nowadays, STP can be too archaic for modern networks; people might not want a cable that specifically won't be used.

There exist other methods, such as:

  • SPB (Shortest Path Bridging)
  • TRILL (Transparent Interconnect of Lots of Links)

Those look very similar to layer 3 path finding. They don't exist on all switches.

Another alternative is to have a network topology without loops.

For example, a hierarchical architecture with a loopless access layer: every access switch is connected to two L3 switches on the distribution layer. Loops are moved into the distribution layer, where only L3 routing is done (worst case, L3 packets have a TTL).

An edge port is a port at the very extremity of your network, directly linked to an end device (and not another switch).

EtherChannel

EtherChannel Operation

EtherChannel is a Cisco proprietary technology for link aggregation. Made to ensure STP doesn't break redundant links.

There are certain restrictions, such as 8 links per aggregate; they must be of the same type and configuration.

There are two possible aggregation negotiation protocols:

  • LACP (Link Aggregation Control Protocol)
    • 2 modes, active/passive
  • PAgP (Port Aggregation Protocol), Cisco proprietary
    • 2 modes, desirable/auto

Different possibilities:

PAgP

S1         S2              Channel Establishment
On         On              Yes
On         Desirable/Auto  No
Desirable  Desirable       Yes
Desirable  Auto            Yes
Auto       Desirable       Yes
Auto       Auto            No

LACP

S1         S2              Channel Establishment
On         On              Yes
On         Active/Passive  No
Active     Active          Yes
Active     Passive         Yes
Passive    Active          Yes
Passive    Passive         No

Configure EtherChannel

LACP

S1(config)# interface range FastEthernet 0/1 - 2
S1(config-if-range)# channel-group 1 mode active
Creating a port-channel interface Port-channel 1
S1(config-if-range)# exit
S1(config)# interface port-channel 1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 1,2,20

show etherchannel summary

DHCPv4

DHCPv4 Concepts

We usually only use DHCP for non-technical end devices; servers, for example, may still be statically addressed.

4 steps:

  1. Discover (broadcast)
  2. Offer (reply by the DHCP server, offers an address)
  3. Request (for the offered address, broadcast)
  4. Ack (confirms the address assignment)

When renewing a lease, only steps 3 and 4 are done, except the request is unicast this time.

A router can be a DHCP server, but also a client (for example when connecting to the ISP).

Configure a Cisco IOS DHCPv4 server

  1. Exclude IPv4 addresses (those which are meant to be static)
  2. Define a DHCPv4 pool name (a pool can't be defined on a range, which is why we must exclude)
  3. Configure the DHCPv4 pool

R1(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.9
R1(config)# ip dhcp excluded-address 192.168.10.254
R1(config)# ip dhcp pool LAN-POOL-1
R1(dhcp-config)# network 192.168.10.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.10.1
R1(dhcp-config)# dns-server 192.168.11.5
R1(dhcp-config)# domain-name example.com
R1(dhcp-config)# end
R1#

Exclusion must be done first, because the DHCP server starts immediately once the pool is configured.

Check all leases with show ip dhcp binding and stats with show ip dhcp server statistics (it's a stateful DHCP server, so it keeps the bindings).

Routers can also be configured as DHCP relays in order to forward, as unicast, the broadcast message from one subnet to a DHCP server in another subnet.

R1(config)# interface g0/0/0
R1(config-if)# ip helper-address 192.168.11.6
R1(config-if)# end
R1#

This will allow end devices on g0/0/0 to receive DHCP replies from the server at 192.168.11.6.

Cisco router as a DHCP client

For a SOHO (Small Office Home Office) router connecting to the internet:

SOHO(config)# interface G0/0/1
SOHO(config-if)# ip address dhcp
SOHO(config-if)# no shutdown
Sep 12 10:01:25.773: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0/1 assigned DHCP address 209.165.201.12, mask 255.255.255.224, hostname SOHO

SLAAC and DHCPv6

On IPv6, there are more technologies for addressing, such as DHCPv6 and SLAAC.

2 types of addresses:

  • GUA: Global unicast address (starts with either 2 or 3)
    • Can be reached from anywhere on the internet
  • LLA: Link-local address (fe80::)
    • Only valid within a local network
    • Self-assigned, can't be routed
    • When followed by a %X, X represents the network interface number.

There are three RA (Router Advertisement) message flags:

  • A flag: Address autoconfiguration flag. Use SLAAC (Stateless Address Autoconfiguration) to create an IPv6 GUA;
  • O flag: Other configuration flag. Other information is provided by a stateless DHCPv6 server;
  • M flag: Managed address configuration flag. Use a stateful DHCPv6 server to obtain an IPv6 GUA.

The router uses these flags to define how addressing is configured; IPv6 configuration changes depending on the flags.

The router replies with an RA whenever it receives an RS (Router Solicitation, a multicast message) from an end device.

For SLAAC with stateless DHCPv6, for example, both the A and O flags are set. Stateless DHCP servers don't assign an IP; they merely provide additional config, which is why the O flag is always accompanied by the A flag. The O flag indicates a possibility, not an obligation.

Reminder: ff02::2 is the all-routers multicast address, ff02::1 is the all-nodes multicast group, and ff02::1:2 represents all DHCPv6 servers.
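The three flags above live at fixed bit positions in the ICMPv6 Router Advertisement: M and O in the header byte after the current hop limit, A in the Prefix Information option (type 3). The following added example (not code from the original notes) builds a minimal RA from those flags, decodes it back, and maps the flag combination to the host behaviour the notes describe. Offsets follow RFC 4861; the prefix, lifetimes and hop limit are constructed values, and the checksum is left at zero since nothing is sent on the wire.

```python
"""Encode and decode the M, O and A flags of an ICMPv6 Router Advertisement.

Added example, not part of the original notes. Layout per RFC 4861:
RA header = type(134), code, checksum, cur hop limit, flags (M=0x80, O=0x40),
router lifetime, reachable time, retrans timer (16 bytes). The A flag (0x40)
sits in the Prefix Information option (type 3, 32 bytes). Values are constructed.
"""
import struct
import ipaddress

RA_TYPE = 134
OPT_PREFIX_INFO = 3


def build_ra(managed, other, autonomous, prefix="2001:db8:acad:1::", prefix_len=64):
    """Assemble an RA with one Prefix Information option (checksum left at 0)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    pio_flags = 0x80 | (0x40 if autonomous else 0)      # L (on-link) + A (autonomous)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, pio_flags,
                         2592000, 604800, 0)             # length is in 8-byte units
    option += ipaddress.IPv6Address(prefix).packed
    return header + option


def parse_ra(data):
    """Return the M/O flags, the A flag (any prefix), and the advertised prefixes."""
    if len(data) < 16:
        raise ValueError("truncated RA")
    msg_type, _code, _csum, _hop, flags, _life, _reach, _retrans = struct.unpack("!BBHBBHII", data[:16])
    if msg_type != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    result = {"M": bool(flags & 0x80), "O": bool(flags & 0x40), "A": False, "prefixes": []}
    off = 16
    while off + 2 <= len(data):                 # walk the TLV options
        otype, olen = data[off], data[off + 1]
        if olen == 0 or off + olen * 8 > len(data):
            raise ValueError("bad option length")
        if otype == OPT_PREFIX_INFO:
            plen, pflags = data[off + 2], data[off + 3]
            prefix = ipaddress.IPv6Address(data[off + 16:off + 32])
            autonomous = bool(pflags & 0x40)
            result["A"] = result["A"] or autonomous
            result["prefixes"].append((f"{prefix}/{plen}", autonomous))
        off += olen * 8
    return result


def host_behaviour(ra):
    """What a host does with these flags, following the cases in the notes."""
    if ra["M"]:
        return "stateful DHCPv6 for the GUA"
    if ra["A"] and ra["O"]:
        return "SLAAC for the GUA + stateless DHCPv6 for other config"
    if ra["A"]:
        return "SLAAC only"
    return "no address configuration advertised"


if __name__ == "__main__":
    for m, o, a in [(False, False, True), (False, True, True), (True, False, False)]:
        ra = parse_ra(build_ra(m, o, a))
        print(f"M={ra['M']} O={ra['O']} A={ra['A']} -> {host_behaviour(ra)}")
```

The same decoder, pointed at bytes captured from a real link, shows whether a router is advertising the flags you expect; an unexpected RA with M or A set from an unknown source is the sign of a rogue router advertisement on the segment.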

SLAAC

A DHCPv6 server is not always needed. SLAAC allows end devices to create their own unique IPv6 GUA.

SLAAC uses ICMPv6 RA messages to provide addressing and other configuration normally provided by DHCP servers.

When enabling IPv6 routing, the router joins the ff02::2 multicast group, meaning it's able to receive RS messages. By default, routers are set to SLAAC only (A flag), so no further configuration is required.

R1(config)# ipv6 unicast-routing
R1(config)# exit
R1#

To generate an IPv6 address by itself using SLAAC, the preferred method is for end devices to randomly generate the last 64 bits of the IPv6 address, and regularly renew it.

DAD (Duplicate Address Detection) lets hosts ask their neighbors if an IPv6 address is already in use, through ICMPv6 NS (Neighbor Solicitation) messages.

Another, legacy method for generating IPv6 addresses is EUI-64, which uses the 48 bits of the MAC address to generate the interface ID bits. This creates a security risk: the MAC address is contained in the IPv6 address. These addresses can be recognized by the ff:fe pattern in the middle of the address' second half (inserted in order to go from 48 bits to 64 bits).
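To make the EUI-64 risk concrete, here is an added example (not code from the original notes) that derives an EUI-64 address from a MAC and, in the other direction, recovers the MAC from any address that carries the ff:fe marker. The MAC address and the /64 prefix are constructed; the transformation (flip the universal/local bit of the first byte, insert fffe between the two halves of the MAC) is the standard EUI-64 procedure.

```python
"""EUI-64: derive an IPv6 interface ID from a MAC, and recover the MAC from it.

Added example, not part of the original notes. The MAC address and prefix are
constructed. The point: with EUI-64 the hardware address is readable from the
GUA, and the ff:fe marker makes such addresses easy to spot in logs.
"""
import ipaddress


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit interface ID: flip the U/L bit, insert ff:fe in the middle."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", "")))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    raw[0] ^= 0x02                               # universal/local bit of the first byte
    return bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID of the given MAC."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def is_eui64(addr):
    """True when the interface ID carries the ff:fe marker at bytes 3-4."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"


def mac_from_eui64(addr):
    """Return the embedded MAC as a string, or None if the address is not EUI-64 shaped."""
    if not is_eui64(addr):
        return None
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    iid[0] ^= 0x02                               # undo the U/L bit flip
    raw = bytes(iid[:3]) + bytes(iid[5:])
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    addr = eui64_address("2001:db8:acad:1::/64", "00:1b:77:12:34:56")
    print(addr)                                  # the MAC is visible in the last 64 bits
    print(mac_from_eui64(str(addr)))
```

Privacy extensions (the random interface IDs the notes recommend) produce addresses for which mac_from_eui64 returns None, which is one quick way to tell which hosts on a segment still expose their hardware address.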

DHCPv6

Stateless DHCPv6 servers only provide additional, shared network configuration information (such as DNS addresses).

Stateless config steps:

  1. PC: Router Solicitation
  2. R1: Router Advertisement (with the O flag)
  3. PC: Solicit to all DHCPv6 servers
  4. DHCP: Advertise (unicast)
  5. PC: Request or Information-request (unicast, depending on stateful or stateless)
  6. DHCP: Reply (unicast)

Configure stateless DHCPv6:

R1(config)# ipv6 unicast-routing
R1(config)# 

Configure the DHCPv6 pool

R1(config)# ipv6 dhcp pool IPV6-STATELESS
R1(config-dhcpv6)#
R1(config-dhcpv6)# dns-server 2001:db8:acad:1::254
R1(config-dhcpv6)# domain-name example.com
R1(config-dhcpv6)# exit
R1(config)#

The pool name is arbitrary.

Bind the DHCPv6 pool to an interface. We must do this to let the router know which pool to serve (contrary to IPv4, where we could define the network in the DHCP config).

R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# description Link to LAN
R1(config-if)# ipv6 address fe80::1 link-local
R1(config-if)# ipv6 address 2001:db8:acad:1::1/64
R1(config-if)# ipv6 nd other-config-flag
R1(config-if)# ipv6 dhcp server IPV6-STATELESS
R1(config-if)# no shut
R1(config-if)# end
R1#

The only thing that makes it stateless is the ipv6 nd other-config-flag command.

A router can also be a client:

R3(config)# ipv6 unicast-routing
R3(config)# interface g0/0/1
R3(config-if)# ipv6 enable
R3(config-if)# ipv6 address autoconfig
R3(config-if)# end
R3# show ipv6 interface brief

Configure stateful DHCPv6:

4 steps:

  1. Enable IPv6 routing

R1(config)# ipv6 unicast-routing
R1(config)#

  2. Define a DHCPv6 pool name

R1(config)# ipv6 dhcp pool IPV6-STATEFUL
R1(config-dhcpv6)#

The pool name is arbitrary.

  3. Configure the DHCPv6 pool

R1(config-dhcpv6)# address prefix 2001:db8:acad:1::/64
R1(config-dhcpv6)# dns-server 2001:4860:4860::8888
R1(config-dhcpv6)# domain-name example.com
R1(config-dhcpv6)#

  4. Bind the pool to an interface

R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# description Link to LAN
R1(config-if)# ipv6 address fe80::1 link-local
R1(config-if)# ipv6 address 2001:db8:acad:1::1/64
R1(config-if)# ipv6 nd managed-config-flag
R1(config-if)# ipv6 nd prefix default no-autoconfig
R1(config-if)# ipv6 dhcp server IPV6-STATEFUL
R1(config-if)# no shut
R1(config-if)# end
R1#

The router should now be able to act as a DHCPv6 server.

It can also be a stateful client.

R3(config)# ipv6 unicast-routing
R3(config)# interface g0/0/1
R3(config-if)# ipv6 enable
R3(config-if)# ipv6 address dhcp
R3(config-if)# end
R3# show ipv6 interface brief

Troubleshooting

You can check the DHCPv6 configuration with show ipv6 dhcp pool and show ipv6 dhcp binding.

When a server is stateful, it maintains a database of assigned GUAs in its bindings.

IPv6 relay agent

When configuring a relay agent, we have to define the IPv6 address of the DHCPv6 server. If that address is an LLA, we must also define the egress interface of the relay, so the router knows on which network it is.

R1(config)# interface gigabitethernet 0/0/1
R1(config-if)# ipv6 dhcp relay destination 2001:db8:acad:1::2 G0/0/0
R1(config-if)# exit
R1(config)#

You must also set the proper ND flags on the interface.

Check the config with show ipv6 dhcp interface, show ipv6 dhcp binding, and ipconfig /all (on end devices).

FHRP Concepts

FHRP Protocols

First Hop Redundancy Protocol. The first hop is the first router you encounter: the default gateway.

Default gateways represent a single point of failure; FHRPs are intended to solve this by assigning two routers to the same virtual address, one active router and one standby router.

The routers send each other Hello messages.

Steps for failover:

  1. The standby router stops seeing Hello messages from the forwarding router;
  2. It assumes the role of the forwarding router;
  3. Both the IPv4 and MAC addresses are virtualized (not the case in VRRP).

There are multiple FHRP options depending on the technology used:

  • HSRP (Hot Standby Router Protocol)
    • Cisco proprietary FHRP for transparent failover
  • HSRP for IPv6
  • VRRPv2 (Virtual Router Redundancy Protocol v2)
  • VRRPv3
  • GLBP (Gateway Load Balancing Protocol)
  • GLBP for IPv6
  • IRDP (ICMP Router Discovery Protocol)

HSRP

Hot Standby Router Protocol, a proprietary Cisco protocol: at any point in time, there is only one forwarding router.

We set both routers to the same virtual IP address.

standby [group] priority [value] allows us to define the priority of the router, from 0 to 255 (100 by default). When the priority is the same, IPv4 addresses are compared.

Preemption is enabled with standby [group] preempt. This lets the active role move to the highest-priority router, which allows a router to recover the active status after it goes down and comes back up.

HSRP states and timers:

  • Initial: on a configuration change or when an interface first becomes available;
  • Learn: hasn't determined the virtual IP address, hasn't seen a Hello message;
  • Listen: knows the virtual IP address, is neither active nor standby, listens for Hello messages;
  • Speak: sends periodic Hello messages and participates in the election of the active/standby router;
  • Standby: candidate to become the next active router; sends periodic Hello messages;
  • Active: won the election.

Hello messages are sent every 3 seconds; if no Hello message has been received within 10 seconds, the standby router assumes the active router role.

LAN Security Concepts

Endpoint security

Network attacks today:

  • DDoS
    • With zombie machines
    • With DNS/NTP amplification, masquerading as the target when sending the request
  • Data Breach
  • Malware

Cloudflare's blog regularly publishes reports on recent DDoS attacks.

To work securely on a remote network, we can use a VPN-Enabled Router.

There are NGFW/NGIPS (Next Generation FireWalls/Intrusion Prevention Systems) which allow stateful packet inspection.

NAC (Network Access Control) technologies allow AAA (Authentication, Authorization and Accounting) services on a network.

Cisco security appliances can be sold both as software and hardware modules.

  • ESA (Email Security Appliance);
  • WSA (Web Security Appliance);
    • In order to inspect traffic, the WSA presents its own certificate so it can decrypt HTTPS traffic and analyse it;
    • Those certificates are self-signed, so they must be trusted by the browsers on the end devices;
      • Can be done using internal group policies.

Those two are often attack vectors on enterprise networks.

Access control

Authentication with a local password: telnet

R1(config)# line vty 0 4
R1(config-line)# password ci5c0
R1(config-line)# login

SSH

R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# username Admin secret Str0ng3rPa55w0rd
R1(config)# ip ssh version 2
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local

(It's also important for clients to authenticate the server: if the server certificate changes suddenly, it might be a case of spoofing by a bad actor.)

The issue with a local database is the lack of scalability in larger enterprises with many devices to administer.

AAA components: Authentication, Authorization, Accounting.

Accounting can allow for viable rollbacks.

802.1X allows for authentication between an end device and a switch. This is low-level authentication, which if failed, locks the device out of the port itself.

L2 Security threats

| Category | Examples |
|---|---|
| MAC Table Attacks | Includes MAC address flooding attacks. |
| VLAN Attacks | Includes VLAN hopping and VLAN double-tagging attacks. It also includes attacks between devices on a common VLAN. |
| DHCP Attacks | Includes DHCP starvation and DHCP spoofing attacks. |
| ARP Attacks | Includes ARP spoofing and ARP poisoning attacks. |
| Address Spoofing Attacks | Includes MAC address and IP address spoofing attacks. |
| STP Attacks | Includes Spanning Tree Protocol manipulation attacks. |

Those risks have mitigation techniques

| Solution | Description |
|---|---|
| Port Security | Prevents many types of attacks including MAC address flooding attacks and DHCP starvation attacks. |
| DHCP Snooping | Prevents DHCP starvation and DHCP spoofing attacks. |
| Dynamic ARP Inspection (DAI) | Prevents ARP spoofing and ARP poisoning attacks. |
| IP Source Guard (IPSG) | Prevents MAC and IP address spoofing attacks. |

MAC Address Table Attack

Switches have a limit of 132k addresses, but a MAC flooding tool (macof, for example) can fill the table quickly by generating frames with a different source MAC address every time.

When flooded, the switch realizes it's not a normal situation and sets itself in a security mode, ignoring its MAC table and acting like a hub.

Port security allows us to mitigate MAC address table flooding.

VLAN and DHCP attacks

VLAN hopping attacks allow traffic from one VLAN to be seen by another VLAN without needing a router. This is done by abusing DTP in order to set up unwanted trunks.

A way to avoid them is to simply disable DTP.

Double tagging is another attack vector, it has multiple prerequisites:

  • The attacker must know on which VLAN he is located, which end devices normally can't determine;
  • The VLAN the attacker is in has to be the native VLAN;
  • The attacker must know the VLAN the target is in.

With these conditions met, the attacker creates a malformed frame carrying two VLAN identifiers: his own and the target's. When the switch receives it, it processes it as coming from its port's VLAN. Because that is the native VLAN, the switch removes the attacker's VLAN tag, which leaves a properly formed frame that now targets the end device.

In short, the first switch is tricked into stripping the first VLAN tag (the native VLAN), and the second switch then sees a normally tagged frame, as only the target VLAN remains.

This attack can be completely prevented with proper native VLAN configuration, setting it to a VLAN number that is never used in the network.

DHCP starvation creates a DoS for connecting clients, using tools such as Gobbler.

Gobbler looks at the entire leasable IP scope and tries to lease them all.

DHCP spoofing consists of introducing a rogue DHCP server to the network, which provides false configuration either for DoS or for more malicious purposes:

  • Wrong default gateway - The rogue server provides an invalid gateway or the IP address of its host to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network.
  • Wrong DNS server - The rogue server provides an incorrect DNS server address pointing the user to a nefarious website.
  • Wrong IP address - The rogue server provides an invalid IP address effectively creating a DoS attack on the DHCP client.

The attack is successful if the attacker's DHCP offer reaches the end device first.

This can be countered by configuring the switch with packet-analysis technology.

DHCP snooping allows us to define which interfaces link to "trusted" DHCP servers (and thus define interfaces that shouldn't receive DHCP offers).

ARP attacks.

ARP is a very simple L2 protocol based on trust. It is possible to broadcast unsolicited ARP announcements, called "gratuitous ARP" (in legitimate settings, load balancers use them); attackers can abuse this mechanism.

By using gratuitous ARP, attackers are able to remap IPv4 addresses to MAC addresses. This kind of spoofing gives them control over traffic.

OSes can be configured to ignore ARP broadcasts, but it's better to configure DAI (Dynamic ARP Inspection) on the switch.

DAI builds an IP-MAC mapping over time, and blocks frames with a bad mapping.

Address Spoofing attacks.

Done by sending frames with a forged source MAC address.

IP and MAC address spoofing is mitigated by implementing IPSG (IP Source Guard) on the switch. A knowledge database is built, the switch then drops every mismatched frame (works better on stable networks).

STP attacks.

A lot of trust is given to the root bridge: posing as the root bridge allows an attacker to spy on, and modify, a lot of traffic.

Solved by using PortFast and BPDUGuard.

CDP (Cisco Discovery Protocol) reconnaissance: CDP lets Cisco devices discover each other. Because this protocol reveals a lot of information, it's better to disable it on certain parts of the network.

Discovery protocols in general talk a lot to the network.

Switch Security Configuration

Implement port security

Secure unused ports

Layer 2 devices are the weakest link in the security infrastructure, so unused ports must be secured. Interfaces can be turned off with the shutdown command. Using interface range commands, we can shut down many interfaces at once and move them to an unused "storage" VLAN.

Mitigate MAC address table attacks

We can use Port Security to limit the maximum number of MAC addresses a switch can learn. This limit is applied per port.

Enable Port Security

S1(config)# interface f0/1
S1(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# end
S1#

This only works for interfaces in access mode (since trunk/dtp interfaces can expect a lot of traffic).

We can use show port-security interface XXXX to see the maximum number of MAC addresses; it also gives other information such as the violation mode, the aging time and aging type (the threshold for forgetting addresses), the security violation count, etc.

All of those can be configured per interface by giving more information in the switchport port-security command.

One way for a switch to forget all the addresses learned on a port (except the ones defined statically) is to unplug the port.

switchport port-security mac-address sticky makes the switch automatically store all learned MAC addresses in the running-config; that way, intruders can't bypass port security by just unplugging the port.

Consult all learnt addresses with show port-security address.

Port security violation modes

  • shutdown: the port is put in the error-disabled state (default mode)
  • restrict: only drops the extra frames, still processes authorized ones, executes logging
  • protect: least secure, same as restrict but without logging
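The per-port behaviour described in this section, as an added example written for these notes (not Cisco code): a model of one access port with a MAC limit, sticky learning and the three violation modes, including what survives when the cable is unplugged. The class, port names, MAC addresses and log entries are constructed (the log strings are not IOS syslog format).

```python
"""Model of switchport port-security on one access port: address limit,
sticky learning and the three violation modes. Added illustration for
these notes, not Cisco code; names and log entries are invented here."""


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", sticky=False, static=()):
        self.name = name
        self.maximum = maximum            # switchport port-security maximum <n>
        self.violation = violation        # "shutdown" (default), "restrict" or "protect"
        self.sticky = sticky              # switchport port-security mac-address sticky
        self.secure_macs = set(static)    # static + learned secure addresses
        self.saved_macs = set(static)     # what survives a link flap: static and sticky
        self.err_disabled = False
        self.violation_count = 0
        self.log = []                     # constructed log entries, not IOS syslog format

    def receive(self, src_mac):
        """Handle one ingress frame; return True if forwarded, False if dropped."""
        if self.err_disabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)          # dynamically learned secure address
            if self.sticky:
                self.saved_macs.add(src_mac)       # written into running-config
            return True
        # Unknown address beyond the maximum: security violation
        if self.violation == "shutdown":
            self.violation_count += 1
            self.err_disabled = True               # port goes err-disabled, needs shut/no shut
            self.log.append(f"{self.name}: violation from {src_mac}, port err-disabled")
        elif self.violation == "restrict":
            self.violation_count += 1              # dropped, counted and logged
            self.log.append(f"{self.name}: violation from {src_mac}, frame dropped")
        # "protect": dropped silently, nothing counted or logged
        return False

    def link_flap(self):
        """Cable unplugged and plugged back: only static and sticky addresses remain."""
        self.secure_macs = set(self.saved_macs)

    def recover(self):
        """Operator does shutdown / no shutdown on an err-disabled port."""
        self.err_disabled = False
        self.link_flap()


def demo():
    """Constructed walk-through of the three modes, plus sticky vs non-sticky."""
    results = {}
    for mode in ("shutdown", "restrict", "protect"):
        p = SecurePort("Fa0/1", maximum=1, violation=mode)
        results[mode] = (p.receive("0011.2233.4455"),   # first host, learned
                         p.receive("0066.7788.99aa"),   # second host, violation
                         p.receive("0011.2233.4455"),   # first host again
                         p.violation_count, p.err_disabled)
    plain, sticky = SecurePort("Fa0/2"), SecurePort("Fa0/3", sticky=True)
    for p in (plain, sticky):
        p.receive("0011.2233.4455")
        p.link_flap()
        results[p.name] = p.receive("0066.7788.99aa")  # does a new host get in after a flap?
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In shutdown mode the first violation takes the whole port down, so even the legitimate host is cut off until an operator recovers the port; restrict and protect keep the legitimate host working and only differ in whether the violation is counted and logged. The last two entries show why sticky matters: on Fa0/2 a link flap clears the learned address and the next host is simply learned, on Fa0/3 the sticky address is retained and the new host is rejected.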

Verify port security

You can show the running config of a specific interface to get all of its port security configuration.

show run interface XXXX

However, if an accepted MAC address is known by the attacker, he can easily spoof it on his device.

Mitigate VLAN attacks

Done in multiple steps:

  1. Disable DTP on non-trunking ports by setting them to access mode;
  2. Disable unused ports and put them in an unused VLAN;
  3. Manually enable the trunk link on trunking ports;
  4. Disable DTP on trunking ports with switchport nonegotiate;
  5. Set the native VLAN to a VLAN other than 1.

S1(config)# interface range fa0/1 - 16
S1(config-if-range)# switchport mode access
S1(config-if-range)# exit
S1(config)# 
S1(config)# interface range fa0/17 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 1000
S1(config-if-range)# shutdown
S1(config-if-range)# exit
S1(config)# 
S1(config)# interface range fa0/21 - 24
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# switchport trunk native vlan 999
S1(config-if-range)# end
S1#

Mitigate DHCP attacks

This is implemented at the switch level: DHCP snooping lets the switch define some ports as trusted, and DHCP server replies (offers, acknowledgements) arriving on any other port are dropped.

S1(config)# ip dhcp snooping
S1(config)# interface f0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)# interface range f0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# exit
S1(config)# ip dhcp snooping vlan 5,10,50-52
S1(config)# end
S1#

This sets f0/1 as trusted and limits the untrusted ports f0/5 - 24 to 6 DHCP messages per second.

show ip dhcp snooping

DHCP snooping is necessary for other security options (DAI and IPSG).

Mitigate ARP attacks

DHCP snooping is required.

S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config)# ip arp inspection vlan 10
S1(config)# interface fa0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust

We can trust some technical interfaces (for example between switch and port) so that DAI isn't performed on them, which reduces the load on the switch.

There is also a legitimate technique called proxy ARP, which consists of (non-maliciously) responding to ARP messages that weren't addressed to us.
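The DHCP snooping and DAI/IPSG configurations above, as one added example written for these notes (not Cisco code): a model of a switch that filters DHCP traffic by port trust and rate, builds a binding table from acknowledged leases, and then uses that table to validate ARP senders (DAI) and IP sources (IPSG) on untrusted ports. The class, port names, MAC addresses, IP addresses and message names are constructed; for simplicity one trusted-port set serves both DHCP snooping and DAI.

```python
"""Model of DHCP snooping building a binding table that DAI and IP Source Guard
then enforce on untrusted ports. Added illustration for these notes, not Cisco
code; message names, ports and addresses are constructed."""
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only legitimate on trusted ports


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit=6):
        self.trusted = set(trusted_ports)   # ip dhcp snooping trust / ip arp inspection trust
        self.rate_limit = rate_limit        # ip dhcp snooping limit rate <pps>
        self.bindings = {}                  # (vlan, mac) -> Binding, the snooping binding table
        self.pending = {}                   # (vlan, mac) -> port of the client's last request
        self.pps = {}                       # (port, second) -> DHCP packets seen
        self.dropped = []                   # (reason, port, detail) for later inspection

    def dhcp(self, port, vlan, msg_type, client_mac, assigned_ip=None, second=0):
        """Filter one DHCP message; return True if it is forwarded."""
        if port not in self.trusted:
            self.pps[(port, second)] = self.pps.get((port, second), 0) + 1
            if self.pps[(port, second)] > self.rate_limit:
                self.dropped.append(("rate-limit", port, msg_type))   # starvation defence
                return False
            if msg_type in SERVER_MESSAGES:
                self.dropped.append(("rogue-server", port, msg_type))  # spoofing defence
                return False
            if msg_type in ("DISCOVER", "REQUEST"):
                self.pending[(vlan, client_mac)] = port
        if msg_type == "ACK" and assigned_ip:
            client_port = self.pending.get((vlan, client_mac))
            if client_port:   # lease confirmed by a trusted server: record the binding
                self.bindings[(vlan, client_mac)] = Binding(client_mac, assigned_ip, vlan, client_port)
        return True

    def _bound(self, port, vlan, mac, ip):
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.port == port

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the sender MAC/IP pair must match a snooping binding."""
        if port in self.trusted or self._bound(port, vlan, sender_mac, sender_ip):
            return True
        self.dropped.append(("dai", port, f"{sender_mac} claims {sender_ip}"))
        return False

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: the same check applied to the source of every IP packet."""
        if port in self.trusted or self._bound(port, vlan, src_mac, src_ip):
            return True
        self.dropped.append(("ipsg", port, f"{src_mac} sends as {src_ip}"))
        return False


def demo():
    """Constructed scenario on VLAN 10: one client, one real server, one rogue server."""
    sw = SnoopingSwitch(trusted_ports={"Fa0/24"})
    client, rogue = "0011.2233.4455", "00de.adbe.ef00"
    r = {}
    r["discover"] = sw.dhcp("Fa0/5", 10, "DISCOVER", client)
    r["rogue_offer"] = sw.dhcp("Fa0/7", 10, "OFFER", client, "10.1.10.200")   # untrusted port
    r["real_offer"] = sw.dhcp("Fa0/24", 10, "OFFER", client, "10.1.10.50")
    sw.dhcp("Fa0/5", 10, "REQUEST", client)
    sw.dhcp("Fa0/24", 10, "ACK", client, "10.1.10.50")
    r["binding"] = sw.bindings[(10, client)]
    r["arp_ok"] = sw.arp("Fa0/5", 10, client, "10.1.10.50")
    r["arp_gateway_spoof"] = sw.arp("Fa0/5", 10, client, "10.1.10.1")       # wrong IP
    r["arp_unknown_host"] = sw.arp("Fa0/7", 10, rogue, "10.1.10.50")        # no binding
    r["ipsg_spoof"] = sw.ip_packet("Fa0/5", 10, client, "10.1.10.99")
    r["starvation"] = [sw.dhcp("Fa0/8", 10, "DISCOVER", f"0000.0000.{i:04x}", second=1)
                       for i in range(8)]   # 8 discovers in one second on one port
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The binding table is the reason the notes say DHCP snooping is a prerequisite for DAI and IPSG: without a recorded lease there is nothing to compare an ARP sender or an IP source against, which is also why these features are less practical on networks with many static addresses.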

Mitigate STP attacks

PortFast and BPDU Guard.

PortFast is mostly for optimization, BPDU Guard is for security.

Both can be enabled individually on each interface.

S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# spanning-tree portfast
S1(config-if)# exit
S1(config)# interface fa0/1
S1(config-if)# spanning-tree bpduguard enable
S1(config-if)# exit

show running-config | begin span

But we can also activate both at once for every access interface.

S1(config)# spanning-tree portfast bpduguard default

WLAN Concepts

WLAN != WAN, common mistake.

Different types of Wireless networks:

  • WPAN: Personal (ex: bluetooth)
  • WLAN: Local (Wi-Fi)
  • WMAN: Metropolitan (a few square kilometers, for cities, 3G/4G)
  • WWAN: Wide (Global scale)

Wireless technologies

  • Bluetooth: IEEE 802.15 WPAN standard using a pairing process
    • BLE (Bluetooth Low Energy) Supports multiple network technologies;
    • Bluetooth Basic Rate/Enhanced Rate for audio streaming;
  • WiMAX: Worldwide Interoperability for Microwave Access, WiFi at the scale of a city, requires an antenna;
  • Cellular Broadband: 3G/4G/5G
  • Satellite Broadband: Network access to remote sites through precisely positioned geostationary satellites.

802.11 standards.

WiFi versions are defined by IEEE 802.11 standards. Variants (letters added after the number) change the specs (e.g. 802.11ax is WiFi 6, released in 2019, and supports 2.4GHz and 5GHz; WiFi 6E adds a 6GHz frequency band).

WiFi frequency bands aren't regulated.

Not all frequencies are equal, frequency is inversely proportional to wavelength, and lower frequencies have higher penetration (5G is very sensitive to obstacles). Mobile operators prefer to use lower frequencies to have higher coverage, but those are highly contested, making the frequency bands very small.

The ANFR website has a frequency chart showing how frequency bands are organized. Only certain bands are standardized at the EU level; most are still allocated per country. This agency can also intervene whenever someone uses an illegal amplifier or a jammer.

https://www.cartoradio.fr is also a good mapping resource.

wLAN components

In order to do WiFi, a wireless NIC is needed, those are composed of the interface, and an antenna (most devices don't have a visible antenna, they are embedded inside the devices).

Wireless home routers can serve multiple roles:

  • Access point: just 802.11 WiFi
  • Switch: provides a four-port, full-duplex, 10/100/1000 Ethernet switch
  • Router: provides the default gateway

Access points can be autonomous (manual AP configuration) or controller-based. A WLAN controller provides communication to the APs, allows us to centralize configuration on a single device, we don't have to (and can't) configure the access points manually.

There are multiple types of antennas:

  • Omnidirectional
    • 360° horizontal coverage (very poor vertical reception, only a 120° azimuth);
  • Directional
    • Stronger, but unidirectional;
  • MIMO (Multiple Input Multiple Output)
    • Multiple antennas to increase bandwidth.

WLAN operations

802.11 Wireless Topology Modes:

  • Ad hoc
    • P2P between two devices without an AP or router. Referred to as an IBSS (Independent Basic Service Set);
  • Infrastructure mode
    • Clients interconnect via a wireless router or AP (like in WLANs); the APs themselves are wired;
  • Tethering: ad hoc variation, when cellular data of a mobile device is used to create a hotspot.

Those topologies are exclusive, we can't be in infrastructure and ad hoc mode at the same time with just one NIC.

There are two topologies building blocks:

  • BSS (Basic Service Set)
    • single AP interconnecting all wireless clients, the coverage areas is called BSA (Basic Service Area). The MAC address of the AP identifies the BSS, it's called BSSID;
  • ESS (Extended Service Set)
    • Two BSSs can be joined through a DS (Distribution System), forming an ESS. Each ESS is identified by an SSID. The same settings are used, allowing clients to contact clients in other BSAs, and their connection is uninterrupted as they move between BSAs.

802.11 frame structure.

802.11 is an L2 standard.

  • Header
    • Frame Control
    • Duration
    • Address1
    • Address2
    • Address3
    • Sequence control
    • Address4
  • Payload
  • FCS

Unlike wired frames, we don't know where the AP is physically located.

When sent from the client, the addresses are the following:

  1. MAC of the AP
  2. MAC of the sender
  3. MAC of the destination, wireless or wired

When sent from the AP:

  1. MAC of the sender
  2. MAC of the AP
  3. MAC of the wireless destination
  4. (Usually missing, only used in ad hoc mode)

WLANs are half-duplex, making it impossible to detect a collision on a shared medium.

To resolve this, CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) allows hosts to communicate on different, smaller, frequency bands.

Wireless clients communicate with multiple APs, but they truly "associate" with the one providing the best quality of connection.

There are two discovery modes:

  • Passive
    • When connecting to an AP, we have the list of all available networks, APs regularly send Beacon frames to announce themselves;
  • Active
    • The client must know the SSID. It broadcasts a probe request frame on multiple channels, including SSID name and supported standards;
    • A client can send a probe request without SSID names, APs configured to broadcast beacon frames will reply and name themselves, those configured to not broadcast beacons will stay quiet.

CAPWAP operations

IEE standard protocol allowing a WLC to manage multiple APs. It's an encapsulation technology allowing two distinct DTLS-protected kinds of traffic.

  • CAPWAP control: Management traffic for the WLC to configure APs
  • CAPWAP data: traffic for user data

DTLS is a secure Datagram (L2 UDP) encryption standard.

FlexConnect APs: lets you configure and control access points in a remote office through a WAN link.

Channel management

We cut up frequency bands into smaller increments called channels.

To avoid frequency channel saturation, we use:

  • DSSS (Direct-Sequence Spread Spectrum)
    • Spread a strong signal over a larger frequency band;
  • FHSS (Frequency-Hopping Spread Spectrum)
    • Rapidly switches the signal frequency until a successful communication occurs;
  • OFDM (Orthogonal Frequency-Division Multiplexing)
    • Subset of frequency division multiplexing. A resource-distribution method where subchannels are dedicated to different clients.

Those technologies can be mixed together.

When using multiple APs, it's important to select channels with as little overlap as possible (2.5GHz offers 11 different 22MHz channels, 3 of which have no overlap; 5GHz has many more channels).

WLAN threats

DoS attacks can be done intentionally or unintentionally using jammers.

A rogue access point can capture L2 traffic if users unwittingly connect to it.

MITM attacks are facilitated by the nature of wireless connections; the attacker needs to be able to decrypt L2 traffic.

Secure WLANs

SSID Cloaking consists of disabling SSID (beacon frames) broadcast.

MAC address filtering allows administrator to blacklist/whitelist access based on MAC addresses.

802.11 Original Authentication Methods.

There are open networks where no WiFi authentication is needed, but a higher-level authentication is still needed (like captive portals in airports, restaurants, etc.).

Shared key authentication provides certain mechanisms:

  • WEP: cracked long ago
  • WPA: also cracked
  • WPA2: has some security flaws
    • Personal: intended for SOHO;
    • Enterprise: intended for enterprise networks, requires a RADIUS server to uniquely authenticate clients;
      • A shared secret allows secure communication between AP and RADIUS server
  • WPA3: recommended, but not completely supported

WPA and WPA2 encryption methods: TKIP is used by WPA and is not as secure; AES is used by WPA2 and is preferred.

WPA3 is used for personal, enterprise, and open networks. Also used in IoT onboarding.

WLAN Configuration

Practice module.

Routing Concepts

Path determination

The role of a router is to decide where to transmit received packets.

Not all networks are directly connected.

The best path a router chooses is the longest match. For example, if there are multiple routes with differing precision:

  • 172.16.0.0/12
  • 172.16.0.0/18
  • 172.16.0.0/26

For example, 172.16.0.10 would go in the third network, while 172.16.0.120 would go to the second network. Specificity wins over administrative distance

For IPv6, the same specificity concepts apply.

Directly connected networks are configured on the active interfaces of a router. It's added to the routing table when an interface is configured with an IP address and subnet mask, and turned on.

Remote networks are not directly connected, routers can learn from other routers in two ways:

  • Static routes
    • Added to the table when manually configuring a route
  • Dynamic routing protocols
    • Added when routing protocols dynamically learn about the remote network.
    • ex: EIGRP (Enhanced Interior Gateway Routing Protocol)
    • ex: OSPF (Open Shortest Path First)

Packet forwarding

A router forwards a packet as follows:

  1. Frame containing the IP => router ingress
  2. The router examines the destination IP address and consults the routing table
  3. The router finds the longest matching prefix
  4. The router encapsulates the packet in a data link frame and forwards it to the egress interface
  5. If no match found, the packet is discarded
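The longest-match rule from the path determination section (the 172.16.0.0/12, /18 and /26 example) and the forwarding steps just listed, as one added example written for these notes (not Cisco code): a routing table that installs only the lowest [AD/metric] route per prefix and then answers lookups by longest prefix, for both IPv4 and IPv6. The class, next hops and sample routes are constructed; the administrative distances are the defaults given further down in these notes.

```python
"""Longest-prefix-match lookup with administrative distance, modelling the
routing-table rules in these notes. Added illustration, not Cisco code; the
class and the sample routes are constructed."""
from ipaddress import ip_network, ip_address

DEFAULT_AD = {"C": 0, "S": 1, "O": 110}   # route codes as shown by show ip route


class RoutingTable:
    def __init__(self):
        self.candidates = []   # every configured or learned route, duplicates included

    def add(self, prefix, via, code="S", ad=None, metric=0):
        """Add a route; a floating static route is just a duplicate with a higher AD."""
        self.candidates.append({
            "prefix": ip_network(prefix, strict=False), "via": via, "code": code,
            "ad": DEFAULT_AD[code] if ad is None else ad, "metric": metric})

    def installed(self):
        """What show ip route displays: per prefix, only the lowest [AD/metric] route."""
        best = {}
        for r in self.candidates:
            k = r["prefix"]
            if k not in best or (r["ad"], r["metric"]) < (best[k]["ad"], best[k]["metric"]):
                best[k] = r
        return list(best.values())

    def lookup(self, destination):
        """Steps 2-5 above: longest matching prefix, or None when the packet is discarded."""
        dst = ip_address(destination)
        matches = [r for r in self.installed() if dst in r["prefix"]]
        if not matches:
            return None
        return max(matches, key=lambda r: r["prefix"].prefixlen)   # specificity beats AD

    def next_hop(self, destination):
        r = self.lookup(destination)
        return None if r is None else r["via"]


def build_sample():
    """Constructed table reproducing the /12, /18, /26 example plus a few extras."""
    rt = RoutingTable()
    rt.add("172.16.0.0/12", "10.0.1.2")
    rt.add("172.16.0.0/18", "10.0.2.2")
    rt.add("172.16.0.0/26", "10.0.3.2", ad=200)      # high AD, still wins on prefix length
    rt.add("10.0.4.0/24", "10.0.3.2", code="O", metric=50)   # learned via OSPF, AD 110
    rt.add("10.0.4.0/24", "10.0.9.2", ad=200)                 # floating static backup
    rt.add("192.168.1.0/24", "GigabitEthernet0/0", code="C")  # directly connected
    rt.add("2001:db8:acad::/48", "2001:db8:1::2")
    rt.add("2001:db8:acad:99::/64", "2001:db8:2::2")
    return rt


if __name__ == "__main__":
    rt = build_sample()
    for dst in ("172.16.0.10", "172.16.0.120", "172.20.1.1", "10.0.4.7", "203.0.113.5"):
        print(dst, "->", rt.next_hop(dst))
```

Two things the prose only states are visible here: the /26 route is chosen for 172.16.0.10 even though its AD (200) is worse than the /18's, because prefix length is compared first, and the floating static route for 10.0.4.0/24 never appears in installed() while the OSPF route (AD 110) exists, which is exactly the failover behaviour described under administrative distance below.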

Packet forwarding mechanisms, the main distinction is software vs hardware processing:

  • Process switching
    • Software
    • Done on the control plane
    • Older method by a generalist CPU, matching the destination address with an entry in its routing table before determining the egress
  • Fast switching
  • CEF (Cisco Express Forwarding)
    • Hardware
    • Done on the data plane
    • Most recent and default IOS packet-forwarding mechanism. CEF builds a FIB (Forwarding Information Base) and an adjacency table; these are caches stored directly in hardware
    • Much faster as processed by an ASIC (Application-Specific Integrated Circuit) instead of a CPU (processing power in the scale of millions/s)

(An ASIC is a processing unit dedicated to doing one specific task as efficiently as possible.)

However, since everything is done on the data plane, we can't capture packets there. When we need to (for auditing purposes), we have to temporarily disable hardware processing.

There are filter commands when piping outputs.

  • section - This displays the entire section that starts with the filtering expression.
  • include - This includes all output lines that match the filtering expression.
  • exclude - This excludes all output lines that match the filtering expression.
  • begin - This displays all the output lines from a certain point, starting with the line that matches the filtering expression.

IP routing table

Check config using show ip route and show ipv6 route.

There are many possible codes, but only a few matter to us:

  • L: Local IP addresses (router addresses that we defined on interfaces for example)
  • C: Directly connected network
  • S: Statically configured routes

All other codes pertain to dynamic routing.

The "gateway of last resort" is the default gateway.

Lines without a code are parent routes, a leftover of classful networking.

# Example of an OSPF route
O        10.0.4.0/24 [110/50] via 10.0.3.2, 00:24:22, Serial0/1/1

The first number in square brackets represents administrative distance, a "weight" based on the connection type.

Default values are

  • C = 0
  • S = 1
  • O = 110

This is useful when routes of different types point to the same network: directly connected networks will be preferred. In case of duplicates, only the "best" routes are shown in the routing table. We can keep duplicate routes for failover purposes.

The second number in square brackets is the metric value, its meaning depends on the routing protocol used, and essentially doesn't matter for static routing.

All decisions are taken router by router: once a hop is done, the router's job is done; paths are never "pre-determined".

One drawback of static routing is the inability to adapt to network changes.

For IPv6, every network occupies two lines.

There exist interior and exterior dynamic routing protocols. Depends on if you're routing through your own network, or routing to an external entity.

Dynamic routing protocols each have their own way to find the best path.

IP Static Routing

ip route creates a static route.

  • To configure a regular static route (next hop), we specify a destination IP address.
  • To configure a directly connected route, we specify an egress interface.
  • To configure a floating route, we add a duplicate network definition with a different administrative distance.
  • To configure a host route, we set the subnet to 255.255.255.255

Troubleshoot static and default routes

Practice module
