CCNA - midterm Flashcards
SWITCH BOOT SEQUENCE
When a Cisco switch powers on, it follows these five steps:
- POST: The switch runs a self-test (POST) to check the CPU, DRAM, and part of the flash storage.
- Boot Loader: A small program in ROM is loaded after POST, starting the boot process.
- CPU Initialization: The boot loader sets up CPU registers, memory mapping, and speed.
- Flash Initialization: The boot loader prepares the flash file system.
- Load IOS: The boot loader finds and loads the default IOS operating system into memory, taking control of the switch.
Differentiate boot system, flash:, c2960-lanbasek9-mz.150-2.SE/ and c2960-lanbasek9-mz.150-2.SE.bin
- boot system - the command that sets the BOOT environment variable
- flash: - the storage device
- c2960-lanbasek9-mz.150-2.SE/ - the directory path within the flash file system
- c2960-lanbasek9-mz.150-2.SE.bin - the IOS image file name
Shows whether the system is receiving power and functioning properly.
System LED (SYST)
Shows the RPS status.
Redundant Power Supply LED (RPS)
When green, indicates port status mode is selected, which is the default. Port status can then be understood by the light associated with each port.
Port Status LED (STAT)
When green, indicates port duplex mode is selected. Port duplex can then be understood by the light associated with each port.
Port Duplex LED (DUPLX)
When green, indicates port speed mode is selected. Port speed can then be understood by the light associated with each port.
Port Speed LED (SPEED)
Present if the switch supports PoE. Indicates the PoE status of ports on the switch.
Power over Ethernet LED (PoE)
Recovering from a System Crash
If the switch’s operating system is missing or damaged, the boot loader allows access to the switch through a console connection. Here’s how to access it:
- Connect a PC to the switch via console cable and open terminal software.
- Unplug the switch power cord.
- Reconnect the power and, within 15 seconds, press and hold the Mode button while the System LED flashes green.
- Keep holding until the LED turns amber and then solid green, then release the Mode button.
- The boot loader prompt will appear in the terminal software.
The boot loader lets you format the flash, reinstall the OS, or recover a lost password, using commands like dir to view files. Note that anyone with a console cable and access to the Mode button can reach this prompt, so password recovery is only as hard as physical access to the switch.
To manage a switch remotely, assign it an IP address, subnet mask, and a default gateway. This setup is similar to configuring a host device.
The switch’s virtual interface (SVI) on S1 should be given an IP address. The SVI is a virtual, not physical, interface. Use a console cable to connect to a PC for initial configuration.
Switch Management Access
Switch SVI Configuration Example
By default, the switch uses VLAN 1 for management. For security, it’s best to use a different VLAN for management.
- Configure the Management Interface: Assign an IP address and subnet mask to the switch's management SVI (e.g., VLAN 99). The SVI won't be "up/up" until VLAN 99 is created and a device is connected to an active port in that VLAN. If using IPv6, first set the switch to the dual IPv4/IPv6 SDM template (sdm prefer dual-ipv4-and-ipv6 default) and reload.
- Configure the Default Gateway: If managing the switch remotely from another network, set a default gateway with ip default-gateway. No IPv6 gateway is needed because the switch learns it from the router advertisement.
- Verify Configuration: Use show ip interface brief and show ipv6 interface brief to check the status of the interfaces and confirm the IP setup. The IP address on the SVI allows remote management; it does not make the switch route Layer 3 packets.
Duplex Communication
- Full-Duplex: Allows data to be sent and received simultaneously, improving efficiency. It requires microsegmentation (one device per switch port) and eliminates collisions. Gigabit Ethernet and 10 Gb NICs need full-duplex to function properly.
- Half-Duplex: Only allows data to flow in one direction at a time, causing potential collisions and performance issues.
Full-duplex runs at 100% efficiency in both directions (for example, 100 Mbps sending and 100 Mbps receiving at the same time), effectively doubling the usable bandwidth of the link.
Configure Switch Ports at the Physical Layer
- Switch ports can be configured with specific duplex and speed settings using the duplex and speed interface commands.
- By default, Cisco Catalyst 2960 and 3560 switch ports are set to auto for both duplex and speed. At 10/100 Mbps they can operate in half- or full-duplex, but at 1000 Mbps they are always full-duplex.
- Autonegotiation is useful when device settings are unknown or may change, but it's best to manually set speed and duplex for known devices like servers or workstations. When setting them manually, configure both ends of the link the same way.
- When troubleshooting, check duplex and speed settings, as mismatched configurations cause connectivity issues. Fiber-optic ports like 1000BASE-SX always operate at a fixed speed and full-duplex.
Auto-MDIX
- Auto-MDIX allows the switch to automatically detect and adjust for the correct cable type (straight-through or crossover) needed for the connection.
- Without auto-MDIX, use straight-through cables for devices like servers and routers, and crossover cables for connecting switches or repeaters.
- With auto-MDIX, either cable type works, and the interface adjusts automatically for proper communication.
- On newer Cisco switches, enable auto-MDIX with the mdix auto interface command; speed and duplex must be set to auto for it to work.
- Auto-MDIX is enabled by default on Catalyst 2960 and 3560 switches but not on older models like the Catalyst 2950 and 3550. Use the show controllers ethernet-controller interface-id phy command and look for the Auto-MDIX line to check the setting.
The ___________ command can be used to verify that the switch has been correctly configured. From the sample abbreviated output on S1, some important information is shown in the figure:
show running-config
The _____________ command is another commonly used command, which displays status and statistics information on the network interfaces of the switch. The show interfaces command is frequently used when configuring and monitoring network devices.
show interfaces
The first line of the output for the ___________________________ command indicates that the FastEthernet 0/18 interface is up/up, meaning that it is operational. Further down, the output shows that the duplex is full and the speed is 100 Mbps.
show interfaces fastEthernet 0/18
Network Access Layer Issues
The show interfaces command helps identify common media problems by displaying the line (physical) and data link protocol statuses.
- Up/Down status:
  - Interface up, line protocol down: a Layer 2 problem such as an encapsulation mismatch, the far end being error-disabled, or a hardware fault.
  - Both down: usually no cable attached, or an interface problem such as the far end being administratively down.
- Interface administratively down: the interface was manually disabled with the shutdown command.
The output also shows interface counters and statistics, which can reveal errors that impact network performance, even if they don’t cause complete failures.
Give the 7 Error Type and differentiate them
- Input Errors Total number of errors. It includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts.
- Runts Packets that are discarded because they are smaller than the minimum packet size for the medium. For instance, any Ethernet packet that is less than 64 bytes is considered a runt.
- Giants Packets that are discarded because they exceed the maximum packet size for the medium. For example, any Ethernet packet that is greater than 1,518 bytes is considered a giant.
- CRC CRC errors are generated when the calculated checksum is not the same as the checksum received.
- Output Errors Sum of all errors that prevented the final transmission of datagrams out of the interface that is being examined.
- Collisions Number of messages retransmitted because of an Ethernet collision.
- Late Collisions A collision that occurs after 512 bits of the frame have been transmitted
is the sum of all errors in datagrams that were received on the interface being examined. This includes runts, giants, CRC, no buffer, frame, overrun, and ignored counts. The reported input errors from the show interfaces command include the following:
* runt frames
* giants
* CRC errors
“Input errors”
- Ethernet frames that are shorter than the 64-byte minimum allowed length are called _________. Malfunctioning NICs are the usual cause of excessive _______ frames, but they can also be caused by collisions.
Runt Frames
- Ethernet frames that are larger than the maximum allowed size are called ___________.
Giants
- On Ethernet and serial interfaces, ___________ usually indicate a media or cable error. Common causes include electrical interference, loose or damaged connections, or incorrect cabling. If you see many __________, there is too much noise on the link and you should inspect the cable. You should also search for and eliminate noise sources.
CRC errors
is the sum of all errors that prevented the final transmission of datagrams out the interface that is being examined. The reported __________ from the show interfaces command include the following:
* collisions
* late collisions
“Output errors”
Collisions - Collisions in half-duplex operation are normal. However, you should never see collisions on an interface configured for full-duplex communication; if you do, suspect a duplex mismatch.
Late collisions - A late collision is a collision that occurs after 512 bits of the frame have been transmitted. Excessive cable lengths are the most common cause of late collisions. Another common cause is duplex misconfiguration.
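Added worked example (not from the flashcards or Cisco): a small Python parser that pulls the counters above out of show interfaces output and applies these troubleshooting rules. The two output blocks are constructed and abbreviated to the lines the parser reads; the interface names and counter values are assumptions.

```python
"""Parse the counters from 'show interfaces' output and apply the
troubleshooting rules above (duplex mismatch, cabling noise, runts,
interface status). Added example, not Cisco tooling; the two outputs
below are constructed for the example and trimmed to the lines the
parser needs."""

import re

# Constructed: a healthy full-duplex access port.
HEALTHY = """\
FastEthernet0/18 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0025.83e6.4b12 (bia 0025.83e6.4b12)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     2295197 packets input, 305539992 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     3594664 packets output, 436549843 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Constructed: same port type, but the far end is stuck at half-duplex
# and the cable run is noisy.
MISMATCH = """\
FastEthernet0/19 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0025.83e6.4b13 (bia 0025.83e6.4b13)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     18421 packets input, 2150944 bytes, 0 no buffer
     37 runts, 0 giants, 0 throttles
     212 input errors, 175 CRC, 0 frame, 0 overrun, 0 ignored
     22910 packets output, 3109877 bytes, 0 underruns
     1294 output errors, 1100 collisions, 2 interface resets
     0 babbles, 194 late collision, 11 deferred
"""

# Longest names first so "late collision" is never read as "collisions".
COUNTERS = ("late collision", "input errors", "output errors",
            "collisions", "runts", "giants", "CRC")


def parse_show_interfaces(text):
    """Return a dict of status, duplex, speed and the error counters."""
    head = re.search(r"^(\S+) is (up|down|administratively down), "
                     r"line protocol is (up|down)", text, re.M)
    if not head:
        raise ValueError("not a show interfaces block")
    info = {"interface": head.group(1), "status": head.group(2),
            "protocol": head.group(3), "duplex": None, "speed": None}
    dup = re.search(r"(Full|Half)-duplex, (\d+)Mb/s", text)
    if dup:
        info["duplex"] = dup.group(1).lower()
        info["speed"] = int(dup.group(2))
    pattern = r"(\d+) (" + "|".join(re.escape(c) for c in COUNTERS) + r")"
    for value, name in re.findall(pattern, text):
        info[name] = int(value)
    return info


def diagnose(info):
    """Apply the rules from the text to the parsed counters; returns findings."""
    findings = []
    if info["status"] == "administratively down":
        findings.append("interface disabled with the shutdown command")
    elif info["status"] == "down":
        findings.append("down/down: no cable, or the far end is administratively down")
    elif info["protocol"] == "down":
        findings.append("up/down: encapsulation mismatch, err-disabled peer, or hardware fault")
    if info["duplex"] == "full" and (info.get("collisions", 0) or info.get("late collision", 0)):
        findings.append("collisions on a full-duplex port: duplex mismatch likely")
    if info.get("late collision", 0):
        findings.append("late collisions: excessive cable length or duplex mismatch")
    if info.get("CRC", 0):
        findings.append("CRC errors: noise, bad connector or wrong cabling; inspect the link")
    if info.get("runts", 0):
        findings.append("runts: malfunctioning NIC or collisions")
    if info.get("giants", 0):
        findings.append("giants: frames above the 1518-byte maximum")
    return findings
```

Running diagnose(parse_show_interfaces(MISMATCH)) reports the duplex mismatch, the late collisions, the CRC noise and the runts together, which is the pattern you see when one end was hard-set to full duplex and the other left on auto.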
Telnet Operation
Telnet uses TCP port 23
and transmits data, including login details (username and password), in unencrypted plaintext
. This makes it insecure, as attackers can easily capture sensitive information (e.g., using Wireshark).
SSH Operation
SSH is a secure protocol that uses TCP port 22
, offering encrypted remote management connections. Unlike Telnet, SSH encrypts both the login details and transmitted data, making it safer.
Even if a threat actor tracks the session via the IP address, the username and password remain encrypted. SSH should replace Telnet for secure connections.
Verify the Switch Supports SSH
To enable SSH on a Catalyst 2960 switch, ensure it is running an IOS version with cryptographic features. Use the show version command to check the IOS version. If the IOS filename includes "k9", it supports encryption.
Configure SSH
- Verify SSH Support: Use show ip ssh to check if the switch supports SSH. If the IOS doesn't support encryption, the command is not recognized.
- Configure IP Domain: Set the domain name with ip domain-name domain-name. The RSA key pair is named after the hostname and domain name, so both must be set first.
- Generate RSA Key Pair: Use crypto key generate rsa to generate the key pair, which enables SSH. Choose a modulus of at least 2048 bits when prompted (or give it directly with crypto key generate rsa modulus 2048). Delete the keys with crypto key zeroize rsa if needed.
- Configure User Authentication: Create a local username and password with username username secret password (secret stores a hash rather than the plaintext password).
- Configure vty Lines: Restrict the vty lines to SSH with transport input ssh and use the local user database with login local.
- Enable SSH Version 2: Enable SSH v2 with ip ssh version 2; version 1 has known weaknesses and should not be left enabled.
Verify SSH is Operational
- On a PC, use an SSH client like PuTTY to connect to the switch (S1) with IP address 172.17.99.11 on VLAN 99.
- From PC1 (IP 172.17.99.21), initiate an SSH connection to the switch.
- Enter the username (admin) and password (ccna) when prompted to connect to the switch’s CLI.
- Use show ip ssh to check the SSH version and configuration on the switch (SSH v2 is enabled in the example).
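Added example covering the SVI/management setup above and the SSH steps just listed (not the flashcards' own material or Cisco tooling): a Python check that reads a running-config and reports anything that departs from those steps. Both sample configs are constructed; the hostname, VLAN 99, the addresses and the user name are assumptions.

```python
"""Check a Cisco IOS switch running-config against the management-access
steps above: a management SVI on a VLAN other than 1, a default gateway,
the SSH prerequisites (domain name, local user with a secret), SSH
version 2, and vty lines that accept only SSH with local login.

Added example, not Cisco tooling. Both configs are constructed for this
illustration; hostname, VLAN 99, the addresses and the user are assumptions."""

import re

# Constructed: a switch still managed over VLAN 1 with Telnet permitted.
WEAK_CONFIG = """\
hostname S1
!
interface Vlan1
 ip address 172.17.99.11 255.255.255.0
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
"""

# Constructed: the same switch after following the steps above.
HARDENED_CONFIG = """\
hostname S1
ip domain-name example.com
username admin secret 9 $9$4kQ2x7yRt/examplehash
ip ssh version 2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 172.17.99.11 255.255.255.0
!
ip default-gateway 172.17.99.1
!
line vty 0 15
 login local
 transport input ssh
!
"""

SECTION_START = re.compile(r"^(interface|line|router|vlan)\b")


def parse_sections(config):
    """Split a config into {section header: [indented sub-commands]}.
    Top-level commands that are not section headers go under 'global'."""
    sections = {"global": []}
    current = "global"
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):
            sections[current].append(line.strip())
        elif SECTION_START.match(line):
            current = line
            sections.setdefault(current, [])
        else:
            current = "global"
            sections["global"].append(line)
    return sections


def audit_management(config):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sections(config)
    g = s["global"]
    findings = []

    # Management SVI: VLAN 1 is the default and the text says to move off it.
    vlan1 = s.get("interface Vlan1", [])
    if any(l.startswith("ip address ") for l in vlan1) and "shutdown" not in vlan1:
        findings.append("management SVI is still VLAN 1")
    if not any(h.startswith("interface Vlan") and h != "interface Vlan1"
               and any(l.startswith("ip address ") for l in lines)
               for h, lines in s.items()):
        findings.append("no management SVI on a VLAN other than 1")
    if not any(l.startswith("ip default-gateway ") for l in g):
        findings.append("no ip default-gateway: unreachable from other networks")

    # SSH prerequisites and version.
    if not any(l.startswith("ip domain-name ") for l in g):
        findings.append("no ip domain-name: RSA keys cannot be generated")
    if not any(re.match(r"username \S+ secret ", l) for l in g):
        findings.append("no local user with a hashed (secret) password")
    if "ip ssh version 2" not in g:
        findings.append("ip ssh version 2 not set: SSHv1 may still be accepted")

    # vty lines: SSH only, authenticated against the local user database.
    for header, lines in s.items():
        if not header.startswith("line vty"):
            continue
        if "transport input ssh" not in lines:
            findings.append(f"{header}: not restricted to SSH (Telnet plaintext possible)")
        if "login local" not in lines:
            findings.append(f"{header}: not using login local")
    return findings
```

audit_management(WEAK_CONFIG) lists every step that is missing, while the hardened config comes back clean; pointing the same function at show running-config output saved from a real switch is a quick way to confirm the SSH checklist was completed.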
One distinguishing feature between switches and routers is the type of interfaces supported by each. For example, Layer 2 switches support LANs; therefore, they have multiple FastEthernet or Gigabit Ethernet ports. The topology in the figure (not reproduced here) is used to demonstrate the configuration of router IPv4 and IPv6 interfaces.
* refers to a network design in which devices run IPv4 and IPv6 at the same time, each interface carrying both an IPv4 address and an IPv6 address so that either protocol can be used end to end.
Dual Stack Topology
Configure Router Interfaces
Routers connect LANs and WANs and support various interfaces (e.g., Gigabit Ethernet, serial, DSL). To configure an interface:
- Assign an IP Address: Use ip address ip-address subnet-mask for IPv4 or ipv6 address ipv6-address/prefix for IPv6.
- Activate the Interface: By default, router interfaces are shut down. Use no shutdown to enable them, and ensure the interface is connected to another device.
- Add a Description (optional): Configure a brief description for each interface to aid in troubleshooting and network management.
IPv4 Loopback Interfaces
A loopback interface is a virtual, internal interface on a router, not linked to any physical port. It is always "up" as long as the router is functioning.
- Uses: It’s helpful for testing and managing the router, ensuring at least one interface is always available. It can also simulate networks for testing routing processes and configuration practice.
- Multiple Loopbacks: You can create several loopback interfaces to simulate more networks in lab setups.
- Configuration: Assign a unique IPv4 address to each loopback interface.
Interface Verification Commands
Use these commands to check interface status and configuration:
- show ip interface brief / show ipv6 interface brief: Display a summary of all interfaces, including their IPv4/IPv6 address and status.
- show running-config interface interface-id: Show the configuration applied to a specific interface.
- show ip route / show ipv6 route: Display the IPv4/IPv6 routing table. Active interfaces appear as 'C' (Connected) networks and, in Cisco IOS 15 and later, also as 'L' (Local) routes for the interface's own address.
Verify Interface Status
Use show ip interface brief or show ipv6 interface brief to quickly check the status of all interfaces. If both the Status and Protocol are "up," the interface is active. Any other output suggests a configuration or cabling issue.
Verify IPv6 Link Local and Multicast Addresses
Use show ipv6 interface brief to see two IPv6 addresses on each interface: a global unicast address (manually configured) and a link-local address (starting with FE80). The link-local address is added automatically along with the global address.
For more details, use show ipv6 interface gigabitethernet 0/0/0 to view the interface status and all IPv6 addresses, including the multicast addresses (starting with FF02) the interface has joined.
Verify Interface Configuration
Use show running-config interface to see the current configuration of a specific interface. For more details:
- show interfaces: Displays information and packet flow for all interfaces.
- show ip interface / show ipv6 interface: Shows IPv4/IPv6 details for all interfaces.
Verify Routes
Use show ip route and show ipv6 route to view connected and local routes.
- A local route has a /32 (IPv4) or /128 (IPv6) mask and an administrative distance of 0.
- A 'C' next to a route means it is a directly connected network.
- The router's global unicast address is added as a local route so packets destined for the router itself are processed efficiently.
Filter Show Command Output
By default, output pauses after 24 lines. Press Enter for the next line or the spacebar for the next screen. Use terminal length 0 to stop the pausing for the current session.
You can also filter output using a pipe (|) followed by a filter:
- section: Shows the section starting with the expression.
- include: Displays lines that match the expression.
- exclude: Hides lines that match the expression.
- begin: Starts output from the line matching the expression.
Command History Feature
The command history stores executed commands for easy recall.
- Press Ctrl+P or the Up Arrow to recall older commands.
- Press Ctrl+N or the Down Arrow for newer commands.
- By default, the history stores the last 10 commands. Use show history to view them.
- To change the number of stored commands for the current session, use terminal history size size.
Summary of Module 1
- After powering on, a Cisco switch follows a five-step boot sequence.
- Set the BOOT environment variable using the boot system command.
- Monitor switch activity with LEDs: SYST, RPS, STAT, DUPLX, SPEED, and PoE.
- The boot loader helps when the operating system is damaged or missing.
- Configure an IP address and subnet mask for remote management access.
- Set a default gateway for remote access from another network.
- Full-duplex communication doubles usable bandwidth by allowing send and receive at once.
- Switch ports can be manually set to a specific duplex and speed.
- Use autonegotiation if device settings may change or are unknown.
- With auto-MDIX, the switch detects and adjusts for the cable type automatically.
- Use show commands to verify switch configurations.
- Telnet (TCP port 23) is insecure, transmitting data and credentials in plaintext.
- SSH (TCP port 22) provides secure, encrypted remote connections.
- "k9" in the IOS filename indicates support for cryptographic features.
- To configure SSH: verify support, set the domain name, generate RSA keys, configure authentication, configure the vty lines, and enable version 2.
- Use show ip ssh to verify SSH status.
- Always configure the device name, passwords, and banner, and save changes.
- Routers support various LAN and WAN interfaces, interconnecting networks.
- An IPv4 loopback is a logical interface, internal to the router.
- Use these commands to verify interface status: show ip interface brief for a summary of interfaces, show running-config interface for interface settings, and show ip route for routing table contents.
- Filter command output with the pipe (|) and expressions like section, include, exclude, and begin.
- Command history is enabled by default, storing the last 10 commands.
- Use show history to view the command history buffer.
Switching in Networking
A switch forwards traffic based on the ingress interface and destination MAC address using its MAC address table (CAM table).
MAC Address Table
The switch learns the destination MAC address by recording source MAC addresses and the port they came from. It uses this information to decide where to forward traffic. A switch won’t send traffic back through the same interface it received it on.
Ingress vs Egress
- Ingress: Traffic entering the interface
- Egress: Traffic leaving the interface
Switch Learn and Forward Method
- Learn: examine the source address
  - The switch adds the source MAC address and its ingress port to the table if the address is not already there.
  - If the source MAC is already in the table, it resets the entry's timeout to 5 minutes.
- Forward: examine the destination address
  - If the destination MAC is in the table, the frame is forwarded out the associated port.
  - If the destination MAC is not in the table, the frame is flooded out all ports except the one it was received on.
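Added example (not from the flashcards): a Python model of the learn-and-forward steps above, including the 5-minute aging and the rule that a frame is never sent back out its ingress port. Port numbers and MAC addresses are constructed.

```python
"""Simulate the learn-and-forward behaviour described above: learn the
source MAC on the ingress port, refresh the entry's 5-minute (300 s)
timer on every frame, forward known unicast out one port, flood unknown
unicast and broadcast out every port except the ingress, and never send
a frame back out the port it arrived on. Added example, not Cisco code;
the port numbers and MAC addresses are constructed."""

BROADCAST = "ffff.ffff.ffff"
AGING_SECONDS = 300  # default MAC address table aging time


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # mac -> (port, last_seen)

    def _expire(self, now):
        """Drop entries that have not been refreshed within the aging time."""
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t < AGING_SECONDS}

    def receive(self, ingress, src, dst, now):
        """Process one frame arriving on `ingress` at time `now` (seconds);
        return the list of egress ports it is sent out of."""
        self._expire(now)
        # Learn: record (or refresh) the source MAC against the ingress port.
        # A MAC seen on a different port is simply moved, which is how a
        # host that changes ports gets re-learned.
        self.table[src] = (ingress, now)
        # Forward on the destination MAC.
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            return [p for p in self.ports if p != ingress]   # flood
        port, _ = entry
        return [] if port == ingress else [port]           # filter or forward
```

The sequence in the test below walks through flooding an unknown destination, the reply being forwarded out a single port, a broadcast, and an entry aging out after 300 seconds so the next frame to it is flooded again.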
Switch Forwarding Methods
Switches use ASICs for quick forwarding decisions, using one of these methods:
- Store-and-forward: Receives the entire frame, checks for errors, and forwards only valid frames. Cisco’s preferred method.
- Cut-through: Forwards the frame as soon as it determines the destination MAC address.
Store-and-forward:
- Error Checking
: Checks for CRC errors and discards bad frames.
- Buffering
: Buffers the frame while checking for errors and handling speed differences.
Cut-through:
- Forwards the frame immediately after checking the destination MAC.
- Fragment Free
: Ensures frames are at least 64 bytes to avoid runts.
- Limitations
: Does not check errors, may propagate bad frames, and can’t handle ports with different speeds.
Collision Domains
Each switch port is its own collision domain, which reduces congestion.
- Full-duplex links eliminate collisions entirely, so there is no collision domain on the link.
- Half-duplex links still form a collision domain, leading to bandwidth contention and possible collisions.
Most devices, including Cisco switches and Microsoft hosts, auto-negotiate duplex and speed by default.
Broadcast Domains
- A broadcast domain includes all Layer 1 or Layer 2 devices on a LAN.
- A router (Layer 3 device) breaks a broadcast domain.
- Devices in the domain receive broadcast traffic, which a switch floods to all interfaces except the incoming one.
- Too many broadcasts can cause congestion and slow performance.
- Adding more devices at Layer 1 or Layer 2 expands the broadcast domain.
Alleviating Network Congestion
Switches use the MAC address table and full-duplex to avoid collisions and reduce congestion. Key features include:
- Fast Port Speeds – Up to 100 Gbps, depending on the model.
- Fast Internal Switching – Uses fast internal bus/memory for better performance.
- Large Frame Buffers – Stores frames temporarily for efficient processing.
- High Port Density – More ports for devices, reducing cost and congestion.
Summary of Module 2
Frame Forwarding
- Ingress is the entry port, and egress is the exit port.
- The switch uses a MAC address table to forward frames.
- It can use store-and-forward or cut-through for forwarding.
Switching Domains
- Half-duplex Ethernet ports create collision domains.
- Full-duplex eliminates collision domains.
- A switch floods broadcasts and unknown unicast frames to all ports except the ingress port.
- Broadcast domains are broken up by Layer 3 devices like routers.
- Switches extend broadcast domains but eliminate collision domains and reduce congestion.
are logical connections with other similar devices.
VLANs
Benefits of VLAN Design:
- Smaller Broadcast Domains: Dividing the LAN into VLANs creates more, smaller broadcast domains, so each broadcast reaches fewer devices.
- Improved Security: Only users in the same VLAN can communicate directly at Layer 2. Traffic between VLANs must pass through a router or Layer 3 switch, which is where access control between groups is enforced.
- Improved IT Efficiency: VLANs can group devices with similar requirements, e.g., faculty vs. students.
- Reduced Cost: One switch can support multiple groups or VLANs.
- Better Performance: Small broadcast domains reduce traffic, improving bandwidth.
- Simpler Management: Similar groups will need similar applications and other network resources.
VLAN 1 is the following:
* The default VLAN
* The default Native VLAN
* The default Management VLAN
* Cannot be deleted or renamed
Note: While VLAN 1 cannot be deleted, Cisco recommends assigning these default roles (native and management) to other VLANs.
Default VLAN
Dedicated to user-generated traffic (email and web traffic).
VLAN 1 is the default data VLAN because all interfaces are assigned to this VLAN.
Data VLAN
This is used for trunk links only. All frames on an 802.1Q trunk link are tagged except those on the native VLAN, which are sent untagged.
Native VLAN
This is used for SSH/Telnet VTY traffic and should not be carried with end user traffic.
Typically, the VLAN that is the SVI for the Layer 2 switch.
Management VLAN
A separate VLAN is required because Voice traffic requires:
* Assured bandwidth
* High QoS priority
* Ability to avoid congestion
* Delay of less than 150 ms from source to destination
The entire network must be designed to support voice.
Voice VLAN
is a point-to-point link between two network devices that carries traffic for more than one VLAN.
trunk
Without ____, all devices connected to the switches will receive all unicast, multicast, and broadcast traffic.
VLANs
With VLANs, unicast, multicast, and broadcast traffic is confined to a VLAN. Without a _____ to connect the VLANs, devices in different VLANs cannot communicate.
Layer 3 device
- Type: a 2-byte field set to the hexadecimal value 0x8100, referred to as the Tag Protocol ID (TPID)
- 3-bit user priority (class of service)
- 1-bit Canonical Format Identifier (CFI)
- 12-bit VLAN ID, giving 4096 possible values (0 and 4095 are reserved, so 1 - 4094 are usable)
802.1Q
- tagged with appropriate layer 2 class of service priority value
voice VLAN
The ______ command can show us both data and voice VLANs assigned to the interface.
show interfaces fa0/18 switchport
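Added example (not from the flashcards): Python that builds and parses an 802.1Q-tagged frame so the TPID, priority, CFI and VLAN ID fields above can be checked at the byte level, including the CoS priority value a voice VLAN relies on. MAC addresses, VLAN numbers and payloads are constructed.

```python
"""Build and parse an 802.1Q-tagged Ethernet frame so the tag fields
(TPID 0x8100, 3-bit priority, 1-bit CFI, 12-bit VLAN ID) can be seen
at the byte level. Added example; the MAC addresses, VLAN and payload
are constructed."""

import struct

TPID_8021Q = 0x8100


def mac_bytes(dotted):
    """'0025.83e6.4b12' (or colon form) -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", "").replace(":", ""))


def mac_str(b):
    """6 raw bytes -> Cisco dotted form."""
    h = b.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, cfi=0):
    """Return an Ethernet frame, tagged if a VLAN ID is given.
    VID 0 (priority-only tag) and 4095 are reserved, so only 1-4094 is accepted."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be 1-4094")
        if not 0 <= pcp <= 7 or cfi not in (0, 1):
            raise ValueError("PCP is 3 bits, CFI is 1 bit")
        tci = (pcp << 13) | (cfi << 12) | vid      # Tag Control Information
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the header fields; 'vid' is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst, "src": src, "vid": None, "pcp": None, "cfi": None}
    offset = 14
    if ethertype == TPID_8021Q:                   # a tag sits where the type was
        if len(frame) < 18:
            raise ValueError("tag present but truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(pcp=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info
```

With vid=99 and pcp=5 the two TCI bytes come out as 0xA0 0x63, which is what a capture of a tagged voice frame on the trunk would show immediately after the 0x81 0x00 TPID.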
Normal vs Extended Range VLANs
Normal Range VLANs 1 - 1005
* Used in small to medium-sized businesses
* 1002 - 1005 are reserved for legacy VLANs
* 1 and 1002 - 1005 are created automatically and cannot be deleted
* Stored in the vlan.dat file in flash
* VTP can synchronize them between switches
Extended Range VLANs 1006 - 4094
* Used by service providers
* Stored in the running-config
* Support fewer VLAN features
* Require VTP configuration
Commands to verify VLAN info (show vlan options)
- brief: Display VLAN name, status, and its ports, one VLAN per line.
- id vlan-id: Display information about the identified VLAN ID number.
- name vlan-name: Display information about the identified VLAN name. The vlan-name is an ASCII string from 1 to 32 characters.
- summary: Display VLAN summary information.
use the ______ command to place an interface back in VLAN 1 and change VLAN port membership
no switchport access vlan
command to delete all VLANs
delete flash:vlan.dat or delete vlan.dat
Is set to trunk administratively
Is set as trunk operationally (functioning)
Encapsulation is dot1q
show interfaces fa0/1 switchport command
reset trunk to the default state
no switchport trunk allowed vlan
no switchport trunk native vlan
is a proprietary Cisco protocol. Its characteristics are as follows:
- On by default on Catalyst 2960 and 2950 switches
- Dynamic auto is the default port mode on the 2960 and 2950 switches
- May be turned off with the switchport nonegotiate command
- May be turned back on by setting the interface to dynamic auto
- Setting a switch port to static trunk or static access with the switchport mode trunk or switchport mode access commands avoids negotiation issues. Because a port left in dynamic auto will form a trunk with any neighbor that negotiates as trunk or desirable, ports facing end devices should be set to access mode with negotiation disabled.
Dynamic Trunking Protocol (DTP)
interface configuration command to stop DTP negotiation.
switchport nonegotiate
negotiated interface modes
- access: Permanent access mode; negotiates to convert the neighboring link into an access link.
- dynamic auto: Becomes a trunk interface if the neighboring interface is set to trunk or desirable mode.
- dynamic desirable: Actively seeks to become a trunk by negotiating with other auto or desirable interfaces.
- trunk: Permanent trunking mode; negotiates to convert the neighboring link into a trunk link.
command to determine the current DTP mode
show dtp interface f0/1
are used to segment switched Layer 2 networks for a variety of reasons. Regardless of the reason, hosts in one VLAN cannot communicate with hosts in another VLAN unless there is a router or a Layer 3 switch to provide routing services.
VLANs
is the process of forwarding network traffic from one VLAN to another VLAN.
Inter-VLAN routing
There are three inter-VLAN routing options:
Legacy Inter-VLAN routing - This is a legacy solution. It does not scale well
.
Router-on-a-Stick - This is an acceptable solution for a small to medium-sized network
.
Layer 3 switch using switched virtual interfaces (SVIs) - This is the most scalable solution for medium to large organizations
.
The first inter-VLAN routing solution relied on using a router with multiple Ethernet interfaces. Each router interface was connected to a switch port in different VLANs. The router interfaces served as the default gateways to the local hosts on the VLAN subnet.
using physical interfaces works, but it has a significant limitation. It is not reasonably scalable because routers have a limited number of physical interfaces. Requiring one physical router interface per VLAN quickly exhausts the physical interface capacity of a router.
Note: This method of inter-VLAN routing is no longer implemented in switched networks and is included for explanation purposes only.
Legacy inter-VLAN routing
method overcomes the limitation of the legacy inter-VLAN routing method. It only requires one physical Ethernet
interface to route traffic between multiple VLANs on a network.
* has subinterfaces
* max of 50 VLANS
‘router-on-a-stick’ inter-VLAN routing
The modern method of performing ________ is to use Layer 3 switches and switched virtual interfaces (SVI). An SVI is a virtual interface that is configured on a Layer 3 switch, as shown in the figure.
Layer 3 switch == multilayer switch
inter-VLAN routing
are created the same way that the management VLAN interface is configured. The SVI is created for a VLAN that exists on the switch. Although virtual, the SVI performs the same functions for the VLAN as a router interface would. Specifically, it provides Layer 3 processing for packets that are sent to or from all switch ports associated with that VLAN.
* much faster
* increase bandwidth
* more expensive
Inter-VLAN SVIs
- This command configures the subinterface to respond to 802.1Q encapsulated traffic from the specified vlan-id. The native keyword option is only appended to set the native VLAN to something other than VLAN 1.
encapsulation dot1q vlan_id [native]
- This command configures the IPv4 address of the subinterface. This address typically serves as the default gateway for the identified VLAN.
ip address ip-address subnet-mask
Common Inter-VLAN Issues
- Missing VLANs
  How to Fix: Create (or re-create) the VLAN if it does not exist. Ensure the host port is assigned to the correct VLAN.
  How to Verify: show vlan [brief], show interfaces switchport, ping
- Switch Trunk Port Issues
  How to Fix: Ensure trunks are configured correctly. Ensure the port is a trunk port and enabled.
  How to Verify: show interfaces trunk, show running-config
- Switch Access Port Issues
  How to Fix: Assign the correct VLAN to the access port. Ensure the port is an access port and enabled. The host may also be configured in the wrong subnet.
  How to Verify: show interfaces switchport, show running-config interface, ipconfig
- Router Configuration Issues
  How to Fix: Check that the router subinterface IPv4 address is correct and that the subinterface is assigned to the right VLAN ID.
  How to Verify: show ip interface brief, show interfaces
Verify that the port connecting to the router is correctly configured as a trunk link using the _____.
show interfaces trunk command
If that port is missing from the output, examine the configuration of the port with the _____ command to see how the port is configured.
show running-config interface X
- correct address but unable to ping its default gateway
show vlan brief
show int X sw
show run int X
switch access port issues
is created using the interface interface_id subinterface_id global configuration mode command.
subinterface
is an important part of the hierarchical design for eliminating single points of failure and preventing disruption
of network services to users.
Redundancy
True/False:
Ethernet LANs require a loop-free
topology with a single path
between any two devices.
True
is a loop-prevention network
protocol that allows for redundancy
while creating a loop-free Layer 2 topology.
logically blocks physical loops in a Layer 2 network
, preventing frames from circling the network forever
Spanning Tree Protocol (STP)
compensates for a failure in the network by recalculating and opening up previously blocked ports.
STP
provides multiple network services by eliminating the possibility of a single point of failure.
Path redundancy
STP was developed specifically as a loop prevention mechanism for ________________________
Layer 2 Ethernet
is when the switch does not have the destination MAC address in its MAC address table and must forward the frame out all ports, except the ingress port.
unknown unicast frame
is an abnormally high number of broadcasts overwhelming the network during a specific amount of time. It can disable a network within seconds by overwhelming switches and end devices. Broadcast storms can be caused by a hardware problem such as a faulty NIC or from a Layer 2 loop in the network.
broadcast storm
To prevent these issues from occurring in a redundant network, some type of ___________ must be enabled on the switches.
spanning tree
T/F:
Spanning tree is enabled manually on Cisco switches
False
it is enabled by default
STP is based on an algorithm invented by __________ while working for Digital Equipment Corporation, and published in the 1985 paper "An Algorithm for Distributed Computation of a Spanning Tree in an Extended LAN.”
Radia Perlman
creates a loop-free topology by selecting a single root bridge where all other switches determine a single least-cost path.
spanning tree algorithm (STA)
- is the interval between BPDUs. The default is 2 seconds but can be modified to between 1 and 10 seconds.
Hello Timer
- is the time that is spent in the listening and learning state. The default is 15 seconds but can be modified to between 4 and 30 seconds.
Forward Delay Timer
- is the maximum length of time that a switch waits before attempting to change the STP topology. The default is 20 seconds but can be modified to between 6 and 40 seconds.
Max Age Timer
versions of STP, there is a root bridge elected for each spanning tree instance. This makes it possible to have different root bridges for different sets of VLANs.
Per-VLAN Spanning Tree (PVST)
: This is the original IEEE 802.1D version (802.1D-1998 and earlier) that provides a loop-free topology in a network with redundant links. Also called Common Spanning Tree (CST), it assumes one spanning tree instance for the entire bridged network, regardless of the number of VLANs.
STP
: is a Cisco enhancement of STP that provides a separate 802.1D spanning tree instance for each VLAN configured in the network.
* supports PortFast, UplinkFast, BackboneFast, BPDU guard, BPDU filter, root guard, and loop guard.
Per-VLAN Spanning Tree (PVST+)
: This is an updated version of the STP standard, incorporating IEEE 802.1w.
802.1D-2004
or IEEE 802.1w is an evolution of STP that provides faster convergence than STP.
Rapid Spanning Tree Protocol (RSTP)
: This is a Cisco enhancement of RSTP that uses PVST+ and provides a separate instance of 802.1w per VLAN. Each separate instance supports PortFast, BPDU guard, BPDU filter, root guard, and loop guard.
Rapid PVST+
is an IEEE standard inspired by the earlier Cisco proprietary Multiple Instance STP (MISTP) implementation. MSTP maps multiple VLANs into the same spanning tree instance.
Multiple Spanning Tree Protocol (MSTP)
is the Cisco implementation of MSTP, which provides up to 16 instances of RSTP and combines many VLANs with the same physical and logical topology into a common RSTP instance. Each instance supports PortFast, BPDU guard, BPDU filter, root guard, and loop guard.
Multiple Spanning Tree (MST)
supersedes the original 802.1D while retaining backward compatibility.
RSTP (IEEE 802.1w)
EtherChannels can be formed through negotiation using one of two protocols, ___________. These protocols allow ports with similar characteristics to form a channel through dynamic negotiation with adjoining switches.
Port Aggregation Protocol (PAgP) or Link Aggregation Control Protocol (LACP)
is a Cisco-proprietary protocol that aids in the automatic creation of EtherChannel links.
PAgP (pronounced “Pag - P”)
helps create the EtherChannel link by detecting the configuration of each side and ensuring that links are compatible so that the EtherChannel link can be enabled when needed.
PAgP
The modes for PAgP are as follows:
On-This mode forces the interface to channel without PAgP. Interfaces configured in the on mode do not exchange PAgP packets.
PAgP desirable-This PAgP mode places an interface in an active negotiating state in which the interface initiates negotiations with other interfaces by sending PAgP packets.
PAgP auto-This PAgP mode places an interface in a passive negotiating state in which the interface responds to the PAgP packets that it receives but does not initiate PAgP negotiation.
The modes must be compatible on each side. If one side is configured to be in auto mode, it is placed
is part of an IEEE specification (802.3ad) that allows several physical ports to be bundled to form a single logical channel.
Link Aggregation Control Protocol (LACP)
provides the same negotiation benefits as PAgP. It helps create the EtherChannel link by detecting the configuration of each side and making sure that they are compatible so that the EtherChannel link can be enabled when needed.
Link Aggregation Control Protocol (LACP)
The modes for LACP are as follows:
On-This mode forces the interface to channel without LACP. Interfaces configured in the on mode do not exchange LACP packets.
LACP active-This LACP mode places a port in an active negotiating state. In this state, the port initiates negotiations with other ports by sending LACP packets.
LACP passive-This LACP mode places a port in a passive negotiating state. In this state, the port responds to the LACP packets that it receives but does not initiate LACP packet negotiation.
The following guidelines and restrictions are useful for configuring EtherChannel:
- EtherChannel support-All Ethernet interfaces must support EtherChannel with no requirement that interfaces be physically contiguous.
- Speed and duplex-Configure all interfaces in an EtherChannel to operate at the same speed and in the same duplex mode.
- VLAN match-All interfaces in the EtherChannel bundle must be assigned to the same VLAN or be configured as a trunk (shown in the figure).
- Range of VLANs-An EtherChannel supports the same allowed range of VLANs on all the interfaces in a trunking EtherChannel. If the allowed range of VLANs is not the same, the interfaces do not form an EtherChannel, even when they are set to auto or desirable mode.
– This is a coordinated attack from many devices, called zombies, with the intention of degrading or halting public access to an organization’s website and resources.
Distributed Denial of Service (DDoS)
– This is an attack in which an organization’s data servers or hosts are compromised to steal confidential information.
Data Breach
– This is an attack in which an organization’s hosts are infected with malicious software that causes a variety of problems. For example, ransomware such as WannaCry encrypts the data on a host and locks access to it until a ransom is paid.
Malware
- provides a secure connection to remote users across a public network and into the enterprise network. VPN services can be integrated into the firewall.
Virtual Private Network (VPN) enabled router
- provides stateful packet inspection, application visibility and control, a next-generation intrusion prevention system (NGIPS), advanced malware protection (AMP), and URL filtering.
Next-Generation Firewall (NGFW)
- includes authentication, authorization, and accounting (AAA) services. In larger enterprises, these services might be incorporated into an appliance that can manage access policies across a wide variety of users and device types. The Cisco Identity Services Engine (ISE) is an example of a NAC device.
Network Access Control (NAC)
- are hosts which commonly consist of laptops, desktops, servers, and IP phones, as well as employee-owned devices. Endpoints are particularly susceptible to malware-related attacks that originate through email or web browsing.
- have typically used traditional host-based security features, such as antivirus/antimalware, host-based firewalls, and host-based intrusion prevention systems (HIPSs).
- are best protected by a combination of NAC, AMP software, an email security appliance (ESA), and a web security appliance (WSA).
Endpoints
is designed to monitor Simple Mail Transfer Protocol (SMTP). The Cisco ESA is constantly updated by real-time feeds from Cisco Talos, which detects and correlates threats and solutions by using a worldwide database monitoring system. This threat intelligence data is pulled by the Cisco ESA every three to five minutes.
Cisco ESA device
- is a mitigation technology for web-based threats. It helps organizations address the challenges of securing and controlling web traffic.
- combines advanced malware protection, application visibility and control, acceptable use policy controls, and reporting.
- provides complete control over how users access the internet. Certain features and applications, such as chat, messaging, video and audio, can be allowed, restricted with time and bandwidth limits, or blocked, according to the organization’s requirements.
- can perform blacklisting of URLs, URL-filtering, malware scanning, URL categorization, Web application filtering, and encryption and decryption of web traffic.
Cisco Web Security Appliance (WSA)
The simplest method of remote access authentication is to configure a login and password combination on ____________.
console, vty lines, and aux ports
AAA
Authentication, Authorization, and Accounting
- provides the primary framework to set up access control on a network device.
- is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and to audit what actions they performed while accessing the network (accounting).
AAA
- Method stores usernames and passwords locally in a network device (e.g., Cisco router).
- Users authenticate against the local database.
- Local AAA is ideal for small networks.
Local AAA Authentication
- With the server-based method, the router accesses a central AAA server.
- The AAA server contains the usernames and passwords for all users.
- The router uses either the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS+) protocols to communicate with the AAA server.
- When there are multiple routers and switches, server-based AAA is more appropriate.
Server-Based AAA Authentication
- is automatic and does not require users to perform additional steps after authentication.
- governs what users can and cannot do on the network after they are authenticated.
- uses a set of attributes that describes the user’s access to the network. These attributes are used by the AAA server to determine privileges and restrictions for that user.
AAA authorization
collects and reports usage data. This data can be used for such purposes as auditing or billing. The collected data might include the start and stop connection times, executed commands, number of packets, and number of bytes.
AAA accounting
is a port-based access control and authentication protocol. This protocol restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN.
IEEE 802.1X standard
- This is a device running 802.1X-compliant client software, which is available for wired or wireless devices.
Client (Supplicant)
– The switch acts as an intermediary between the client and the authentication server. It requests identifying information from the client, verifies that information with the authentication server, and relays a response to the client. Another device that could act as authenticator is a wireless access point.
Switch (Authenticator)
– The server validates the identity of the client and notifies the switch or wireless access point that the client is or is not authorized to access the LAN and switch services.
Authentication server
Examples: Includes MAC address flooding attacks.
MAC Table Attacks
Examples: Includes VLAN hopping and VLAN double-tagging attacks. It also includes attacks between devices on a common VLAN.
VLAN Attacks
Examples: Includes DHCP starvation and DHCP spoofing attacks.
DHCP Attacks
Examples: Includes ARP spoofing and ARP poisoning attacks.
ARP Attacks
Examples: Includes MAC address and IP address spoofing attacks.
Address Spoofing Attacks
Examples: Includes Spanning Tree Protocol manipulation attacks.
STP Attacks
prevents many types of attacks, including MAC address flooding attacks and DHCP starvation attacks
port security
prevents DHCP starvation and DHCP spoofing attacks
DHCP Snooping
prevents ARP spoofing and ARP poisoning attacks
Dynamic ARP Inspection (DAI)
prevents MAC and IP address spoofing attacks
IP Source Guard (IPSG)
macof
enables traffic from one VLAN to be seen by another VLAN without the aid of a router.
VLAN hopping attack
configures the host to spoof 802.1Q signaling and Cisco-proprietary Dynamic Trunking Protocol (DTP) signaling to trunk with the connecting switch. If successful, the switch establishes a trunk link with the host, as shown in the figure. Now the threat actor can access all the VLANs on the switch. The threat actor can send and receive traffic on any VLAN, effectively hopping between VLANs.
threat actor
in specific situations could embed a hidden 802.1Q tag inside a frame that already has an 802.1Q tag. This tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify.
threat actor
- is unidirectional and works only when the attacker is connected to a port residing in the same VLAN as the native VLAN of the trunk port
- allows the attacker to send data to hosts or servers on a VLAN that otherwise would be blocked by some type of access control configuration.
VLAN double-tagging attack
- VLAN hopping and VLAN double-tagging attacks can be prevented by implementing the following trunk security guidelines
VLAN Attack Mitigation
dynamically provide IP configuration information including IP address, subnet mask, default gateway, DNS servers, and more to clients. A review of the sequence of the DHCP message exchange between client and server is shown in the figure.
DHCP servers
– The goal of this attack is to create a DoS for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler. Gobbler has the ability to look at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates DHCP discovery messages with bogus MAC addresses.
DHCP Starvation Attack
– This occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information, including the following:
DHCP Spoofing Attack
- The rogue server provides an invalid gateway or the IP address of its host to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network.
Wrong default gateway
- The rogue server provides an incorrect DNS server address pointing the user to a nefarious website.
Wrong DNS server
- The rogue server provides an invalid IP address effectively creating a DoS attack on the DHCP client.
Wrong IP address
occur when the threat actors alter the MAC address of their host to match another known MAC address of a target host. The switch overwrites the current MAC table entry and assigns the MAC address to the new port. It then inadvertently forwards frames destined for the target host to the attacking host.
MAC address spoofing attacks
is when a threat actor hijacks a valid IP address of another device on the subnet or uses a random IP address. IP address spoofing is difficult to mitigate, especially when it is used inside a subnet in which the IP belongs.
IP address spoofing
is a proprietary Layer 2 link discovery protocol. It is enabled on all Cisco devices by default. Network administrators also use CDP to help configure and troubleshoot network devices.
Cisco Discovery Protocol (CDP)
is also vulnerable to reconnaissance attacks. Configure no lldp run to disable LLDP globally. To disable LLDP on the interface, configure no lldp transmit and no lldp receive.
Link Layer Discovery Protocol (LLDP)
To mitigate the exploitation of CDP, limit the use of CDP on devices or ports. For example, disable CDP on edge ports that connect to untrusted devices.
- To disable CDP globally on a device, use the no cdp run global configuration mode command. To enable CDP globally, use the cdp run global configuration command.
- To disable CDP on a port, use the no cdp enable interface configuration command. To enable CDP on a port, use the cdp enable interface configuration command.