CCNA2 - Procedures Flashcards
How does the STA create a loop-free topology?
- Selecting a Root Bridge: This bridge (switch) is the reference point for the entire network to build a spanning tree around.
- Block Redundant Paths: STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop. When a port is blocked, user data is prevented from entering or leaving that port.
- Create a Loop-Free Topology: A blocked port has the effect of making that link a non-forwarding link between the two switches. This creates a topology where each switch has only a single path to the root bridge, similar to branches on a tree that connect to the root of the tree.
- Recalculate in case of Link Failure: The physical paths still exist to provide redundancy, but these paths are disabled to prevent the loops from occurring. If the path is ever needed to compensate for a network cable or switch failure, STP recalculates the paths and unblocks the necessary ports to allow the redundant path to become active. STP recalculations can also occur any time a new switch or new inter-switch link is added to the network.
Steps to a Loop-Free Topology
Using the STA, STP builds a loop-free topology in a four-step process:
1. Elect the root bridge.
2. Elect the root ports.
3. Elect designated ports.
4. Elect alternate (blocked) ports.
- During STA and STP functions, switches use Bridge Protocol Data Units (BPDUs) to share information about themselves and their connections. BPDUs are used to elect the root bridge, root ports, designated ports, and alternate ports.
- Each BPDU contains a bridge ID (BID) that identifies which switch sent the BPDU. The BID is involved in making many of the STA decisions including root bridge and port roles.
- The BID contains a priority value, the MAC address of the switch, and an extended system ID. The BID is compared as one value: the priority plus extended system ID is compared first, and the MAC address only breaks ties between switches whose priority values are equal. The lowest BID wins.
- Bridge Priority: The default priority value for all Cisco switches is the decimal value 32768. The range is 0 to 61440 in increments of 4096. A lower bridge priority is preferable. A bridge priority of 0 takes precedence over all other bridge priorities.
- Extended System ID: The extended system ID value is a decimal value added to the bridge priority value in the BID to identify the VLAN for this BPDU.
- MAC address: When two switches are configured with the same priority and have the same extended system ID, the switch having the MAC address with the lowest value, expressed in hexadecimal, will have the lower BID.
Elect the Root Bridge
- The STA designates a single switch as the root bridge and uses it as the reference point for all path calculations. Switches exchange BPDUs to build the loop-free topology beginning with selecting the root bridge.
- All switches in the broadcast domain participate in the election process. After a switch boots, it begins to send out BPDU frames every two seconds. These BPDU frames contain the BID of the sending switch and the BID of the root bridge, known as the Root ID.
- The switch with the lowest BID will become the root bridge. At first, all switches declare themselves as the root bridge with their own BID set as the Root ID. Eventually, the switches learn through the exchange of BPDUs which switch has the lowest BID and will agree on one root bridge.
The priority of all the switches is _________. The value is based on the 32768 default bridge priority and the extended system ID (VLAN 1 assignment) associated with each switch (32768+1).
32769
default BID
32768 (the default bridge priority) plus the extended system ID (the VLAN number, so 32769 for VLAN 1), followed by the switch MAC address; with equal priorities the switch with the lowest MAC address has the lowest BID.
Determine the Root Path Cost
- When the root bridge has been elected for a given spanning tree instance, the STA starts determining the best paths to the root bridge from all destinations in the broadcast domain. The path information, known as the internal root path cost, is determined by the sum of all the individual port costs along the path from the switch to the root bridge.
- When a switch receives the BPDU, it adds the ingress port cost of the segment to determine its internal root path cost.
- The default port costs are defined by the speed at which the port operates. The table shows the default port costs suggested by IEEE. Cisco switches by default use the values as defined by the IEEE 802.1D standard, also known as the short path cost, for both STP and RSTP.
  Link speed   IEEE 802.1D (short) port cost
  10 Gbps      2
  1 Gbps       4
  100 Mbps     19
  10 Mbps      100
- Although switch ports have a default port cost associated with them, the port cost is configurable. The ability to configure individual port costs gives the administrator the flexibility to manually control the spanning tree paths to the root bridge.
2. Elect the Root Ports
- After the root bridge has been determined, the STA algorithm is used to select the root port. Every non-root switch will select one root port. The root port is the port closest to the root bridge in terms of overall cost to the root bridge. This overall cost is known as the internal root path cost.
- The internal root path cost is equal to the sum of all the port costs along the path to the root bridge, as shown in the figure. Paths with the lowest cost become preferred, and all other redundant paths are blocked. In the example, the internal root path cost from S2 to the root bridge S1 over path 1 is 19 while the internal root path cost over path 2 is 38. Because path 1 has a lower overall path cost to the root bridge, it is the preferred path and F0/1 becomes the root port on S2.
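The election and path-cost rules above can be steered from the CLI. The following is an added example (not part of the original flashcards) showing how an administrator pins the root bridge with an explicit priority, and how a configured port cost moves the root port on S2. It assumes the card's topology and 100 Mbps links (path 1 = 19, path 2 = 38); the hostnames S1/S2, VLAN 1 and the port numbers are assumptions.

```cisco
! Added example, not from the original cards. Topology assumed from the card:
! S1 is root, S2 reaches it on F0/1 directly (cost 19) or on F0/2 via S3 (19 + 19 = 38).
!
! Default (weak) state: every switch runs with priority 32768 + 1 = 32769 for
! VLAN 1, so the root is simply whichever switch has the lowest MAC address,
! often the oldest access switch. Pin it explicitly instead. The priority must
! be a multiple of 4096; the switch rejects any other value.
S1(config)# spanning-tree vlan 1 priority 24576
! S1's BID for VLAN 1 is now 24576 + 1 = 24577. Give S2 the next-lowest value
! so a failure of S1 yields a predictable secondary root (28672 + 1 = 28673).
S2(config)# spanning-tree vlan 1 priority 28672
! Equivalent macro form: "spanning-tree vlan 1 root primary" (sets 24576, or
! 4096 below the current root if that is lower) and "root secondary" (sets 28672).

! Root port selection on S2 uses the sum of port costs toward the root.
! Raising the cost of F0/1 above 38 makes path 2 (F0/2 via S3) the cheaper one,
! so the root port moves from F0/1 to F0/2 and F0/1 becomes the alternate port.
S2(config)# interface FastEthernet0/1
S2(config-if)# spanning-tree vlan 1 cost 40
! path 1 = 40, path 2 = 19 + 19 = 38  ->  F0/2 is now the root port.
! "no spanning-tree vlan 1 cost" returns the port to the IEEE default (19).

! Verify: compare Root ID with Bridge ID, and read the Role/Sts/Cost columns per port.
S2# show spanning-tree vlan 1
S2# show spanning-tree root
```

The BID arithmetic in the comments is the same 32768 + VLAN ID rule the cards describe; a root bridge that is chosen by MAC address rather than by configured priority is also the weakness the STP attack card later in this set exploits.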
3. Elect Designated Ports
- Every segment between two switches will have one designated port. The designated port is the port on the segment with the lowest internal root path cost to the root bridge. In other words, the designated port has the best path to receive traffic leading to the root bridge.
- Any port that is neither a root port nor a designated port becomes an alternate (blocked) port.
- All ports on the root bridge are designated ports.
- If one end of a segment is a root port, the other end is a designated port.
- All ports attached to end devices are designated ports.
- On segments between two switches where neither of the switches is the root bridge, the port on the switch with the least-cost path to the root bridge is a designated port.
4. Elect Alternate (Blocked) Ports
If a port is not a root port or a designated port, then it becomes an alternate (or backup) port. Alternate ports are in discarding or blocking state to prevent loops. In the figure, the STA has configured port F0/2 on S3 in the alternate role. Port F0/2 on S3 is in the blocking state and will not forward Ethernet frames. All other inter-switch ports are in forwarding state. This is the loop-prevention part of STP.
Configuring EtherChannel with LACP requires the following three steps:
Step 1. Specify the interfaces that compose the EtherChannel group using the interface range global configuration mode command. The range keyword allows you to select several interfaces and configure them all together.
Step 2. Create the port channel interface with the channel-group identifier mode active command in interface range configuration mode. The identifier specifies a channel group number. The mode active keywords identify this as an LACP EtherChannel configuration.
Step 3. To change Layer 2 settings on the port channel interface, enter port channel interface configuration mode using the interface port-channel command, followed by the interface identifier. In the example, S1 is configured with an LACP EtherChannel. The port channel is configured as a trunk interface with the allowed VLANs specified.
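As an added example (not the card's own configuration), here is the three-step LACP configuration on both ends of the link. The member interfaces F0/1-2, channel group 1 and the allowed VLANs 1, 2 and 20 are assumptions.

```cisco
! Added example, not from the original card. Assumes S1 and S2 are linked by
! FastEthernet0/1 and 0/2 and that VLANs 1, 2 and 20 exist (assumed values).

! S1, Step 1: select the member ports together.
S1(config)# interface range FastEthernet0/1 - 2
! Step 2: bundle them as channel group 1 using LACP. "active" sends LACPDUs
! unprompted; the switch creates interface Port-channel1 automatically.
S1(config-if-range)# channel-group 1 mode active
S1(config-if-range)# exit
! Step 3: Layer 2 settings go on the logical port channel, not on the members,
! so that every member inherits an identical trunk configuration.
S1(config)# interface port-channel 1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 1,2,20
! (On platforms that support ISL, add "switchport trunk encapsulation dot1q"
!  before "switchport mode trunk".)

! S2: same member ports. "passive" only answers LACPDUs, so at least one end
! must be active; active/active also works, passive/passive never bundles.
S2(config)# interface range FastEthernet0/1 - 2
S2(config-if-range)# channel-group 1 mode passive
S2(config-if-range)# exit
S2(config)# interface port-channel 1
S2(config-if)# switchport mode trunk
S2(config-if)# switchport trunk allowed vlan 1,2,20

! Verify: Po1 flagged SU (Layer 2, in use) with each member flagged P (bundled).
S1# show etherchannel summary
```

Keeping the trunk settings on the port-channel interface, rather than on each member, is what keeps the members consistent; a member whose settings drift from the bundle is suspended, which is the failure mode the troubleshooting cards below describe.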
Verify and Troubleshoot EtherChannel
Verify EtherChannel
The show interfaces port-channel command displays the general status of the port channel interface.
The show etherchannel summary command displays one line of information per port channel.
The show etherchannel port-channel command displays information about a specific port channel interface.
The show interfaces etherchannel command can provide information about the role of a physical member interface of the EtherChannel.
Troubleshoot EtherChannel
Step 1. View the EtherChannel Summary Information: The output of the show etherchannel summary command indicates that the EtherChannel is down.
Step 2. View Port Channel Configuration: In the show run | begin interface port-channel output, more detailed output indicates that there are incompatible PAgP modes configured on S1 and S2.
Step 3. Correct the Misconfiguration: To correct the issue, the PAgP mode on the EtherChannel is changed to desirable.
Step 4. Verify EtherChannel is Operational: The EtherChannel is now active as verified by the output of the show etherchannel summary command.
Common Issues with EtherChannel Configuration
All interfaces within an EtherChannel must have the same configuration of speed and duplex mode, native and allowed VLANs on trunks, and access VLAN on access ports. Ensuring these configurations will significantly reduce network problems related to EtherChannel. Common EtherChannel issues include the following:
* Assigned ports in the EtherChannel are not part of the same VLAN, or not configured as trunks. Ports with different native VLANs cannot form an EtherChannel.
* Trunking was configured on some of the ports that make up the EtherChannel, but not all of them. It is not recommended that you configure trunking mode on individual ports that make up the EtherChannel. When configuring a trunk on an EtherChannel, verify the trunking mode on the EtherChannel.
* If the allowed range of VLANs is not the same, the ports do not form an EtherChannel even when PAgP is set to the auto or desirable mode.
* The dynamic negotiation options for PAgP and LACP are not compatibly configured on both ends of the EtherChannel.
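An added example (not from the cards) that walks through the four troubleshooting steps above and then enforces the member-consistency rules from the common-issues list. It assumes Port-channel 1 over F0/1-2 between S1 and S2, VLANs 1, 2 and 20, and native VLAN 99; all of these values are assumptions.

```cisco
! Added example, not from the original cards. Assumed: Port-channel 1 over
! FastEthernet0/1-2 between S1 and S2, VLANs 1,2,20, native VLAN 99.

! Step 1: the summary shows Po1 as SD (down) and the members as I (stand-alone).
S1# show etherchannel summary
! Step 2: compare both ends. Note the capital P: "| begin" is a regex and the
! running-config spells the interface "Port-channel1".
S1# show run | begin interface Port-channel
S2# show run | begin interface Port-channel
! Finding: both ends use "channel-group 1 mode auto". PAgP auto only answers
! PAgP packets, so auto/auto never negotiates (exactly like LACP passive/passive).
! A protocol mismatch (PAgP on one end, LACP on the other) fails the same way.
! Mode "on" skips negotiation entirely and must then be "on" at both ends.

! Step 3: change one side to desirable so it initiates PAgP.
S1(config)# interface range FastEthernet0/1 - 2
S1(config-if-range)# channel-group 1 mode desirable
S1(config-if-range)# exit

! Members must also match each other in speed, duplex, trunk mode, native VLAN
! and allowed VLAN list; a member that differs is suspended (flag s). Set these
! on the port channel so they propagate to every member identically.
S1(config)# interface port-channel 1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# switchport trunk allowed vlan 1,2,20,99
! Repeat the same three trunk lines on S2's port-channel 1.

! Step 4: Po1 should now be SU with each member P.
S1# show etherchannel summary
S1# show interfaces port-channel 1
S1# show interfaces etherchannel
```

The two checks worth remembering from this session are the negotiation-mode pairing (at least one end must initiate: desirable for PAgP, active for LACP) and the rule that trunk settings belong on the port-channel interface, which is what the "trunking configured on some ports but not all" issue in the list above is about.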
VLAN Double-Tagging Attacks
Step 1: The threat actor sends a double-tagged 802.1Q frame to the switch. The outer header has the VLAN tag of the threat actor, which is the same as the native VLAN of the trunk port.
Step 2: The frame arrives on the first switch, which looks at the first 4-byte 802.1Q tag. The switch sees that the frame is destined for the native VLAN. The switch forwards the packet out all native VLAN ports after stripping the VLAN tag. The frame is not retagged because it is part of the native VLAN. At this point, the inner VLAN tag is still intact and has not been inspected by the first switch.
Step 3: The frame arrives at the second switch, which has no knowledge that it was supposed to be for the native VLAN, because native VLAN traffic is sent untagged by the sending switch as specified in 802.1Q. The second switch looks only at the inner 802.1Q tag that the threat actor inserted and sees that the frame is destined for the target VLAN. The second switch sends the frame on to the target or floods it, depending on whether there is an existing MAC address table entry for the target.
ARP Attacks
- Hosts broadcast ARP Requests to determine the MAC address of a host with a destination IP address. All hosts on the subnet receive and process the ARP Request. The host with the matching IP address in the ARP Request sends an ARP Reply.
- A client can send an unsolicited ARP Reply called a “gratuitous ARP”. Other hosts on the subnet store the MAC address and IP address contained in the gratuitous ARP in their ARP tables.
- A threat actor can send a gratuitous ARP Reply that binds the IP address of the default gateway to the threat actor's own MAC address. The switch learns the source MAC address of the frame on the attacker's port as usual, and every host on the subnet that processes the gratuitous ARP updates its ARP table, so traffic destined for the gateway is now sent to the threat actor instead, effectively setting up a man-in-the-middle attack.
- There are many tools available on the internet to create ARP man-in-the-middle attacks.
- IPv6 uses the ICMPv6 Neighbor Discovery Protocol rather than ARP for Layer 2 address resolution. A spoofed Neighbor Advertisement is the IPv6 equivalent of a spoofed ARP Reply, and switches mitigate it with analogous inspection features (IPv6 ND inspection) rather than with DAI.
- ARP spoofing and ARP poisoning are mitigated by implementing Dynamic ARP Inspection (DAI).
STP Attacks
- Network attackers can manipulate the Spanning Tree Protocol (STP) to conduct an attack by spoofing the root bridge and changing the topology of a network. Attackers can then capture all traffic for the immediate switched domain.
- To conduct an STP manipulation attack, the attacking host broadcasts STP bridge protocol data units (BPDUs) containing configuration and topology changes that will force spanning-tree recalculations. The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge.
- This STP attack is mitigated by implementing BPDU Guard on all access ports. BPDU Guard is discussed in more detail later in the course.
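The three attacks described above (VLAN double tagging, ARP poisoning, STP root manipulation) have standard switch-side mitigations; the following added example, which is not from the cards, collects them in one configuration for a single access switch S1. The user VLAN 10, the unused VLAN 999 chosen as trunk native VLAN, access ports F0/1-24 and the uplink trunk G0/1 are assumptions.

```cisco
! Added example, not from the original cards. Assumed: access switch S1,
! user VLAN 10, unused VLAN 999 as native VLAN, access ports F0/1-24,
! uplink trunk GigabitEthernet0/1 toward the gateway and DHCP server.

! --- VLAN double tagging ---
! The attack needs the attacker's access VLAN to equal the trunk's native VLAN.
! Move the native VLAN to a VLAN no access port will ever belong to, tag it
! anyway, and disable DTP so an access port can never be negotiated into a trunk.
S1(config)# vlan 999
S1(config-vlan)# name UNUSED_NATIVE
S1(config-vlan)# exit
S1(config)# interface GigabitEthernet0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport nonegotiate
S1(config-if)# switchport trunk native vlan 999
S1(config-if)# exit
! Tag native VLAN frames on every trunk (global command; not on every platform).
S1(config)# vlan dot1q tag native
S1(config)# interface range FastEthernet0/1 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# exit

! --- ARP poisoning: Dynamic ARP Inspection ---
! DAI checks each ARP packet from an untrusted port against the DHCP snooping
! binding table, so a gratuitous ARP claiming the gateway's IP with the
! attacker's MAC is dropped. Hosts with static addresses need an "arp access-list".
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config)# ip arp inspection vlan 10
S1(config)# ip arp inspection validate src-mac dst-mac ip
S1(config)# interface GigabitEthernet0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust
S1(config-if)# exit
! Access ports stay untrusted and keep the default ARP rate limit of 15 pps.

! --- STP manipulation: BPDU Guard ---
! An access port should never receive a BPDU. BPDU Guard err-disables the port
! the moment one arrives, before the attacker's low priority reaches an election.
S1(config)# interface range FastEthernet0/1 - 24
S1(config-if-range)# spanning-tree portfast
S1(config-if-range)# spanning-tree bpduguard enable
S1(config-if-range)# exit
! Global alternative for all PortFast ports: spanning-tree portfast bpduguard default

! Verify
S1# show interfaces trunk
S1# show ip arp inspection vlan 10
S1# show spanning-tree summary
```

Each control maps to one step of the attack descriptions above: the native VLAN change and tagging remove the untagged outer header the double-tag attack relies on, DAI rejects the unsolicited ARP Reply, and BPDU Guard stops the attacker's BPDUs at the port instead of letting the STA recalculate around them.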
Recovering from a System Crash
If the switch’s operating system is missing or damaged, the boot loader allows access to the switch through a console connection. Here’s how to access it:
- Connect a PC to the switch via console cable and open terminal software.
- Unplug the switch power cord.
- Reconnect the power and, within 15 seconds, press and hold the Mode button while the System LED flashes green.
- Keep holding until the LED turns amber and then solid green, then release the Mode button.
- The boot loader prompt will appear in the terminal software.
The boot loader lets you format the flash, reinstall the OS, or recover a lost password, using commands like dir to view files. This access requires no credentials, only a console connection and control of the power cord, so physical security of the switch and its console port is the control that protects the stored configuration.
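As an added example (not from the card), this is the boot loader session the procedure above leads to on a Catalyst 2960-class switch, used here for the password-recovery case the card mentions. The switch: prompt and the file name config.text are the defaults on those models; new-secret is a placeholder.

```cisco
! Added example, not from the original card. Catalyst 2960-class boot loader.
! flash_init must run before any file command, otherwise "dir" finds nothing.
switch: flash_init
switch: dir flash:
! Hide the startup configuration so IOS boots without it (and without the
! forgotten enable secret); renaming keeps the rest of the configuration.
switch: rename flash:config.text flash:config.text.old
switch: boot

! IOS is now up with an empty configuration. Restore the old one into the
! running configuration, replace the secret, and save.
Switch# rename flash:config.text.old flash:config.text
Switch# copy flash:config.text system:running-config
Switch# configure terminal
Switch(config)# enable secret new-secret
Switch(config)# end
Switch# copy running-config startup-config
```

If the switch was configured with no service password-recovery, the boot loader refuses this path and only allows the configuration to be erased, which trades recoverability for protection of the stored secrets.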
Switch SVI Configuration Example
By default, the switch uses VLAN 1 for management. For security, it’s best to use a different VLAN for management.
- Configure the Management Interface: Assign an IP address and subnet mask to the switch’s management SVI (e.g., VLAN 99). The SVI won’t be “up/up” until VLAN 99 is created and a device is connected to a port in that VLAN. If using IPv6, configure the switch for dual IP modes first.
- Configure the Default Gateway: If managing the switch remotely from another network, set a default gateway. No IPv6 gateway is needed since the switch receives this info from a router advertisement.
- Verify Configuration: Use show ip interface brief and show ipv6 interface brief to check the status of interfaces and confirm the IP setup. The IP on the SVI allows remote management, but not routing of Layer 3 packets.
Configure SSH
- Verify SSH Support: Use show ip ssh to check if the switch supports SSH. If the IOS doesn't support encryption, this command won't work.
- Configure IP Domain: Set the domain name with ip domain-name domain-name. The switch needs both a hostname and a domain name before it can generate keys.
- Generate RSA Key Pair: Use crypto key generate rsa to enable SSH and generate the RSA key pair; choose a modulus of at least 2048 bits. Delete with crypto key zeroize rsa if needed (for example, if the key is ever exposed).
- Configure User Authentication: Create a local username and password with username username secret password.
- Configure vty Lines: Enable SSH on vty lines using transport input ssh and set local authentication with login local. transport input ssh also removes Telnet from those lines.
- Enable SSH Version 2: Enable SSH v2 with ip ssh version 2. SSH v1 has known protocol weaknesses, so restricting the switch to v2 is the expected configuration.
Verify SSH is Operational
- On a PC, use an SSH client like PuTTY to connect to the switch (S1) with IP address 172.17.99.11 on VLAN 99.
- From PC1 (IP 172.17.99.21), initiate an SSH connection to the switch.
- Enter the username (admin) and password (ccna) when prompted to connect to the switch’s CLI.
- Use show ip ssh to check SSH version and configuration on the switch (SSH v2 is enabled in the example).
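An added example (not the cards' own listing) that combines the SVI and SSH procedures using the values from the verification card: S1 at 172.17.99.11 on VLAN 99, user admin, password ccna. The /24 mask, the default gateway 172.17.99.1, the domain name example.com and the 2048-bit modulus are assumptions.

```cisco
! Added example, not from the original cards. Values from the cards: S1,
! VLAN 99, 172.17.99.11, user admin / ccna. Assumed: /24 mask, gateway
! 172.17.99.1, domain example.com, 2048-bit RSA modulus.

! Management SVI on a dedicated VLAN rather than VLAN 1.
S1(config)# vlan 99
S1(config-vlan)# name MGMT
S1(config-vlan)# exit
S1(config)# interface vlan 99
S1(config-if)# ip address 172.17.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
! The SVI stays down until VLAN 99 exists and an active port belongs to it.
! The switch does not route, so it needs a default gateway for remote management.
S1(config)# ip default-gateway 172.17.99.1

! SSH: hostname and domain name are both prerequisites for key generation.
S1(config)# ip domain-name example.com
S1(config)# crypto key generate rsa modulus 2048
! Regenerate after "crypto key zeroize rsa" if the key is ever exposed.
S1(config)# ip ssh version 2
! The card's password is a lab value; a production account gets a strong secret.
S1(config)# username admin secret ccna
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 5 0
S1(config-line)# exit

! Verify
S1# show ip interface brief
S1# show ip ssh
! From PC1 (172.17.99.21):  ssh -l admin 172.17.99.11
```

Two things to check after this: show ip interface brief must list Vlan99 as up/up before any SSH test is meaningful, and show ip ssh should report version 2.0 only; a value of 1.99 means both versions are still accepted.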
Configure Router Interfaces
Routers connect LANs and WANs and support various interfaces (e.g., Gigabit Ethernet, serial, DSL). To configure an interface:
- Assign an IP Address: Use ip address ip-address subnet-mask for IPv4 or ipv6 address ipv6-address/prefix for IPv6.
- Activate the Interface: By default, interfaces are off. Use no shutdown to enable them, and ensure the interface is connected to another device.
- Add a Description (optional): Configure a brief description for each interface to aid in troubleshooting and network management.