Switching Flashcards
DHCP snooping
o Definition: Filters untrusted DHCP messages and builds a binding table of valid IP-MAC address pairs.
o Example: a switch intercepts a DHCP request from a host and validates it against the binding table before forwarding it to the DHCP server.
o Pros: protecting the network from unauthorized hosts and IP conflicts, preventing DHCP spoofing attacks and rogue DHCP servers.
Setup:
1. Enable it under the security section.
2. Add the VLANs to apply snooping to.
3. Set trust mode on the port that is connected to the router.
4. Turn on chaddr verification on ports connected to clients (optional).
DAI
o Definition: Dynamic ARP Inspection, a security feature that validates ARP packets on untrusted ports and verifies that they have a valid IP-MAC binding.
o Example: a switch intercepts an ARP reply from a host and checks it against the DHCP snooping binding table or a static ARP entry before updating the ARP cache or forwarding the packet.
o Pros: preventing hosts from impersonating other hosts or routers on the network, preventing ARP spoofing attacks and ARP poisoning.
Setup:
1. Enable DAI under the security section and enter the VLANs it applies to.
2. Enable the optional DAI parameters listed below.
Parameters:
Trust port - allows ARP packets through without inspection.
Source MAC verification - checks whether the source MAC in the ARP packet matches the MAC associated with the sender IP address; the packet can be dropped or logged if the MAC is suspicious or inconsistent.
Destination MAC verification - checks the destination MAC address against the MAC of the intended recipient in the ARP packet.
IP address verification - verifies IP address in ARP packet matches IP address listed in DHCP snooping binding table.
Storm control
o Definition: Monitors the traffic levels of broadcast, multicast, and unknown unicast packets on a port and takes action when a configured threshold is exceeded.
o Example: a switch drops excess broadcast packets on a port if they exceed 50% of the bandwidth.
o Pros: protecting the network from excessive traffic and preserving bandwidth for other applications, preventing traffic storms that can degrade network performance or cause denial-of-service attacks.
Setup:
1. Enable storm control on the port.
2. Apply the control to broadcast, unknown multicast, or unknown unicast traffic independently.
3. Choose whether to simply drop the excess packets or to disable the port.
LACP
o Definition: Control protocol for link aggregation that allows devices to negotiate settings for link aggregation groups (LAGs) and to exchange information about the status and configuration of the links.
o Example or use case: LACP can be used to combine multiple Ethernet links into a single logical link between two switches, a switch and a server, or a switch and a network-attached storage (NAS) device. This can increase the bandwidth, reliability, and availability of the connection.
o Pros: LACP can prevent errors and misconfigurations in the link aggregation setup process, and can dynamically adjust to changes in the link status or availability.
Jumbo Frame
o Definition: A jumbo frame is an Ethernet frame that has a payload size larger than the standard maximum of 1500 bytes. The maximum size of a jumbo frame varies depending on the device and the network, but it can range from 9000 to 12000 bytes or more.
o Example or use case: Jumbo frames can be used to improve the efficiency and performance of data transfers that involve large amounts of data, such as file transfers, backups, video streaming, or virtualization. Jumbo frames can reduce packet overhead and fragmentation, increase throughput, and improve latency.
o Pros: Jumbo frames can reduce the CPU utilization and network congestion caused by processing and transmitting many small packets. Jumbo frames can also improve the error detection and correction capabilities of Ethernet by using larger cyclic redundancy checks (CRCs).
o Cons: Jumbo frames require all devices in the network path to support and be configured for the same frame size. Jumbo frames may not be compatible with some devices or applications that expect standard frame sizes. Jumbo frames may also increase the impact of packet loss or corruption by affecting more data per packet.
LAG
o Definition: Allows multiple physical links to be combined into a single logical link between two networked devices. Link aggregation is also known by other names, such as port channeling, port trunking, or Ethernet bonding.
o Example or use case: Link aggregation can be used to increase the bandwidth, reliability, and availability of a connection between two switches, a switch and a server, or a switch and a NAS device. Link aggregation can also provide load balancing and failover capabilities for the traffic across the links.
o Pros: Link aggregation can improve the network performance and resilience by utilizing multiple links instead of relying on a single link. Link aggregation can also provide cost-effectiveness by increasing bandwidth without requiring new equipment or cables.
Spanning Tree
o Definition: Spanning tree is a protocol that prevents loops in a network that has redundant paths between switches. Spanning tree creates a logical tree structure that spans all the switches in the network, and blocks some ports that could cause loops. Spanning tree can also detect and recover from changes in the network topology.
o Pros: Spanning tree can enhance the network reliability and availability by preventing loops and allowing alternative paths in case of link failures. Spanning tree can also provide automatic configuration and adaptation to changes in the network topology.
Port isolation
o Definition: Does not allow ports within the isolated group to communicate with each other, even if they are on the same VLAN.
o Pros: enhancing privacy and security for hosts on the same network segment, preventing hosts from accessing other hosts or devices on the same network segment.
o Cons: limiting network functionality and connectivity for some applications or services, introducing complexity and overhead in the network configuration and management.
802.1x
o Definition: Grants network access at the port level by authenticating the connected host against a RADIUS server.
o Example: a switch authenticates a host using its username and password before allowing it to access the network. The switch acts as an authenticator and forwards the host’s credentials to the authentication server. The authentication server validates the credentials and sends back an accept or reject message to the switch. The switch then grants or denies access to the host based on the message.
AAA
o Definition: Authentication, Authorization, and Accounting, a framework that provides security services for network access. It uses an authentication server (such as RADIUS or TACACS+) to verify the identity of clients (authentication), determine what resources they can access (authorization), and keep track of their activities (accounting). It is a broader concept of access control.
o Example: a router authenticates a user using its username and password before allowing it to access a VPN tunnel. The router acts as an AAA client and forwards the user’s credentials to the AAA server. The AAA server validates the credentials and sends back an accept or reject message to the router. The AAA server also sends back information about what resources the user can access (such as IP address, encryption key, etc.) and how long they can use them. The router then grants or denies access to the user based on the message. The AAA server also records information about when, where, how long, and how much data the user used during their session (accounting).
o Pros: enhancing network security and access control by preventing unauthorized users from accessing network resources, supporting multiple authentication methods (such as passwords, certificates, tokens, etc.) and encryption protocols (such as IPsec, SSL VPN, etc.), providing centralized management and auditing of user activities.
Flow control
Definition: a mechanism that regulates the rate of data transmission between two network devices to prevent congestion and packet loss.
Example: a switch uses IEEE 802.3x pause frames to signal a sender to stop sending data when its buffer is full, and to resume sending data when its buffer has enough space.
Pros: preventing packet loss and improving network performance by avoiding buffer overflow and underflow, supporting full-duplex and half-duplex communication modes.
Cons: introducing delays and jitter in the data transmission, reducing the effective bandwidth of the link, depending on the compatibility and configuration of both devices.
Tagged port (trunk)
Definition: a port that sends and receives Ethernet frames with VLAN tags that indicate the VLAN membership of the frames. A tagged port can belong to multiple VLANs and can carry traffic for different VLANs on the same physical link.
Example: a switch port that connects to another switch or a router uses VLAN tags to distinguish between frames from different VLANs. The port can be configured as a trunk port (Cisco terminology) or a tagged port (other vendors’ terminology) and can use protocols such as 802.1Q or ISL to encapsulate the frames with VLAN tags.
Pros: allowing multiple VLANs to share the same physical link, increasing the bandwidth utilization and reducing the number of cables and ports needed, supporting inter-VLAN routing and communication.
Untagged Port (access)
Definition: a port that sends and receives Ethernet frames without VLAN tags. An untagged port can belong to only one VLAN and can carry traffic only for that VLAN on the physical link.
Example: a switch port that connects to an end device (such as a PC or a printer) does not use VLAN tags to identify the frames. The port can be configured as an access port (Cisco terminology) or an untagged port (other vendors’ terminology) and can assign the frames to a default or native VLAN based on its configuration.
Pros: simplifying the Ethernet frames and the network configuration, supporting devices that do not understand VLAN tags, keeping the port's traffic confined to its single VLAN.
Cons: limiting the number of VLANs that can use the same physical link, requiring more cables and ports for different VLANs, depending on other security features (such as port security) to prevent unauthorized access to the VLAN.
IGMP Snooping
Definition: a feature that allows a switch to monitor Internet Group Management Protocol (IGMP) messages between hosts and multicast routers, and to learn which ports are interested in receiving multicast traffic. IGMP snooping can optimize network performance by reducing unnecessary multicast traffic on switch ports that do not have any multicast listeners.
Example: a switch receives an IGMP join message from a host on port 1 requesting to join a multicast group G. The switch adds port 1 to its IGMP snooping table entry for group G. When the switch receives multicast traffic for group G from another port, it forwards it only to port 1. When the switch receives an IGMP leave message from the host on port 1 leaving group G, it removes port 1 from its IGMP snooping table entry for group G.
Pros: improving network performance and efficiency by reducing multicast traffic on ports that do not have any multicast listeners, saving bandwidth and CPU resources for other applications, supporting multiple multicast groups and protocols (such as IGMPv1, IGMPv2, IGMPv3).
Cons: requiring additional configuration and resources on the switch, depending on other features (such as IGMP querier or multicast router) to maintain accurate IGMP snooping table entries, introducing delays or disruptions in multicast delivery when reacting to IGMP messages.
Router port (IGMP)
Definition: a port that connects to a multicast router or a device that can send IGMP queries. An IGMP snooping router port can belong to multiple VLANs and can receive multicast traffic for different groups on the same physical link.
Example: a switch port that connects to a router that acts as an IGMP querier for multiple VLANs. The port can be configured as an IGMP snooping router port using the ip igmp snooping vlan vlan-id mrouter interface interface-id command. The port can receive multicast traffic for any group that has members in the VLANs.
Pros: allowing the switch to learn about multicast groups and sources from the multicast router, supporting inter-VLAN routing and communication for multicast traffic, enabling the switch to forward IGMP reports and leave messages to the multicast router.
Cons: requiring additional configuration and resources on the switch and the multicast router, depending on the compatibility and configuration of both devices, introducing delays or disruptions in multicast delivery when reacting to IGMP queries.
Port fast leave (IGMP)
Definition: a feature that allows a port to be removed from a multicast group upon receiving an IGMP leave message. When port fast leave is enabled, IGMP snooping does not wait for an IGMP query to confirm the leave request, but deletes the port directly from the multicast group.
Example: a switch receives an IGMP leave message from a host on port 1 leaving a multicast group G. The switch has port fast leave enabled on port 1. The switch removes port 1 from its IGMP snooping table entry for group G without waiting for an IGMP query from the multicast router.
Pros: saving bandwidth and CPU resources by reducing unnecessary multicast traffic on ports that do not have any multicast listeners, improving network performance and efficiency by avoiding delays in multicast delivery.
Cons: dropping valid multicast traffic if there are other hosts on the same port that are still interested in receiving the multicast group, depending on other features (such as IGMP querier or multicast router) to maintain accurate IGMP snooping table entries.