
CCNP Notes : what is Cisco Nonstop Forwarding (NSF)

Cisco Nonstop Forwarding (NSF)
Cisco Nonstop Forwarding (NSF) is a redundancy feature that works with the Stateful Switchover (SSO) feature in Cisco IOS software. NSF works with SSO to minimize the amount of time a network is unavailable to its users following a switchover. The main objective of Cisco NSF is to continue forwarding IP packets following a Route Processor (RP) switchover.

Usually, when a networking device restarts, all routing peers of that device detect that the device went down and then came back up. This transition results in what is called a routing flap, which could spread across multiple routing domains. Routing flaps caused by routing restarts create routing instabilities, which are detrimental to the overall network performance. Cisco NSF helps to suppress routing flaps in SSO-enabled devices, thus reducing network instability.

Cisco NSF allows the forwarding of data packets to continue along known routes while the routing protocol information is being restored following a switchover. With Cisco NSF, peer networking devices do not experience routing flaps. After the routing has reconverged and a new RIB is built, the old CEF entries are removed.

Main Characteristics

  • Uses the FIB table
  • Maintains L3 continuity
  • Prevents route flapping


CCNP Notes : What is Cisco Express Forwarding (CEF)

Cisco Express Forwarding (CEF) 
Cisco Express Forwarding (CEF) is a packet-switching technique that is the default on many Cisco routers. It provides the ability to switch packets through a device in a very quick and efficient way while also keeping the load on the router's processor low. CEF is made up of two main components: the Forwarding Information Base (FIB) and the Adjacency Table. These are automatically updated at the same time as the routing table.

Forwarding Information Base (FIB)

The FIB contains destination reachability information as well as next hop information. This information is then used by the router to make forwarding decisions. 

Adjacency Table

The FIB is combined along with an adjacency table. For a node to be considered adjacent it must be reachable within a single hop of the data link layer (e.g. ethernet hop). The adjacency table is tasked with maintaining the layer 2 next-hop information for the FIB.

The adjacency table contains a number of different types of adjacency:

    Host route adjacency: A host route adjacency entry is used to specify that a specific host is within one layer two hop.

    Null adjacency: This is used for packets which are destined for the Null0 interface.

    Glean adjacency: A glean adjacency is used when a device is connected to multiple hosts off the same interface. In this case, the entry contains a prefix for the subnet not just for a specific host entry.

    Punt adjacency: This is used for those packets that utilize features not currently supported by CEF and which must be forwarded to the next switching level (often to be process switched).

    Discard adjacency: A discard adjacency entry is used for those packets that are to be automatically dropped.

    Drop adjacency: A drop adjacency entry is used for those packets which are dropped, but only after the prefix is checked.

Source: http://www.petri.co.il


CCNP Note : What is Unidirectional Link Detection (UDLD)

Unidirectional Link Detection (UDLD)

Unidirectional Link Detection (UDLD) is a data link (layer 2) protocol from Cisco Systems to monitor the physical configuration of the cables and detect unidirectional links. UDLD allows two switches to verify that they can both send and receive data on a point-to-point connection. UDLD works with the Layer 1 (L1) mechanisms to determine the physical status of a link. UDLD can be run on both fiber-optic and twisted-pair copper links.

All connected devices must support UDLD for the protocol to successfully identify and disable unidirectional links. When UDLD detects a unidirectional link, it administratively shuts down the affected port and alerts the administrator. Unidirectional links can cause a variety of problems, including spanning-tree topology loops.

If two devices, A and B, are connected via a pair of optical fibers, one used for sending from A to B and the other for sending from B to A, the link is bidirectional (two-way). If one of these fibers is broken, the link has become one-way or unidirectional. The goal of the UDLD protocol is to detect such a broken bidirectional link.

Modes of Operation

UDLD supports two modes of operation: normal (the default) and aggressive.

In normal mode, UDLD can detect unidirectional links due to misconnected interfaces on fiber-optic connections.

In aggressive mode, UDLD can also detect unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and to misconnected interfaces on fiber-optic links. In UDLD aggressive mode, when a port on a bidirectional link that has a UDLD neighbor relationship established stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor. After eight failed retries, the port is disabled.

Cisco recommends enabling UDLD globally in aggressive mode as a best practice.

What is VLAN Hopping

VLAN Hopping

VLAN hopping is a security threat, a method of attacking networked resources on a Virtual LAN (VLAN). The basic concept behind all VLAN hopping attacks is that a user gains access to a VLAN not assigned to the switch port to which the user connects.

There are two primary methods of VLAN hopping: switch spoofing and double tagging. Both attacks can be easily mitigated with proper switchport configuration.

The first and most commonly used VLAN hopping method is where the attacker makes his workstation act as a trunk port.

To overcome this kind of VLAN hopping attack, follow the steps below:

1. Ensure that ports are not set to negotiate trunks automatically.
Switch(config-if)# switchport nonegotiate
2. Ensure that ports that are not meant to be trunks are explicitly configured as access ports
Switch(config-if)# switchport mode access
The second way an attacker can hop VLANs is by using double tagging. With double tagging, the attacker inserts a second 802.1q tag in front of the existing 802.1q tag. This relies on the switch stripping off only the first 802.1q tag and leaving itself vulnerable to the second tag. This is not as common a method of VLAN hopping as using trunking.

Mitigation

Simply do not put any hosts on VLAN 1 (the default VLAN), i.e., assign an access VLAN other than VLAN 1 to every access port.
Switch(config-if)# switchport access vlan 2
Change the native VLAN on all trunk ports to an unused VLAN ID.
Switch(config-if)# switchport trunk native vlan 999
Explicitly tag the native VLAN on all trunk ports.
Switch(config-if)# switchport trunk native vlan tag

Example
As an example of a double tagging attack, consider a secure web server on a VLAN called VLAN1. Hosts on VLAN1 are allowed access to the web server; hosts from outside the VLAN are blocked by layer 3 filters.

An attacking host on a separate VLAN, called VLAN2, creates a specially formed packet to attack the web server. It places a header tagging the packet as belonging to VLAN2 on top of another header tagging the packet as belonging to VLAN1. When the packet is sent, the switch on VLAN2 sees the VLAN2 header and removes it, and forwards the packet.

The VLAN2 switch expects that the packet will be treated as a standard TCP packet by the switch on VLAN1. However, when the packet reaches VLAN1, the switch sees a tag indicating that the packet is part of VLAN1, and so bypasses the layer 3 handling, treating it as a layer 2 packet on the same logical VLAN. The packet thus arrives at the target server as though it was sent from another host on VLAN1, ignoring any layer 3 filtering that might be in place.

Via: Wikipedia
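To see why each mitigation above works, here is an added simulation (my own example, not code from the original post or from Cisco) of how a switch classifies a frame arriving on an access port, carries it across a trunk, and how the neighbouring switch classifies it again. The MAC addresses and VLAN numbers are constructed, and the access-port behaviour (a tag matching the access VLAN is accepted and stripped, any other tag is dropped) is an assumption about the switch model.

```python
import struct

TPID_8021Q = 0x8100


def build_frame(vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Build an Ethernet frame with zero or more 802.1Q tags (outermost first).
    The destination and source MACs are constructed sample values."""
    hdr = bytes.fromhex("0200000000010200000000aa")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return hdr + tags + struct.pack("!H", ethertype) + payload


def split_frame(frame):
    """Return (outer VID or None, frame with that outer tag removed)."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame


def access_port_ingress(frame, access_vlan):
    """Classify a frame from an access port: (vlan, frame), or None if dropped.
    Assumption: a tag equal to the access VLAN is accepted and stripped."""
    vid, rest = split_frame(frame)
    if vid is None:
        return access_vlan, frame
    return (access_vlan, rest) if vid == access_vlan else None


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Send a classified frame on a trunk: the native VLAN leaves untagged
    unless native-VLAN tagging is enabled; every other VLAN gets a tag."""
    if vlan == native_vlan and not tag_native:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Neighbour switch classifies the frame: outer tag wins, else native VLAN."""
    vid, rest = split_frame(frame)
    return (native_vlan, frame) if vid is None else (vid, rest)


def delivered_vlan(frame, access_vlan, native_vlan, tag_native=False):
    """VLAN the far switch delivers the frame into (None if dropped at ingress)."""
    res = access_port_ingress(frame, access_vlan)
    if res is None:
        return None
    vlan, f = res
    wire = trunk_egress(vlan, f, native_vlan, tag_native)
    return trunk_ingress(wire, native_vlan)[0]


if __name__ == "__main__":
    double = build_frame([1, 10])  # outer tag VLAN 1, inner tag VLAN 10
    print(delivered_vlan(double, access_vlan=1, native_vlan=1))                  # 10: hop succeeds
    print(delivered_vlan(double, access_vlan=1, native_vlan=999))                # 1: native VLAN changed
    print(delivered_vlan(double, access_vlan=1, native_vlan=1, tag_native=True)) # 1: native VLAN tagged
```

The inner tag is only exposed when the frame leaves the trunk untagged, which is exactly what moving the native VLAN away from any access VLAN, or forcing native-VLAN tagging, prevents.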


CCNP note : what is Cisco IOS IP Service Level Agreements (SLAs)

Cisco IOS IP Service Level Agreements (SLAs)
Cisco IOS IP SLA is a core part of the Cisco IOS Software portfolio which allows Cisco customers to analyze IP service levels for IP applications and services, to increase productivity, to lower operational costs, and to reduce the frequency of network outages. Cisco IOS IP SLAs uses active traffic monitoring—the generation of traffic in a continuous, reliable, and predictable manner—for measuring network performance.

Cisco IOS IP SLAs collects a unique subset of the following performance metrics:

• Delay (both round-trip and one-way)
• Jitter (directional)
• Packet loss (directional)
• Packet sequencing (packet ordering)
• Path (per hop)
• Connectivity (directional)
• Server or website download time
• Voice quality scores


What is Dynamic ARP Inspection (DAI) ?

Dynamic ARP Inspection (DAI)
Several types of attacks can be launched against a host or devices connected to Layer 2 networks by "poisoning" the ARP caches. A malicious user could intercept traffic intended for other hosts on the LAN segment and poison the ARP caches of connected systems by broadcasting forged ARP responses.

Several known ARP-based attacks can have a devastating impact on data privacy, confidentiality, and sensitive information. To block such attacks, the Layer 2 switch must have a mechanism to validate and ensure that only valid ARP requests and responses are forwarded.

DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks.

DAI ensures that only valid ARP requests and responses are relayed. The switch performs these activities:

• Intercepts all ARP requests and responses on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
• Drops invalid ARP packets
• Forwards all ARP packets received on a trusted interface without any checks
• Determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the DHCP snooping database

DAI is supported on access ports, trunk ports, EtherChannels and private VLAN ports.

DAI is an ingress security feature; it does not perform any egress checking.

DAI is not effective for hosts connected to a device that does not support DAI or does not have this feature enabled.

This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

Enable ARP inspection:

Switch(config)# ip arp inspection vlan <vlan-range>
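The decision DAI makes per packet, as an added example (my own code, not the post's or Cisco's implementation): decode the ARP header, skip the check on trusted ports, and forward only when the sender IP-to-MAC pair matches the DHCP snooping binding for that VLAN. The binding table, port names, MACs and addresses are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# Constructed DHCP snooping binding table: (vlan, ip) -> mac learned from DHCP
BINDINGS = {
    (10, "192.0.2.10"): "02:00:00:00:00:10",
    (10, "192.0.2.20"): "02:00:00:00:00:20",
}
# Constructed trusted port (e.g. the uplink); everything else is untrusted
TRUSTED_PORTS = {"Gi1/0/24"}

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_arp(packet):
    """Decode the fixed 28-byte Ethernet/IPv4 ARP header (RFC 826) into a dict."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", packet[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", packet[8:28])
    return {"oper": oper, "sha": mac_to_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_to_str(tha), "tpa": str(IPv4Address(tpa))}


def build_arp(oper, sha, spa, tha, tpa):
    """Build a sample ARP packet (used here only to construct test input)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       mac_to_bytes(sha), IPv4Address(spa).packed,
                       mac_to_bytes(tha), IPv4Address(tpa).packed)


def dai_check(port, vlan, packet, trusted=TRUSTED_PORTS, bindings=BINDINGS):
    """Return ('forward' | 'drop', reason); the reason is what the switch would log."""
    if port in trusted:
        return "forward", "trusted port, no check"
    arp = parse_arp(packet)
    expected = bindings.get((vlan, arp["spa"]))
    if expected is None:
        return "drop", f"no DHCP snooping binding for {arp['spa']} in VLAN {vlan}"
    if expected != arp["sha"]:
        return "drop", f"sender MAC {arp['sha']} does not match binding {expected}"
    return "forward", "valid IP-to-MAC binding"


if __name__ == "__main__":
    # Legitimate reply from .10, and a forged reply claiming .10 with another MAC
    good = build_arp(ARP_REPLY, "02:00:00:00:00:10", "192.0.2.10", "02:00:00:00:00:20", "192.0.2.20")
    forged = build_arp(ARP_REPLY, "02:00:00:00:00:ff", "192.0.2.10", "02:00:00:00:00:20", "192.0.2.20")
    print(dai_check("Gi1/0/1", 10, good))     # ('forward', 'valid IP-to-MAC binding')
    print(dai_check("Gi1/0/1", 10, forged))   # ('drop', 'sender MAC ... does not match binding ...')
```

Statically addressed hosts have no DHCP snooping binding, so on an untrusted port their ARP traffic is dropped by this logic, which is why such hosts need either a trusted port or a static binding.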

Difference between End-to-end VLANs and Local VLANs

End-to-end VLANs are positioned to support maximum flexibility and mobility of end devices. Users can be assigned to VLANs regardless of their physical location. As a user moves around the campus, that user's VLAN membership stays the same. End-to-end VLANs should group users according to common requirements. All users in a VLAN should have roughly the same traffic flow patterns.

End-to-end VLANs follow the 80/20 rule, in which 80 percent of user traffic stays within the local workgroup, whereas 20 percent is destined for a remote resource in the campus network (like the Internet…).

End-to-end VLANs have the following characteristics:
• Users are grouped into a VLAN based on function, not location.
• The user belongs to the same VLAN no matter where he plugs his PC into the network (this requires Cisco's VMPS).
• End-to-end VLANs are typically used for security reasons or for application or resource requirements.
• End-to-end VLANs are difficult to implement and troubleshoot.

Local VLANs
The problem with end-to-end VLANs is that they become extremely difficult to maintain as the campus network grows and changes. Because of this, most network administrators of campus environments use local VLANs.
Unlike end-to-end VLANs, local VLANs are very easy to plan and implement. Local VLANs are based on geographic locations by demarcation at a hierarchical boundary (core, distribution, access). Therefore, a local VLAN would never span from an access layer to a core block.

Local VLANs follow the 20/80 rule: only 20 percent of traffic is local, whereas 80 percent is destined to a remote resource across the core layer.

What is QinQ ( 802.1Q tunneling ) ?

802.1Q tunneling

IEEE 802.1Q tunneling can be used to achieve simple layer 2 VPN connectivity between sites by encapsulating one 802.1Q trunk inside another. 802.1Q tunneling is also called QinQ.

Business customers of service providers often have specific requirements for VLAN IDs and the number of VLANs to be supported. The VLAN ranges required by different customers in the same service-provider network might overlap, and traffic of customers through the infrastructure might be mixed. Assigning a unique range of VLAN IDs to each customer would restrict customer configurations and could easily exceed the VLAN limit (4096) of the IEEE 802.1Q specification.

802.1Q tunneling solves these issues by assigning each customer a single VLAN number, chosen by the service provider. Within each customer VLAN exists a secondary 802.1Q trunk, which is controlled by the customer. Each customer packet traversing the service provider network is tagged twice: the inner-most 802.1Q header contains the customer-chosen VLAN ID, and the outer-most header contains the VLAN ID assigned to the customer by the service provider.

Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an IEEE 802.1Q trunk port on the customer device and into a tunnel port on the service-provider edge switch. The link between the customer device and the edge switch is asymmetric because one end is configured as an IEEE 802.1Q trunk port, and the other end is configured as a tunnel port.

Note: By default, the native VLAN traffic of a dot1q trunk is sent untagged, and untagged traffic cannot be double-tagged in the service provider network. Because of this, the native VLAN traffic might not be tunneled correctly. Be sure that the native VLAN traffic is always sent tagged on an asymmetrical link. Also verify that all switches support the necessary maximum transmission unit (MTU) of 1504 bytes before configuring 802.1Q tunneling.

These are some ways to solve the native VLAN tagging problem:

• Use the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an IEEE 802.1Q trunk, including the native VLAN, are tagged. If the switch is configured to tag native VLAN packets on all IEEE 802.1Q trunks, the switch accepts untagged packets, but sends only tagged packets.

• Ensure that the native VLAN ID on the edge-switch trunk port is not within the customer VLAN range. For example, if the trunk port carries traffic of VLANs 100 to 200, assign the native VLAN a number outside that range.


What is Multi VLAN port ?


The multi-VLAN port is a special feature that allows a switch to configure a single port for two or more VLANs. This feature allows users from different VLANs to access a server or router without implementing inter-VLAN routing. A multi-VLAN port performs normal switching functions in all its assigned VLANs.

A multi-VLAN port will not work when a trunk is configured on the switch. Multi-VLAN ports can't be used to connect switches to each other; a multi-VLAN port is only used to connect a router or server. The switch automatically transitions to VTP transparent mode when the multi-VLAN port feature is enabled, which effectively disables VTP.

The multi-VLAN port feature is supported only on the Catalyst 2900 XL/3500 XL series switches. This feature is not supported on the Catalyst 4000/5000/6000 series or any other Cisco Catalyst switches.

Configuration:
Switch(config-if)# switchport mode multi

To assign a multi-VLAN port already in multi mode to a range of VLANs:
Switch(config-if)# switchport multi vlan 15-20


What is the difference between static VLAN and dynamic VLAN?

Static VLAN and dynamic VLAN

Static VLANs are also referred to as port-based VLANs. In a static VLAN, switch ports must be manually assigned to a VLAN. Any device connecting to that switch port becomes a member of that VLAN. The client device is unaware that it belongs to a specific VLAN. Static VLANs are easy to configure.

In a static VLAN, as a device enters the network, the device automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN

In a dynamic VLAN, devices are automatically assigned to a VLAN based on their MAC addresses. This allows a client device to remain in the same VLAN regardless of which switch port the device is attached to. The VLAN membership of a user always remains the same, even when he/she is moved to another location.

Dynamic VLANs are created through the use of software. With a VLAN Management Policy Server (VMPS), an administrator can assign switch ports to VLANs dynamically based on information such as the source MAC address of the device connected to the port or the username used to log onto that device. As a device enters the network, the switch queries a database for the VLAN membership of the port that device is connected to.

Static VLAN assignment provides a simple way to assign a VLAN to a port, while dynamic VLANs allow a great deal of flexibility and mobility for end users but require more administrative overhead.

What is the difference between the ip default-gateway, ip default-network, and ip route 0.0.0.0/0 commands?

Question: What is the difference between the ip default-gateway, ip default-network, and ip route 0.0.0.0/0 commands?

A. The ip default-gateway command is used when IP routing is disabled on the router. This command serves a non-routing network device that needs to reach any network outside its own subnet or outside of its local network. The command only functions when the network device is not in routing mode. When IP routing is disabled, the router becomes merely a host, similar to a regular PC. To reach any network outside its own subnet or outside of its local network, the device needs to have a default gateway.

However, ip default-network and ip route 0.0.0.0/0 are effective when IP routing is enabled on the router, and they are used to route any packets which do not have an exact route match in the routing table.

Configuration Commands

Default Gateway

#ip default-gateway x.x.x.x

Default Network

#ip default-network a.b.c.d

Gateway of Last Resort

#ip route 0.0.0.0 0.0.0.0 (next-hop-ip/exit-interface)

How to check whether a SMPS is in working condition or not?

Take a small piece of wire and connect one end to the GREEN wire pin and the other to a BLACK one. Switch ON the supply; if the fan in the SMPS spins, the SMPS is good.