Showing posts with label Switching. Show all posts

What is FlexLinks

Flex Links is a Cisco switch feature that provides Layer 2 link redundancy without relying on Spanning Tree Protocol (STP). A pair of Layer 2 interfaces (switch ports or port channels) is configured so that one interface is the backup of the other. If the primary link fails, the backup link takes over traffic forwarding. Load balancing is possible only in the limited sense that different VLANs can be told to prefer different links of the pair.

Interfaces configured as Flex Links do not send BPDUs, and spanning tree is not run on them, so the switch has no way to detect a loop through those ports: a cabling mistake or a rogue bridge behind a Flex Link pair will not be blocked. Whenever the active interface fails, the backup interface takes over. As simple as that.

Configuration:
Switch(config)#interface fa0/14
Switch(config-if)#switchport backup interface fa0/16

This makes interface fa0/16 the backup of interface fa0/14.

To verify
Switch#show interfaces switchport backup

NOTE : Only one interface of the pair forwards at any given time; the backup stays in standby until the active interface fails.

How to enable "Routed Ports" on Layer3 Switches

By default, IP routing is disabled on a Layer 3 switch. It is enabled globally with the "ip routing" command. To turn a specific interface into a routed port, enter "no switchport" on it and assign it an IP address.

Configuration
Switch(config)#ip routing
Switch(config)#interface fa0/16
Switch(config-if)#no switchport
Switch(config-if)#ip address 192.168.10.254 255.255.255.0

Hosts on the connected segment can then use this port's address as their default gateway.

There are two things to remember about a routed port:
• It is no longer a switchport, so it is not associated with any VLAN.
• It is a routed port, but it does not support sub-interfaces the way a router interface does.

Short Note on Etherchannel

EtherChannel is a technology that lets you bundle multiple physical links into a single logical link. If two switches are connected by a single cable there is no loop, and STP has nothing to block. Connect two or more cables between the same pair of switches, however, and a loop becomes possible; STP will block all but one of them, which prevents the loop but also means the extra links carry no traffic until the forwarding link fails. Without EtherChannel, redundancy between switches costs you the bandwidth of the blocked links.

EtherChannel bundles the physical links into one logical link with their combined bandwidth. For example, with 4 FastEthernet cables between switch A and switch B, combining 4 x 100 Mbit/s gives a 400 Mbit/s logical link. Spanning tree sees this bundle as one logical link, so there are no loops. Note that a single flow is still hashed onto one member link, so no individual conversation gets more than 100 Mbit/s.

EtherChannel load balances across the member links and also takes care of redundancy: if one link fails, the bundle keeps working over the links that remain. Up to 8 physical interfaces can be active in one bundle.

We can configure Etherchannel using two protocols
•  PAgP(Cisco proprietary)
•  LACP (IEEE standard)

These protocols negotiate an EtherChannel dynamically. It is also possible to configure a static EtherChannel without any protocol negotiating the link for you. PAgP and LACP check that the configuration of the interfaces you use is the same. Whichever method you choose, all member ports must have the same configuration:

•  Duplex has to be the same.
•  Speed has to be the same.
•  Same native AND allowed VLANs.
•  Same switchport mode (access or trunk).

CCNP Note : MAC flooding attack

Switches maintain a MAC address table (also called the CAM table) that maps the MAC addresses seen on the network to the physical ports of the switch. This lets the switch send each frame only out of the port where the destination lives, as unicast, instead of flooding every frame to all ports.

In a MAC flooding attack, the attacker sends the switch a stream of Ethernet frames, each with a different source MAC address. These frames, with bogus source MACs, fill the CAM table and exhaust its space. New entries can no longer be learned, and once the legitimate entries age out (or were never learned in the first place) traffic for those hosts is flooded out all ports of the VLAN.

In this state the switch behaves like a hub, a condition often called fail-open mode: frames whose destination is unknown are sent out all ports in the VLAN instead of being unicast as in normal operation. An attacker on any port of that VLAN can then use a packet sniffer to capture other hosts' traffic, which would not reach the attacker's port if the switch were operating normally.

MAC flooding can be prevented by

  1. Implementing port security, which limits the number of MAC addresses a port may learn and shuts the port (or drops the offending frames) when the limit is exceeded.
  2. Implementing VLAN access maps.


CCNP Note : What is Unidirectional Link Detection (UDLD)

Unidirectional Link Detection (UDLD)

Unidirectional Link Detection (UDLD) is a data link layer (Layer 2) protocol from Cisco Systems that monitors the physical configuration of the cables and detects unidirectional links. UDLD lets two switches verify that they can both send and receive data on a point-to-point connection. UDLD works alongside the Layer 1 mechanisms to determine the physical status of a link, and it runs on both fiber-optic and twisted-pair copper links.

All connected devices must support UDLD for the protocol to successfully identify and disable unidirectional links. When UDLD detects a unidirectional link, it puts the affected port into the err-disabled state and alerts the administrator. Unidirectional links can cause a variety of problems, including spanning-tree topology loops, because a switch that stops receiving BPDUs on a port may start forwarding on it.

If two devices, A and B, are connected by a pair of optical fibers, one carrying A to B and the other B to A, the link is bidirectional (two-way). If one of these fibers is broken, the link has become one-way, or unidirectional. The goal of UDLD is to detect a link that has become unidirectional in this way.

Modes of Operation

UDLD supports two modes of operation: normal (the default) and aggressive.

 In normal mode, UDLD can detect unidirectional links caused by misconnected interfaces on fiber-optic connections.

 In aggressive mode, UDLD can also detect unidirectional links caused by one-way traffic on fiber-optic and twisted-pair links, as well as misconnected interfaces on fiber-optic links. In aggressive mode, when a port on a bidirectional link with an established UDLD neighbor relationship stops receiving UDLD packets, UDLD tries to re-establish the connection with the neighbor. After eight failed retries, the port is err-disabled.

 Cisco recommends enabling UDLD globally in aggressive mode as a best practice.

What is Dynamic ARP Inspection (DAI) ?

Dynamic ARP Inspection (DAI) 
Several types of attacks can be launched against hosts and devices connected to a Layer 2 network by "poisoning" their ARP caches. A malicious user can intercept traffic intended for other hosts on the LAN segment by sending forged ARP replies that poison the ARP caches of the connected systems, so that they map another host's IP address to the attacker's MAC address. 

Such ARP-based attacks can have a devastating impact on confidentiality, since the attacker can read or alter traffic in transit. To block them, the Layer 2 switch needs a mechanism to validate ARP traffic and ensure that only valid ARP requests and responses are forwarded.

DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks.

DAI ensures that only valid ARP requests and responses are relayed. The switch performs these activities:

•Intercepts all ARP requests and responses on untrusted ports

•Verifies that each intercepted packet has a valid IP-to-MAC address binding before updating the local ARP cache or forwarding the packet to its destination

•Drops invalid ARP packets

•Forwards all ARP packets received on a trusted interface without any checks

•Determines the validity of an ARP packet from the IP-to-MAC address bindings stored in the DHCP snooping database

DAI is supported on access ports, trunk ports, EtherChannels and private VLAN ports.

DAI is an ingress security feature; it does not perform any egress checking.

DAI is not effective for hosts connected to switches that do not support DAI or do not have the feature enabled.

The binding database is built by DHCP snooping, so DHCP snooping must be enabled on the switch and on the VLANs in question. If an ARP packet is received on a trusted interface, the switch forwards it without any checks; on untrusted interfaces the switch forwards the packet only if it is valid. Hosts with statically configured addresses have no DHCP snooping binding, so their ARP packets are dropped on untrusted ports unless an ARP ACL is configured for them.

Enable ARP inspection

Switch(config)# ip arp inspection vlan <vlan-range>
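The DAI decision described above, as an added example that is not part of the original post. The binding table, port names and ARP packets are constructed for the demo (a real switch reads the bindings from its DHCP snooping database); the optional source-MAC check models the additional `ip arp inspection validate src-mac` option, which compares the Ethernet source address with the ARP sender address.

```python
"""Added example (not from the original post): the DAI decision for an ARP
packet arriving on a switch port, as code. The binding table, port names and
packets are constructed for the demo; a real switch reads the bindings from
its DHCP snooping database."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class ArpPacket:
    in_port: str
    vlan: int
    eth_src: str     # source MAC in the Ethernet header
    sender_mac: str  # sender hardware address inside the ARP body
    sender_ip: str   # sender protocol address inside the ARP body


# DHCP snooping binding table (constructed): (vlan, ip) -> mac
BINDINGS: Dict[Tuple[int, str], str] = {
    (10, "192.168.10.11"): "00:11:22:33:44:55",
    (10, "192.168.10.12"): "00:11:22:33:44:66",
}
TRUSTED_PORTS = {"gi0/1"}   # uplink towards the router / DHCP server
DAI_VLANS = {10}            # 'ip arp inspection vlan 10'


def inspect(pkt: ArpPacket, validate_src_mac: bool = False) -> Tuple[str, str]:
    """Return ('forward' | 'drop', reason) for one ARP packet."""
    if pkt.vlan not in DAI_VLANS:
        return "forward", "VLAN not inspected"
    if pkt.in_port in TRUSTED_PORTS:
        return "forward", "trusted port, no check"
    if validate_src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop", "Ethernet source MAC differs from ARP sender MAC"
    bound_mac = BINDINGS.get((pkt.vlan, pkt.sender_ip))
    if bound_mac is None:
        return "drop", f"no DHCP snooping binding for {pkt.sender_ip}"
    if bound_mac.lower() != pkt.sender_mac.lower():
        return "drop", f"{pkt.sender_ip} is bound to {bound_mac}, not {pkt.sender_mac}"
    return "forward", "IP-to-MAC binding valid"


ATTACKER = "de:ad:be:ef:00:01"

# Constructed packets: a legitimate host, two spoofing attempts from an
# untrusted port, the same spoof arriving on the trusted uplink, and a
# packet whose Ethernet and ARP source addresses disagree.
SAMPLES = {
    "legit":         ArpPacket("fa0/5", 10, "00:11:22:33:44:55", "00:11:22:33:44:55", "192.168.10.11"),
    "spoof_host":    ArpPacket("fa0/7", 10, ATTACKER, ATTACKER, "192.168.10.11"),
    "spoof_gateway": ArpPacket("fa0/7", 10, ATTACKER, ATTACKER, "192.168.10.254"),
    "from_uplink":   ArpPacket("gi0/1", 10, ATTACKER, ATTACKER, "192.168.10.11"),
    "mac_mismatch":  ArpPacket("fa0/5", 10, ATTACKER, "00:11:22:33:44:55", "192.168.10.11"),
}


def run(validate_src_mac: bool = True) -> Dict[str, str]:
    """Decision ('forward'/'drop') for every constructed sample."""
    return {name: inspect(pkt, validate_src_mac)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} {inspect(pkt, validate_src_mac=True)}")
```

Two of the cases are the ones to think about in a deployment: "spoof_gateway" is dropped only because the gateway has no binding and the attacker sits on an untrusted port, so the real router must be reached through a port marked trusted (`ip arp inspection trust` on the uplink); "from_uplink" shows that a trusted port is never checked, so trust should be given only to uplinks towards switches and routers you control.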

Dynamic Trunking Protocol (DTP)

Dynamic Trunking Protocol (DTP) is a Cisco-proprietary protocol that actively negotiates a trunk link between two switches. The switchport modes (DTP modes) are listed below for easy reference:

Mode               Function
Dynamic Auto       Creates the trunk based on the DTP request from the neighboring switch.
Dynamic Desirable  Communicates to the neighboring switch via DTP that the interface would like to become a trunk if the neighboring switch interface is able to become a trunk.
Trunk              Automatically enables trunking regardless of the state of the neighboring switch and regardless of any DTP requests sent from the neighboring switch.
Access             Trunking is not allowed on this port regardless of the state of the neighboring switch interface and regardless of any DTP requests sent from the neighboring switch.
Nonegotiate        Prevents the interface from generating DTP frames. This command can be used only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.

The figure below shows which combinations of these modes form a trunk.
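The mode combinations, as an added example that is not part of the original post: a function that works out what each pair of DTP modes negotiates to. The mode strings follow the IOS keywords, and the "nonegotiate" variants model `switchport nonegotiate` applied to a trunk or access port. The security point it makes explicit is that any port still listening to DTP (dynamic auto, the default on many Catalyst models, or dynamic desirable) will form a trunk with a host that sends DTP "desirable" frames, which is the switch-spoofing form of VLAN hopping.

```python
"""Added example (not part of the original post): the result of DTP
negotiation for every pair of switchport modes, i.e. what the
mode-combination figure shows, as code."""
from itertools import product

MODES = ("access", "dynamic auto", "dynamic desirable", "trunk",
         "access nonegotiate", "trunk nonegotiate")


def _base(mode: str) -> str:
    return mode.replace(" nonegotiate", "")


def _sends_dtp(mode: str) -> bool:
    # 'switchport nonegotiate' stops the port from sending DTP frames
    return not mode.endswith("nonegotiate")


def _local_state(mine: str, peer: str) -> str:
    """State one side ends up in ('trunk' or 'access') given both modes."""
    base = _base(mine)
    if base in ("access", "trunk"):
        return base                      # fixed, regardless of the neighbor
    if not _sends_dtp(peer):
        return "access"                  # dynamic ports never trunk without DTP
    peer_base = _base(peer)
    if base == "dynamic desirable":      # desirable initiates, so auto is enough
        return "trunk" if peer_base in ("trunk", "dynamic desirable", "dynamic auto") else "access"
    # dynamic auto only answers a request; it never initiates one
    return "trunk" if peer_base in ("trunk", "dynamic desirable") else "access"


def negotiate(a: str, b: str) -> str:
    """'trunk', 'access', or 'mismatch' (one side trunks and the other does
    not, which gives the limited connectivity Cisco warns about)."""
    sa, sb = _local_state(a, b), _local_state(b, a)
    return sa if sa == sb else "mismatch"


def can_attacker_trunk(port_mode: str) -> bool:
    """Would a rogue host sending DTP 'desirable' frames negotiate a trunk on
    a port in this mode? (A port hard-coded as trunk already is one.)"""
    return negotiate(port_mode, "dynamic desirable") == "trunk"


def matrix() -> dict:
    """Every (mode, mode) pair mapped to the negotiated result."""
    return {(a, b): negotiate(a, b) for a, b in product(MODES, repeat=2)}


if __name__ == "__main__":
    for (a, b), result in matrix().items():
        print(f"{a:20} {b:20} -> {result}")
    print("attacker can negotiate a trunk on:",
          [m for m in MODES if can_attacker_trunk(m)])
```

Ports facing end hosts should therefore be `switchport mode access` with `switchport nonegotiate`, so that nothing the host sends can change the port's state.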


What is Multi VLAN port ?


The multi-VLAN port is a special feature that allows a single switch port to be configured in two or more VLANs. It lets users in different VLANs reach a server or router without inter-VLAN routing. A multi-VLAN port performs normal switching functions in all of its assigned VLANs.

A multi-VLAN port does not work when a trunk is configured on the switch, and it cannot be used to connect switches to each other; it is only used to connect a router or server. The switch automatically changes to VTP transparent mode when the multi-VLAN port feature is enabled, which disables VTP.

The multi-VLAN port feature is supported only on the Catalyst 2900 XL/3500 XL series switches. This feature is not supported on the Catalyst 4000/5000/6000 series or any other Cisco Catalyst switches.

Configuration
Switch(config-if)# switchport mode multi

To assign a multi-VLAN port already in multi mode to a range of VLANs:
Switch(config-if)# switchport multi vlan 15-20


How to configure Private VLAN

Private VLAN


A private VLAN always has one primary VLAN. Within the primary VLAN you will find the promiscuous port. In the picture above a router is connected to the promiscuous port; all other ports are able to communicate with the promiscuous port. Within the primary VLAN you will find one or more secondary VLANs. There are two types of secondary VLAN:

    • Community VLAN: All ports within the community VLAN are able to communicate with each other and with the promiscuous port.
    • Isolated VLAN: Ports within the isolated VLAN are unable to communicate with each other, but they can communicate with the promiscuous port.

Private VLANs are only locally significant to the switch; VTP versions 1 and 2 will not pass this information to other switches. Each switch interface in a private VLAN takes a specific role:

Promiscuous - communicates with the primary VLAN and all secondary VLANs. Gateway devices such as routers should connect to promiscuous ports.
Host - communicates only with promiscuous ports, or with ports within the same community VLAN. Host devices connect to host ports. PVLANs thus allow groups of host devices to be segmented within a VLAN, while still allowing those devices to reach external networks via a promiscuous gateway.

NOTE : Private VLANs are configured with the switch in VTP transparent mode (VTP version 3 can also carry them).

Private VLAN Configuration

The first step to configuring Private VLANs is to specify the secondary VLANs:

Switch(config)# vlan 100
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated

Next, the primary VLAN must be specified, and the secondary VLANs associated with it:

Switch(config)# vlan 50
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 100,101

Secondary VLANs 100 and 101 have been associated with the primary VLAN 50. Next, host ports must be identified, and associated with a primary and secondary VLAN:

Switch(config)# interface range fa0/5 - 6
Switch(config-if)# switchport private-vlan host
Switch(config-if)# switchport private-vlan host-association 50 101

Interfaces fa0/5 and fa0/6 have been identified as host ports, and associated with primary VLAN 50 and secondary VLAN 101. Finally, promiscuous ports must be identified, and associated with the primary VLAN and all secondary VLANs.

Switch(config)# interface range fa0/20
Switch(config-if)# switchport private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 50 100 101

Interface fa0/20 has been identified as a promiscuous port, and associated with primary VLAN 50, and secondary VLANs 100 and 101.

Show Commands

#show interfaces fastEthernet 0/20 switchport
#show vlan private-vlan
#show vlan private-vlan type

Points to Remember

    • Devices within a community VLAN can communicate with each other AND the
        promiscuous port.
    • Devices within an isolated VLAN cannot communicate with each other and can ONLY
        communicate with the promiscuous port.
    • The promiscuous port can communicate with any other port.
    • Secondary VLANs are unable to communicate with other secondary VLANs.
    • Private VLANs can be spanned across multiple switches if you use trunks.
    • The isolation is enforced at Layer 2 only: the gateway on the promiscuous port
        can still route a packet from one isolated host back to another unless an
        ACL on the gateway blocks traffic between hosts of the same subnet.
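The reachability rules above, as an added example that is not part of the original post: a small checker run over the ports configured in this post (primary 50, community 100, isolated 101, host ports fa0/5-6 in 101, promiscuous fa0/20). Ports fa0/7-8 in community 100 are added here for the demo so that the community case is exercised.

```python
"""Added example (not part of the original post): the private-VLAN
reachability rules as a checker over the ports configured in this post,
plus two constructed community ports (fa0/7-8 in VLAN 100)."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str                  # "host" or "promiscuous"
    primary: int
    secondary: Optional[int]   # None for a promiscuous port (mapped to all)


SECONDARY_TYPE = {100: "community", 101: "isolated"}
ASSOCIATION = {50: {100, 101}}          # 'private-vlan association 100,101'

PORTS = [
    PvlanPort("fa0/5", "host", 50, 101),
    PvlanPort("fa0/6", "host", 50, 101),
    PvlanPort("fa0/7", "host", 50, 100),          # constructed for the demo
    PvlanPort("fa0/8", "host", 50, 100),          # constructed for the demo
    PvlanPort("fa0/20", "promiscuous", 50, None),
]


def can_communicate(a: PvlanPort, b: PvlanPort) -> bool:
    """Layer 2 reachability between two ports of a private VLAN."""
    if a.primary != b.primary:
        return False                              # different private VLANs
    if "promiscuous" in (a.role, b.role):
        return True                               # promiscuous talks to everything in its primary
    for p in (a, b):
        if p.secondary not in ASSOCIATION[p.primary]:
            raise ValueError(f"{p.name}: VLAN {p.secondary} not associated with {p.primary}")
    if a.secondary != b.secondary:
        return False                              # secondary VLANs never talk to each other
    return SECONDARY_TYPE[a.secondary] == "community"   # isolated hosts stay isolated


def reachability(ports=PORTS) -> Dict[Tuple[str, str], bool]:
    """Every unordered pair of ports mapped to whether they can talk."""
    return {(a.name, b.name): can_communicate(a, b) for a, b in combinations(ports, 2)}


if __name__ == "__main__":
    for (a, b), ok in reachability().items():
        print(f"{a:7} <-> {b:7} {'yes' if ok else 'no'}")
```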



Notes on Basics of Multiprotocol Label Switching (MPLS)

Multiprotocol Label Switching (MPLS) is a packet-forwarding technology that sits between Layer 2 and Layer 3 (it is often described as "Layer 2.5"). MPLS-enabled routers attach numerical labels to packets and make forwarding decisions based on those labels. The MPLS architecture is detailed in RFC 3031.

MPLS reduces the work a core router does per packet: it forwards on the attached label rather than performing a routing-table lookup on the IP header. MPLS is not restricted to IP, or to any specific Layer 2 technology, and is therefore essentially protocol-independent.

Introduction to terms used in MPLS

Provider Edge Router (PE) / Edge LSR (Label Switch Router): a router on the ISP side that connects to the customer side. It adds labels to packets entering the MPLS network and removes them from packets leaving it. Cisco refers to this as a PE (provider edge) router.

Provider Router (P) / LSR (Label Switch Router): a router inside the ISP network with no customer-facing connection. It forwards packets through the provider core based on the packet's label.

Non-label routers: the customer's routers, which Cisco refers to as C (customer) routers; the customer router that faces the PE is the CE (customer edge) router. They never see labels.

LSRs operate in two planes:
    •   Control plane - where routing and label information is exchanged
    •   Data plane - where actual packets are forwarded based on their labels

Label Information Base (LIB) - the table of label bindings an LSR has learned. Label information is exchanged between LSRs using a label distribution protocol such as LDP (Label Distribution Protocol) or TDP (Tag Distribution Protocol).

LDP is now the default on Cisco devices and uses TCP port 646 (with UDP port 646 for its hello messages). TDP is the older Cisco-proprietary label protocol and uses TCP port 711.

Label Forwarding Information Base (LFIB) - the table the data plane uses to forward labeled packets.

The MPLS Label

The MPLS label is a 32-bit header inserted between the Layer 2 and Layer 3 headers. Although MPLS is often called a Layer 2 service, this position is why it is more accurately described as a "Layer 2.5" service. The fields, in order:

Label (20 bits) | Experimental (3 bits) | Bottom of Stack (1 bit) | TTL (8 bits)

Label (20 bits) - the label value itself.

Experimental (3 bits) - originally left undefined by the specification (it has since been renamed Traffic Class); Cisco uses it to carry an IP precedence value for QoS.

Bottom-of-Stack (1 bit) - indicates the last label, since a packet can carry several stacked labels. A value of 1 identifies the last label in the stack.

TTL (8 bits) [Time to Live] - the number of router hops this label can "live" through; it is decremented by each LSR.

Penultimate Hop Popping: without it, the egress PE router would have to perform two lookups on every packet, first the label lookup in the LFIB and then the IP lookup in the routing table, before forwarding to the customer side. To avoid this, the PE router asks the upstream neighbor (by advertising the reserved implicit-null label, value 3) to pop the label before sending the packet on, so the PE receives an unlabeled packet (or, in a VPN, only the inner VPN label) and does a single lookup. This process is called Penultimate Hop Popping.

From Wikipedia
Penultimate Hop Popping (PHP) is a function performed by certain routers in an MPLS-enabled network. It refers to the process whereby the outermost label of an MPLS-tagged packet is removed by a Label Switch Router (LSR) before the packet is passed to an adjacent Label Edge Router (LER). The process is important in a Layer 3 MPLS VPN environment as it reduces the load on the LER. If this process didn't happen, the LER would have to perform at least 2 label lookups.
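The label format and PHP, as an added example that is not part of the original post: code that encodes and decodes the 32-bit label stack entry, then runs a two-label Layer 3 VPN packet (transport label on top, VPN label at the bottom) through a core LSR that swaps the top label and through the penultimate hop that pops it. The label values, LFIB entries and IP payload are constructed for the demo; the implicit-null value 3 is the real reserved label. Inner-label TTL is left untouched on a pop, which is a simplification.

```python
"""Added example (not from the original post): encode/decode the 32-bit MPLS
label stack entry and apply label swap and penultimate hop popping to a
constructed two-label packet."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMPLICIT_NULL = 3   # reserved label advertised by a PE to request PHP


@dataclass(frozen=True)
class LabelEntry:
    label: int   # 20 bits
    exp: int     # 3 bits (Experimental / Traffic Class)
    bos: bool    # Bottom of Stack
    ttl: int     # 8 bits

    def pack(self) -> bytes:
        if not (0 <= self.label < 1 << 20 and 0 <= self.exp < 8 and 0 <= self.ttl < 256):
            raise ValueError("field out of range")
        word = (self.label << 12) | (self.exp << 9) | (int(self.bos) << 8) | self.ttl
        return struct.pack("!I", word)

    @classmethod
    def unpack(cls, data: bytes) -> "LabelEntry":
        (word,) = struct.unpack("!I", data[:4])
        return cls(word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF)


def parse_stack(data: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Read label entries until one has BoS=1; return (stack, payload)."""
    stack, offset = [], 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack")
        entry = LabelEntry.unpack(data[offset:offset + 4])
        stack.append(entry)
        offset += 4
        if entry.bos:
            return stack, data[offset:]


def build_stack(entries: List[LabelEntry]) -> bytes:
    """Serialize entries, setting BoS on the last one only."""
    last = len(entries) - 1
    return b"".join(LabelEntry(e.label, e.exp, i == last, e.ttl).pack()
                    for i, e in enumerate(entries))


def lsr_forward(packet: bytes, lfib: Dict[int, int]) -> Optional[bytes]:
    """One LSR hop. lfib maps in-label -> out-label; an out-label of
    IMPLICIT_NULL means the downstream PE asked for PHP, so the top entry is
    popped instead of swapped. Returns None when the packet is dropped."""
    stack, payload = parse_stack(packet)
    top = stack[0]
    out_label = lfib.get(top.label)
    if out_label is None or top.ttl <= 1:
        return None                        # no LFIB entry, or TTL expired
    if out_label != IMPLICIT_NULL:
        new_top = LabelEntry(out_label, top.exp, top.bos, top.ttl - 1)
        return build_stack([new_top, *stack[1:]]) + payload
    rest = stack[1:]                       # PHP: drop the outer label; what is
    return (build_stack(rest) if rest else b"") + payload   # left is the VPN label or plain IP


# Constructed: a 20-byte IPv4 header stub as payload, and a Layer 3 VPN stack
# with transport label 16 on top and VPN label 24 at the bottom.
PAYLOAD = bytes([0x45]) + bytes(19)
VPN_PACKET = build_stack([LabelEntry(16, 0, False, 255),
                          LabelEntry(24, 0, True, 255)]) + PAYLOAD


if __name__ == "__main__":
    hop1 = lsr_forward(VPN_PACKET, {16: 17})            # core LSR swaps 16 -> 17
    hop2 = lsr_forward(hop1, {17: IMPLICIT_NULL})       # penultimate hop pops
    print(parse_stack(hop2))                            # only the VPN label remains
```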
