CCNP Switch. Quick Reference Sheet Exam


Chapter 1: Layer 2 Technologies

Administering the Switch

System Clock

The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time.

The system clock can be set from these sources:
- NTP
- Manual configuration

The system clock can provide time to these services:
- User show commands
- Logging and debugging messages

Time Tracking: The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also called Greenwich Mean Time (GMT). Information about the local time zone and summer time (daylight saving time) can be configured so that the time appears correctly for the local time zone. The system clock keeps track of whether the time is authoritative or not (that is, whether it has been set by a time source considered to be authoritative). If it is not authoritative, the time is available for display purposes only and is not redistributed.

Network Time Protocol

NTP is designed to time-synchronize a network of devices. NTP runs over User Datagram Protocol (UDP), which runs over IP. NTP is documented in RFC. An NTP network commonly gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network.

The following are the fundamentals of how NTP synchronization works:
- Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.
- No more than one packet per minute is necessary to synchronize two devices to within a millisecond of one another.
- NTP uses the concept of a stratum to define how many NTP hops away a device is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached. A stratum 2 time server gets its time through NTP from a stratum 1 time server, and so on.
- A device that is running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates via NTP. This strategy effectively forms a self-organizing tree of NTP speakers.
- NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not itself synchronized.
- Correct timekeeping is possible by exchanging NTP messages between each pair of devices with an association.
- NTP compares the time reported by several devices and does not synchronize to a device whose time is significantly different from the others, even if its stratum is lower.
- The communications among devices running NTP (known as associations) are commonly statically configured; each device is given the IP address of all devices with which it should form associations.
- NTP can be enabled in LAN networks to use IP broadcast messages instead, to reduce configuration complexity. However, in that case, information flow is one-way only.
- The time kept on a device is a critical resource; you must use the security features of NTP to avoid the accidental or malicious setting of an incorrect time.
- Cisco's implementation of NTP (Network Time Protocol) does not support stratum 1 service; it is not possible to connect to a radio or atomic clock.

SDM Templates

Why? SDM templates are used to manage system resources in the switch to improve support for particular features, depending on how the switch is used in the network. To allocate ternary content addressable memory (TCAM) resources for various uses, the switch SDM templates prioritize system resources to optimize support for specific features.

You can select SDM templates to optimize these features:
- Access: The access template maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs.
- Default: The default template gives balance to all functions.
- Routing: The routing template maximizes system resources for IPv4 unicast routing, typically required for a router or aggregator in the center of a network.
- VLANs: The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

In addition, the dual IPv4 and IPv6 templates enable a dual stack environment.

There are 2 versions of every template: a desktop template and an aggregator template. The Catalyst S switch can use the larger TCAM size available in the aggregator templates or can use the standard desktop templates. All other Catalyst 3750 switches support only the desktop templates. If you do not enter the desktop keyword on an aggregator switch, the aggregator templates are selected.

SDM Templates and Switch Stacks

All stack members use the same SDM template, which is stored on the stack master. When a new switch is added to a stack, as with the switch configuration and VLAN database files, the SDM configuration that is stored on the stack master supersedes the template configured on an individual switch.
- If the stack master is a desktop switch and a Catalyst S running the aggregator template is added as a stack member, this could result in configuration losses on the Catalyst S.
- If the stack master is a Catalyst S switch using an aggregator template and a new stack member is not a Catalyst S, the stack member is not able to support the template that is running on the stack master. The switch attempting to join the stack goes into SDM mismatch mode and cannot be a working member of the stack.

Managing the MAC Address Table

The MAC address table consists of address information that the switch uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports.
The address table includes these types of addresses:
- Dynamic address: A source MAC address that the switch learns and then ages out when it is not in use.
- Static address: A manually entered unicast address that does not age and that is not lost when the switch resets.

Building the Address Table

With multiple MAC addresses supported on every port, you can connect any port on the switch to individual workstations, repeaters, switches, routers, or other network devices. The switch provides dynamic addressing by learning the source address of packets it receives on each port and adding the address and its associated port number to the address table. As workstations are added to or removed from the network, the switch updates the address table, adding new dynamic addresses and aging out those that are not in use. The aging interval is globally configured on a standalone switch or on the switch stack.

MAC Addresses and VLANs

All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.

When private VLANs are configured, address learning depends on the type of MAC address:
- Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. For example, a MAC address learned in a private-VLAN secondary VLAN is replicated in the primary VLAN.
- Static MAC addresses configured in a primary or secondary VLAN are not replicated in the associated VLANs. When you configure a static MAC address in a private VLAN primary or secondary VLAN, you should also configure the same static MAC address in all associated VLANs.

MAC Addresses and Switch Stacks

The MAC address tables on all stack members are synchronized by maintaining the same copy of the address table for each VLAN on each stack member. When an address ages out, the address is removed from the address tables on all stack members. When a switch joins a switch stack, it receives the addresses for each VLAN learned on the other stack members. When a stack member leaves the switch stack, the remaining stack members age out or remove all addresses received by the former stack member.

Managing the ARP Table

The process of learning the 48-bit MAC address or local data link address from an IP address is called address resolution. The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and the VLAN ID. Using an IP address, ARP finds the associated MAC address. When a MAC address is found, the IP-MAC address association is saved in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network.
By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed.

Err disable

A port is err-disabled when the switch operating system software automatically disables it because of an error condition encountered on the port. When a port is error disabled, it is effectively shut down and no traffic is sent or received on that port. The port LED is set to the color orange and, when you issue the show interfaces command, the port status shows err-disabled.

The error disable function serves two purposes:
- It lets the administrator know when and where there is a port problem.
- It eliminates the possibility that this port can cause other ports on the module (or the entire module) to fail. Such a failure can happen when a bad port monopolizes buffers or port error messages monopolize inter-process communications on the card, which can ultimately cause serious network issues.

Causes of Err disable

This feature was first implemented to handle special collision situations in which the switch detected excessive or late collisions on a port. Excessive collisions take place when a frame is dropped because the switch encounters 16 collisions in a row. Late collisions occur after every device on the wire should have recognized that the wire was in use.

Possible causes of these types of errors include:
- A cable that is out of specification (either too long, the wrong type, or defective)
- A faulty network interface card (NIC) (with physical problems or driver problems)
- A port duplex misconfiguration. This is the most common cause, in which devices fail to negotiate speed and duplex parameters properly.

Only half-duplex connections should ever have collisions in a LAN. Because of the carrier sense multiple access (CSMA) nature of Ethernet, collisions are normal for half duplex, as long as the collisions do not exceed a small percentage of traffic.
Other conditions that put a port into the errdisable state:
- Port channel misconfiguration
- Security violation
- Port Aggregation Protocol (PAgP) flap
- Layer 2 Tunneling Protocol (L2TP) guard
- DHCP snooping rate-limit
- BPDU guard violation
- Unidirectional Link Detection (UDLD) condition
- Late-collision detection
- Link-flap detection
- Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
- Address Resolution Protocol (ARP) inspection
- Inline power

BPDU port guard and PortFast

A port that uses PortFast must only connect to an end station (such as a workstation or server) and not to devices that generate spanning tree BPDUs, such as switches, or bridges and routers that do bridging. If the switch receives a spanning tree BPDU on a port that has spanning tree PortFast and spanning tree BPDU guard enabled, the switch puts the port in errdisable mode to guard against potential loops. PortFast assumes that a port on a switch cannot generate a physical loop. As a result, PortFast skips the initial spanning tree checks for that port, which avoids the timeout of end stations at boot up. The network engineer/administrator must implement PortFast carefully. On ports that have PortFast enabled, BPDU guard helps ensure that the LAN stays loop-free.

CDP (Cisco Discovery Protocol)

CDP is a Cisco proprietary device discovery protocol that operates over Layer 2 (the data link layer) on all Cisco-manufactured devices. It allows network management applications to discover Cisco devices that are neighbors of already known devices. Network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols. This feature enables applications to send SNMP queries to neighboring devices. CDP runs on all media that support Subnetwork Access Protocol (SNAP).
LLDP (Link Layer Discovery Protocol)

LLDP, based on IEEE 802.1AB, is an interoperable neighbor discovery protocol that network devices use to advertise information about themselves to other devices on the network. This protocol runs over the data-link layer, which allows two systems running different network layer protocols to learn about each other. LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP-capable devices can use TLVs to receive and send information to their neighbors. Details such as configuration information, device capabilities, and device identity can be advertised using this protocol.

The switch supports the following basic management TLVs, which are optional:
- Port description TLV
- System capabilities TLV
- Management address TLV
- System name TLV
- System description TLV

UDLD (Unidirectional Link Detection)

UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to monitor the physical connection (for problems such as wrong cabling) and detect unidirectional links, in order to avoid spanning-tree topology loops or silently dropped traffic. All connected devices must support UDLD for the protocol to successfully identify unidirectional links. When UDLD detects a unidirectional link, it can administratively shut down the affected port and send you a warning message.

Modes of Operation

UDLD supports two operation modes:

Normal Mode: A UDLD-capable port A periodically sends a UDLD probe to port B. If port B is not UDLD capable, no unidirectional link detection occurs. If both devices are UDLD capable and bidirectional connectivity exists, probe messages travel in both directions at a rate of 1 every few seconds (set through the UDLD message time interval global configuration command). Upon receiving the probe, the UDLD protocol attempts to synchronize the devices by forwarding echo messages to the peer port and waiting for an answer during the detection window. If unidirectional traffic is detected while the port link is still up (port B no longer sends traffic to port A), port B enters errdisable mode. Port A is marked Undetermined but does not enter errdisable mode. It continues to operate under its current STP status because this mode is informational only; it is potentially less disruptive, although it does not prevent STP loops.

Aggressive Mode: If port A loses its neighbor connectivity, it actively tries to re-establish the relationship by sending a probe to port B.
If port B does not respond, the link is considered unidirectional and port A enters the errdisable state to avoid silently dropped traffic. UDLD aggressive mode can interoperate with UDLD normal mode.

What are VLANs?

Virtual LANs are implemented over physical LAN infrastructure to reduce broadcast messages, allow logical separation, and maintain security between devices in different VLANs.

VTP (VLAN Trunking Protocol)

VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can cause several problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations. It lets you manage configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network.

VTP Pruning

VTP pruning increases available network bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices. Without VTP pruning, a switch floods broadcast, multicast, and unknown unicast traffic across all trunk links within a VTP domain even though receiving switches might discard them. VTP pruning is disabled by default on the switch.

VTP pruning blocks unneeded flooded traffic to VLANs on trunk ports that are included in the pruning-eligible list. Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on switch trunk ports. If the VLANs are configured as pruning-ineligible, the flooding continues. VTP pruning is supported in all VTP versions.

Understanding IEEE 802.1Q Tunneling

Assigning a unique range of VLAN IDs to each business customer would restrict customer configurations and could easily exceed the VLAN limit (4096) of the IEEE 802.1Q specification.
Using the IEEE 802.1Q tunneling feature, service providers can use a single VLAN to support customers who have multiple VLANs. Customer VLAN IDs are preserved, and traffic from different customers is segregated within the service-provider network, even when they appear to be in the same VLAN. IEEE 802.1Q tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy and retagging the tagged packets. A port configured to support IEEE 802.1Q tunneling is called a tunnel port.

Native VLANs

When enabling IEEE 802.1Q tunneling on an edge switch, you must use IEEE 802.1Q trunk ports for sending packets into the service-provider network. However, packets passing through the core of the service-provider network can be carried through IEEE 802.1Q trunks, ISL trunks, or nontrunking links. When IEEE 802.1Q trunks are used in these core switches, the native VLANs of the IEEE 802.1Q trunks must not match any native VLAN of the nontrunking (tunneling) port on the same switch, because traffic on the native VLAN would not be tagged on the IEEE 802.1Q sending trunk port.

Manual Pruning

By default, trunk ports permit traffic for all VLANs. VTP pruning can only instruct a switch to not request traffic for specific VLANs. Manual pruning allows an administrator to explicitly decide which VLANs can traverse the link. The command to do this is switchport trunk allowed vlan a,b-c. This is the recommended method to prune VLANs because it limits the number of spanning tree instances to the number of VLANs allowed on the trunk.

EtherChannel

An EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link. It provides full-duplex bandwidth up to 800 Mb/s (Fast EtherChannel) or 8 Gb/s (Gigabit EtherChannel) between your switch and another switch or host. Each EtherChannel can consist of up to eight compatibly configured Ethernet ports. All ports in every EtherChannel must be configured as either Layer 2 or Layer 3 ports.
The number of EtherChannels is limited to 48. The EtherChannel Layer 3 ports are made up of routed ports. Routed ports are physical ports configured to be in Layer 3 mode by using the no switchport interface configuration command.

EtherChannel can be configured in one of these modes: Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), or On. Configure both ends of the EtherChannel in the same mode.

PAgP/LACP Mode: In either PAgP or LACP mode, the system negotiates with the other end of the channel to determine which ports should become active. Incompatible ports are put into an independent state and continue to carry data traffic as would any other single link. The port configuration does not change, but the port does not participate in the EtherChannel.

On Mode: When you configure an EtherChannel in the on mode, no negotiations take place. The switch forces all compatible ports to become active in the EtherChannel. The other end of the channel (on the other switch) must also be configured in the on mode; otherwise, packet loss can occur.

You can configure an EtherChannel on a standalone switch, on a single switch in the stack, or on multiple switches in the stack (known as cross-stack EtherChannel). If a link within an EtherChannel fails, traffic previously carried over that failed link moves to the remaining links within the EtherChannel. If traps are enabled on the switch, a trap is sent for a failure that identifies the switch, the EtherChannel, and the failed link. Inbound broadcast and multicast packets on one link in an EtherChannel are blocked from returning on any other link of the EtherChannel.

Port-Channel Interfaces

When you create an EtherChannel, a port-channel logical interface is involved:
- With Layer 2 ports, use the channel-group interface configuration command to dynamically create the port-channel logical interface. You can also use the interface port-channel port-channel-number global configuration command to manually create the port-channel logical interface, but then you must use the channel-group channel-group-number command to bind the logical interface to a physical port. The channel-group-number can be the same as the port-channel-number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel.
- With Layer 3 ports, you should manually create the logical interface by using the interface port-channel global configuration command followed by the no switchport interface configuration command. Then you manually assign an interface to the EtherChannel by using the channel-group interface configuration command.

Each EtherChannel has a port-channel logical interface numbered from 1 to 48. This port-channel interface number corresponds to the one specified with the channel-group interface configuration command.

Port Aggregation Protocol

The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches.
PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports. The switch learns the identity of partners capable of supporting PAgP and the capabilities of each port. It then dynamically groups similarly configured ports into a single logical link (channel or aggregate port).

Link Aggregation Control Protocol

LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels among switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports. The switch learns the identity of partners capable of supporting LACP and the capabilities of each port. It then dynamically groups similarly configured ports into a single logical link (channel or aggregate port).

Load Balancing and Forwarding Methods

EtherChannel load balancing can use MAC addresses or IP addresses, source or destination addresses, or both source and destination addresses. The chosen mode applies to all EtherChannels configured on the switch. You configure the load balancing and forwarding method by using the port-channel load-balance global configuration command.

With source-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the source MAC address of the incoming packet. Thus, to provide load balancing, packets from several hosts use different ports in the channel, but packets from the same host use the same port in the channel.

With destination-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the destination host's MAC address of the incoming packet. Thus, packets to the same destination are forwarded over the same port, and packets to a different destination are sent on a different port in the channel.
STP (Spanning Tree Protocol)

STP is a Layer 2 link management protocol that supports path redundancy while avoiding loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages.

Algorithm: STP uses a spanning-tree algorithm to select one switch of a redundantly connected network as the root of the spanning tree. The algorithm calculates the best loop-free path through a switched Layer 2 network by assigning a role to each port based on the role of the port in the active topology:
- Root: A forwarding port elected for the spanning-tree topology
- Designated: A forwarding port elected for each switched LAN segment
- Alternate: A blocked port providing an alternate path to the root bridge in the spanning tree
- Backup: A blocked port in a loopback configuration

The switch that has all of its ports in the designated role or in the backup role is the root switch. The switch that has at least one of its ports in the designated role is called the designated switch.

How PortFast Works

PortFast causes a switch or trunk port to enter the spanning tree forwarding state immediately, bypassing the listening and learning states. You can use PortFast on switch or trunk ports that are connected to a single workstation, switch, or server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state.

How PortFast BPDU Guard Works

The most secure implementation of PortFast is to enable it only on ports that connect non-trunking access points or end stations to switches. Because PortFast can be enabled on nontrunking ports connecting two switches, spanning tree loops can occur, since BPDUs are still being transmitted and received on those ports.
PortFast BPDU guard prevents loops by moving a nontrunking port into an errdisable state when a BPDU is received on that port. When you configure BPDU guard on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs instead of putting them into the spanning tree blocking state. BPDU guard provides a secure response to invalid configurations because the administrator must manually put the interface back in service.

How PortFast BPDU Filtering Works

BPDU filtering lets you avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system, on a per-switch basis. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states.

How UplinkFast Works

UplinkFast provides fast convergence using uplink groups in the network access layer after a spanning tree topology change. An uplink group is a set of ports (per VLAN), only one of which is forwarding at any given time. Specifically, an uplink group consists of the root port (which is forwarding) and a set of blocked ports (not including self-looped ports). The uplink group provides an alternate path in case the currently forwarding link fails.

How Loop Guard Works

Unidirectional link failures may cause a root port or alternate port to become designated as root if BPDUs are absent. Some software failures may introduce temporary loops in the network. Loop guard checks whether a root port or an alternate root port receives BPDUs. If the port is not receiving BPDUs, loop guard puts the port into an inconsistent state until it starts receiving BPDUs again. Loop guard isolates the failure and lets spanning tree converge to a stable topology without the failed link or bridge.
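The PortFast and BPDU guard pairing described above can be checked offline against a saved configuration. The following Python audit is an added example, not part of the original reference sheet or any Cisco tool; the sample configuration is constructed, and the finding names are hypothetical labels chosen for this sketch.

```python
import re

# Constructed sample configuration (not taken from any real device).
SAMPLE_CONFIG = """\
spanning-tree mode pvst
!
interface GigabitEthernet1/0/1
 description user desk
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description printer
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description uplink to distribution
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
 description spare
 switchport mode access
 shutdown
!
"""

# Global command that enables BPDU guard on every PortFast port.
GLOBAL_BPDUGUARD = "spanning-tree portfast bpduguard default"
PORTFAST_CMDS = {"spanning-tree portfast", "spanning-tree portfast trunk"}


def parse_interfaces(config):
    """Split a configuration into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            current = None          # "!" ends the current interface block
            continue
        match = re.match(r"^interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_portfast(config):
    """Return (interface, finding) pairs for risky PortFast settings."""
    global_lines, interfaces = parse_interfaces(config)
    guard_default = GLOBAL_BPDUGUARD in global_lines
    findings = []
    for name, cmds in interfaces.items():
        # Ignore ports that are shut down or do not use PortFast at all.
        if "shutdown" in cmds or not PORTFAST_CMDS.intersection(cmds):
            continue
        if "spanning-tree bpduguard disable" in cmds:
            guarded = False         # interface-level override of the global default
        else:
            guarded = guard_default or "spanning-tree bpduguard enable" in cmds
        if not guarded:
            findings.append((name, "portfast-without-bpduguard"))
        # The text recommends PortFast only on ports facing end stations.
        if "switchport mode trunk" in cmds:
            findings.append((name, "portfast-on-trunk"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_portfast(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```
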

SPAN and RSPAN

Network traffic passing through ports or VLANs can be analyzed by using SPAN or RSPAN to forward a copy of the traffic to another port on the switch, or on another switch, that is connected to a network analyzer or security device. SPAN copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports or VLANs. You must dedicate the destination port for SPAN use.

Only traffic that enters or leaves source ports, or traffic that enters or leaves source VLANs, can be monitored by using SPAN. Traffic routed to a source VLAN cannot be monitored. For example, if incoming traffic is being monitored, traffic that gets routed from another VLAN to the source VLAN cannot be monitored. Traffic that is received on the source VLAN and routed to another VLAN can be monitored.

You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.

Local SPAN

Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch or switch stack. Local SPAN copies traffic from one or more source ports in any VLAN, or from one or more VLANs, to a destination port for analysis.

Remote SPAN

RSPAN supports source ports, source VLANs, and destination ports on several switches (or different switch stacks), enabling remote monitoring of multiple switches across your network.

Cisco StackWise

Cisco StackWise technology provides an innovative new method for collectively utilizing the capabilities of a stack of switches.
Individual switches intelligently join to create a single switching unit with a 32-Gbps switching stack interconnect. Configuration and routing information is shared by each switch in the stack, building a single switching unit. Switches can be added to and deleted from a working stack without affecting performance.

The switches are linked into a single logical unit using special stack interconnect cables that create a bidirectional closed-loop path. This bidirectional path acts as a switch fabric for all the connected switches.

The stack is managed as a single unit by a master switch, which is elected from one of the stack member switches. Each switch in the stack has the capability to behave as a master or subordinate (member) in the hierarchy. The master switch is elected and serves as the control center for the stack. Both the master and member switches act as forwarding processors. Each switch is assigned a number. Up to nine separate switches can be joined together. The stack can have switches added and removed without affecting stack performance.

Each stack of Cisco Catalyst 3750 Series Switches has a single IP address and is managed as a single object. This single IP management applies to activities such as fault detection, virtual LAN (VLAN) creation and modification, security, and QoS controls. Each stack has only one configuration file, which is distributed to each member in the stack. This allows each switch in the stack to share the same network topology, MAC address, and routing information. In addition, it allows any member to become the master if the master ever fails.

Stack Membership

A standalone switch is a stack with one member that is also the master. You can connect one standalone switch to another to create a stack containing two stack members, with one of them as the master. You can connect standalone switches to an existing stack to increase the stack membership.
If you replace a stack member with an identical model, the new switch functions with the same configuration as the replaced switch (assuming that the new switch is using the same member number as the replaced switch). The operation of the stack continues uninterrupted during membership changes unless you remove the master or you add powered-on standalone switches or stacks.

Master Election

The stack master is elected based on one of these factors in the order listed:
1. The switch that is currently the stack master.
2. The switch having the highest stack member priority value.
3. The switch that is not using the default interface-level configuration.
4. The switch having the higher priority switch software version. These switch software versions are listed from highest to lowest priority:
   - Cryptographic IP services image software
   - Noncryptographic IP services image software
   - Cryptographic IP base image software
   - Noncryptographic IP base image software
5. The switch having the lowest MAC address.

Chapter 2: Infrastructure Security

DHCP Snooping

DHCP is widely used in LAN environments to dynamically assign host IP addresses from a centralized server, which significantly reduces the overhead of administering IP addresses. DHCP also helps conserve the limited IP address space because IP addresses no longer need to be permanently assigned to hosts; only those hosts that are connected to the network consume IP addresses.

DHCP Server

The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration parameters from its database, it forwards the request to one or more secondary DHCP servers defined by the network administrator or engineer.

DHCP Relay Agent

A DHCP relay agent is a Layer 3 device that sends DHCP packets between clients and servers. Relay agents forward requests and replies between clients and servers when they are not on the same physical subnet. Relay agent forwarding is different from normal Layer 2 forwarding, in which IP datagrams are switched transparently between networks. Relay agents receive DHCP messages and generate new DHCP messages to send on output interfaces.

Option-82 Data Insertion

In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP option-82 feature is enabled on the switch, a subscriber device is identified by the switch port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are uniquely identified.

Cisco IOS DHCP Server Database

During the DHCP-based autoconfiguration process, the designated DHCP server uses the Cisco IOS DHCP server database. It holds IP addresses, address bindings, and configuration parameters, such as the boot file.
An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.

DHCP Snooping and Switch Stacks

DHCP snooping is managed on the stack master. When a new switch joins the stack, the switch receives the DHCP snooping configuration from the stack master. When a member leaves the stack, all DHCP snooping address bindings associated with the switch age out. When a stack merge occurs, all DHCP snooping bindings in the stack master are lost if it is no longer the stack master. With a stack partition, the existing stack master is unchanged, and the bindings belonging to the partitioned switches age out. The new master of the partitioned stack begins processing the new incoming DHCP packets.

IP Source Guard

IPSG is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP source guard to prevent traffic attacks in which a host tries to use the IP address of its neighbor.

You can configure IP source guard when DHCP snooping is enabled on an untrusted interface. After IPSG is enabled on an interface, the switch blocks all IP traffic received on the interface except for DHCP packets permitted by DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.

Bindings in the IP source binding table are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address with its associated MAC address and VLAN number. The switch uses the IP source binding table only when IP source guard is enabled. IPSG is supported only on Layer 2 ports, including access and trunk ports.
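
The filtering decision IP source guard makes, in both of its modes (source IP only, and source IP plus MAC), modelled in Python as an added example; it is not Cisco code and not part of the original sheet. The port column on each binding, the port names, the function names and all addresses are constructed assumptions.

```python
"""Added example: IP source guard (IPSG) decision on ports where it is enabled.

Constructed model, not Cisco code. The sheet lists IP, MAC and VLAN per binding;
the port column is an assumption of this model.
"""
from enum import Enum
from typing import Iterable, NamedTuple


class Mode(Enum):
    IP = "source IP address filtering"
    IP_MAC = "source IP and MAC address filtering"


class Binding(NamedTuple):
    mac: str
    ip: str
    vlan: int
    port: str
    origin: str  # "dhcp-snooping" (learned) or "static" (manually configured)


class Frame(NamedTuple):
    port: str
    vlan: int
    src_mac: str
    src_ip: str
    dhcp_permitted: bool = False  # DHCP packet already permitted by DHCP snooping


def norm_mac(mac: str) -> str:
    """Compare MACs regardless of notation (0200.0000.000a vs 02:00:00:00:00:0a)."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def ipsg_permits(frame: Frame, bindings: Iterable[Binding], mode: Mode,
                 ipsg_ports: frozenset) -> bool:
    """Return True if the frame is forwarded, False if the port ACL drops it."""
    if frame.port not in ipsg_ports:
        return True            # the table is consulted only where IPSG is enabled
    if frame.dhcp_permitted:
        return True            # DHCP is the one exception on an IPSG port
    for b in bindings:
        if (b.port, b.vlan, b.ip) != (frame.port, frame.vlan, frame.src_ip):
            continue
        if mode is Mode.IP_MAC and norm_mac(b.mac) != norm_mac(frame.src_mac):
            continue
        return True
    return False               # every other source is denied


# Constructed sample data (documentation addresses, locally administered MACs).
BINDINGS = [
    Binding("0200.0000.000a", "192.0.2.11", 10, "Gi1/0/1", "dhcp-snooping"),
    Binding("0200.0000.000b", "192.0.2.12", 10, "Gi1/0/2", "dhcp-snooping"),
    Binding("0200.0000.00c0", "192.0.2.50", 10, "Gi1/0/3", "static"),
]
IPSG_PORTS = frozenset({"Gi1/0/1", "Gi1/0/2", "Gi1/0/3"})  # Gi1/0/24 is an uplink

FRAMES = {
    "host A, own address": Frame("Gi1/0/1", 10, "02:00:00:00:00:0a", "192.0.2.11"),
    "host B using A's IP": Frame("Gi1/0/2", 10, "0200.0000.000b", "192.0.2.11"),
    "other MAC, A's IP, A's port": Frame("Gi1/0/1", 10, "0200.0000.00ff", "192.0.2.11"),
    "static printer": Frame("Gi1/0/3", 10, "0200.0000.00c0", "192.0.2.50"),
    "new host, DHCP request": Frame("Gi1/0/2", 10, "0200.0000.00dd", "0.0.0.0", True),
    "new host, non-DHCP": Frame("Gi1/0/2", 10, "0200.0000.00dd", "192.0.2.99"),
    "uplink without IPSG": Frame("Gi1/0/24", 10, "0200.0000.0001", "192.0.2.1"),
}


def verdicts(mode: Mode) -> dict:
    """Map each sample frame label to 'forward' or 'drop' for the given mode."""
    return {label: "forward" if ipsg_permits(f, BINDINGS, mode, IPSG_PORTS) else "drop"
            for label, f in FRAMES.items()}


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value)
        for label, verdict in verdicts(mode).items():
            print(f"  {verdict:8} {label}")
```

The only frame whose verdict differs between the two modes is the one that reuses a bound IP address from a different MAC on the same port, which is the case the IP and MAC mode exists to catch.
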
You can configure IPSG with source IP address filtering or with source IP and MAC address filtering.

Source IP Address Filtering

If IPSG is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.

Source IP and MAC Address Filtering

IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table.

Dynamic ARP Inspection

ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the broadcast domain receive the ARP request, and Host A responds with its MAC address.

However, because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host. A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet.

Private VLANs

The private-vlan feature addresses two problems that service providers face when using VLANs:

- Scalability: The switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the number of customers that the service provider can support.
- IP address management: To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can waste the unused IP addresses and cause IP address management problems.

Private VLANs and SVIs

In a Layer 3 switch, a switch virtual interface (SVI) represents the Layer 3 interface of a VLAN. Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN interfaces only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.

Private VLANs and Switch Stacks

Private VLANs can operate within the switch stack, and private-vlan ports can reside on different stack members. However, some changes to the switch stack can impact private-vlan operation:

- If a stack contains only one private-vlan promiscuous port and the stack member that contains that port is removed from the stack, host ports in that private VLAN lose connectivity outside the private VLAN.
- If a stack master that contains the only private-vlan promiscuous port in the stack fails or leaves the stack and a new stack master is elected, host ports in a private VLAN that had its promiscuous port on the old stack master lose connectivity outside of the private VLAN.
- If two stacks merge, private VLANs on the winning stack are not affected, but private-vlan configuration on the losing switch is lost when that switch reboots.

Storm Control

Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can cause a storm.

Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within the 1-second time interval and compares the measurement with a predefined suppression-level threshold.

Storm control uses one of these methods to measure traffic activity:

- Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic.
- Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received.
- Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received.
- Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.

With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.

Port Security

You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, a security violation occurs when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses. Also, if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged.

AAA Protocols: RADIUS and TACACS+

TACACS+ and RADIUS are the two best-known types of AAA protocols. TACACS+ is a newer version of TACACS and XTACACS. There are inherent differences between TACACS+ and RADIUS which make them suitable for particular situations. For example, TACACS+ is proprietary to Cisco, whereas RADIUS comes from the Internet Engineering Task Force (IETF).
Another difference is that TACACS+ operates in a TCP environment while RADIUS

Understanding RADIUS

RADIUS is a client/server system that secures networks against unauthorized access and runs on supported Cisco devices. It works by sending authentication requests to a central RADIUS server. This central server contains all information regarding user authentication and network access.

It is most suitable in these network environments:

- Multiple-vendor access servers, with the prerequisite that they all support RADIUS.
- Turnkey network security environments, in which applications support the RADIUS protocol.
- Networks that need resource accounting. RADIUS accounting can be used independently of authorization and authentication.

It is not suitable for networks with:

- Multiprotocol access environments.
- Router-to-router or switch-to-switch situations, as it does not support two-way authentication.

Understanding TACACS+

TACACS+, like RADIUS, is a security application providing centralized validation of users. It differs from RADIUS in its scope, as it does not authenticate client devices which are associated to the access point. TACACS+ provides separate authentication, authorization and accounting facilities, allowing for a single access control server for each of the services independently. Every service can be tied to its own database. It is a primary protocol for Cisco AAA implementations and is supported on IOS routers, switches, and the Cisco PIX Firewall.

TACACS+ through AAA provides the following:

- Authentication: It ensures complete control of authentication of administrators. This is done through the password dialog, challenge and response.
- Authorization: It provides control over the administrator capabilities for the entire duration of the administration session. In addition, restrictions can be imposed on the commands that the administrator can execute.
- Accounting: Information is gathered and used for the purposes of billing, auditing and reporting. This can also be used for conducting a security audit.

Fallback Bridging

With fallback bridging, the switch bridges together two or more VLANs or routed ports, essentially connecting multiple VLANs within one bridge domain. Fallback bridging forwards traffic that the switch does not route and forwards traffic belonging to a nonroutable protocol such as DECnet.

A VLAN bridge domain is described with switch virtual interfaces (SVIs). A set of SVIs and routed ports (which do not have any VLANs associated with them) can be configured (grouped together) to create a bridge group. Recall that an SVI represents a VLAN of switch ports as one interface to the routing or bridging function in the system. You associate only one SVI with a VLAN, and you configure an SVI for a VLAN only when you want to route between VLANs, to fallback-bridge nonroutable protocols between VLANs, or to provide IP host connectivity to the switch.

A routed port is a physical port that behaves like a port on a router, but it is not connected to a router. A routed port is not associated with a particular VLAN and does not support VLAN subinterfaces, but acts like a normal routed port.
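
For the Storm Control section earlier in this chapter: the rising and falling suppression levels behave as a hysteresis loop. This added Python model (not Cisco code and not from the original sheet) runs constructed per-second counters through it in each of the three threshold units; the function names, the 100 Mb/s link and the sample rates are assumptions.

```python
"""Added example: storm-control suppression levels as a hysteresis loop.

Constructed model, not Cisco code. One traffic type (for example broadcast) on
one port; each sample is the traffic offered to the port in a 1-second
interval. The model assumes measurement continues while the port is blocked.
"""
from typing import List, NamedTuple, Optional


class Interval(NamedTuple):
    packets: int   # packets of the monitored type received in this second
    octets: int    # bytes carried by those packets


def measured_rate(sample: Interval, unit: str, link_bps: int) -> float:
    """Express one interval in the unit the thresholds are configured in."""
    if unit == "pps":
        return float(sample.packets)
    if unit == "bps":
        return sample.octets * 8.0
    if unit == "percent":            # share of the port's total bandwidth
        return sample.octets * 8.0 * 100.0 / link_bps
    raise ValueError(f"unknown unit: {unit}")


def port_states(samples: List[Interval], unit: str, rising: float,
                falling: Optional[float] = None,
                link_bps: int = 100_000_000) -> List[str]:
    """State of the port for the monitored traffic type after each interval."""
    if falling is None:
        falling = rising             # no falling level: unblock below rising
    if not 0 <= falling <= rising:
        raise ValueError("falling level must be between 0 and the rising level")
    blocked = False
    states = []
    for sample in samples:
        rate = measured_rate(sample, unit, link_bps)
        if not blocked and rate >= rising:
            blocked = True           # rising threshold reached
        elif blocked and rate < falling:
            blocked = False          # rate dropped below the falling threshold
        states.append("blocked" if blocked else "forwarding")
    return states


def transitions(states: List[str]) -> int:
    """Number of times the port changed between forwarding and blocked."""
    return sum(1 for prev, cur in zip(states, states[1:]) if prev != cur)


# Constructed sample: broadcast packets per second hovering around 1000 pps,
# 125-byte frames (1000 bits each) on a 100 Mb/s port.
PPS = [200, 900, 1200, 950, 1100, 700, 1050, 400, 300]
SAMPLES = [Interval(p, p * 125) for p in PPS]

if __name__ == "__main__":
    for falling in (None, 500):
        states = port_states(SAMPLES, "pps", rising=1000, falling=falling)
        print(f"falling={falling}: {transitions(states)} state changes")
        for pps, state in zip(PPS, states):
            print(f"  {pps:5d} pps  {state}")
```

On this sample, a rising level alone lets the port change state six times as the rate hovers around the threshold; adding a falling level of 500 pps reduces that to two.
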

Chapter 3: Infrastructure Services

Hot Standby Router Protocol (HSRP)

Cisco developed the proprietary Hot Standby Router Protocol (HSRP) to allow multiple routers or multilayer switches to masquerade as a single gateway. This is achieved by assigning a virtual IP and MAC address to all routers participating in an HSRP group. Routers within the same HSRP group must be assigned the same group number, which can range from 0 to 255. However, most of the Cisco platforms only support 16 configured HSRP groups.

HSRP routers are elected to specific roles:

1. Active Router: the router currently serving as the gateway
2. Standby Router: the backup router to the Active Router
3. Listening Router: all other routers participating in HSRP

Only one active and one standby router are allowed per HSRP group. Thus, HSRP provides Layer-3 redundancy, but no inherent load balancing. Hello packets are used to elect HSRP roles and to ensure all routers are functional. If the current active router fails, the standby router will immediately take over as active, and a new standby is elected. By default, hello packets are sent every 3 seconds.

The role of an HSRP router is dictated by its priority. The priority can range from 0 to 255, with a default of 100. A higher priority is preferred. Thus, the router with the highest priority is elected the active router.

Multiple HSRP

The switch supports Multiple HSRP (MHSRP), an extension of HSRP that allows load sharing between two or more HSRP groups. You can configure MHSRP to achieve load balancing and to use two or more standby groups (and paths) from a host network to a server network.

In Figure X half the clients are configured for Router A, and half the clients are configured for Router B. Together, the configuration for Routers A and B establishes two HSRP groups. For group 1, Router A is the default active router because it has the assigned highest priority, and Router B is the standby router.
For group 2, Router B is the default active router because it has the assigned highest priority, and Router A is the standby router. During normal operation, the two routers share the IP traffic load. When either router becomes unavailable, the other router becomes active and assumes the packet-transfer functions of the router that is unavailable.

HSRP and Switch Stacks

HSRP hello messages are generated by the stack master. If an HSRP-active stack master fails, a flap in the HSRP active state might occur. This is because HSRP hello messages are not generated while a new stack master is elected and initialized, and the standby router might become active after the stack master fails.

Virtual Router Redundancy Protocol (VRRP)

The Virtual Router Redundancy Protocol (VRRP) is an industry-standard Layer-3 redundancy protocol, originally defined in RFC. VRRP is nearly identical to HSRP, with some notable exceptions:

- The router with the highest priority becomes the master router. All other routers become backup routers.
- The virtual MAC address is the reserved e00.01xx, with xx representing the hexadecimal group number.
- Hello packets are sent every 1 second, by default, and sent to multicast address
- VRRP will preempt by default.
- VRRP cannot directly track interfaces; it can track an object which is tied to an interface, though.

Gateway Load Balancing Protocol (GLBP)

To overcome the shortcomings in HSRP and VRRP, Cisco developed the proprietary Gateway Load Balancing Protocol (GLBP). Routers are added to a GLBP group, numbered 0 to. Unlike HSRP and VRRP, multiple GLBP routers can be active, achieving both redundancy and load balancing.

A priority is assigned to each GLBP interface by default. The interface with the highest priority becomes the Active Virtual Gateway (AVG). If priorities are equal, the interface with the highest IP will become the AVG. Routers in the GLBP group are assigned a single virtual IP address.
Hosts will use this virtual address as their default gateway. The AVG will respond to ARP requests for the virtual IP with the virtual MAC address of an Active Virtual Forwarder (AVF). Up to three routers can be elected as AVFs. The AVG assigns a virtual MAC address to each AVF, and to itself, for a maximum of 4 virtual MAC addresses. Only the AVG and AVFs can forward traffic for hosts. Any router not elected as an AVF or AVG will become a Secondary Virtual Forwarder (SVF), and will wait in standby until an AVF fails.

About this Quick Reference Sheet

IPSpecialists Quick Reference Sheets are a summarized collection of the condensed notes taken from our technology workbooks, which are prepared with the exam blueprint in mind. It's an ideal handy document to help you remember the most important technology concepts.


More information

Campus Networking Workshop. Layer 2 engineering Spanning Tree and VLANs

Campus Networking Workshop. Layer 2 engineering Spanning Tree and VLANs Campus Networking Workshop Layer 2 engineering Spanning Tree and VLANs Switching Loop When there is more than one path between two switches What are the potential problems? Switching Loop If there is more

More information

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Actual4Test.   Actual4test - actual test exam dumps-pass for IT exams Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : 300-115 Title : Implementing Cisco IP Switched Networks Vendor : Cisco Version : DEMO Get Latest & Valid

More information

Configuring Rapid PVST+ Using NX-OS

Configuring Rapid PVST+ Using NX-OS Configuring Rapid PVST+ Using NX-OS This chapter describes how to configure the Rapid per VLAN Spanning Tree (Rapid PVST+) protocol on Cisco NX-OS devices. This chapter includes the following sections:

More information

Configuring Private VLANs

Configuring Private VLANs 36 CHAPTER This chapter describes private VLANs (PVLANs) on Catalyst 4500 series switches. It also provides restrictions, procedures, and configuration examples. This chapter includes the following major

More information

Configuring Interface Characteristics

Configuring Interface Characteristics CHAPTER 11 This chapter defines the types of interfaces on the Catalyst 3750 switch and describes how to configure them. Unless otherwise noted, the term switch refers to a standalone switch and a switch

More information

Massimiliano Sbaraglia

Massimiliano Sbaraglia Massimiliano Sbaraglia Printer Layer 2 access connections to End-Point Layer 2 connections trunk or layer 3 p2p to pair distribution switch PC CSA PVST+ or MST (Spanning Tree Protocol) VLANs LapTop VoIP

More information

: Building Cisco Multilayer Switched Networks

: Building Cisco Multilayer Switched Networks Exam : Cisco 642-812 Title : Building Cisco Multilayer Switched Networks Version : Demo Cheat-Test,help you pass any IT exam! Q: 1 Which three statements about the Multiple Spanning Tree (MST) protocol

More information

CCNP (Routing & Switching and T.SHOOT)

CCNP (Routing & Switching and T.SHOOT) CCNP (Routing & Switching and T.SHOOT) Course Content Module -300-101 ROUTE 1.0 Network Principles 1.1 Identify Cisco Express Forwarding concepts 1.1.a FIB 1.1.b Adjacency table 1.2 Explain general network

More information

CCNA Routing and Switching (NI )

CCNA Routing and Switching (NI ) CCNA Routing and Switching (NI400+401) 150 Hours ` Outline The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment that is

More information

Cisco. Exam Questions SWITCH Implementing Cisco IP Switched Networks. Version:Demo

Cisco. Exam Questions SWITCH Implementing Cisco IP Switched Networks. Version:Demo Cisco Exam Questions 300-115 SWITCH Implementing Cisco IP Switched Networks Version:Demo 1. Which type of information does the DHCP snooping binding database contain? A. untrusted hosts with leased IP

More information

Token Ring VLANs and Related Protocols

Token Ring VLANs and Related Protocols Token Ring VLANs and Related Protocols CHAPTER 4 Token Ring VLANs A VLAN is a logical group of LAN segments, independent of physical location, with a common set of requirements. For example, several end

More information

Braindumps.164 Questions

Braindumps.164 Questions 300-115.Braindumps.164 Questions Number: 300-115 Passing Score: 800 Time Limit: 120 min File Version: 15.8 http://www.gratisexam.com/ 300-115 Implementing Cisco IP Switched Networks 100% Valid in all over

More information

Configuring Interface Characteristics

Configuring Interface Characteristics CHAPTER 12 This chapter defines the types of Catalyst 2975 interfaces and describes how to configure them. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. Understanding

More information

TEXTBOOK MAPPING CISCO COMPANION GUIDES

TEXTBOOK MAPPING CISCO COMPANION GUIDES TestOut Routing and Switching Pro - English 6.0.x TEXTBOOK MAPPING CISCO COMPANION GUIDES Modified 2018-08-20 Objective Mapping: Cisco 100-105 ICND1 Objective to LabSim Section # Exam Objective TestOut

More information

Configuring Spanning Tree Protocol

Configuring Spanning Tree Protocol Finding Feature Information, page 1 Restrictions for STP, page 1 Information About Spanning Tree Protocol, page 2 How to Configure Spanning-Tree Features, page 14 Monitoring Spanning-Tree Status, page

More information

Pass-Through Technology

Pass-Through Technology CHAPTER 3 This chapter provides best design practices for deploying blade servers using pass-through technology within the Cisco Data Center Networking Architecture, describes blade server architecture,

More information

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco IP Switched Networks. Version: Demo

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco IP Switched Networks. Version: Demo Vendor: Cisco Exam Code: 642-813 Exam Name: Implementing Cisco IP Switched Networks Version: Demo QUESTION 1 Which two RSTP port roles include the port as part of the active topology? (Choose two) A. Root

More information

Actualtests Galvin 158q. Exam code: Exam name: Implementing Cisco IP Switched Networks

Actualtests Galvin 158q. Exam code: Exam name: Implementing Cisco IP Switched Networks Actualtests 300-115 Galvin 158q Number: 300-115 Passing Score: 800 Time Limit: 120 min File Version: 16.5 http://www.gratisexam.com/ Exam code: 300-115 Exam name: Implementing Cisco IP Switched Networks

More information

Building Cisco Multilayer Switched Networks (BCMSN)

Building Cisco Multilayer Switched Networks (BCMSN) Building Cisco Multilayer Switched Networks (BCMSN) Table of Contents Module 1 Defining VLANs Implementing Best Practices for VLAN Topologies Describing Issues in a Poorly Designed Network Grouping Business

More information

cisco. Number: Passing Score: 800 Time Limit: 120 min

cisco. Number: Passing Score: 800 Time Limit: 120 min 300-115 cisco Number: 300-115 Passing Score: 800 Time Limit: 120 min Sections 1. Layer 2 Technologies 2. Infrastructure Security 3. Infrastructure Services 4. Mix QUESTIONS Exam A QUESTION 1 What is the

More information

Integrated Switch Technology

Integrated Switch Technology CHAPTER 2 This section discusses the following topics: Cisco Intelligent Gigabit Ethernet Switch Module for the IBM BladeCenter Cisco Gigabit Ethernet Switch Module for the HP BladeSystem Cisco Intelligent

More information

cisco. Number: Passing Score: 800 Time Limit: 120 min.

cisco.   Number: Passing Score: 800 Time Limit: 120 min. 300-115 cisco Number: 300-115 Passing Score: 800 Time Limit: 120 min Exam A QUESTION 1 What is the maximum number of switches that can be stacked using Cisco StackWise? A. 4 B. 5 C. 8 D. 9 E. 10 F. 13

More information

Cisco Certified Network Associate ( )

Cisco Certified Network Associate ( ) Cisco Certified Network Associate (200-125) Exam Description: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment that

More information

Configuring DHCP. Finding Feature Information. Information About DHCP. DHCP Server. DHCP Relay Agent

Configuring DHCP. Finding Feature Information. Information About DHCP. DHCP Server. DHCP Relay Agent Finding Feature Information, on page 1 Information About DHCP, on page 1 How to Configure DHCP Features, on page 8 Server Port-Based Address Allocation, on page 17 Finding Feature Information Your software

More information

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, , CCNA Cisco Certified Network Associate (200-125) Exam DescrIPtion: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment

More information

Configuring VTP. Understanding VTP CHAPTER

Configuring VTP. Understanding VTP CHAPTER CHAPTER 14 This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a

More information

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs Finding Feature Information, page 1 Prerequisites for VLANs, page 1 Restrictions for VLANs, page 2 Information About VLANs, page 2 How to Configure VLANs, page 7 Monitoring VLANs, page 19 Where to Go Next,

More information

Configuring SPAN and RSPAN

Configuring SPAN and RSPAN 24 CHAPTER This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on your Catalyst 2950 or Catalyst 2955 switch. Note For complete syntax and usage information for

More information

Actualtests Galvin 158q. Exam code: Exam name: Implementing Cisco IP Switched Networks

Actualtests Galvin 158q. Exam code: Exam name: Implementing Cisco IP Switched Networks Actualtests 300-115 Galvin 158q Number: 300-115 Passing Score: 800 Time Limit: 120 min File Version: 16.5 Exam code: 300-115 Exam name: Implementing Cisco IP Switched Networks Question Set 1 QUESTION 1

More information

Configuring Virtual Port Channels

Configuring Virtual Port Channels Configuring Virtual Port Channels This chapter describes how to configure virtual port channels (vpcs) on Cisco Nexus 5000 Series switches. It contains the following sections: Information About vpcs, page

More information

Cisco Certified Network Professional (CCNP)

Cisco Certified Network Professional (CCNP) Cisco Certified Network Professional (CCNP) MSIT106 / 120 Hours / 12 Months / Self-Paced / Materials Included Course Overview: This CCNP Routing & Switching, Troubleshooting & Maintaining, and Implementing

More information

Configuring DHCP. Finding Feature Information. Information About DHCP. DHCP Server. DHCP Relay Agent

Configuring DHCP. Finding Feature Information. Information About DHCP. DHCP Server. DHCP Relay Agent Finding Feature Information, page 1 Information About DHCP, page 1 How to Configure DHCP Features, page 8 Server Port-Based Address Allocation, page 18 Finding Feature Information Your software release

More information

CCNA Semester 3 labs. Part 1 of 1 Labs for chapters 1 8

CCNA Semester 3 labs. Part 1 of 1 Labs for chapters 1 8 CCNA Semester 3 labs Part 1 of 1 Labs for chapters 1 8 2.1.2.12 Lab - Building a Switched Network with Redundant Links 2.3.2.3 Lab - Configuring Rapid PVST+, PortFast and BPDU Guard 2.4.3.4 Lab - Configuring

More information

NETLOGIC TRAINING CENTER

NETLOGIC TRAINING CENTER Course Content NETLOGIC TRAINING CENTER Course Training CCNP Implement Cisco IP Switch Networks CCNP Switching (300-115 SWITCH) version 2.0 SWITCH v2.0, 5 day ILT, includes major updates follows an updated

More information

ActualTest v by-VA

ActualTest v by-VA ActualTest-642-813-v2012-10-29-by-VA Number: 154 Passing Score: 790 Time Limit: 140 min File Version: 2.7 http://www.gratisexam.com/ Implementing Cisco IP Switched Networks (SWITCH) I rearranged the last

More information

Configuring DHCP. Finding Feature Information. Information About DHCP. DHCP Server. DHCP Relay Agent

Configuring DHCP. Finding Feature Information. Information About DHCP. DHCP Server. DHCP Relay Agent Finding Feature Information, page 1 Information About DHCP, page 1 How to Configure DHCP Features, page 8 Server Port-Based Address Allocation, page 18 Finding Feature Information Your software release

More information

Cisco CCNP Exam

Cisco CCNP Exam Cisco CCNP 642-813 Exam Number: 160 Passing Score: 800 Time Limit: 120 min File Version: 1301 http://www.gratisexam.com/ Cisco CCNP 642-813 Exam EnsurePass.com Vendor:Cisco Exam Code:642-813 Contact us:

More information

Configuring SPAN and RSPAN

Configuring SPAN and RSPAN 34 CHAPTER This chapter describes how to configure the Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 4500 series switches. SPAN selects network traffic for analysis by a network

More information

Exam Topics Cross Reference

Exam Topics Cross Reference Appendix R Exam Topics Cross Reference This appendix lists the exam topics associated with the ICND1 100-105 exam and the CCNA 200-125 exam. Cisco lists the exam topics on its website. Even though changes

More information

Configuring SPAN and RSPAN

Configuring SPAN and RSPAN Finding Feature Information, page 1 Prerequisites for SPAN and RSPAN, page 1 Restrictions for SPAN and RSPAN, page 2 Information About SPAN and RSPAN, page 3 How to Configure SPAN and RSPAN, page 14 Monitoring

More information

CCNA Practice test. 2. Which protocol can cause high CPU usage? A. NTP B. WCCP C. Telnet D. SNMP Answer: D

CCNA Practice test. 2. Which protocol can cause high CPU usage? A. NTP B. WCCP C. Telnet D. SNMP Answer: D 1. Which network would support at least 30 hosts? A. 10.0.0.0 255.255.255.252 B. 10.0.0.0 255.255.255.240 C. 10.0.0.0 255.255.255.224 D. 10.0.0.0 255.255.255.248 2. Which protocol can cause high CPU usage?

More information

Configuring Rapid PVST+

Configuring Rapid PVST+ This chapter contains the following sections: Information About Rapid PVST+, page 1, page 16 Verifying the Rapid PVST+ Configuration, page 24 Information About Rapid PVST+ The Rapid PVST+ protocol is the

More information

Configuring Spanning Tree Protocol

Configuring Spanning Tree Protocol Restrictions for STP Restrictions for STP, on page 1 Information About Spanning Tree Protocol, on page 1 How to Configure Spanning-Tree Features, on page 13 Monitoring Spanning-Tree Status, on page 25

More information

Cisco Implementing Cisco IP Switched Networks (SWITCH v2.0)

Cisco Implementing Cisco IP Switched Networks (SWITCH v2.0) Cisco 300-115 Implementing Cisco IP Switched Networks (SWITCH v2.0) http://killexams.com/pass4sure/exam-detail/300-115 Question: 323 An administrator recently configured all ports for rapid transition

More information

Configuring Port Channels

Configuring Port Channels CHAPTER 5 This chapter describes how to configure port channels and to apply and configure the Link Aggregation Control Protocol (LACP) for more efficient use of port channels in Cisco DCNM. For more information

More information

TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified

TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE Modified 2017-07-10 TestOut Routing and Switching Pro Outline- English 6.0.x Videos: 133 (15:42:34) Demonstrations: 78 (7:22:19) Simulations:

More information

Implementing Cisco IP Routing ( )

Implementing Cisco IP Routing ( ) Implementing Cisco IP Routing (300-101) Implementing Cisco IP Routing (ROUTE 300-101) is a 120-minute qualifying exam with 50 60 questions for the Cisco CCNP and CCDP certifications. The ROUTE 300-101

More information

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER 7 CHAPTER This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Cisco MWR 2941 router. It includes information about VLAN

More information

Configuring Optional STP Features

Configuring Optional STP Features CHAPTER 29 This chapter describes how to configure optional STP features. For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master List, at this URL: http://www.cisco.com/en/us/docs/ios/mcl/allreleasemcl/all_book.html

More information

Configuring STP. Understanding Spanning-Tree Features CHAPTER

Configuring STP. Understanding Spanning-Tree Features CHAPTER CHAPTER 11 This chapter describes how to configure the Spanning Tree Protocol (STP) on your switch. For information about the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol

More information

Catalyst 1900 Series and Catalyst 2820 Series Enterprise Edition Software Configuration Guide

Catalyst 1900 Series and Catalyst 2820 Series Enterprise Edition Software Configuration Guide INDEX A allowed list, VLAN 2-28 to 2-29 ATM 2-5 firmware upgrade B-5 to B-7 LANE trunk connections 1-4 module 2-9, 2-13, 2-23 networks 2-5 trunk 2-4, 2-14 B bridge groups 3-15 bridge number 2-10 Bridge

More information