Tuesday 26 September 2023

What is VTP Pruning? How to configure Cisco VTP pruning?

VTP pruning is used to improve the allocation and use of network bandwidth by reducing unnecessary traffic flood for example broadcast, multicast, and flooded unicast. Pruning makes more efficient use of trunk bandwidth. 

by default, VTP pruning is disabled, when you enable VTP pruning switch still forwards VLAN unknown unicast and broadcast frames over a trunk port but only forwards if the switch on the receiving end of the trunk has ports in the same VLAN. 

when you enable VTP Pruning on the VTP server all the clients in the VTP domain will automatically enable VTP Pruning. once you enable the VTP pruning by default all the VLANs are prune-eligible except VLAN 1 because it is an administrative VLAN and extended range of VLANs. which means VLAN 2 through VLAN 1005 are eligible for pruning. 

How does VTP pruning work? 


as you can see in the topology here, we have 5 VTP pruned enable switches. a broadcast traffic is generated on switch 2 port which is in VLAN 10. switch 2 forwards it to the trunk and switch-1 receives the traffic and forwards this traffic to switch-4 because the VLAN 10 is only configured on switch 4 and switch 1. The rest of the switches' flooded traffic is pruned. 

let's see the configuration: -

Topology: -




  • configure the topology as per the diagram
  • configure IP addresses on PCs
  • configure the 802.1q between switches
  • configure VTP server on a core switch and switch-1 and 2 clients
  • configure version 2, password cisco123 and the password must be hidden
  • configure VLAN 50,60,70,80 on the VTP server and make sure clients synced this information. 
  • configure VTP pruning on VTP server
  • remove VLAN 80 from Pruned

Sunday 24 September 2023

What is BGP Route Aggregation (R A)? How to configure Route Aggregation?

What is BGP Route Aggregation (R A)? 
What is atomic-aggregate? What is aggregated?



Route Aggregation or BGP route summarization is used to minimize the routing table size. Route aggregate provides the flexibility to allow none, all, or a subnet of the summary’s component subnets to be advertised out of the BGP table. Route Aggregation minimizes the size of the global routing table, decreases the workload of routers, and also saves the network bandwidth.

BGP summarization is more complex than IGP protocols because when we use the BGP router sub-command aggregate-address without any parameters, all the important information of individual route attributes is lost such as AS_PATH, we know AS_PATH is used for loop prevention. in order to summarize make sure at least one subnet is in the BGP table. 

atomic-aggregate is a well-known BGP attribute. this attribute must be recognized by all BGP routers but it's not mean this attribute has to be included in all BGP updates. this atomic aggregate tells the BGP routers that 192.168.0.0/18 is a result of route aggregation and some information could be missing.

aggregate attribute (aggregated by 65300 192.168.33.1) This attribute specifies the autonomous number and BGP router ID of the aggregating router.

I'm assuming you are familiar with IGP summarization. let's take a look aggregation command. 


R2(config-router)#aggregate-address 192.168.8.0 255.255.248.0 ?

  advertise-map  Set condition to advertise attribute

  as-set         Generate AS set path information

  attribute-map  Set attributes of aggregate

  nlri           Nlri aggregate applies to

  route-map      Set parameters of aggregate

  summary-only   Filter more specific routes from updates

  suppress-map   Conditionally filter more specific routes from updates

  <cr>

(When we configure the aggregate-address 192.168.8.0 255.255.248.0 command without any additional then this command advertises the route with individual prefixes and it looks like this) 


R3#show ip bgp

   Network          Next Hop            Metric LocPrf Weight Path

*> 192.168.8.0/21   2.2.2.1                  0             0 65200 i

*> 192.168.10.0     2.2.2.1                                0 65200 65100 i

*> 192.168.11.0     2.2.2.1                                0 65200 65100 i

*> 192.168.12.0     2.2.2.1                                0 65200 65100 i

*> 192.168.13.0     2.2.2.1                                0 65200 65100 i


(you can delete (suppress) these prefixes and you can tell the BGP router that only advertises the summary address but you need to add an additional command which is summary only. let's see what it looks like after adding a summary-only command) 

R2(config)#router bgp 65200
R2(config-router)#aggregate-address 192.168.8.0 255.255.248.0 summary-only
R2(config-router)#end

R3#show ip bgp
BGP table version is 46, local router ID is 192.168.33.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.8.0/21   2.2.2.1                  0             0 65200 i


 (Now the individual prefixes are gone but there is AS Path information is not available. this will happen if you do not specify any additional option to the command. it looks like a new prefix is born in the local AS.) 

Let's see the configuration: -


Topology: - 





Goal_

  • configure the topology as per the diagram 
  • assign the IPs to their respective ports as per the topology 
  • configure E-BGP as per the topology 
  • advertise the loopback route as per the topology
  • configure Router_AS_65300 to aggregate routes 192.168.0.0/18 without any additional command.
  • configure Router_AS_65300 to aggregate routes 192.168.0.0/18 with summary only 
  • configure Router_AS_65200 to aggregate routes 192.168.40.0/18 with summary only 




Friday 22 September 2023

How to configure CDP flood attack? | How to prevent CDP attack?

In this blog, we will see how to completely destroy an enterprise switch & router and also see how to prevent this DoS Attack.  We are to attack the CDP Cisco discovery protocol with the help of Yersinia. This attack is very easy and extremely powerful. This attack comes under of denial-of-service attack. To make the switch fail we need a Linux machine and simulation. The protocol we are going exploit is by default enabled on Cisco routers and switches CDP.

Let’s take an overview look at CDP: -

CDP (Cisco discovery protocol) is a Cisco proprietary protocol which is designed by Cisco. CDP is used to collect information about directly connected devices. We can collect the hardware and protocol information about neighboring devices. This information is very helpful when we do troubleshoot or document the network.

this is the topology we are going to use for the lab: -



So before starting our lab let me give the overview of what is actually going to happen to our switch while doing this attack. For example, when we log into a switch and write the command show CDP neighbors. The router is going to display all the directly connected enabled CDP neighbors' devices. Like this

R1#show cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

                  S - Switch, H - Host, I - IGMP, r - Repeater

 

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

switch2          Fas 1/0            178         R S I     Linux Uni Eth 0/0

switch1          Fas 0/0            149         R S I     Linux Uni Eth 0/0

 

 We are going flood thousands of CDP fake packets to the switch with the help of Yersinia and these packets will freeze down the switch operating system and the switch processor will utilize its full power until it crashes. In the end switch will no longer be a switch it’s become a hub. 

you will also see a warning:

 


*Sep 21 10:02:23.606: %SYS-2-NOMEMORY: No memory available for DSensor Malloc 17

 

let's see the configuration: -



  •  configure topology as per the diagram 
  • configure the IP address on kali machine 
  • make sure to check CPU utilization before and after attack 
  • configure attack using yersinia 
  • diagnose the attack and prevent this attack. 

Wednesday 20 September 2023

What is Link Layer Discovery Protocol (LLDP)? | How link layer discovery protocol work? | LLDP default configuration? | how to configure LLDP?

  

Link Layer Discovery Protocol

LLDP it’s a nonproprietary protocol that works at layer 2. It is an open IEEE-standard 802.1AB.  LLDP is an alternative to CDP.  LLDP runs over the data link layer and it collects information about the neighboring devices. This information will help us in troubleshooting and documentation. LLDP and Cisco CDP work similarly but the big difference is that LLDP is a standard while CDP is a Cisco proprietary.

LLDP has similar capabilities to CDP and there is an enhanced version to specifically address the voice application this version is called LLDP-MED (media endpoint discovery) but LLDP and LLDP-MED are not compatible.

LLDP supports a defined set of attributes that contain a T-type, L-length, and V-value, these are called TLVs. It is used to discover neighbors’ devices. LLDP support devices use TLV to send and receive information and store the information in a local table.





How link layer discovery protocol work?

First, you must enable it on the devices because by default LLDP is disabled, and remember not all Cisco IOS routers support LLDP. LLDP-enabled devices send LLDP advertisements to LLDP neighbors and the information is stored in the MIB database locally. This information can be accessed using SNMP.

What information is stored?

  • Device name and description
  • Port name
  • IP management address
  • Capabilities
  • MAC address
  • MDI power
  • Link aggregation
  • VLAN

 

LLDP default configuration: -

IOU1(config)#lldp ?

  holdtime    Specify the holdtime (in sec) to be sent in packets

  reinit      Delay (in sec) for LLDP initialization on any interface

  run         Enable LLDP

  timer       Specify the rate at which LLDP packets are sent (in seconds)

  tlv-select Selection of LLDP TLVs to send


  • LLDP is disabled by default
  • LLDP hold time – 120 seconds
  • LLDP reinitialization delay – 2 seconds
  • LLDP timer (packet update frequency) – 30 seconds
  • LLDP tlv-select – to send and receive all TLVs.

 

Let's see the configuration: -

 Topology; -



 

  •  configure the topology as per the diagram.
  • configure Trunk 802.1q
  • enable LLDP in global configuration mode.
  • change the hold time to 180,  reinit to 5 sec, and the timer to 20 sec.
  • clear the LLDP table.
  • disable the LLDP

 

 

 

Monday 18 September 2023

What is Cisco discovery protocol? | How to configure CDP? | CDP



In most networks, we have several routers, switches, and more. We want to make management for networks easy, most of the admins take the help of CDP and LLDP to know about what type of devices are present in the network, the IP addresses, and how all the devices are connected with each other (which means the interface or port) and the information about which VLAN they belong.


Cisco discovery protocol

 

CDP (Cisco discovery protocol) is a Cisco proprietary protocol which is designed by Cisco. CDP is used to collect information about directly connected devices. We can collect the hardware and protocol information about neighboring devices. This information is very helpful when we do troubleshoot or document the network.

What information do we collect from neighbors?

  • Device ID means the hostname of the neighbor.
  • The local interface is the port on which CDP enables the device to receive the CDP packets.
  • Hold time means the router's remaining amount of time is left to hold the information before the router is discarding it. The router discards the information if no more CDP packets are received. {You can choose the length from 10 – 255 seconds.}
  • Capability means what is the capability of the neighbor it’s a router or switch or it’s a repeater.
  • Platform means the type of Cisco device directly connected. In the previous output,
  • Port ID means the neighbor device’s port or interface on which the CDP packets are multicasting.

 Let's see the configuration and we will see some interesting show commands.


Topology: -



  • configure the topology as per the diagram 
  • configure the Hostname 
  • assign the IPs to their respective ports as per the topology
  • configure CDP in global mode. or you can also configure CDP on an interface. 
  • make sure the router-1-core will collect all the information.

Friday 15 September 2023

What is VTP version 3, How to configure VTP version 3?


VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol, as I already said VTP is used to share the VLAN configuration with other switches and maintain consistency throughout that network but information will be passed only if the switch is connected with fast Ethernet or higher ports and also it must be trunk links.7

if you are not familiar with VTP versions 1 and 2 please click the link

 here https://www.internetworks.in/2018/12/vlan-trunking-protocol-vtp.html




VTP version 3 has features of the VTP primary server the primary server is able to create, delete, and modify VLANs. The secondary server can relay process and save only. VTP version 3 supports the Extended VLANs range (1006 – 4094). And also supports Private VLANs, RSPAN VLANs, and MST. VTP version 3 is compatible with version 2, but not with version 1. VTP version 3 is protected against data overwrites its ability to fix the configuration revision number higher updating. VTP version 3 has more secure methods for authentication of clear text or hidden password protection.


let's configure VTP version 3: -  https://youtu.be/D0t29ZdO09I?si=GofAD3lfK61IsiS1

Topology: -




Goal: -
  1. Configure the topology as per the diagram.
  2. configure trunk Dot1q as per the topology
  3. configure VTP domain name will be internetworks
  4. configure version 3
  5. configure password ccie123
  6. Hide the password
  7. configure LAYER-3-switch-1 primary server VLAN
  8. Configure VLAN 10,20,30,40,50,60,70,80 and 90 on LAYER-3-switch-1 and make sure the rest of the domain switches synchronize this data.
  9. configure the extended range of VLAN 2000,2001 on LAYER-3-switch-1 and make sure the rest of the domain switches synchronize this data.
  10. configure MSTP on LAYER-3-switch-2 and make sure the rest of the switches synchronize this information.  

What is RBAC Role Based Access Control? | What are RBAC Views? | What is the Concept behind Role Based Access Control? | How to configure RBAC on gns3?

  What is  Role-Based Access Control? RBAC (Role Based Access Control), is also known as Role-Base security. RBAC assigns access permission ...