Showing posts with label Layer 2 Switching.

Tuesday 21 February 2023

What is cisco port security? How to secure switches ports? | What are the violations of port security? | How to configure?

Switches are very important network devices: with their help we connect devices and maintain communication channels between them. Our switches have Ethernet ports, and through these ports we connect devices such as routers, computers and other hosts. A switch identifies each device by its MAC address and provides services based on it. The important point is that we need to secure these Ethernet ports so that only authorized users are able to connect to the network.





Here we can use the Cisco IOS Port-security feature to block an Ethernet, FastEthernet or Gigabit port when the MAC address seen on it differs from the MAC specified for that port. Port security can also filter traffic destined to or received from a specific host, based on that host's MAC address. This feature can only be configured on access ports, and it is disabled by default.

Before we start the lab and come straight to the point (as I always do), we need to understand these four parameters:


  • Aging
  • MAC address
  • Maximum
  • Violation

Aging: when we configure the maximum number of MAC addresses on a particular port, we can also configure aging. Aging specifies how long a secure address on the port stays secure; once the time expires, the MAC address on that port is no longer secure. By default, all addresses on a port are secured permanently. The CLI help shows the range:

<1-1440>  Aging time in minutes. Enter a value between 1 and 1440.


MAC address: when we configure a specific MAC address in the port-security command, only that device is authorized by the switch to connect through the port. This is also called a static MAC address.





In the CLI help output (after the ? mark) we have two options: H.H.H, which configures a static MAC address, and sticky. Let's take a look at sticky.


Sticky: before we understand sticky mode, we must know that we have two configuration options, for example:

Switch(config-if)#switchport port-security mac-address sticky 0000.0C39.6AEC
                                                            {AND}
Switch(config-if)#switchport port-security mac-address sticky



Whenever we enable sticky learning on an interface, the interface converts all dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds them to the running configuration. All newly on-boarded clients are learned as sticky MACs.



Now we know that the switch can learn MAC addresses on a secure port in one of three ways.

1. Manually: the admin configures a static MAC address using the command

switchport port-security mac-address 0000.0C39.6AEC

2. Dynamically: when we configure the command switchport port-security, the current source MAC address of the device on that port is secured but not added to the running-config. If we reboot the switch, the port has to re-learn the MAC address.

switchport port-security

3. Dynamically-sticky: the admin lets the switch learn MAC addresses dynamically and stick them into the running-config.

switchport port-security mac-address sticky


Maximum: as per our requirements we can raise the limit on the number of hosts associated with the interface. By default, a Cisco switch allows only 1 MAC address on a single port; if another device tries to connect through this port, the switch shuts the port down automatically. We can set this limit from 1 to 132; the maximum is 132.






Now we have the last parameter, violation.

Violation: when the MAC address of a device connected to a port is not in the list of secure addresses configured on the interface, a port violation occurs and, by default, the port enters the error-disabled state. Violation has three modes.



Protect: in protect mode only frames from the configured (secure) MAC addresses are forwarded into the network. This is the least secure violation mode: the port drops frames from unknown MAC addresses until you remove a sufficient number of secure MAC addresses (or raise the maximum), and no Syslog message is sent.








Restrict: in restrict mode, when a security violation occurs the offending frames are dropped (traffic from the violating address is blocked) and a Syslog message is generated at the same time.





Shutdown: in shutdown mode, when a violation occurs on a port-security-enabled port, the port is put into the error-disabled state. This mode is enabled by default.
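To see how the four parameters interact, here is an added model of the behaviour described above (example code, not IOS): a secure port with a maximum, static/sticky/dynamic addresses, and the protect, restrict and shutdown violation modes. The log strings are constructed approximations of the IOS messages, not copied from a device.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added model (not IOS code) of Cisco port-security on one access port.
# Log strings below are constructed approximations of the IOS messages.

@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # IOS default: one secure MAC per port
    violation: str = "shutdown"       # IOS default violation mode
    sticky: bool = False              # 'switchport port-security mac-address sticky'
    secure: Dict[str, str] = field(default_factory=dict)   # mac -> static|sticky|dynamic
    err_disabled: bool = False
    violations: int = 0
    syslog: List[str] = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address H.H.H"""
        self.secure[mac.lower()] = "static"

    def receive(self, src_mac: str) -> bool:
        """Process a frame's source MAC; return True if the frame is forwarded."""
        mac = src_mac.lower()
        if self.err_disabled:
            return False                       # an err-disabled port passes nothing
        if mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            # room left: learn it (sticky MACs reach running-config, dynamic ones do not)
            self.secure[mac] = "sticky" if self.sticky else "dynamic"
            return True
        # maximum reached and the source is unknown: a security violation
        if self.violation == "protect":
            return False                       # dropped silently: no log, no counter
        self.violations += 1
        if self.violation == "restrict":
            self.syslog.append(f"PSECURE_VIOLATION: {mac} on {self.name}")
            return False
        self.syslog.append(f"ERR_DISABLE: psecure-violation on {self.name}")
        self.err_disabled = True               # shutdown mode: port goes err-disabled
        return False

    def running_config(self) -> List[str]:
        """Only static and sticky addresses are written to the running-config."""
        lines = []
        for mac, kind in self.secure.items():
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines
```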





{if you like this post, please take a look at our YouTube program}

https://youtu.be/D0t29ZdO09I










Wednesday 1 February 2023

What is PVST PVST+ and RPVST+ Spanning tree? How to configure PVST?

  

Per-VLAN Spanning Tree (PVST) is Cisco's proprietary version of STP, which delivers more flexibility than the common spanning tree version. PVST runs a separate instance of STP for each VLAN. In normal STP, CST (Common Spanning Tree), only one instance is used for the whole network; there are no per-VLAN instances. PVST allows STP on each VLAN to be configured independently and offers better load balancing and tuning according to the conditions.

But PVST is Cisco proprietary and, because of its proprietary nature, requires the use of Cisco Inter-Switch Link (ISL) trunks. In a mixed network where CST is already running, configuring PVST causes problems: the two require different trunking methods, and BPDUs are never exchanged between these types of STP.

The solution is Per-VLAN Spanning Tree Plus (PVST+). It is also a Cisco proprietary version of STP and allows the device to interoperate with both PVST and CST: PVST+ acts as a translator between a group of CST switches and a group of PVST switches. PVST+ creates an instance for each VLAN, and in each instance a different STP process runs, a different root bridge is selected, different port roles are used, and so on.


Rapid Per-VLAN Spanning Tree Plus (RPVST+) is also a Cisco proprietary STP version. Again, it has an instance for each VLAN and each VLAN has a separate STP process, just like PVST, but RPVST+ converges faster than PVST+.

 

Let's see the configuration for a better understanding:

Topology:



Goal:

  • configure the topology as per the diagram.
  • configure VLANs 10,20,30 and 40 on all the switches.
  • configure TRUNK between switches 
  • allow all VLANs on the trunks of all the switches
  • configure PVST on all switches 
  • configure Root bridge on switch 1 for VLAN 10
  • configure Root bridge on switch 2 for VLAN 20 
  • configure Root bridge on switch 3 for VLAN 30
  • configure Root bridge on switch 4 for VLAN 40 
  • verify the configuration 


SWITCH-1(config)#VLAN 10

SWITCH-1(config-vlan)#VLAN 20

SWITCH-1(config-vlan)#VLAN 30

SWITCH-1(config-vlan)#VLAN 40


SWITCH-2(config)#VLAN 10

SWITCH-2(config-vlan)#VLAN 20 

SWITCH-2(config-vlan)#VLAN 30

SWITCH-2(config-vlan)#VLAN 40


SWITCH-3(config)#VLAN 10

SWITCH-3(config-vlan)#VLAN 20 

SWITCH-3(config-vlan)#VLAN 30

SWITCH-3(config-vlan)#VLAN 40


SWITCH-4(config)#VLAN 10

SWITCH-4(config-vlan)#VLAN 20 

SWITCH-4(config-vlan)#VLAN 30

SWITCH-4(config-vlan)#VLAN 40


SWITCH-1(config)#interface range fastEthernet 0/1-2
SWITCH-1(config-if-range)#switchport mode trunk
SWITCH-1(config-if-range)#exit

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

SWITCH-2(config)#interface range fastEthernet 0/1-2
SWITCH-2(config-if-range)#switchport mode trunk

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up


SWITCH-3(config)#interface range fastEthernet 0/1-2
SWITCH-3(config-if-range)#switchport mode trunk

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

SWITCH-4(config)#interface range fastEthernet 0/1-2
SWITCH-4(config-if-range)#switchport mode trunk

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

SWITCH-1(config)#interface range fastEthernet 0/1-2
SWITCH-1(config-if-range)#switchport trunk allowed vlan 1-40 
SWITCH-1(config-if-range)#exit











SWITCH-2(config)#interface range fastEthernet 0/1-2
SWITCH-2(config-if-range)#switchport trunk allowed vlan 1-40 
SWITCH-2(config-if-range)#exit

SWITCH-3(config)#interface range fastEthernet 0/1-2
SWITCH-3(config-if-range)#switchport trunk allowed vlan 1-40 
SWITCH-3(config-if-range)#exit













SWITCH-4(config)#interface range fastEthernet 0/1-2
SWITCH-4(config-if-range)#switchport trunk allowed vlan 1-40 
SWITCH-4(config-if-range)#exit

SWITCH-1(config)#spanning-tree ?
  mode      Spanning tree operating mode
  portfast  Spanning tree portfast options
  vlan      VLAN Switch Spanning Tree

SWITCH-1(config)#spanning-tree  mode ?
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode
























SWITCH-1(config)#spanning-tree  mode pvst

SWITCH-2(config)#spanning-tree mode pvst

SWITCH-3(config)#spanning-tree mode pvst

SWITCH-4(config)#spanning-tree mode pvst


SWITCH-1(config)#spanning-tree vlan 10 root primary 

SWITCH 1 VLAN 10














SWITCH-2(config)#spanning-tree vlan 20 root primary


SWITCH 2 VLAN 20











 
SWITCH-3(config)#spanning-tree vlan 30 root primary 

SWITCH 3 VLAN 30














SWITCH-4(config)#spanning-tree vlan 40 root primary 

SWITCH 4 VLAN 40
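Why the four "root primary" commands give each VLAN a different root is easiest to see in a small model of the per-VLAN election. The following is added example code (not IOS): the bridge ID is the configured priority plus the VLAN number (the extended system ID), followed by the base MAC, and the lowest bridge ID wins; "root primary" is emulated with the IOS rule of setting the priority to 24576 when that beats the current root, otherwise 4096 below it. The base MACs are constructed.

```python
# Added model (not IOS code) of per-VLAN root bridge election under PVST/PVST+.
# Bridge ID = (priority + extended system ID, i.e. the VLAN number), then base MAC.

BASE_PRIORITY = 32768   # IOS default switch priority

class PvstSwitch:
    def __init__(self, name, base_mac):
        self.name = name
        self.base_mac = base_mac.lower()
        self.priority = {}            # vlan -> configured priority

    def priority_for(self, vlan):
        return self.priority.get(vlan, BASE_PRIORITY)

    def bridge_id(self, vlan):
        """The value 'show spanning-tree vlan N' prints as Priority, then the MAC."""
        return (self.priority_for(vlan) + vlan, self.base_mac)

def elect_root(switches, vlan):
    """Each VLAN runs its own election: the lowest bridge ID for that VLAN wins."""
    return min(switches, key=lambda s: s.bridge_id(vlan))

def root_primary(switch, switches, vlan):
    """Emulate 'spanning-tree vlan <vlan> root primary': 24576 if that beats the
    current root, otherwise 4096 below the current root's priority."""
    current_root_prio = elect_root(switches, vlan).priority_for(vlan)
    switch.priority[vlan] = 24576 if current_root_prio > 24576 else current_root_prio - 4096
    return switch.priority[vlan]

def build_lab():
    # Constructed base MACs: SWITCH-4 has the lowest, so with default
    # priorities it would be root for every VLAN (no per-VLAN load sharing).
    return [PvstSwitch("SWITCH-1", "0001.0000.0004"),
            PvstSwitch("SWITCH-2", "0001.0000.0003"),
            PvstSwitch("SWITCH-3", "0001.0000.0002"),
            PvstSwitch("SWITCH-4", "0001.0000.0001")]

def roots_by_vlan(switches, vlans=(10, 20, 30, 40)):
    return {v: elect_root(switches, v).name for v in vlans}

def apply_lab_goal(switches):
    """The post's goal: SWITCH-1 root for VLAN 10, SWITCH-2 for 20, and so on."""
    for sw, vlan in zip(switches, (10, 20, 30, 40)):
        root_primary(sw, switches, vlan)
    return roots_by_vlan(switches)

if __name__ == "__main__":
    lab = build_lab()
    print("before:", roots_by_vlan(lab))
    print("after: ", apply_lab_goal(lab))
```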


















Friday 20 January 2023

How to configure Static MAC Address table Entries?

By default, our switch dynamically learns MAC addresses and stores them in the CAM table simply by looking at the source MAC address of each incoming frame.




This dynamic learning of MAC addresses and filling of the CAM table is vulnerable to layer 2 MAC address spoofing attacks: an attacker can easily spoof a few MAC addresses to change entries in the MAC address table. We can deal with this problem by manually configuring entries in the MAC address table, because a statically configured MAC address always overrules a dynamic entry.




Let's configure the Static MAC Address table Entries: -

Topology:




Goal: -

  • configure the topology as per the diagram.
  • configure the IP addresses as per the topology
  • configure IP addresses on the PC as per the topology 
  • ping from PC 1 to all the PCs 
  • configure STATIC MAC addresses

Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#no shutdown 
Router(config-if)#exit


%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up



Switch(config)#interface vlan 1

Switch(config-if)#ip address 192.168.1.2 255.255.255.0

Switch(config-if)#no shutdown

Switch(config-if)#exit


C:\>ping 192.168.1.4


Pinging 192.168.1.4 with 32 bytes of data:


Reply from 192.168.1.4: bytes=32 time<1ms TTL=128

Reply from 192.168.1.4: bytes=32 time<1ms TTL=128

Reply from 192.168.1.4: bytes=32 time=1ms TTL=128

Reply from 192.168.1.4: bytes=32 time<1ms TTL=128


Ping statistics for 192.168.1.4:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 1ms, Average = 0ms


C:\>ping 192.168.1.5


Pinging 192.168.1.5 with 32 bytes of data:


Reply from 192.168.1.5: bytes=32 time=1ms TTL=128

Reply from 192.168.1.5: bytes=32 time<1ms TTL=128

Reply from 192.168.1.5: bytes=32 time=1ms TTL=128

Reply from 192.168.1.5: bytes=32 time<1ms TTL=128


Ping statistics for 192.168.1.5:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 1ms, Average = 0ms


C:\>ping 192.168.1.6

C:\>ping 192.168.1.7

C:\>ping 192.168.1.8

C:\>ping 192.168.1.9

C:\>ping 192.168.1.10

C:\>ping 192.168.1.11


Router#ping 192.168.1.2


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms


Switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.c92e.016d    DYNAMIC     Fa0/9
   1    0004.9a7b.331d    DYNAMIC     Fa0/2
   1    000a.418d.0b8b    DYNAMIC     Fa0/4
   1    000d.bd40.3c82    DYNAMIC     Fa0/10
   1    0010.1141.3d28    DYNAMIC     Fa0/6
   1    0030.f2d1.9701    DYNAMIC     Fa0/1
   1    0050.0f64.a758    DYNAMIC     Fa0/7
   1    0060.3e6e.6dd5    DYNAMIC     Fa0/3
   1    0060.7020.0505    DYNAMIC     Fa0/5
   1    0090.2b15.c5cd    DYNAMIC     Fa0/8

(Our switch dynamically learns and stores the MAC entries.)


Switch(config)#mac address-table static 0030.f2d1.9701 vlan 1 interface fastEthernet 0/1
Switch(config)#mac address-table static 0004.9A7B.331D vlan 1 interface fastEthernet 0/2
Switch(config)#mac address-table static 0060.3E6E.6DD5 vlan 1 interface fastEthernet 0/3
Switch(config)#mac address-table static 000A.418D.0B8B vlan 1 interface fastEthernet 0/4
Switch(config)#mac address-table static 0060.7020.0505 vlan 1 interface fastEthernet 0/5
Switch(config)#mac address-table static 0010.1141.3D28 vlan 1 interface fastEthernet 0/6
Switch(config)#mac address-table static 0050.0F64.A758 vlan 1 interface fastEthernet 0/7
Switch(config)#mac address-table static 0090.2B15.C5CD vlan 1 interface fastEthernet 0/8
Switch(config)#mac address-table static 0001.C92E.016D vlan 1 interface fastEthernet 0/9
Switch(config)#mac address-table static 000D.BD40.3C82 vlan 1 interface fastEthernet 0/10
Switch(config)#end


Switch#show mac address-table static
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.c92e.016d    STATIC      Fa0/9
   1    0004.9a7b.331d    STATIC      Fa0/2
   1    000a.418d.0b8b    STATIC      Fa0/4
   1    000d.bd40.3c82    STATIC      Fa0/10
   1    0010.1141.3d28    STATIC      Fa0/6
   1    0030.f2d1.9701    STATIC      Fa0/1
   1    0050.0f64.a758    STATIC      Fa0/7
   1    0060.3e6e.6dd5    STATIC      Fa0/3
   1    0060.7020.0505    STATIC      Fa0/5
   1    0090.2b15.c5cd    STATIC      Fa0/8




Switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.c92e.016d    STATIC      Fa0/9
   1    0004.9a7b.331d    STATIC      Fa0/2
   1    000a.418d.0b8b    STATIC      Fa0/4
   1    000d.bd40.3c82    STATIC      Fa0/10
   1    0010.1141.3d28    STATIC      Fa0/6
   1    0030.f2d1.9701    STATIC      Fa0/1
   1    0050.0f64.a758    STATIC      Fa0/7
   1    0060.3e6e.6dd5    STATIC      Fa0/3
   1    0060.7020.0505    STATIC      Fa0/5
   1    0090.2b15.c5cd    STATIC      Fa0/8
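Pinning entries is only half the job; you also want to check the table regularly against the mapping you intended. The following added example (not IOS code) parses `show mac address-table` output in the form shown above and reports MACs that are still DYNAMIC, MACs that show up on a port other than their intended one, and intended MACs missing from the table. The sample output reuses entries from the post; the third line is constructed with a deliberately wrong port.

```python
import re
from typing import Dict, List, Tuple

# Added example (not IOS code): parse 'show mac address-table' output and
# audit it against the intended static MAC-to-port map.
ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"\s+(?P<type>STATIC|DYNAMIC)\s+(?P<port>\S+)\s*$")

def parse_mac_table(output: str) -> List[Tuple[int, str, str, str]]:
    """Return (vlan, mac, type, port) tuples; header and separator lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            rows.append((int(m["vlan"]), m["mac"].lower(), m["type"], m["port"]))
    return rows

def audit(output: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """baseline maps mac -> intended port (what was pinned with 'mac address-table
    static'). Reports unpinned (DYNAMIC) MACs, MACs seen on a different port than
    intended (a symptom of spoofing or a moved host), and intended MACs not present."""
    seen = {mac: (typ, port) for _, mac, typ, port in parse_mac_table(output)}
    report = {"unpinned": [], "moved": [], "missing": []}
    for mac, (typ, port) in seen.items():
        if typ == "DYNAMIC":
            report["unpinned"].append(f"{mac} on {port}")
        if mac in baseline and baseline[mac] != port:
            report["moved"].append(f"{mac} expected {baseline[mac]} seen {port}")
    for mac, port in baseline.items():
        if mac not in seen:
            report["missing"].append(f"{mac} expected {port}")
    return report

# Sample: first two rows from the post's dynamic table; the third row is
# constructed with the host on Fa0/5 instead of its intended Fa0/1.
SAMPLE_BEFORE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.c92e.016d    DYNAMIC     Fa0/9
   1    0004.9a7b.331d    DYNAMIC     Fa0/2
   1    0030.f2d1.9701    DYNAMIC     Fa0/5
"""

# Intended map, taken from the post's 'mac address-table static' commands
BASELINE = {"0001.c92e.016d": "Fa0/9", "0004.9a7b.331d": "Fa0/2", "0030.f2d1.9701": "Fa0/1"}
```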












Thursday 1 November 2018

What is Layer 2 Switching?



Switching uses the hardware (MAC) addresses of devices on a LAN to segment the network. Switching breaks up large collision domains into smaller ones; a collision domain is a network segment with two or more devices sharing the same bandwidth. Each port on a switch is its own collision domain, which is why layer 2 switching increases the available bandwidth.




Switch services: bridges use software to create and manage a Content Addressable Memory (CAM) table, whereas newer switches use Application-Specific Integrated Circuits (ASICs) to build and maintain their MAC filter table.

Advantages of using Layer 2 switchings:
  • Hardware-based bridging 
  • Wire-speed
  • Low latency
  • Low cost 
Layer 2 switching increases the bandwidth because each switch port is its own collision domain.

 Layer 2 Switch Functions:


Address learning: layer 2 switches remember the source hardware address of each frame received on an interface and enter this information into a MAC database called the forward/filter table.

Forward/filter decisions: when a frame is received on an interface, the switch looks at the destination hardware address and looks up the appropriate exit interface in the MAC database. This way, the frame is only forwarded out of the correct destination port.

Loop avoidance: if multiple connections between switches are created for redundancy purposes, network loops can occur, and Spanning Tree Protocol (STP) is used to prevent them.
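The first two functions, and the rule from the static MAC address post above that a statically configured entry always overrules a dynamic one, can be seen together in this added model (example code, not Cisco's): address learning fills the table from source MACs, forward/filter decisions use the destination MAC (flooding unknown unicast and broadcast), and a STATIC entry is never moved by a frame that claims its source on another port, which is recorded as an alert. The MAC addresses used in the test are taken from the post's tables.

```python
# Added model (not Cisco code) of address learning and forward/filter decisions,
# with static entries that a learned frame cannot overwrite.

BROADCAST = "ffff.ffff.ffff"

class L2Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}          # mac -> (port, "STATIC" | "DYNAMIC")
        self.alerts = []       # source MACs seen on a port other than their static one

    def add_static(self, mac, port):
        """mac address-table static <mac> vlan 1 interface <port>"""
        self.cam[mac.lower()] = (port, "STATIC")

    def learn(self, src, in_port):
        """Address learning: record the source MAC against the ingress port."""
        src = src.lower()
        entry = self.cam.get(src)
        if entry and entry[1] == "STATIC":
            if entry[0] != in_port:
                # the static entry overrules: the frame cannot move it, and the
                # mismatch is worth logging as a possible MAC spoof
                self.alerts.append(f"{src} claimed on {in_port} but static on {entry[0]}")
            return
        self.cam[src] = (in_port, "DYNAMIC")   # dynamic entries follow the host

    def forward(self, src, dst, in_port):
        """Forward/filter decision: return the egress ports for one frame."""
        self.learn(src, in_port)
        dst = dst.lower()
        if dst == BROADCAST or dst not in self.cam:
            # broadcast or unknown unicast: flood out every port except the ingress one
            return [p for p in self.ports if p != in_port]
        out_port = self.cam[dst][0]
        # filter: destination is on the ingress segment, so the frame is not forwarded
        return [] if out_port == in_port else [out_port]
```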



 


 









