SWITCHED NETWORKS
Dynamically Populating a Switch MAC Address Table
The following steps describe the process of building the MAC address table:
1. The switch receives a frame from PC 1 on Port 1 (Figure 1).
2. The switch examines the source MAC address and compares it to the MAC
address table. If the address is not in the MAC address table, it
associates the source MAC address of PC 1 with the ingress port (Port
1) in the MAC address table (Figure 2). If the MAC address table
already has an entry for that source address, it resets the aging
timer. An entry for a MAC address is typically kept for five minutes.
3. After the switch has recorded the source address information, the
switch examines the destination MAC address. If the destination
address is not in the MAC table, or if it is a broadcast MAC address
(indicated by all Fs), the switch floods the frame to all ports except
the ingress port (Figure 3).
4. The destination device (PC 3) replies to the frame with a unicast
frame addressed to PC 1 (Figure 4).
5. The switch enters the source MAC address of PC 3 and the port number
of the ingress port into the address table. The destination address of
the frame and its associated egress port are found in the MAC address
table (Figure 5).
6. The switch can now forward frames between these source and destination
devices without flooding, because it has entries in the address table
that identify the associated ports (Figure 6).
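The six steps above, as an added example that is not part of the original notes: a small model of a switch that learns source addresses on the ingress port, floods unknown unicast and broadcast frames, forwards known destinations out a single port, and ages entries out after five minutes. MAC addresses, port numbers and the clock are constructed values.

```python
# Added example, not from the original notes: a model of the six-step MAC
# learning and flooding process. MACs, ports and the clock are constructed.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"   # "all Fs"
AGING_SECONDS = 300               # "typically kept for five minutes"

@dataclass
class Frame:
    src: str
    dst: str
    ingress_port: int
    time: float   # seconds on a constructed clock

class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}   # MAC -> (port, last_seen)

    def _age_out(self, now):
        """Drop entries whose aging timer has expired."""
        for mac in [m for m, (_, seen) in self.table.items()
                    if now - seen >= AGING_SECONDS]:
            del self.table[mac]

    def receive(self, frame):
        """Return the list of egress ports the frame is sent out of."""
        self._age_out(frame.time)
        # Step 2: learn the source on the ingress port, or reset its timer.
        self.table[frame.src] = (frame.ingress_port, frame.time)
        # Step 3: unknown unicast or broadcast is flooded, ingress excluded.
        if frame.dst == BROADCAST or frame.dst not in self.table:
            return sorted(p for p in self.ports if p != frame.ingress_port)
        # Steps 5-6: a known destination is forwarded out its learned port only.
        return [self.table[frame.dst][0]]

def walk_through():
    """Replay the exchange between PC 1 (Port 1) and PC 3 (Port 3)."""
    sw = Switch(ports=[1, 2, 3, 4])
    pc1, pc3 = "00:00:00:00:00:01", "00:00:00:00:00:03"
    first = sw.receive(Frame(pc1, pc3, 1, 0.0))    # steps 1-3: flooded
    reply = sw.receive(Frame(pc3, pc1, 3, 1.0))    # steps 4-5: to Port 1
    third = sw.receive(Frame(pc1, pc3, 1, 2.0))    # step 6: to Port 3
    aged = sw.receive(Frame(pc1, pc3, 1, 2.0 + AGING_SECONDS))  # PC 3 aged out
    return first, reply, third, aged
```

The last frame in walk_through() shows why the aging timer matters: once PC 3's entry expires, the switch is back to flooding until PC 3 transmits again.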
Switch Security
VLAN Definition
VLANs are mutually isolated and packets can only pass between them via
a router.
The partitioning of the Layer 2 network takes place inside a Layer 2
device, usually via a switch.
The hosts grouped within a VLAN are unaware of the VLAN's existence.
VLAN Benefits
1. Security - Groups that have sensitive data are separated from the rest
of the network, decreasing the chances of confidential information
breaches.
2. Cost Reduction - Cost savings result from reduced need for expensive
network upgrades and more efficient use of existing bandwidth and
uplinks.
3. Better Performance - Dividing flat Layer 2 networks into multiple
logical workgroups (broadcast domains) reduces unnecessary traffic on
the network and boosts performance.
4. Shrink Broadcast Domains - Dividing a network into VLANs reduces the
number of devices in the broadcast domain.
5. Improved IT Staff Efficiency - VLANs make it easier to manage the
network because users with similar network requirements share the same
VLAN. When a new switch is provisioned, all the policies and
procedures already configured for the particular VLAN are implemented
when the ports are assigned. It is also easy for the IT staff to
identify the function of a VLAN by giving it an appropriate name.
6. Simpler Project and Application Management - VLANs aggregate users and
network devices to support business or geographic requirements.
VLAN Trunks
VLAN Security Attacks - Mitigation Steps
1. Move all ports from VLAN 1 and assign them to a not-in-use VLAN
2. Shut down all unused switch ports.
3. Separate management and user data traffic.
4. Change the management VLAN to a VLAN other than VLAN 1. (The same goes
to the native VLAN.)
5. Ensure that only devices in the management VLAN can connect to the
switches.
6. The switch should only accept SSH connections.
7. Disable autonegotiation on trunk ports.
8. Do not use the auto or desirable switch port modes.
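A defender's check for the list above, as an added example that is not part of the original notes: a script that parses a running-config and reports which of items 1, 4, 6, 7 and 8 are violated. The config is a constructed sample in Cisco IOS syntax; item 7 is read as DTP trunk negotiation, which `switchport nonegotiate` turns off, and item 2 is skipped because "unused" cannot be judged from the config text alone.

```python
# Added example, not from the original notes: audit a running-config against
# items 1, 4, 6, 7 and 8 of the list above. Constructed sample config below.
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 switchport mode dynamic desirable
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 1
line vty 0 15
 transport input telnet ssh
"""

def parse_sections(config):
    """Group indented lines under the unindented header preceding them."""
    sections = []
    for line in config.splitlines():
        if line and not line.startswith(" "):
            sections.append((line, []))
        elif sections and line.strip():
            sections[-1][1].append(line.strip())
    return sections

def vlan_id(body, prefix):
    """VLAN id from a '<prefix> N' line; IOS defaults to VLAN 1 when absent."""
    m = re.search(prefix + r" (\d+)$", body, re.M)
    return int(m.group(1)) if m else 1

def audit(config):
    """Return (list item, section header, reason) for every violated check."""
    findings = []
    for header, lines in parse_sections(config):
        body = "\n".join(lines)
        if header.startswith("interface") and "shutdown" not in lines:
            if "switchport mode trunk" in lines:
                if vlan_id(body, "switchport trunk native vlan") == 1:
                    findings.append((4, header, "native VLAN is VLAN 1"))
                if "switchport nonegotiate" not in lines:   # item 7: DTP still on
                    findings.append((7, header, "trunk negotiation not disabled"))
            else:
                if vlan_id(body, "switchport access vlan") == 1:
                    findings.append((1, header, "access port left in VLAN 1"))
                if re.search(r"switchport mode dynamic (auto|desirable)", body):
                    findings.append((8, header, "dynamic auto/desirable mode"))
        elif header.startswith("line vty") and \
                not re.search(r"^transport input ssh$", body, re.M):
            findings.append((6, header, "vty lines accept more than SSH"))
    return findings
```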
Routing Concepts
Ethernet switches function at the data link layer, Layer 2, and are used to
forward Ethernet frames between devices within the same network. However,
when the source IP and destination IP addresses are on different networks,
the Ethernet frame must be sent to a router. A router connects one network
to another network. The router is responsible for the delivery of packets
across different networks. The router uses its routing table to determine
the best path to use to forward a packet. It is the responsibility of the
routers to deliver those packets in a timely manner.
Router Memory
A router connects multiple networks, which means that it has multiple
interfaces that each belong to a different IP network. When a router
receives an IP packet on one interface, it determines which interface to use
to forward the packet to the destination. The interface that the router uses
to forward the packet may be the final destination, or it may be a network
connected to another router that is used to reach the destination network.
Cisco Express Forwarding (CEF) - CEF is the most recent and preferred Cisco
IOS packet-forwarding mechanism. Like fast switching, CEF builds a Forwarding
Information Base (FIB), and an adjacency table. However, the table entries
are not packet-triggered like fast switching but change-triggered such as
when something changes in the network topology. Therefore, when a network
has converged, the FIB and adjacency tables contain all the information a
router would have to consider when forwarding a packet. The FIB contains
pre-computed reverse lookups, next hop information for routes including the
interface and Layer 2 information. Cisco Express Forwarding is the fastest
forwarding mechanism and the preferred choice on Cisco routers.
To enable network access, devices must be configured with IP address
information to identify the appropriate:
IP address - Identifies a unique host on a local network.
Subnet mask - Identifies with which network subnet the host can
communicate.
Default gateway - Identifies the router to send a packet to when the
destination is not on the same local network subnet.
The following lists some dynamic protocols and the metrics they use:
Routing Information Protocol (RIP) - Hop count
Load Balancing
When a router has two or more paths to a destination with equal cost
metrics, then the router forwards the packets using both paths equally. This
is called equal cost load balancing. The routing table contains
the single destination network, but has multiple exit interfaces, one for
each equal cost path. The router forwards packets using the multiple exit
interfaces listed in the routing table. Note: Only EIGRP supports unequal
cost load balancing.
Administrative Distance
Static routes are manually configured. They define an explicit path between
two networking devices. Unlike a dynamic routing protocol, static routes are
not automatically updated and must be manually reconfigured if the network
topology changes. The benefits of using static routes include improved
security and resource efficiency.
There are two common types of static routes in the routing table:
Static route to a specific network - A static route can be configured
to reach a specific remote network. IPv4 static routes are configured
using the ip route network mask {next-hop-ip | exit-intf} global
configuration command. A static route is identified in the routing
table with the code S.
Default static route - A default static route is similar to a default
gateway on a host. The default static route specifies the exit point
to use when the routing table does not contain a path for the
destination network.
Dynamic Routing
The process of forwarding network traffic from one VLAN to another VLAN
using routing is known as inter-VLAN routing.
Static Routing
Advantages -
1. Static routes are not advertised over the network, resulting in better
security.
2. Static routes use less bandwidth than dynamic routing protocols, and no
CPU cycles are used to calculate and communicate routes.
3. The path a static route uses to send data is known.
Disadvantages -
1. Initial configuration and maintenance is time-consuming.
2. Configuration is error-prone, especially in large networks.
3. Administrator intervention is required to maintain changing route
information.
4. Does not scale well with growing networks; maintenance becomes
cumbersome.
5. Requires complete knowledge of the whole network for proper
implementation.
Types of Static Routes
CIDR replaced the classful network assignments and address classes (A, B,
and C) became obsolete. Using CIDR, the network address is no longer
determined by the value of the first octet. Instead, the network portion of
the address is determined by the subnet mask, also known as the network
prefix, or prefix length (i.e., /8, /19, etc.).
CIDR also reduces the size of routing tables and manages the IPv4 address
space more efficiently using:
Route summarization - Also known as prefix aggregation, routes are
summarized into a single route to help reduce the size of routing
tables. For instance, one summary static route can replace several
specific static route statements.
Supernetting - Occurs when the route summarization mask is a smaller
value than the default traditional classful mask.
Determining the summary route and subnet mask for a group of networks can be
done in the following three steps:
Step 1. List the networks in binary format.
Step 2. Count the number of leftmost matching bits. This identifies the
prefix length or subnet mask for the summarized route.
Step 3. Copy the matching bits and then add zero bits to the rest of the
address to determine the summarized network address.
The summarized network address and subnet mask can now be used as the
summary route for this group of networks.
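The three steps carried out in code, as an added example that is not part of the original notes, together with the supernetting test from the CIDR paragraph (summary mask shorter than the classful default). The network lists used are constructed; the example also handles the case the steps leave implicit, where the networks have different prefix lengths and the count of matching bits must not exceed the shortest one.

```python
# Added example, not from the original notes: the three summarization steps
# carried out on constructed network lists, plus the supernetting check.
import ipaddress

def summarize(networks):
    """Summary route for a list of 'a.b.c.d/n' strings, per the three steps."""
    nets = [ipaddress.ip_network(n) for n in networks]
    # Step 1: write every network address as a 32-bit binary string.
    rows = [format(int(n.network_address), "032b") for n in nets]
    # Step 2: count the leftmost bits all rows share. The count may not
    # exceed the shortest prefix, or the summary would be more specific
    # than a route it is meant to cover.
    common = 0
    while common < min(n.prefixlen for n in nets) and \
            len({row[common] for row in rows}) == 1:
        common += 1
    # Step 3: keep the matching bits and pad the rest with zero bits.
    address = int(rows[0][:common].ljust(32, "0"), 2)
    return ipaddress.ip_network((address, common))

def classful_prefix(network):
    """Traditional classful prefix (A=/8, B=/16, C=/24) from the first octet."""
    first = int(str(network.network_address).split(".")[0])
    if first >= 224:
        raise ValueError("class D/E addresses have no classful default mask")
    return 8 if first < 128 else 16 if first < 192 else 24

def is_supernet(network):
    """Supernetting: the summary mask is shorter than the classful default."""
    return network.prefixlen < classful_prefix(network)
```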
Routing Protocols -
1. Routing Information Protocol (RIP)
2. Open Shortest Path First (OSPF)
3. Intermediate System-to-Intermediate System (IS-IS)
4. Interior Gateway Routing Protocol (IGRP)
5. Enhanced IGRP (EIGRP)
Features:
1. Classless - It is classless by design; therefore, it supports VLSM and
CIDR.
2. Efficient - Routing changes trigger routing updates (no periodic
updates). It uses the SPF algorithm to choose the best path.
3. Fast convergence - It quickly propagates network changes.
4. Scalable - It works well in small and large network sizes. Routers can
be grouped into areas to support a hierarchical system.
5. Secure - It supports Message Digest 5 (MD5) authentication. When
enabled, OSPF routers only accept encrypted routing updates from peers
with the same pre-shared password.
Data Structures
OSPF creates and maintains three databases:
Adjacency database - Creates the neighbor table
Hello packet
Algorithm
The CPU processes the neighbor and topology tables using Dijkstra's SPF
algorithm. The SPF algorithm is based on the cumulative cost to reach a
destination.
The SPF algorithm creates an SPF tree by placing each router at the root of
the tree and calculating the shortest path to each node. The SPF tree is
then used to calculate the best routes. OSPF places the best routes into the
forwarding database, which is used to make the routing table.
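The SPF computation described above, as an added example that is not part of the original notes: Dijkstra's algorithm run from one router over a constructed five-router topology, building the SPF tree of cumulative costs and then walking that tree to derive the best route (next hop and total cost) to every other router. Router names and link costs are constructed.

```python
# Added example, not from the original notes: SPF tree and best routes on a
# constructed topology. Router names and link costs are made up.
import heapq

# Constructed topology; costs are symmetric, as on point-to-point links.
LINKS = {
    ("R1", "R2"): 6, ("R1", "R3"): 5, ("R2", "R4"): 1,
    ("R3", "R2"): 3, ("R3", "R4"): 9, ("R4", "R5"): 2,
}

def adjacency(links):
    """Neighbor table: router -> {neighbor: cost}, from both ends of each link."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj

def spf_tree(root, adj):
    """Dijkstra from root; returns {router: (cumulative_cost, parent)}."""
    tree = {root: (0, None)}
    frontier = [(0, root)]
    visited = set()
    while frontier:
        cost, node = heapq.heappop(frontier)
        if node in visited:
            continue          # stale entry; a cheaper path was already settled
        visited.add(node)
        for nbr, link_cost in adj[node].items():
            new_cost = cost + link_cost
            if nbr not in visited and (nbr not in tree or new_cost < tree[nbr][0]):
                tree[nbr] = (new_cost, node)
                heapq.heappush(frontier, (new_cost, nbr))
    return tree

def routing_table(root, adj):
    """Best routes: destination -> (next hop, total cost), read off the tree."""
    tree = spf_tree(root, adj)
    routes = {}
    for dest in tree:
        if dest == root:
            continue
        hop = dest
        while tree[hop][1] != root:   # climb toward the root to find the first hop
            hop = tree[hop][1]
        routes[dest] = (hop, tree[dest][0])
    return routes
```

From R1 the direct R1-R2 link (cost 6) is kept, but R4 and R5 are reached through R2 rather than over the costlier R3-R4 link, which is the cumulative-cost choice the text describes.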
NAT has many uses, but its primary use is to conserve public IPv4 addresses.
It does this by allowing networks to use private IPv4 addresses internally
and providing translation to a public address only when needed. NAT has an
added benefit of adding a degree of privacy and security to a network,
because it hides internal IPv4 addresses from outside networks.
NAT-enabled routers can be configured with one or more valid public IPv4
addresses. These public addresses are known as the NAT pool. When an
internal device sends traffic out of the network, the NAT-enabled router
translates the internal IPv4 address of the device to a public address from
the NAT pool. To outside devices, all traffic entering and exiting the
network appears to have a public IPv4 address from the provided pool of
addresses.
A NAT router typically operates at the border of a stub network.
Terminology -