
The Evolution of the LAN Environment:

HUB: Single collision domain, single broadcast domain, half duplex.

SWITCH (Layer 2): One collision domain per port, supports full duplex, but still a
single broadcast domain (until VLANs are used).
SWITCH (Layer 3): Also has routing capability, so it can route between VLANs.

Cisco’s Enterprise Composite Network Model:

Problems with the ‘plug and play’ (flat, unplanned) switching model:
1. Chances of failure
2. Broadcast traffic (one broadcast domain for everything)
3. Multicasting issues
4. Security issues
5. MAC flooding

[Figure: the three-layer campus model, Core Layer over Distribution Layer over
Access Layer]

Switch Operating Systems:

• CatOS
• IOS
VLAN:
Facts:
1. Logical separation of one physical switch into several Layer 2 networks
2. Each VLAN normally maps to its own IP subnet
3. Each VLAN is a separate broadcast domain
4. Each VLAN can have its own QoS and access control
5. VLANs are stored in flash as the ‘vlan.dat’ file, not in NVRAM. Erasing the
startup-config therefore won’t delete VLANs; delete ‘vlan.dat’ from flash as well.
6. Each VLAN runs its own instance of STP, thus called PVST (Per-VLAN Spanning Tree)
7. One Root bridge is elected per VLAN

Guidelines:
1. Restrict VLANs to switch blocks; otherwise trunks have to carry every VLAN’s
broadcast traffic across the campus. In other words, local VLANs shouldn’t extend
beyond the Distribution layer. VLANs should be created around physical
boundaries: the Access layer’s physical boundary is the Distribution layer,
and the Distribution layer’s boundary is the Core layer.
2. Implement a dedicated management VLAN (not VLAN 1).
3. Separate voice traffic, not only for QoS but also for security.
4. Implement multicast support.
5. Implement inter-VLAN routing.

Configuration:
1. Create a VLAN
• Old way (through ‘vlan database’ mode). Disadvantage: changes are only
applied when you leave with EXIT; leaving with ^Z discards them.
• New way (through global config mode):
SW(config)#vlan 10
SW(config-vlan)#name SALES
2. Set the mode of a port. The mode decides whether DTP (Dynamic Trunking
Protocol) can turn the port into a trunk, which is exactly what the switch-spoofing
form of VLAN hopping relies on.
• Access – static non-trunk port for end devices (PCs, printers etc.)
SW(config-if)#switchport mode access
• Trunk – static trunk; still sends DTP frames so the neighbour can negotiate.
• Dynamic Desirable – actively negotiates; becomes a trunk if the neighbour is
trunk, desirable or auto.
• Dynamic Auto – waits for the neighbour; becomes a trunk only if the neighbour
is trunk or desirable (two auto ports stay access). This is the default on many
switches, so an attacker’s host announcing DTP ‘desirable’ gets a trunk.
• Nonnegotiate – sends no DTP frames at all; valid only together with a static
access or trunk mode.
3. Assign that port to a VLAN: SW(config-if)#switchport access vlan 10
4. Verify VLANs with the ‘show vlan’ command.
5. Verify the port mode with ‘show int f0/0 switchport’. Check the ‘Administrative
Mode’ and ‘Operational Mode’ fields: administrative is what you configured,
operational is what DTP actually negotiated.
6. For security, make every access-layer port a static access port (and add
nonnegotiate) so nothing connected to it can negotiate a trunk.
SW(config)#int range f0/0 - 15
SW(config-if-range)#switchport mode access

Trunking:
1. Trunking protocols:
a. ISL (Inter-Switch Link) – Cisco proprietary; encapsulates the entire
frame with a 26-byte header and a 4-byte trailer, of which only 15 bits
carry the VLAN number [not supported on the 2950].
b. 802.1Q – open standard; inserts a 4-byte tag into the frame instead of
encapsulating it: a 16-bit TPID of 0x8100, then 3 bits of priority, 1 bit
CFI and a 12-bit VLAN ID.
2. Configure the trunk protocol (either ISL or 802.1Q; on switches that only
support 802.1Q the command is not needed)
SW(config-if)#switchport trunk encapsulation dot1q
3. If using 802.1Q, make sure the Native VLAN is configured properly. An 802.1Q
trunk port puts every untagged frame it receives into its native VLAN (VLAN 1
by default), so the native VLAN must be the same on both ends of the trunk;
otherwise CDP reports a native VLAN mismatch and frames leak from one VLAN
into another. For security the native VLAN should be a dedicated, otherwise
unused VLAN (never VLAN 1 and never a user data VLAN), because an attacker
sitting in the native VLAN can reach other VLANs by double-tagging frames.
(The untagged/tagged split is what lets an IP phone and a PC share one wall
port: the phone sends frames tagged with the voice VLAN, the PC sends untagged
frames, and the switch places the untagged ones in the port’s native or data
VLAN.)
SW(config-if)#switchport trunk native vlan 10
4. Configure the port statically as a trunk and disable DTP with nonnegotiate.
SW(config-if)#switchport nonnegotiate
5. Manually restrict the VLANs allowed on the trunk. VTP pruning only reduces
flooded traffic; the allowed-VLAN list is the access control.
SW(config-if)#switchport trunk allowed vlan 10,20,30
6. Verify using the ‘sh int f0/0 trunk’ command
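The native-VLAN rule in step 3 is easiest to see on the wire. The following Python is an added example written for this page, not code from the notes or from Cisco: it builds raw Ethernet frames, pushes and pops 802.1Q tags (TPID 0x8100, then PCP/DEI/VID) and models what an 802.1Q trunk does with native-VLAN traffic. The switch behaviour is simulated; the `tag_native` flag stands for the global `vlan dot1q tag native` command, and every frame and MAC address is constructed.

```python
"""802.1Q tagging and the native-VLAN double-tagging hop, as a simulation.

Constructed example: builds raw Ethernet frames, pushes/pops 802.1Q tags,
and models what an 802.1Q trunk does with native-VLAN traffic. Not Cisco code.
"""
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IP = 0x0800


def push_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the 12-byte DA/SA pair.
    TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 0 < vlan_id < 4095:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def pop_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (vlan_id, frame_without_outer_tag); vlan_id is None if untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0xFFF, frame[:12] + frame[16:]
    return None, frame


def trunk_egress(vlan_id: int, frame: bytes, native_vlan: int,
                 tag_native: bool = False) -> bytes:
    """What a switch puts on the trunk for a frame that belongs to vlan_id.
    Native-VLAN frames leave untagged unless the global
    'vlan dot1q tag native' is configured (tag_native=True)."""
    if vlan_id == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan_id)


def trunk_ingress(wire_frame: bytes, native_vlan: int) -> Tuple[int, bytes]:
    """What the neighbour does: the outer tag decides the VLAN; untagged -> native."""
    vid, rest = pop_tag(wire_frame)
    return (native_vlan if vid is None else vid), rest


def double_tag_hop(native_vlan: int, tag_native: bool = False,
                   attacker_vlan: int = 10, target_vlan: int = 20) -> int:
    """Attacker on an access port in attacker_vlan sends a frame that already
    carries an 802.1Q tag for target_vlan. Returns the VLAN the second switch
    delivers the frame into."""
    # Constructed frame: broadcast DA, locally administered SA, IPv4 payload.
    base = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
            + struct.pack("!H", ETHERTYPE_IP) + b"constructed-payload")
    crafted = push_tag(base, target_vlan)          # inner tag built by the attacker
    # Switch 1 places the frame in the access VLAN and sends it over the trunk.
    on_wire = trunk_egress(attacker_vlan, crafted, native_vlan, tag_native)
    # Switch 2 classifies by the outermost tag it sees.
    vlan_at_sw2, _ = trunk_ingress(on_wire, native_vlan)
    return vlan_at_sw2


if __name__ == "__main__":
    print("native = access VLAN 10  ->", double_tag_hop(10))        # 20: hopped
    print("native = unused VLAN 999 ->", double_tag_hop(999))       # 10: contained
    print("native 10 + tag native   ->", double_tag_hop(10, True))  # 10: contained
```

The first run shows the hop: switch 1 strips the outer tag because the attacker's VLAN is the native VLAN, so switch 2 sees the inner tag and delivers the frame into VLAN 20. Moving the native VLAN to an unused number, or tagging the native VLAN, keeps the frame in VLAN 10 with the attacker's inner tag still buried in the payload where it does no harm.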

VTP (VLAN Trunking Protocol):

1. Basically used to replicate the VLAN database (tracked by a configuration
revision number) to every switch in the same VTP domain.
a. Advantage: we don’t have to configure VLANs manually on every switch.
b. Disadvantage: can cause a huge outage if not used carefully.
Scenario: a switch with the same domain name (and password) but a
higher configuration revision number is connected to the network. Its
advertisements overwrite the VLAN database of every other switch in the
domain, and VLANs that exist only on the older databases are deleted.
Ports assigned to the deleted VLANs go inactive, so the result is a
network-wide outage. The highest revision number wins even if it comes
from a switch in client mode, so a lab switch re-used in production is
the classic trigger. Before connecting a switch, reset its revision
number (for example by changing its VTP domain name), set a VTP password
on the domain, or avoid the problem altogether by running transparent mode.
2. Configure the VTP domain. The domain name is case sensitive.
SW(config)#vtp domain cisco.com
3. Configure the VTP mode
• Server (can create, modify and delete VLANs; saves the VLAN database;
the guideline is to keep a single server)
• Client (cannot change VLANs; learns them from the server)
SW(config)#vtp mode client
• Transparent (forwards VTP advertisements if version 2 is configured but does
not act on them; VLANs can be changed locally and are saved, but are never
advertised)
4. Configure VTP pruning (keeps flooded traffic for VLANs that have no active
ports on the far side off the trunk; enabled on a VTP server and propagated to
the domain)
SW(config)#vtp pruning
5. Verify with the ‘sh vtp status’ command

STP (Spanning Tree Protocol): 802.1D

Facts:
1. Used to avoid Layer 2 loops by blocking redundant links (‘dropping a tree’
across the link). Otherwise broadcast frames, which have no TTL, keep looping
out of every interface of every switch and clog the network.
2. Switches exchange BPDUs (Bridge Protocol Data Units) every 2 seconds (the
hello time). Each BPDU carries the sender’s Bridge ID (priority + MAC address),
which is used to elect the Root switch, and the sender’s cost to reach the Root.
A switch that hears a better BPDU on a port than the one it would send itself
knows there is another path to the Root, and the worse side of that segment is
blocked. (The priority field is 4 bits wide, so the priority is a multiple of
4096 and the highest value is 61440; if priorities are equal the MAC address is
the tie breaker. Lower wins in both cases.)
3. Make sure only Core switches are elected as Root by lowering their priority
manually (the default 32768 is the same everywhere, so otherwise the switch with
the lowest MAC address, usually the oldest one, wins). Otherwise the purpose of
the campus network model is defeated: Core switches can handle much more
traffic than Access and Distribution layer switches.
4. PORT ROLES:
• Root port: the one port per non-root switch with the best path to the Root
switch
• Designated port (forwarding): one per segment, the end closest to the Root.
All ports on the Root switch are designated, so every segment has at least
one forwarding port.
• Blocking (non-designated): where the tree fell. The end of the segment with
the worse path cost; on equal cost the sender with the higher Bridge ID loses.

[Figure: Root at the top with two designated (D) ports; each downstream switch
has a root (R) port, a designated (D) port and, on the redundant link, one
blocking (B) port. Each 100 Mbps link has cost 19.]
5. STATES:
Blocking: receives BPDUs only; a port waits up to 20 sec (max age) without
hearing from the Root before moving to listening
Listening: 15 sec (forward delay) of sending and listening for BPDUs
Learning: 15 sec (forward delay) of learning MAC addresses
Forwarding: the port forwards traffic

• With equal-cost paths to the upstream switch, the port to block is decided by
the upstream switch’s Bridge ID (i.e. priority + MAC)
• If the Bridge ID is also equal (two links to the same switch), it is decided by
the lowest sender port ID (port priority + port number)
6. Each VLAN runs its own STP by default, thus called PVST (Per-VLAN Spanning
Tree). The VLAN number is carried in the 12-bit extended system ID between the
4-bit priority and the MAC field, so it is effectively added to the priority
(that’s why every switch shows a default priority of 32768+1=32769 in VLAN 1).
SW(config)#spanning-tree mode pvst
7. One Root bridge is elected for each VLAN. This lets us load balance by giving
each VLAN’s STP instance a different priority on different core switches.
SW(config)#spanning-tree vlan 10 root primary [sets priority 24576]
SW(config)#spanning-tree vlan 10 root secondary [sets priority 28672]
SW(config)#spanning-tree vlan 10 priority <multiple of 4096>
Configuration:
1. Configure STP and assign the priority
2. Verify using the ‘sh spanning-tree’ command
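Added example in Python, not from the notes: how the Bridge ID described in facts 2, 6 and 7 is actually assembled and compared, what `root primary`/`root secondary` change, and why a rogue switch with priority 0 wins unless root guard keeps it out. Switch names, MAC addresses and priorities are made up; root guard is modelled simply as excluding the rogue from the election, which is the effect of its ports going root-inconsistent.

```python
"""PVST bridge IDs, root election and per-VLAN root placement (simulation).

Constructed example modelling the election rule from the notes: a bridge ID is
the 4-bit priority, the 12-bit extended system ID (VLAN number) and the 48-bit
MAC; the lowest ID wins. Switch names, MACs and priorities are made up.
"""
from typing import Dict, Optional, Set, Tuple

ROOT_PRIMARY = 24576     # value 'spanning-tree vlan X root primary' normally sets
ROOT_SECONDARY = 28672   # value 'spanning-tree vlan X root secondary' sets
DEFAULT_PRIORITY = 32768


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit bridge ID: priority (4 bits) | sys-id-ext = VLAN (12 bits) | MAC (48)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority | vlan) << 48) | mac_int


def show_priority(priority: int, vlan: int) -> int:
    """The number 'show spanning-tree' prints, e.g. 32769 for VLAN 1 at default."""
    return priority + vlan


def elect_root(switches: Dict[str, Tuple[Dict[int, int], str]], vlan: int,
               root_guarded: Optional[Set[str]] = None) -> str:
    """Return the name of the root for this VLAN.

    switches maps name -> (per-VLAN priority table, MAC). A switch whose BPDUs
    only arrive through root-guard ports is modelled as excluded: those ports go
    root-inconsistent instead of accepting the superior BPDU.
    """
    root_guarded = root_guarded or set()
    candidates = {
        name: bridge_id(prios.get(vlan, DEFAULT_PRIORITY), vlan, mac)
        for name, (prios, mac) in switches.items()
        if name not in root_guarded
    }
    return min(candidates, key=candidates.get)


# Constructed campus: two core switches and one access switch.
CAMPUS = {
    "core1":  ({10: ROOT_PRIMARY, 20: ROOT_SECONDARY}, "0011.2233.4455"),
    "core2":  ({10: ROOT_SECONDARY, 20: ROOT_PRIMARY}, "0011.2233.4466"),
    "access": ({}, "0000.0000.0001"),   # lowest MAC: would win with defaults
}


def all_defaults() -> Dict[str, Tuple[Dict[int, int], str]]:
    """The same campus with nobody's priority tuned."""
    return {name: ({}, mac) for name, (_, mac) in CAMPUS.items()}


def rogue_takeover(priority_of_rogue: int = 0, guarded: bool = False) -> str:
    """Who is root for VLAN 10 after an attacker-controlled switch joins?"""
    topo = dict(CAMPUS)
    topo["rogue"] = ({10: priority_of_rogue}, "0200.dead.beef")
    return elect_root(topo, 10, {"rogue"} if guarded else set())


if __name__ == "__main__":
    print("all defaults, VLAN 10 root:", elect_root(all_defaults(), 10))  # access
    print("VLAN 10 root:", elect_root(CAMPUS, 10),
          " VLAN 20 root:", elect_root(CAMPUS, 20))                      # core1 / core2
    print("rogue, no root guard:", rogue_takeover())                      # rogue
    print("rogue, root guard on:", rogue_takeover(guarded=True))          # core1
```

With untouched priorities the oldest box with the lowest MAC becomes root; the `root primary`/`root secondary` split gives VLAN 10 to core1 and VLAN 20 to core2, and only root guard on the ports facing the rogue stops a priority-0 BPDU from redrawing the whole tree.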

RSTP (Rapid Spanning Tree): 802.1w

802.1D STP takes 30 sec (listening + learning) to bring a port into forwarding
when a switch starts, and up to 50 sec (max age + 30) to re-converge after a
failure. To avoid this delay, we use RSTP.

STATES (blocking and listening are merged):
• Discarding
• Learning
• Forwarding
PORT ROLES:
• Root
• Designated
• Alternate (a blocked backup path to the Root, ready to take over immediately)
• Backup (a blocked redundant port onto the same segment)
Edge is not a role but a port type: a host-facing port that goes straight to
forwarding, the same thing PortFast does.

[Figure: Root at the top with designated (D) ports; the downstream switches have
root (R) ports, a designated (D) port, an alternate (A) port on the redundant
link and an edge (E) port to a host.]

1. To avoid the 30 sec delay on a host port, use the interface command
‘SW(config-if)#spanning-tree portfast’. Use it only on non-trunking ports
connected to hosts, never towards another switch, and pair it with BPDU guard.
2. Unlike STP, where blocked ports are simply blocked and forgotten, RSTP keeps
an alternate port as a pre-computed backup. Therefore there is no
re-computation delay to bring the blocked port to forwarding.
3. It is proactive: if a link goes down, RSTP sends a TC (topology change)
notification itself and informs the others instead of waiting for the Root.
Configuration:
SW(config)#spanning-tree mode rapid-pvst
(UplinkFast, ‘SW(config)#spanning-tree uplinkfast’, is the older 802.1D
enhancement that gave a similar fast failover to a backup uplink; it is not
needed with rapid-pvst.)
MST (Multiple Spanning Tree): 802.1s
Runs one STP instance for a group of VLANs rather than one per VLAN.
SW(config)#spanning-tree mode mst

EtherChannel:
1. Combining multiple Ethernet links into one logical high-bandwidth channel.
2. Negotiation protocols:
a. PAgP (Port Aggregation Protocol): Cisco proprietary; port modes Auto
(waits) and Desirable (initiates)
b. LACP (Link Aggregation Control Protocol): industry standard 802.3ad (now
802.1AX); port modes Passive (waits) and Active (initiates)
c. On: no negotiation protocol at all, both sides must be ‘on’. A mismatch
(‘on’ on one side, a negotiating mode on the other) can leave the links as
independent ports and create a loop, so prefer LACP active.
3. Two flavors:
• Layer 2 EtherChannel
SW(config)#int range f0/23 - 24
SW(config-if-range)#channel-protocol lacp
SW(config-if-range)#channel-group 1 mode active
• Layer 3 EtherChannel
SW(config)#int port-channel 1
SW(config-if)#no switchport
SW(config-if)#ip add 10.1.1.1 255.255.255.0
SW(config-if)#int range f0/23 - 24
SW(config-if-range)#no switchport
SW(config-if-range)#channel-protocol lacp
SW(config-if-range)#channel-group 1 mode active

4. Verify: sh etherchannel 1 port
sh etherchannel detail
Guidelines:
1. All ports must use the same speed and duplex.
2. Interfaces in the bundle must be in the same VLAN, or all be trunks with the
same allowed VLANs and native VLAN.
3. Any change to the port-channel interface affects all bundled ports.
4. Any change to an individual port affects only that port (and can drop it out
of the bundle).

Inter-VLAN Routing:

Router-on-a-stick:

Advantages:
• Simple to set up
• Lower cost
Disadvantages:
• Congestion on the single trunk link
• Single point of failure
• Routing delay (every inter-VLAN packet crosses the trunk twice and is routed
in software)
Configuration:
• Configure the switch port connecting to the router as a trunk
SW(config-if)#switchport trunk encapsulation dot1q
SW(config-if)#switchport mode trunk
• Create subinterfaces on the router, one per VLAN, each tagged with its VLAN ID
Router(config)#int f0/0
Router(config-if)#no shut
Router(config-if)#speed 100
Router(config-if)#duplex full
Router(config-if)#int f0/0.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip add 10.1.10.1 255.255.255.0
Router(config-subif)#int f0/0.20
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip add 10.1.20.1 255.255.255.0
• Configure the default gateway on the PCs according to their VLAN (the
subinterface address of that VLAN)

Multilayer Switching:

Advantages:
• Routing at wire speed
• Backplane bandwidth
• Redundancy enabled
Disadvantages:
• Cost
Configuration:
• Create SVIs (switched virtual interfaces), one per VLAN
SW(config)#int vlan 10
SW(config-if)#ip add 10.1.10.1 255.255.255.0
SW(config-if)#no shut
SW(config-if)#int vlan 20
SW(config-if)#ip add 10.1.20.1 255.255.255.0
SW(config-if)#no shut
• Enable IP routing (off by default on a Layer 3 switch)
SW(config)#ip routing
• Create routed ports (optional)
SW(config)#int f0/0
SW(config-if)#no switchport
SW(config-if)#ip add 10.1.24.1 255.255.255.252
• Enable a routing protocol (optional)
SW(config)#router eigrp 1
SW(config-router)#no auto-summary
SW(config-router)#network 10.0.0.0

Some facts:
• A router and an L3 switch both have IOS software routing.
• Software routing is relatively slow compared to forwarding in an ASIC
(Application-Specific Integrated Circuit).
• L3 switches play a software-hardware trick called CEF (Cisco Express
Forwarding): the L3 engine computes the routes in software and copies them
into two hardware tables. The FIB (Forwarding Information Base) contains the
routing table’s prefixes and next hops; the adjacency table contains the
corresponding MAC addresses (the Layer 2 rewrite) for every next hop in the
FIB. Packets are then forwarded by the ASIC at wire speed without the CPU
looking them up again.
Packets CEF cannot forward in hardware (they are punted to the CPU, so a flood
of them loads the control plane):
• Any packet with IP header options
• Packets whose TTL has expired
• Packets with an unsupported encapsulation
• Packets requiring fragmentation (MTU exceeded)
• Packets destined to a tunnel interface
Verify:
sh ip cef

Managing Redundancy:

HSRP (Hot Standby Router Protocol):

• Created by Cisco, for Cisco, in 1994
• Uses a default hello timer of 3 sec with a hold timer of 10 sec, both tunable.
• One gateway is active at a time. The others are in standby state.
• A virtual IP and MAC address are generated. The MAC is 0000.0c07.acxx: 0000.0c
is the Cisco vendor ID, 07.ac is the HSRP ID and xx is the standby group
number in hex.
• PCs use this virtual IP address as their default gateway.
• Security caveat: hellos are multicast in clear text with a default
authentication string of ‘cisco’, so any host on the VLAN can announce a higher
priority with preempt and become the gateway (a man-in-the-middle). Configure
MD5 authentication on the group and, where possible, filter HSRP at the edge.
Configuration:
a) Add the standby group and virtual IP address on all switches.
SW(config)#int vlan 70
SW(config-if)#standby 1 ip 172.30.70.1
b) Verify
sh standby
c) Optimize and tune
SW(config-if)#standby 1 priority 150 [100 is the default; the higher priority
becomes active]
SW(config-if)#standby 1 preempt delay reload 180 [when the preferred switch
comes back it preempts the current active switch and takes its position back;
beware of flapping links, so always use the delay]
SW(config-if)#standby 1 track f0/0 60 [makes it link specific: if that link goes
down the switch decrements its priority by 60, which only helps if the other
switch has preempt configured]
SW(config-if)#standby 1 timers msec 150 msec 700 [hello 150 ms, hold 700 ms]

VRRP (Virtual Router Redundancy Protocol):

a) Standardized by the IETF (RFC 2338, 1998; VRRPv2 in RFC 3768)
b) Uses a default advertisement timer of 1 sec; the master-down interval is
3 × advertisement + skew timer (the skew depends on priority, so the highest
priority backup times out first)
c) One gateway is master at a time. The others are in backup state.
d) The virtual IP may be the real IP of one of the routers; that router (the IP
address owner) automatically gets priority 255 and is master.

Configuration:
a) Add the VRRP group and virtual IP address on all switches.
SW(config)#int vlan 70
SW(config-if)#vrrp 1 ip 172.30.70.1 [may be the IP address of one of the
physical interfaces]
b) Verify
sh vrrp
c) Optimize and tune (preempt is on by default in VRRP)
SW(config-if)#vrrp 1 priority 150
SW(config-if)#vrrp 1 preempt delay minimum 180
SW(config)#track 1 interface f0/0 line-protocol [VRRP tracks an object, not an
interface directly]
SW(config-if)#vrrp 1 track 1 decrement 60
SW(config-if)#vrrp 1 timers advertise msec 100 [configure it on the master and
let the backups learn it]

GLBP (Gateway Load Balancing Protocol):

• Created by Cisco, for Cisco, in 2005
• Similar to HSRP, but allows load balancing across all gateways.
• A single virtual IP with multiple virtual MACs, one per forwarder.
• The Active Virtual Gateway (AVG) acts as ‘point man’: it answers ARP for the
virtual IP and hands out the different virtual MACs to the clients.
• The other switches (and the AVG itself) act as Active Virtual Forwarders (AVFs)
for the MACs they own.
Configuration:
a) Add the GLBP group and virtual IP address on all switches.
SW(config)#int vlan 70
SW(config-if)#glbp 1 ip 172.30.70.1 [may be the IP address of one of the
physical interfaces]
b) Verify
sh glbp
c) Optimize and tune
SW(config-if)#glbp 1 priority 150 [decides who is the AVG]
SW(config-if)#glbp 1 load-balancing [host-dependent/round-robin/weighted]
[round-robin is the default]
SW(config-if)#glbp 1 timers redirect 100 [how long the AVG keeps redirecting
clients to a failed forwarder before its virtual MAC is reclaimed]

WIRELESS LAN:

Types of wireless network:

• PAN – Bluetooth network (about 10 meters)
• LAN – Cisco or Linksys access point (about 100 meters)
• MAN – city-wide wireless connection
• WAN – GSM, GPRS, 3G

Facts:
• WAP (Wireless Access Point): acts like a hub, i.e. a shared signal and half
duplex, so every client in range can receive every frame.
o Autonomous AP: standalone; IOS based; can be centrally controlled using
Wireless Domain Services (WDS); managed using the CiscoWorks WLAN Solution
Engine (WLSE)
o Lightweight AP: controller dependent; zero configuration (dumb); centrally
controlled by a Wireless LAN Controller (WLC) that holds all the
intelligence; optionally managed using the Cisco Wireless Control System
(WCS); the Lightweight Access Point Protocol (LWAPP) runs between the
controller and the WAPs; the client association is held by the WLC instead
of the WAP.
o Indoor AP – 1130AG, 1240AG
o Outdoor AP – 1300 series, 1400 series (autonomous only)
• 802.11 is a physical and data-link layer standard: 802.11b, 802.11g, 802.11a
• Uses CSMA/CA instead of CSMA/CD
• Faces connectivity issues because of interference.
• Uses the SSID (Service Set Identifier) to identify and separate wireless
networks. When wireless is enabled, the client sends a probe request and the WAP
answers with a probe response (WAPs also advertise themselves periodically with
beacons). The client then associates with a chosen SSID and the WAP adds the
client MAC to its association table. Hiding the SSID is not a security control;
it is still visible in probe and association frames.
• RF service areas should have 10-15% overlap. Solid coverage gives better
battery life. For seamless roaming the WAPs must support roaming features,
because a client normally stays locked to its WAP until connectivity is lost.
Two flavors of roaming:
a) Layer 2 roaming
Same SSID, VLAN and subnet; the client keeps its IP address.
b) Layer 3 roaming
Same SSID but a different subnet; the client keeps its original IP address and
its traffic is tunneled back to the original (anchor) subnet.

Topology:

[Figure: WAPs hang off the Access layer, which connects to the Distribution
layer; a wireless bridge links two wired segments.]

• Repeaters should have 50% overlap with the WAP they repeat.
• Clients should use ‘data rate shifts’ or ‘periodic intervals’ to decide when to
change service area.
• Upper-end WAPs also support multiple VLANs: different SSIDs are mapped to
different VLANs. This provides multiple security levels, subnets and access
privileges from one radio.
• Uses unlicensed radio frequency bands: 900 MHz, 2.4 GHz, 5-6 GHz. The higher
the frequency, the greater the bandwidth and the shorter the range.
• Neighbouring WAPs should use different channels.
802.11b and 802.11g have 3 non-overlapping channels (1, 6 and 11 in the US);
802.11a has 12 non-overlapping channels.
• The wireless security evolution
o 1997 – Wired Equivalent Privacy (WEP); broken, keys recoverable in minutes
o 2001 – 802.1X with the Extensible Authentication Protocol (EAP)
o 2003 – Wi-Fi Protected Access (WPA), uses TKIP (an interim RC4-based fix,
now deprecated)
o 2004 – IEEE 802.11i (WPA2), uses AES-CCMP; the minimum to deploy
• Antennas: omni-directional, directional, Yagi

Layer 2 Attacks

1. MAC flooding (CAM table overflow): an attacker uses a tool to send frames with
continuously changing source MAC addresses into a port until the switch’s CAM
table fills up and it cannot learn any more addresses. The switch then behaves
like a hub for unknown destinations, flooding those frames out of every port in
the VLAN, and the attacker runs a packet sniffer to read any data that passes
through.
2. VLAN hopping: the attacker negotiates a trunk with the switch over DTP (switch
spoofing) and then sends and receives tagged frames for any VLAN, or, from an
access port in the trunk’s native VLAN, sends double-tagged frames that the next
switch delivers into another VLAN. Either way the attacker moves between VLANs
and can even sneak into the VoIP VLAN and record conversations to wav files.
3. Man-in-the-middle via ARP spoofing: when a host sends an ARP request for the
MAC address of, say, the authentication server, the attacker answers with its
own MAC (and does the same towards the server or gateway). The host starts
sending packets to the attacker, who relays them to the server pretending to be
the host, so the server’s replies also come back through the attacker.

Security Measures:
• Use secure MAC addresses (port security)
SW(config-if)#switchport mode access [a static access mode is required before
port security can be enabled]
SW(config-if)#switchport port-security [enables the feature; without it the
mac-address, maximum and violation settings do nothing]
SW(config-if)#switchport port-security mac-address H.H.H [configure as many MAC
addresses as you allowed with the ‘maximum’ command; any remaining slots are
learned dynamically, which defeats the purpose of typing them]
‘OR’
SW(config-if)#switchport port-security mac-address sticky [the switch learns the
MAC addresses of whatever is plugged in and writes them into the running config
as secure static entries, saving the manual typing; the first device seen is the
one that gets trusted]
Verify using ‘sh mac address-table int f0/0’
Remember to save the running config, otherwise sticky addresses are lost on reload
• Limit the number of MAC addresses per port (one for a PC; two or three where
an IP phone sits in front of the PC)
SW(config-if)#switchport port-security maximum 1
• Configure the violation mode
SW(config-if)#switchport port-security violation [shutdown/restrict/protect]
[shutdown is the default and err-disables the port; restrict drops the offending
frames, counts them and sends a syslog/SNMP trap; protect drops them silently,
which hides the attack from you]
• Verify using ‘sh port-security int f0/0’
‘sh interface status’ (err-disabled ports show there)
• To re-enable a port shut down by a violation, do ‘shut’ then ‘no shut’ on that
interface
‘OR’ let it recover automatically:
SW(config)#errdisable recovery cause psecure-violation
SW(config)#errdisable recovery interval 60
sh errdisable recovery
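Added example, not from the notes: the port-security behaviour above as a small state machine in Python, replayed against a macof-style flood of distinct source MACs so the difference between the three violation modes is visible. The MAC addresses and the syslog text are constructed, and the class is a model of the feature, not Cisco code.

```python
"""Port security as a per-port state machine (simulation).

Constructed example of what 'switchport port-security' does with a stream of
source MACs on one access port: a maximum, sticky learning and the three
violation modes (protect, restrict, shutdown). Frames and MACs are made up.
"""
from typing import Dict, Iterable, List


class SecurePort:
    def __init__(self, maximum: int = 1, violation: str = "shutdown",
                 sticky: bool = False, static: Iterable[str] = ()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.allowed: Dict[str, str] = {m.lower(): "static" for m in static}
        self.errdisabled = False
        self.violations = 0          # the counter 'show port-security' reports
        self.syslog: List[str] = []  # stands in for %PORT_SECURITY-2-PSECURE_VIOLATION
        if len(self.allowed) > maximum:
            raise ValueError("more static MACs than 'maximum' allows")

    def ingress(self, src_mac: str) -> str:
        """Return 'forward', 'drop' or 'errdisable' for a frame from src_mac."""
        src_mac = src_mac.lower()
        if self.errdisabled:
            return "errdisable"
        if src_mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.maximum:
            # Room left: learn it. Sticky writes it to the running config;
            # plain dynamic learning ages out. Either way it now fills a slot.
            self.allowed[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Table full and MAC unknown: this is a violation.
        self.violations += 1
        if self.violation == "protect":
            return "drop"                       # silent: nothing logged
        self.syslog.append(f"PSECURE_VIOLATION: unknown MAC {src_mac}")
        if self.violation == "restrict":
            return "drop"                       # logged, port stays up
        self.errdisabled = True                 # shutdown: port goes err-disabled
        return "errdisable"

    def errdisable_recover(self) -> None:
        """'shut'/'no shut' or errdisable recovery: the port comes back and only
        sticky/static entries survive."""
        self.errdisabled = False
        self.allowed = {m: k for m, k in self.allowed.items() if k != "dynamic"}


def cam_flood(port: SecurePort, count: int = 200) -> Dict[str, int]:
    """Replay a macof-style flood of distinct source MACs and tally the results."""
    tally = {"forward": 0, "drop": 0, "errdisable": 0}
    for i in range(count):
        tally[port.ingress(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")] += 1
    return tally


if __name__ == "__main__":
    p = SecurePort(maximum=1, violation="restrict", sticky=True)
    print("legit host:", p.ingress("00:11:22:33:44:55"))
    print(cam_flood(p), "violations:", p.violations, "learned:", p.allowed)
    s = SecurePort(maximum=1, violation="shutdown")
    print("flood against shutdown mode:", cam_flood(s), "errdisabled:", s.errdisabled)
```

In restrict mode the legitimate sticky host keeps working and every flood frame is counted and logged; in shutdown mode the port is err-disabled on the first offending frame, which takes the real host down with it but cannot be missed; in protect mode the drops leave no trace at all, which is why it is the mode to avoid on monitored ports.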

Identity Based Network Services, 802.1X (using a RADIUS server):
(TACACS+ is used for device-administration AAA, not for 802.1X; the switch
carries EAP to the authentication server inside RADIUS.)
Protocols (EAP methods):
EAP-TLS (certificates on both sides; the strongest option)
PEAP (server certificate, user credentials inside a TLS tunnel)
LEAP (Cisco proprietary; its MS-CHAP exchange is crackable offline, so avoid it)

EAP does not require the switch to look inside the EAP packet, yet the switch
still takes part in the authentication as the authenticator: it only relays EAP
frames between the supplicant and the RADIUS server and opens the port when the
server says so. Because of this we can use the same old switch with many
forthcoming authentication methods. Authentication schemes the switch has to
implement itself, such as a local MD5 challenge, are the opposite: every new
method needs switch support.

Configuration:
SW(config)#aaa new-model
SW(config)#aaa authentication dot1x default group radius
SW(config)#dot1x system-auth-control
SW(config)#int f0/0
SW(config-if)#dot1x port-control auto
(The RADIUS server address and shared secret still have to be defined on the
switch. ‘auto’ means the port stays closed until the supplicant authenticates;
‘force-authorized’ would skip 802.1X on that port.)

Isolating hosts inside a VLAN (using Private VLANs):
(Private VLANs do not stop VLAN hopping; that is handled by the trunk and DTP
hardening above. They stop hosts that share one subnet from talking to each
other directly, which limits ARP spoofing and sniffing between neighbours.)

It’s a VLAN within a VLAN: one primary VLAN is split into secondary VLANs.

[Figure: a primary VLAN with a promiscuous port providing connectivity to all;
community VLAN 30 and community VLAN 70 (members talk to each other and to the
promiscuous port) and isolated VLAN 50 (members talk only to the promiscuous
port).]

Configuration:

Private VLANs can only be configured with VTP in transparent mode (VTP
versions 1 and 2 do not carry them)

• Create the private VLANs
SW(config)#vtp mode transparent
SW(config)#vlan 30
SW(config-vlan)#private-vlan community
SW(config-vlan)#vlan 50
SW(config-vlan)#private-vlan isolated
SW(config-vlan)#vlan 100
SW(config-vlan)#private-vlan primary
SW(config-vlan)#private-vlan association 30,50
SW(config-vlan)#vlan 70
SW(config-vlan)#private-vlan community
SW(config-vlan)#vlan 200
SW(config-vlan)#private-vlan primary
SW(config-vlan)#private-vlan association 70

• Verify:
sh vlan private-vlan type

• Associate ports (a host port is bound to a primary/secondary pair)
SW(config)#int f0/0
SW(config-if)#switchport mode private-vlan host
SW(config-if)#switchport private-vlan host-association 100 30
SW(config-if)#int f0/1
SW(config-if)#switchport mode private-vlan host
SW(config-if)#switchport private-vlan host-association 100 30
SW(config-if)#int f0/2
SW(config-if)#switchport mode private-vlan host
SW(config-if)#switchport private-vlan host-association 100 50
SW(config-if)#int f0/3
SW(config-if)#switchport mode private-vlan host
SW(config-if)#switchport private-vlan host-association 200 70
SW(config-if)#int f0/4
SW(config-if)#switchport mode private-vlan promiscuous
• Mapping on the promiscuous port (the gateway or server port, which may talk
to every secondary VLAN listed)
SW(config-if)#switchport private-vlan mapping 100 30,50
• Verify:
sh vlan private-vlan

Preventing Man-In-The-Middle Attacks (using DHCP Snooping):

DHCP snooping builds a binding table (MAC, IP, port, VLAN, lease) from the DHCP
replies it sees on trusted ports and drops DHCP server messages (OFFER/ACK)
arriving on untrusted ports, so a rogue DHCP server cannot hand itself out as
the default gateway. Only the ports towards the real DHCP server or the uplinks
are trusted; every host port stays untrusted.
SW(config)#ip dhcp snooping
SW(config)#ip dhcp snooping vlan 10,20 [snooping is per VLAN and does nothing
until at least one VLAN is listed]
SW(config)#int f0/0
SW(config-if)#ip dhcp snooping trust [DHCP replies are now accepted only on this
trusted port]
sh ip dhcp snooping binding

The binding table can then be enforced on the data plane with IP Source Guard
(a frame’s source IP, and with the port-security keyword also its source MAC,
must match the binding on that port). The same table feeds Dynamic ARP
Inspection, which checks ARP replies against it and is what actually stops the
ARP-spoofing man-in-the-middle listed under Layer 2 attacks.
SW(config-if)#ip verify source vlan dhcp-snooping port-security
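Added example in Python, not from the notes: a switch model that builds the DHCP snooping binding table from packets seen on trusted and untrusted ports, then uses that table for IP Source Guard and for validating ARP. The ARP step models Dynamic ARP Inspection, which the notes do not configure but which is the check that defeats the ARP-spoofing man-in-the-middle from the attack list. All port names, MAC addresses and IP addresses are made up.

```python
"""DHCP snooping binding table, IP Source Guard and ARP validation (simulation).

Constructed example: the switch model, ports, MACs and IP addresses below are
made up for illustration; this is not Cisco code.
"""
from typing import Dict, Optional, Tuple

Binding = Tuple[str, str, int]   # (ip, client port, vlan), keyed by client MAC


class SnoopingSwitch:
    def __init__(self, trusted_ports, snooping_vlans):
        self.trusted = set(trusted_ports)          # 'ip dhcp snooping trust'
        self.vlans = set(snooping_vlans)           # 'ip dhcp snooping vlan ...'
        self.bindings: Dict[str, Binding] = {}     # 'show ip dhcp snooping binding'
        self._client_port: Dict[str, str] = {}     # where each client's request came in

    # --- DHCP snooping (control plane) -------------------------------------
    def dhcp(self, msg: str, client_mac: str, ip: Optional[str],
             port: str, vlan: int) -> str:
        """msg: DISCOVER/REQUEST (client -> server) or OFFER/ACK (server -> client).
        Returns 'forward' or 'drop'."""
        mac = client_mac.lower()
        if vlan not in self.vlans:
            return "forward"                       # snooping not enabled here
        if msg in ("OFFER", "ACK"):
            if port not in self.trusted:
                return "drop"                      # rogue DHCP server on a host port
            if msg == "ACK" and ip is not None and mac in self._client_port:
                self.bindings[mac] = (ip, self._client_port[mac], vlan)
            return "forward"
        if msg in ("DISCOVER", "REQUEST"):
            self._client_port[mac] = port          # remember the client's port
            return "forward"
        raise ValueError(f"unknown DHCP message {msg}")

    # --- IP Source Guard (data plane) ----------------------------------------
    def ip_packet(self, src_ip: str, src_mac: str, port: str) -> str:
        """'ip verify source ... port-security': source IP and MAC must match a
        binding learned on this very port; trusted ports are not checked."""
        if port in self.trusted:
            return "forward"
        b = self.bindings.get(src_mac.lower())
        return "forward" if b and b[0] == src_ip and b[1] == port else "drop"

    # --- ARP validation (Dynamic ARP Inspection) -----------------------------
    def arp(self, sender_ip: str, sender_mac: str, port: str) -> str:
        """An ARP request or reply saying 'sender_ip is at sender_mac' is only
        accepted from an untrusted port if the binding table agrees."""
        if port in self.trusted:
            return "forward"
        b = self.bindings.get(sender_mac.lower())
        return "forward" if b and b[0] == sender_ip and b[1] == port else "drop"


def scenario() -> Dict[str, str]:
    """Replay a legitimate lease, a rogue DHCP server and an ARP-spoofing attempt."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"}, snooping_vlans={10})
    host, attacker = "00:11:22:33:44:55", "02:00:de:ad:be:ef"
    out: Dict[str, str] = {}
    sw.dhcp("DISCOVER", host, None, "Fa0/2", 10)
    # Attacker on Fa0/9 answers first, offering itself as gateway: dropped.
    out["rogue_offer"] = sw.dhcp("OFFER", host, "10.1.10.9", "Fa0/9", 10)
    # The real server's ACK arrives through the trusted uplink: forwarded, recorded.
    out["real_ack"] = sw.dhcp("ACK", host, "10.1.10.50", "Gi0/1", 10)
    # Host uses its leased address: ok. Host spoofing the gateway's IP: dropped.
    out["own_ip"] = sw.ip_packet("10.1.10.50", host, "Fa0/2")
    out["spoofed_ip"] = sw.ip_packet("10.1.10.1", host, "Fa0/2")
    # Attacker claims the gateway's IP is at its own MAC: no binding, dropped.
    out["arp_spoof"] = sw.arp("10.1.10.1", attacker, "Fa0/9")
    out["arp_legit"] = sw.arp("10.1.10.50", host, "Fa0/2")
    out["binding"] = str(sw.bindings.get(host))
    return out


if __name__ == "__main__":
    for key, verdict in scenario().items():
        print(f"{key:12s} {verdict}")
```

Note that every check keys on the port the binding was learned on, not just on the MAC/IP pair: a host that moves its own valid lease to a different port is dropped until it renews, which is the behaviour to expect on the real switch as well.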

Preventing STP manipulation (using BPDU guard):

BPDU guard belongs on PortFast/edge (host-facing) ports, never on trunks or
switch-to-switch links: a host port should never see a BPDU, so if one arrives
(a rogue switch, or a tool trying to become Root) the port is err-disabled.
SW(config-if)#spanning-tree bpduguard enable [on the host-facing access port]

Preventing any switch attached to a specific port from becoming Root (using Root
guard): used on designated ports facing switches that legitimately send BPDUs
but must never become Root. Instead of marking the port err-disabled it puts it
into the root-inconsistent (blocked) state while superior BPDUs arrive and
recovers it automatically when they stop.
SW(config-if)#spanning-tree guard root
