CCIE R&S Advanced Technologies Class v4.5 - Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)

Transcript

1	Introduction	0h 43m
2	Using the Cisco Documentation	0h 52m
3	Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP	0h 47m
4	VTP, VTP Authentication, VTP Pruning	1h 02m
5	VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs	0h 48m
6	VLAN and VTP Review	0h 19m
7	SVIs, Native Routed Interfaces, Router-on-a-Stick	0h 46m
8	Layer 2 EtherChannel, EtherChannel Load Balancing, Layer 3 EtherChannel	0h 57m
9	802.1q Tunneling, Layer 2 Protocol Tunneling, EtherChannel over 802.1q Tunneling	1h 03m
10	STP Root Bridge Election, STP Root Port Election, STP Designated Port Election, STP Priority, STP Cost, STP Port-Priority	1h 46m
11	STP Review	0h 12m
12	STP Timers, STP PortFast	0h 34m
13	STP UplinkFast	0h 11m
14	STP BackboneFast	0h 12m
15	STP BPDU Filter	0h 13m
16	STP BPDU Guard	0h 11m
17	STP Root Guard	0h 11m
18	STP Loop Guard, Unidirectional Link Detection (UDLD)	0h 11m
19	Multiple Spanning-Tree Protocol (MST)	0h 40m
20	Rapid Spanning-Tree Protocol (RSTP), Rapid-PVST	0h 18m
21	MST with Multiple Regions	0h 33m
22	Flex Links	0h 16m
23	Frame Relay	0h 39m
24	Frame Relay Configuration Part 1	0h 34m
25	Frame Relay Configuration Part 2	0h 41m
26	Frame Relay Switching	0h 27m
27	Back-to-Back Frame Relay	0h 08m
28	Frame-Relay End-to-End Keepalives	0h 18m
29	PPP, PPP PAP Authentication, PPP CHAP Authentication	0h 59m
30	PPPoFR, PPPoE	0h 40m
31	Transparent Bridging, IRB	0h 32m
32	Fallback Bridging	0h 14m
33	IP Routing Overview, Switching Paths, Static Routing	0h 42m
34	Static Routing Examples	0h 25m
35	IP Default-Gateway, IP Default-Network	0h 14m
36	On-Demand Routing (ODR)	0h 07m
37	Floating Static Routes	0h 10m
38	Backup Interface	0h 29m
39	Enhanced Object Tracking, IP SLA, Reliable Static Routing	0h 21m
40	Policy Routing	0h 43m
41	GRE Tunneling, GRE Recursive Routing Errors	0h 27m
42	Reliable Backup Interface with GRE	0h 25m
43	RIP Overview, RIP Versions, RIP Auto-Summary	0h 48m
44	RIP Split-Horizon, RIP Timers	0h 22m
45	RIP Broadcast Updates, IP Directed Broadcast, IP Broadcast-Address, Smurf Attacks, Fraggle Attacks	0h 16m
46	RIP Unicast Updates	0h 03m
47	RIP Offset-List	0h 18m
48	RIP Authentication	0h 11m
49	RIP Summarization	0h 10m
50	Prefix-Lists, RIP Distribute-List Filtering, RIP Administrative Distance Filtering	0h 48m
51	RIP Default Routing, RIP Conditional Default Routing	0h 18m
52	RIP Triggered, RIP Validate Update Source,	0h 12m
53	EIGRP Overview	0h 29m
54	EIGRP Auto-Summary	0h 07m
55	EIGRP Split-Horizon	0h 11m
56	EIGRP Update Types, EIGRP Neighbor, EIGRP Passive-Interface	0h 24m
57	EIGRP Hello-Interval, EIGRP Hold-Time	0h 05m
58	EIGRP Authentication	0h 11m
59	EIGRP Time Based Authentication	0h 25m
60	EIGRP Path Selection, EIGRP Metric Weights, EIGRP Traffic Engineering	0h 47m
61	EIGRP Unequal Cost Load Balancing, EIGRP Variance	0h 19m
62	EIGRP QUERY, EIGRP Summarization, EIGRP Leak-Map	0h 28m
63	EIGRP Stub Router Advertisement	0h 22m
64	EIGRP Default Routing	0h 13m
65	EIGRP Route Filtering	0h 11m
66	EIGRP Router-ID	0h 07m
67	Miscellaneous EIGRP Features	0h 02m
68	OSPF Overview	0h 27m
69	Establishing OSPF Adjacencies, Understanding the OSPF Database	0h 43m
70	OSPF Network Type Broadcast, OSPF DR/BDR Election, OSPF over NBMA, OSPF Network Type Non-Broadcast and Point-to-Multipoint	0h 56m
71	OSPF Network Type Point-to-Point, OSPF Network Type Mismatch	0h 13m
72	OSPF Network Type Point-to-Multipoint Non-Broadcast, OSPF Per Neighbor Cost	0h 17m
73	OSPF Network Type Loopback	0h 02m
74	OSPF Path Selection	0h 27m
75	OSPF Convergence Timers	0h 09m
76	OSPF Authentication	0h 12m
77	OSPF Summarization	0h 32m
78	OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs	0h 40m
79	Controlling OSPF NSSA Redistribution	0h 02m
80	OSPF Type 7 to 5 Translator Election, OSPF LSA Type 3 Filter, OSPF Forwarding Address Suppression	0h 24m
81	Route Redistribution Overview	0h 36m
82	Route Redistribution Configuration & Verification, Connected Redistribution	0h 22m
83	OSPF External Path Selection, TCL PING Scripting	0h 33m
84	Routing Loops Overview, EIGRP Route Loop Prevention	0h 55m
85	Metric Based Routing Loops, Route Tagging	0h 46m
86	Administrative Distance Based Routing Loops, Debug IP Routing, IP Route Profile	0h 58m
87	BGP Overview, BGP Peering Types	0h 51m
88	Establishing BGP Peerings, EBGP Multihop, BGP Neighbor Disable Connected Check, BGP TTL Security	0h 49m
89	BGP 4-Byte ASNs	0h 20m
90	BGP Local AS, BGP Peer Groups	0h 30m
91	BGP Next-Hop Self, BGP Next-Hop Processing	0h 30m
92	BGP Route Reflectors	0h 37m
93	Large Scale BGP Route Reflectors with Clusters	0h 34m
94	BGP Confederation	0h 37m
95	BGP NLRI Advertisements, BGP Network Statement, BGP Redistribution	0h 43m
96	BGP Aggregation, BGP Aggregation & Summary-Only, BGP Aggregation & Unsuppress-Map	0h 46m
97	BGP Origin, BGP Aggregation & AS-Set, BGP Aggregation & Advertise-Map	0h 22m
98	BGP Conditional Route Injection	0h 21m
99	BGP Bestpath Selection, BGP Multipath, BGP Weight	0h 53m
100	BGP Local Preference, BGP Local Preference and Communities, BGP AS-Path Prepending,	0h 30m
101	BGP MED, BGP MED Missing As Worst, BGP Deterministic MED	0h 17m
102	BGP Communites, BGP Regular Expressions	0h 43m
103	BGP Filtering, BGP Convergence Timers, BGP Default Routing, Miscellaneous BGP Features	0h 24m
104	MPLS Overview, MPLS Label Distribution Protocol (LDP)	1h 05m
105	MPLS Tunnels, MPLS Penultimate Hop Popping (PHP)	0h 40m
106	MPLS Layer 3 VPNs Overview, VRF Lite	0h 36m
107	MPLS Layer 3 VPNs and VPNv4 BGP	1h 08m
108	MPLS Layer 3 VPN Verification & Troubleshooting	0h 49m
109	MPLS Layer 3 VPN OSPF PE-CE Routing Overview	0h 06m
110	MPLS Layer 3 VPN OSPF PE-CE Routing Path Selection & Sham-Links	2h 01m
111	MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite	0h 40m
112	IPv6 Overview, IPv6 ICMPv6 ND, IPv6 over NBMA	0h 44m
113	IPv6 Routing Overview, IPv6 Static Routing	0h 28m
114	IPv6 RIPng	0h 20m
115	IPv6 EIGRPv6	0h 09m
116	IPv6 OSPFv3	0h 31m
117	MP-BGP for IPv6	0h 26m
118	IPv6 Tunneling	1h 13m
119	Multicast Overview, IGMP	0h 34m
120	PIM Overview	0h 18m
121	PIM Dense Mode	1h 03m
122	PIM Sparse Mode	0h 30m
123	PIM Sparse Mode Configuration	0h 36m
124	PIM Sparse Mode RPF & RP Troubleshooting	0h 27m
125	Auto-RP, Multicast over GRE Tunnels	0h 53m
126	Bootstrap Router (BSR), Bidirectional PIM, Source Specific Multicast (SSM)	0h 40m
127	MSDP, Anycast RP	0h 27m
128	IPv6 Multicast Routing	0h 24m
129	QoS Overview, IntServ QoS, DiffServ QoS, IP Precedence, DSCP, MQC, HQF	0h 41m
130	MQC Classification	0h 44m
131	FIFO, FQ, WFQ, CBWFQ, HQF	0h 50m
132	LLQ	0h 23m
133	WRED	0h 31m
134	Traffic Shaping, Traffic Policing	0h 40m
135	Frame Relay Traffic Shaping (FRTS)	0h 33m
136	RSVP	0h 07m
137	Catalyst 3560 QoS	1h 00m
138	IOS Security Overview, Access Lists (ACLs)	0h 58m
139	Time Based ACLs, Dynamic ACLs	0h 33m
140	Reflexive ACLs	0h 21m
141	TCP Intercept, Content Based Access Control (CBAC)	0h 34m
142	Zone Based Policy Firewall (ZBPF)	1h 09m
143	AAA, Local Authentication, Local Authorization, Role Based CLI Access	0h 43m
144	Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)	0h 48m
145	DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard	0h 12m
146	Protected Ports, Private VLANs	0h 25m
147	IP Services Overview, HSRP	1h 10m
148	VRRP, GLBP	0h 28m
149	NAT	0h 42m
150	DHCP, DNS	0h 30m
151	NetFlow	0h 09m
152	WCCP, Miscellaneous IP Services	0h 06m
153	System Management Overview, NTP, NTP Authentication	0h 24m
154	SNMP, RMON	0h 38m
155	Syslog, Telnet, SSH, Banners	0h 21m
156	EEM Scripting, Miscellaneous System Management	0h 26m
Total Duration		81h 42m

Slides - Diagrams

Slides - Introduction

Slides - Ethernet Switching

Slides - Advanced Ethernet Switching

Slides - Frame Relay

Slides - PPP

Slides - Transport Bridging

Slides - Redistribution

Slides - IOS Security

Slides - Layer 2 Security

Slides - IP Services

Slides - System Management

0:00:13	In our next section for security, we're going to look at the Layer 2
0:00:16	security features of the Catalyst IOS so other topics
0:00:21	that we didn't talk about up to this point in the Layer 2 Ethernet switching
0:00:24	like port security, static Mac address entries, storm control
0:00:29	for limiting our unicast, multicast and broadcast frames.
0:00:34	802.1X authentication which is going to add user based authentication
0:00:38	onto the wired Ethernet LAN.
0:00:41	The VLAN access lists which are also known as the VLAN
0:00:45	maps or vacls. The router and port based access list
0:00:49	then some additional filtering features in
0:00:51	DHCP snooping, dynamic ARP inspection and
0:00:55	IP source guard and then a Layer 2 filtering between
0:00:59	Layer 2 switch ports and VLANS with both the port
0:01:02	protection and the private VLANs feature.
0:01:05	Now the first of these port security is used to
0:01:09	limit access into the Layer 2 switches based on the Layer 2
0:01:13	Mac address of the sending host.
0:01:16	When port security is configured, there are
0:01:18	three different violation modes that we can configure
0:01:21	where by default, if a violation occurs
0:01:23	the interface is going to go into the error disable mode.
0:01:28	Now we talked about this a little bit before in the
0:01:30	switching section that when a port goes into error
0:01:33	disable mode, by default it is not going to come out
0:01:36	of that state unless the interface is manually
0:01:39	shut down and then re-enabled.
0:01:42	So typically, when port security is on, if you are
0:01:45	using the shut down violation mode, you would also want
0:01:48	to enable the error disable recovery timeout
0:01:53	which is essentially a timer that's going to
0:01:55	say after the link goes into error disable, at some point
0:01:58	later we're going to try to re-enable the link
0:02:01	then if a violation occurs again, it's going to go back
0:02:04	into error disable.
0:02:06	Otherwise, we would have to manually login to all the
0:02:08	switches that the violations occur on, shut down the port
0:02:12	and then bring it back up.
0:02:15	The other two violation modes we have are
0:02:17	protect and restrict
0:02:19	which when a violation occurs, it is not going to shut down the
0:02:22	port, but simply filter the traffic as it is received
0:02:25	in the interface.
0:02:27	The difference between the two is that restrict is going to
0:02:31	generate a logging message
0:02:34	through SNMP and syslog
0:02:37	where protect is going to just drop the traffic silently.
0:02:41	Now if you have trouble remembering what the
0:02:43	differences between the different violations mode are
0:02:46	you don't necessarily need to memorize this because you
0:02:50	can just quickly reference it on the documentation.
0:02:53	So if we were to look at the Catalyst configuration guide
0:02:57	which again from the main documentation page
0:03:01	we would go to products
0:03:04	switches
0:03:08	LAN switches for access
0:03:10	Catalyst 3560
0:03:13	configuration guides
0:03:16	and then whatever our latest release is. We'll say
0:03:19	12.2 58
0:03:22	From here, the security configuration is going to be under
0:03:26	.1X port based authentication.
0:03:30	The private VLANs
0:03:35	The DHCP features, IP source guard and dynamic ARP
0:03:37	inspection and the port based traffic control.
0:03:42	Now network security with ACLs, this technically also would be
0:03:46	security based, but this is going to be the same logic
0:03:49	as access list work on the routers.
0:03:51	So we'll see when we get to the port based, the router based
0:03:54	and the VLAN access list, it's really not that
0:03:56	much of a further stretch if you understand this
0:03:59	how this works on the regular router's IOS.
0:04:03	But for Layer 2 port security under port based traffic control
0:04:06	this is where port security, port protection and storm control
0:04:11	is going to be documented.
0:04:14	So under configuring port security
0:04:17	if we look at the understanding port security section
0:04:21	there's a table here that shows you what is the
0:04:23	difference between the different violation modes.
0:04:28	So within the scope of the lab exam, if we had a question
0:04:30	that says we want to filter the traffic when the violation occurs
0:04:33	but also generate a syslog message, you don't necessarily
0:04:37	have to memorize this, you can just come and reference it
0:04:39	here from the configuration guide.
0:04:44	Now in addition to this, port security can apply to
0:04:48	both access ports and trunk ports
0:04:51	but it is not going to apply to dynamic interfaces.
0:04:55	So if DTP is enabled and we're running it in dynamic desirable
0:04:59	or dynamic auto mode, then port security is not going to
0:05:03	be allowed.
0:05:04	You'll see that the IOS parser's just going to generate
0:05:06	an error message saying that port security cannot be
0:05:08	configured on dynamic interfaces.
0:05:12	Once the feature is configured, then we're either going to use it to
0:05:16	limit the specific Mac address that traffic is coming from or the
0:05:21	amount of Mac addresses that are allowed in the
0:05:23	interface.
0:05:25	Which one we do depends on what particular type of
0:05:28	port it is like if it's a trunk port, it doesn't make sense to
0:05:31	limit the traffic just to one particular Mac address.
0:05:34	So we would have to take into account what's the limit
0:05:37	of any Layer 2 neighbors that are in the transit path
0:05:41	over that particular trunk link.
0:05:44	So by default, the per VLAN limit over trunks is going to be
0:05:48	unlimited where when we apply a limit to an individual
0:05:53	VLAN, the total port limit is going to be the
0:05:57	aggregate of all of the VLANs together.
0:06:01	So let's say for example that we have ten VLANs
0:06:03	VLANs 1 through 10
0:06:05	and we say that each of them have a limit of ten Mac addresses.
0:06:09	It means that the port as a whole has an aggregate
0:06:12	Mac address limit of 100 Mac addresses.
0:06:16	So it's just the addition of all of the per VLAN limits.
0:06:20	Now when we apply this down to the access port
0:06:22	it's fairly obvious as to how many Mac addresses there's
0:06:25	supposed to be. Generally, there's just going to be
0:06:27	one that goes down to the end host.
0:06:30	Maybe if there's an IP phone that is connecting there
0:06:32	it would be the phone's Mac address plus the
0:06:34	end host, but typically there shouldn't be 20 or more
0:06:37	Mac addresses on that particular link.
0:06:40	So generally we're going to configure it as just one or two.
0:06:43	Now when we do that, we can either configure
0:06:46	the switch statically with a manual Mac address that we're
0:06:50	going to bind. We can dynamically learn it from whatever is attached to
0:06:54	the port or we can configure this as the sticky mode
0:06:58	which is going to dynamically learn the Mac address
0:07:01	but then insert it into the running config.
0:07:06	So the idea behind this is that if you're basically
0:07:08	trying to make up a list of all of the Mac addresses
0:07:11	that are in your network and you know that the correct
0:07:14	device is plugged into that port, you could turn the
0:07:17	Mac address sticky feature on for port security
0:07:20	it's going to learn that Mac address and then insert
0:07:22	it into the Layer 2 CAM table for port security
0:07:28	and then also into the running config.
0:07:31	So if we were to take a look at the command line for the switches here
0:07:35	let's go on switch 1 and look at the show cdp neighbors
0:07:41	where we can see on our local port Fast Ethernet 0/1
0:07:44	this link is connected to Router 1
0:07:47	if we look at the show Mac address table
0:07:51	dynamic for interface Fast Ethernet 0/1
0:07:55	this is the Mac address that Router 1 has assigned on that interface.
0:07:58	and specifically it's in VLAN 146
0:08:03	This interface right now is configured as a static
0:08:06	access port which means that we could run port
0:08:09	security on the interface.
0:08:12	So if we go to the link level and we say
0:08:15	switchport port security
0:08:18	the first thing to do would be to actually turn the feature on.
0:08:21	So without switchport port security, this command on its own
0:08:24	it's not actually enabling the feature.
0:08:27	And we can see this if we look at the show interface
0:08:31	or show port security
0:08:33	show port security interface
0:08:36	Fast Ethernet 0/1
0:08:40	it says that right now the status is enabled.
0:08:43	The port is secure up, so everything is fine.
0:08:45	The violation mode is shut down so if the Mac addresses are
0:08:50	violated, either the maximum number or the actual address
0:08:54	that we're configuring
0:08:56	then the link is going to go into error disable.
0:09:00	Now the aging type by default is going to be
0:09:03	disabled which means that once the Mac address is
0:09:07	learned in there, it's going to stay in the secure CAM
0:09:11	table until the link goes down.
0:09:15	Now this could potentially be a problem if this port is
0:09:17	going to some sort of shared portion of the network
0:09:21	where multiple hosts are connecting, the switch is not
0:09:25	going to age these Mac addresses out of the CAM table
0:09:27	unless the link actually goes down.
0:09:30	So let's say for example that one of your switch ports
0:09:33	is plugged into another switch on the access layer
0:09:36	like someone plugs a Linksys switch into the end port
0:09:40	that's going to the wall, to the wall jack
0:09:43	if I'm saying that the maximum number of Mac addresses is
0:09:46	five, then whoever the first five Mac addresses
0:09:50	to send traffic are the ones that would get inserted into the
0:09:53	secure CAM table.
0:09:56	And those would never age out unless I actually
0:09:58	manually disabled the interface.
0:10:01	So if you are doing more than one Mac address
0:10:04	typically you would want to say switchport port security aging
0:10:09	and then turn the aging time on
0:10:12	so if we say the aging time, we could say whatever 30 minutes
0:10:17	as long as it's not zero because zero means that it is disabled.
0:10:23	If we said switchports port security mac address
0:10:27	we can manually define the address here. If we said
0:10:30	sticky, then we look at the running configuration
0:10:34	it's going to take whatever Mac address was learned and then
0:10:37	insert it into the running config.
0:10:40	So now I could save and next time I reload
0:10:43	it's going to make sure to save Router 1's Mac address
0:10:46	in that port.
0:10:51	Now some of the potential issues to keep in mind with
0:10:54	port security is that if you change the Mac address
0:10:58	of the device, then it is a potential where the port security
0:11:01	is going to be violated. A case where this could typically occur
0:11:06	is that if you're doing any type of first hop redundancy
0:11:09	protocol, so let's say on VLAN 146 here if we look at the diagram
0:11:14	we have routers 1, 4 and 6
0:11:17	connected to this LAN segment and let's say that we want to make
0:11:20	Router 1 the active router for HSRP or VRRP or GLBP
0:11:28	In any of these cases, the router is going to be sending
0:11:32	traffic using its own Mac address plus the dynamic
0:11:36	Mac address that is originated by that particular protocol
0:11:41	where HSRP is going to have a different format than VRRP
0:11:44	or GLBP, but if we look at the configuration here. Let's say
0:11:51	that on Router 1 we configure HSRP
0:11:57	on Router 1 we'll go to the LAN interface
0:12:01	and say standby 1 ip 155.28.146.100
0:12:09	Ok, so any address that's on that VLAN
0:12:13	we should see that the port is going to be shut down or
0:12:16	basically go into the down down state once switch 1
0:12:21	learns the alternate Mac address on the port.
0:12:25	So if we show run interface Fast Ethernet 0/1
0:12:34	once Router 1 starts to go into the speak state
0:12:38	so if we show standby
0:12:43	it's going to start sending its frames out
0:12:47	once the switch hears this, it's going to send the link into
0:12:49	the error disabled state because now we're learning
0:12:52	multiple Mac addresses on the port. This one here
0:12:55	is specifically the Mac address that's coming from the HSRP process.
0:13:02	So any time that the router is using more than one Mac address
0:13:06	we would need to take that into account. One way we could
0:13:09	do this is simply by telling the switch that this Mac address
0:13:12	is allowed where we could go to interface Fast Ethernet 0/1
0:13:20	say switchport port security mac address is the
0:13:26	maximum number of Mac addresses would have to be at
0:13:28	least two in this case, then the specific Mac address
0:13:32	that we would allow is going to be that value
0:13:35	from HSRP.
0:13:37	So now if we shut the link down and then bring it back
0:13:46	when we look at the show run interface Fast Ethernet 0/1
0:13:52	and the show port security interface Fast Ethernet 0/1
0:13:59	it says there's two Mac addresses. One of them is
0:14:03	coming from the dynamic Mac address of Router 1
0:14:05	the other one is going to be from the HSRP derived address.
0:14:11	The other option here would be to tell the router to use its
0:14:13	own burned-in address
0:14:16	for the first hop redundancy group which in that case we
0:14:19	don't need to use the virtual address that is
0:14:22	derived from the group ID which in our particular case
0:14:26	I used group number one for standby
0:14:29	which means that this is going to end in AC01
0:14:33	where if I said that this was standby 10
0:14:35	this would then end in AC0A
0:14:38	so HSRP is encoding the group ID into the Mac address by default.
0:14:44	If Router 1 were to say at the link level
0:14:49	standby 1 use the -- standby 1 mac address use the burned-in address
0:14:56	actually just standby use bia
0:15:00	so now it's not going to use the dynamically learned
0:15:04	or the dynamically derived address
0:15:06	from the HSRP group.
0:15:08	It's going to use just whatever Mac address is assigned to the link.
0:15:14	So either variation would be a valid configuration here
0:15:17	as long as we take that into account when we're running the
0:15:21	first hop redundancy protocols, the router by default is going to
0:15:23	have more than one Mac address.
0:15:26	Now additionally, if we were running gateway load balancing protocol
0:15:30	there's going to be separate Mac addresses for the active
0:15:33	virtual gateway versus the active virtual forwarders.
0:15:37	So in the case of GLBP there's going to be more than
0:15:39	two Mac addresses depending on whether you are the virtual
0:15:44	gateway or you are the virtual forwarder.
0:15:49	Another potential design issue with this is using the
0:15:52	protected mode on trunk links which is an issue that
0:15:57	happens when one particular VLAN reaches its Mac address
0:16:01	limit and essentially what happens is that the other
0:16:05	VLANs disable Mac address learning.
0:16:10	So for example, if we were to have a case where switch 1
0:16:13	is connecting to switch 2 over a trunk link
0:16:20	so this is a say a dot1q trunk link
0:16:25	and we have VLANs 10, 20 and 30
0:16:29	For the port security configuration of VLAN 10, we say the maximum
0:16:35	is five Mac addresses
0:16:38	where for VLANs 20 and 30, we don't change those
0:16:40	so that's going to be unlimited. If in VLAN 10, more than five
0:16:47	Mac addresses are received, so as soon as the sixth one comes
0:16:52	in, if the interface is configured for not the shut down mode which
0:16:58	is the default, but if we're configuring it in protected mode
0:17:01	it essentially means that VLANs 20 and 30
0:17:05	would stop doing Mac address learning.
0:17:08	So you wouldn't be able to put their Mac addresses
0:17:09	into the CAM table.
0:17:12	The last issue as I mentioned would be with the IP phones
0:17:15	where you would have two Mac addresses on the link
0:17:18	one of them is going to be for the phone and then one is
0:17:21	going to be for the end host that is behind it.
0:17:25	So really there's not too many complicated things
0:17:27	you could get into here with port security as long as once
0:17:30	you're done with the configuration you verify it with the show port
0:17:34	security interface
0:17:35	that's pretty much going to tell you exactly what you need to know.
0:17:38	So is port security on?
0:17:40	What's the violation mode? What's the aging time?
0:17:45	What are the particular Mac addresses that we are learning inbound?
0:17:49	The next option we would have for Mac address filtering
0:17:52	is to use static entries in the CAM table
0:17:55	where we could disable Mac address learning
0:17:59	and then put static mappings that would associate an individual
0:18:02	Mac to a particular interface.
0:18:06	Now the idea behind this is that if we have a very
0:18:08	high security Layer 2 environment
0:18:10	we could tell the switch not to learn Mac addresses
0:18:14	based on its normal process of looking at the source Mac address
0:18:19	of traffic coming in the interface in which case if the Layer 2
0:18:23	switches don't have a manual mapping for that host
0:18:27	it's not going to be able to forward traffic between its
0:18:29	interfaces.
0:18:31	So if it cannot insert a Mac address into the
0:18:33	CAM table, it's not going to be able to switch any traffic to
0:18:36	that destination, so you could technically configure
0:18:39	a very high security Layer 2 environment by disabling
0:18:43	Mac address learning and then manually putting the
0:18:46	static entries in.
0:18:48	Now the syntax is fairly straightforward here
0:18:51	you simply say in the Mac address table
0:18:55	we want to configure a static entry
0:18:59	where the Mac address is 1.2.3
0:19:02	what particular VLAN it's associated with
0:19:07	then what is the interface that it's located on
0:19:09	like Fast Ethernet 0/1
0:19:11	or we could no route the Mac address by saying drop
0:19:17	So if there's a particular Mac address that we do
0:19:19	not want to forward traffic to
0:19:22	we could say simply to drop the frames. This would be the
0:19:26	equivalent of in the IP routing table saying
0:19:29	ip route 1.2.3.4/32
0:19:33	is via null 0
0:19:36	but in this case we are doing this with the CAM table
0:19:40	where we're saying this destination Mac address
0:19:44	we're not going to be able to switch any traffic towards it
0:19:47	because we're simply dropping it. We're sending it to the null 0
0:19:55	The other option as I mentioned would be if we said mac address table
0:19:58	learning for particular VLAN vlan 1
0:20:02	this would be the default where Mac address learning is
0:20:06	on. If I said no Mac address learning for VLAN 1
0:20:10	I would then have to rely only on the static entries
0:20:14	that are manually defined.
0:20:17	So this would then inherently prevent against any type of
0:20:20	Layer 2 spoofing attack or any type of Layer 2 man in the middle
0:20:23	attack because the switch is not going to dynamically
0:20:27	learn any other Mac addresses in that particular VLAN.
0:20:31	The next security feature we have documented under that
0:20:34	same section which is the port based traffic control
0:20:39	is the storm control feature.
0:20:42	Now storm control is used to limit the amount
0:20:44	of either unicast, broadcast or multicast packets that are accepted in a port
0:20:50	which is similar to policing under the module of the quality of service
0:20:53	but the difference is we're not matching it on a particular
0:20:57	destination like a just specific destination unicast or multicast
0:21:02	we're saying just based on the Layer 2 frame format
0:21:05	the switch is saying if it's all Fs, I know that's a broadcast
0:21:08	it's going to know the difference between the multicast Mac address
0:21:12	format versus the unicasts, then we could limit as we receive
0:21:16	packets from the interface what is the particular rate.
0:21:21	Now depending on the individual Catalyst IOS
0:21:24	version that you're using, different versions will have different
0:21:26	options for this. If we say storm control unicast
0:21:32	the level in this case I could configure it as a percentage
0:21:37	or a bit per second versus a packet per second value
0:21:41	where the percentage is going to be based on what
0:21:44	is the underlying negotiation of the link.
0:21:49	So if I say 10 percent, the actual effect of bandwidth value is going to be
0:21:54	different whether the interface negotiates to 10 Megabits per second
0:21:57	a 100 Meg or a 1000
0:22:00	Now another key point to note about this is that
0:22:03	when a violation occurs on the multicast rate
0:22:06	it's going to suppress not only the multicast, but the unicast and
0:22:11	the broadcasts, so when the unicast rate is exceeded
0:22:15	it's only going to suppress the unicasts same with the broadcast
0:22:18	but the multicasts some sort of code limitation on how they
0:22:21	have the feature implemented it's going to apply to all of them.
0:22:25	And you could see that mentioned under the documentation here.
0:22:28	It's one of basically the caveats of the feature
0:22:32	that if we look for multicast,
0:22:39	it says, 'Note: When storm control threshold for multicast is reached
0:22:42	all multicast traffic except control traffic is blocked
0:22:46	however, the switch doesn't differentiate between routing updates
0:22:49	and just OSPF and regular multicasts, so both types of traffic
0:22:52	are blocked.
0:22:53	That could be a potential issue with the control plane.
0:22:56	The other potential problem is that -- and it shows here
0:23:03	somewhere what this -- the diagram of the suppression.
0:23:10	But again the caveat with is that when the multicast
0:23:13	traffic is being dropped, it's also going to affect both
0:23:15	the unicasts and the broadcasts.
0:23:18	So we could get the same type of effect with using policing
0:23:21	under the module of the quality of service. The difference is that this
0:23:24	is basically a Layer 2 policing as opposed to a Layer 3 policing
0:23:30	with the class maps.
0:23:31	The next security feature we have at Layer 2 is
0:23:34	802.1X authentication which is used to authenticate
0:23:39	hosts on the port by sending an extensible
0:23:43	authentication protocol or EAP request
0:23:48	that is then forwarded from the host to the
0:23:50	RADIUS server for authentication.
0:23:52	Now what this implies is that since we're using
0:23:56	RADIUS, it means that we have to run AAA
0:23:58	and we would have to specify what the particular RADIUS server is.
0:24:03	Now again, in the case of the routing and switching lab
0:24:05	exam, we're not actually going to have a RADIUS server to deal with.
0:24:11	So if you were to be tested on this, it's just going to be based on
0:24:14	the configuration, not the actual result.
0:24:18	So configuration wise, this is fairly straightforward.
0:24:21	If we look at the documentation, this is going to be under the configuring
0:24:25	.1X port based authentication.
0:24:28	And even if you've never tried this out before
0:24:31	if you were to get a question like this in the exam
0:24:34	you could simply go to this section that says how to
0:24:37	configure this particular feature and then you would
0:24:40	see the step-by-step list of exactly what you need to do.
0:24:43	So if we say configuring 802.1X authentication
0:24:47	it's going to give us this list. It says that -- pretty much everything
0:24:51	is optional here with the exception of configuring the
0:24:55	RADIUS server.
0:24:58	And then basically enabling the feature.
0:25:01	So we don't need to specify the violation mode, the re-authentication.
0:25:08	Some of the other features like the guest VLAN or the
0:25:11	restricted VLAN this would be for things for a non-capable
0:25:18	.1X host, so for things like your printers for example
0:25:23	or maybe some network attach storage.
0:25:25	If that doesn't support .1X authentication,
0:25:28	then instead of shutting the port down, we may want to
0:25:31	put it into a default VLAN which is essentially the
0:25:35	guest VLAN.
0:25:38	This would be different than the authentication
0:25:40	failure VLAN
0:25:42	which is essentially a quarantine
0:25:44	where the .1X request is sent to the host
0:25:49	the response is received but then the host fails to do the
0:25:53	authentication, so this would be the restricted VLAN
0:26:01	where configuration wise, this is going to be the...
0:26:12	it should be the auth-fail VLAN so .1X auth-fail VLAN
0:26:18	This is to configure what the essentially the quarantine
0:26:22	VLAN is on the port, but for the most basic configuration of
0:26:26	this, we would enable AAA
0:26:29	so aaa new model
0:26:33	configure .1X authentication to go to RADIUS
0:26:37	so AAA authentication for .1X
0:26:42	is going to go to the default group RADIUS
0:26:48	which then implies we would need to know where is the RADIUS server.
0:26:51	So the ip radius server host
0:26:57	or the radius server host
0:27:00	1.2.3.4
0:27:02	Generally, you would also want to specify your source
0:27:04	interface because the RADIUS server needs to know where its
0:27:08	clients' requests are coming from.
0:27:10	So whether this is a loopback or a VLAN interface
0:27:13	here, the RADIUS server would have to know that.
0:27:17	Then globally we would say
0:27:23	.1X
0:27:26	system auth control this is enabling the feature globally.
0:27:30	Then at the link level, we would say .1X port control auto.
0:27:40	So this .1X system auth control this is turning it on
0:27:42	globally and then this is turning it on the neighbor
0:27:46	-- on the particular port. Now we can see the link goes down
0:27:49	in this case because Router 3 is not configured
0:27:52	for .1X authentication.
0:27:55	But if I were to say that .1X
0:28:05	let's see if I were to say the -- what the guest VLAN is
0:28:14	let's see what is the command for this? Let's search for guest here
0:28:26	which is the authentication event no response action authorize vlan
0:28:33	So you think that they would just say .1X guest vlan
0:28:36	so authentication event no response action authorize vlan
0:28:43	which would let's see authorize
0:28:48	no, let's see if it's under .1X
0:28:56	It's possible this version doesn't actually support this.
0:29:01	So let me keep searching for guest.
0:29:05	Configuring the guest VLAN.
0:29:15	Authentication port control auto.
0:29:18	So this is a different version. This code is for 12.2 58
0:29:23	let's see show version include ios
0:29:26	this is 12.2 46, so it looks like the syntax has changed a little bit between these
0:29:31	two versions.
0:29:35	So let's say .1X this would be the -- I thought it was the fallback VLAN
0:29:47	So it may not be supported in this one. Probably what you would
0:29:49	want to do is within the scope of the lab exam
0:29:53	look at the exact version that is being used on that
0:29:56	device and then for the switches, go to that specific sub release
0:30:01	because in the case of the routers, most of the syntax is going to be the
0:30:04	same between one maintenance release of 12.4 T versus the other
0:30:09	but in the case of the switches, a lot of times
0:30:11	there are major syntax changes between releases for whatever
0:30:14	reason, so I may want to go back here and go to
0:30:19	in this case I was running 12.2 44
0:30:23	so let's say 12.2 -- or 12.2 46
0:30:26	12.2 46 SE
0:30:30	then .1X port based authentication
0:30:34	then the guest vlan
0:30:42	This says .1X guest vlan supplicant global configuration.
0:30:51	to allow access to it, so it is two separate syntaxes.
0:30:57	So that's allowing the guest vlan and then let's see
0:31:00	how do we actually assign it.
0:31:23	So .1X port control auto this was in global config
0:31:27	.1X guest vlan
0:31:34	is in global config or at the interface level.
0:31:41	.1X
0:31:46	A must this is under the VLAN itself, let's say vlan 146
0:31:53	no, it's not an attribute of the VLAN, so things like
0:31:56	this, these minor features in the exam the best thing to do
0:31:59	is basically just follow this step-by-step list of the configurations.
0:32:02	As long as you have a general idea of what the
0:32:07	feature is designed to do, you really don't want to spend
0:32:10	tons of time working on this stuff for the routing and switching exam
0:32:14	because there's so many other core topics that you
0:32:17	really need to be an expert in, the basic Layer 2
0:32:20	switching, the IGPs, RIP, OSPF, BGP, MPLS
0:32:24	so you're better off spending the vast majority of your preparation
0:32:28	on those. Try out these kind of minor features once or twice
0:32:32	and then as long as you know where to reference it in the
0:32:34	documentation, then you should be fine with it.
0:32:37	Worst case scenario a section like this it's not really going to
0:32:40	affect anything else in the topology
0:32:43	so if this section is worth three points, you could potentially
0:32:46	just skip it and then try to come back to it at the end of the day
0:32:50	and use the documentation to piece it together
0:32:53	or just skip over it completely and then spend more time
0:32:57	focusing on the core tasks.
0:32:59	Now the next filtering features that we have on the
0:33:02	Layer 2 switches are the port based access lists
0:33:06	the routed access lists and the VLAN access lists.
0:33:11	Now the port based access lists is basically just a fancy way
0:33:15	of saying we have an access list that's applied directly to a
0:33:17	Layer 2 switch port.
0:33:20	So even if the switch is not routing Layer 3
0:33:23	on the interface, you are allowed to apply a Layer 3 access list for
0:33:29	classification.
0:33:32	So for example, if we were to look at our topology
0:33:37	we see that the segment between Router 6
0:33:41	and switch 1 is a Layer 2 segment
0:33:49	So if I were to look at what's the switch that's attached to
0:33:53	Router 6 which specifically in this case is switch 2
0:33:59	I could technically apply an access list directly to Fast Ethernet 0/6
0:34:04	and then it's going to filter all traffic that is
0:34:07	related to that specific port.
0:34:11	Now you'll see when you actually go to apply this
0:34:14	and there's a limitation for the port based access lists
0:34:18	versus the routed and the VLAN access list.
0:34:23	If I were to say access list 100
0:34:26	deny icmp any any
0:34:28	access list 100 permit ip any any
0:34:33	then on Fast Ethernet 0/6 ip access group 100 outbound
0:34:38	You can see that the Layer 2 switch port doesn't support that.
0:34:42	So it's only going to be an inbound filter.
0:34:46	What the in result of this could essentially mean
0:34:49	that Router 6 is no longer able to send icmp on that particular link.
0:34:57	So if we ping to switch 1 this is now going to be filtered.
0:35:03	Since this is a trunk port, it's also going to other segments
0:35:05	if we were to ping 146.1
0:35:10	it's going to affect that as well.
0:35:15	So even though this is a Layer 2 switch port
0:35:17	you are allowed to apply a Layer 3
0:35:20	access list for classification
0:35:22	so we see this is not affecting the TCP traffic like the telnet
0:35:26	that goes out the port
0:35:29	but now we're unable to send any icmp out there.
0:35:38	The other variation of this would be the routed access list
0:35:43	which is essentially the same as the port based access list
0:35:46	but this is applied to either the Layer 2 or excuse me, the Layer 3
0:35:51	routed interface, so when we say no switchport
0:35:54	or it's applied directly to a switch virtual interface.
0:36:01	Now one thing that's different in the operation between the
0:36:04	routed access list and the port based access list
0:36:07	is that the port based one can match a Mac access list
0:36:12	to affect non-IP traffic.
0:36:17	So if we have some sort of legacy protocol
0:36:19	like IPX or NetBIOS for example, you could technically classify
0:36:23	that based on a Mac based access list, but the Mac
0:36:27	ACL is not going to affect IP traffic.
0:36:31	If you want to do an IP filter, you have to do that
0:36:34	based with an IP access list.
0:36:37	So this means on the switch even if I were to say
0:36:43	Mac access list extended
0:36:45	no IP
0:36:50	that says deny
0:36:56	deny from any source to any destination
0:36:59	that has either type 0 by 800
0:37:03	this would be IP
0:37:07	so I'll say 0 by 800 and the an exact match of 0 by 0
0:37:12	and 0 by 806 which is IP ARP
0:37:17	then I were to permit anything, so permit any any
0:37:24	then let's apply this to one of the Layer 2
0:37:26	interfaces.
0:37:28	So Fast Ethernet 0/4
0:37:30	this is connecting to Router 4's link to BB3
0:37:37	so this is where switch 2 is physically plugged in.
0:37:41	If I were to apply this access list inbound
0:37:45	so mac access group
0:37:51	I called it NO_IP
0:37:55	inbound
0:37:57	You would assume that this is going to filter out all of the
0:38:00	IP traffic on the link
0:38:03	but we can see Router 4 can still send IP packets out that interface.
0:38:09	Now what would be a problem is that if Router 4 needed to
0:38:12	send an ARP and the 0 by 806 is being filtered out
0:38:19	because the IP ARP is using a different Ether type than
0:38:23	IP is, then this is going to drop the ARP packets.
0:38:29	But still again, with this particular application when
0:38:31	we say mac access group, this is only going to be for
0:38:34	non-ip packets.
0:38:37	The only case that this is going to be an issue
0:38:39	where it could potentially classify IP is when you're
0:38:43	doing the filtering based on a VLAN access list.
0:38:49	Now a VLAN access list is basically like a route map
0:38:52	where we have multiple sequence numbers that is
0:38:55	doing matching and then either permitting or denying
0:38:59	with the action forward or the action drop
0:39:03	where we are matching it against either an IP access list
0:39:06	or a Mac access list.
0:39:10	Now the potential issue that you could run into with this
0:39:13	is that if you end in an implicit deny
0:39:19	actually that should say don�t use implicit deny
0:39:22	if you end in deny at all, then you have the potential
0:39:27	of blocking your Layer 2 frames
0:39:30	like spanning tree or VTP or CDP or address resolution protocol
0:39:37	because the VLAN access list it can drop the Layer 2
0:39:40	frames, so the advantage of this is that we're essentially
0:39:46	applying it to all of the Layer 2 switch ports at the same time
0:39:50	inside that particular VLAN
0:39:52	but if we don't account for the other Layer 2 protocols
0:39:56	that could potentially be a problem.
0:40:00	So let's say here now on this segment that Router 4 connects to
0:40:04	BB3, I want to filter out the telnet
0:40:08	that's going in either direction, so I don't care if it's coming from
0:40:11	Router 4 or it's coming from BB3
0:40:15	so on switch 2, first thing I'm going to do is going to create an
0:40:19	access list that is going to classify that.
0:40:22	I'll say ip access list extended is telnet.
0:40:26	that is going to permit TCP any any equal to 23
0:40:31	and I could potentially do it the other way around too.
0:40:33	I could say if it's coming from 23, so I don't care if it's from
0:40:37	the client or from the server.
0:40:41	Then I'm going to configure a VLAN access map.
0:40:44	I'll call this my VLAN 43 filter.
0:40:51	This is sequence number 10
0:40:52	I'm going to match the IP address
0:41:02	based on the access list telnet
0:41:05	and if this match is true, I'm going to drop the packets.
0:41:10	action drop
0:41:14	Now if I end with this and then apply this
0:41:17	I'll say vlan filter
0:41:20	the name is vlan 43 filter
0:41:29	vlan list 43
0:41:37	Essentially what's going to happen is now all traffic
0:41:42	is going to be filtered out of that segment
0:41:45	because I'm doing an explicit deny, but then also ending in
0:41:50	an implicit deny at the end
0:41:54	because after sequence number 10 here
0:42:01	which is this first one
0:42:04	there's no sequence after this so it means that it's going to
0:42:06	be implicit deny, so it's the same logic as a route map or a regular access list.
0:42:11	If we look at the show vlan access map
0:42:14	it says if it is telnet traffic, I'm going to drop it.
0:42:18	Now if I were to do the reverse logic, let's say I'm going to
0:42:23	permit not telnet traffic
0:42:27	we could also run into a potential problem with that
0:42:31	if we are filtering Layer 2 protocols, so if we say
0:42:36	access list let's just say 100 for simplicity
0:42:41	do show access list 100
0:42:44	Ok that's used, so let's say 101
0:42:46	access list 101
0:42:49	I want to deny tcp any any equal to telnet
0:42:54	and then permit ip any any
0:43:00	then I'll say vlan access map
0:43:06	map 1
0:43:08	sequence number 10 says match ip address 101
0:43:12	action is forward
0:43:14	so I'm essentially saying permit not telnet because the access list
0:43:19	is not matching the telnet
0:43:22	which means that it falls down to the next sequence which
0:43:24	is the implicit deny.
0:43:27	So if I now apply this onto VLAN 43 here
0:43:34	so I'll remove the previous one and I'll apply the new
0:43:36	filter vlan filter 101
0:43:45	or map 1 actually
0:43:48	map 1
0:43:57	Right now Router 4 is unable to reach BB2
0:44:03	if we look at the show ARP
0:44:07	we do have a resolution for it there
0:44:15	and if we show vlan filter
0:44:19	it says VLAN Map MAP 1 is filtering VLANs: 43
0:44:21	if we show vlan map
0:44:26	or show vlan access map
0:44:29	it says MAP 1 is saying if access list 101 is true, I'm going to forward that
0:44:36	and access list 101 says match ip
0:44:44	so it should allow this through, but it's actually dropping the
0:44:48	traffic. The reason why is that you end up in this kind of backwards
0:44:52	logic with the VLAN access list
0:44:55	that since we're ending in an implicit deny, it could be
0:44:58	filtering out other Layer 2 protocols that we need
0:45:02	like potentially the spanning tree.
0:45:05	So if we look at the show spanning tree for VLAN 43
0:45:10	I could run into the case where the routers don't
0:45:12	agree on who the root bridge is and then I basically cause a Layer 2
0:45:16	loop because the VLAN access map is now ending in implicit deny.
0:45:23	What instead really I should say here is an access list that
0:45:27	matches the telnet. Match that in the VLAN access map
0:45:31	for sequence, set the action to drop.
0:45:36	Then the sequence after that I need to set that as an
0:45:38	explicit permit, so when we show vlan access map
0:45:45	if I say vlan access map vlan 43 filter
0:45:51	sequence 20
0:45:53	is action forward
0:45:56	then I'm going to reapply this back to VLAN 43
0:46:04	so VLAN filter -- VLAN 43 filter
0:46:12	I should see now that Router 4 is able to reach BB3
0:46:25	but it's not able to telnet to it.
0:46:30	Now I think I still have -- I had that Mac list applied
0:46:34	so let me remove this.
0:46:47	So we can see now Router 4 can reach that destination.
0:46:50	If I were to trace to 204.12.28.254
0:46:58	we see that's no problem.
0:47:00	But now if I were to telnet to them
0:47:05	I should see that this is going to be dropped
0:47:07	which it is.
0:47:10	So the key point with the VLAN access map
0:47:13	the same type of logic as the route map. The only
0:47:15	thing you need to do is just define the access list
0:47:17	and then match it with the VLAN map's sequence.
0:47:22	But if you end in an explicit deny or an implicit deny
0:47:27	you have the potential for dropping other traffic
0:47:29	that you didn't account for in the first place
0:47:32	because on the router, there's no problem with ending in an
0:47:35	explicit or implicit deny because we know it's only going to affect
0:47:38	the IP traffic. It's not going to affect the underlying Layer 2 transit.
0:47:42	But if we were to filter out spanning tree or
0:47:45	ARP, that's going to break other things in the network.
0:47:49	So with the VLAN access list, you always want to deny
0:47:53	what you do not want and then end in explicit
0:47:57	permit that is allowing everything else.

Now Viewing

CCIE R&S Advanced Technologies Class v4.5
Title:	CCIE R&S Advanced Technologies Class v4.5
Duration:	81h 42m
The CCIE Routing & Switching Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Routing & Switching lab will be described in detail using an instructor led hands on demonstration. The class consists of over 80 hours of in depth explanations and examples.
Get instant access to our entire library!
	Sign Up
Download this Course
$299.00	Add to Cart

Port Security, Static CAM Entries, Storm Cont...

Create Bookmark