CCIE R&S Advanced Technologies Class v4.5

Transcript

1	Introduction	0h 43m
2	Using the Cisco Documentation	0h 52m
3	Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP	0h 47m
4	VTP, VTP Authentication, VTP Pruning	1h 02m
5	VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs	0h 48m
6	VLAN and VTP Review	0h 19m
7	SVIs, Native Routed Interfaces, Router-on-a-Stick	0h 46m
8	Layer 2 EtherChannel, EtherChannel Load Balancing, Layer 3 EtherChannel	0h 57m
9	802.1q Tunneling, Layer 2 Protocol Tunneling, EtherChannel over 802.1q Tunneling	1h 03m
10	STP Root Bridge Election, STP Root Port Election, STP Designated Port Election, STP Priority, STP Cost, STP Port-Priority	1h 46m
11	STP Review	0h 12m
12	STP Timers, STP PortFast	0h 34m
13	STP UplinkFast	0h 11m
14	STP BackboneFast	0h 12m
15	STP BPDU Filter	0h 13m
16	STP BPDU Guard	0h 11m
17	STP Root Guard	0h 11m
18	STP Loop Guard, Unidirectional Link Detection (UDLD)	0h 11m
19	Multiple Spanning-Tree Protocol (MST)	0h 40m
20	Rapid Spanning-Tree Protocol (RSTP), Rapid-PVST	0h 18m
21	MST with Multiple Regions	0h 33m
22	Flex Links	0h 16m
23	Frame Relay	0h 39m
24	Frame Relay Configuration Part 1	0h 34m
25	Frame Relay Configuration Part 2	0h 41m
26	Frame Relay Switching	0h 27m
27	Back-to-Back Frame Relay	0h 08m
28	Frame-Relay End-to-End Keepalives	0h 18m
29	PPP, PPP PAP Authentication, PPP CHAP Authentication	0h 59m
30	PPPoFR, PPPoE	0h 40m
31	Transparent Bridging, IRB	0h 32m
32	Fallback Bridging	0h 14m
33	IP Routing Overview, Switching Paths, Static Routing	0h 42m
34	Static Routing Examples	0h 25m
35	IP Default-Gateway, IP Default-Network	0h 14m
36	On-Demand Routing (ODR)	0h 07m
37	Floating Static Routes	0h 10m
38	Backup Interface	0h 29m
39	Enhanced Object Tracking, IP SLA, Reliable Static Routing	0h 21m
40	Policy Routing	0h 43m
41	GRE Tunneling, GRE Recursive Routing Errors	0h 27m
42	Reliable Backup Interface with GRE	0h 25m
43	RIP Overview, RIP Versions, RIP Auto-Summary	0h 48m
44	RIP Split-Horizon, RIP Timers	0h 22m
45	RIP Broadcast Updates, IP Directed Broadcast, IP Broadcast-Address, Smurf Attacks, Fraggle Attacks	0h 16m
46	RIP Unicast Updates	0h 03m
47	RIP Offset-List	0h 18m
48	RIP Authentication	0h 11m
49	RIP Summarization	0h 10m
50	Prefix-Lists, RIP Distribute-List Filtering, RIP Administrative Distance Filtering	0h 48m
51	RIP Default Routing, RIP Conditional Default Routing	0h 18m
52	RIP Triggered, RIP Validate Update Source,	0h 12m
53	EIGRP Overview	0h 29m
54	EIGRP Auto-Summary	0h 07m
55	EIGRP Split-Horizon	0h 11m
56	EIGRP Update Types, EIGRP Neighbor, EIGRP Passive-Interface	0h 24m
57	EIGRP Hello-Interval, EIGRP Hold-Time	0h 05m
58	EIGRP Authentication	0h 11m
59	EIGRP Time Based Authentication	0h 25m
60	EIGRP Path Selection, EIGRP Metric Weights, EIGRP Traffic Engineering	0h 47m
61	EIGRP Unequal Cost Load Balancing, EIGRP Variance	0h 19m
62	EIGRP QUERY, EIGRP Summarization, EIGRP Leak-Map	0h 28m
63	EIGRP Stub Router Advertisement	0h 22m
64	EIGRP Default Routing	0h 13m
65	EIGRP Route Filtering	0h 11m
66	EIGRP Router-ID	0h 07m
67	Miscellaneous EIGRP Features	0h 02m
68	OSPF Overview	0h 27m
69	Establishing OSPF Adjacencies, Understanding the OSPF Database	0h 43m
70	OSPF Network Type Broadcast, OSPF DR/BDR Election, OSPF over NBMA, OSPF Network Type Non-Broadcast and Point-to-Multipoint	0h 56m
71	OSPF Network Type Point-to-Point, OSPF Network Type Mismatch	0h 13m
72	OSPF Network Type Point-to-Multipoint Non-Broadcast, OSPF Per Neighbor Cost	0h 17m
73	OSPF Network Type Loopback	0h 02m
74	OSPF Path Selection	0h 27m
75	OSPF Convergence Timers	0h 09m
76	OSPF Authentication	0h 12m
77	OSPF Summarization	0h 32m
78	OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs	0h 40m
79	Controlling OSPF NSSA Redistribution	0h 02m
80	OSPF Type 7 to 5 Translator Election, OSPF LSA Type 3 Filter, OSPF Forwarding Address Suppression	0h 24m
81	Route Redistribution Overview	0h 36m
82	Route Redistribution Configuration & Verification, Connected Redistribution	0h 22m
83	OSPF External Path Selection, TCL PING Scripting	0h 33m
84	Routing Loops Overview, EIGRP Route Loop Prevention	0h 55m
85	Metric Based Routing Loops, Route Tagging	0h 46m
86	Administrative Distance Based Routing Loops, Debug IP Routing, IP Route Profile	0h 58m
87	BGP Overview, BGP Peering Types	0h 51m
88	Establishing BGP Peerings, EBGP Multihop, BGP Neighbor Disable Connected Check, BGP TTL Security	0h 49m
89	BGP 4-Byte ASNs	0h 20m
90	BGP Local AS, BGP Peer Groups	0h 30m
91	BGP Next-Hop Self, BGP Next-Hop Processing	0h 30m
92	BGP Route Reflectors	0h 37m
93	Large Scale BGP Route Reflectors with Clusters	0h 34m
94	BGP Confederation	0h 37m
95	BGP NLRI Advertisements, BGP Network Statement, BGP Redistribution	0h 43m
96	BGP Aggregation, BGP Aggregation & Summary-Only, BGP Aggregation & Unsuppress-Map	0h 46m
97	BGP Origin, BGP Aggregation & AS-Set, BGP Aggregation & Advertise-Map	0h 22m
98	BGP Conditional Route Injection	0h 21m
99	BGP Bestpath Selection, BGP Multipath, BGP Weight	0h 53m
100	BGP Local Preference, BGP Local Preference and Communities, BGP AS-Path Prepending,	0h 30m
101	BGP MED, BGP MED Missing As Worst, BGP Deterministic MED	0h 17m
102	BGP Communites, BGP Regular Expressions	0h 43m
103	BGP Filtering, BGP Convergence Timers, BGP Default Routing, Miscellaneous BGP Features	0h 24m
104	MPLS Overview, MPLS Label Distribution Protocol (LDP)	1h 05m
105	MPLS Tunnels, MPLS Penultimate Hop Popping (PHP)	0h 40m
106	MPLS Layer 3 VPNs Overview, VRF Lite	0h 36m
107	MPLS Layer 3 VPNs and VPNv4 BGP	1h 08m
108	MPLS Layer 3 VPN Verification & Troubleshooting	0h 49m
109	MPLS Layer 3 VPN OSPF PE-CE Routing Overview	0h 06m
110	MPLS Layer 3 VPN OSPF PE-CE Routing Path Selection & Sham-Links	2h 01m
111	MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite	0h 40m
112	IPv6 Overview, IPv6 ICMPv6 ND, IPv6 over NBMA	0h 44m
113	IPv6 Routing Overview, IPv6 Static Routing	0h 28m
114	IPv6 RIPng	0h 20m
115	IPv6 EIGRPv6	0h 09m
116	IPv6 OSPFv3	0h 31m
117	MP-BGP for IPv6	0h 26m
118	IPv6 Tunneling	1h 13m
119	Multicast Overview, IGMP	0h 34m
120	PIM Overview	0h 18m
121	PIM Dense Mode	1h 03m
122	PIM Sparse Mode	0h 30m
123	PIM Sparse Mode Configuration	0h 36m
124	PIM Sparse Mode RPF & RP Troubleshooting	0h 27m
125	Auto-RP, Multicast over GRE Tunnels	0h 53m
126	Bootstrap Router (BSR), Bidirectional PIM, Source Specific Multicast (SSM)	0h 40m
127	MSDP, Anycast RP	0h 27m
128	IPv6 Multicast Routing	0h 24m
129	QoS Overview, IntServ QoS, DiffServ QoS, IP Precedence, DSCP, MQC, HQF	0h 41m
130	MQC Classification	0h 44m
131	FIFO, FQ, WFQ, CBWFQ, HQF	0h 50m
132	LLQ	0h 23m
133	WRED	0h 31m
134	Traffic Shaping, Traffic Policing	0h 40m
135	Frame Relay Traffic Shaping (FRTS)	0h 33m
136	RSVP	0h 07m
137	Catalyst 3560 QoS	1h 00m
138	IOS Security Overview, Access Lists (ACLs)	0h 58m
139	Time Based ACLs, Dynamic ACLs	0h 33m
140	Reflexive ACLs	0h 21m
141	TCP Intercept, Content Based Access Control (CBAC)	0h 34m
142	Zone Based Policy Firewall (ZBPF)	1h 09m
143	AAA, Local Authentication, Local Authorization, Role Based CLI Access	0h 43m
144	Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)	0h 48m
145	DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard	0h 12m
146	Protected Ports, Private VLANs	0h 25m
147	IP Services Overview, HSRP	1h 10m
148	VRRP, GLBP	0h 28m
149	NAT	0h 42m
150	DHCP, DNS	0h 30m
151	NetFlow	0h 09m
152	WCCP, Miscellaneous IP Services	0h 06m
153	System Management Overview, NTP, NTP Authentication	0h 24m
154	SNMP, RMON	0h 38m
155	Syslog, Telnet, SSH, Banners	0h 21m
156	EEM Scripting, Miscellaneous System Management	0h 26m
Total Duration		81h 42m

Slides - Diagrams

Slides - Introduction

Slides - Ethernet Switching

Slides - Advanced Ethernet Switching

Slides - Frame Relay

Slides - PPP

Slides - Transport Bridging

Slides - Redistribution

Slides - IOS Security

Slides - Layer 2 Security

Slides - IP Services

Slides - System Management

0:00:12	In our next section here we're going to look at some more of the advanced spanning tree features.
0:00:17	The first of which is the BPDU filter feature that is used to either
0:00:23	drop spanning tree packets as they come in an interface or drop spanning tree packets as they go out an interface.
0:00:30	So this command can be configured either at the link level or in global config, which in either case
0:00:37	it is the same effect as disabling spanning tree on a per interface basis
0:00:42	of if we configure it globally, essentially disabling it on every interface.
0:00:48	So this typically would be used at the access layer
0:00:52	down towards the end hosts so that we are not sending them information about the root bridges in our topology.
0:01:00	The reason that we would potentially want to do this is that if someone is trying to do some sort of attack on spanning tree
0:01:06	maybe a Layer 2 man in the middle attack or some sort of Layer 2 denial service attack, we don't want to give them the information
0:01:14	about who is the current root bridge, what is their MAC address, and what are the priority values that they have assigned.
0:01:22	So if the end host learns this information they could potentially craft malformed spanning tree packets
0:01:27	to advertise alternate paths to the root bridge.
0:01:32	So implementation wise the feature is very straightforward.
0:01:36	We could go to the interface level and let's say that we do this on switch one's link to router three.
0:01:46	In this case router three is...or not on router three. Let's look at the diagram. This would be on
0:01:55	switch one's link to router five.
0:01:59	So router five is on FastEthernet zero slash five. It's configured in VLAN 30.
0:02:06	At this point if we look at the show spanning tree interface FastEthernet zero slash five,
0:02:13	we see that this is considered an edge port
0:02:17	because we currently have portfast running in global config.
0:02:22	So if we show run include spanning tree,
0:02:27	we see the global command spanning tree portfast default. So for now I'm going to remove this.
0:02:34	Okay, we're not running spanning tree portfast by default on all of the interfaces now.
0:02:39	So if on
0:02:41	switch one we look at the show spanning tree interface FastEthernet zero slash five
0:02:48	notice the change is that FastEthernet five is no longer an edge port.
0:02:51	It's a normal point to point link that is running spanning tree.
0:02:55	This means that switch one should be sending BPDUs out this interface.
0:03:02	We see it says up to this point 8191 BPDUs have been sent out.
0:03:09	If we check this again, 8197, so we could tell we are sending BPDUs out the interface.
0:03:17	At this link level then, if we were to say spanning tree BPDU filter enable, then we will stop sending BPDUs.
0:03:28	So we can think of this as kind of like the passive interface command for spanning tree.
0:03:33	If we clear the interface counters then look at the show spanning tree for the interface detail
0:03:43	we should see...Or let's see, is there a clear spanning tree counters? Yes.
0:03:50	So now let's look at show spanning tree interface FastEthernet five detail and I just want to see the BPDUs.
0:04:00	Right now we're not sending any BPDUs. We have not received any BPDUs.
0:04:04	Okay, this is again when we have this configured at the link level.
0:04:09	Now the disadvantage of this is that if the device on the other end does start to run spanning tree,
0:04:16	so if we go to router five and say bridge one protocol IEEE, then at the link level bridge group one
0:04:26	and on router five we look at the show spanning tree one,
0:04:31	we should see that we will send BPDUs once we
0:04:41	move into the forwarding state so it's going to take us 30 seconds to do this based on the default timers.
0:04:48	Now we see that we are sending BPDUs. On the other end of the link on switch one,
0:04:55	when we look at the counters for the interface, it says that we're not receiving these.
0:05:01	Technically we are. If we were to look at some sort of Layer 1 packet capture on the link between router five and switch one,
0:05:08	router five is sending the BPDUs but switch one is filtering them out.
0:05:14	You could potentially run into a case where there would then be a spanning tree loop
0:05:19	if you had multiple links going to the same portion of the network where the BPDU filter feature was configured.
0:05:28	So assuming that this is going to a portion of the network that is not running spanning tree,
0:05:34	and does not have multiple connections to the switches, then it should be fine.
0:05:39	Likewise this feature also can be configured globally in which case it's going to be a little bit
0:05:47	easier to control whether the BPDU filter should be on or off.
0:05:54	Next on router five let's remove the bridge group from the interface.
0:05:59	So now we are no longer running spanning tree.
0:06:03	On switch one I removed the BPDU filter from the interface level.
0:06:09	If we look at the detailed output we should see now that we are sending BPDUs.
0:06:18	Okay, we're not going to receive them anymore because router five disabled it's spanning tree process
0:06:25	but at least we are sending them.
0:06:29	The other option for this feature would be to configure it globally in conjunction with portfast.
0:06:36	So if we say spanning tree portfast default,
0:06:42	which again means that now every interface that is not a trunk link will be running portfast.
0:06:48	If we show spanning tree interface FastEthernet five portfast we see the portfast process is enabled.
0:06:57	Additionally we can say spanning tree portfast BPDU filter default
0:07:05	This means that for any interface that is currently in the portfast mode we will not be sending BPDUs out.
0:07:15	Now it's a little bit different behavior when we look at this from the interface level to the global level
0:07:21	where at the interface level it means that we will not send spanning tree out and we will not receive the packets in.
0:07:27	So it's a bi-directional filter, inbound and outbound.
0:07:29	In global config, it is only an outbound filter.
0:07:35	The reason why is that the spanning tree portfast process
0:07:40	is still listening for BPDUs to come in
0:07:44	and in which case they are received in, we would revert the interface out of the portfast state.
0:07:52	So if we look at the show spanning tree portfast we can see it's enabled. If we show interface FastEthernet five
0:07:59	detail and include the BPDUs, we should see that we are not sending them out the link.
0:08:08	So if we do clear spanning tree counters
0:08:28	we should see here at some point
0:08:35	the process is going to stop. I may need to go back to exec mode. Let's say show run include spanning tree.
0:08:47	So we have portfast default and portfast BPDU filter default.
0:08:54	This link
0:08:58	we could see is no longer sending BPDUs. So it sends them up to some point to try to detect the other devices running spanning tree
0:09:06	but at this point we're no longer sending them. Okay, if we look again at the
0:09:11	show spanning tree interface FastEthernet five portfast, right now it's in the portfast state.
0:09:19	Okay, the next step would be to look at what happens when the interface does start to run spanning tree on the other side.
0:09:26	So on router five we'll now go to the link and enable the bridge group
0:09:34	which then means that switch one should be receiving BPDUs
0:09:40	which then in turn disables portfast and now the interface runs a normal non-edge port in spanning tree.
0:09:51	The key point being here that if you combine these two features together, which is the portfast default and portfast BPDU filter default,
0:10:01	the switch will automatically figure out what interfaces should be edge ports.
0:10:06	It does this by looking for interfaces that BPDUs are not coming in.
0:10:13	For the interfaces that do not receive BPDUs in, we in turn will not send BPDUs out.
0:10:19	That's because we're running the BPDU filter feature.
0:10:23	But in the case that we do start to receive spanning tree packets inbound
0:10:28	then we will revert the interface out of the portfast state and disable the BPDU filter.
0:10:35	So it's a way to dynamically control whether we should run spanning tree
0:10:42	and whether we should send, or whether we should run the port as an edge port,
0:10:48	and whether we should run spanning tree on the link.
0:10:55	So the idea behind this is that you're basically automating which interfaces should run portfast, which ones should not,
0:11:02	and then the ones that are running portfast you're not going to send the spanning tree information down to those interfaces.
0:11:10	Now there's a comment here - what would be the purpose of this? It sounds like it would be a security concern.
0:11:15	It is a potential security issue. Okay? We'll look at this when we get to the
0:11:21	actual security section and we talk about the different Layer 2
0:11:25	filtering mechanisms and the Layer 2 protection mechanisms that the Catalyst IOS has built in
0:11:30	but this does leave you open to a Layer 2 man in the middle attack.
0:11:36	Okay, running these two features together, portfast default and portfast BPDU filter default.
0:11:41	Now the way that the attack works is that let's say we have switch one here that is going to the rest of the Layer 2 network.
0:11:53	Okay, somewhere out there on the Layer 2 network we have the root bridge
0:11:58	which means that from switch one's perspective this interface would be the root port.
0:12:05	Now we have a bunch of links that go down to the access layer. These are supposed to be going to the end hosts.
0:12:11	Now if someone takes two or more of these links and plugs them in to the same device
0:12:19	let's say this is the PC. PC has two NIC cards - NIC 1 and NIC 2. These are links 1 and 2 on the switch.
0:12:27	There's nothing now stopping the end host from advertising a superior BPDU
0:12:38	essentially declaring itself as the root bridge.
0:12:44	Now what would happen in that case is that Layer 2 connectivity is not going to break.
0:12:51	It's just that now this host must be used as transit to get to different portions of the Layer 2 network.
0:12:58	And this is what is considered a man in the middle attack.
0:13:00	So there's some device that is inserting itself into the transit path of traffic
0:13:05	but it is transparent both to the sender and the receiver.
0:13:10	So the idea behind this attack is that you're just going to run some sort of packet sniffer
0:13:15	and then you could see all the traffic that's going through the Layer 2 network.
0:13:19	So we'll see next there are some features in spanning tree that we can prevent this case
0:13:24	and then also later in the dedicated security section, what other things besides
0:13:30	spanning tree can be used to prevent this type of security hole.

Now Viewing

CCIE R&S Advanced Technologies Class v4.5
Title:	CCIE R&S Advanced Technologies Class v4.5
Duration:	81h 42m
The CCIE Routing & Switching Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Routing & Switching lab will be described in detail using an instructor led hands on demonstration. The class consists of over 80 hours of in depth explanations and examples.
Get instant access to our entire library!
	Sign Up
Download this Course
$299.00	Add to Cart

STP BPDU Filter

Create Bookmark