Chapter 1
Simple to install and configure, so it is a good fit for home networking and a small
office. The downside is that it does not scale well as demands on the network
increase.
2. Describe what is meant by the term multilayer switching. List and briefly
describe several characteristics or advantages of the use of multilayer
switching in network design. (Section 1.1.6)
the building access layer at remote sites may provide access to the corporate
network across WAN technology.
• Building distribution layer: aggregates the wiring closets and uses switches to
segment workgroups and isolate network problems.
• Building core layer: known as the campus backbone submodule, it is a high-speed
backbone and is designed to switch packets as fast as possible. Because
the core is critical for connectivity, it must provide a high level of
availability and adapt to changes very quickly.
Chapter 2
A single VLAN associated with switch ports that are widely dispersed
throughout an enterprise network.
• Geographically dispersed throughout the network
• Users are grouped into the VLAN regardless of physical location
• As a user moves throughout a campus, the VLAN membership of the user
remains the same
• Users are typically associated with a given VLAN for network management
reasons
• All devices on a given VLAN typically have addresses on the same IP
subnet.
Problems:
• Switch ports are provisioned for each user and associated with a given
VLAN.
• Because users on an end-to-end VLAN may be anywhere in the network, all
switches must be aware of the VLAN.
• Flooded traffic for the VLAN is passed to every switch even if it does not
currently have any active ports in the particular end-to-end VLAN.
• Troubleshooting devices on a campus with end-to-end VLANs can be
challenging, because the traffic for a single VLAN can traverse multiple
switches in a large area of the campus.
2. What is a local VLAN? Briefly describe some of the characteristics of a
local VLAN. (Sections 2.1.7, 2.1.8)
VLANs that have boundaries based upon campus geography rather than
organizational function are called local VLANs. They are generally confined to
a wiring closet.
• Local VLANs should be created with physical boundaries rather than the job
functions of the users on the end devices.
• Traffic from a local VLAN is routed to reach destinations on other networks.
• A single VLAN does not extend beyond the building distribution submodule.
Statically: an access port must be manually assigned to a VLAN, and the VLAN must
exist in the VLAN database of the switch.
ISL protocol: supports multiple layer 2 protocols and supports PVST. It does not use
a native VLAN, so it encapsulates every frame. The encapsulation process leaves the
original frame unmodified.
When a switch port is configured as an ISL trunk port, the entire original layer 2
frame, including the header and FCS trailer, is encapsulated before it traverses
the trunk link. Encapsulation places an additional header at the front and a trailer
at the end of the original layer 2 frame.
802.1Q protocol: supports Ethernet and Token Ring, supports 4096 VLANs, supports
CST, MSTP and RSTP, point-to-multipoint topology support, support for
untagged traffic over the trunk via the native VLAN, extended QoS support,
growing standard for IP telephony links.
The 802.1Q protocol adds a tag, or field, to the standard layer 2 Ethernet data
frame. Because inserting the tag alters the original frame, the switch must
recalculate and alter the FCS value of the original frame before sending it out
the 802.1Q trunk port.
DTP: a switch can automatically negotiate a trunk link. This Cisco proprietary
protocol can determine an operational trunking mode and protocol on a switch
port when it is connected to another device that is also capable of dynamic trunk
negotiation.
The best practice is to set the interface to trunk and nonegotiate when a trunk
link is required. DTP should be turned off on links where trunking is not
intended.
VTP is designed to automate the maintenance of a consistent list of VLANs across
switches, a task that done by hand can be administratively cumbersome and
potentially error prone. VTP runs over trunk links, allowing interconnected switches
to distribute and synchronize a single list of configured VLANs. This process
reduces the manual configuration required at each switch; VLANs can be created on
one switch and then propagated to others.
7. A switch may operate in one of three VTP modes. List these modes.
Discuss significant differences between these modes. (Section 2.4.3)
• Server
o Creates, modifies and deletes VLANs at the CLI.
o Generates VTP advertisements and forwards advertisements from
other switches in the same management domain
o May update its own VLAN database with information received from
other servers in the management domain
o Saves VLAN configuration information in the “vlan.dat” file in flash memory
• Client
o Cannot create, modify or delete VLANs at the CLI
o Forwards VTP advertisements received
o Synchronizes its own VLAN database with the latest information
received from a VTP server in the management domain
o VLAN information is held in RAM only, not stored in NVRAM or flash
memory; it must be repopulated from a VTP server if the switch is power
cycled
• Transparent
o Creates, modifies and deletes VLANs in the VLAN database on the local
switch only
o Does not generate VTP advertisements
o Does not update its VLAN database with information received from VTP
servers in the same management domain
o Forwards VTP advertisements received from VTP servers in the same
VTP domain
o Always has a configuration revision number of 0
o Saves VLAN configuration in NVRAM
Chapter 3
1. Explain the purpose of the Spanning Tree Protocol (STP). (Sections 3.1.2,
3.1.3)
A bridge loop occurs when there are no layer 2 mechanisms, such as a time to live,
to manage the redundant paths and stop frames from circulating endlessly.
1. Upon startup, each switch transmits BPDUs out all enabled interfaces on
a per-VLAN basis. At startup, each switch sets the root ID equal to its own
BID. During this time, the switch ports are not used to forward standard
data frames.
2. As the BPDUs go out through the network, each switch compares the
root BPDU it sent out to the one it received.
3. If the received root ID is superior, the switch will propagate it;
otherwise, it will continue to send its own BID as the root BID in
transmitted BPDUs.
4. On the root bridge, all ports are designated ports in a forwarding state.
5. Nonroot bridges must determine an optimal path to the root.
Lower BID values are preferred; the priority field value helps determine which
bridge is going to be the root and can be manually altered. The priority field is
set to 32768 by default; when the default priority field is the same for all bridges,
the root bridge is selected based on the lowest MAC address.
o Root port – this port exists on nonroot bridges and is the switch port with
the best path to the root bridge. Root ports forward traffic toward the
root bridge, and the source MAC addresses of frames received on the root
port are used to populate the MAC table. Only one root port is
allowed per bridge.
o Designated port – exists on root and nonroot bridges. For root bridges,
all switch ports are designated ports. For nonroot bridges, a designated
port is the switch port that will receive and forward frames toward the
root bridge as needed. Only one designated port is allowed per segment.
If multiple switches exist on the same segment, an election process
determines the designated switch, and the corresponding switch port
begins forwarding frames for the segment. Designated ports are capable
of populating the MAC table.
o Nondesignated port – a switch port that is not forwarding (blocking)
data frames and not populating the MAC address table with the source
addresses (SAs) of the frames seen on that segment.
o Disabled port – a switch port that is shut down.
6. In a switched network, one of the functions of Spanning Tree Protocol
(STP) is to find a least-cost path from a switch to the root bridge. How is
the cost determined? Can an administrator modify the default cost? List
the default costs most recently recommended by the IEEE. (Section 3.1.6)
Each bridge advertises the spanning tree path cost in the BPDU; this spanning
tree path cost is the cumulative cost of all the links from the root bridge to the
switch sending the BPDU. The receiving switch uses this cost to determine the
best path to the root bridge. The lowest cost is considered to be the best path.
Lower values are associated with higher bandwidth and therefore are the
more desirable path.
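An added example, not from the notes or the textbook, that models the election and root-port selection described above in Python: bridge IDs compare priority first and MAC second, path cost accumulates on the receiving port of each link, and ties break on the sender's BID and then its port. The switch names, MAC addresses, port names and the three-switch triangle are constructed, and the cost table assumes the classic IEEE short-integer values.

```python
import heapq
from dataclasses import dataclass, field

# Assumed classic IEEE short-integer port costs by link speed in Mbps (lower = better).
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass
class Bridge:
    name: str
    mac: str                   # dotted hex, as shown on a Cisco switch (constructed)
    priority: int = 32768      # default priority field
    links: dict = field(default_factory=dict)   # neighbour -> (local port, Mbps)

    @property
    def bid(self):
        # Bridge ID: priority first, then MAC as the tie-breaker; lowest wins.
        return (self.priority, int(self.mac.replace(".", ""), 16))


def elect_root(bridges):
    """Steps 1-3 of the notes: every switch converges on the lowest BID."""
    return min(bridges.values(), key=lambda b: b.bid)


def root_paths(bridges, root):
    """Step 5: least-cost path to the root, cost added on the receiving port.
    Ties break on the sender's BID, then the sender's port, as STP does."""
    best = {root.name: (0, root.bid, "")}   # bridge -> (cost, sender BID, port)
    root_port = {}                          # nonroot bridge -> its root port
    heap = [(best[root.name], root.name)]
    while heap:
        key, name = heapq.heappop(heap)
        if key > best[name]:
            continue                        # stale entry, a better one was found
        for nbr, (send_port, mbps) in bridges[name].links.items():
            recv_port, _ = bridges[nbr].links[name]
            cand = (key[0] + PORT_COST[mbps], bridges[name].bid, send_port)
            if nbr not in best or cand < best[nbr]:
                best[nbr] = cand
                root_port[nbr] = recv_port
                heapq.heappush(heap, (cand, nbr))
    return {n: k[0] for n, k in best.items()}, root_port


def sample_topology():
    """Constructed triangle A-B-C; B has its priority lowered to 4096."""
    a, b = Bridge("A", "0000.0000.000a"), Bridge("B", "0000.0000.000b", 4096)
    c = Bridge("C", "0000.0000.000c")
    for x, xp, y, yp, mbps in ((a, "Gi0/1", b, "Gi0/1", 1000),
                               (b, "Fa0/2", c, "Fa0/2", 100),
                               (a, "Gi0/2", c, "Gi0/1", 1000)):
        x.links[y.name], y.links[x.name] = (xp, mbps), (yp, mbps)
    return {x.name: x for x in (a, b, c)}
```

With this topology B wins on priority alone, and C reaches the root more cheaply through A (4 + 4) than over its direct 100 Mbps link (19), so its root port faces A.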
7. The original Spanning Tree Protocol (STP) created a single tree for each
and every VLAN in a switched network. Per-VLAN Spanning Tree (PVST)
and Multiple Spanning Tree Protocol were later developments. Briefly
discuss advantages and disadvantages of STP, PVST and MSTP. (Sections
3.1.7, 3.3.1)
Advantages:
o Implementation is simple
o Layer 3 services are not required on the switch
o The router provides communications between VLANs
Disadvantages:
o The router is a single point of failure
o The single traffic path between the switch and the router may become
congested
o Latency is higher than on a layer 3 switch
4. Briefly describe what is meant by the term switch virtual interface (SVI).
(Section 4.2.1)
An SVI is a virtual layer 3 interface that can be configured for any VLAN that
exists on a layer 3 switch. It is virtual in that there is no physical interface for
the VLAN, and yet it can accept configuration parameters applied to a layer 3 router
interface. The SVI for the VLAN provides layer 3 processing for packets from all
switch ports associated with that VLAN. Only one SVI can be associated with a
VLAN.
5. An administrator may configure one or more switch virtual interfaces
(SVI) on a switch. Give several reasons why the administrator might do
this. (Section 4.2.1)
1. switch(config)#ip routing
2. switch(config-if)#no switchport
3. switch(config-if)#ip address …..
4. switch(config)#router …..
Chapter 5
1. Briefly describe the purpose and operation of Hot Standby Router Protocol
(HSRP). (Sections 5.1.2, 5.1.4)
HSRP defines a standby group, with each router assigned to a specific role
within the group. HSRP provides gateway redundancy by sharing an IP and MAC
address between redundant gateways. The protocol transmits virtual MAC and
IP address information between two routers belonging to the same HSRP group.
A set of routers works in concert to present the illusion of a single virtual router
to the hosts on the LAN. By sharing an IP and MAC address, two or more routers
can act as a single “virtual” router. The virtual router’s IP address is configured
as the default gateway for the workstations on a specific IP segment. When
frames are to be sent from the workstation to the default gateway, the
workstation uses ARP to resolve the MAC address associated with the IP
address of the default gateway. ARP returns the MAC address of the virtual
router. Frames sent to the virtual router’s MAC address can then be physically
processed by any active or standby router that is part of that virtual router group.
With a single HSRP group on a subnet, the active router forwards all the
packets off that subnet while the standby router does not forward any packets.
To facilitate load sharing, a single router may be a member of multiple HSRP
groups on the same segment. Multiple standby groups further enable redundancy
and load sharing. While a router is actively forwarding traffic for one HSRP
group, the router can be in standby or listen state for another group. Each
standby group emulates a single virtual router.
Similarities: one router is elected to handle all requests sent to the virtual IP
address.
Differences:
o VRRP is an IEEE standard for router redundancy; HSRP is a Cisco
proprietary protocol
o The virtual router represents a group of routers, known as a VRRP group or
virtual router group
o The active router is referred to as the master virtual router
o The master virtual router may have the same IP address as the virtual router
group
o Multiple routers can function as backup routers
o VRRP is supported on Ethernet, Fast Ethernet and Gigabit Ethernet interfaces
and with MPLS, VPNs and VLANs.
o Communication: GLBP members communicate with each other using hello
messages sent every 3 seconds to the multicast address 224.0.0.102, UDP
port 3222.
Chapter 8
Rogue access points: because unauthorized rogue access points are inexpensive and
readily available, employees sometimes plug them into existing LANs and build
ad hoc wireless networks without the IT department's knowledge or consent. These
rogue access points can be a serious breach of network security because they
can be plugged into a network port behind the corporate firewall.
o Attacks between devices on a common VLAN – devices may need protection
from one another, even though they are on a common VLAN. This is
especially true on service provider segments supporting devices from
multiple customers. (implement private VLANs)
Spoof attacks
o DHCP starvation and DHCP spoofing – an attacking device can exhaust
the address space available to the DHCP server for a period of time or establish
itself as a DHCP server in a man-in-the-middle attack. (use DHCP snooping)
o MAC spoofing – the attacking device spoofs the MAC address of a valid host
currently in the CAM table. The switch then forwards frames destined for the
valid host to the attacking device (use DHCP snooping, port security)
o ….
Switch device attacks
o SSH and Telnet attacks – Telnet packets can be read in clear text. SSH is an
option but has security issues in version 1 (use SSH version 2; use Telnet
with virtual terminal (vty) ACLs)
3. What is meant by the term sticky MAC address? How does use of this
configuration option ease the burden of network administration? (Section
8.1.7)
Port security has a feature called “sticky MAC address” that can limit switch port
access to a single, specific MAC address without the network admin having to
determine the MAC address of every legitimate device and manually associate it
with a particular switch port.
When sticky MAC addresses are used, the switch port converts dynamically learned
MAC addresses to sticky MAC addresses and adds them to the running
configuration as if they were static entries for a single MAC address allowed by
port security. Sticky secure MAC addresses are added to the running configuration
but do not become part of the startup configuration file unless the running
configuration is copied to the startup configuration after the addresses have been
learned. If they are saved in the startup configuration, they do not have to be
relearned when the switch is rebooted, which provides a higher level of network
security.
The 802.1X standard defines a port-based access control and authentication
protocol that restricts unauthorized workstations from connecting to a LAN
through publicly accessible switch ports. The authentication server authenticates
each workstation connected to a switch port before making available any service
offered by the switch or the LAN.
5. Briefly explain the switch VLAN attack using the double-tag exploit.
(Section 8.2.1)
Double tagging allows a frame to be forwarded to a destination VLAN other than the
source’s VLAN. The switch removes the outer tag, and the inner tag is then used to
forward the frame. This attack lets the attacker forward frames to a VLAN
that is otherwise inaccessible from its own VLAN.
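An added example (not from the notes) showing how a defender can recognise the frame shape the double-tag attack relies on: it walks the stacked 802.1Q tags of a captured frame and flags an outer tag that equals the trunk's native VLAN, which is what lets a switch strip it and forward on the inner tag. The frame bytes, the native VLAN value and the `audit_frame` and `build_frame` helper names are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag


def vlan_tags(frame: bytes):
    """Return the VLAN ID of every stacked 802.1Q tag, outermost first."""
    off, tags = 12, []                      # skip destination + source MAC
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid != TPID_8021Q:
            break                           # reached the real EtherType
        tags.append(tci & 0x0FFF)           # low 12 bits of the TCI = VLAN ID
        off += 4
    return tags


def audit_frame(frame: bytes, native_vlan: int, access_port: bool):
    """Findings a monitoring tap on a trunk or access port would report."""
    tags, findings = vlan_tags(frame), []
    if len(tags) > 1:
        findings.append(f"double-tagged: outer {tags[0]}, inner {tags[1]}")
    if tags and tags[0] == native_vlan:
        findings.append(f"outer tag {tags[0]} is the native VLAN; "
                        "a trunk strips it and forwards on the inner tag")
    if access_port and tags:
        findings.append("tagged frame on an access port (expected untagged)")
    return findings


def build_frame(vlans, payload=b"\x08\x00" + b"\x00" * 46):
    """Constructed sample frame: dst/src MAC, one tag per VLAN ID, then payload."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200deadbeef")
    for v in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, v & 0x0FFF)
    return hdr + payload


if __name__ == "__main__":
    # Native VLAN 1 on the trunk; frame tagged 1 (outer) then 20 (inner).
    print(audit_frame(build_frame([1, 20]), native_vlan=1, access_port=False))
```

The second finding is the one the best practices that follow address: moving the native VLAN to an unused ID means a user-supplied outer tag no longer matches it.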
6. List and briefly describe “best practice” to protect against VLAN hopping
attacks. (Section 8.2.2)
Use CDP only as needed: CDP does not reveal security-specific information,
but it is possible for an attacker to exploit this information in a reconnaissance
attack, whereby an attacker learns device and IP address information for the
purpose of launching other types of attacks.
Minimize physical port access
Establish a standard access port configuration for both unused and used ports
Secure switch access: set system passwords, secure physical access to the
console, secure access via Telnet, use SSH when possible, configure warning
banners, use syslog if available.