Saturday 30 September 2023

Understanding Default, Static and Floating Static Routing

1) Default Routing:

Default routing is a method used by routers to forward packets when there is no specific route entry in the routing table for the destination network. Instead of dropping the packet, the router forwards it based on a pre-defined default route. This route is often referred to as the "gateway of last resort" or "default gateway".


For example, if a router receives a packet for a network it doesn't have a specific route for, it will use the default route to send the packet to another router or gateway that has a better understanding of where to send it next.


Default routes are useful in cases where a router doesn't have specific knowledge of all possible networks but knows at least one router that does.

2) Static Routing:

Static routing involves manually configuring the routes in a router's routing table. These routes are configured by a network administrator.


With static routing, the routes don't change unless a network administrator makes changes to them. It's a simple and efficient method for small networks where the network topology doesn't change frequently.


Static routing is less flexible than dynamic routing protocols (like OSPF, EIGRP, BGP, etc.) because it doesn't adapt to changes in the network automatically. It's typically used in scenarios where the network is relatively stable.

3) Floating Static Routing:

Floating static routing is a technique used to provide a backup or secondary route in case the primary route becomes unavailable.

It involves configuring a static route with a higher administrative distance so that it is less preferred than other routes in the routing table. If the primary route fails, the floating static route becomes active.

This is commonly used as a backup solution in case the primary connection to a network goes down. 

In summary, default routing is used when no specific route is available, static routing involves manually configuring routes, and floating static routing provides a backup route in case the primary route fails. Each of these techniques has its own use cases and benefits depending on the network environment and requirements.
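Here is an added example (not from the original post) that models these three route types in Python: a default route, static routes, and a floating static route with a higher administrative distance. The prefixes, next hops, interface names and the AD value of 10 are constructed for the example; the IOS `ip route` commands in the comments are the equivalent configuration for each entry.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of a routing-table (RIB) lookup, not router code.
# Prefixes, next hops, interface names and AD values are constructed.


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    admin_distance: int   # IOS defaults: connected 0, static 1; higher = less preferred
    via: str              # exit interface through which the next hop is reached


def static(prefix, next_hop, via, ad=1):
    """Equivalent of 'ip route <net> <mask> <next-hop> [<ad>]' in IOS."""
    return Route(ipaddress.ip_network(prefix), next_hop, ad, via)


# Constructed RIB: a connected LAN, a primary static route, a floating static
# backup with AD 10, and a default route with its own floating backup.
RIB = [
    Route(ipaddress.ip_network("10.1.1.0/24"), "connected", 0, "Gig0/0"),
    static("172.16.0.0/16", "203.0.113.1", "Ser0/1/0"),          # ip route 172.16.0.0 255.255.0.0 203.0.113.1
    static("172.16.0.0/16", "198.51.100.1", "Ser0/1/1", ad=10),  # ip route 172.16.0.0 255.255.0.0 198.51.100.1 10
    static("0.0.0.0/0", "203.0.113.1", "Ser0/1/0"),              # ip route 0.0.0.0 0.0.0.0 203.0.113.1
    static("0.0.0.0/0", "198.51.100.1", "Ser0/1/1", ad=10),      # ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
]


def lookup(destination, rib, up_interfaces):
    """Pick the route a router would use for `destination`.

    Simplification: a static route is usable only while its exit interface is
    up. That is how the primary route drops out of the table and lets the
    floating static route (higher AD) take over. Returns None when nothing
    matches, i.e. the packet would be dropped.
    """
    addr = ipaddress.ip_address(destination)
    usable = [r for r in rib if addr in r.prefix and r.via in up_interfaces]
    if not usable:
        return None
    # Longest prefix match wins; among equal prefix lengths the lowest
    # administrative distance wins.
    return max(usable, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))


if __name__ == "__main__":
    all_up = {"Gig0/0", "Ser0/1/0", "Ser0/1/1"}
    primary_down = all_up - {"Ser0/1/0"}
    for dst, ifaces, label in [
        ("10.1.1.7", all_up, "connected"),
        ("172.16.9.1", all_up, "primary static"),
        ("172.16.9.1", primary_down, "floating static"),
        ("8.8.8.8", all_up, "default route"),
        ("8.8.8.8", primary_down, "floating default"),
        ("8.8.8.8", {"Gig0/0"}, "both WAN links down"),
    ]:
        r = lookup(dst, RIB, ifaces)
        print(f"{label:20} {dst:12} -> {r.next_hop if r else 'DROP'}")
```

Note that the default route needs its own floating backup: without the second `0.0.0.0/0` entry, traffic for unknown networks would be dropped as soon as the primary link fails, even though the floating route for 172.16.0.0/16 would still work.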


 

Tuesday 19 September 2023

Port Security

+ Port Security is an important feature on switches.

+ The network admin is responsible for protecting switchports from unauthorized access.

+ A security breach happens when someone connects their own device/laptop to an internal office switch.

+ So how do we protect internal switchports from unauthorized access? What is it that lets the network admin achieve switchport security?

  THE ANSWER IS "MAC ADDRESS"

+ Yes, on the basis of MAC address the network admin can restrict / allow workstations to access the organization's internal network.

What all things can a Network Admin control using Port Security -

+ Limit the maximum number of MAC addresses allowed on the switchport.

Default value is 1

+ Configure the MAC address(es) to be allowed on the switchport -

this can be done Static or Dynamic (Sticky)

Static - The network admin defines which MAC address is allowed on the switchport.

Dynamic (Sticky) - The MAC address learned dynamically on the switchport is recorded, and only that MAC address (or addresses) is allowed on the switchport afterwards.

+ Configure Violation Mode

1) Protect - Ignore unknown MAC addresses. DROP

2) Restrict - DROP + Trap | Also increases the violation counter

3) Shutdown - Err-disable + Trap | Also increases the violation counter

SHUTDOWN IS DEFAULT AND MOST AGGRESSIVE

WHERE TO APPLY SWITCHPORT SECURITY ?

ON TRUNK OR ACCESS --> THE ANSWER IS ACCESS.

Because a trunk port carries many MAC addresses, there is no point in allowing or restricting individual MAC addresses on such a port.
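The following Python model is an added example, not part of the original post, that walks through the behaviour described above: the maximum MAC count, static and sticky learning, and what each of the three violation modes does with a frame from an unknown MAC. It is a hypothetical model, not switch code; the interface names and MAC addresses in the demo are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical model of IOS port security on one access port (not switch
# code). Interface names and MAC addresses below are constructed.


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                # IOS default: one secure MAC per port
    violation: str = "shutdown"     # IOS default and most aggressive mode
    sticky: bool = False            # sticky: learned MACs are saved to running-config
    saved_macs: set = field(default_factory=set)    # static + sticky (survive a link flap)
    secure_macs: set = field(default_factory=set)   # saved + dynamically learned
    violation_count: int = 0
    err_disabled: bool = False
    traps: list = field(default_factory=list)       # traps/syslog the switch would emit

    def add_static_mac(self, mac):
        """switchport port-security mac-address <mac>"""
        self.saved_macs.add(mac.lower())
        self.secure_macs.add(mac.lower())

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for one frame with source src_mac."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                       # port is down, nothing passes
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)           # room left: learn it dynamically
            if self.sticky:
                self.saved_macs.add(mac)        # sticky keeps it across link flaps
            return "forward"
        # Limit reached and the source is unknown: apply the violation mode
        if self.violation == "protect":
            return "drop"                       # silent: no counter, no trap
        self.violation_count += 1
        self.traps.append(f"{self.name}: port-security violation from {mac}")
        if self.violation == "shutdown":
            self.err_disabled = True            # stays down until shut / no shut
        return "drop"

    def shut_no_shut(self):
        """Manual recovery: port comes back; non-sticky dynamic MACs are forgotten."""
        self.err_disabled = False
        self.secure_macs = set(self.saved_macs)


if __name__ == "__main__":
    # fa0/1 behind a hub with maximum 2: the third PC err-disables the port
    fa1 = SecurePort("fa0/1", maximum=2)
    for pc in ("0001.c937.98b3", "0002.4ad4.3045", "000c.cfa0.731e"):
        print("fa0/1", pc, fa1.receive(pc), "err-disabled" if fa1.err_disabled else "")
    # fa0/2 with a static MAC in restrict mode: drops are counted, port stays up
    fa2 = SecurePort("fa0/2", violation="restrict")
    fa2.add_static_mac("00d0.bc4b.05ad")
    for _ in range(3):
        fa2.receive("000c.cfa0.731e")
    print("fa0/2 restrict: violations =", fa2.violation_count, "up =", not fa2.err_disabled)
    fa2.violation = "protect"
    fa2.receive("000c.cfa0.731e")
    print("fa0/2 protect: violations =", fa2.violation_count, "(unchanged)")
```

The point of the protect branch is the operational one: the port keeps dropping the unknown device's frames but nothing tells the admin, so restrict (or shutdown) is what gives you a counter and a trap to alert on. The model also shows why non-sticky dynamic learning is weaker than static or sticky: after a link flap the port will happily learn whichever device plugs in next.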


LAB 





+ 2 MAC addresses are learned on the interface fa0/1


Switch#sh mac address-table interfaces fa0/1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
1       0001.c937.98b3    STATIC      Fa0/1
1       0002.4ad4.3045    STATIC      Fa0/1

+ Default Port Security settings on a switchport

Possible options for Port Security -



Switch(config)#int fa0/1

Switch(config-if)#switchport mode access

Switch(config-if)#switchport port-security 

Switch(config-if)#switchport port-security ?

aging Port-security aging commands

mac-address Secure mac address

maximum Max secure addresses

violation Security violation mode

<cr>


Switch(config-if)#switchport port-security maximum 2






So now let's trigger a violation by adding one more PC (PC5) to the hub.

Once PC5 is connected, interface fa0/1 of the switch goes into the err-disabled state:


%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down


Switch>show interfaces fa0/1

FastEthernet0/1 is down, line protocol is down (err-disabled)

Hardware is Lance, address is 000a.f313.9701 (bia 000a.f313.9701)

BW 100000 Kbit, DLY 1000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Half-duplex, 100Mb/s

input flow-control is off, output flow-control is off

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:08, output 00:00:05, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue :0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

956 packets input, 193351 bytes, 0 no buffer

Received 956 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 watchdog, 0 multicast, 0 pause input

0 input packets with dribble condition detected

2357 packets output, 263570 bytes, 0 underruns


So the violation has happened!

To recover, let's disconnect PC5 and perform a shut & no shut on interface fa0/1:


Switch(config)#int fa0/1

Switch(config-if)#shut


%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

Switch(config-if)#no shut


Switch(config-if)#

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up


%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up


Switch(config-if)#^Z

Switch#


===========

Let's look at configuring port-security using a static MAC address.


Switch#show mac address-table interfaces fa0/2
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
1       00d0.bc4b.05ad    DYNAMIC     Fa0/2


Switch(config)#int fa0/2

Switch(config-if)#switchport mode access

Switch(config-if)#switchport port-security mac-address 00d0.bc4b.05ad 


Switch#show port-security interface fa0/2

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 1

Sticky MAC Addresses : 0

Last Source Address:Vlan : 0000.0000.0000:0

Security Violation Count : 0


Switch#


Now let's disconnect PC1 and connect PC5 on int fa0/2.

The interface goes down.



Switch#

%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down


%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down



Now let's recover the port and change the violation mode (first to restrict, then to protect).

<omitted the steps to recover>

We can see the traffic from PC1 is flowing:


C:\>ping 10.1.1.3


Pinging 10.1.1.3 with 32 bytes of data:


Reply from 10.1.1.3: bytes=32 time=1ms TTL=128

Reply from 10.1.1.3: bytes=32 time<1ms TTL=128


Switch(config)#int fa0/2

Switch(config-if)#switchport port-security violation restrict 


Now let's disconnect PC1 from port fa0/2 and connect PC5 to cause a violation.

The interface fa0/2 stays up but the traffic is being dropped:





C:\>ping 10.1.1.3


Pinging 10.1.1.3 with 32 bytes of data:


Request timed out.

Request timed out.


Ping statistics for 10.1.1.3:

Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),


Control-C

^C


+ Also the Security Violation Count increased from 0 to 3:


Switch#show port-security interface fa0/2

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Restrict

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 1

Sticky MAC Addresses : 0

Last Source Address:Vlan : 000C.CFA0.731E:1

Security Violation Count : 3






Let's change the violation mode to Protect


Switch(config-if)#switchport port-security violation protect 



Now let's disconnect PC1 from port fa0/2 and connect PC5 to cause a violation.

Traffic drop is observed, but this time the Security Violation Count stays at 0:


C:\>ping 10.1.1.3


Pinging 10.1.1.3 with 32 bytes of data:


Request timed out.


Ping statistics for 10.1.1.3:

Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),


Switch#show port-security interface fa0/2

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Protect

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 1

Sticky MAC Addresses : 0

Last Source Address:Vlan : 000C.CFA0.731E:1

Security Violation Count : 0
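As an added example (not from the original post), here is a small Python parser for the `show port-security interface` output used throughout this lab, with an audit function that flags what an admin would want to know from it: an err-disabled port, a non-zero violation count, protect mode (which drops silently), and a port with no static or sticky MAC configured. The two samples are the restrict and protect outputs for fa0/2 shown above; the `Secure-shutdown` status string is the value IOS shows for a secure port that was err-disabled by a violation.

```python
import re

# Added parser/audit for 'show port-security interface'. Both samples are
# the fa0/2 outputs from the lab above (restrict run, then protect run).

SAMPLE_RESTRICT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000C.CFA0.731E:1
Security Violation Count   : 3
"""

SAMPLE_PROTECT = SAMPLE_RESTRICT.replace("Restrict", "Protect").replace(
    "Security Violation Count   : 3", "Security Violation Count   : 0")

# "key : value"; the key may itself contain a colon (Last Source Address:Vlan),
# so split on the first colon that has whitespace on both sides.
FIELD_RE = re.compile(r"^\s*(.+?)\s+:\s+(.*?)\s*$")


def parse_port_security(text):
    """Turn the show output into a dict of field name -> value string."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_port(interface, text):
    """Return a list of findings for one port's show output (empty = nothing to report)."""
    f = parse_port_security(text)
    findings = []
    if f.get("Port Security") != "Enabled":
        return [f"{interface}: port security not enabled"]
    if f.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled after a violation")
    count = int(f.get("Security Violation Count", "0"))
    if count > 0:
        findings.append(f"{count} violation(s), last source {f.get('Last Source Address:Vlan')}")
    if f.get("Violation Mode") == "Protect":
        findings.append("protect mode drops silently: no counter, no trap, violations go unnoticed")
    if int(f.get("Sticky MAC Addresses", "0")) == 0 and int(f.get("Configured MAC Addresses", "0")) == 0:
        findings.append("no static or sticky MAC: the first device to connect is accepted")
    return [f"{interface}: {x}" for x in findings]


if __name__ == "__main__":
    for label, sample in (("restrict", SAMPLE_RESTRICT), ("protect", SAMPLE_PROTECT)):
        print(label, audit_port("fa0/2", sample) or ["nothing to report"])
```

Run against a fleet, the same function makes the difference between the two modes visible: the restrict output carries the evidence (count and last source MAC), while the protect output looks clean even though the same device was just refused.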


Thanks for Reading!!!


NETWORK ENGINEER STUFF






 

















Saturday 29 July 2023

CISCO DISCOVERY PROTOCOL (CDP)



+Layer 2 Protocol

+Cisco Proprietary Protocol

+Used by Cisco Devices to discover other connected Cisco devices

+CDP Sends advertisements to directly connected devices

+BY DEFAULT ==> CDP IS ENABLED








+ CDP is enabled by default

PUNE_ROUTER>show cdp

Global CDP information:

Sending CDP packets every 60 seconds

Sending a holdtime value of 180 seconds

Sending CDPv2 advertisements is enabled


+ CDP Neighbor Output 


PUNE_ROUTER#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce   Holdtme    Capability   Platform    Port ID
PUNE_LAN_SW      Gig 0/0/0        152            S       2960        Fas 0/1
CHENNAI_ROUTER   Ser 0/1/0        150            R       ISR4300     Ser 0/1/1


+ CDP Interfaces


PUNE_ROUTER#show cdp interface

Vlan1 is administratively down, line protocol is down

Sending CDP packets every 60 seconds

Holdtime is 180 seconds

GigabitEthernet0/0/0 is up, line protocol is up

Sending CDP packets every 60 seconds

Holdtime is 180 seconds

GigabitEthernet0/0/1 is administratively down, line protocol is down

Sending CDP packets every 60 seconds

Holdtime is 180 seconds

GigabitEthernet0/0/2 is administratively down, line protocol is down

Sending CDP packets every 60 seconds

Holdtime is 180 seconds

Serial0/1/0 is up, line protocol is up

Sending CDP packets every 60 seconds

Holdtime is 180 seconds

Serial0/1/1 is administratively down, line protocol is down

Sending CDP packets every 60 seconds

Holdtime is 180 seconds

PUNE_ROUTER#


+ CDP Disabled Globally


PUNE_ROUTER(config)#no cdp run

PUNE_ROUTER(config)#do wr

Building configuration...

[OK]

PUNE_ROUTER(config)#do show cdp

% CDP is not enabled

PUNE_ROUTER(config)#


+ CDP Disabled on an interface


PUNE_ROUTER(config)#int serial 0/1/0

PUNE_ROUTER(config-if)#no cdp enable 
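To verify where CDP is still advertising after `no cdp enable`, here is an added Python helper (not from the original post) that parses the `show cdp interface` output shown above and lists the up interfaces that still send CDP but are not on an allowlist. The allowlist (only the LAN-facing GigabitEthernet0/0/0) is an assumption for this example; the sample output is the PUNE_ROUTER output from above, taken before the serial interface was changed.

```python
import re

# Added audit helper for 'show cdp interface'. IOS lists only interfaces on
# which CDP is enabled, so anything missing from the output already has
# 'no cdp enable'. The allowlist used in the demo is an assumption.

SHOW_CDP_INTERFACE = """\
Vlan1 is administratively down, line protocol is down
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/0/0 is up, line protocol is up
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/0/1 is administratively down, line protocol is down
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/0/2 is administratively down, line protocol is down
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
Serial0/1/0 is up, line protocol is up
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
Serial0/1/1 is administratively down, line protocol is down
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
"""

HEADER_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)")
TIMER_RE = re.compile(r"Sending CDP packets every (\d+) seconds")
HOLD_RE = re.compile(r"Holdtime is (\d+) seconds")


def parse_cdp_interfaces(text):
    """Map interface name -> status/protocol/timer/holdtime for each CDP-enabled interface."""
    result, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"status": m.group(2), "protocol": m.group(3),
                               "timer": None, "holdtime": None}
            continue
        if current is None:
            continue
        m = TIMER_RE.search(line)
        if m:
            result[current]["timer"] = int(m.group(1))
        m = HOLD_RE.search(line)
        if m:
            result[current]["holdtime"] = int(m.group(1))
    return result


def cdp_exposure(text, allowed):
    """Up interfaces that still advertise CDP and are not on the allowlist."""
    return sorted(name for name, info in parse_cdp_interfaces(text).items()
                  if info["status"] == "up" and name not in allowed)


if __name__ == "__main__":
    trusted = {"GigabitEthernet0/0/0"}   # assumption: CDP wanted only towards the LAN switch
    print("CDP still advertising on:", cdp_exposure(SHOW_CDP_INTERFACE, trusted))
```

With the allowlist above the helper reports `Serial0/1/0`, the WAN link towards CHENNAI_ROUTER, which is exactly the interface the post disables CDP on. Re-running it after `no cdp enable` returns an empty list, because that interface no longer appears in the show output.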



Thanks for Reading 

