Saturday, 30 September 2023

Understanding Default, Static and Floating Static Routing

1) Default Routing:

Default routing is a method used by routers to forward packets when there is no specific route entry in the routing table for the destination network. Instead of dropping the packet, the router forwards it based on a pre-defined default route. This route is often referred to as the "gateway of last resort" or "default gateway".


For example, if a router receives a packet for a network it doesn't have a specific route for, it will use the default route to send the packet to another router or gateway that has a better understanding of where to send it next.


Default routes are useful in cases where a router doesn't have specific knowledge of all possible networks but knows at least one router that does.

2) Static Routing:

Static routing involves manually configuring the routes in a router's routing table. These routes are configured by a network administrator.


With static routing, the routes don't change unless a network administrator makes changes to them. It's a simple and efficient method for small networks where the network topology doesn't change frequently.


Static routing is less flexible than dynamic routing protocols (like OSPF, EIGRP, BGP, etc.) because it doesn't adapt to changes in the network automatically. It's typically used in scenarios where the network is relatively stable.

3) Floating Static Routing:

Floating static routing is a technique used to provide a backup or secondary route in case the primary route becomes unavailable.

It involves configuring a static route with a higher administrative distance so that it is less preferred than other routes to the same destination. While the primary route is present, the floating static route stays out of the routing table; if the primary route fails and is removed, the floating static route is installed and becomes active.

This is commonly used as a backup solution in case the primary connection to a network goes down. 

In summary, default routing is used when no specific route is available, static routing involves manually configuring routes, and floating static routing provides a backup route in case the primary route fails. Each of these techniques has its own use cases and benefits depending on the network environment and requirements.
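To make the three cases concrete, here is an added example (it is not part of the original post and is not router code) that models the two decisions a router makes: which candidate for a prefix gets installed (lowest administrative distance wins, which is what makes a floating static route "float"), and which installed route forwards a packet (longest-prefix match, with 0.0.0.0/0 as the gateway of last resort). The prefixes, next hops (RFC 5737 documentation addresses) and the floating AD of 200 are constructed values.

```python
"""Toy model of default, static and floating static route selection.

Two separate decisions are modelled:
  1. Installation: for one prefix, only the candidate with the lowest
     administrative distance (AD) is installed. A floating static route has a
     deliberately higher AD, so it is installed only after the primary route
     for the same prefix is withdrawn.
  2. Forwarding: longest-prefix match over installed routes; 0.0.0.0/0 (the
     default route) matches only when nothing more specific does.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

STATIC_AD = 1       # IOS default AD for a static route
FLOATING_AD = 200   # assumption: any value higher than the primary route's AD works


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: IPv4Address
    ad: int
    name: str       # label used only to identify the route in this example


class RoutingTable:
    def __init__(self) -> None:
        self._candidates: list[Route] = []

    def add(self, prefix: str, next_hop: str, ad: int, name: str) -> None:
        self._candidates.append(Route(IPv4Network(prefix), IPv4Address(next_hop), ad, name))

    def withdraw(self, name: str) -> None:
        """Remove a candidate, e.g. a static route whose exit link went down."""
        self._candidates = [r for r in self._candidates if r.name != name]

    def installed(self) -> dict[IPv4Network, Route]:
        """Per prefix, keep only the lowest-AD candidate."""
        best: dict[IPv4Network, Route] = {}
        for r in self._candidates:
            cur = best.get(r.prefix)
            if cur is None or r.ad < cur.ad:
                best[r.prefix] = r
        return best

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest-prefix match; None means the packet would be dropped."""
        addr = IPv4Address(destination)
        matches = [r for r in self.installed().values() if addr in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)


def demo() -> dict[str, Optional[str]]:
    """Walk through the scenarios; returns the name of the route chosen each time."""
    rt = RoutingTable()
    # Constructed routes: a primary static, its floating backup, and a default route.
    rt.add("10.1.0.0/16", "192.0.2.1", STATIC_AD, "static-primary")
    rt.add("10.1.0.0/16", "198.51.100.1", FLOATING_AD, "floating-backup")
    rt.add("0.0.0.0/0", "203.0.113.1", STATIC_AD, "default")

    def chosen(dst: str) -> Optional[str]:
        r = rt.lookup(dst)
        return r.name if r else None

    out = {
        "10.1.5.7 with primary up": chosen("10.1.5.7"),      # AD 1 beats AD 200
        "172.16.0.9 with primary up": chosen("172.16.0.9"),  # no specific route: default
    }
    rt.withdraw("static-primary")                             # primary link fails
    out["10.1.5.7 after primary fails"] = chosen("10.1.5.7")  # floating route now installed
    rt.withdraw("default")
    rt.withdraw("floating-backup")
    out["10.1.5.7 with no routes"] = chosen("10.1.5.7")       # nothing matches: drop
    return out


if __name__ == "__main__":
    for scenario, route_name in demo().items():
        print(f"{scenario}: {route_name}")
```

Run it and the output walks through the post's three cases in order: the primary static route wins while it exists, an unknown destination falls through to the default route, the floating route takes over only once the primary is withdrawn, and with no matching route at all the packet is dropped.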


 

Tuesday, 19 September 2023

Port Security

+ Port Security is an important feature on switches.

+ The network admin is responsible for protecting switchports from unauthorized access.

+ A security breach happens when someone connects their own device/laptop to the office's internal switch.

+ So how do we protect internal network switchports from unauthorized access? What is the thing that helps a network admin achieve switchport security?

  THE ANSWER IS "MAC ADDRESS"

+ Yes, on the basis of MAC address the network admin can restrict/allow workstations to access the internal network of the organization.

What can a Network Admin control using Port Security -

+ Limit the maximum number of MAC addresses allowed on the switchport.

Default value is 1.

+ Configure the MAC address(es) to be allowed on the switchport -

this can be done Static or Dynamic (Sticky).

Static - the Network Admin defines by hand which MAC address is allowed on the switchport.

Dynamic (Sticky) - the MAC address dynamically learned on the switchport is recorded as a secure address, and only the recorded MAC address(es) are then allowed on the switchport.

+ Configure Violation Mode

1) Protect - Ignore unknown MAC addresses. DROP only (no trap, and the violation counter does not increase)

2) Restrict - DROP + Trap | Also increases the violation counter

3) Shutdown - Err-disable + Trap | Also increases the violation counter

SHUTDOWN IS DEFAULT AND MOST AGGRESSIVE

WHERE TO APPLY SWITCHPORT SECURITY ?

ON TRUNK OR ACCESS --> THE ANSWER IS ACCESS.

Because a trunk port carries frames from many MAC addresses, there is no point in allowing or restricting individual MAC addresses on such a port.
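Added example (not from the original post, and not Cisco code): a small model of an access port with port security that reproduces the behaviour of the three violation modes listed above, including the counter and err-disable behaviour the lab below shows. The MAC addresses are the ones that appear in the lab output; the notification strings are constructed stand-ins for the real syslog/SNMP trap, and the simplification that a shut/no shut clears non-sticky learned addresses is an assumption of this model.

```python
"""Toy model of switchport port security: maximum, static/sticky secure
addresses, and the protect / restrict / shutdown violation modes."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1                  # IOS default: one secure address
    violation: str = "shutdown"       # IOS default: shutdown, the most aggressive mode
    sticky: bool = False              # sticky: learned addresses survive a link flap
    static_macs: set = field(default_factory=set)      # configured by the admin
    learned_macs: set = field(default_factory=set)     # learned dynamically
    violation_count: int = 0
    err_disabled: bool = False
    notifications: list = field(default_factory=list)  # stand-in for trap + syslog

    def secure_macs(self) -> set:
        return self.static_macs | self.learned_macs

    def configure_mac(self, mac: str) -> None:
        """Equivalent of 'switchport port-security mac-address <mac>'."""
        self.static_macs.add(mac.lower())

    def ingress(self, src_mac: str) -> str:
        """Decide what happens to a frame arriving with source MAC src_mac."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if mac in self.secure_macs():
            return "forwarded"
        if len(self.secure_macs()) < self.maximum:
            self.learned_macs.add(mac)    # room left: learn it as a secure address
            return "forwarded (learned)"
        # Unknown source and the limit is reached: this is a violation.
        if self.violation == "protect":
            return "dropped"              # silent: no notification, counter untouched
        self.violation_count += 1
        self.notifications.append(f"violation by {mac}")  # constructed trap/syslog stand-in
        if self.violation == "restrict":
            return "dropped"              # port stays up; counter grows per offending frame
        self.err_disabled = True          # shutdown: the whole port goes err-disabled
        return "dropped (port err-disabled)"

    def shut_no_shut(self) -> None:
        """Admin recovery ('shutdown' then 'no shutdown'): clears err-disable.
        Assumption in this model: non-sticky learned addresses are lost with the link."""
        self.err_disabled = False
        if not self.sticky:
            self.learned_macs.clear()


def run_lab() -> dict:
    """Replays the three situations from the lab and returns what was observed."""
    results = {}
    pc_a, pc_b, intruder = "0001.c937.98b3", "0002.4ad4.3045", "000c.cfa0.731e"

    # 1) Two hosts behind a hub, maximum 2, default shutdown mode; a third host arrives.
    p = SecurePort(maximum=2, violation="shutdown")
    p.ingress(pc_a)
    p.ingress(pc_b)
    results["shutdown: third host"] = p.ingress(intruder)
    results["shutdown: known host after violation"] = p.ingress(pc_a)  # port is down for everyone
    results["shutdown: count"] = p.violation_count
    p.shut_no_shut()
    results["shutdown: known host after recovery"] = p.ingress(pc_a)

    # 2) One static MAC, restrict mode; the intruder sends three frames (three pings).
    p = SecurePort(maximum=1, violation="restrict")
    p.configure_mac("00d0.bc4b.05ad")
    for _ in range(3):
        p.ingress(intruder)
    results["restrict: count"] = p.violation_count
    results["restrict: err-disabled"] = p.err_disabled
    results["restrict: legit host"] = p.ingress("00d0.bc4b.05ad")

    # 3) Same, protect mode: dropped silently, nothing counted or reported.
    p = SecurePort(maximum=1, violation="protect")
    p.configure_mac("00d0.bc4b.05ad")
    results["protect: intruder"] = p.ingress(intruder)
    results["protect: count"] = p.violation_count
    results["protect: notifications"] = len(p.notifications)
    return results


if __name__ == "__main__":
    for k, v in run_lab().items():
        print(f"{k}: {v}")
```

The point the model makes visible is the operational trade-off: shutdown cuts off the legitimate hosts on the port as well until an admin intervenes, restrict keeps the port up but gives you a counter and a trap to alert on, and protect gives no signal at all, so a violation in protect mode is invisible unless you watch the traffic itself.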


LAB 





+ 2 MAC addresses are learned on the interface fa0/1


Switch#sh mac address-table interfaces fa0/1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.c937.98b3    STATIC      Fa0/1
   1    0002.4ad4.3045    STATIC      Fa0/1

+ Default Port Security settings on a switchport




Possible options for Port Security - 



Switch(config)#int fa0/1

Switch(config-if)#switchport mode access

Switch(config-if)#switchport port-security 

Switch(config-if)#switchport port-security ?

aging Port-security aging commands

mac-address Secure mac address

maximum Max secure addresses

violation Security violation mode

<cr>


Switch(config-if)#switchport port-security maximum 2






So now let's trigger a violation by adding one more PC on the HUB.

Once PC5 is connected, the interface fa0/1 of the switch goes into the err-disabled state:


%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down


Switch>show interfaces fa0/1

FastEthernet0/1 is down, line protocol is down (err-disabled)

Hardware is Lance, address is 000a.f313.9701 (bia 000a.f313.9701)

BW 100000 Kbit, DLY 1000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Half-duplex, 100Mb/s

input flow-control is off, output flow-control is off

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:08, output 00:00:05, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue :0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

956 packets input, 193351 bytes, 0 no buffer

Received 956 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 watchdog, 0 multicast, 0 pause input

0 input packets with dribble condition detected

2357 packets output, 263570 bytes, 0 underruns


So the violation has happened!

To recover, let's disconnect PC5 and perform shut & no shut on interface fa0/1:


Switch(config)#int fa0/1

Switch(config-if)#shut


%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

Switch(config-if)#no shut


Switch(config-if)#

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up


%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up


Switch(config-if)#^Z

Switch#


===========

Let's see how to configure port security using a static MAC address.


Switch#show mac address-table interfaces fa0/2
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    00d0.bc4b.05ad    DYNAMIC     Fa0/2


Switch(config)#int fa0/2

Switch(config-if)#switchport mode access

Switch(config-if)#switchport port-security mac-address 00d0.bc4b.05ad 


Switch#show port-security interface fa0/2

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 1

Sticky MAC Addresses : 0

Last Source Address:Vlan : 0000.0000.0000:0

Security Violation Count : 0


Switch#


Now let's disconnect PC1 and connect PC5 on int fa0/2.





The interface goes down.



Switch#

%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down


%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down



Now let's recover the interface and change the violation mode (first to restrict, then to protect).


<omitted the steps to recover>


After recovery we can see that traffic from PC1 is flowing again:


C:\>ping 10.1.1.3


Pinging 10.1.1.3 with 32 bytes of data:


Reply from 10.1.1.3: bytes=32 time=1ms TTL=128

Reply from 10.1.1.3: bytes=32 time<1ms TTL=128


Switch(config)#int fa0/2

Switch(config-if)#switchport port-security violation restrict 


Now let's disconnect PC1 from port fa0/2 and connect PC5 to cause a violation.

The interface fa0/2 stays up, but the traffic is dropped:





C:\>ping 10.1.1.3


Pinging 10.1.1.3 with 32 bytes of data:


Request timed out.

Request timed out.


Ping statistics for 10.1.1.3:

Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),


Control-C

^C


+ Also, the Security Violation Count increased from 0 to 3:


Switch#show port-security interface fa0/2

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Restrict

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 1

Sticky MAC Addresses : 0

Last Source Address:Vlan : 000C.CFA0.731E:1

Security Violation Count : 3






Let's change the violation mode to Protect:


Switch(config-if)#switchport port-security violation protect 



Now let's disconnect PC1 from port fa0/2 and connect PC5 to cause a violation.

Traffic drop is observed, but this time the Security Violation Count stays at 0:


C:\>ping 10.1.1.3


Pinging 10.1.1.3 with 32 bytes of data:


Request timed out.


Ping statistics for 10.1.1.3:

Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),


Switch#show port-security interface fa0/2

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Protect

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 1

Sticky MAC Addresses : 0

Last Source Address:Vlan : 000C.CFA0.731E:1

Security Violation Count : 0


Thanks for Reading!!!


NETWORK ENGINEER STUFF