*Port security limits which source MAC addresses a switchport accepts, to prevent MAC address spoofing
*Secure MAC addresses can be configured in a number of ways:
>Static secure MAC addresses - Dynamic secure MAC addresses - Sticky secure MAC addresses
>Violation modes: Protect - Restrict - Shutdown
show port-security address
After a violation in shutdown mode the port goes error-disabled; a shutdown / no shutdown interface command must be issued to re-enable the port
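The following is an added example, not part of the original notes or of any Cisco code: a small model of a port-security switchport that learns up to a maximum number of secure MACs (sticky or dynamic) and then applies the violation mode to a spoofed source MAC. The class and method names and the sample MAC addresses are my own, and the syslog line is a modelled placeholder rather than the exact IOS message.

```python
"""Added example (not from the original notes): a model of switchport
port-security. The port accepts up to `maximum` secure MAC addresses
(static, dynamic or sticky) and applies its violation mode to every
further source MAC it sees. Class and method names are my own."""


class SecurePort:
    """One switchport with port-security enabled.

    Violation modes follow the IOS semantics described in the notes:
    protect  - frames from unknown MACs are dropped silently
    restrict - dropped, violation counter incremented, syslog generated
    shutdown - port goes error-disabled; shutdown / no shutdown recovers it
    """

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure_macs = {}        # mac -> "static" | "dynamic" | "sticky"
        self.violation_count = 0
        self.err_disabled = False
        self.syslog = []

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        if mac not in self.secure_macs and len(self.secure_macs) >= self.maximum:
            raise ValueError("maximum number of secure MAC addresses reached")
        self.secure_macs[mac] = "static"

    def ingress(self, src_mac):
        """Return True if a frame with this source MAC is forwarded."""
        if self.err_disabled:
            return False                      # err-disabled ports pass nothing
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # learn the address; sticky entries would also be written to running-config
            self.secure_macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        # unknown source MAC beyond the maximum: a violation
        if self.violation == "protect":
            return False                      # silent drop, no counter
        self.violation_count += 1
        self.syslog.append(
            f"PSECURE_VIOLATION (modelled): {src_mac} on {self.name}")
        if self.violation == "shutdown":
            self.err_disabled = True
        return False

    def recover(self):
        """Operator issues shutdown / no shutdown on the interface."""
        self.err_disabled = False


def run_scenario(violation):
    """Constructed traffic: two legitimate hosts, then a spoofed third MAC,
    then the first host again. Returns the forwarding decisions and state."""
    port = SecurePort("Fa0/1", maximum=2, violation=violation, sticky=True)
    decisions = [port.ingress(m) for m in ("aaaa.0001", "aaaa.0002",
                                           "dead.beef", "aaaa.0001")]
    return {
        "forwarded": decisions,
        "violations": port.violation_count,
        "err_disabled": port.err_disabled,
        "learned": dict(port.secure_macs),
    }


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, run_scenario(mode))
```

Running the three modes side by side shows the practical difference: protect and restrict keep the legitimate hosts working after the spoof attempt, but only restrict leaves evidence (counter and syslog); shutdown is the only mode that also cuts off the legitimate hosts until an operator intervenes.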
Ch3
*VLAN 1 is the default VLAN, the default native VLAN and the default management VLAN, and it cannot be deleted
*IP phone: voice VLAN
*Dynamic Trunking Protocol (DTP) is a protocol to manage trunk negotiation; verify with show interfaces trunk
*To prevent a basic switch spoofing attack, turn off trunking on all ports,
except the ones that specifically require trunking
*Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a second, unauthorized 802.1Q header in the frame. After removing the first (legitimate) 802.1Q header, the switch forwards the frame to the VLAN specified in the inner, unauthorized header.
The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports (the attack only works when the attacker's access VLAN is also the trunk's native VLAN).
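Added example, not from the original notes: it builds a double-tagged 802.1Q frame with the struct module and models two switches joined by a trunk, so the effect of the native VLAN choice can be seen directly. The model assumes the access port accepts a frame tagged with its own VLAN; function names and the MAC addresses are my own.

```python
"""Added example (not from the original notes): a double-tagged 802.1Q frame
and a minimal model of two switches joined by a trunk. Switch 1 sends native
VLAN frames untagged (one level of de-encapsulation); switch 2 classifies
by the outermost tag it sees, or the native VLAN when there is none. The
model assumes the access port accepts a frame tagged with its own VLAN.
Function names and MAC addresses are my own."""
import struct

TPID = 0x8100        # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def vlan_tag(vid, pcp=0):
    """One 4-byte 802.1Q tag: TPID followed by the TCI (PCP, DEI, 12-bit VID)."""
    return struct.pack("!HH", TPID, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst, src, vids, payload=b"\x45" + b"\x00" * 19):
    """Ethernet II frame with zero or more stacked tags, outermost first.
    The payload is a constructed placeholder, not a real IPv4 packet."""
    tags = b"".join(vlan_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def outer_vid(frame):
    """VID of the outermost tag, or None for an untagged frame."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def pop_tag(frame):
    """Remove the outermost 802.1Q tag (bytes 12..15)."""
    return frame[:12] + frame[16:]


def trunk_egress(frame, native_vlan):
    """Switch 1 -> trunk: frames of the native VLAN leave untagged, so exactly
    one tag is stripped; all other VLANs keep their tag."""
    return pop_tag(frame) if outer_vid(frame) == native_vlan else frame


def trunk_ingress_vlan(frame, native_vlan):
    """Switch 2 <- trunk: untagged means native VLAN, else the outermost VID."""
    vid = outer_vid(frame)
    return native_vlan if vid is None else vid


def double_tag_attack(attacker_vlan, target_vlan, native_vlan):
    """Attacker on an access port in `attacker_vlan` sends outer=attacker_vlan,
    inner=target_vlan. Returns the VLAN switch 2 delivers the frame into."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                        [attacker_vlan, target_vlan])
    on_wire = trunk_egress(frame, native_vlan)
    return trunk_ingress_vlan(on_wire, native_vlan)


if __name__ == "__main__":
    # native VLAN shared with users: the inner tag wins
    print("native=1, attacker in VLAN 1 -> delivered to VLAN", double_tag_attack(1, 20, 1))
    # dedicated, unused native VLAN: the outer tag stays on the wire
    print("native=999, attacker in VLAN 1 -> delivered to VLAN", double_tag_attack(1, 20, 999))
```

With the native VLAN left at 1 and the attacker sitting in VLAN 1, the frame reaches VLAN 20; with an unused native VLAN (999 here) the outer tag survives the trunk and the frame stays in the attacker's own VLAN. Note the attack is one-way: nothing in VLAN 20 can answer back through the same trick.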
*Private VLAN (PVLAN) Edge feature, also known as protected ports,
ensures that there is no exchange of unicast, broadcast, or multicast
Ch4
*Process switching: an older packet forwarding mechanism still available for Cisco routers (every packet is handled by the CPU).
Fast switching: a common packet forwarding mechanism which uses a fast-switching cache to store next-hop information (the first packet to a destination is process-switched, later ones hit the cache).
Cisco Express Forwarding (CEF): the most recent, fastest, and preferred Cisco IOS packet-forwarding mechanism. Table entries are not packet-triggered like fast switching but change-triggered (built in advance from the routing table and the ARP table).
used on ospf
*Dynamic routing protocols use their own rules and metrics to build and update routing tables, for example:
Routing Information Protocol (RIP) - hop count
Open Shortest Path First (OSPF) - cost, based on cumulative bandwidth from source to destination
Enhanced Interior Gateway Routing Protocol (EIGRP) - composite metric of bandwidth and delay (load and reliability can be included via the K values, but are off by default)
Fully specified static route - both the next-hop IP address and the exit interface are specified; used when the exit interface is a multi-access interface such as Ethernet
Default static route - used when the routing table does not contain a path for a destination network (it matches everything, the gateway of last resort):
ip route 0.0.0.0 0.0.0.0 {exit-intf | next-hop-ip}
Ch5
*Inter-VLAN routing: legacy inter-VLAN routing (one physical router interface per VLAN) vs router-on-a-stick (one physical trunk link with a virtual subinterface per VLAN)
*Verify with show run and show interfaces
*Layer 3 switch: a routed port is a physical port that acts similarly to an interface on a router
Routed ports are not associated with any VLANs
Layer 2 protocols, such as STP, do not function on a routed interface
Routed ports on a Cisco IOS switch do not support subinterfaces
To configure a routed port, use the no switchport interface configuration mode command
*The sdm prefer lanbase-routing template can be enabled to allow the switch to route between VLANs and to support static routing
*To troubleshoot Layer 3 switching issues, check the following items for
accuracy:
VLANs : VLANs must be defined across all the switches/VLANs must be
enabled on the trunk ports/Ports must be in the right VLANs
SVIs : SVI must have the correct IP address or subnet mask/SVI must be
up/SVI must match with the VLAN number
*Routing : Routing must be enabled/Each interface or network should be
added to the routing protocol
Ch6
*Floating static routes are static routes used to provide a backup path to a primary static or dynamic route in the event of a link failure. The floating static route is only used when the primary route is not available; to accomplish this, the floating static route is configured with a higher administrative distance than the primary route (e.g. AD 95 to back up an EIGRP route, whose AD is 90).
*Next-hop static route: the router performs a recursive lookup, i.e. it searches the table twice: first to resolve the next-hop address, then to find which exit interface is connected to that next hop.
*IPv6 static route forms: fully specified (required when the next hop is a link-local address, since the exit interface must be given too), next-hop only (global unicast address), directly attached (exit interface only)
(8-16-24)
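Added example, not from the original notes or from any vendor code: a small routing-table model that applies the selection order the notes describe. Longest prefix match comes first, administrative distance only breaks ties between routes to the same prefix from different sources, and a floating static route is simply a static route with an AD raised above the primary's. Class and function names, the sample prefixes and next hops are my own; the AD values are the Cisco IOS defaults.

```python
"""Added example (not from the original notes): how a router picks a route.
Longest prefix match comes first; administrative distance (AD) only decides
between routes to the *same* prefix from different sources, and the metric
only between routes from the same source. A floating static route is just a
static route given an AD higher than the primary route's source, so it is
installed only when the primary disappears. Class names and the sample
table are my own; the AD values are the Cisco IOS defaults."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str           # e.g. "10.1.1.0/24"
    source: str           # key into DEFAULT_AD
    next_hop: str
    metric: int = 0
    ad_override: Optional[int] = None   # "ip route ... <next-hop> 95" for a floating static

    def ad(self):
        return DEFAULT_AD[self.source] if self.ad_override is None else self.ad_override

    def network(self):
        return ipaddress.ip_network(self.prefix)


class RoutingTable:
    def __init__(self):
        self.candidates = []      # everything offered to the table

    def add(self, route):
        self.candidates.append(route)

    def withdraw(self, source):
        """Model a link failure: the routing protocol removes its routes."""
        self.candidates = [r for r in self.candidates if r.source != source]

    def installed(self):
        """Per prefix, install the candidate with the lowest (AD, metric)."""
        best = {}
        for r in self.candidates:
            cur = best.get(r.prefix)
            if cur is None or (r.ad(), r.metric) < (cur.ad(), cur.metric):
                best[r.prefix] = r
        return best

    def lookup(self, destination):
        """Longest-prefix match among installed routes; None if nothing matches."""
        ip = ipaddress.ip_address(destination)
        matches = [r for r in self.installed().values() if ip in r.network()]
        if not matches:
            return None
        return max(matches, key=lambda r: r.network().prefixlen)


def build_table():
    """Constructed table: default static, a /16 static, a /8 from RIP, and an
    EIGRP /24 protected by a floating static with AD 95."""
    rt = RoutingTable()
    rt.add(Route("0.0.0.0/0", "static", "203.0.113.1"))
    rt.add(Route("10.1.0.0/16", "static", "192.0.2.1"))
    rt.add(Route("10.0.0.0/8", "rip", "192.0.2.9", metric=2))
    rt.add(Route("10.1.1.0/24", "eigrp", "192.0.2.2", metric=30720))
    rt.add(Route("10.1.1.0/24", "static", "192.0.2.3", ad_override=95))
    return rt


def failover_demo():
    """Next hop for 10.1.1.7 before and after the EIGRP route is withdrawn."""
    rt = build_table()
    before = rt.lookup("10.1.1.7").next_hop
    rt.withdraw("eigrp")
    after = rt.lookup("10.1.1.7").next_hop
    return before, after


if __name__ == "__main__":
    rt = build_table()
    for dst in ("10.1.1.7", "10.1.5.9", "10.9.9.9", "8.8.8.8"):
        r = rt.lookup(dst)
        print(f"{dst:>10} -> {r.prefix:<14} via {r.next_hop} ({r.source}, AD {r.ad()})")
    print("failover:", failover_demo())
```

The RIP /8 route (AD 120) still wins for 10.9.9.9 over the static default (AD 1), because prefix length is compared before AD; the floating static for 10.1.1.0/24 only appears in the table once the EIGRP route to the same prefix is gone.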
*Interior Gateway Protocols (IGPs) are used for routing within an AS, while Exterior Gateway Protocols (EGPs) are used between ASes
*Distance vector protocols send periodic updates (RIPv1 and RIPv2 every 30 seconds, IGRP every 90 seconds), while link-state protocols (OSPF, IS-IS) send updates only when the network changes. EIGRP is an advanced distance vector protocol, not a link-state protocol, but it also uses triggered rather than periodic updates.
*Classful routing protocols (RIPv1, IGRP) do not send subnet mask information in their routing updates; the remaining protocols are classless and do.
*RIP and IGRP use the Bellman-Ford algorithm as their routing algorithm
EIGRP uses the Diffusing Update Algorithm (DUAL), developed by Cisco
*slide 51 >>>>>>>>>>> 60
*Routes in the table are discussed in terms of:
Ultimate route: an entry that contains a next-hop address and/or an exit interface (directly connected and link-local routes qualify)
Level 1 route: a route with a subnet mask equal to or less than the classful mask of the network address: a network route, a supernet route, or the default route
Level 1 parent route: a classful network entry created automatically when a subnet of that network is added; it has no next hop or exit interface itself, only child routes
Level 2 child routes: the subnets of the classful network that sit under a parent route
*Administrative distance: how trustworthy the route source is; used to choose between routes to the same prefix from different sources, lower is better (directly connected 0, static 1, EIGRP 90, OSPF 110, RIP 120)
Metric: the cost of that path, used to choose between routes learned by the same protocol
Ch8
*slide 9-10-11
*Dead interval is the period that the router waits to receive a Hello packet before declaring the neighbor down. Cisco's default is 4 times the Hello interval: 40 seconds (Hello 10 s; default on multiaccess and point-to-point networks), 120 seconds (Hello 30 s; default on NBMA networks, for example Frame Relay). Hello and dead intervals must match on both routers or no adjacency forms.
*slide 21 >>>>>26-29-30
*Passive interface: router ospf 10 / passive-interface g0/0. The interface's network is still advertised, but OSPF Hello packets are neither sent nor processed on it, so no adjacency can form there; use it on interfaces that face only hosts, so nobody on that segment can inject routes by forming an adjacency.
*OSPF uses a reference bandwidth of 100 Mb/s, so any link that is equal to or faster than a Fast Ethernet connection gets a cost of 1 and Fast Ethernet, Gigabit and 10 Gigabit links cannot be told apart; raise the reference bandwidth (identically on every router) to solve this. The default bandwidth on most serial interfaces is set to 1.544 Mb/s regardless of the real link speed, so set the interface bandwidth to the actual value.
*show ip ospf neighbor: to check that the router has formed adjacencies with the other routers, and to see their router IDs and neighbor states
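Added example, not from the original notes: the OSPF interface cost formula (reference bandwidth divided by interface bandwidth, truncated to an integer, minimum 1) and the cumulative path cost, run over a constructed two-path topology with the default 100 Mb/s reference and with a 10 Gb/s reference such as auto-cost reference-bandwidth 10000 would set. Function names and the sample paths are my own.

```python
"""Added example (not from the original notes): OSPF interface cost and
cumulative path cost. IOS computes cost = reference bandwidth / interface
bandwidth, truncated to an integer, minimum 1. With the default 100 Mb/s
reference every link at Fast Ethernet speed or above costs 1, so a Gigabit
path and a Fast Ethernet path tie; raising the reference bandwidth (set
identically on every router in the area) restores the distinction.
Function names and the sample topology are my own."""

# interface bandwidth in kb/s, as the `bandwidth` command / default reports it
BANDWIDTH_KBPS = {
    "serial-t1": 1544,           # default bandwidth on most serial interfaces
    "fastethernet": 100_000,
    "gigabitethernet": 1_000_000,
}


def ospf_cost(bandwidth_kbps, reference_mbps=100):
    """Cost of one interface: floor(reference / bandwidth), never below 1."""
    if bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    cost = (reference_mbps * 1000) // bandwidth_kbps
    return max(cost, 1)


def path_cost(links, reference_mbps=100):
    """Cumulative cost = sum of the outgoing-interface costs along the path."""
    return sum(ospf_cost(BANDWIDTH_KBPS[link], reference_mbps) for link in links)


def best_paths(paths, reference_mbps=100):
    """Return (names of lowest-cost paths, cost per path). More than one name
    means OSPF would load-balance over equal-cost paths."""
    costs = {name: path_cost(links, reference_mbps) for name, links in paths.items()}
    lowest = min(costs.values())
    return sorted(n for n, c in costs.items() if c == lowest), costs


# Constructed topology: three paths from one router to the same destination
SAMPLE_PATHS = {
    "gig-path": ["gigabitethernet", "gigabitethernet"],
    "fast-path": ["fastethernet", "fastethernet"],
    "serial-path": ["serial-t1"],
}


if __name__ == "__main__":
    for ref in (100, 10_000):
        chosen, costs = best_paths(SAMPLE_PATHS, ref)
        print(f"reference {ref} Mb/s: costs={costs} chosen={chosen}")
```

With the default reference the Gigabit and Fast Ethernet paths both cost 2 and traffic is split across them; with a 10 Gb/s reference the Gigabit path costs 20 against 200 and is chosen alone. The T1 link gives the familiar IOS values 64 and 6476.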
*OSPFv3 (OSPF for IPv6): FF02::5 is the all-OSPF-routers multicast address and FF02::6 is the DR/BDR (all-DR-routers) multicast address
Ch9
*Packet filtering (ACLs) works on layers 3 and 4 (source and destination IP address, protocol, source and destination port)
*Inbound and outbound ACLs deny everything by default: every ACL ends with an implicit deny, so traffic is only allowed when a permit statement matches it first
*Standard ACLs (numbers 1-99 and 1300-1999) filter on the source address only, vs extended ACLs (numbers 100-199 and 2000-2699) which also filter on protocol, destination address and port
*One ACL per protocol, per direction, per interface
*Steps to create an ACL: 1- base it on the security policies of the organization 2- write a description of what it should do 3- prepare it in a text editor 4- test it before deploying it
extended ACL
*Named ACLs use the same statements; replace the list number with a name
*slide 38: using a standard ACL on the vty lines (access-class) to restrict Telnet and SSH access, even though it can also be done with an extended ACL
*Extended ACLs match on source and destination IP address, protocol and port number. Structure: the router checks the statement's source address, then the destination address, then the protocol and the destination port, and makes a final permit or deny decision.
*slide 59>>>>>>>>>>>>>63
*IPv6 ACLs
*Commands: show access-lists, show ipv6 interface brief
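Added example, not from the original notes or from IOS: an evaluator that applies the ACL rules above (wildcard-mask matching, first match wins, implicit deny at the end, standard lists checking only the source) to a few constructed packets, including the same two standard entries in both orders to show why ordering matters. Class names, the ACL numbers used and the sample addresses are my own.

```python
"""Added example (not from the original notes): how an IOS-style ACL is
evaluated. Wildcard masks mark the bits that must match (0) and the bits
that are ignored (1); entries are tested top to bottom and the first match
decides; a packet that matches nothing hits the implicit deny at the end.
Standard lists (1-99, 1300-1999) look only at the source address; extended
lists (100-199, 2000-2699) also check protocol, destination and port.
Class names and the sample packets are my own."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def acl_type(number):
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not an IPv4 ACL number")


def wildcard_match(address, base, wildcard):
    """True if `address` equals `base` on every bit the wildcard sets to 0."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


ANY = ("0.0.0.0", "255.255.255.255")     # the "any" keyword


def host(ip):                            # the "host x.x.x.x" keyword
    return (ip, "0.0.0.0")


@dataclass
class Ace:
    """One access control entry."""
    action: str                       # "permit" or "deny"
    src: tuple = ANY                  # (address, wildcard)
    proto: str = "ip"                 # ip | tcp | udp | icmp
    dst: tuple = ANY
    dst_port: Optional[int] = None    # "eq <port>" on the destination

    def matches(self, pkt, kind):
        if not wildcard_match(pkt["src"], *self.src):
            return False
        if kind == "standard":
            return True               # standard ACLs stop at the source address
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


class Acl:
    def __init__(self, number, aces):
        self.kind = acl_type(number)
        self.aces = list(aces)

    def evaluate(self, pkt):
        """Return (action, index of matching ACE); index None = implicit deny."""
        for i, ace in enumerate(self.aces):
            if ace.matches(pkt, self.kind):
                return ace.action, i
        return "deny", None


# Constructed: extended ACL 110 allowing SSH anywhere and HTTP to one server
ACL_110 = Acl(110, [
    Ace("permit", ("192.168.10.0", "0.0.0.255"), "tcp", ANY, 22),
    Ace("permit", ("192.168.10.0", "0.0.0.255"), "tcp", host("10.0.0.5"), 80),
])

# Constructed: the same two standard ACEs in both orders; order decides
ACL_10_DENY_FIRST = Acl(10, [Ace("deny", host("192.168.10.7")),
                             Ace("permit", ("192.168.10.0", "0.0.0.255"))])
ACL_10_PERMIT_FIRST = Acl(10, list(reversed(ACL_10_DENY_FIRST.aces)))

SAMPLE_PACKETS = {
    "ssh": {"src": "192.168.10.7", "dst": "198.51.100.9", "proto": "tcp", "dport": 22},
    "http-ok": {"src": "192.168.10.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 80},
    "http-other": {"src": "192.168.10.7", "dst": "10.0.0.6", "proto": "tcp", "dport": 80},
    "telnet": {"src": "192.168.10.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 23},
    "outsider": {"src": "192.168.11.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 22},
}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:<10} {ACL_110.evaluate(pkt)}")
    print("deny-first:  ", ACL_10_DENY_FIRST.evaluate(SAMPLE_PACKETS["ssh"]))
    print("permit-first:", ACL_10_PERMIT_FIRST.evaluate(SAMPLE_PACKETS["ssh"]))
```

The index returned by evaluate is the equivalent of watching which line's match counter increments in show access-lists: a None index means the packet fell through to the implicit deny, and a permit entry placed after a broader deny is never reached, which is why the two standard lists give opposite answers for the same host.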
Ch10