Layer 2: Data Link - Dealing with Frames!

Frames

Ethernet Header & Trailer
- header (what's inside?):
	- preamble: 			
		- allows devices to sync receiver clocks
	- SFD (Start Frame Delimiter): 
		- 10101011
		- indicates end of preamble and beginning of rest of frame
	- Destination MAC address
	- Source MAC address
	- Type OR length: 
		- Type: indicates type of layer 3 protocol used in encapsulated packet. Almost always IPv4 or IPv6
			- value of 1536 or greater = type of encapsulated packet (usually IPv4 or IPv6)
				- ex: IPv4 = 0x0800 (hex) = 2048 (dec)
				- ex: IPv6 = 0x86DD (hex) = 34525 (dec)
				- ex: ARP  = 0x0806
		- length: indicates length of the data
			- value of 1500 or less = length of encapsulated packet (in bytes)
- trailer (what's inside?):
	- FCS (Frame Check Sequence): detect any errors from transmission
		- CRC (Cyclic Redundancy Check): algorithm run over received data to check for errors
			- detects, does NOT correct
- total size of header and trailer:
	- 26 bytes --> 18 bytes without preamble & SFD
		- preamble: 	7 bytes --> not usually considered part of Header
		- SFD: 			1 byte	--> not usually considered part of Header
		- destination: 	6 bytes
		- source: 		6 bytes
		- Type/length: 	2 bytes
		- FCS: 			4 bytes
- minimum size for ethernet frame (header + payload/packet + trailer) = 64 bytes
	- minimum payload size = 46 bytes (64-18)
				

ARP

ARP finds a host's hardware address when only its IP is known.

MAC Address:
	- first 3 bytes: OUI (Organizationally Unique Identifier)
		- assigned to company making device
	- last 3 bytes: unique to device itself
	- MAC Address tables delete MAC addresses after 5 minutes without use
	- known unicast frame: destination MAC is in the switch's MAC address table, switch forwards out that one port
	- unknown unicast frame: destination MAC is NOT in the table, switch floods the frame out every port except the one it arrived on (same treatment as a broadcast to FFFF.FFFF.FFFF)
	- 2 messages in ARP:
		1) ARP request: the host broadcasts (dest MAC FFFF.FFFF.FFFF) "who has this IP?"; switches only flood it
		2) ARP reply: the device that owns the IP replies unicast with its MAC
	- MAC address tables are stored on switches
	- ARP tables are stored on end hosts and routers (any device with an IP address)
	- Ping (ICMP) needs MAC address to find destination, even though you ping with an IP
				

VLANs

High-Level Overview:
	- normal traffic goes to switch, forwards to destination MAC
	- VLANs were created to segment broadcast domains
		- one VLAN cannot talk to another at layer 2 by design
			- a layer 3 device (router, or multilayer switch with SVIs) must route between VLANs for inter-VLAN communication
	- for a switch to send traffic on one link from multiple VLANs, a trunk port is required
		- trunk ports were created to handle traffic from multiple VLANs with 802.1Q tags (or ISL tags)
		- access ports belong to one VLAN, end hosts must connect to these
		- switches can be connected with access/trunk ports depending if communicating multiple VLANs
	- when sending traffic over trunk link, sending switch must add an 802.1Q tag to the ethernet header
		- this 802.1Q tag indicates which VLAN this frame came from, its priority, TPID type
	- all switchports are access ports in VLAN 1 by default, and VLAN 1 is the default Native VLAN on trunks
		- Native VLAN must match on both ends of every trunk; a mismatch lets untagged frames cross into another VLAN (change it to an unused VLAN for security)
	- VTP (VLAN Trunking Protocol): allows all switches to sync to one server switch
		- create VLANs once on the server switch and they propagate; whichever switch has the highest revision number overwrites everyone else's VLAN database
		- security risk: a stale or rogue switch with a higher revision number can wipe the VLANs of the whole domain
	- DTP (Dynamic Trunking Protocol): interface negotiates to become access/trunk port
		- enabled by default on Cisco switches

VLANs:
	- LAN: single broadcast domain 
		- group of devices that will receive a broadcast frame (dest MAC FFFF.FFFF.FFFF) sent by any other device on same domain
		- separated by routers
	- VLANs allow to minimize broadcast domains to only the devices that need to communicate with each other
		- same as installing a separate switch for each LAN you want separate, BUT VLANs make it easy and efficient
		- security & performance: frames aren't forwarded to all end hosts/switches
		- subnetting: a switch will still send a broadcast frame (FFFF) to all interfaces in the VLAN, even if the hosts are on different subnets
			- subnetting separates traffic (logically) at layer 3
			- VLANs separate traffic (logically) at layer 2
	- VLANs 1, 1002-1005 exist by default and cannot be deleted (5 VLANs minimum)
	- access port: switch port that belongs to a single VLAN (usually connects to end hosts) (AKA: untagged port)
	- trunk port: switch ports that allow multiple VLANs to send/receive traffic (AKA: tagged port 802.1Q / ISL)
		- routers and switches can use trunk ports
		- layer 2 switches need routers to send traffic between VLANs
		- 802.1Q encapsulation: additional tag added to ethernet frame to ID which VLAN traffic belongs to on a trunk
	- 2 trunking protocols:
		1) ISL (Inter Switch Link):
			- old Cisco proprietary protocol
		2) IEEE 802.1Q:
			- inserted between the source MAC address and the type/length field of the Ethernet header
			- 4 bytes (32 bits) 
			- 2 fields:
				1) TPID (Tag Protocol Identifier): 
					- 16 bits (2 bytes): always set to 0x8100: indicates the frame is .1Q tagged
				2) TCI (Tag Control Information): 
					1) PCP (Priority Code Point): 						
						- 3 bits: used for CoS (Class of Service): prioritize important traffic in congested networks
					2) DEI (Drop Eligible Indicator): 
						- 1 bit: indicate frames that can be dropped if network is congested
					3) VID (VLAN ID):
						- 12 bits: IDs the VLAN that the frame belongs to
							- 2^12 = 4096 maximum amount of VLANs (0-4095)
								- VLAN 0 & 4095 are reserved, can't be used
								- actual range of VLANs = 1 - 4094
									- Normal VLANs: 1 - 1005
									- Extended VLANs: 1006 - 4094
										- some older devices don't support extended range
			- Native VLAN (feature of 802.1Q): 
				- Native VLAN = VLAN 1 on all trunk ports by default
				- switch will not add an 802.1Q tag to frames in the Native VLAN, sends them untagged
					- untagged frames arriving on a trunk port are assumed to belong to the Native VLAN
					- if the two ends of a trunk disagree on the Native VLAN, untagged frames land in the wrong VLAN (VLAN hopping), so keep it consistent and move it off VLAN 1
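Added example (not part of the original notes) covering the Ethernet header layout from the Frames section above and the 802.1Q tag described here: it builds frames without preamble/SFD/FCS (the NIC handles those), decodes the type-or-length field by the 1500/1536 rule, walks one or more 802.1Q tags, and models what a trunk port does with the Native VLAN on egress. All MAC addresses, VLAN IDs and payloads are constructed.

```python
"""Ethernet II header and 802.1Q tag encoder/decoder.
Added example for these notes; the frames, MACs and VLAN IDs below are constructed."""
import struct

TPID_8021Q = 0x8100
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vids=()) -> bytes:
    """Frame as handed to the NIC: no preamble/SFD, no FCS (hardware adds both).
    Each VLAN ID in vids becomes one 802.1Q tag (outer first); PCP and DEI stay 0."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    payload = payload.ljust(46, b"\x00")          # 46-byte minimum payload (64 - 18)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode dst, src, any 802.1Q tags (outer first), then the type/length field."""
    if len(frame) < 14:
        raise ValueError("shorter than the 14-byte Ethernet header")
    dst, src, offset, tags = frame[:6], frame[6:12], 12, []
    # a tag sits between the source MAC and type/length; a double-tagged frame simply has two
    while struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    value = struct.unpack("!H", frame[offset:offset + 2])[0]
    if value >= 1536:
        kind, name = "type", ETHERTYPES.get(value, f"0x{value:04x}")
    elif value <= 1500:
        kind, name = "length", f"{value}-byte payload"
    else:
        kind, name = "invalid", "1501-1535 is not defined"
    return {"dst": mac_str(dst), "src": mac_str(src), "tags": tags, "kind": kind,
            "value": value, "name": name, "payload": frame[offset + 2:]}


def trunk_egress(frame: bytes, native_vid: int) -> bytes:
    """What a trunk port does on the way out: frames in the Native VLAN leave untagged."""
    tags = parse_frame(frame)["tags"]
    if tags and tags[0]["vid"] == native_vid:
        return frame[:12] + frame[16:]            # strip the 4-byte outer tag
    return frame


if __name__ == "__main__":
    # attacker on the native VLAN sends a frame tagged 1 (native) then 20
    double = build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", 0x0800, b"\x45" * 20, vids=(1, 20))
    for native in (1, 999):
        out = parse_frame(trunk_egress(double, native))
        print(f"native VLAN {native}: tags after trunk egress =", [t["vid"] for t in out["tags"]])
```

With the default Native VLAN 1 the outer tag is stripped on the trunk and the next switch sees a frame tagged only 20, so the frame hops into VLAN 20; with the Native VLAN moved to an unused ID the outer tag stays on and the trick fails. That is the practical reason behind the advice to change the Native VLAN.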

VLANs (Part 2):
- ROAS (Router On A Stick): 
	- trunking, router uses one interface, not separate for each VLAN, must config subinterfaces on one interface
	- don't need separate router interface for every VLAN
	- router strips the 802.1Q tag on the way in, routes the packet, and tags it for the destination VLAN on the way out (Native VLAN frames go untagged)
	- ex: g0/0 becomes g0/0.10, g0/0.20, g0/0.30
		- one physical interface, divided logically
	- to configure:
		- "interface g0/0" + "no shutdown" (physical interface must be up; it carries no IP of its own)
		- "interface g0/0.10"
			- "encapsulation dot1q 10" (10 = VLAN number; must be entered before the IP address)
			- "ip address 192.168..... 255.255.255...."
		- repeat this for every subinterface: "int g0/0.20" "encap dot1q 20" "ip add ... ..."
		- verify with "show ip int br" (IPs only on subinterfaces, none on g0/0) and "show ip route" (one connected route per VLAN)

VLANs (Part 3):
	- Native VLAN on a router (ROAS):
		- 2 methods to config Native VLAN on router:
			1) manually set the Native VLAN on a subinterface: "encapsulation dot1q 10 native" (frames for VLAN 10 are then sent untagged)
			2) configure the Native VLAN's IP on the router's physical interface (no subinterface for it)
				- untagged frames between switch and router are then treated as the Native VLAN in both directions
		- recommended to change the Native VLAN to an unused VLAN for security; if you do put hosts in the Native VLAN, the physical interface method is the simpler one
	- layer 3 switching / multilayer switching:
		- capable of switching and routing
		- layer 3 aware
		- can assign IPs to interfaces like a router (routed ports)
		- can create virtual interfaces for each VLANs and assign IPs to them (just like ROAS)
		- can configure routes like a router
		- can be used for inter-VLAN routing
			- SVI (Switch Virtual Interfaces): virtual interfaces you can assign IPs to in a multilayer switch
				- config each PC to use SVI as gateway address (NOT router like with ROAS)
				- config default route to router, all traffic not in VLANs will be sent to router
					- conditions for a VLAN to be up up:
						1) VLAN must exist on switch
							- assigning an access port for a VLAN will create the VLAN if not existent
							- creating an SVI for a VLAN will NOT create the VLAN automatically
						2) switch must have an access or trunk port in VLAN that's up up
						3) VLAN must not be shutdown
						4) SVI must not be shutdown
		- best to use, better than ROAS because traffic doesn't all go to router, more efficient
		- each subnet has its own VLAN (subnet = divide network @ layer 3 | VLAN = divide network @ layer 2)

				

DTP/VTP

DTP (Dynamic Trunking Protocol) & VTP (VLAN Trunking Protocol):
- DTP: allows switches to auto negotiate status of switchports to be either access or trunk ports (ONLY between switches)
	- Cisco proprietary protocol 
	- enabled by default on Cisco switch interfaces
	- for security, DTP should be disabled
	- 2 DTP modes:
		- dynamic auto: passively forms trunks (only if connected to 'desirable' or 'trunk' interface modes)
		- dynamic desirable: actively forms trunks (with every connection except 'access' mode)
	- switches that support both 802.1Q & ISL can use DTP to negotiate which encapsulation to use
		- ISL is favored over 802.1Q, will be selected 
		- ISL uses VLAN 1 for DTP frames
		- 802.1Q uses Native VLAN for DTP frames
- VTP: config all VLANs from a central switch & all switches sync to it
	- Cisco proprietary protocol
	- NOT recommended: connecting an old switch with a higher revision # will make all switches sync to it and can wipe the VLAN database
	- 3 versions of VTP (1,2,3) --> VTPv3 supports extended VLAN range, v1 & v2 don't
	- 3 VTP modes:
		1) server (default): 
			- add, modify, delete VLANs
				- will increase revision number every time a VLAN is added/modded/deleted
					- highest revision number indicates most recent config
					- VTP server advertises latest VLAN database revision to clients for syncing (only sent on trunk ports)
			- store VLAN database in NVRAM (Non-Volatile RAM)
			- VTP server functions also as client (can sync to other servers with higher revision #)
		2) client: 
			- sync with server with highest revision number in VTP domain (no adding/moding/deleting VLANs)
			- advertise their VLAN database and forward VTP ads to other clients over trunk ports
			- do not store database in NVRAM (VTPv3 client DOES store in NVRAM)
		3) transparent: 
			- does not participate in VTP domain (does not sync its VLAN database)
			- maintains own database in NVRAM, doesn't advertise
			- will forward VTP ads that are in same domain
	- 2 ways to reset revision number:
		- change VTP domain to an unused domain
		- change VTP mode to transparent
		-* do this if connecting an old switch to a network that uses VTP
	- if switch with no vtp domain receives a vtp ad with a domain name, it will auto join that domain & sync its database
	- vtp does not auto assign interfaces to vlans

				

STP

STP (Spanning Tree Protocol):
	- layer 2 protocol
	- layer 2 loops: Ethernet frames have no TTL, so a broadcast (or unknown unicast) in a looped topology circulates forever
		- broadcast storm: copies keep multiplying until links and switch CPUs are saturated, no room left for real traffic
	- MAC address flapping: the same source MAC keeps arriving on different interfaces as the looped frame circles, so the switch keeps rewriting that MAC table entry
	- versions of STP:
		- IEEE STP 802.1D: original STP, all VLANs share one STP instance, no load balancing
			- PVST+: Cisco's improved 802.1D --> ea. VLAN has its own STP instance, load balance blocking VLAN ports
		- Rapid STP 802.1w: faster at adapting, no 30/50 sec wait, no load balancing (VLANs share one STP instance)
			- Rapid PVST+ (Per-VLAN Spanning Tree Plus): Cisco's Improved 802.1w --> adds load balancing
				- Exam topics mention Rapid PVST+ ONLY
		- Multiple STP 802.1s: now the industry standard (IEEE), no improvement from Cisco
			- can group VLANs into diff instances to load balance (ex: VLANs 1-5 in instance 1, 6-10 in instance 2)
	- classic STP (IEEE 802.1D):
		- STP creates a single path to/from each point on network
		- prevents loops by placing redundant ports in blocking state 
			- these interfaces act as backups, can enter forwarding state if another int fails
		- forwarding state: interfaces that send and receive normally
		- blocking state: interfaces that only forward/receive STP messages called BPDUs
			- BPDU (Bridge Protocol Data Unit)
		- STP enabled switches send/receive Hello BPDUs out of all interfaces once every 2 seconds
			- if switch receives a Hello BPDU, it knows it is connected to another switch (cause end hosts don't send BPDUs)
		- STP Convergence Process:
			1) switches use the Bridge ID (a field in the BPDU) to elect a Root Bridge for the network
			    - switch with lowest Bridge ID becomes Root Bridge
					- Bridge ID: 
						- Bridge Priority: 16 bits (32768 default on all switches)
							- Lowest Bridge Priority becomes Root Bridge
						- MAC Address: 48 bits
							- tie breaking of Bridge Priority: lowest MAC Address becomes Root Bridge
					- Bridge ID (Updated for PVST+):
						- Bridge Priority: 16 bits 
							- default 32769 (add one because default VLAN = 1)
								- can be changed in units of 4096 
							- Extended System ID (VLAN ID) = 12 bits
						- MAC Address: 48 bits (same as before)
				- all ports on Root Bridge are put in forwarding state (all other switches must have path to it)
						- more accurate: the Root Bridge has one designated port in each Collision Domain it's connected to
							- if connected with 2 ints to a hub, only one will be designated, one is backup
								- in classic STP, would be a non-designated port (not backup)
			2) each remaining switch will select ONE of its interfaces to be its Root Port
				- interface with lowest Root Cost will be root port
				- Root Cost = total cost of interfaces along path to root bridge
				- Root Bridge = 0 Cost on all interfaces, only other switches have cost
				-*** Root Costs:
					- 10  Mb/s = 100 STP cost
					- 100 Mb/s = 19 STP cost
					- 1  Gb/s  = 4 STP cost
					- 10 Gb/s  = 2 STP cost
				- if mult interfaces with same Root Cost, int connected to neighbor w lowest Bridge ID will be Root Port
					- Bridge ID = Bridge Priority + MAC Address = lowest
				- if both of the above have ties for the lowest, the int connected with lowest port ID will be Root Port
					- Port ID = 128.Port# --> ex: 128.1
					-* the lowest Neighbor switch's Port ID will break the tie (G0/0 wins over G0/1 on neighbor int)
				- Root Port is in forwarding state (same state as a Designated Port, but a different role)
				 			 = the switch's single path to the Root Bridge; always connects to a Designated Port on the upstream switch
			3) designated & non-designated ports:
				- each collision domain (link) has exactly one STP designated port (forwarding)
					- the end with the lowest Root Cost is designated; ties broken by lowest Bridge ID, then lowest Port ID
					- every port on the Root Bridge is designated (cost 0)
				- a port that is neither root nor designated becomes non-designated (blocking)
		- switch assumes root by default, gives up when receives a superior BPDU (lower bridge id)
		- once all switches agree on root bridge, ONLY root bridge will send BPDUs
			- all switches will forward BPDUs from the root bridge but not send their own
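Added example (not from the original notes) that runs the three convergence steps above on a constructed topology: lowest Bridge ID elects the root, Dijkstra over the 802.1D port costs gives each switch its Root Cost, each non-root switch picks one Root Port using the cost / neighbor Bridge ID / neighbor Port ID tie-breaks, and every link gets exactly one Designated Port with the leftover end blocking. Switch names, MACs, priorities and link speeds are made up.

```python
"""Classic STP (802.1D) election on a small topology: root bridge, root ports,
designated ports, blocking ports. Added example for these notes; the switches,
MACs and links are constructed."""
import heapq

STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # Mb/s -> 802.1D port cost


class Switch:
    def __init__(self, name, mac, priority=32769):  # 32768 + VLAN 1, as in PVST+
        self.name, self.mac, self.priority = name, mac, priority

    @property
    def bridge_id(self):
        # compared as a tuple: priority first, MAC breaks the tie; lowest wins
        return (self.priority, int(self.mac.replace(".", ""), 16))


def port_id(port):
    """'G0/3' -> (128, 3): default port priority 128, then the port number."""
    return (128, int(port.rsplit("/", 1)[-1]))


def run_stp(switches, links):
    """links: (switch_a, port_a, switch_b, port_b, speed_mbps).
    Returns (root name, root cost per switch, {(switch, port): role})."""
    sw = {s.name: s for s in switches}
    root = min(switches, key=lambda s: s.bridge_id).name
    adj = {s.name: [] for s in switches}        # (neighbor, my port, neighbor port, cost)
    for a, pa, b, pb, speed in links:
        adj[a].append((b, pa, pb, STP_COST[speed]))
        adj[b].append((a, pb, pa, STP_COST[speed]))

    # root cost = cheapest sum of port costs on the path to the root (root itself is 0)
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > cost[n]:
            continue
        for nb, _, _, c in adj[n]:
            if d + c < cost.get(nb, float("inf")):
                cost[nb] = d + c
                heapq.heappush(heap, (d + c, nb))

    roles = {}
    # 1) every non-root switch picks ONE root port: lowest root cost via that neighbor,
    #    then lowest neighbor bridge ID, then lowest neighbor port ID
    for s in sw:
        if s != root:
            _, my_port, _, _ = min(
                adj[s], key=lambda e: (cost[e[0]] + e[3], sw[e[0]].bridge_id, port_id(e[2])))
            roles[(s, my_port)] = "root"
    # 2) every link gets exactly ONE designated port: the end with the lowest
    #    (root cost, bridge ID, port ID); what is left over is non-designated (blocking)
    for a, pa, b, pb, _ in links:
        ka = (cost[a], sw[a].bridge_id, port_id(pa))
        kb = (cost[b], sw[b].bridge_id, port_id(pb))
        des, other = ((a, pa), (b, pb)) if ka < kb else ((b, pb), (a, pa))
        roles[des] = "designated"
        roles.setdefault(other, "non-designated")
    return root, cost, roles


if __name__ == "__main__":
    switches = [Switch("SW1", "0000.0000.0001"), Switch("SW2", "0000.0000.0002"),
                Switch("SW3", "0000.0000.0003")]
    links = [("SW1", "G0/1", "SW2", "G0/1", 1000),
             ("SW1", "G0/2", "SW3", "G0/1", 100),     # slower link: cost 19
             ("SW2", "G0/2", "SW3", "G0/2", 1000)]
    root, cost, roles = run_stp(switches, links)
    print("root bridge:", root, "| root costs:", cost)
    for (s, p), role in sorted(roles.items()):
        print(f"{s} {p}: {role}")
```

In this topology SW3 reaches the root more cheaply through SW2 (4 + 4 = 8) than over its direct 100 Mb/s link (19), so SW3's G0/2 becomes the Root Port and its G0/1 is the blocked, non-designated end of the SW1-SW3 link. Lowering a priority (e.g. 24577 on SW3) moves the root and recomputes everything, which is exactly what Root Guard is meant to stop on ports where that must not happen.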

	- STP states/timers: 
		- states: 
			- blocking: stable
				- disabled to prevent loops
				- only receive BPDUs
				- do NOT forward BPDUs
			- forwarding: stable
				- need to go through listening and learning states first
				- sends/receives normal traffic
				- receives/forwards BPDUs
				- Learns MAC addresses from regular traffic that arrives on interface
			- listening: transitional
				- only receives/forwards BPDUs
			- learning: transitional
				- exactly the same as listening state except one thing:
					- Learns MAC addresses from regular traffic that arrives on interface
			- disabled: administratively disabled
		- timers:
			- Hello timer: 2 seconds
				- how often root bridge sends Hello BPDUs
			- Forward delay: 15 seconds
				- how long switch will stay in listening/learning states
					- 30 sec for both total
			- Max age: 20 sec (10* Hello BPDUs)
				- how long int will wait after ceasing to receive Hello BPDUs to change the STP topology (10x Hello BPDUs)
				- changing a blocking state port to forwarding then requires additional 30 sec for listening & learning
					- total time to acommodate ports if one int goes down = 50 sec (20 sec max age + 30 sec forwarding delay)
			* spanning tree timers on root bridge determine timers on rest of switches
	- STP BPDU fields: 
		-* PVST+ Destination: 0100.0ccc.cccd
			- PVST+: supports 802.1Q
			-* regular STP: uses a dest MAC of 0180.c200.0000
		- protocol ID: 0x0000
		- protocol version ID
		- BPDU type
		- BPDU flags
		- root ID
		- root path cost: 0=root bridge
		- bridge ID: ID of the switch that sent this BPDU (root ID above is the root bridge)
		- port ID: port that sent the BPDU
		- message age: increase by 1 each time its forwarded by another switch
		- max age
		- hello time
		- forward delay
	- STP optional features (Spanning Tree Toolkit): 
		- PortFast: can be enabled on int that are connected to end hosts
			- doesn't require 30 sec for forwarding delay (listening & learning states)
			- allows int to move immediately to forwarding state
			- don't use between switches, can cause layer 2 loop
			- risk to using portfast if someone plugs in a switch where it was enabled
		- BPDU Guard: 
			- if an int with BPDU Guard enabled receives a BPDU from another switch, int will shut down to prevent loop
			- BPDU Guard can be enabled on PortFast enabled interfaces to prevent loops in case a switch is plugged in
		- Root Guard: 
			- if an int with Root Guard receives a superior BPDU (lower bridge ID), the switch won't accept the new switch as root; the int goes into a 'root-inconsistent' blocking state until the superior BPDUs stop
			- enable on ports facing switches that must never become root (e.g. toward the access layer); helps maintain the STP topology
		- Loop Guard: 
			- if an int stops receiving BPDUs (possible unidirectional link), it won't move to forwarding; the int goes into a 'loop-inconsistent' blocking state and recovers when BPDUs return
		- STP load balancing:
			- blocking different ints depending on vlan

	- STP: only root bridge creates BPDUs and other switches just forward them
	- RSTP: all switches create and send their own BPDUs from their designated ports
		- uses negotiation process instead of timers for most things
		- only waits for 3 missed Hello BPDUs to consider a neighbor lost (6 sec, vs 20sec for STP)
			- if neighbor lost, switch will flush (delete) all MAC addresses learned on that interface
		- RSTP distinguishes between 3 'link types':
			- link types describe if the link is full duplex, half duplex or portfast enabled
			1) Edge: a port connected to end host, moves directly to forwarding without negotiation
				- exactly like PortFast (built into RSTP)
				- configure Edge port by configuring PortFast "spanning-tree portfast"
				- Edge ports are usually ALSO point-to-point (full-duplex)
			2) Point-to-Point: direct connections between 2 switches
				- port that runs full-duplex
				- automatically detects
				- manual config: "spanning-tree link-type point-to-point"
			3) Shared: connection to hub
				- port that runs half-duplex
				- automatically detects
				- manual config: "spanning-tree link-type shared"
				- if a hub is connected to endpoints, it should be both a Shared and Edge port
	- similarities between STP and RSTP
		- both serve same purpose: blocking ports to prevent layer 2 loops
		- RSTP elects a root bridge same way as STP
		- RSTP elects root ports same way as STP
		- RSTP elects designated ports same way as STP
	- RSTP Port Costs:
		- 10Mb/s 	= 2,000,000
		- 100Mb/s 	= 200,000
		- 1Gb/s 	= 20,000		
		- 10Gb/s 	= 2000
		- 100 Gb/s 	= 200
		- 1Tb/s 	= 20
		- 10 Tb/s 	= 2
	- RSTP states:
		- Discarding: Blocking and Disabled states combined into one
			- administratively shutdown ports are in 'discarding' state (formerly disabled)
			- blocking state is now also called 'discarding' state
		- Learning
		- Forwarding
		-* Listening state no longer used
	- RSTP Port Roles:
		- root port: same as STP
		- designated port: same as STP
		- non-designated port: split into 2 separate roles in RSTP
			1) alternate port: 
				- discarding port that receives a superior BPDU from another switch
					- same as blocking port in STP
				- functions as backup to root port
				- if root port fails, alternate becomes root IMMEDIATELY
					- operates like an optional feature in STP called 'UplinkFast'
			2) backup port:
				- discarding port that receives a superior BPDU from another interface on the SAME switch (itself)
				- this only happens when two ints are connected to same collision domain (via a hub)
					- probably won't encounter backup ports cause hubs aren't used anymore
				- backup ports function as a backup for a designated port
					- if designated port fails, backup port IMMEDIATELY begins forwarding traffic as a designated port
					- interface with lowest port ID will be designated port, other will be backup port

			- 'UplinkFast': optional feature from STP built into RSTP
				- does same thing as alternate port in RSTP
				- if root port fails, alternate becomes root IMMEDIATELY
			- 'BackboneFast': optional feature from STP built into RSTP
				- when a switch receives an inferior BPDU (a neighbor lost its path to the root and now claims to be root), it can expire max age IMMEDIATELY instead of waiting the full 20 sec
					- skips the timer, so convergence is faster
			- 'PortFast': Build into RSTP and called an 'Edge link'
		- RSTP switches can work with STP switches, just use STP with them (slower)
	- RSTP BPDU:
		- protocol version = 2 (vs STP v0)
		- BPDU type = 2 (vs STP type0)
		- uses all 8 bits in BPDU flags (vs STP using 2 bits out of 8)
			- allows to be faster
	- difference between link types and port roles:
			- link types describe the link itself: full duplex (point-to-point), half duplex (shared) or facing an end host (edge)
			- port roles describe what STP decided the port does: root, designated, alternate or backup
	- Reminders: 
		- root ports must be connected to designated ports

Resources:
Theory: https://www.youtube.com/watch?v=N_gBudULCu0
Electing Ports: https://www.youtube.com/watch?v=tcPe0KpIR7s
Electing Ports: https://www.youtube.com/watch?v=D56XiSWX6ts
Great Blog: https://networklessons.com/cisco/ccna-200-301/introduction-to-spanning-tree
			  

Etherchannel

EtherChannel:
	- AKA: LAG (Link Aggregation Group)
	- AKA: Port Channel
	- group multiple physical interfaces into a group which operates as a single logical interface
		- behave as if they are one single interface
	- Layer 2 EtherChannel: group of switchports that operate as single interface
	- layer 3 EtherChannel: group of routed ports (on a router or multilayer switch) that operate as a single interface with its own IP
	- A-Switch: Access Layer switch --> end hosts connect to it
	- D-Switch: Distribution Layer switch --> Access Layer switches connect to it
	- Oversubscription: when bandwidth of interfaces connected to end hosts (A-Switch) > bandwidth of connection to D-Switch
		- some oversubscription is acceptable, but too much will cause congestion

	- Reason for EtherChannel:
	- connecting 2 switches with multiple links, Spanning Tree will block all except one
		- cannot lessen load on one interface by adding multiple connections between the switches
		- EtherChannel solves this by combining multiple ints into one logical int
			- provides redundancy & increased bandwidth
			- STP treats EtherChannel as a single interface
			- traffic using EtherChannel will be load balanced among the physical ints in the goup
				- an algorithm is used to determine which traffic uses which physical interface
					- can change the inputs used in the calculation:
						- Source MAC or IP: all frames from a source always uses x physical interface
						- Destination MAC or IP: all frames to a dest always uses y physical interface
						- Source MAC/IP & Destination MAC/IP: all frames between two hosts always use z physical interface
						- some support based on layer 4 (TCP/UDP)
						- older devices may only support some of these inputs
				- behaves as one interface though, won't send the same frame on all 4 physical interfaces at once (only 1)
				- ex: 4 physical 1Gb/s interfaces in an EtherChannel = 1 virtual 4Gb/s interface
	- EtherChannel load balancing:
		- balances loads based on 'flows'
			- flow: communication between 2 nodes in the network
			- frames in the same flow will be forwarded using the same physical interface (algorithm determines it on first com)
				- ex: pc1 sending data to srv1 will use the same physical interface every time
					- the physical int that is used is calculated the first time they connect
				- if frames in same flow were sent using diff physical ints, frames may arrive out of order
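Added example (not from the original notes) of the flow-based load balancing described above: each "port-channel load-balance" method feeds a different set of header fields into a hash, and the result picks one member link, so a given flow always uses the same physical interface. The hash here is a plain XOR fold (real switches use their own hash, this is not a vendor algorithm) and the MACs, IPs and ports are constructed; the distribution counts show why the choice of method matters.

```python
"""Flow-based EtherChannel load balancing.
Added example for these notes: the hash is a simple XOR fold (vendor hashes differ)
and all addresses are constructed."""
import ipaddress
import struct
from collections import Counter


def _mac(m): return bytes.fromhex(m.replace(":", ""))
def _ip(a): return ipaddress.ip_address(a).packed
def _port(p): return struct.pack("!H", p)


# which header fields each load-balance method feeds into the hash
FIELDS = {
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",), "dst-ip": ("dst_ip",), "src-dst-ip": ("src_ip", "dst_ip"),
    "src-dst-port": ("src_ip", "dst_ip", "src_port", "dst_port"),   # layer 4 aware
}
ENCODE = {"src_mac": _mac, "dst_mac": _mac, "src_ip": _ip, "dst_ip": _ip,
          "src_port": _port, "dst_port": _port}


def select_member(flow: dict, method: str, n_members: int) -> int:
    """Index of the physical link that carries this flow; same inputs -> same link, always,
    which is what keeps frames of one flow in order."""
    data = b"".join(ENCODE[f](flow[f]) for f in FIELDS[method])
    h = 0
    for b in data:
        h ^= b                      # fold every byte of the chosen fields into one value
    return h % n_members


def distribute(flows, method: str, n_members: int = 4) -> Counter:
    """How many of the given flows land on each member link."""
    return Counter(select_member(f, method, n_members) for f in flows)


def sample_flows():
    """One PC talking to eight servers (constructed addresses)."""
    return [{"src_mac": "00:11:22:33:44:55", "dst_mac": f"00:aa:bb:cc:dd:{k:02x}",
             "src_ip": "10.0.1.10", "dst_ip": f"10.0.0.{k + 1}",
             "src_port": 50000 + k, "dst_port": 443} for k in range(8)]


if __name__ == "__main__":
    for method in ("src-mac", "dst-mac", "src-dst-ip", "src-dst-port"):
        print(f"{method:13s} -> flows per member link: {dict(distribute(sample_flows(), method))}")
```

With "src-mac" every flow from the single PC hashes to the same member, so a 4 x 1 Gb/s bundle carries that host's traffic on one 1 Gb/s link; "dst-mac" or "src-dst-ip" spreads the same flows across all four. Pick the method whose fields actually vary in the direction the traffic travels.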
	- EtherChannel Configuration (3 methods):
		1) PAgP (Port Aggregation Protocol): 
			- Cisco proprietary
			- dynamically negotiates creation/maintenance of EtherChannel (like DTP does for trunks)
			- frames are sent to neighboring switch to determine whether to form an EtherChannel or not
		2) LACP (Link Aggregation Control Protocol):
			- IEEE 802.3ad industry standard (now maintained as IEEE 802.1AX)
			- does same thing as PAgP
			- NON-proprietary: can be used to form EtherChannels on Juniper, etc...
			- Exam topics only state LACP, it is industry standard (best to use)
		3) Static EtherChannel:
			- no protocol: doesn't determine if EtherChannel should be formed dynamically
			- interfaces are statically configured to form an EtherChannel
			- usually avoided
		- up to 8 interfaces can form an EtherChannel
		- LACP allows up to 16 (8 active & 8 standby)
		- all interfaces on an EtherChannel (member interfaces) must have matching configs: 
			- same duplex 
			- same speed
			- same switchport mode (access/trunk)
			- same allowed VLANs/native VLAN (for trunk interfaces)
			* if an int config doesn't match the others, it will be excluded from EtherChannel

			  

CDP/LLDP

CDP (Cisco Discovery Protocol) & LLDP (Link Layer Discovery Protocol):
	- Layer 2 discovery protocols:
		- share info with and discover info about neighboring network devices
		- don't use IPs, operate at layer 2, although can share IPs and layer 3 info
		- can be a security risk: they advertise device model, software version and IP addresses to anyone on the link, so they are often disabled, at least on ports facing end users or untrusted networks

	- CDP:
		- Cisco proprietary (only works on Cisco devices)
		- enabled by default on Cisco devices
		- operate on all network devices (routers, switches, firewalls, IP phones, etc...)
		- CDP messages periodically (every 60 sec by default) sent to MAC 0100.0CCC.CCCC
			- when device receives CDP message, it processes & discards the message
			- receiving devices NEVER forward CDP messages
			- CDP neighbor table keeps CDP info
			- 180 sec holdtime: if message isn't received from neighbor, will remove from CDP neighbor table after 180 sec

		- "show cdp" 				displays CDP information on the device
		- "show cdp traffic" 		shows statistics of CDP traffic
		- "show cdp interface" 		provides CDP information per interface
		- "show cdp neighbors" 		lists directly connected neighbors discovered by CDP
		- "show cdp neighbors detail" 	displays detailed information about CDP neighbors
		- "show cdp entry <name>" 	shows detailed information about a specific CDP neighbor
		- "[no] cdp run" 			enables or disables CDP globally
		- "[no] cdp enable" 		enables or disables CDP on a specific interface
		- "cdp timer <seconds>" 	sets the interval between CDP update packets (default 60)
		- "cdp holdtime <seconds>" 	sets the holdtime for CDP messages (default 180)
		- "cdp advertise-v2" 		enables the advertisement of CDPv2 packets

	- LLDP:
		- Industry standard IEEE 802.1AB
		- disabled by default on Cisco devices
		- devices can run LLDP & CDP simultaneously
		- can learn OS version of neighbors
		- LLDP messages periodically (every 30 sec by default) sent to MAC 0180.C200.000E
			- when device receives LLDP message, it processes & discards the message
			- receiving devices NEVER forward LLDP messages
			- LLDP neighbor table keeps LLDP info
			- 120 sec holdtime: if no message is received from a neighbor for 120 sec, it is removed from the LLDP neighbor table
			- 2 sec reinitialization timer: prevent flapping

		- "show lldp"
		- "show lldp traffic"
		- "show lldp interface"
		- "show lldp neighbors"
		- "show lldp neighbors detail"
		- "show lldp entry <name>"
		- "[no] lldp run" --> enable/disable LLDP
		- "lldp transmit" --> enable LLDP transmission on specific interface
		- "lldp receive" --> enable LLDP receiving on specific interface
			- usually must enable transmit & receive
		- "lldp timer <seconds>" --> interval between LLDP messages (default 30)
		- "lldp holdtime <seconds>" --> how long a neighbor entry is kept (default 120)
		- "lldp reinit <seconds>" --> reinitialization delay (default 2)
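Added example (not from the original notes) that builds and decodes an LLDP frame TLV by TLV: destination MAC 0180.C200.000E, EtherType 0x88CC, then the mandatory Chassis ID, Port ID and TTL TLVs followed by the optional System Name and System Description. The neighbor shown is constructed, not a real capture, and the system description string is invented; it stands in for the OS version a real device would advertise, which is the information leak the notes above warn about.

```python
"""Build and decode an LLDP frame (IEEE 802.1AB) TLV by TLV.
Added example for these notes; the neighbor below is constructed, not a real capture."""
import struct

LLDP_MCAST = "01:80:c2:00:00:0e"
ETH_LLDP = 0x88CC
TLV_NAMES = {1: "Chassis ID", 2: "Port ID", 3: "TTL", 4: "Port Description",
             5: "System Name", 6: "System Description", 7: "System Capabilities",
             8: "Management Address"}


def _mac(m): return bytes.fromhex(m.replace(":", ""))


def tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header is 16 bits: 7-bit type, 9-bit length, then the value."""
    if len(value) > 511:
        raise ValueError("TLV value longer than 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp(src_mac, chassis_mac, port_name, ttl, sys_name, sys_desc) -> bytes:
    body = (tlv(1, b"\x04" + _mac(chassis_mac))       # Chassis ID subtype 4 = MAC address
            + tlv(2, b"\x05" + port_name.encode())      # Port ID subtype 5 = interface name
            + tlv(3, struct.pack("!H", ttl))            # seconds the receiver keeps this entry
            + tlv(5, sys_name.encode())
            + tlv(6, sys_desc.encode())                 # this is where the OS version leaks
            + tlv(0, b""))                              # End of LLDPDU
    return _mac(LLDP_MCAST) + _mac(src_mac) + struct.pack("!H", ETH_LLDP) + body


def parse_lldp(frame: bytes) -> dict:
    """Return {TLV name: decoded value}; unknown TLVs are kept as hex."""
    if frame[:6] != _mac(LLDP_MCAST) or struct.unpack("!H", frame[12:14])[0] != ETH_LLDP:
        raise ValueError("not an LLDP frame")
    out, off = {}, 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        t, length = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + length]
        off += 2 + length
        if t == 0:                                      # End of LLDPDU
            break
        name = TLV_NAMES.get(t, f"type {t}")
        if t == 1 and value[:1] == b"\x04":
            out[name] = ":".join(f"{b:02x}" for b in value[1:])
        elif t == 2:
            out[name] = value[1:].decode(errors="replace")
        elif t == 3:
            out[name] = struct.unpack("!H", value)[0]
        elif t in (4, 5, 6):
            out[name] = value.decode(errors="replace")
        else:
            out[name] = value.hex()
    return out


if __name__ == "__main__":
    frame = build_lldp("00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:00", "GigabitEthernet0/1", 120,
                       "SW1", "Constructed vendor OS 15.2 (example string, not a real banner)")
    for k, v in parse_lldp(frame).items():
        print(f"{k:19s}: {v}")
```

Anyone plugged into a port where LLDP (or CDP) transmit is left on can read the same fields with a packet capture, which is why the notes recommend disabling the protocol on ports that do not need it.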
			  

DAI

Dynamic ARP Inspection (DAI):
	- ARP: learn MAC with known IP within LAN
	- Gratuitous ARP: an ARP message (usually a reply) sent without any request, to the broadcast MAC FFFF.FFFF.FFFF, announcing the sender's own IP-to-MAC mapping; hosts update their ARP tables from it, which is what ARP poisoning abuses
	- Dynamic ARP Inspection:
		- inspects ARP messages similarly to DHCP snooping (untrusted ports)
		- all ports = untrusted by default
			- ports connected to hosts should be untrusted
			- ports connected to other network devices should be trusted
	- How it works:
		- untrusted ports check
		- checks Sender MAC & IP of ARP message + one of the following:
			- matching entry in DHCP snooping binding table
			- matching entry in ARP ACL (IP mapped to MAC): useful for non-DHCP hosts
		- DAI rate-limiting enabled by default on untrusted ports (15 ARP packets per second) (vs DHCP snooping rate-limiting, disabled by default)
			- if more ARP messages are received on the interface than the limit, the port is err-disabled - same as DHCP snooping rate-limiting
	- What attacks it prevents:
		- ARP Poisoning: man in the middle, manipulate ARP tables by sending Gratuitous ARP messages

----------------------------------------------------------Configuration----------------------------------------------------------
		- "ip arp inspection vlan 1"
		- "int range g0/0-2"
		- "ip arp inspection trust"
		- "show ip arp inspection interfaces"
		- "ip arp inspection limit rate 25 burst interval 2" --> 25 packets per 2 seconds
		- Optional Checks:
			- "ip arp inspection validate {dst-mac | ip | src-mac}"
				- ip option = check for invalid IPs
				- dst-mac option = dst-mac in ethernet header vs target MAC in ARP message
				- to enable all 3, must put all on one line, separate will overwrite last one
		- Rate-limiting Reset:
			- "shutdown" "no shutdown"
			- "errdisable recovery cause arp-inspection"
			- "show errdisable recovery"
		- ARP ACLs:
			- "arp access-list ARP-ACL-1"
			- "permit ip host <ip> mac host <mac>"
			- "ip arp inspection filter ARP-ACL-1 vlan 1"
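Added example (not from the original notes) that ties the ARP section near the top of the page to the DAI checks above: it encodes ARP requests and replies inside Ethernet frames, then runs them through a model of "ip arp inspection" with trusted ports, a DHCP snooping binding table, an ARP ACL for a static host, the three "validate" options and the per-port rate limit with err-disable. Every MAC, IP, port name and binding is constructed, and the model is a simplification, not the switch's own implementation.

```python
"""ARP request/reply encoding and a Dynamic ARP Inspection style check.
Added example for these notes (not from the original); MACs, IPs, ports and
the binding table are constructed for illustration."""
import ipaddress
import struct
from collections import defaultdict

ETH_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac(m): return bytes.fromhex(m.replace(":", ""))
def _ip(a): return ipaddress.IPv4Address(a).packed
def _mac_str(raw): return ":".join(f"{b:02x}" for b in raw)


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header + 28-byte ARP (htype 1, ptype IPv4, hlen 6, plen 4); op 1=request, 2=reply."""
    eth = _mac(eth_dst) + _mac(eth_src) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    if struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP format")
    b = frame[22:42]
    return {"eth_dst": _mac_str(frame[:6]), "eth_src": _mac_str(frame[6:12]), "op": op,
            "sha": _mac_str(b[0:6]), "spa": str(ipaddress.IPv4Address(b[6:10])),
            "tha": _mac_str(b[10:16]), "tpa": str(ipaddress.IPv4Address(b[16:20]))}


def _bad_ip(ip: str) -> bool:
    """The 'ip' validation: 0.0.0.0, 255.255.255.255 and multicast are never valid ARP addresses."""
    addr = ipaddress.IPv4Address(ip)
    return addr in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")) or addr.is_multicast


class DAI:
    """Models 'ip arp inspection' for one VLAN. Trusted ports bypass everything; on untrusted
    ports every ARP is rate-limited and must match the DHCP snooping binding table (ip -> mac)
    or the ARP ACL (static hosts), optionally with the src-mac / dst-mac / ip validations."""

    def __init__(self, bindings, arp_acl=(), trusted=(), validate=("src-mac", "dst-mac", "ip"), rate=15):
        self.bindings = dict(bindings)
        self.acl = set(arp_acl)
        self.trusted = set(trusted)
        self.validate = set(validate)
        self.rate = rate                     # packets per second, the default on untrusted ports
        self.seen = defaultdict(int)         # (port, second) -> ARP count
        self.errdisabled = set()

    def inspect(self, port: str, frame: bytes, t: float) -> str:
        if port in self.trusted:
            return "forward"
        if port in self.errdisabled:
            return "drop: port err-disabled"
        self.seen[(port, int(t))] += 1
        if self.seen[(port, int(t))] > self.rate:
            self.errdisabled.add(port)       # cleared by shutdown/no shutdown or errdisable recovery
            return "drop: rate limit exceeded, port err-disabled"
        a = parse_arp(frame)
        if "src-mac" in self.validate and a["eth_src"] != a["sha"]:
            return "drop: ethernet source MAC != ARP sender MAC"
        if "dst-mac" in self.validate and a["op"] == 2 and a["eth_dst"] != a["tha"]:
            return "drop: ethernet destination MAC != ARP target MAC"
        if "ip" in self.validate and (_bad_ip(a["spa"]) or (a["op"] == 2 and _bad_ip(a["tpa"]))):
            return "drop: invalid IP in ARP body"
        if self.bindings.get(a["spa"]) == a["sha"] or (a["spa"], a["sha"]) in self.acl:
            return "forward"
        return f"drop: no binding for {a['spa']} -> {a['sha']}"

    def recover(self, port: str) -> None:
        """Equivalent of 'shutdown' / 'no shutdown' on the err-disabled port."""
        self.errdisabled.discard(port)


if __name__ == "__main__":
    dai = DAI(bindings={"10.0.0.50": "00:00:00:00:00:50"}, trusted={"G0/24"})   # G0/24 = uplink
    legit = build_arp("00:00:00:00:00:50", BROADCAST, 1, "00:00:00:00:00:50", "10.0.0.50", ZERO_MAC, "10.0.0.1")
    poison = build_arp("00:00:00:00:00:66", BROADCAST, 2, "00:00:00:00:00:66", "10.0.0.1", BROADCAST, "10.0.0.1")
    print("PC on G0/1 asks for the gateway :", dai.inspect("G0/1", legit, 0.0))
    print("gratuitous reply claiming gateway:", dai.inspect("G0/2", poison, 0.0))
```

The gratuitous reply is the ARP poisoning case from the notes: the attacker's port has no binding for the gateway's IP, so the frame never reaches the other hosts' ARP tables; the same frame on the trusted uplink is forwarded untouched, which is why only ports toward other network devices should be marked trusted.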