Wednesday, June 17, 2009

Switch port security

Cisco switches come with some undesirable defaults:

  • The ports are open (whereas router interfaces are shut by default), so use the shutdown command on unused ports
  • They actively attempt to trunk, so use the switchport mode access command so the port cannot trunk
  • All ports are in VLAN 1, so place each unused port into an unused dummy VLAN

To lock down a particular port for a particular MAC address:

conf t
int fast 0/1
switchport mode access
switchport port-security
switchport port-security mac-address aaaa.aaaa.aaaa (IOS writes MAC addresses in the dotted H.H.H form)
switchport port-security mac-address sticky (instead of a static address, the first MAC address connected will be used)
switchport port-security violation ?

shutdown, which is the default, shuts the port down and logs the action; the interface status becomes "err-disabled" and the port must be manually re-enabled.

restrict drops the violating frames and logs a message indicating the violation, but does not shut down the port.

protect simply drops the violating frames without logging anything.

The show port-security int fast 0/1 command shows you all the info.
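To make the difference between the three violation modes concrete, here is a small model of a port-security port written for these notes. It is an added example, not IOS code and not from the training material: MAC strings are constructed sample values in Cisco's dotted notation, and the model simplifies real switch behaviour (no errdisable recovery timer, no cross-port duplicate-MAC check).

```python
"""Model of switch port security: static / learned / sticky MACs and the
protect, restrict and shutdown violation modes. Added example, not IOS code;
behaviour is simplified (no errdisable recovery timer, no per-VLAN state).
MAC addresses used below are constructed samples."""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # like 'switchport port-security maximum', default 1
    sticky: bool = False             # 'switchport port-security mac-address sticky'
    violation: str = SHUTDOWN        # IOS default violation mode
    allowed: set = field(default_factory=set)   # statically configured MACs
    learned: set = field(default_factory=set)   # dynamically learned MACs
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)

    def secure_macs(self):
        return self.allowed | self.learned

    def ingress(self, src_mac):
        """Process a frame from src_mac; return True if accepted, False if dropped."""
        if self.err_disabled:
            return False                     # a shut port passes nothing
        if src_mac in self.secure_macs():
            return True
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)        # room left under the maximum: learn it
            return True
        # Maximum reached and the address is not a secure one: a violation.
        self.violations += 1
        if self.violation == SHUTDOWN:
            self.err_disabled = True         # port goes err-disabled
            self.log.append(f"{self.name}: err-disabled, violator {src_mac}")
        elif self.violation == RESTRICT:
            self.log.append(f"{self.name}: violation from {src_mac}, frame dropped")
        # PROTECT drops silently: no log entry, nothing for an operator to see.
        return False

    def reload(self):
        """Sticky addresses survive a reload (they are written to the config);
        plain dynamically learned ones are lost and must be relearned."""
        if not self.sticky:
            self.learned.clear()

    def recover(self):
        """Operator issues 'shutdown' then 'no shutdown' on the err-disabled port."""
        self.err_disabled = False
```

The point for monitoring is the last branch: protect gives no signal at all, so if you want to know that someone plugged an unexpected device into a secured port, restrict or shutdown is the mode that leaves a trace.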

Forward it; Flood it; Filter it

A Cisco switch will do one of three things to an incoming frame (remember, a switch is a layer 2 device -> Data link layer -> Frames):

  • Forward it
  • Flood it
  • Filter it

The decision is based on the MAC address table. The MAC address table is built from the SOURCE address of each incoming frame. If the incoming frame's source MAC address isn't listed in the table, the switch adds it to its table with the VLAN, the type and the port it's connected to, i.e. 


  • Forwarding happens when the switch has an entry for the destination MAC address in its MAC address table and forwards the frame out a single port. 
  • Flooding happens when the switch doesn't have an entry for the destination MAC address in the MAC address table. The frame gets sent out every port on the switch except for the one it came in on.
  • Filtering happens when the switch has an entry for both the source and destination MAC address AND the MAC table indicates that both addresses are on the same port.

If a host gets disconnected from one port and connected to another, the switch will notice that the incoming frame's source MAC address is now on a different port and updates its MAC address table accordingly.
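The learning and decision steps above, as a small Python model added to these notes (not code from the page or from Cisco). Port names and MAC addresses are constructed sample values in Cisco's dotted notation, and the table holds (VLAN, port) per address the way show mac address-table does; the host-move case is handled by the learning step overwriting the old entry.

```python
"""Learning switch: forward, flood or filter each frame. Added example,
not IOS code; ports and MACs are constructed sample values."""
from dataclasses import dataclass


@dataclass
class Frame:
    src: str        # source MAC, what the switch learns from
    dst: str        # destination MAC, what the switch looks up
    in_port: str    # port the frame arrived on


class LearningSwitch:
    def __init__(self, ports, vlan=1):
        self.ports = list(ports)
        self.vlan = vlan
        self.table = {}     # mac -> (vlan, port), like 'show mac address-table'

    def receive(self, frame):
        """Learn the source, then return (action, list_of_output_ports)."""
        # Learning: bind the source MAC to the ingress port. A host that has
        # moved to another port simply overwrites its previous entry.
        self.table[frame.src] = (self.vlan, frame.in_port)

        entry = self.table.get(frame.dst)
        if entry is None:
            # Unknown unicast (and broadcast, which never appears as a source
            # and so is never learned): flood out every port but the ingress one.
            return "flood", [p for p in self.ports if p != frame.in_port]
        if entry[1] == frame.in_port:
            # Source and destination sit on the same port (e.g. behind a hub):
            # the destination already heard the frame, so filter it.
            return "filter", []
        return "forward", [entry[1]]
```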

Once the switch decides to either forward or flood, it also must figure out which processing method to use:

  • Store-and-forward
  • Cut-through
  • Fragment-free

With the store-and-forward method, the switch stores the entire frame on the switch. After checking the FCS (frame check sequence) for corruption, it continues forwarding on the frame. I.e. more error detection.

With cut-through, the switch forwards the frame without checking the FCS, starting even before the whole frame has been received. This means it's faster, but with less error detection.

With fragment-free, the switch only checks the first 64 bytes for corruption as it assumes that if there is going to be any corruption, it'll happen in the first 64 bytes. This is considered to be the middle ground between the two above.

Switching basics!

The third video is quite an interesting one, however, it does take a little while to get into the more "interesting" stuff. Again, it's mostly all theory and starts off listing the layer 1 devices and the first layer 2 device, a bridge:

  • A repeater simply amplifies the transmission
  • A hub is basically a repeater with multiple ports
  • A bridge connects two hubs together

Anything connected to a hub is considered to be in the same collision and broadcast domain. They also depend on CSMA/CD.

A bridge separates two hubs. This splits the collision domain into two, however, there is still only one broadcast domain.

Anything connected to a switch is considered to be in its own collision domain, but all ports will be in the same broadcast domain (assuming they are all in the same VLAN).

Creating VLANs creates new broadcast domains, as traffic from one VLAN cannot reach another VLAN without the intervention of a layer 3 device, most likely a router.

Cisco switches use STP (spanning tree protocol) to prevent switching loops and is enabled by default. STP determines a loop-free path for frames and ports that are not on that path will be placed into blocking mode.

Tuesday, June 16, 2009

Yawn! Video #2

Video #2 is about CSMA/CD, ethernet types and cable types.

CSMA/CD stands for Carrier Sense Multiple Access with Collision Detection. When multiple hosts connect via an old fashioned shared copper wire (bus), they need to be able to detect if another host is currently using the wire. If not, the host will send its data. However, if two hosts decide to send data at exactly the same time, they need to monitor for collisions on the wire. A small change in voltage lets a host know if a collision has occurred. Once this happens the host sends a jam signal to each host on the network. Each host sets a random back-off timer before attempting to transmit once again.

With the ethernet standard 10Base-T, the T stands for twisted-pair cable. The 10 refers to 10Mb/s. Twisting the pairs of wires reduces possibility of electromagnetic interference.

  • Ethernet runs at 10Mb/s
  • Fast ethernet runs at 100Mb/s
  • Gigabit ethernet runs at 1000Mb/s or 1Gb/s
  • Straight-through cables are used to connect a PC to a switchport
  • Crossover cables are used to connect two similar devices together, typically two switches
  • Rollover cables are console cables for a serial connection (DB9 -> RJ-45)

The MAC/BIA/Physical/NIC/Ethernet/LAN Address is a 48-bit address written in hex (aa-bb-cc-11-22-33). The first three sections are the OUI (Organisationally Unique Identifier, aa-bb-cc). The broadcast MAC address is FF-FF-FF-FF-FF-FF and the multicast MAC address range is 01-00-5e[00-00-00 -> 7F-FF-FF].
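A small parser for the address forms above, added to these notes as a worked example (not from the page). It normalises the dashed, colon and Cisco dotted notations, extracts the OUI, and classifies the address as broadcast, IPv4 multicast (the 01-00-5E block with the top bit of the fourth octet clear) or unicast; it goes one step beyond the text by also using the I/G bit (least significant bit of the first octet), which marks any group address such as the IPv6 33-33 range.

```python
"""Parse and classify a MAC address. Added example, not from the page.
Sample addresses in the docstrings/tests are constructed values."""
import re


def parse_mac(text):
    """Accept aa-bb-cc-11-22-33, aa:bb:cc:11:22:33 or aabb.cc11.2233; return 6 bytes."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def oui(mac):
    """First three octets, upper-case dashed, as OUI lookups expect."""
    return "-".join(f"{b:02X}" for b in mac[:3])


def classify(mac):
    if mac == b"\xff" * 6:
        return "broadcast"
    # IPv4 multicast: 01-00-5E-00-00-00 .. 01-00-5E-7F-FF-FF (low 23 bits of the group).
    if mac[:3] == b"\x01\x00\x5e" and mac[3] <= 0x7F:
        return "ipv4-multicast"
    if mac[0] & 0x01:           # I/G bit set: some other group address
        return "multicast"
    return "unicast"


def to_cisco(mac):
    """Render in the dotted form IOS uses in configs and show output."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def describe(text):
    mac = parse_mac(text)
    return {"cisco": to_cisco(mac), "oui": oui(mac), "kind": classify(mac)}
```

One practical use: a frame's source address must be unicast, so anything with the I/G bit set in the source field is malformed and worth flagging when you are reviewing captures or port-security logs.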

For WAN cabling, you can connect Cisco router serial interfaces directly with a DTE/DCE cable.


Any cable over 100 meters is a cause for alarm!

Monday, June 15, 2009

TCP vs UDP

This is a little more obvious than the models below, but here it is anyway:

TCP

  • Guaranteed delivery
  • Error detection via sequence and ACK numbers
  • Windowing
  • "Connection oriented"

UDP

  • "Best-effort" delivery
  • No error detection
  • No windowing
  • "Connectionless"

TCP also uses the "three-way-handshake" -> SYN; SYN/ACK; ACK

During TCP error recovery, the receiving host sends an ACK carrying the NEXT EXPECTED sequence number, not the sequence number of the last segment it received. If a segment goes missing, the ACK number stays at the start of that missing segment, and when the sender receives that ACK it re-sends that segment.

If the sender does not receive an ACK before the ACK timer expires, the sender will re-transmit all of the segments sent since the last acknowledgement.

Windowing refers to the amount of data a sender can send without expecting an ACK back from the recipient. It is defined by the recipient and is dynamic. It may be increased until errors start popping up, in which case the window size is decreased until it stabilises again.
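The ACK-number and window behaviour described above, as a teaching model added to these notes (not code from the page and not a real TCP stack). The receiver always acknowledges the next byte it expects and buffers anything that arrives early; the sender keeps a window's worth of segments in flight and, when an ACK does not advance, resends from that ACK number onwards, which is the go-back-N behaviour the timer-expiry paragraph describes. Payload, segment size, window and the loss pattern are constructed for the example.

```python
"""Sequence/ACK bookkeeping for TCP-style reliable delivery.
Added teaching model, not a TCP implementation; all inputs are constructed."""
from collections import namedtuple

Segment = namedtuple("Segment", "seq data")   # seq = offset of the first byte


class Receiver:
    def __init__(self, window=3000):
        self.next_expected = 0      # the ACK number we will send
        self.window = window        # advertised: bytes the sender may have in flight
        self.buffer = {}            # out-of-order segments waiting for the gap
        self.delivered = b""

    def receive(self, seg):
        """Accept one segment and return (ack_number, window)."""
        if seg.seq >= self.next_expected:      # old duplicates are ignored
            self.buffer[seg.seq] = seg.data
        # Deliver in order, pulling buffered segments as the gap closes.
        while self.next_expected in self.buffer:
            data = self.buffer.pop(self.next_expected)
            self.delivered += data
            self.next_expected += len(data)
        return self.next_expected, self.window


class Sender:
    def __init__(self, data, mss=1000):
        self.mss = mss
        self.segments = [Segment(i, data[i:i + mss]) for i in range(0, len(data), mss)]
        self.retransmissions = []   # seqs that had to be sent a second time

    def transfer(self, rx, drop_once=()):
        """Send everything to rx over a link that loses each listed seq once."""
        if rx.window < self.mss:
            raise ValueError("window smaller than one segment; nothing could be sent")
        dropped = set(drop_once)
        total = sum(len(s.data) for s in self.segments)
        sent = set()
        acked = 0
        while acked < total:
            window_end = acked + rx.window
            ack = acked
            for seg in self.segments:
                if not acked <= seg.seq < window_end:
                    continue                      # outside the window: wait
                if seg.seq in sent:
                    self.retransmissions.append(seg.seq)   # go-back-N resend
                sent.add(seg.seq)
                if seg.seq in dropped:
                    dropped.discard(seg.seq)      # lost on the wire this once
                    continue
                ack, _ = rx.receive(seg)
            # If ack == acked the timer "expired" and the loop resends from
            # the ACK number; otherwise the window slides forward to it.
            acked = ack
        return rx.delivered


def demo(drop=(1000,)):
    """Run a 4096-byte transfer; return (delivered intact?, retransmitted seqs)."""
    data = bytes(range(256)) * 16           # constructed payload
    rx = Receiver(window=3000)
    tx = Sender(data, mss=1000)
    return tx.transfer(rx, drop_once=drop) == data, tx.retransmissions
```

With segment 1000 lost once, the receiver keeps answering ACK 1000 even after segment 2000 arrives, so the sender resends from 1000 and the transfer completes; with no loss nothing is retransmitted.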

OSI vs TCP/IP model

Know And Understand The Fundamentals!

Video #1 jumps right into the theory of networking models. Here's a nice diagram illustrating the differences between the two:


Here's how the OSI model works:

Application Layer (Layer 7)

  1. Ensures the remote communication partner is available
  2. Required communication resources exist
  3. Both ends agree on procedures involving data integrity, privacy and error recovery
  4. Authentication also runs here at layer 7

Presentation Layer (Layer 6)

  1. Compatibility with OS
  2. Proper encapsulation of data for network transmission
  3. Data formatting (binary, ascii)
  4. Data encryption, compression and translation

Session Layer (Layer 5)

  1. Handles creation, maintenance and teardown of communications between hosts

Transport Layer (Layer 4)

  1. Establish an end-to-end connection between two systems
  2. Segment data received from the upper layers
  3. Make sure data gets to the destination in correct order and free of errors (error recovery)

Network Layer (Layer 3)

  1. What valid paths exist from local router to given destination?
  2. What is the best path to get there?

Data Link Layer (Layer 2)

  1. Error detection
  2. Switches run at this layer

Physical Layer (Layer 1)

  1. Bits (ones and zeros)
  2. Anything to do with cables, power, connectors, pins etc

Friday, June 12, 2009

There's no time like the future

As it's Friday and I've just got my Trainsignal CCNA CDs, I'm just going to get everything ready for Monday. Sounding like procrastination? That's because it is. No excuses. You see, the CCNA is made up of two exams, the ICND1 and the ICND2, you can either do them separately or together but since I'm more of a "kill two birds with one stone" kinda guy, I'm doing them together.

So I'm going to rip out all the videos and remove all the HTML/Flash crap from the CDs, move them to my external hard drive and watch them on my PS3 where I can play them at 1.5 times their normal speed to avoid falling asleep to the dulcet tones of CB. I've learned so many of my life lessons from episodes of the chipmunks that this may actually be a stroke of genius. Only time will tell.

Anyway, here's a graphical representation of where I am now, note, blue ring = achieved and red ring = still to achieve:



As you can see, I'm far from anything at the moment, but we all have to start somewhere. I've left out the Design and Wireless paths on purpose as at the moment, they're just not that interesting to me. My first real decision will come after the CCNA when I try to decide whether to continue and do the CCNP, CCIP or go for one of the other CCNAs instead. Ah well, at least I have a while before I have to choose, so for now I'm going to focus on the CCNA only.

Hell, I'm getting slightly motivated again, maybe I'll just watch the intro or a video or two...

Thursday, June 11, 2009

CCNA, a little research

Alright, the CCNA, the 640-802 exam, 90 minutes, 45 - 55 questions. To pass it you need to get... wait, that can't be right... they don't tell you! I'm seeing reports of 845/1000 and 825/1000, however as each question is weighed differently depending on difficulty, it's pretty hard to figure out exactly what's required. I guess I'll have to aim pretty high!

The topics according to cisco.com are:

  • Describe how a network works
  • Configure, verify and troubleshoot a switch with VLANs and interswitch communications
  • Implement an IP addressing scheme and IP Services to meet network requirements in a medium-size Enterprise branch office network
  • Configure, verify, and troubleshoot basic router operation and routing on Cisco devices
  • Explain and select the appropriate administrative tasks required for a WLAN
  • Identify security threats to a network and describe general methods to mitigate those threats
  • Implement, verify, and troubleshoot NAT and ACLs in a medium-size Enterprise branch office network
  • Implement and verify WAN links

which all seem quite fair really. I'm looking forward to sinking my teeth into this (read getting it over with). I'll be starting with the Trainsignal videos tomorrow and hopefully they'll match up well.

Back up a step!

CCNA Security Prerequisites:
Valid CCNA

CCNA Voice Prerequisites:
Valid CCNA

Looks like I'm doing the damn CCNA first... 

How did I not spot this? I was sure it wasn't a prerequisite before. Anyways, it's probably for the best. As wham says:

If you're gonna do it, do it right, right
Do it with me...

Wednesday, June 10, 2009

SDM on a cisco 870

SDM (security device manager) on a cisco 870 should be fairly easy according to the cisco website:

http://www.cisco.com/en/US/products/sw/secursw/ps5318/prod_installation_guide09186a00803e4727.html#wp72503

show flash: doesn't show me any of the telltale signs of installation, so I'm moving on!

After downloading and tftp-ing a new IOS over, I now have the following image running:

c870-advsecurityk9-mz.124-4.T4.bin

Now it's time to configure the router for SDM:

conf t
ip http server
ip http secure-server
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
end

As we already created a user (sdm/sdmpass), we can leave it at that for now and get the client up and running. As I said before, I installed SDM on my laptop, not on the router as I want to preserve space there when possible.

After running the SDM launcher it launches automatically in IE... which is a pain. Disable pop-up blockers and allow ActiveX to run. Also, the biggest SDM GOTCHA about it was that I had to uninstall my version of Java (6u14) and reinstall an older version (http://java.sun.com/products/archive/j2se/6u7/index.html). After that, plain sailing with logging in as sdm/sdmpass.

And don't forget:

wr mem
copy running-config startup-config

Enabling ssh on a cisco 870

So, after setting up everything over the console cable, I finally want to be able to hook it up to my network and store it away in a nice corner and never physically touch it again. The solution is of course, ssh.

For the last time, via console:

en
show ip ssh
%SSH has not been enabled
conf t
ip domain-name router.bk
crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Jun 4 13:12:07.239: %SSH-5-ENABLED: SSH 1.99 has been enabled
end
show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

Now I'm going to set up a user for access. I'm going to call him "sdm" as I guess I'll be using something like that anyways soon enough:

conf t
username sdm privilege 15 secret 0 sdmpass
line vty 0 4
privilege level 15
login local
transport input ssh
exit
end

Now time to fire up ssh and try to connect! If not, check show ip ssh again, also see if you can telnet to port 22 on the device. No more console for me, yay!

As always, at the end:

wr mem
copy running-config startup-config

Recovering a cisco 870 router

So, lets turn the router on. Seeing a whole bunch of interesting stuff, especially:

Booting flash:/c870-advipservicesk9-mz.124-4.T3.bin

and all the different interface states. Now it's dropped me to the normal prompt. Of course, I could type en and try to guess the password, but let's not waste our time! So, according to the cisco website:

http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/trouble.html#wp1038210

sh version
Configuration register is 0x2102

So let's hard reboot it with the power button and keep pressing the "break" key while it's rebooting. I had to try this a few times, as pressing the break key didn't seem to work very well. Other sources mention pressing "ctrl and break" which on a laptop means pressing "ctrl, the Fn key and the break key" which is a little awkward, but eventually I got to:

rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 > reset

Woo-hoo! Now it's resetting and I land at the following prompt:

Would you like to enter the initial configuration dialog? [yes/no]: _

Here I type no, followed by enable and show startup-config to view the original configuration, but the original enable password is encrypted:

enable secret 5 $1$yusS$D4aa0.FehLVWGPzRUZjAB0

but it's pretty much useless to me (you could go to one of the million places out there to decrypt it if you wanted) as I want a fresh start anyway, so I reboot (reload) once more to get back to my prompt:

Would you like to enter the initial configuration dialog? [yes/no]: yes
Would you like to enter basic management setup? [yes/no]: yes
Enter host name [Router]: router01

This is the enable password you get prompted for when typing en:

Enter enable secret: cheese1
Enter enable password: cheese2
Enter virtual terminal password: cheese3
Configure SNMP Network Management? [yes]: no

As the 870 has four switchports (FE0 - 3) and one WAN interface FE4, we can only assign an IP address directly to FE4. We can assign IP addresses to the other switchports, but we'd have to do that through VLAN creation which I'll touch on later.

Enter interface name used to connect to the
management network from the above interface summary: FastEthernet4
Use the 100 Base-TX (RJ-45) connector? [yes]: yes
Operate in full-duplex mode? [no]: no
Configure IP on this interface? [yes]: yes

I'm using this IP address as my internal home network has this range and this particular IP address I know is free.

IP address for this interface: 192.168.1.20
Subnet mask for this interface [255.255.255.0] : 255.255.255.0
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]: 2
Building configuration...
Press RETURN to get started!

show version
Configuration register is 0x2142

en
conf t

Change back the register or else you'll always be prompted after every reload with the above (mind you, all you'd have to do is answer no, then en and copy startup-config running-config if you have it saved).

config-register 0x2102
end
show version
Configuration register is 0x2142 (will be 0x2102 at next reload)
wr mem
copy running-config startup-config
reload

Tada! The router now restarts and loads our config straight away!

It's a start!

So, my brother kindly donated 3 cisco routers to me:

  1. 800A without its proprietary power connection
  2. 1700 series missing only a kettle lead for power
  3. 870 with power!

So looks like I'm starting with the 870. Of course, I don't have the enable passwords for them, so the recovery procedure will have to be followed, which I believe should be a trivial enough matter (hopefully!).

For the CCNA security, you have to use the SDM (security device manager) tool and luckily enough, the 870 works with it. I just have to install it on my laptop rather than the router as it only has about 26MB (sh flash: 27611136 bytes total) and with the IOS taking up between 12MB and 14MB and SDM being another 14MB on top of that, it's just not enough.

So, seems like I've just defined a couple of rules there:

  1. Actual commands written to router will be in bold
  2. Output of commands, which may not be the complete output but maybe only the relevant output, will be in italic

I think I should also mention that I have already installed "winagents tftp server 4" so I can eventually move files back and forth between my laptop and the router. So, with my trusty console cable, I think I'm ready to recover the 870.

Tuesday, June 9, 2009

Blog 101

Well, having never created a blog before, I thought I may as well start with the obligatory introduction.

Me, I'm fairly fucked now. Made redundant March 2009, two months after buying a house, so it's a bit of a tight-arse-time I'm going through. Sending CVs here and there only to get mixed up with the other 278365872165 Linux/UNIX admins vying for the same six jobs gets both tiring and depressing, and as we all know, where do people who have nothing better to do and all day to do it go? That's right... the internet!

So here I am at my new shiny blog finding new ways to pass the day that doesn't involve either watching re-runs of Frasier (you know, since March, I've seen EVERY episode and I'm still watching them repeat it from the start again!) or Maury or that very angry man, Jeremy Kyle, or playing on the PS3.

So I have a plan. Networking has always been my weakest point in IT (hate calling it that) so I wanted to do the CCNA exam. Turns out that now, they have different types of CCNA, so I've decided to do it the hard way. I'm going to attempt to get my CCNA Security AND CCNA Voice as I reckon, over time, they would be the two best that would stand to me so I could get a position anywhere (network security) and in telecoms (voice specific). Of course, I may need to actually do the CCSP and the CCVP or even CCIE Security and CCIE Voice before people take me seriously, but I reckon I have time, so why not!

From now on, the blogs you're going to see will probably be related to the CCNA Security, as that's where I'm starting. I just hope I actually keep this up! Motivation and enthusiasm aren't exactly my closest friends unless it involves copious amounts of alcohol.

So, without further ado, let's roll bitches...