Cisco Switch : VLAN ACL’s (VACL)

This week, I have been studying and configuring VLAN ACL’s. VLAN ACL’s have a use because Regular ACL’s can be used to filter inter-VLAN traffic but not intra-VLAN traffic. Filtering between hosts on the same VLAN require the use of VLAN Access Lists (VACL).

The VACL will do the actual filtering of the traffic, but we still need to write an ACL to identify the traffic. The ACL will be used as a match criteria within the VACL to drop of forward the traffic.

I will show you how to implement a VACL on TPWSW1 that will prevent anyone from telnetting from UserPC1 subnet while allowing all other traffic.

The process  I always follow for doing this is:
1. Build ACL
2. Build VACL
3. Apply VACL to VLAN

Build ACL

I always start a VACL with a regular extended ACL. Try and use descriptive names so when you look at it in 6 month it will mean something.

Create an extended access list named no_telnet_access_list and add an ACL statement that permits Telnet traffic:

TPWSW1(config)#ip access-list extended no_telnet_access_list 
TPWSW1(config-ext-nacl)#permit tcp any any eq telnet

Create an access list named allow_all_traffic and to add an ACL statement that permits all IP traffic:

TPWSW1(config)#ip access-list extended all_traffic
TPWSW1(config-ext-nacl)#permit ip any any

Verify the no_telnet_access_list and the allow_all_traffic access lists you created.

TPWSW1#show access-lists
Extended IP access list allow_all_traffic    
10 permit ip any any
Extended IP access list no_telnet_access_list   
10 permit tcp any any eq telnet

Write the VACL

Create a VLAN access map named vlan_access_map with a sequence number of 10:

TPWSW1(config)#vlan access-map vlan_access_map 10

Configure TPWSW1. Create a match statement that will match an access list named no_telnet_access_list:

TPWSW1(config-access-map)#match ip address no_telnet_access_list

On TPWSW1, Configure an action for the VLAN access map that will drop the packets matched by the no_telnet_access_list access list:

TPWSW1(config-access-map)#action drop

Create a match statement that matches the allow_all_traffic access list and uses sequence number 20:

TPWSW1(config)#vlan access-map vlan_access_map 20
TPWSW1(config-access-map)#match ip address allow_all_traffic

Configure an action for the VLAN access map that will forward the traffic matched by the allow_all_traffic access list:

TPWSW1(config-access-map)#action forward

Verify the access map configuration.

TPWSW1#show vlan access-map
       Vlan access-map “vlan_map”  10  
       Match clauses: IP address: no_telnet_access_list
           Action:
             drop

       Vlan access-map “vlan_map”  20  
       Match clauses:IP address: all_traffic
           Action:
             forward

Apply VACL to VLAN

Apply the vlan_access_map access map to VLAN 5:

TPWSW1(config)#vlan filter vlan_access_map vlan-list 5

Verify the application of the access map to the VLAN.

TPWSW1#show vlan filter
    VLAN Map vlan_map is filtering VLANs:
      5

Verify you cannot access the switch using Telnet. Now obviously you could turn off Telnet other ways, this was purely to demonstrate how powerful these VACL’s can be.

Palo Alto : DNS Sinkhole

The Problem:

We have a infected user and that user is trying to reach out to a command and control server, the infected user does a DNS lookup and since this domain is not hosted locally the internal DNS will pass the request through the Firewall to the external DNS server , the logs wont give all the information we need.

We are going to intercept the DNS traffic between the Internal and External DNS server and respond with a DNS server of our own. Palo Alto send these DNS requests from the infected machines to 72.5.65.111 , which is a Palo Alto assigned address, that will force the traffic to the Firewall to be blocked and logged appropriately.

You do need a Threat Prevention License.

The antivirus release notes will list all the domains that Palo Alto deem to be suspicious.

This is only needed for traffic going to the internet.

How to Configure DNS Sinkhole

Make sure the latest Anti-Virus updates are installed. Device > Dynamic Updates > Click “Check Now”

Configure DNS Sinkhole in the Security Profile Anti-Spyware . Objects > Anti-Spyware under Security Profiles.

Create a New Anti-Spyware Profile or Use an existing one.

Change Action to “sinkhole”

Set Sinkhole IPv4 to the address mentioned above 72.5.65.111
Set Sinkhole IPv6 to the address mentioned above ::1

You then have to apply this security profile to your outbound internet Security Policy/Rule. Select the Rule > Actions > Choose Anti-Spyware Profile

If you want to log who is hitting the sinkhole address you will need to create a deny rule.

 

Commit the Config

Cisco Switch : DHCP Snooping

DHCP seems like a seemingly innocent, but common protocol, that can be used against our network. Since we know the DHCP discovery packet is a broadcast packet, just looking for a DHCP server and the host doesn’t care what DHCP server sends a DHCP OFFER back, it will accept the first offer, the DHCP offer includes information such as IP address, Subnet Mask, Default Gateway, DNS information. What if the first offer that is returned is a Rouge or Malicious DHCP server? Does that mean all traffic from that host using the Rogue DHCP servers gateway could be looking at all of the traffic passing through it? Yes! We can prevent this from happening with a feature called DHCP Snooping.

DHCP Snooping is going to snoop or listen into DHCP traffic to make sure that DHCP conversations go to the correct interface and allow that traffic to pass, otherwise it will be dropped. The interfaces to a known good DHCP server will be ‘trusted’ and all other interfaces will be untrusted, therefor the switch will know if DHCP conversations are happening on an untrusted interface then the traffic will be dropped and the interface will be put into err-disabled mode.

By default the switch considers all ports untrusted. We have to enable DHCP snooping globally, then trust at the interface level. IP ARP inspection and IP source-guard are dependent on DHCP snooping being enabled.

Enabled DHCP Snooping

tpw-sw1(config)#ip dhcp snooping

 

Enable DHCP Snooping on a VLAN

tpw-sw1(config)#ip dhcp snooping vlan 10

 

Trust Interface with DHCP server on it

tpw-sw1(config)#int gigabitEthernet 1/1

tpw-sw1(config-if)#ip dhcp snooping ?

  information  DHCP Snooping information

  limit        DHCP Snooping limit

  trust        DHCP Snooping trust config



tpw-sw1(config-if)#ip dhcp snooping trust

 

DHCP option 82

When packets come in on an untrusted port with option 82 set, those packets are not dropped. The switch will insert its own DHCP option 82 information (the switches MAC address), and when the packet is returned it will make sure its own DHCP option 82 information is in the reply if it is, it will remove its option 82 information and forward the packet normally, if not it will drop it.  This check is enabled by default.

Turn off the validity check

tpw-sw1(config)#no ip dhcp relay information check

 

Turn on Option 82

tpw-sw1(config)#ip dhcp snooping information option

 

Show Commands

tpw-sw1#sh ip dhcp snooping

Switch DHCP snooping is enabled

DHCP snooping is configured on following VLANs:

10

DHCP snooping is operational on following VLANs:

10

DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled

Option 82 on untrusted port is not allowed

Verification of hwaddr field is enabled

Verification of giaddr field is enabled

DHCP snooping trust/rate is configured on the following Interfaces:



Interface                    Trusted    Relay Info policy     Rate limit (pps)

------------------------     -------    -----------------     ----------------

GigabitEthernet1/1        yes                               unlimited

 

Cisco : SPAN and Remote SPAN

As part of the CCNP Switch you get introduced to a topic called SPAN and Remote SPAN. This feature allows Network Engineers to capture packets flowing to and from a Interface or VLAN and mirror or forward those packets to a Packet Capture Analyzer software such as Wireshark.

Things to be aware of when setting SPAN and RSPAN up:

  • Make sure you destination port is of equivalent speed to the Source port otherwise you could drop packets.
  • A source port cannot be the same as a destination port
  • A destination port can only  be a part of one SPAN session
  • Source ports can be part of a EtherChannel but destinations ports cannot
  • Trunk ports can be setup as source and destination and the default behavior will monitor all active VLAN’s on that port
  • Destination Ports will not participate in STP, CDP, VTP, DTP or LACP
  • The number of SPAN sessions can vary on different switch models

The source can be set to entire VLAN’s (VSPAN) or individual ports. The Source is the port or VLAN you want to monitor.

Here is what the basic SPAN topology would look like:

 

Here is how to setup the Source SPAN interface.

 

tpw-sw1(config)#monitor session 1 source interface GigabitEthernet 1/1

The Destination is the port you have the network analyzer connected to.

tpw-sw1(config)#monitor session 1 destination interface GigabitEthernet 1/2

Verify your SPAN port setup.

tpw-sw1#show monitor

Session 1

---------

Type                   : Local Session

Source Ports           :

    Both               : Gi1/1

Destination Ports      : Gi1/2


The behavior is expected on a SPAN port:

tpw-sw1#sh int Gi1/1
FastEthernet1/1 is down, line protocol is down (monitoring)

 

However SPAN isn’t always going to be local, so luckily for us there is Remote SPAN (RSPAN). This feature allows the mirrored packets to traverse the trunk port to another switch via a separate VLAN. The configuration is fairly straightforward however there are a couple of caveats:

  1. All switches have to be RSPAN capable.
  2. VTP does treat the RSPAN VLAN like a regular VLAN and will propagate that through the VTP domain, but if its not you will have to add them manually to each switch
  3. VTP will prune the VLANS like a regular VLAN
  4. MAC address learning is disabled on the RSPAN VLAN
  5. Source and Destinations will be slightly different on each switch so don’t just copy the commands on each switch.

The topology would look something like this:


Here is the configuration for RSPAN tpw-sw1 – be  aware the destination RSPAN VLAN

tpw-sw1(config)#vlan 4000

tpw-sw1(config-vlan)#remote-span

tpw-sw1(config)#monitor session 1 source interface GigabitEthernet 1/1

tpw-sw1(config)#monitor session 1 destination remote vlan 4000

Verify your work.

tpw-sw1#show monitor

Session 1

---------

Type                   : Local Session

Source Ports           :

    Both               : Gi1/1

Dest RSPAN VLAN     : 4000

Here is the configuration for RSPAN tpw-sw2 – be aware the source is the RSPAN VLAN

tpw-sw2(config)#vlan 4000

tpw-sw2(config-vlan)#remote-span

tpw-sw2(config)#monitor session 1 source remote vlan 4000

tpw-sw2(config)#monitor session 1 destination interface GigabitEthernet 1/2

Verify your work.

tpw-sw2#show monitor

Session 1

---------

Type                   : Local Session

Source RSPAN VLAN        : 4000

Destination Ports     : Gi1/2


If you have a setup similar to below you have to name Remote SPAN VLAN 4000 on all intermediate switches.

Happy SPANNING 🙂

 

Cisco : Port Security

Is this frame from a trusted Source? That is the question!

As I continue my CCNP studies, I near the end of the CCNP Switch Course, this is a topic that was covered in the CCNA, and I haven’t really touched it since, so here is a refresher.

A port enabled with port security will expect to see frames sourced from a particular MAC address or group of MAC addresses, if the switch receives a frame from a MAC address it does not have listed the port takes action according to the violation mode that is set. The violation mode by default is to shutdown the port.

Enable Port Security

*You can only enable port security on a edge port, so that means that port can never become a trunk port*

tpw-sw1(conf)# int gi0/1
tpw-sw1(config-int)#switchport mode access
tpw-sw1(config-int)#switchport access vlan 10
tpw-sw1(config-int)#switchport port-security

Confirm it is working and information gathering

tpw-sw1# show port-security
tpw-sw1# show port-security address
tpw-sw1# show port-security interface gi0/1

More Port Security options

tpw-sw1(conf)# int gi0/1
tpw-sw1(config-int) switchport port-security ?
          aging - Port-security aging commands
          mac-address  - Secure mac address
          maximum - Max secure addresses
          violation - Security violation mode
tpw-sw1(config-int) switchport port-security maximum <1-6144>
tpw-sw1(config-int) switchport port-security violation ?
          protect - Security violation protect mode (drops the offending frames )
          restrict - Security violation restrict mode (drops, creates log messages, but port remains active )
          shutdown - Security violation shutdown mode (default will put the port into err-disabled (fix problem first and shut, no shut))
tpw-sw1(config-int) switchport port-security mac-address ?
         H.H.H - 48 bit mac address
         sticky - Configure dynamic secure addresses as sticky (dynamic addresses but kept on switch reload )
tpw-sw1(config-int) switchport port-security aging ?
         time Port-security aging time
         type Port-security aging type

This is just the very basics of Port Security, there is similar implementations on all switches I have worked with.

Arista : VARP Configuration

Virtual-ARP or VARP is a routing technique that allows multiple switches or routers to simultaneously route packets from a common Virtual IP (VIP) address in an active/active switch/router configuration. Each switch or router is configured with the same VIP address on the corresponding VLAN interfaces (SVI) and a common virtual MAC address. In MLAG topologies, VARP is preferred over VRRP because VARP does not require traffic to traverse the peer-link to the master router as VRRP would.

A maximum of 500 VIP addresses can be assigned to a single VLAN interface. All virtual addresses on all VLAN interfaces resolve to the same virtual MAC address. However you cannot have a secondary VIP on the same VLAN interface, you can however implement VRRP on the same VLAN interface as VARP.

VARP functions by having each switch respond to ARP and GARP requests for the configured router IP address with the virtual MAC address. The virtual MAC address is only for inbound packets and never used in the source field of outbound packets.

The following commands configures 10.10.10.1 as the virtual IP address for VLAN 10. The Virtual-Router MAC address is entirely invented by you, I had a real issue finding clarification that it was just a made up MAC address, so here is my invented made up Virtual-Router MAC 1010.1010.1010 as the virtual MAC address on both switches. I also ran into an issue where #ip routing had to be enabled.

Here is what the Topology would look like:

Configuration that implements VARP on the first switch

TPW-SW1(config)#ip virtual-router mac-address 1010.1010.1010

TPW-SW1(config)#interface vlan 10

TPW-SW1(config-if-vl10)#ip address 10.10.10.2/24

TPW-SW1(config-if-vl10)#ip virtual-router address 10.10.10.1

Configuration that implements VARP on the second switch

TPW-SW2(config)#ip virtual-router mac-address 1010.1010.1010

TPW-SW2(config)#interface vlan 10

TPW-SW2(config-if-vl10)#ip address 10.10.10.3/24

TPW-SW2(config-if-vl10)#ip virtual-router address 10.10.10.1

 

Linux/Mac Networking Commands

I have been gathering a bunch of Linux/Mac Commands that I have found useful, hopefully someone else will find this list useful.

Run a speed test from CLI:

curl -s https://raw.githubusercontent.com/sivel/speedtestcli/master/speedtest.py | python -

Get an ip address for en0:

ipconfig getifaddr en0

Same thing, but setting and echoing a variable:

ip=`ipconfig getifaddr en0` ; echo $ip

View the subnet mask of en0:

ipconfig getoption en0 subnet_mask

View the dns server for en0:

ipconfig getoption en0 domain_name_server

Get information about how en0 got its dhcp on:

ipconfig getpacket en1

View some network info:

ifconfig en0

Set en0 to have an ip address of 10.10.10.10 and a subnet mask of 255.255.255.0:

ifconfig en0 inet 10.10.10.10 netmask 255.255.255.0

Show a list of locations on the computer:

networksetup -listlocations

Obtain the active location the system is using:

networksetup -getcurrentlocation

Create a network location called Work and populate it with information from the active network connection:

networksetup -createlocation Work populate

Delete a network location called Work:

networksetup -deletelocation Work

Switch the active location to a location called Work:

networksetup -switchlocation Work

Switch the active location to a location called Work, but also show the GUID of that location so we can make scripties with it laters:

scselect Work

List all of the network interfaces on the system:

networksetup -listallnetworkservices

Rename the network service called Ethernet to the word Wired:

networksetup -renamenetworkservice Ethernet Wired

Disable a network interface:

networksetup -setnetworkserviceenabled off

Change the order of your network services:

networksetup -ordernetworkservices “Wi-Fi” “USB Ethernet”

Set the interface called Wi-Fi to obtain it if it isn’t already

networksetup -setdhcp Wi-Fi

Renew dhcp leases:

ipconfig set en1 BOOTP && ipconfig set en1 DHCP

ifconfig en1 down && ifconfig en1 up

Renew a dhcp lease in a script:

echo "add State:/Network/Interface/en0/RefreshConfiguration temporary" | sudo scutil

Configure a manual static ip address:

networksetup -setmanual Wi-Fi 10.0.0.2 255.255.255.0 10.0.0.1

Configure the dns servers for a given network interface:

networksetup -setdnsservers Wi-Fi 10.0.0.2 10.0.0.3

Obtain the dns servers used on the Wi-Fi interface:

networksetup -getdnsservers Wi-Fi

Stop the application layer firewall:

launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

Start the application layer firewall:

launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist

Allow an app to communicate outside the system through the application layer firewall:

socketfilterfw -t
“/Applications/FileMaker Pro/FileMaker Pro.app/Contents/MacOS/FileMaker Pro”

See the routing table of a Mac:

netstat -nr

Add a route so that traffic for 10.0.0.0/32 communicates over the 10.0.9.2 network interface:

route -n add 10.0.0.0/32 10.0.9.2

Log bonjour traffic at the packet level:

sudo killall -USR2 mDNSResponder

Stop Bonjour:

launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

Start Bojour:

launchctl load -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

Put a delay in your pings:

ping -i 5 192.168.210.1

Ping the hostname 5 times and then stop the ping:

ping -c 5 google.com

Flood ping the host:

ping -f localhost

Set the packet size during your ping:

ping -s 100 google.com

Customize the source IP during your ping:

ping -S 10.10.10.11 google.com

View disk performance:

iostat -d disk0

Get information about the airport connection on your system:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I

Scan the available Wireless networks:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s

Trace the path packets go through:

traceroute google.com

Trace the routes without looking up names:

traceroute -n google.com

Trace a route in debug mode:

traceroute -d google.com

View information on all sockets:

netstat -at

View network information for ipv6:

netstat -lt

View per protocol network statistics:

netstat -s

View the statistics for a specific network protocol:

netstat -p igmp

Show statistics for network interfaces:

netstat -i

View network information as it happens (requires ntop to be installed):

ntop

Scan port 80 of www.google.com

/System/Library/CoreServices/Applications/Network\ Utility.app/Contents/Resources/stroke www.google.com 80 80

Port scan krypted.com stealthily:

nmap -sS -O krypted.com/24

Establish a network connection with www.apple.com:

nc -v www.apple.com 80

Establish a network connection with gateway.push.apple.com over port 2195

/usr/bin/nc -v -w 15 gateway.push.apple.com 2195

Establish a network connection with feedback.push.apple.com only allowing ipv4

/usr/bin/nc -v -4 feedback.push.apple.com 2196

Setup a network listener on port 2196 for testing:

/usr/bin/nc -l 2196

Capture some packets:

tcpdump -nS

Capture all the packets:

tcpdump -nnvvXS

Capture the packets for a given port:

tcpdump -nnvvXs 548

Capture all the packets for a given port going to a given destination of 10.0.0.48:

tcpdump -nnvvXs 548 dst 10.0.0.48

Capture the packets as above but dump to a pcap file:

tcpdump -nnvvXs 548 dst 10.0.0.48 -w /tmp/myfile.pcap

Read tcpdump (cap) files and try to make them human readable:

tcpdump -qns 0 -A -r /var/tmp/capture.pcap

What binaries have what ports and in what states are those ports:

lsof -n -i4TCP

Make an alias for looking at what has a listener open, called ports:

alias ports='lsof -n -i4TCP | grep LISTEN'

Report back the name of the system:

hostname

Flush the dns cache:

dscacheutil -flushcache

Clear your arp cache:

arp -ad

View how the Server app interprets your network settings:

serveradmin settings network

Whitelist the ip address 10.10.10.2:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w 10.10.10.2

 

The Packet Wizard : Spanning Tree Explained

Spanning Tree Protocol also known as STP

There are many different types of STP but here are a couple of the main ones

STP/802.1D – Original STP
PVST+ – Cisco Improved STP adding per VLAN feature
RSTP/802.1w – Improved STP with a much faster convergence time (Rapid Spanning Tree)
Rapid PVST+ – Cisco improved RSTP adding per VLAN feature

Why Per VLAN STP?
If you have a large network with lots of switches and VLAN’s you can use Per VLAN STP to plan for a more efficient network

Even although there are many versions of STP they all use a very similar set of rules.

What is STP?

STP is a feature used to prevent loops when you are using redundant switches and without STP a loop could form and cause a number of problems on the network.

During a unicast broadcast message (which happen all the time) the switch will forward the frame out of every port except the one it came in on. Therefore if SW1 sends a frame out and SW2 and SW3 receive it then SW2 and SW3 will forward out all ports except the one it came in on.  SW2 sends to SW3 and SW1. SW3 send to SW2 and SW1 and you can see how the loop is now beginning to form. This is known as a broadcast storm, this can kill a switches CPU and Memory usage very quickly.

The second problem is the MAC address being changed all the time as it receives frames. For example SW1 sends a broadcast message, SW2 and SW3 receive it, then forward it out all other ports like in the scenario above. However each switch learns the MAC address of the next switch and assigns that in the MAC address table, but if you consider SW1 sending to SW2 and SW3 and then SW2 and SW3 forwarding those frames and they eventually get back to SW1 but on different ports, then the MAC Address table will change constantly from I know about SW2 on this port,  I now know about SW2 via SW3 on this port, and that can cause unstable MAC address tables.

Another issues is explained below

HOST1  sends data to HOST2, however since SW2 doesn’t know how to get to SW2 it sends frames out all ports, thus sending to SW1 and SW3 so HOST2 receives frames from HOST1 via SW3 and then again via SW1>SW3. This is known as Duplicate Frames.

So how do we fix the issues mentioned above? Thats right Spanning Tree Protocol by blocking one of the redundant paths.

The question now becomes how do the switches decide on that Port to block? STP follow’s strict rules, when deciding what ports to block. 

1) Elect a Root Bridge (ROOT)
2) Place root interfaces into forwarding (FWD)
3) Select Root Port on non-Root Bridge Switches (RP) – this is the best root to the Root Bridge.
4) Non Root Switches decide on a Designated Port (DP)
5) All other ports put into Blocking State (BLK)

On per VLAN STP You could have this on VLAN 10

and this on VLAN 20

I will now cover the port roles and the port states so you know what each is:

ROLES
Root Ports : The best port to get to the Root Bridge

Designated Ports : The Lowest cost alternate best root to the Root Bridge.
Non Designated Ports : All other ports that are in blocking mode.

STATES
Disabled : A Port is shutdown
Blocking : A Port that is blocking traffic
Listening : A Port that is not forwarding and not learning MAC addresses
Learning: A Port that is learning MAC addresses but is not forwarding traffic
Forwarding : A Port that is sending and receiving traffic as normal

When ports change from one Role to another it will go through the Port States. Note also that the Listening and Learning states are transitional and it wont stay on either.

Root Bridge Election

Each switch has and sends messages to each other called Bridge Protocol Data Units (BPDU’s) These BPDU’s contain specific information pertaining to each switch, such as Root Cost, Bridge ID (BID) for Itself and for the Root.  A BID is made up of STP Priority and MAC address, the default value of The BID on SW1 would be 327691111:1111:1111 since 32769 is the default STP priority and the MAC address. The switch with the lowest BID will become the Root Bridge. This is what is looks like before the Root Bridge Election and the exchange of the BPDU’s

This is what it looks like after, when the lowest BID wins.

The ports on each switch now transition into their respective states following the STP Rules as mentioned above.

The ports can change based on the Cost of each link. The port costs are listed below, however in this example we will just be using Gig Ports, but for clarity a FastEthernet Port will be slower than a GigEthernetPort, the faster the port the lower the cost. The Root Port (RP) is the lowest port cost.

Data rate STP cost RSTP cost
(Link Bandwidth) (802.1D-1998) (802.1W-2004, default value)
4 Mbit/s 250 5,000,000
10 Mbit/s 100 2,000,000
16 Mbit/s 62 1,250,000
100 Mbit/s 19 200,000
1 Gbit/s 4 20,000
2 Gbit/s 3 10,000
10 Gbit/s 2 2,000
100 Gbit/s N/A 200
1 Tbit/s N/A 20

This is a quick diagram of how the port costs are worked out to get back to the Root Bridge. SW2 to get to SW1 is 0+4=4 and SW2 via SW3 to SW1 is 4+4=8

Of course there can be ties between multiple connections and STP can be tuned.

Designated Ports are selected by Root Cost the by Lowest BID and then by lowest numbered Interface. Therefor in the diagram above the Designated port would be GigEth1 on SW3 since it is a lower numbered interface than SW2 GigEth2.

All ports that are not Root Ports or Designated Ports are Blocking Ports.

STP Convergence Times

STP:
BPDU/Hello time = 2 secs – Hello messages to each switch to see its still there
Max Age = 20 secs – How long a switch will wait for a response to the Hello message
Listening = 15 secs
Learning = 15 secs

= 52 secs to convergence

From the time a link goes down to convergence it takes a total of 52 Seconds. When STP was designed that was fine but now, this is much too slow which is where Rapid Spanning Tree Comes in.

RSTP:
3 missed BDPU/Hello at 2 sec each = 6 secs
Learning (no listening) = 15 secs

= 21 secs to convergence.

I hope this have given you a good explanation of STP. 

 

Test Connectivity with Telnet

Telnet is a Network protocol that allows users to connect to and administer a devices Command Line Interface (CLI). However all of the information exchanged on a Telnet session is unencrypted, this means is someone is sniffing the traffic from your host to the device it can be read clearly. So now all know telnet is a super un-secure way to access the CLI of a device, and you should always use SSH where you can, but Telnet can be used in another way. Telnet can only be used to verify network connectivity to remote devices that are TCP based, because TCP is a connection-oriented protocol.

I get requests all the time to open up specific ports on the firewall. You can find a list of the well know port numbers here.

Before I start poking holes in the firewall or other device I check to see if it is already open.

Telnet will by default only check and listen on TCP port 23

If a user asks me is https (port 443) is open to and on a specific server you can easily test with Telnet.

You simply add the port number at the end of the telnet command:

 telnet[host/address[port]]

 

As you can see 443 is open. To exit from the Telnet session: 

SHIFT ]

 

This telnet test to port 23 is not open as it does not say Connected to…


If a remote host does not respond to telnet it can mean a number of things.

  1. The Firewall or Firewalls or other networking devices on the path to the remote host is Denying or Dropping the packets. You will be able to confirm that in the logs on the firewall.
  2. The server or remote host on the other side is not up and active
  3. There is no connectivity to the remote host for some other reason

Further troubleshooting is required if you encounter issues.

Common Port Numbers

Common TCP/IP Protocols and Ports

Protocol TCP/UDP Port Number
File Transfer Protocol (FTP)

(RFC 959)

TCP 20/21
Secure Shell (SSH)

(RFC 4250-4256)

TCP 22
Telnet

(RFC 854)

TCP 23
Simple Mail Transfer Protocol (SMTP)

(RFC 5321)

TCP 25
Domain Name System (DNS)

(RFC 1034-1035)

TCP/UDP 53
Dynamic Host Configuration Protocol (DHCP)

(RFC 2131)

UDP 67/68
Trivial File Transfer Protocol (TFTP)

(RFC 1350)

UDP 69
Hypertext Transfer Protocol (HTTP)

(RFC 2616)

TCP 80
Post Office Protocol (POP) version 3

(RFC 1939)

TCP 110
Network Time Protocol (NTP)

(RFC 5905)

UDP 123
NetBIOS

(RFC 1001-1002)

TCP/UDP 137/138/139
Internet Message Access Protocol (IMAP)

(RFC 3501)

TCP 143
Simple Network Management Protocol (SNMP)

(RFC 1901-1908, 3411-3418)

TCP/UDP 161/162
Border Gateway Protocol (BGP)

(RFC 4271)

TCP 179
Lightweight Directory Access Protocol (LDAP)

(RFC 4510)

TCP/UDP 389
Hypertext Transfer Protocol over SSL/TLS (HTTPS)

(RFC 2818)

TCP 443
Lightweight Directory Access Protocol over TLS/SSL (LDAPS)

(RFC 4513)

TCP/UDP 636
FTP over TLS/SSL

(RFC 4217)

TCP 989/990
The complete list of assigned ports and their assigned services can be seen at http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml.