BGP OSPF Questions: Difference between revisions

== Spanning Tree enhancements ==

* BPDU Guard
BPDU Guard is enabled on edge ports, i.e. the ports connected to hosts. If a BPDU is received on such an interface, the interface is put into the err-disabled (shutdown) state.

* BPDU Filter
BPDU Filter is enabled on edge ports. When enabled, the port neither sends nor receives BPDUs; if a BPDU is received it is dropped and the port goes through the normal STP states.

* Root Guard
Root Guard prevents a switch from becoming the root bridge. It is enabled on the designated ports of the root switch, so that if one of those ports receives a superior BPDU, the port is put into the root-inconsistent state.

* Loop Guard
Loop Guard helps prevent loops on fibre links, where STP cannot detect a Layer 1 failure. When Loop Guard detects that BPDUs are no longer being received on a non-designated (alternate or backup) port, the port is moved into the loop-inconsistent state instead of transitioning to the listening/learning/forwarding state. Ideally it is enabled on all ports; at a minimum it should be enabled on non-designated ports.
Loop Guard is a method of protecting against unidirectional links. For spanning tree to function correctly, every link participating in STP has to be bidirectional. If a link becomes unidirectional, through a cable failure or an interface fault, spanning tree could unblock a link, which would cause a loop.
UDLD (UniDirectional Link Detection) is a Cisco proprietary protocol that detects this condition. Loop Guard is what you would use if you did not have Cisco switches at each end of the link in question.
Based on the various design considerations, you can choose either UDLD or the Loop Guard feature. With regard to STP, the most noticeable difference between the two features is that UDLD offers no protection against STP failures caused by problems in software, where the designated switch stops sending BPDUs. However, this type of failure is (by an order of magnitude) rarer than failures caused by unidirectional links. In return, UDLD can be more flexible in the case of unidirectional links in an EtherChannel: UDLD disables only the failed links, and the channel remains functional with the links that remain, whereas Loop Guard puts the whole channel into the loop-inconsistent state. Additionally, Loop Guard does not work on shared links, or where the link has been unidirectional since link-up; in the latter case the port never receives a BPDU and becomes designated. Because this behaviour could be normal, this particular case is not covered by Loop Guard. UDLD provides protection against such a scenario.
Loop Guard cannot detect a miswiring problem, but UDLD can, because UDLD uses its own Layer 1 keepalive messages.

* DHCP snooping
DHCP snooping allows the configuration of trusted and untrusted ports. Trusted ports may source all DHCP messages; untrusted ports may only source DHCP requests. If a rogue DHCP server tries to reply to a DHCP request on an untrusted port, DHCP snooping shuts that port.
DHCP option 82, in which the port number is also added to the DHCP request.

* Switchport port security
The port security feature only works if the port is configured as a static access or trunk port; it does not work with a port in dynamic mode. We can bind MAC addresses to the port with the switchport port-security command, and if we use sticky, whatever MAC address is learned on the interface is added to the secure CAM table and also to the running config.
The second option is to manually create static entries in the CAM table.

* Storm control
Storm control is used to limit the amount of unicast/multicast/broadcast traffic received on an interface, similar to a policer in MQC (Modular QoS CLI).

* Port-based ACL
A port-based ACL applies an access list on a Layer 2 port, but it only filters inbound traffic.
We can also use a MAC-based ACL, but that only restricts non-IP traffic.

* IP Source Guard (Layer 2 port); Dynamic ARP Inspection is for ARP spoofing.
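Putting the features above together, here is an added Cisco IOS configuration example (not from the original notes) that applies each guard to the port role the notes describe: edge ports get BPDU Guard, port security, IP Source Guard and storm control; the non-designated uplink gets Loop Guard and is trusted for DHCP/ARP; the root switch's designated port gets Root Guard. Interface names, VLAN 10 and the thresholds are assumptions.

```cisco
! Global: DHCP snooping, DAI and Loop Guard for VLAN 10 (VLAN is an assumption)
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping information option
ip arp inspection vlan 10
spanning-tree loopguard default
! Let a BPDU Guard err-disabled edge port recover on its own after 5 minutes
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Edge port to a host: BPDU Guard, sticky port security, IPSG, storm control
interface GigabitEthernet1/0/1
 description Access port to host (hypothetical)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ip verify source
 ip dhcp snooping limit rate 10
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action shutdown
!
! Non-designated uplink towards the root: trusted for DHCP/ARP, Loop Guard
interface GigabitEthernet1/0/48
 description Uplink to distribution (hypothetical)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
 spanning-tree guard loop
!
! On the root switch only: Root Guard on the designated port facing the access layer
! (Root Guard and Loop Guard are mutually exclusive on the same interface)
interface GigabitEthernet1/0/47
 description Designated port towards access switch (hypothetical)
 switchport mode trunk
 spanning-tree guard root
!
! Verification commands
! show spanning-tree inconsistentports
! show ip dhcp snooping binding
! show port-security interface GigabitEthernet1/0/1
! show errdisable recovery
```

The port security and IP Source Guard lines only take effect because the port is statically in access mode, matching the note that these features do not work on ports in dynamic mode.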
 
== VLAN ==