Certificate, Why CA.

A certificate is required to provide security: it is third-party authentication. Each certificate contains three major fields that the receiver uses to check whether the certificate has been forged by someone else.

Certificate fields:

  • Public key: public key of the certificate creator.
  • device signature: Device signature.
  • CA signature: copied from the CA certificate. If the sender is itself a CA, the signature in the CA certificate is similar to the device signature, except that this CA signature is encrypted with the CA’s private key.

When a receiver receives the certificate, it uses the public key present in the certificate to decrypt the CA signature and checks whether the CA signature is valid.

Certificate authority (CA): there can be many CAs, but only one root CA must be present. How to identify whether a certificate belongs to the root CA: if the "issued by" and "issued to" names are the same, the certificate is from the root CA. There can be a long chain of CAs: the root provides CA certificates to its children, those child CAs provide CA certificates to their own sub-children, and so on. So the end user must know, and have installed in memory, all the CA certificates up to the root CA. Only then can a leaf device create certificates or use those certificates.

To create a certificate for any device, all the CA certificates (the whole CA chain) must be installed on that device; in Extreme Networks terminology this is called a trust point. Once all the CA certificates are installed, go to the CSR (certificate signing request) tab and create the policy; this generates the RSA public key. We can then either 1) provide this key to the CA (by email) so that it creates a certificate for us carrying the CA signature; once the certificate is created, the CA sends it back to the end device by email; or 2) create the certificate ourselves, carrying our own signature made with the RSA key. Once the certificate is created, provide it to the client so the client can use it.
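The chain walk described above (leaf to sub CA to root, stopping only at a self-signed root that is actually installed in the trust point), as an added toy model that is not from these notes or any vendor: it uses textbook RSA with tiny primes and no padding purely so the logic runs offline, and the CA, switch and key names are made up.

```python
import hashlib
from dataclasses import dataclass

def make_rsa_key(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # private exponent
    return (n, e), (n, d)                    # (public, private)

def digest(data: bytes, n: int) -> int:
    """Hash the certificate body and reduce it into the modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass(frozen=True)
class Cert:
    subject: str          # "issued to"
    issuer: str           # "issued by"
    public_key: tuple     # (n, e) of the subject
    signature: int        # issuer's private-key operation over body()

    def body(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.public_key}".encode()

    def is_root(self) -> bool:
        # Root CA certificate: "issued by" equals "issued to".
        return self.subject == self.issuer

def issue(subject, subject_pub, issuer_name, issuer_priv) -> Cert:
    """Issuer signs the body with its private key (self-signed if names match)."""
    body = Cert(subject, issuer_name, subject_pub, 0).body()
    n, d = issuer_priv
    return Cert(subject, issuer_name, subject_pub, pow(digest(body, n), d, n))

def signature_valid(cert: Cert, signer_pub) -> bool:
    """Receiver side: apply the signer's public key and compare to the hash."""
    n, e = signer_pub
    return pow(cert.signature, e, n) == digest(cert.body(), n)

def verify_chain(leaf: Cert, installed: dict) -> bool:
    """Walk leaf -> issuer -> ... -> root, using only installed CA certs.

    Fails if an intermediate CA is missing from the store, if any signature
    does not verify, or if the chain ends in a root that is not installed."""
    cert = leaf
    for _ in range(len(installed) + 1):      # bound the walk
        if cert.is_root():
            return installed.get(cert.subject) == cert
        ca = installed.get(cert.issuer)
        if ca is None or not signature_valid(cert, ca.public_key):
            return False
        cert = ca
    return False

# Constructed three-level chain: root CA -> sub CA -> device. The primes are
# toy-sized so the example runs instantly; all names are made up.
ROOT_PUB, ROOT_PRIV = make_rsa_key(1000003, 1000033)
SUB_PUB, SUB_PRIV = make_rsa_key(1000037, 1000039)
DEV_PUB, DEV_PRIV = make_rsa_key(1000081, 1000099)
ROOT = issue("RootCA", ROOT_PUB, "RootCA", ROOT_PRIV)
SUB = issue("SubCA", SUB_PUB, "RootCA", ROOT_PRIV)
DEVICE = issue("switch-1", DEV_PUB, "SubCA", SUB_PRIV)
SELF_SIGNED = issue("switch-1", DEV_PUB, "switch-1", DEV_PRIV)  # option 2 above
FULL_TRUST_POINT = {"RootCA": ROOT, "SubCA": SUB}
ROOT_ONLY = {"RootCA": ROOT}             # sub CA never installed on the receiver
```

With `ROOT_ONLY` the device certificate fails because the receiver cannot find the issuing sub CA, which is exactly why the whole chain has to be installed.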


Who wants privacy? Does a VLAN need privacy? (Private VLAN)

Private VLAN: a VLAN inside a VLAN. Recall that a VLAN is essentially a broadcast domain. Private VLANs (PVLANs) allow splitting the domain into multiple isolated broadcast “subdomains”, introducing sub-VLANs inside a VLAN. As we know, Ethernet VLANs cannot communicate directly with each other; they require an L3 device to forward packets between separate broadcast domains. The same restriction applies to PVLANs: since the subdomains are isolated at Layer 2, they need an upper-level (L3/packet forwarding) device, such as a router, to communicate.

The switch must be in transparent mode to configure private VLANs.

In reality, different VLANs normally map to different IP subnets. When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet.

Three types of ports

  • Promiscuous (“P”) port: Usually connects to a router. This port type is allowed to send and receive L2 frames from any other port on the VLAN.
  • Isolated (“I”) port: This type of port is only allowed to communicate with “P”-ports, i.e., they are “stub” ports. You commonly see these ports connecting to hosts.
  • Community (“C”) port: Community ports are allowed to talk to their buddies sharing the same community (group) and to “P”-ports.

In order to implement sub-VLAN behavior, we need to define how packets are forwarded between the different types of ports. We group the VLANs into “Primary” and “Secondary”.

  • Primary VLAN (VLAN 1000 in our example). This VLAN is used to forward frames downstream from “P”-ports to all other port types (“I” and “C” ports) in the system. Essentially, Primary VLAN embraces all ports in the domain, but only transports frames from the router to hosts (from “P” to “I” and “C”).
  • Secondary Isolated VLAN: forwards frames from “I” ports to “P” ports. Since Isolated ports do not exchange frames with each other, we can use just ONE isolated VLAN to connect all I-Port to the P-port.
  • Secondary Community VLANs: Transport frames between community ports (C-ports) within the same group (community) and forward frames upstream to the P-ports of the primary VLAN.

How Private VLANs Work

Here are the key aspects of Private VLAN functioning:

  • The Primary VLAN delivers frames downstream from the router (promisc port) to all mapped hosts.
  • The Isolated VLAN transports frames from the stub hosts upstream to the router.
  • The Community VLANs allow bi-directional frame exchange within a single group, in addition to forwarding frames upstream towards “P”-ports.
  • Ethernet MAC address learning and forwarding procedure remain the same, as well as broadcast/multicast flooding procedure within boundaries of primary/secondary VLANs.

Private VLANs can be trunked. The secondary VLAN numbers are used to tag frames, just as with regular VLANs, and the primary VLAN traffic is trunked as well. However, you need to configure the Private VLAN specific settings (bindings, mappings) on every participating switch, as it is not possible to use VTPv2 to disseminate that information. This is due to the fact that VTPv2 has no TLVs to carry private VLAN information. VTPv3 was designed to overcome this limitation among others.
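The port-type and primary/secondary VLAN rules above, encoded as a checkable function (an added example, not from these notes; the port names and the "web"/"db" community names are made up):

```python
from itertools import product

PROMISCUOUS, ISOLATED, COMMUNITY = "P", "I", "C"

def pvlan_forwards(src, dst) -> bool:
    """Can a frame from port `src` reach port `dst` at Layer 2?

    Ports are (type, community) pairs; community is None for P and I ports.
    Rules: P talks to everyone; I talks only to P; C talks to P and to C
    ports of the same community. Everything else (I<->I, I<->C, C<->C of
    different groups) is dropped and needs an L3 device."""
    s_type, s_group = src
    d_type, d_group = dst
    if PROMISCUOUS in (s_type, d_type):
        return True
    if s_type == COMMUNITY and d_type == COMMUNITY:
        return s_group == d_group
    return False

def which_vlan(src, dst) -> str:
    """Which VLAN (primary or a secondary one) actually carries the frame."""
    if not pvlan_forwards(src, dst):
        raise ValueError("frame is dropped at Layer 2")
    if src[0] == PROMISCUOUS:
        return "primary"                # downstream: P -> I/C
    if src[0] == ISOLATED:
        return "isolated"               # upstream; one isolated VLAN suffices
    return f"community-{src[1]}"        # C -> same-group C, or C -> P

def reachability(ports: dict) -> dict:
    """{(a, b): allowed} for every ordered pair of distinct named ports."""
    return {(a, b): pvlan_forwards(ports[a], ports[b])
            for a, b in product(ports, repeat=2) if a != b}

# Constructed port set: one router uplink, two stub hosts, two communities.
PORTS = {
    "Gi1/1": (PROMISCUOUS, None),       # router
    "Gi1/2": (ISOLATED, None),          # host A
    "Gi1/3": (ISOLATED, None),          # host B
    "Gi1/4": (COMMUNITY, "web"),
    "Gi1/5": (COMMUNITY, "web"),
    "Gi1/6": (COMMUNITY, "db"),
}
```

Running `reachability(PORTS)` shows that of the 30 ordered port pairs only 12 are permitted: the ten involving the router and the two between the "web" community members.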

VLAN & VTP flavors

VLANs (which logically divide the broadcast domain) are broadcast domains defined within switches to allow control of broadcast, multicast, unicast, and unknown unicast traffic within a Layer 2 device. VLANs are created by number, and there are two ranges of usable VLAN numbers (normal range 1–1000 and extended range 1025–4096). We cannot currently use VTP to manage VLANs in the extended range, and these VLANs cannot be passed over an Inter-Switch Link (ISL) trunk link. The extended vlan-id is a number from 1025 to 4096. Numbers 1001 to 1024 are reserved by Cisco and cannot be configured.

We can create VLANs in either VLAN database mode or global configuration mode. VLANs numbered higher than 1005 must be created in global configuration mode, and the VTP mode must be set to transparent in order to create them. VLANs numbered higher than 1005 are not advertised by VTP. Furthermore, they are stored in the switch configuration file and not in the vlan.dat file.

The VLAN information is kept in a separate file named vlan.dat. If the vlan.dat file is deleted accidentally and the switch is reloaded, all the VLANs that were on the switch are lost. Until the switch is reloaded, the VLAN information is still present in the switch; in that case we just have to create, delete, or modify a VLAN to regenerate the vlan.dat file.


There are three modes of VTP

  • Server: This is the default VTP mode. It can add, delete, and rename VLANs, and these VLANs are propagated to the other switches. We must configure the VTP domain.
  • Client: Even if we don’t configure the VTP domain on a client switch, it will still receive information from the server’s domain and learn the domain name and revision number. It cannot create, delete, add, or rename VLANs.
  • Transparent: The revision number is always ZERO. This switch relays all VTP messages.

Different VTP domains won’t communicate with each other. So if we add a switch with a different domain (say AAA) between two switches running the same VTP domain (say CISCO), the new switch will not pass the CISCO domain messages on to the other switch: since the transit switch is in the AAA domain, when it receives a packet carrying the CISCO VTP domain name it simply drops it. We must have a trunk link between the two switches to pass VTP messages. VTP messages carry the tag value.

We can configure a password in VTP.

Normal-range VLANs are VLANs 1–1005, and can be advertised via VTP versions 1 and 2. These VLANs can be configured in VLAN database mode, with the details being stored in the vlan.dat file in

Extended-range VLANs range from 1006–4094, inclusive. However, these additional VLANs cannot be configured in VLAN database mode, nor stored in the vlan.dat file, nor advertised via VTP. In fact, to configure them, the switch must be in VTP transparent mode.

Take care while adding a switch

If we want to add a switch to the network, first check its revision number. If the switch’s revision number is higher, put the switch into TRANSPARENT mode so that the revision value becomes ZERO, and then configure it whichever way we want. Another way is to configure that switch in a different domain so that its revision number starts again from ZERO. When the revision number is higher than that of the already running network (for a switch in either server or client mode), the added switch will definitely harm the whole network, even though it is running in CLIENT mode or SERVER mode, because a client switch also shares VTP information with the server and the other clients.
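The revision-number hazard above, as an added simulation that is not from these notes or from Cisco: a CLIENT-mode lab switch with a higher revision overwrites the production VLAN database, while putting it into transparent mode first (revision back to zero) makes it learn from production instead. The switch names, domain name and VLAN numbers are made up.

```python
from dataclasses import dataclass, field

@dataclass
class VtpSwitch:
    name: str
    mode: str                         # "server", "client" or "transparent"
    domain: str
    revision: int = 0
    vlans: set = field(default_factory=set)

    def set_mode(self, mode: str):
        """Going transparent resets the configuration revision to zero."""
        self.mode = mode
        if mode == "transparent":
            self.revision = 0

    def set_domain(self, domain: str):
        """A new domain name also starts the revision again from zero."""
        self.domain = domain
        self.revision = 0

    def edit_vlans(self, add=(), remove=()):
        """Only a server edits VLANs; each edit bumps the revision by one."""
        if self.mode != "server":
            raise PermissionError(f"{self.name}: VLAN edits need server mode")
        self.vlans = (self.vlans | set(add)) - set(remove)
        self.revision += 1

    def receive(self, adv_domain, adv_revision, adv_vlans) -> bool:
        """Apply a summary advertisement; True if our database was replaced."""
        if self.mode == "transparent" or adv_domain != self.domain:
            return False              # relayed or dropped, never applied
        if adv_revision > self.revision:
            self.vlans, self.revision = set(adv_vlans), adv_revision
            return True
        return False

def connect_over_trunk(network: list, newcomer: VtpSwitch) -> list:
    """Exchange advertisements both ways; return names whose database changed."""
    changed = [sw.name for sw in network
               if sw.receive(newcomer.domain, newcomer.revision, newcomer.vlans)]
    best = max(network, key=lambda sw: sw.revision)
    if newcomer.receive(best.domain, best.revision, best.vlans):
        changed.append(newcomer.name)
    return changed

def lab_switch_scenario(sanitize: bool) -> dict:
    """Production runs VLANs 10/20 at revision 5; a lab switch arrives at
    revision 40 in CLIENT mode. With sanitize=True it is first put into
    transparent mode (revision -> 0) and back to client before connecting."""
    prod = [VtpSwitch("core", "server", "CISCO", 5, {10, 20}),
            VtpSwitch("access1", "client", "CISCO", 5, {10, 20})]
    lab = VtpSwitch("lab", "client", "CISCO", 40, {99})
    if sanitize:
        lab.set_mode("transparent")
        lab.set_mode("client")
    changed = connect_over_trunk(prod, lab)
    return {"changed": changed, "core_vlans": prod[0].vlans, "lab_vlans": lab.vlans}
```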

VTP versions 1, 2, 3

Version 1 is the default. Version 2 is used when we want to use Token Ring. I have to read about version 3.

VTP pruning

It is used to eliminate (prune) unnecessary traffic that would otherwise be broadcast to all the switches in the domain. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs greater than 1005) are also pruning-ineligible.

Dynamic Trunking Protocol (DTP)

  • Access: Does not send DTP packets.
  • Dynamic desirable: Actively sends DTP packets.
  • Auto: Does not send DTP packets, but becomes a trunk port if it receives DTP packets from the other end. It never becomes a trunk when the other end is also auto.
  • Trunk: Sends DTP packets.
  • Non-negotiate: Does not send DTP packets.

ISL, 802.1Q, QinQ

ISL: the complete frame is encapsulated and an additional header is added when it is sent. At the receiver the header is removed and the frame is de-encapsulated.

802.1Q: 4 bytes are added to the frame. Since the 802.1Q tag is 4 bytes, the resulting Ethernet frame can be as large as 1522 bytes. The minimum size of an Ethernet frame with 802.1Q tagging is 68 bytes.

Difference between ISL and 802.1Q: 802.1Q supports a native VLAN, but ISL has no native VLAN concept.

QinQ: the recommended minimum MTU is 1504 bytes for QinQ because 4 extra bytes are added to the frame. A QinQ frame carries a modified tag protocol identifier (TPID) value in its VLAN tags. By default, the VLAN tag uses the TPID field to identify the protocol type of the tag.

The value of this field, as defined in IEEE 802.1Q, is 0x8100.

The device determines whether a received frame carries a service provider VLAN tag or a customer VLAN tag by checking the corresponding TPID value. After receiving a frame, the device compares the configured TPID value with the value of the TPID field in the frame. If the two match, the frame carries the corresponding VLAN tag. For example, if a frame carries VLAN tags with the TPID values 0x9100 and 0x8100 respectively, while the configured TPID value of the service provider VLAN tag is 0x9100 and that of the customer VLAN tag is 0x8200, the device considers that the frame carries only the service provider VLAN tag and not the customer VLAN tag.
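The TPID matching rule just described, as an added parser that is not from these notes or from any vendor's code: it walks the outer and inner tag positions, accepts a tag only when its TPID equals the configured service-provider or customer value, and otherwise treats those 16 bits as the payload EtherType. The frame bytes and MAC addresses are constructed for the example.

```python
import struct

DEFAULT_TPID = 0x8100            # IEEE 802.1Q
MAC_HDR_LEN = 12                 # destination MAC + source MAC

def parse_tags(frame: bytes, sp_tpid: int, cust_tpid: int) -> dict:
    """Report which tags the device recognises and the remaining EtherType.

    The outer tag position is compared with the service-provider TPID, the
    inner one with the customer TPID. A mismatch stops recognition there:
    the unrecognised 16 bits are then read as the payload EtherType.
    TCI layout per 802.1Q: 3 bits PCP, 1 bit DEI, 12 bits VID."""
    result = {"s_tag": None, "c_tag": None}
    offset = MAC_HDR_LEN
    for name, expected in (("s_tag", sp_tpid), ("c_tag", cust_tpid)):
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != expected:
            break
        result[name] = {"tpid": tpid, "pcp": tci >> 13,
                        "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset += 4
    result["ethertype"] = struct.unpack_from("!H", frame, offset)[0]
    result["header_len"] = offset + 2
    return result

def build_frame(tags, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Build a frame with [(tpid, vid), ...] tags, outermost first.

    Constructed MACs; no FCS is appended."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

# The worked case from the notes: outer TPID 0x9100, inner TPID 0x8100,
# device configured with SP TPID 0x9100 and customer TPID 0x8200.
FRAME = build_frame([(0x9100, 100), (0x8100, 200)])
```

With the configured customer TPID of 0x8200 only the S-tag (VID 100) is recognised and the inner 0x8100 is reported as the EtherType; configuring 0x8100 instead makes the C-tag (VID 200) visible.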

Unicast flooding

A switch uses the forwarding table (CAM table) to send a frame to a specific port based on the VLAN and the destination MAC address. When there is no entry for the destination MAC address in the incoming VLAN, the frame is sent to all forwarding ports within that VLAN; this causes FLOODING.

In what ways can flooding happen in a network?

  • Asymmetric routing: This means the source and destination take different routes to reach one another.
  • TCN packets in STP: If a link goes UP and DOWN very frequently, STP generates TCN packets, which tell the switches to flush their MAC tables.
  • Forwarding table overflow: This case is rare. It is caused by an attack on the network where one host starts generating frames, each sourced from a different MAC address.

Port-Based Traffic Control

Storm control

Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. We can configure a storm-control threshold value on the port. If the traffic goes higher than the configured value, the port will block.

Protected port

Some applications require that no traffic be forwarded between ports on the same switch, so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch. (storm-control broadcast)

Protected ports have these features:

  • A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
  • Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
  • Protected ports are supported on IEEE 802.1Q trunks.

Port Blocking

A port forwards frames with an unknown destination MAC address to all ports. If we want to block these unknown unicast or multicast frames from being forwarded out of a given port at all, we can configure the port blocking feature (switchport block multicast).

Port security

We can assign MAC addresses to a port in three ways: static secure MAC addresses, dynamic secure MAC addresses, and sticky secure MAC addresses. We can configure an interface to convert dynamic MAC addresses to sticky secure MAC addresses and add them to the running configuration by enabling sticky learning.

If we configured the maximum MAC address value on the port as 10 and the port has now learned 10 MAC addresses, and I then want to change this maximum to 5, the command is rejected because there are already 10 MAC addresses in the MAC table.

A security violation occurs when the maximum number of secure MAC addresses has been added to the address table and a station whose MAC address is not in the address table attempts to access the interface, or when an address learned or configured on one secure interface is seen on another secure interface in the same VLAN. We have a few actions for when this type of violation occurs:

  1. Protect: When the number of MAC addresses reaches the threshold configured on the port, frames from unknown source addresses are dropped until we remove a sufficient number of MAC addresses or increase the threshold. Cisco does not recommend configuring protect mode on a trunk port, because protect mode disables learning when any VLAN reaches its maximum limit, even if the port as a whole has not reached its maximum limit. We are not notified that a security violation has occurred. Shuts down port: No
  2. Restrict: Similar to protect mode, but here we are notified that a security violation has occurred. Shuts down port: No
  3. Shutdown (default mode): The port goes into the err-disabled state and its LED is turned off. It also sends an SNMP trap, like restrict mode. Shuts down port: Yes

None of the security violation actions will forward the offending traffic and display the error messages.
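A small switch model covering both the unicast flooding passage and the port security passage above: a CAM table keyed by (VLAN, MAC), flooding on unknown destinations and after a TCN flush, and per-port secure-address limits with the protect/restrict/shutdown actions. This is an added example, not from these notes or from Cisco; the port names, MAC addresses and the text of the logged notification are made up.

```python
class Switch:
    """Toy Layer 2 switch with a CAM table and port security."""

    def __init__(self, access_vlans: dict):
        self.vlan_of = dict(access_vlans)   # port -> access VLAN
        self.cam = {}                       # (vlan, mac) -> port
        self.secure = {}                    # port -> {"max", "mode", "macs"}
        self.errdisabled = set()
        self.log = []                       # what restrict/shutdown would report

    def port_security(self, port, maximum, mode="shutdown"):
        """Enable port security; addresses already learned become secure."""
        known = {mac for (vlan, mac), p in self.cam.items() if p == port}
        if len(known) > maximum:
            # The rejected 'maximum 5 with 10 already learned' case above.
            raise ValueError(f"{port}: {len(known)} addresses already learned")
        self.secure[port] = {"max": maximum, "mode": mode, "macs": known}

    def flush(self):
        """What a TCN causes: the table is emptied and flooding follows."""
        self.cam.clear()

    def _violation(self, port, src):
        mode = self.secure[port]["mode"]
        if mode in ("restrict", "shutdown"):
            self.log.append(f"PSECURE_VIOLATION {port} {src}")   # syslog/SNMP
        if mode == "shutdown":
            self.errdisabled.add(port)
        return []                           # no mode forwards the offending frame

    def _secure_check(self, port, vlan, src) -> bool:
        """True if the source may be learned/forwarded on a secure port."""
        sec = self.secure.get(port)
        if sec is None or src in sec["macs"]:
            return True
        # Address already secured on another secure port in the same VLAN.
        for other, osec in self.secure.items():
            if other != port and self.vlan_of[other] == vlan and src in osec["macs"]:
                return False
        if len(sec["macs"]) >= sec["max"]:
            return False
        sec["macs"].add(src)
        return True

    def receive(self, port, src, dst) -> list:
        """Return the egress ports for a frame arriving on `port`."""
        if port in self.errdisabled:
            return []
        vlan = self.vlan_of[port]
        if not self._secure_check(port, vlan, src):
            return self._violation(port, src)
        self.cam[(vlan, src)] = port
        out = self.cam.get((vlan, dst))
        if out is None:                     # unknown unicast: flood the VLAN
            return sorted(p for p, v in self.vlan_of.items() if v == vlan and p != port)
        return [] if out == port else [out]

# Constructed topology: three access ports in VLAN 10, one in VLAN 20.
PORTS = {"Gi1/1": 10, "Gi1/2": 10, "Gi1/3": 10, "Gi1/4": 20}
H1 = "00:11:22:33:44:01"
H2 = "00:11:22:33:44:02"
H3 = "00:11:22:33:44:03"
ROGUE = "de:ad:be:ef:00:99"
```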

Port security aging

  • Absolute—the secure MAC addresses on the port are deleted after the specified aging time.
  • Inactivity—the secure MAC addresses on the port are deleted only if they are inactive for the specified aging time.

All port guards and root port

Loop Guard:

The loop guard feature is needed to detect unidirectional loops. Say that on a non-designated port (blocking port, alternate port, backup port) BPDUs are no longer received from the designated port because of a unidirectional link failure. In this case the non-designated port would go into the forwarding state and a loop would occur; to avoid this we can use loop guard.

The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening / learning / forwarding state. Without the loop guard feature, the port assumes the designated port role. The port moves to the STP forwarding state and creates a loop.

When loop guard is configured on a port, it disables root guard configured on the same port. Loop guard cannot be enabled on ports where PortFast is enabled.


UDLD: similar to loop guard, i.e., it protects against STP failures caused by unidirectional links.

Difference between UDLD and Loop Guard

1) The designated source does not send BPDUs. This type of issue is due to an STP software failure, and such problems are very rare. Loop guard handles this type of issue, but UDLD does not.

2) UDLD is useful in an EtherChannel: UDLD identifies which particular link has gone bad and disables only that link, whereas loop guard blocks the whole EtherChannel.

BPDU Skew Detection

STP operation depends on the timely receipt of BPDUs. At every hello_time interval (2 seconds by default), the root bridge sends BPDUs. Non-root bridges do not regenerate BPDUs for each hello_time interval, but they receive relayed BPDUs from the root bridge. Therefore, every non-root bridge should receive BPDUs on every VLAN for each hello_time interval. In some cases, BPDUs are lost, or the bridge CPU is too busy to relay BPDUs in a timely manner. These issues, as well as others, can cause BPDUs to arrive late (if they arrive at all). This affects the stability of STP.

BPDU skew detection allows the switch to keep track of BPDUs that arrive late and to notify the administrator with syslog messages.

Root Guard

Root guard is configured on a per-port basis. Root guard does not allow the port to become an STP root port, so the port is always STP-designated. If a better BPDU arrives on this port, root guard does not take the BPDU into account and does not elect a new STP root. Instead, root guard puts the port into the root-inconsistent STP state. You must enable root guard on all ports where the root bridge should not appear.

BPDU guard

On reception of BPDUs, BPDU guard disables a port that has PortFast configured. BPDU guard transitions the port into the errdisable state.

When STP BPDU guard disables the port, the port remains in the disabled state unless it is enabled manually. You can configure a port to re-enable itself automatically from the errdisable state by issuing the commands that set the errdisable-timeout interval and enable the timeout feature.

Difference between BPDU guard and Root guard.

BPDU guard and root guard are similar, but their impact is different. BPDU guard disables the port upon BPDU reception if PortFast is enabled on the port. The disablement effectively denies devices behind such ports from participation in STP. You must manually reenable the port that is put into errdisable state or configure errdisable-timeout.

Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs.
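The recovery difference between the two guards, as an added state model that is not from these notes or from Cisco: on the same port events, root guard blocks only on a superior BPDU and recovers on its own once those stop, while BPDU guard (with PortFast) err-disables on any BPDU and comes back only via a manual shut/no shut or the errdisable timeout. Event names, port names and timer values are made up.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class GuardedPort:
    """One switch port with optional root guard and BPDU guard (PortFast)."""
    name: str
    root_guard: bool = False
    bpdu_guard: bool = False                   # acts only together with portfast
    portfast: bool = False
    errdisable_timeout: Optional[int] = None   # seconds; None = manual recovery only
    state: str = "forwarding"
    disabled_at: Optional[int] = None
    events: list = field(default_factory=list)

    def on_bpdu(self, now: int, superior: bool):
        """Any BPDU trips BPDU guard; only a superior one trips root guard."""
        if self.state == "errdisable":
            return                             # port is down, nothing is received
        if self.bpdu_guard and self.portfast:
            self.state, self.disabled_at = "errdisable", now
            self.events.append((now, "bpduguard: errdisable"))
        elif self.root_guard and superior and self.state != "root-inconsistent":
            self.state = "root-inconsistent"
            self.events.append((now, "rootguard: blocked"))

    def on_quiet_period(self, now: int):
        """No superior BPDU arrived during the last aging window.

        Root guard recovers by itself; errdisable only through the timeout."""
        if self.state == "root-inconsistent":
            self.state = "forwarding"
            self.events.append((now, "rootguard: recovered"))
        elif (self.state == "errdisable" and self.errdisable_timeout is not None
              and now - self.disabled_at >= self.errdisable_timeout):
            self.state = "forwarding"
            self.events.append((now, "errdisable: timeout recovery"))

    def shut_no_shut(self, now: int):
        """Manual 'shutdown' / 'no shutdown' by the administrator."""
        self.state, self.disabled_at = "forwarding", None
        self.events.append((now, "manual recovery"))

def run(port: GuardedPort, timeline) -> tuple:
    """Replay (time, event) pairs; events are 'superior', 'inferior', 'quiet'.
    Returns the final state and the list of event labels recorded."""
    for now, ev in timeline:
        if ev == "quiet":
            port.on_quiet_period(now)
        else:
            port.on_bpdu(now, superior=(ev == "superior"))
    return port.state, [label for _, label in port.events]

# Constructed timeline: a rogue superior BPDU at t=0, then silence.
TIMELINE = [(0, "superior"), (20, "quiet"), (320, "quiet")]
```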

Root port

Root port has to be enabled on the port where you are going to connect a computer. Root port can be configured on a trunk port; however, if the trunk port receives a higher (superior) BPDU, it will block that port.


STP: if any link goes down on a non-root bridge, the root port sends a TCN toward the root bridge. Once the TCN is received by the root bridge, it sends TC packets to the whole STP domain. Once a switch receives this TC packet, it flushes its FDB table.

If the RP (root port) goes down on a non-root bridge, that switch declares itself the root bridge and sends BPDUs to the connected switch on the other end, whose port is a designated port. When that port receives the BPDU from the neighboring device but the switch is still receiving superior BPDUs from the root bridge, the switch generates a BPDU and sends it out of its designated port; this tells the neighbor “I have another path to reach the root bridge, and it is not down.”

RSTP: whenever any link goes down, that switch generates the TC packet (meaning any switch can generate the TC packet). Once the TC packet is received by a neighboring device, it flushes its FDB (MAC table). RSTP uses the proposal/agreement method for convergence. Between two devices, the first sends a BPDU with the proposal bit set; if the receiving switch sees that this BPDU is superior, it sends sync to all its non-designated ports (alternate and discarding ports), blocks its designated ports, and sends a BPDU back toward the root bridge with the agreement flag set. This process continues on the designated ports as well: the switch sends a BPDU with the proposal bit set to its neighbor, and if this BPDU is superior it gets an agreement from that neighbor.

MSTP: we have many regions. BPDUs are sent by the IST, which is present in each region and carries all the VLANs of that region. When there are many regions, we need to choose a CIST root and a CIST regional root. The CIST regional root is the switch at the outer edge of the region that has the lowest cost to reach the CIST root. The CIST root is the switch with the lowest bridge ID across all regions.

MSTP is used to avoid maintaining a separate STP domain for every VLAN. It is also useful for load sharing. In PVST+ we can have many spanning-tree domains, which may increase CPU utilization, whereas in MST we can keep the number of STP domains to a minimum so that they do not harm CPU utilization.

CIST Root Bridges Election Process

  • When a switch boots up, it declares itself as CIST Root and CIST Regional Root and announces this fact in outgoing BPDUs. The switch will adjust its decision upon reception of better information and continue advertising the best known CIST Root and CIST Regional Root on all internal ports. On the boundary ports, the switch advertises only the CIST Root Bridge ID and CIST External Root Path Cost thus hiding the details of the region’s internal topology.
  • CIST External Root Path Cost is the cost to reach the CIST Root across the links connecting the boundary ports – i.e. the inter-region links. When a BPDU is received on an internal port, this cost is not changed. When a BPDU is received on a boundary port, this cost is adjusted based on the receiving boundary port cost. In result, the CIST External Root Path Cost is propagated unmodified inside any region.
  • Only a boundary switch could be elected as the CIST Regional Root, and this is the switch with the lowest cost to reach the CIST Root. If a boundary switch hears better CIST External Root Path cost received on its internal link, it will relinquish its role of CIST Regional Root and start announcing the new metric out of its boundary ports.
  • Every boundary switch needs to properly block its boundary ports. If the switch is a CIST Regional Root, it elects one of the boundary ports as the “CIST Root port” and blocks all other boundary ports. If a boundary switch is not the CIST Regional Root, it will mark the boundary ports as CIST Designated or Alternate. The boundary port on a non regional-root bridge becomes designated only if it has superior information for the CIST Root: better External Root Path cost or if the costs are equal better CIST Regional Root Bridge ID. This follows the normal rules of STP process.
  • As a result of CIST construction, every region will have one switch having single port unblocked in the direction of the CIST Root. This switch is the CIST Regional Root. All boundary switches will advertise the region’s CIST Regional Root Bridge ID out of their non-blocking boundary ports. From the outside perspective, the whole region will look like a single virtual bridge with the Bridge ID = CIST Regional Root ID and single root port elected on the CIST Regional Root switch.
  • The region that contains the CIST Root will have all boundary ports unblocked and marked as CIST designated ports. Effectively the region would look like a virtual root bridge with the Bridge ID equal to CIST Root and all ports being designated. Notice that the region with CIST Root has CIST Regional Root equal to CIST Root as they share the same lowest bridge priority value across all regions.