Category Archives: Switching

Cisco CCNA – ICND1 – Study notes

IPV6

  • Global Unicast
    • Public IPv6 address – equivalent to a public IPv4 address. Currently allocated from 2000::/3.
  • Link-Local
    • Valid only on the local link (one L2 segment) and never forwarded by a router – FE80::/10 (FE80:: through FEBF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF).
    • If no address is configured, the device autogenerates one (Cisco IOS derives it from the interface MAC with EUI-64; many hosts use a random interface ID instead).
    • The router's link-local address is what hosts use as the def-gw, because it is the source address of the RA.
  • Unique local
    • Like private IPv4 addresses: routed inside a site, but not on the global Internet.
    • FC00::/7 (FC00:: through FDFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF). In practice FD00::/8 is used, with a randomly chosen 40-bit global ID.
  • IPv6 Multicast
    • Assigned
      • FF02::1 – All nodes multicast – every IPv6-enabled interface joins this group. RA messages are sent to it.
      • FF02::2 – All routers multicast – all routers with “ipv6 unicast-routing” enabled join this group. RS messages are sent to it.
    • Solicited-node
      • FF02::1:FFxx:xxxx, built from the low 24 bits of a unicast address and mapped to the Ethernet MAC 33:33:FF:xx:xx:xx. NS messages (and DAD) are sent to it, so the NIC filter delivers the frame only to the few hosts whose address ends in the same 24 bits rather than to every host on the link.
  • SLAAC – RA message option 1
    • Stateless Address Autoconfiguration.
    • Router RA – Router Advertisement – sent by the router to FF02::1 (multicast, not broadcast) every 200 seconds by default on Cisco IOS, and in reply to a Router Solicitation message.
    • Contains the network prefix and length (the host builds its own interface ID), the Def GW (the router's link-local address, i.e. the RA source), and optionally the DNS server address and domain name (RDNSS/DNSSL options, RFC 8106).
  • SLAAC and DHCPv6 – RA message option 2 (O flag set)
    • Same as SLAAC, but the RA tells hosts to ask a stateless DHCPv6 server for the DNS server and domain name only; the address still comes from SLAAC.
  • DHCPv6 only – RA message option 3 (M flag set)
    • Link-local address of the router (the RA source) for the def GW.
    • DHCPv6 server assigns the Global Unicast address, DNS, domain name and everything else.
    • DHCPv6 has no option for a def-gw; only the RA can provide it.
  • EUI64
    • Used with option 1 and option 2 RA.
    • Builds the 64-bit interface ID from the 48-bit MAC address: FF:FE is inserted between the OUI and the device part, and the U/L bit (bit 7 of the first byte) is flipped. E.g. MAC 00:1A:2B:3C:4D:5E becomes interface ID 021A:2BFF:FE3C:4D5E.
    • DAD – Duplicate Address Detection – the host sends an NS for its tentative address to the solicited-node group; if no NA comes back, the address is free to be used.
  • IPv6 Neighbor Solicitation – NS
    • Sent when you know the IPv6 unicast address but not the MAC address of the end device (the ICMPv6 replacement for ARP). Also used for DAD and for checking that a neighbor is still reachable.
  • IPv6 Neighbor Advertisement – NA
    • Reply to an NS. Contains the MAC address of the responding device.
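The three RA options and EUI-64 above, as Cisco IOS router configuration. This is an added example and not part of the original study notes: the interface names, the 2001:db8::/32 documentation prefixes, the DNS server address, the domain name and the pool names are assumed. The `ipv6 nd ra dns server` (RDNSS) command only exists on newer IOS/IOS-XE releases; on older code DNS must come from DHCPv6.

```cisco
! Added example (not from the original notes). Prefixes use the 2001:db8::/32
! documentation range; interface names, pool names and the DNS address are assumed.
!
! Also makes the router join FF02::2 (all routers) on every IPv6 interface.
ipv6 unicast-routing
!
! RA option 1: SLAAC only. M and O flags are clear by default, so the host builds
! its address from the advertised prefix and takes the RA source as def-gw.
interface GigabitEthernet0/0
 description Player LAN - SLAAC only
 ipv6 address 2001:db8:1::1/64
 ! Unsolicited RA interval; 200 s is the IOS default, shown for clarity
 ipv6 nd ra interval 200
 ! Optional RDNSS option inside the RA (newer IOS/IOS-XE only)
 ipv6 nd ra dns server 2001:db8::53
!
! RA option 2: SLAAC + stateless DHCPv6. O flag set: address via SLAAC,
! DNS server and domain name via DHCPv6. No address pool, so no per-client state.
interface GigabitEthernet0/1
 description Player LAN - SLAAC + stateless DHCPv6
 ! The router's own global address is built with EUI-64 from the interface MAC
 ipv6 address 2001:db8:2::/64 eui-64
 ipv6 nd other-config-flag
 ipv6 dhcp server STATELESS-POOL
!
! RA option 3: stateful DHCPv6. M flag set and autoconfig turned off for the
! prefix, so the host must get its global address from DHCPv6. The def-gw still
! comes only from the RA; DHCPv6 cannot carry it.
interface GigabitEthernet0/2
 description Player LAN - stateful DHCPv6
 ipv6 address 2001:db8:3::1/64
 ipv6 nd managed-config-flag
 ipv6 nd prefix 2001:db8:3::/64 2592000 604800 no-autoconfig
 ipv6 dhcp server STATEFUL-POOL
!
ipv6 dhcp pool STATELESS-POOL
 dns-server 2001:db8::53
 domain-name lan.example
!
ipv6 dhcp pool STATEFUL-POOL
 address prefix 2001:db8:3::/64
 dns-server 2001:db8::53
 domain-name lan.example
```

`show ipv6 interface GigabitEthernet0/1` confirms the result on the router side: the FE80:: link-local, the EUI-64 global address with FF:FE in the middle, and the joined multicast groups FF02::1, FF02::2 and one FF02::1:FFxx:xxxx solicited-node group per address. `show ipv6 dhcp binding` lists the leases handed out by STATEFUL-POOL.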

Layer 2 security @ Lan ETS

The network team at Lan ETS helps design and build the infrastructure for one of the biggest LAN events in North America. Over a weekend, more than 2000 players will stress our infrastructure to its limits. These are some of our observations and lessons.

Ask anyone working in network security if allowing 4000 unknown and untrusted devices on your network is a good idea and you’ll get a chuckle and a “Wait, did you do that?”

This is a very common challenge at LAN events, where we host over 2000 players for a 72-hour gaming session. Add wired and Wi-Fi devices and you get a large number of strange devices entering your network. We have very little control over the type of devices players bring, so we need mechanisms in place to protect our network.

Here are a few of the tools and configs we use during the event.

DHCP Snooping

DHCP is the process by which a computer asks for an IP address and is given one by a DHCP server. Without a functioning DHCP server, every computer on the network would have to be configured manually, which is impossible at our type of event.

While extremely useful, DHCP can also be abused by attackers. DHCP snooping lets us stop attackers from running their own DHCP server on our network. We configure specific ports as “trusted”, usually our uplinks towards the real DHCP server; only trusted ports may carry server-side messages (DHCP OFFER, ACK and NAK). Ports used by players are “untrusted” by default once DHCP snooping is enabled, so an attacker hosting a rogue DHCP server will never see his fake OFFERs reach any other player: the switch drops them on ingress. At the same time, OFFERs from our network core still transit safely to the devices.

DHCP snooping does more than police server replies, and it is a must-have on any access network. The switch also records every completed lease (MAC, IP, VLAN, port and lease time) in a binding table that Dynamic ARP Inspection and IP Source Guard build on. On untrusted ports it checks that the client hardware address inside the DHCP message matches the frame's source MAC, drops RELEASE and DECLINE messages for leases the port does not own (so one player cannot release another's lease), and can rate-limit DHCP packets from a single port. The less an attacker can do with DHCP, the better.

Port-Security – Mac address limit

We also limit the number of MAC addresses per port. While we don't necessarily mind players bringing several devices, we provide a single port per player for a console or a computer. This is mostly to prevent extreme cases where players bring their own switch (or hub!) and connect all their friends. While not technically wrong, we offer up to a Gbit port to each player, and we see no reason for players not to enjoy the full speed of the network.

This configuration also prevents an attacker from exhausting our DHCP pool by requesting dozens of leases from virtual machines on his machine, each with its own MAC address, which could prevent legitimate players from obtaining leases.

We limit the MAC addresses per port to 2; traffic from any extra MAC address is dropped while the first 2 keep passing (Cisco's “restrict” violation mode, rather than err-disabling the port). This lets players keep using the network without interruption even if they trip over the limit. Every violation is logged, we review the logs throughout the event, and we take action from there.

BPDU Guard

There are things you never want to hear when running a LAN event: “They cut the fiber in the ceiling”, “Someone dropped his lunch on the core router” and “I think we have a loop somewhere”. Loops in a network are messy. Because modern networks generate a steady stream of broadcast traffic, a single loop can bring the entire network to its knees: there is no TTL at layer 2, so every broadcast frame is forwarded back and forth forever and the storm only grows.

With over 30 kilometers of optical fiber and Ethernet cable and a setup spanning 20 or so hours, it's easy to lose sight of where cables go. It takes a single moment of inattention to plug a cable back into the same switch it came from, or to create a loop by pulling a second uplink from the same switch.

Fortunately, there is a feature called “BPDU Guard” that we use as a first line of defense against loops. A BPDU, or Bridge Protocol Data Unit, is the frame switches exchange to build the Spanning Tree topology, which provides a loop-free network when properly designed. A BPDU should only ever arrive on a port that faces another switch.

Our network topology gives each end user a single port for a single device, which lets us enable BPDU Guard on every player port. A player port that receives a BPDU is immediately put into the err-disabled state, so a mis-patched cable or a player bringing his own Spanning-Tree-aware equipment cannot join our topology, claim the root role or create a loop. The MAC address limit per port covers the same case from another angle.
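The three features above as one Cisco IOS access-switch configuration. This is an added example, not the configuration from the original post: VLAN 100, the interface names, the rate limits, the aging time and the flash path are assumed, and the uplink is assumed to be a trunk towards the core, where the real DHCP server sits.

```cisco
! Added example (not the post's configuration). VLAN 100, interface names,
! thresholds and the flash path are assumed.
!
! --- DHCP snooping: only trusted ports may carry server replies (OFFER/ACK/NAK) ---
ip dhcp snooping
ip dhcp snooping vlan 100
! Keep the binding table across a reload so existing leases stay valid for DAI/IPSG
ip dhcp snooping database flash:/dhcp-snooping.db
! Common gotcha: IOS inserts option 82 by default; if the DHCP server drops
! requests carrying option 82 with giaddr 0.0.0.0, turn insertion off.
no ip dhcp snooping information option
!
! --- BPDU guard: err-disable any PortFast port that receives a BPDU ---
spanning-tree portfast bpduguard default
! Recover automatically once the offending cable is gone, no visit to the table needed
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Uplink towards the core and the real DHCP server: trusted, no edge protections
interface TenGigabitEthernet1/1/1
 description Uplink to core
 switchport mode trunk
 ip dhcp snooping trust
!
! Player ports: one device each
interface range GigabitEthernet1/0/1 - 48
 description Player port
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Port-security: 2 MACs. "restrict" drops frames from any extra MAC, keeps the
 ! first 2 forwarding, bumps the violation counter and raises a syslog/SNMP trap.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! Forget a MAC after 5 idle minutes so a player can swap devices
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 ! Untrusted is the default once snooping is on; cap DHCP packets from a client port
 ip dhcp snooping limit rate 15
```

Check the result with `show ip dhcp snooping` (trusted ports and rate limits), `show ip dhcp snooping binding` (the lease table), `show port-security interface GigabitEthernet1/0/1` (learned MACs and violation count) and `show interfaces status err-disabled` (ports BPDU guard has shut).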

More Tools and Techniques – (and the future for us!)

Here are other features that you should look into to protect your network.

  • Dynamic ARP Inspection – validates ARP replies on untrusted ports against the DHCP snooping binding table and drops the rest. Prevents ARP spoofing and the MITM attacks built on it.
  • Storm-Control – sets a threshold for allowed broadcast, multicast and unknown-unicast traffic on a port, and drops the excess or shuts the port down when the threshold is exceeded.
  • 802.1X – The holy grail of network security and NAC (Network Access Control). When enabled, every device must authenticate through the switch to a RADIUS server (PacketFence, FreeRADIUS, Microsoft NPS or any other flavor) before being granted access; until then the port passes only EAPOL frames. On success the RADIUS server can place the port in your internal VLAN; devices that fail or have no supplicant can be dropped into a guest or restricted VLAN instead. It was previously used for our event and it's something we are looking into bringing back.
  • Private VLAN – restricts traffic between ports inside the same VLAN using a secondary (isolated or community) VLAN: isolated ports can talk only to the promiscuous port (the uplink or gateway), never to each other.
  • IP Source Guard – binds a port to the IP (and optionally MAC) it obtained through DHCP, using the snooping binding table. A player cannot send traffic with another player's IP, or a static IP of his choosing, from his port.
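Most of this list builds on the DHCP snooping binding table and on per-port limits, so here is how the features are typically enabled on the player ports of the same Cisco IOS switch. This is an added example, not configuration from the original post: VLAN 100 and the interface names are assumed, the rate and storm thresholds are illustrative starting points, DHCP snooping on VLAN 100 and port-security on the player ports are assumed to be already configured, and 802.1X is left out because it needs a RADIUS/NAC server and is a topic on its own. `switchport protected` is used as the single-switch subset of private VLANs; full private VLANs need primary/secondary VLAN definitions and promiscuous ports and extend the isolation across switches.

```cisco
! Added example (not the post's configuration). VLAN 100 and interface names are
! assumed; thresholds are starting points. Needs DHCP snooping on VLAN 100 and
! port-security on the player ports.
!
! --- Dynamic ARP Inspection: ARP on untrusted ports must match a snooping binding ---
ip arp inspection vlan 100
! Also check the Ethernet source/destination MACs and IPs inside the ARP payload
ip arp inspection validate src-mac dst-mac ip
!
interface TenGigabitEthernet1/1/1
 description Uplink to core - trusted, ARP is not inspected here
 ip arp inspection trust
!
interface range GigabitEthernet1/0/1 - 48
 ! ARP above 15 pps from a client port is a scan or a spoof; the port goes err-disabled
 ip arp inspection limit rate 15
 ! IP Source Guard: drop IP packets whose source is not in this port's binding.
 ! "port-security" adds the MAC check on 3560/3750-class switches; the keyword
 ! for the MAC check differs by platform, plain "ip verify source" is IP only.
 ip verify source port-security
 ! Storm control: cap broadcast at 1% and multicast at 5% of line rate on the port.
 ! "trap" logs and keeps dropping the excess; "shutdown" would err-disable the port.
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action trap
 ! Protected port: no direct frames between player ports on this switch; traffic
 ! still reaches the uplink and the gateway. One-switch subset of a private VLAN.
 switchport protected
!
errdisable recovery cause arp-inspection
! Only relevant if "storm-control action shutdown" is chosen
errdisable recovery cause storm-control
```

Verify with `show ip arp inspection vlan 100` and `show ip arp inspection statistics` (dropped ARP counts), `show ip verify source` (the per-port IP/MAC filters derived from the binding table) and `show storm-control`.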

Cisco Etherchannel – LACP and PAGP