Cisco CCIE Security 350-701 Topic: L2-Security Basic
December 16, 2022

1. Switch Security – Overview

This section concentrates on Layer 2 security options: what types of threats you can expect in or from the LAN, and how to mitigate them using the security features of the switch. Compare that with where security is usually placed. Say you have a router that connects to a switch, then to a firewall, and then to the Internet. Most people expect threats from outside the network, and that is the reason there is a dedicated firewall device.

Alternatively, the router can be configured with some security features. However, LAN users, whether they are your employees connected to the LAN or guest users trying to reach the Internet, can just as easily introduce an attack into the LAN itself. These are not threats coming from outside; they are the typical internal threats, and that is what we focus on here. In general, no security is applied on the LAN because traffic coming from the LAN is trusted. But in today's networks you cannot trust even that traffic, because an attacker may be sitting inside your network, for example an employee running malicious software or code that can degrade the network's performance or compromise its security.

2. Disable Unused Ports

To begin, we'll go over some fundamental security features, starting with disabling unused ports. Say this is my switch; most switches have around 24 ports or more. Many of those ports are pre-cabled to wall outlets in different cabins, and at some stations there is no computer connected. One of my employees, or another user, could use those ports without my knowledge: he simply connects his computer to a port that is already wired and tries to join the network. If that port is assigned to a VLAN, the user gets an IP address and can then access the resources of that VLAN. So it is always recommended to identify which ports you are not using, confirm that nothing is connected to them, and keep them in the shutdown state.

3. Dynamic Trunking Protocol – DTP

DTP stands for Dynamic Trunking Protocol. It is an alternative way to configure the trunk links between switches. You're probably familiar with the basic concept of trunks: trunk links are the connections between switches that carry traffic for multiple VLANs. One method is to go to the individual port and configure "switchport mode trunk" on both sides, manually enabling the trunk port on both switches. The alternative is to let the two ports negotiate dynamically by exchanging DTP messages: if both sides negotiate and agree on trunking, the link automatically becomes a trunk. DTP is enabled by default on both sides.

We can verify that with "show dtp". As you'll see, DTP messages are sent every 30 seconds. So it is enabled by default, but it is generally recommended to disable it if you are not using DTP, because of some security vulnerabilities. Before we get to those vulnerabilities, we need to understand the modes in which DTP operates. One mode is to go to the interface and configure "switchport mode trunk", which means I am manually making this port a trunk port.

Even with manual trunking, DTP still runs on that link and still negotiates with the other side; if the other side speaks DTP, the trunk sometimes comes up automatically because of that negotiation. The next mode is access mode. Access mode means I'm manually saying this port is an access port; it will never become a trunk. We commonly use this for end devices, where we assign the port to a VLAN such as VLAN 10 with "switchport mode access" followed by "switchport access vlan 10". That means the port belongs to only one VLAN, either VLAN 1 or VLAN 10, and never becomes a trunk. So toward end devices DTP is generally disabled, and we can also disable DTP explicitly with the command "switchport nonegotiate"; this command disables DTP on that particular interface. Then there are the dynamic modes, desirable and auto. Auto is the default mode on the majority of switches.

On some switches, such as the 2950 and 3550, desirable is the default mode. Desirable will both send and reply to DTP messages, whereas auto will only reply to DTP messages and never initiate them. So if I use desirable on one side and desirable on the other as well, each side initiates and replies; both interfaces agree in the negotiation, the link is automatically configured as a trunk, and you don't need to enable it manually. There are other combinations. You can configure desirable on one side and auto on the other: desirable initiates, auto replies, and the link automatically becomes a trunk. Similarly, with trunk on one side and desirable on the other, DTP is still running on the trunk side (when you configure "switchport mode trunk", DTP keeps running until you disable it with "switchport nonegotiate"), desirable initiates and replies, so DTP messages are exchanged and the trunk forms. But with auto on both sides the negotiation will not work, because auto never initiates, so nothing is ever initiated.

And if there is no initiation, there is no reply either. But if you use trunk on one side and auto on the other, it still works. So depending on the modes configured on the two sides, the link between the switches may or may not automatically become a trunk. As a summary: access never becomes a trunk, and trunk always does. If both sides are trunk, it becomes a trunk. It still becomes a trunk if one side is trunk and the other is auto, and also if one side is trunk and the other is desirable. So for a successful trunk, either you configure both sides as trunk, or one of these mode combinations negotiates it: a trunk formed with DTP, or a trunk with nonegotiate. Trunk with nonegotiate forms the trunk because we are enabling it manually on both sides, so if you want to keep DTP out of the negotiation, use trunk with nonegotiate. To test DTP's behaviour, Cisco Packet Tracer can be used to connect some links; I'm connecting ports 21 and 22.

To verify the default state, I haven't done any configuration yet. "show interface trunk" doesn't show any trunking, because trunking is not enabled. "show interface f0/21 switchport" shows the modes: the administrative mode on this port is dynamic auto, which means, as I said, the default is auto on most switches. The other side is also auto: on switch 2, "show interface f0/20 switchport" shows dynamic auto as well, and the operational mode is down because I'm not connected on port 20; it has to be port 21. On port 21 you can see static access on both sides, with both sides auto. Auto here is operating as an access port, because if the negotiation is unsuccessful the port acts as an access port, and if it is successful the port becomes a trunk. In my case both are auto, so I can go to this port and change the mode to desirable while keeping auto on the other side. Let's go to switch 1, to the same interface, port 21.

I'll use "switchport mode". We can either set access manually, which means the port never becomes a trunk, or set trunk manually, which is the most common way of configuring trunking. We also have the "dynamic" option, where we specify "auto" or "desirable", with auto being the default. I'm going to change it to desirable. Once I do that, "show interface trunk" should show that trunking was negotiated and the trunk port appears. To verify, "show interface f0/21 switchport" shows this port is configured as dynamic desirable and is operating as a trunk because the negotiation was successful.
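The mode combinations just described, implemented as a small decision function. This is an added example and not code from the course; it models each side of the link as a "switchport mode" plus whether "switchport nonegotiate" is set, and the behaviour for a nonegotiate trunk facing a dynamic peer (the peer never hears DTP, so it stays access and no trunk forms) is the standard IOS behaviour rather than something the lecture walks through.

```python
"""Which DTP mode combinations bring up a trunk.

Each side of the link is (mode, nonegotiate): mode is one of 'access',
'trunk', 'desirable', 'auto' and nonegotiate is True when
'switchport nonegotiate' is configured, i.e. the port sends no DTP frames.
"""

STATIC = {"access", "trunk"}
DYNAMIC = {"desirable", "auto"}


def trunk_forms(local, remote):
    """Return True when the link comes up as a trunk on both ends.

    Rules, as in the lecture: access never trunks; trunk+trunk always
    trunks; a trunk side that still speaks DTP pulls a desirable or auto
    peer up; among dynamic modes only desirable initiates, so
    desirable+auto trunks while auto+auto does not.
    """
    for mode, nonegotiate in (local, remote):
        if mode not in STATIC | DYNAMIC:
            raise ValueError(f"unknown switchport mode {mode!r}")
        if nonegotiate and mode in DYNAMIC:
            # IOS only accepts 'switchport nonegotiate' on access/trunk ports.
            raise ValueError("nonegotiate requires mode access or trunk")

    (lmode, lnoneg), (rmode, rnoneg) = local, remote
    if "access" in (lmode, rmode):
        return False                  # static access never becomes a trunk
    if lmode == "trunk" and rmode == "trunk":
        return True                   # statically configured on both ends
    if lmode == "trunk":
        # Exactly one static trunk side: it must still send DTP frames for
        # the dynamic peer to switch over; with nonegotiate the peer stays access.
        return not lnoneg
    if rmode == "trunk":
        return not rnoneg
    # Both sides dynamic: somebody has to initiate, and only desirable does.
    return "desirable" in (lmode, rmode)


def negotiation_table():
    """Outcome for every mode pair without nonegotiate, keyed (local, remote)."""
    modes = ("access", "trunk", "desirable", "auto")
    return {(a, b): trunk_forms((a, False), (b, False))
            for a in modes for b in modes}


if __name__ == "__main__":
    for (a, b), outcome in negotiation_table().items():
        print(f"{a:>9} <-> {b:<9} : {'trunk' if outcome else 'no trunk'}")
```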

4. DTP Vulnerabilities – Mitigation

DTP is generally not preferred in production networks, even though it negotiates dynamically. Say this particular port is in the default mode, auto, and you don't configure trunk or access on it. The port connects to an end device, my PC, which does not speak DTP, so no trunk is negotiated and the port acts as an access port by default. But an attacker may initiate DTP messages using some software, or simply bring a switch, connect it to this port, and connect his host behind it, turning this link into a trunk: if DTP negotiates with the attacker's side configured as desirable and our side left at auto, the link becomes a trunk.

So this link may automatically become a trunk link. If the attacker's switch can then carry or send traffic for all VLANs, he can reach every VLAN and bypass VLAN separation entirely. That is the reason enabling DTP is not recommended. The best practice is to always configure the host-facing ports with "switchport mode access". You may remember that in most basic VLAN configurations we use "switchport mode access" and "switchport access vlan 10"; that means I am manually saying this port is an access port, so even if the device on the other side is a switch or tries to negotiate, the port will never become a trunk. Manually configured access is always recommended, which is why we call it the best practice.

5. VLAN Hopping Attacks – Mitigation

Next we'll look at a control plane policing (CoPP) configuration example. I'm going to use a simple task: match my control plane traffic and rate-limit it. The requirement is to implement control plane policing on this router. It connects on the 1.0 network, it is configured with EIGRP, and EIGRP should produce no more than 200 packets per second, let's say.

Before you implement control plane policing, you need to know the exact statistics of your network. If your network is stable, you collect statistics on what kind of traffic you receive and how many packets you actually receive on the control plane. If your network is growing, you also need to keep updating those statistics, because in the future you may be receiving 400 packets per second on the control plane from all your neighbours. I have just one neighbour here, but you may add a few new neighbours and receive more packets in the future. That is one of the real issues with this feature.

You need real-time statistics about your network, which requires some testing. If the network does not grow in terms of control plane requirements, that's fine; for growing networks you need to adjust these parameters. At this point I'm going to configure control plane policing so that EIGRP produces no more than 200 packets per second and all other traffic does not exceed 50 packets per second. The first thing is to create a class map; inside the class map we match the particular traffic. Before that, I'll quickly configure EIGRP just for testing: "router eigrp 100", then "no auto-summary", and then a network statement of 0.0.0.0 to advertise everything, which is not recommended in a production network, but here I just want EIGRP running on all interfaces. On router 2 as well, in configuration mode, I configure EIGRP.

So I should expect a neighbourship; "show ip eigrp neighbors" confirms it, and I'm expecting EIGRP traffic on the interface. First we create a class map, and in that class map I match my EIGRP traffic. In my case this router receives traffic from the 1.0 network. Maybe you want to match all of the 1.0 networks, or a specific source; then we write an ACL. This ACL says: if the traffic comes from this source to any destination, that is my router receiving EIGRP packets; or you can write it the other way around, from any source, if it arrives on the 1.0 network, which means on this interface. So I match EIGRP traffic from the selected source and use that ACL inside the class map with the "match access-group" command. Configuration-wise, you don't need to memorise these commands.

So the first step is to create the ACL: "ip access-list extended" with a name such as EIGRP-PACKETS, and then permit the EIGRP protocol from the specific source to any destination. Then the configuration continues with the class map: "class-map" followed by a name; I'll try to use the same names throughout, but you can use any name. Then I need a "match" statement. We could say "match protocol eigrp", or match any other protocol from the list, such as FTP or TFTP, but here I want to match the ACL, so I say "match access-group name" followed by the ACL name, EIGRP-PACKETS (since the ACL is named, I use the "name" keyword), then exit. Next we create a policy map, which tells what action to take.

In my scenario I reference this class map inside the policy map and then specify "police rate", because I want rate limiting. If instead you just want to drop the packets before they reach the CPU, for example Telnet traffic matched with another ACL, you can use the "drop" action instead of "police rate". In my case I say 200 packets per second. The conform action applies when packets are within the 200 pps limit I set; "transmit" means let the traffic through. The exceed action is what to do when the rate goes above 200 pps; I say "drop", so nothing faster than 200 pps is delivered. So we set conform-action transmit and exceed-action drop. Then for all other traffic hitting the control plane, I want a limit of 50 packets per second, so I apply rate limiting there as well. Inside the policy map, I first say "class" followed by the class map name.

And the name of the class map is the one created above. Then we have a lot of options here: priority, police and so on. Priority is generally used in quality of service, as are most of these options; we can do bandwidth reservations, but here I want policing. Policing is nothing but rate limiting. For the conform action I want to transmit, so I say transmit, and for the exceed action, just drop. Then I exit this class, and the next thing is to match class-default.

class-default matches all other traffic, just like "permit any" in an ACL: any traffic not otherwise defined falls into this category. Here also I apply a police rate, the only difference being the 50 packets per second limit for any other traffic. Finally we apply this to the control plane. This depends on the IOS version: in some IOS versions, I think, there is a "control-plane host" option; in my IOS version I can apply it directly under "control-plane". We don't apply it to a specific interface, because control plane policing applies to all interfaces in the inbound direction; it's always inbound, because we want to limit how many packets the control plane receives. Then we apply the control plane policy.

If I want to reuse the same name, I need to check which name I used, because if I type a different name it will not work. We can use "show run class-map" and "show run policy-map" to confirm the names before applying. Then we say "control-plane", then "service-policy input" with the policy map name, and I get an error message here. Again this depends on the IOS version: when I was configuring the policy map, it gave me a message that packets per second are not allowed on the control plane interface in this IOS version. So I changed the configuration a little, because I'm using a 15.x IOS version and the packets-per-second option is not allowed in some IOS versions. When I was documenting the workbook I was using IOS version 12.4, so you can try that.

I changed my policy map slightly: the same policing configuration, but this time using 8000, which is bits per second: how many bits per second to allow for EIGRP traffic, and the same for other traffic; I'm allowing 8000 bits per second for each. There are different measures we can police on, packets per second or bits per second, but again you need clear statistics of how many packets are actually arriving and matching that protocol. In this IOS version I cannot configure the control plane in packets per second. For verification we use "show policy-map control-plane"; I believe "control-plane" is the option that works in this IOS version. In the output I can see, for the class, how many packets and how many bytes are matching; the policing rate; how many packets conformed and were transmitted; how many exceeded and were dropped; and the same for any other traffic matching class-default.
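The policing semantics described in this section, simulated over constructed traffic. This is an added example and not the course's own code: packets are classified like the narrated ACL (EIGRP, IP protocol 88, from the 192.168.1.0/24 "one-dot" network) and policed by a token bucket at 200 pps, with everything else in class-default at 50 pps; the burst size (one second's worth of the rate), the ACL/class/policy names and the sample packets are all assumptions.

```python
"""Simulate 'police rate N pps conform-action transmit exceed-action drop'."""
import ipaddress

# The IOS configuration this section narrates, in the pps form. Names are
# assumed; on IOS versions that reject pps on the control plane the lecture
# falls back to a bps form such as 'police 8000 conform-action transmit ...'.
COPP_CONFIG = """\
ip access-list extended EIGRP-PACKETS
 permit eigrp 192.168.1.0 0.0.0.255 any
class-map match-all COPP-EIGRP
 match access-group name EIGRP-PACKETS
policy-map COPP
 class COPP-EIGRP
  police rate 200 pps conform-action transmit exceed-action drop
 class class-default
  police rate 50 pps conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
"""

EIGRP = 88                                            # IP protocol number
EIGRP_SOURCES = ipaddress.ip_network("192.168.1.0/24")  # the "one-dot" network


class PacketPolicer:
    """Single-rate token bucket counted in packets (assumed burst = 1 s of rate)."""

    def __init__(self, rate_pps, burst_pkts=None):
        self.rate = rate_pps
        self.burst = burst_pkts if burst_pkts is not None else rate_pps
        self.tokens = float(self.burst)
        self.last = 0.0
        self.conformed = 0
        self.exceeded = 0

    def offer(self, t):
        """Offer one packet arriving at time t (seconds, non-decreasing)."""
        if t < self.last:
            raise ValueError("packets must be offered in time order")
        # Refill tokens for the elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.conformed += 1
            return "transmit"             # conform-action
        self.exceeded += 1
        return "drop"                     # exceed-action


def classify(src, proto):
    """Map a packet to the policy-map class it hits (ACL match, else class-default)."""
    if proto == EIGRP and ipaddress.ip_address(src) in EIGRP_SOURCES:
        return "COPP-EIGRP"
    return "class-default"


def run_copp(packets):
    """packets: iterable of (time, src_ip, ip_proto).

    Returns {class: (conformed, exceeded)}, the counters you would read from
    'show policy-map control-plane'."""
    policers = {"COPP-EIGRP": PacketPolicer(200), "class-default": PacketPolicer(50)}
    for t, src, proto in sorted(packets, key=lambda p: p[0]):
        policers[classify(src, proto)].offer(t)
    return {name: (p.conformed, p.exceeded) for name, p in policers.items()}


def sample_burst():
    """Constructed traffic: a 300-packet EIGRP burst at t=0, 80 Telnet SYNs
    (TCP, proto 6) at t=0, then 150 more EIGRP packets half a second later."""
    pkts = [(0.0, "192.168.1.2", EIGRP)] * 300
    pkts += [(0.0, "10.0.0.9", 6)] * 80
    pkts += [(0.5, "192.168.1.2", EIGRP)] * 150
    return pkts


if __name__ == "__main__":
    for cls, (ok, dropped) in run_copp(sample_burst()).items():
        print(f"{cls:14} conformed={ok:4d} exceeded={dropped:4d}")
```

With the sample burst the EIGRP class transmits 200 of the first 300 packets, then only the 100 tokens refilled during the half-second pause, while class-default lets 50 of the 80 Telnet packets through.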

6. Cisco Discovery Protocol – CDP

In this video we discuss some troubleshooting concepts, and one of the major tools we use for troubleshooting is CDP, the Cisco Discovery Protocol. As the name implies, it is a Cisco protocol, which means it only works with Cisco devices; it is Cisco proprietary. Using CDP we can gather hardware and protocol information about neighbouring devices. It is very useful when troubleshooting your network, because it provides information about the topology and how the nodes are connected, and it helps in documenting the network. Suppose you have doubts about your documentation: you are troubleshooting, you have the documentation diagrams, and you just want to confirm that this device really is connected to those other devices. That is what CDP is for. In short, we'll be looking at the CDP commands here.

So CDP is the Cisco Discovery Protocol, a proprietary protocol designed by Cisco to help administrators collect information about directly connected devices. With CDP you can gather hardware information, which is very useful for troubleshooting in particular. Let's see how it is used and which commands we'll use, with an example. This is your production network, and you have a user.

There is a router called Router 1, which connects to the Internet. Then there is a user in my LAN, with an IP address on the 192.168.1 network, who is unable to access the network, maybe the Internet or some server over there. One of the basic steps of troubleshooting is to ensure that connectivity is intact, and the major part of that is understanding how the devices are connected. To understand the connectivity, you need a proper documentation diagram showing how the devices are connected, their names, IP addresses and so on. So, from your router, you might want to find out how the devices are connected: I have a user here who is supposed to reach a specific server, possibly on the Internet.

The main task is to ensure that proper connectivity exists between your source and destination, and for that you need some basic information about how the devices are connected. You can use your documentation or diagrams, but even with proper documentation you still want to confirm that the devices are connected the way the file says: which port they are connected to, what the remote device is and how it is connected. You can get that information with CDP. By default, CDP runs on all interfaces. So I can go to any one of the devices and issue "show cdp neighbors", which provides information about my neighbouring devices.

There is a device called Switch 1, or whatever hostname you configured. If that switch has an IP address, CDP gives you Layer 1, Layer 2 and Layer 3 information: Layer 1 means which local port you are connected on and which remote port is connected on that device; the IP address, if there is one; and also the MAC address. It also provides hardware information, such as the platform: a 2960-series switch or a 3560 switch, the exact model, and the IOS version. You can get all of this simply by sitting at your desk, and that is the good thing about CDP. But it only works when Cisco devices discover other Cisco devices; it works only with Cisco, which is one of its major drawbacks. The second thing is that it only provides information about directly connected devices. Suppose there is a router here; if I go to the switch and issue "show cdp neighbors" or any of the "show cdp" commands, the output only covers neighbouring, meaning directly connected, devices. So it provides information about all three routers, because they are directly connected.

It will also show Switch 1 and Switch 3, but it will not show a device that is not directly connected. Still, it is very useful, especially for troubleshooting connectivity. Suppose Router 1 is unable to communicate with Router 2: the two cannot ping each other over the interfaces that connect them. Now you must determine exactly what happened; this is a simple scenario I frequently use in my troubleshooting labs. Whenever I troubleshoot, the first thing I do is go to the router. Say Router 1 connects to Switch 2, which in turn connects to Router 2, and from Router 1 I cannot ping Router 2. The first thing to figure out is which interface is connected to which port. You could trace the cabling, but that is a very lengthy procedure, or you could follow whatever documentation you have.

But the documentation may not be accurate, because we keep changing things. Instead, we can go to the switch and issue a single command, "show cdp neighbors", which displays all the neighbour information: the information about Router 1, the port I'm using here, the port used on the router side (f0/0), and likewise for the other connections; you can also easily find the IP address. So you can troubleshoot the situation easily; CDP is a very useful tool. Now I'll jump to the lab. In this lab I'm using the same scenario as before, but this time I'm on this switch, and I also have some switches directly connected. I used different platforms; I'm not sure which platform each device uses, but I'll verify and find out. I already have some preconfigured IP addresses on these routers.

The IP addresses are already preconfigured. I just want to confirm that I can see the IP address information, as we discussed, and also the platform of each router and the port it is connected to. Everything is clearly described in my diagram, but I still want to find this information, and we'll do it with a basic CDP lab. I have the same topology in Packet Tracer as in the diagram I showed. I'm in the console of this particular device and I want to verify the neighbour information. This is the central switch, connecting to three routers and then to two other switches, and I'm using different models of switches. I'm already in the console of Switch 2, which has a connection on this side and another connection here.

These are all the devices I'm connecting to. The first command is "show cdp", just to see that, by default, CDP runs on every interface, sends CDP messages every 60 seconds, and uses a hold time of 180 seconds. Next, since the IP addresses are preconfigured, I'm using the 192.168.1.0, 192.168.2.0 and 192.168.3.0 networks here, which means I've already done the IP addressing on my routers; you can see it written in the lab. This is the default addressing scheme I preconfigured. Let me go to the router consoles to verify. On the router, "show ip interface brief" shows the preconfigured address. Similarly on Routers 2 and 3 I expect the preconfigured addresses. So I've already verified that part; you can go and check it yourself.

I also connected Switch 2 and Switch 3 on ports 20 and 21; per my diagram they are on ports 20, 21 and 22, and I want to gather information about those ports. Let's start the lab. The first command is "show cdp neighbors", which shows some useful information. As per my diagram, Switch 2 connects to four devices: Router 1, Router 2 and Router 3, which I already configured, on ports 1, 2 and 3. From this I can figure out the exact ports they use and confirm the diagram. In the output, Switch 2's f0/1 connects to Router 1's f0/0, as I said earlier: f0/1 goes to Router 1, f0/2 to Router 2 and f0/3 to Router 3. The output shows the local interface (the router's or switch's own port) and the remote port on the specific device.

After that, I have one more switch connected on port 20, a device called Switch 1, and similarly another device connected on port 22. From this output I get the basic information; I can even see the capabilities of the device, whether it is a router or a switch: S represents a switch, while R represents a router. Switch 1 is actually a multilayer switch, a 3560-series switch that does routing and switching, so it shows as switch-capable, and you can see the platform. Router 2 is an 1841-series router, Router 1 a 2600-series router and Router 3 a 2800-series router; I connected three different router platforms just for variation, and similarly a 2950 switch and a 3560 switch. For more detailed information, use "show cdp neighbors detail", which gives a lot of information.

Looking at the detailed output, for switch 3 I can see the device capability (switch), the platform, the port it is connected to on my side, the IOS version it is running and the duplex setting we are using between the two devices. The next entry is router 2, and because router 2 has an IP address configured, the entry also shows that IP address, along with the platform, our local port and the remote port. As before, our port is f0/2 and it connects to router 2’s f0/0. So “show cdp neighbors detail” gives you this level of information for every directly connected neighbour.

This is very useful, especially when you are troubleshooting. You can also use the “show cdp interface” command to see which interfaces are running CDP. By default, every interface of the switch or router runs CDP, but you can disable it on specific interfaces if you want to. We need to disable CDP on interfaces that connect to remote networks, to an ISP, to other branch offices, or to any other network that is not trusted, because anyone sitting on the other side of such a link can use CDP to gather information about my devices. So, as a security precaution, disable CDP on those interfaces to reduce the information available to an attacker. From a security point of view the recommendation is to disable CDP on all outward-facing interfaces and to leave it enabled only on the specific interfaces inside the LAN where you need it. This selective approach is sometimes called “trimming” CDP, and it is what is recommended for production networks: minimise CDP use, enable it wherever you actually need it, and simply turn it off everywhere else.

To disable it, you can either use the global command “no cdp run”, which disables CDP on every interface, or disable CDP on one specific interface by going into that interface and entering “no cdp enable”. You can verify the result as well: after disabling CDP on f0/20, “show cdp neighbors” no longer shows an entry for that port, even though switch 1 is still connected to it, because CDP is disabled on the f0/20 interface. That is all about CDP; let us quickly summarise. CDP is a Cisco proprietary protocol that provides information about your directly connected devices, which makes it a very useful troubleshooting and topology-analysis tool, especially when you need to understand how the connections are formed. To verify the global CDP status and timers you can use the “show cdp” command.

Apart from that, the main command is “show cdp neighbors”, which shows the device ID (the neighbour’s host name), the local interface, the hold time, the capability, the platform and the port ID (the remote interface). For more detailed information such as IP addressing, use “show cdp neighbors detail”, and use “show cdp interface” to find out which interfaces are running CDP and which are not. To disable CDP on a specific interface, use “no cdp enable” on that interface; “no cdp run” is a global command that disables CDP on every interface. From a troubleshooting point of view, CDP can be used to confirm or fix your documentation: it reveals the devices and interfaces actually used in the network and gives a real picture of the exact ports connected to each device. The major limitation of CDP is that it only provides information about directly connected devices, and only when those devices are Cisco devices, because it is the Cisco Discovery Protocol.
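As an added example that is not part of the original course material, the following Python script turns “show cdp neighbors” output into the cabling table the text says CDP lets you confirm or fix: local port, neighbour and remote port, plus decoded capabilities. The sample output is constructed to match the lab topology described above (R1 to R3 on Fa0/1 to Fa0/3, switch 1 on Fa0/20, switch 3 on Fa0/22) and is not a real capture; the long host name on Fa0/20 is there to exercise the case where IOS wraps a Device ID onto its own line.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `show cdp neighbors` on SW2 (not a real capture).
# The wrapped Device ID on Fa0/20 mimics IOS behaviour for long host names.
SAMPLE_CDP = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R1               Fas 0/1           152             R S I  2600      Fas 0/0
R2               Fas 0/2           141             R S I  1841      Fas 0/0
R3               Fas 0/3           163             R S I  2800      Fas 0/0
SW1-core-floor3.example.com
                 Fas 0/20          177              S I   WS-C3560  Fas 0/1
SW3              Fas 0/22          135              S I   WS-C2950  Fas 0/1

Total cdp entries displayed : 5
"""

CAPABILITY_CODES = {
    "R": "Router", "T": "Trans Bridge", "B": "Source Route Bridge",
    "S": "Switch", "H": "Host", "I": "IGMP", "r": "Repeater",
    "P": "Phone", "D": "Remote", "C": "CVTA", "M": "Two-port Mac Relay",
}

# One table row: device, local interface ("Fas 0/1"), holdtime, capability
# letters, platform, remote port. Assumes single-token platform names.
ROW_RE = re.compile(
    r"^(?P<device>\S+)\s+"
    r"(?P<local>[A-Za-z]+ ?\S+)\s+"
    r"(?P<hold>\d+)\s+"
    r"(?P<caps>[A-Za-z](?: [A-Za-z])*)\s+"
    r"(?P<platform>\S+)\s+"
    r"(?P<port>[A-Za-z]+ ?\S+)\s*$"
)


@dataclass(frozen=True)
class Neighbor:
    device: str
    local_if: str
    remote_if: str
    platform: str
    capabilities: frozenset
    holdtime: int


def parse_cdp_neighbors(text: str) -> list[Neighbor]:
    """Parse `show cdp neighbors` output into Neighbor records."""
    neighbors: list[Neighbor] = []
    in_table = False
    pending_device = None  # Device ID that IOS wrapped onto its own line
    for raw in text.splitlines():
        if raw.startswith("Device ID"):
            in_table = True          # everything before this is the legend
            continue
        if not in_table or not raw.strip() or raw.startswith("Total "):
            continue
        line = raw.strip()
        if pending_device is not None:
            line = f"{pending_device} {line}"
            pending_device = None
        if " " not in line:          # bare Device ID: the row continues below
            pending_device = line
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed CDP row: {raw!r}")
        caps = frozenset(CAPABILITY_CODES.get(c, c) for c in m["caps"].split())
        neighbors.append(Neighbor(
            device=m["device"], local_if=m["local"], remote_if=m["port"],
            platform=m["platform"], capabilities=caps, holdtime=int(m["hold"]),
        ))
    return neighbors


def link_table(neighbors: list[Neighbor]) -> dict[str, tuple[str, str]]:
    """Local interface -> (neighbour device, neighbour port): the cabling
    documentation CDP lets you confirm or correct."""
    return {n.local_if: (n.device, n.remote_if) for n in neighbors}


def router_capable(neighbors: list[Neighbor]) -> list[str]:
    """Local ports whose neighbour advertises the Router capability; worth
    comparing against ports documented as plain host or switch links."""
    return sorted(n.local_if for n in neighbors if "Router" in n.capabilities)


if __name__ == "__main__":
    found = parse_cdp_neighbors(SAMPLE_CDP)
    for local, (device, port) in link_table(found).items():
        print(f"{local:9} -> {device} {port}")
    print("router-capable neighbours on:", router_capable(found))
```

The parser intentionally raises on a row it cannot interpret rather than skipping it, so a format it does not understand (for example a platform name containing a space) is noticed instead of silently dropping a neighbour from the table.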

7. Link Layer Discovery Protocol – LLDP

In this video, we will talk about a protocol called LLDP, the Link Layer Discovery Protocol, which is very similar to CDP. In the previous videos we looked at CDP, the Cisco Discovery Protocol, which provides information about neighbouring devices and is a Cisco proprietary protocol. On switch 2 we could see the information for switch 1 and routers 1, 2 and 3 because they are directly connected to its interfaces. CDP is mostly used for troubleshooting, since it shows the device ID, the local interface, the hold time, the capability, the platform and the remote port.

All of that information can be verified with the CDP show commands, and the same thing can be done with LLDP. The one difference between the two is that CDP is Cisco proprietary, which means all the neighbouring devices have to be Cisco devices running CDP. What if your production network contains non-Cisco devices? In those scenarios you can use LLDP, a vendor-neutral standard (IEEE 802.1AB), which does the same job as CDP: network devices advertise their information to their directly connected neighbours. LLDP can advertise details such as the system name and description, device capabilities, port IDs and port descriptions, and the management IP address, whatever is configured on the device.

Now let us see the configuration. To enable LLDP, go to global configuration mode and enter the command “lldp run”, just as “cdp run” enables CDP. If you want to control LLDP on a specific interface, there are two interface commands: “lldp transmit”, which sends this device’s information to the neighbour, and “lldp receive”, which accepts the information the neighbour sends. Just as we have “show cdp neighbors”, there is a “show lldp neighbors” command, which shows the device ID, the local interface, the hold time, the capability and the remote port ID of each neighbour.

8. CDP- LLDP Vulnerabilities – Mitigation

CDP and LLDP are very useful for learning about neighbouring devices, but for the same reason they have a security weakness: they hand that information to whoever is listening. An attacker who sees CDP frames learns the native VLAN, the VTP domain, the management IP address of the router or switch, the platform and the exact IOS version. Knowing the IOS version, the attacker can look up published vulnerabilities for that release and use them in a later attack.

While a system administrator uses CDP to obtain neighbour information from the CLI, an attacker can simply run a packet-capturing tool on the network and collect the CDP traffic, which carries the same device information, since CDP and LLDP frames are sent unauthenticated to a multicast address and are visible to any host on the segment. So CDP is good for the network administrators, but if an attacker learns the network addresses, platforms and IOS versions from it, that information helps him plan an attack. It is therefore recommended to disable CDP on untrusted interfaces: provider-facing links, Internet-facing interfaces and the access ports that users plug into. You can do this globally with “no cdp run” or per interface with “no cdp enable”. The same applies to LLDP: disable it globally with “no lldp run”, or on an untrusted interface with “no lldp transmit” and “no lldp receive”, so the interface neither advertises the device’s information nor accepts the neighbour’s.
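The following Python script is an added example (it is not part of the original course material) that audits a running-config for exactly the gap just described: interfaces you have classified as untrusted on which CDP or LLDP is still effectively enabled. The config excerpt is constructed for illustration, and the interface names, descriptions and untrusted list are assumptions. The script models the IOS defaults as assumptions too: CDP is on globally and on every interface unless “no cdp run” or “no cdp enable” appears, while LLDP is off globally until “lldp run” appears, after which every interface transmits and receives unless “no lldp transmit” or “no lldp receive” is configured.

```python
from __future__ import annotations

# Constructed running-config excerpt for the access switch in the text
# (not from the original page). Fa0/23 is the common mistake: LLDP
# transmit was turned off but CDP and LLDP receive were left alone.
SAMPLE_CONFIG = """\
!
hostname SW2
!
lldp run
!
interface FastEthernet0/1
 description to R1 (internal)
!
interface FastEthernet0/20
 description to SW1 (internal)
 no cdp enable
!
interface FastEthernet0/23
 description ISP uplink (untrusted)
 no lldp transmit
!
interface FastEthernet0/24
 description guest access (untrusted)
 no cdp enable
 no lldp transmit
 no lldp receive
!
end
"""

# Assumed IOS defaults: CDP enabled everywhere, LLDP disabled until `lldp run`.
DEFAULT_GLOBALS = {"cdp run": True, "lldp run": False}
DEFAULT_IFACE = {"cdp": True, "lldp transmit": True, "lldp receive": True}
PROTOCOLS = ("cdp", "lldp transmit", "lldp receive")


def parse_config(text: str) -> tuple[dict[str, bool], dict[str, dict[str, bool]]]:
    """Return (global switches, per-interface switches) from an IOS config."""
    globals_ = dict(DEFAULT_GLOBALS)
    interfaces: dict[str, dict[str, bool]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = dict(DEFAULT_IFACE)
        elif line.startswith(" ") and current is not None:
            cmd = line.strip()              # interface sub-command
            negate = cmd.startswith("no ")
            key = cmd[3:] if negate else cmd
            if key == "cdp enable":
                interfaces[current]["cdp"] = not negate
            elif key in ("lldp transmit", "lldp receive"):
                interfaces[current][key] = not negate
        else:
            current = None                  # back at global level
            negate = line.startswith("no ")
            key = line[3:] if negate else line
            if key in globals_:
                globals_[key] = not negate
    return globals_, interfaces


def effective(globals_: dict[str, bool], iface: dict[str, bool]) -> dict[str, bool]:
    """Per-interface state after applying the global enable/disable."""
    return {
        "cdp": globals_["cdp run"] and iface["cdp"],
        "lldp transmit": globals_["lldp run"] and iface["lldp transmit"],
        "lldp receive": globals_["lldp run"] and iface["lldp receive"],
    }


def audit(text: str, untrusted: list[str]) -> dict[str, list[str]]:
    """Untrusted interface -> protocols/directions still effectively on."""
    globals_, interfaces = parse_config(text)
    findings: dict[str, list[str]] = {}
    for name in untrusted:
        # An interface with no stanza in the config is at its defaults.
        state = effective(globals_, interfaces.get(name, DEFAULT_IFACE))
        leaks = [p for p in PROTOCOLS if state[p]]
        if leaks:
            findings[name] = leaks
    return findings


def remediation(findings: dict[str, list[str]]) -> list[str]:
    """IOS interface commands that close each finding."""
    fix = {"cdp": " no cdp enable", "lldp transmit": " no lldp transmit",
           "lldp receive": " no lldp receive"}
    lines: list[str] = []
    for name, leaks in findings.items():
        lines.append(f"interface {name}")
        lines.extend(fix[p] for p in leaks)
    return lines


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, ["FastEthernet0/23", "FastEthernet0/24"])
    for name, leaks in result.items():
        print(f"{name}: still enabled -> {', '.join(leaks)}")
    print("\n".join(remediation(result)))
```

Because the audit reasons about the effective state rather than grepping for “no cdp enable”, a config with “no cdp run” at the top passes on every interface even though no interface stanza mentions CDP, and a config that never enables LLDP does not produce spurious LLDP findings.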
