Tuesday, December 11, 2012

Cisco CCNP tutorial: Link aggregation/bundling and failover

The last article was about layer 3 switches and how they can be useful in your network. Today I introduce another technology which is introduced in CCNA. Suppose I have  a switch connected to a server by a 1 gbps link. Now suppose two servers want to exchange data at very high speed but are not able to because of the limit on the carrier capacity. What if I could tell the switch to make (atleast) two links connected to it to behave as one? The inter-server communication can be done at 2 gbps now, utilizing both the links. Or suppose we have a switch which connects to an upstream switch. To provide redundancy we require that two links be connected to it so if one link fails the switch is automatically able to failover to the other link. If you try to simple connect two wires to a switch, one of them will get blocked because of STP and will not be utilized (a loop is being formed).To try and solve this problem a technology called Link aggregation/bundling/bonding was invented. Earlier each major vendor had its own proprietary protocol, but now that has changed. IEEE has come up with a standard known as IEEE 802.1ax LACP (Link aggregation control protocol) for Ethernet network. Please note that this technology can be used ONLY for ethernet networks. Since it is an open source protocol it can be used on a variety of devices from different vendors including HP,Juniper and  of course Cisco. Even today's servers can be configured to run LACP ( a thorough treatment of how to run LACP on servers in a future article). Refer to the below diagram which we strive to implement within a few more articles.

Topology having aggregate links, multilayer switches and gre tunneling

As you can clearly see the two links between Switch 0 and multilayer switch 2 are both active, indicated by the green light. This is because they are acting as an aggregate of a single link. STP and infact all the devices see this as one interface known as port-channel interface. To ensure a smooth formation of aggregate link a few steps are recommended.

  • Both the ports on the switch should be of the same type.
  • Similarly, one port of a switch should be connected to a similar port on the other switch. This means that their hardware properties, link speed, duplex mode, IOS version etc must be the same.
  • Any configuration after link aggregation should be done on the newly formed aggregate itnerface.
These steps should ensure that you have a robust aggregate pipe of multiple links. The number of links that can be aggregated depends on the switch being used.

Implementation of aggregate link

On switch 0:

enable  //we will define port channel bundle with id 1
conf t
interface range fa0/1-2 //change the itnerface number according to your needs
channel-group 1 mode active  //define a bundle of two links with LACP set 
channel-protocol lacp //ensure LACP is working
interface port-channel 1 //the logical aggregate interface

switchport trunk encapsulation dot1q //required
switchport mode trunk

On switch 1:

enable //we will define port channel bundle with id 2
conf t
interface range fa0/23-24
channel-group 2 mode active
channel-protocol lacp
interface port-channel 2
switchport mode trunk
switchport trunk encapsulation dot1q //required

On multilayer switch:

conf t
interface port-channel 1
switchport trunk encapsulation dot1q //required
switchport mode trunk
conf t
interface port-channel 2
switchport trunk encapsulation dot1q  //required
switchport mode trunk

Spanning Tree shows no port is blocked even though two ports are connected to the same switch
The above diagram clearly exhibits that none of the ports were blocked even though in a normal configuration they would have.

Who would have thought that it was so easy to make multiple ports on your switch to behave as one giving far superior throughput and  network redundancy at the same time! Note that a device can have upto 16 ports bundled together. So if all the ports have a capacity of 1gbps, that is 16gbps of pipe in your network!

This was a quick rundown of what Ethernet bonding/aggregation is . In the next article in this series gre tunneling will be introduced which is also another interesting topic in CCNP curriculum.

Important Links:

1. Wiki on Ethernet Aggregation
2. Cisco page on LACP(802.3ad)
3. Part 1: Inter Vlan routing using layer 3 switch in Cisco

Sunday, December 9, 2012

CCNP tutorial: layer 3 switch & inter-vlan routing Part 1

This is an introductory article to talk about some of the fundamental technologies which will be useful for students of CCNA and CCNP certification exam. Please note that this is not the most comprehensive guide but i hope it will immensely help not only the CCNA/CCNP candidates but network administrators, architects as well. Through this series I will cover interesting topics such as:

1. What is a Layer 3 switch? Why and how can it be useful?
2. Implementing inter-Vlan routing by using an l3-switch.
3. What is an aggregate link? Implementation of an aggregate link.
4. Introduction to GRE tunnel and how it can be implemented on a Cisco router.

At the end you will be able to configure such a topology:

Network topology having layer 3 switches and link aggregation
Network topology

Before I write about inter vlan routing using a multilayer switch I would recommend you understand how it can be achieved using a router. Link to the webpage describing router on stick. If you a total newbie to VLANs, I highly suggest that you go through these blog posts:

Layer 3 aka l3 switch

If you look at the classic network device paradigm you will find a neat separation between "layers of OSI model". Each layer talks to the upper/lower layer by a protocol and they do not interfere with each other. Similarly each networking device had a specific purpose at a particular OSI model layer. A switch was called a Layer 2 device because it could only understand the Data link layer ie MAC addresses in TCP/IP. It  was not designed to read or process anything above layer 2. It did not know which IP address it was sending the packet to. Router on the other hand was a Layer 3 device. It could read and understand the IP address and make modifications to it. So if a network administrator of a relatively large network (having different Vlans and multiple switches) had to design a network topology it used to be pretty simple. Connect all the end devices to the switch (hub has been deprecated). Create a trunk link connecting to the 'upstream' device which used to be a router. The router would be configured to do an inter-Vlan routing. This would be the most simple topology that I can think of. Ofcourse it has many flaws, for example it does not have any redundancy or failover capabilties. Moreover there are chances that some links would get saturated. All about this in some future post! The main problem faced is that all the inter-Vlan routing is done by the router. Now a router was not built and optimized to do Layer 2 lookups and handle Vlans.

In comes a layer 3 switch. It not only has the ASICS to do hardware switching but also do routing lookups (for more details follow the link given below). This gives very fast inter vlan switching because the traffic know longer goes through the relatively slow physical connections. By doing so, a layer 3 switch effectively eliminates the need for a router for vlan switching and makes the connections much much faster.

Understanding inter-vlan routing using layer 3 switch

Consider the following network topology.
NOTE: I have used 2 2960 layer 2 switches and one 3560-24PS layer 3 switch which is available in packet tracer.

inter vlan routing
Layer 3 switch doing inter-vlan routing

Note that by default a layer 3 switch DOES NOT do routing by default. You will have to configure it by running a simple command to make it populate routing table and entries. In practice you need to create either a SVI or a routed interface. An SVI (switched Virtual interface) is a virtual interface which belongs to a particular VLAN and can also have an IP address. A routed interface on the other hand is a physical interface to which an IP address is assigned. Do you notice the difference? An SVI interface has an Ip address but no physical interface attached to it. Creating a routed interface is just like making a switch behaving as a router. The switch will lose any information about vlans will not pass any Layer 2  traffic.

Configure an SVI for all the Vlans between which you want to do inter-Vlan routing. Now these ip addresses will actually act as gateway for the host devices. Let us dig deeper as to how this will work. There are two possible scenarios- when a device wants to talk to another device within the same vlan or when it has to talk to another device in some different vlan.

Intra-Vlan communication will work exactly the way it works in a layer 2 device. Now refer to the diagram. When intra-Vlan communication has to be done, eg PC 0 wants to talk to PC 4, it will realise that PC 4 does not belong to its subnet and therefore it will send a broadcast asking for the MAC address of its gateway which happens to be the switch. As soon as it receives the request, the switch will reply with MAC of the SVI. How the MAC is assigned to an SVI is out of scope of this article but you can read it here. PC 0 will then send the packet with MAC address of the SVI.

When the switch will receive the packet it will realise that the packet was meant for an SVI. It will then consult the routing table and realise that the ip address of the SVI belongs to a network which is in some VLAN. The following illustration should clear the concept.

The switch now knows that the packet is meant for a device in vlan 2. It will flood to all the ports of that vlan  an arp request for the destination IP address (remember the destination IP address does not change throughout the packet forwarding, only the mac address does at each hop). The rest is pretty straightforward. Now let us quickly fast move to implementation of these concepts.

Implementation of Layer 3 switch

NOTE: I will be using the above topology for configuration.

On Layer 2 switch, Switch 0

conf t
int fa0/1
port mode access
port access vlan 2 //configure the port to be part of vlan id 2
int fa0/3
port mode access
port access vlan 3
int fa0/4
port mode trunk //pass all traffic through this link
On switch 1
conf t
int fa0/1
switchport mode access
switchport access vlan 2
int fa0/3
switchport mode access
switchport access vlan 3
int fa0/4
switchport mode trunk

On Multilayer Switch (layer 3 switch) 

conf t
int fa0/1
switchport trunk encapsulation dot1Q #use 802.1Q protocol
switchport mode trunk 
int fa0/2
switchport trunk encapsulation dot1Q
switchport mode trunk
vlan 2 //create a vlan of id 2
vlan 3 
interface vlan 2 //create an SVI belonging to vlan-id 2
ip address //assign the SVI an ip address
interface vlan 3 
ip address
ip routing //very important command. Enables routing and tells switch to populate routing entries


  1. First try to ping the local gateway. If you are able to ping then move to step 2, otherwise check whether correct vlans are being passed to the multilayer switch. Check vlans by running
     show vlans 

    Also check whether the host has been assigned an IP and it is connected to an access port.
  2. Try to ping the other Vlans subnet. If you are not able to, it means the IP has not been assigned on the switch. First define a vlan by executing
    vlans &ltvlan-id&gt
    interface vlan &ltvlan id&gt
    ip address &ltip-address&gt
  3. If you are not able to ping the foreign machine, check the routing table by executing the show route command.
  4. Always remember to run the command "ip routing" to ensure that the switch starts behaving as a router and populates the routing table
You should be able to ping from now. We have successfully achieved inter-vlan routing using a layer 3 switch. In the next article of this series we will understand what an aggregate link is and how to configure it. Finally we will understand what is a GRE tunnel.

Next part of this series: Cisco CCNP Link aggregation or link bundling

Important Links:

Friday, November 23, 2012

Actively sniffing and spoofing using Cain and Abel

In Part 1 (link) active sniffing and performing a man-in-the-middle attack were introduced. It allows you to intercept between the communication of two clients and thus able to read all their conversation. In this part tools will be demonstrated with which such an attack can be performed.

We will begin with one of the most easy to use and robust tools called Cain and Abel. It is composed of two components, first being Cain which is can perform a host of features such as:

a) Sniffing
b) Man-in-the-middle attack
c) Bruteforce and dictionary based hash cracking
d)Windows logon password cracking

The lesser known component, Abel can be also be pretty useful. The two utilities compliment each other in the sense that Cain is used to remotely execute attacks whereas Abel has to be installed on the victim machine as a service after which Cain's frontend can be used to remotely control the machine.

Brief Overview:

This post will cover the first two aspects of Cain only. Please note that this tool is available for Windows only. It uses the Winpcap (a port of libpcap) library to inject and monitor packets at link layer.

1. Install Cain (link)and run a quick Arp scan to find out all the local machines within your network.

2. Now start a man in the middle attack between two victim nodes. Obviously the best strategy is to attack a victim PC and your gateway router. This will allow you to read or sniff all the data between your victim PC and the outside world which is the requirement in most of the cases.

Options and Basic Configuration:

To configure which protocols/ports to sniff and route through your machine, go to configure->filter and ports and then tick all the protocols. Nowadays modern browser display a warning when the connection is under MitM. I would suggest that you uncheck port 443 which denotes ssl/https traffic. There are other interesting ways to decipher ssl traffic.

The other important tab to go is the HTTP Fields tab. It defines which keywords to grab and display the corresponding values. So if you are not able to capture username and/or password of a particular webpage, chances are that they use different value and name pair variables.

Finally the option which makes Cain and Abel worth using is the "Spoofed ip and mac option". It basically allows you to do all the above using some other IP from your subnet. So even if there is a MitM or sniffing detector, it will catch that imaginary IP that you have chosen. Simply go to ARP tab and choose a spoofed IP and MAC address. Make sure it is not in use by any other machine in your subnet.

Initiating the Attack:

Now that we are all set, click on the sniffer button as illustrated below. Click on the + button to ennumerate all the devices. Click on the button next to it and you will start poisoning the victims ARP table and thus perform the MitM attack. Once the whole process has started, the tabs at the bottom come in handy. According to me, the most important ones to look at is the APR tab and Passwords tab. They will in all likelihood contain all the details that you wanted to know, for which you started this whole process! Passwords found in all the major protocols- HTTP,HTTPS, FTP,RADIUS,SMB,SSH-1,Telnet to name a few!

Cain can process protocol specific traffic

Cain And Abel is one of the best sniffing tools around for several years now. It is easy to configure and quite stable. The only drawback is that it is Windows based tool.

Here is a short video exhibiting how powerful yet easy this tool is to use.


In the next part of this tutorial I will be describing how we can use open source tools to achieve the same. I will also explain how we can thwart such techniques. Till then, happy packet sniffing!

Important Links:

1.Cain and Abel homepage
2. Uses of Abel
3. Promiscuous mode

Wednesday, July 4, 2012

Sniffing & man-in-the-middle/mitm using network sniffers

A long time ago I had written an article (http://anadisays.blogspot.in/2010/06/wireshark-as-sniffer.html) on network sniffers, primarily wireshark, which described what sniffing is and how one can passively sniff other users' data by setting Wireshark in promiscuous mode. Such a technique is known as passive sniffing and is really useful if your local network uses hubs instead of switches. But if your network uses the latter then you will not be able to capture all the traffic. The difference is due to the way these devices forward packets to the destination.

When a node sends a packet to a hub it quickly makes several copies and forwards it to all the other physical ports. The figure below illustrates this.

As you can see, the network packet denoted by the envelope is supposed to be delivered to PC0. But as soon as it receives the packet from Router0 it makes several copies and pushes it through all the links.

So if PC1 were to be running Wireshark then it will always receive all the traffic meant for PC0. It should be clear that it becomes very simple to sniff data when using hub.

Now let us consider a network using a switch.

 In the previous article mentioned above I have explained how a switch maintains a table which has MAC address and physical port mapping.

Briefly speaking, any packet meant for PC0 will be forwarded only to that particular link and the other links will never get a copy. It is obvious that Wireshark running on PC1 will not be able to capture any other data.

Now comes the interesting part! A technique known as Active sniffing is all you need to overcome this problem! It requires you to perform a Man in the Middle attack aka MitM which will be described below. But before I delve into what is active sniffing and mitm let me talk a little about ARP and ARP spoofing.


(NOTE: You may skip this section if you are well aware of what ARP is)

I assume you are already a little familiar with ARP (Address Resolution Protocol ). It is basically a protocol designed to allow two machines to communicate. It works at the link layer of the OSI model. You should also be aware of the arp or MAC table. It can be viewed by running the arp -a command in Windows and a simple arp command in Linux. It is a mapping of the IP address of a machine and its MAC address present in the local network.

Very briefly, if a node wants to send a packet it uses the destination IP address to look up its arp table to find the MAC address of that machine. When the packet is processed by a receiving node, it validates whether the destination MAC address matches or not, otherwise the packet is discarded.

ARP Spoofing/Poisoning

What if an attacker machine is somehow able to convince that it is actually the destination machine the victim wants to talk to? Simultaneously if it is able to convince the destination machine that it is actually the victim pc? Basically it will be able to read all their conversation.

Technically speaking, what if the attacking machine keeps on sending false ARP updates telling the victim pc that the destination pc's MAC address is its own?

network topology

Refer to the illustration above. Here the attacker PC has crafted and sent false ARP updates telling the victim PC to update its arp table to point the destination PC's arp table with bb:bb:bb:bb . The poor victim PC would always put the destination MAC address as bb:bb:bb:bb. The attacker after reading the packet will then quietly forward it to the destination using the correct MAC address. At the same time the attacker would attack the destination node as well.

Please keep in mind is that if the destination node is not in the local network then it will never be able to know its MAC address. This is because MAC addresses are not forwarded outside the local network.In such a situation you will have to attack the local gateway/router since all the traffic intended for outside the network is forwarded to it.

Finally even though physically the attacker may be anywhere within the local network, logically all data will travel through it. The attacker acts as a middle man between the victim and the destination PC, thus the term man in the middle attack.

To summarize, we achieved a man in the middle attack by ARP spoofing or ARP poisoning. This is active sniffing because unlike passive sniffing, where the attacker simply sits and silently reads all the packets, proactive measures are taken and network configuration or setting is stealthily disturbed.

Limitations of this attack

It should become clear that in order to perform this attack the victim PC and the attacker MUST be within the same local network. Also some protocols have been built to detect Mi-t-M attacks. HTTPS/SSL is one such protocol (I hope now you realize why it is advised to look for the small padlock when communicating sensitive information!). Most modern browsers will detect errors in digital certificates and promptly display an error. There are other techniques which have been developed to specifically attack SSL and HTTPS which will be dealt with in future.


Using these concepts, tools have been built which allow you to actively sniff packets. Such tools such as Wireshark combined with Arpspoof, Cain and Abel and Ettercap will be discussed in the next post of this series. By the next article you will be able to actively sniff and read data from packets intended for others! Prevention techniques will also be discussed.

IMPT: the next part of this tutorial *Actively network sniffing uing cain and abel*

Important Links:

1. Understanding passive sniffing
2. Wiki on arp spoofing
3. Wiki on Packet sniffing
4. Wiki on promiscuous mode