Challenge Labs #2: Switching & Layer 2
These challenge labs cover layer 2 switching technology and the protections that go with it.
Below I will showcase labs focused on switching which should give you inspiration and assist in learning layer 2. You have probably already googled and found plenty of guides elsewhere for configuring specific things, so I will take a different approach and simply showcase and discuss the content, in addition to providing links to guides. This is to simulate a more real-world scenario without any hand-holding: you will have to research, create, and configure things yourself, using the Visio diagram as a reference, which is similar to what you would have to do in a professional setting.
When I started my CCNA studies back in 2014, I purchased a Cisco 2950 from eBay and began executing commands and getting hands-on with the hardware. Then when I started my CCNP studies I ended up with 5 switches (2x 3750, 2x 3560, 1x 2950) to study with (the total was less than $200 if I recall). However, now that Cisco VIRL is more popular and it is possible to run switches in GNS3 or EVE-NG, you might think that the prospect of buying actual switches is less desirable. I still recommend it if you are starting out so you can get hands-on and more comfortable with locating ports on switches (and enjoy the buzz of multiple fans kicking off at once). I'll talk about my original certification lab in a section below.
The main objective of a lab is testing and/or learning, so I recommend learning the show commands to test different behaviors and watch what happens in real time. For example, with Spanning Tree Protocol (STP), after things have converged I would remove the cable that is in use as a root port and then issue the show spanning-tree command (on Cisco) to see the ports transition through the STP states. Another good STP example is to run loop guard and then turn on BPDU filter on the neighbor's designated port: the blocking port on the other switch goes into the loop-inconsistent state because no bridge protocol data units (BPDUs) are being received. It's methods like these that help you learn the protocols and concepts. (Note: references to STP are generally meant to be for Rapid STP or Rapid Per-VLAN Spanning Tree.)
Here are some primer reference guides if needed.
The "haircut menu" inspired diagram descriptions:
The new school is inspired by the newer design of bringing layer 3 down to the access layer (routed access). Bringing L3 to the access layer has some challenges, but it also has advantages like faster convergence and separation of the layer 2 failure domain. This is the most advanced lab.
The campus special is the common 3-tier architecture you see in campus LAN design. It has the core, distribution and access layers. Layer 2 trunks run up from the access switches to the distribution layer, and the distribution layer connects to the core via layer 3 port-channels.
The old school is similar to the campus design except layer 2 is carried all the way to the core layer. You can also see the full mesh of links between the layers. This setup offers the most lessons on layer 2 because, due to the way STP works, blocked ports can easily produce sub-optimal traffic flows. STP port and bridge priority configuration is key in this topology.
The Box is a common lab setup to learn basics of switching. This is the setup I utilized a lot when learning. It's easy to understand and cable up.
The Green Leaf is inspired by the common data center design of spine (distribution) and leaf (access) switches. You'll notice each of the access switches connects to each spine switch.
Lastly the Ring leader is a common ring topology. Here each of the switches has at least a primary and a backup path. Don't confuse this with a switch stack, which logically turns multiple switches into one. A switch stack is generally cabled in a ring, but there is typically special hardware/cabling involved.
To begin, the focus of this is layer 2, so you can see a few of the diagrams are layer 2 only. I have placed the switched virtual interfaces (SVIs, or VLAN interfaces) where layer 2 meets layer 3; these are the default gateways for the end hosts. Learning how to configure and understand SVIs is important for understanding how host traffic travels via layer 2 to the layer 3 gateway. Search for "router on a stick" if you want to see the other way to provide a gateway for end hosts.
For configuring the port-channels I recommend using Link Aggregation Control Protocol (LACP) as it is vendor neutral and supported by a lot of platforms. The advantage of LACP (or PAgP if learning Cisco) over the "on" mode is that they negotiate the bundle with the neighboring switch, which catches failure scenarios like a configuration mismatch or a far end that is not channeled at all; in "on" mode nothing is verified and the ports are simply bundled. Remember that the configuration needs to match on all the ports in the port-channel.
Some of the other protocols shown which are generally seen on switches are HSRP/VRRP for default gateway redundancy, and also virtual chassis. VSS/vPC are Cisco's way of turning two switches into one (I believe Juniper calls it virtual switching). Switch stacking is a common method used by different vendors to logically (and physically) connect multiple switches together, which has advantages like not needing to run HSRP/VRRP. See below for more information on these technologies.
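As an added example for the port-channel advice above (not code from the original post or from any vendor tool), here is a small Python pre-flight check that captures both points: every member must carry identical settings, and the aggregation modes on the two ends must be able to negotiate. The attribute names and the three sample interfaces are constructed for illustration, not parsed from a real switch.

```python
"""Pre-flight checks for a port-channel before bundling (added example, constructed data).

Two things to verify: every member must carry identical layer 2 settings, and the
aggregation modes on both switches must be able to negotiate. The attribute names
and the three sample ports are assumptions, not parsed from a switch.
"""

# Settings that must be identical on every member. With LACP/PAgP a mismatched
# member is left out of the bundle (Cisco shows it as suspended); with "on" mode
# nothing checks it at all.
MUST_MATCH = ("mode", "native_vlan", "allowed_vlans", "speed", "duplex")

# Pairs of (local, remote) modes that form a bundle.
# LACP: active initiates, passive only answers, so passive/passive never forms.
# PAgP: desirable/auto behave the same way. "on" skips negotiation entirely and
# only works against another "on"; against LACP or PAgP nothing bundles.
COMPATIBLE = {
    ("active", "active"), ("active", "passive"), ("passive", "active"),
    ("desirable", "desirable"), ("desirable", "auto"), ("auto", "desirable"),
    ("on", "on"),
}

# Constructed member configs: Gi1/0/3 has a typo in its native VLAN.
MEMBERS = {
    "Gi1/0/1": {"mode": "trunk", "native_vlan": 999, "allowed_vlans": "10,20,30", "speed": "auto", "duplex": "auto"},
    "Gi1/0/2": {"mode": "trunk", "native_vlan": 999, "allowed_vlans": "10,20,30", "speed": "auto", "duplex": "auto"},
    "Gi1/0/3": {"mode": "trunk", "native_vlan": 1, "allowed_vlans": "10,20,30", "speed": "auto", "duplex": "auto"},
}


def check_members(members):
    """Return one line per attribute that is not identical across members (empty list = consistent)."""
    problems = []
    for attr in MUST_MATCH:
        by_value = {}
        for name, cfg in members.items():
            by_value.setdefault(cfg.get(attr), []).append(name)
        if len(by_value) > 1:
            detail = "; ".join(f"{value!r} on {', '.join(ports)}" for value, ports in by_value.items())
            problems.append(f"{attr} differs: {detail}")
    return problems


def bundle_forms(local_mode, remote_mode):
    """Will the two ends actually bundle? Order is (this switch, the neighbour)."""
    return (local_mode, remote_mode) in COMPATIBLE


if __name__ == "__main__":
    for line in check_members(MEMBERS) or ["members consistent"]:
        print(line)
    for pair in (("active", "passive"), ("passive", "passive"), ("on", "active")):
        print(pair, "->", "bundles" if bundle_forms(*pair) else "does not bundle")
```

Run it and the native VLAN typo on Gi1/0/3 is reported before you ever type channel-group; the mode table is the reason passive/passive "mysteriously" never comes up in a lab.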
I specifically did not call out root bridges here as I want you to think about where the root should be placed, and also to configure it in different locations. Maybe you should purposefully configure it on the access layer if you can run the 3-tier topology, because being able to identify a badly placed root bridge by tracing through the devices is useful experience.
After reading through the initial material and completing one of these setups you should be able to understand and configure STP and port-channels at a minimum.
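To see the blocked-port behaviour and the root placement question from the STP and old school sections without hardware, here is an added Python example (not the author's lab output) that computes 802.1D port roles for a six-switch version of the old school topology. The bridge MACs, the priority values and a uniform link cost of 4 are assumptions. It goes slightly beyond the text by letting you move the root with one argument and then tracing the path frames actually take, which is what tracing through the devices with show spanning-tree teaches you.

```python
"""Spanning-tree role calculation for the "old school" lab topology.

Added example (not the author's lab output): six switches cabled with
layer 2 carried to the core and a full mesh between layers. Bridge
MACs, priorities and the uniform link cost of 4 are assumptions.
"""
import heapq
from collections import deque

# Constructed cabling: full mesh core<->distribution and distribution<->access,
# plus a link inside each pair. Every link is treated as 1 Gb/s (802.1D cost 4).
LINKS = [
    ("core1", "core2"), ("core1", "dist1"), ("core1", "dist2"),
    ("core2", "dist1"), ("core2", "dist2"), ("dist1", "dist2"),
    ("dist1", "acc1"), ("dist1", "acc2"), ("dist2", "acc1"), ("dist2", "acc2"),
]
MACS = {"core1": "0000.0000.0001", "core2": "0000.0000.0002",
        "dist1": "0000.0000.0003", "dist2": "0000.0000.0004",
        "acc1": "0000.0000.0005", "acc2": "0000.0000.0006"}


def bridge_ids(root_candidate):
    """Bridge ID = (priority, MAC), lowest wins. Models 'spanning-tree vlan 1
    priority 4096' on one switch with everything else left at the default 32768."""
    return {sw: (4096 if sw == root_candidate else 32768, mac) for sw, mac in MACS.items()}


def stp_roles(bids, links=LINKS, cost=4):
    """Return {(switch, neighbour): role}, role in {"root", "designated", "alternate"}.
    "alternate" is the blocking port you see as Altn/BLK in 'show spanning-tree'."""
    neighbours = {sw: set() for sw in bids}
    for a, b in links:
        neighbours[a].add(b)
        neighbours[b].add(a)
    root = min(bids, key=bids.get)

    # Root path cost: cheapest path from each bridge to the root (Dijkstra).
    rpc = {root: 0}
    heap = [(0, root)]
    while heap:
        c, sw = heapq.heappop(heap)
        if c > rpc[sw]:
            continue
        for nb in neighbours[sw]:
            if c + cost < rpc.get(nb, float("inf")):
                rpc[nb] = c + cost
                heapq.heappush(heap, (c + cost, nb))

    # Root port: the neighbour offering the lowest (root path cost, sender bridge ID).
    root_port = {sw: min(neighbours[sw], key=lambda nb: (rpc[nb] + cost, bids[nb]))
                 for sw in bids if sw != root}

    roles = {}
    for a, b in links:
        # One designated port per segment: the end with the lowest (root path cost, bridge ID).
        desig = min((a, b), key=lambda sw: (rpc[sw], bids[sw]))
        other = b if desig == a else a
        roles[(desig, other)] = "designated"
        roles[(other, desig)] = "root" if root_port.get(other) == desig else "alternate"
    return roles


def blocked_ports(roles):
    return sorted(port for port, role in roles.items() if role == "alternate")


def active_path(roles, src, dst):
    """Walk only links where neither end is blocking: the path frames really take."""
    adj = {}
    for (a, b), role in roles.items():
        if role != "alternate" and roles[(b, a)] != "alternate":
            adj.setdefault(a, set()).add(b)
    queue, prev = deque([src]), {src: None}
    while queue:
        sw = queue.popleft()
        if sw == dst:
            path = []
            while sw is not None:
                path.append(sw)
                sw = prev[sw]
            return path[::-1]
        for nb in adj.get(sw, ()):
            if nb not in prev:
                prev[nb] = sw
                queue.append(nb)
    return None


if __name__ == "__main__":
    for root in ("core1", "acc1"):  # well placed root vs root on an access switch
        roles = stp_roles(bridge_ids(root))
        print(f"root={root} blocked={blocked_ports(roles)}")
        print("  dist2 -> core2:", " -> ".join(active_path(roles, "dist2", "core2")))
```

With the root on core1, dist2 reaches core2 through core1 and the direct dist2-core2 link sits blocked, which is the normal cost of a loop-free tree. Move the root to acc1 and the same traffic goes dist2 -> acc1 -> dist1 -> core2: distribution-to-core traffic hairpinning through an access switch, the badly placed root you are meant to recognise by tracing the blocked ports.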
Spanning Tree Features and Security
This is a network defense blog, so we had to include some security, right? Some of the attacks that can be performed in the layer 2 domain are root bridge hijacking, CAM table overflow, Address Resolution Protocol (ARP) poisoning (i.e. man-in-the-middle), and rogue DHCP servers.
The diagram below shows a few of the STP features that can help protect the switching domain. BPDU guard and PortFast should be applied to access ports: PortFast moves the port straight to forwarding so standard traffic starts flowing as soon as possible, and BPDU guard err-disables the port if a BPDU ever arrives on it, which protects against rogue switches. Furthermore, root guard should be applied on the root switch's designated ports (facing the lower layers) so that a superior BPDU from a downstream switch puts that port into the root-inconsistent state instead of letting the switch take over as root bridge.
Take note of some of the configuration call-outs here. This diagram's setup should be mastered as part of your layer 2 switching practice. Virtual switching is optional, but if you can lab it then do it! (Note: without virtual switching you can't have the same EtherChannel setup displayed between the distribution and core layers, since a single port-channel cannot span two independent chassis.)
Some general security features are:
DHCP snooping - Prevents a rogue device from acting as a DHCP server on the LAN; only ports marked as trusted (your uplinks) may send DHCP server messages, and the switch builds a binding table of IP, MAC, VLAN and port from the leases it sees
Dynamic ARP Inspection (DAI) - Prevents ARP spoofing by checking ARP packets against the DHCP snooping binding table (which is why it requires DHCP snooping)
Port-security - Limits the number of MAC addresses a port may learn, which blunts CAM table overflow
802.1X - Only allows authenticated devices on the port (requires a RADIUS server to configure; this is a more advanced topic and beyond the scope of these labs)
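Since the whole point of the STP protections and the feature list above is that the right knobs are set on the right ports, here is an added Python example (not from the original post) that audits a Cisco IOS style running-config for them: PortFast, BPDU guard and port-security on access ports, DHCP snooping trust on trunks, and the DAI-needs-snooping dependency. The config excerpt is constructed, the parser only understands the handful of commands it checks, and the command syntax follows classic IOS (the names of the checks and findings are my own).

```python
"""Audit a Cisco IOS style running-config for the layer 2 protections listed above.

Added example with a constructed config excerpt, not taken from the author's lab.
The parser only understands the handful of commands it checks; command syntax
follows classic IOS and is not verified against other platforms.
"""

# Constructed running-config: two access ports (one hardened, one not) and an uplink trunk.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description uplink to dist1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
"""


def parse_config(config):
    """Split into (global lines, {interface name: [indented lines]})."""
    globals_, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line)
    return globals_, interfaces


def expand_vlans(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit(config):
    globals_, interfaces = parse_config(config)
    findings = []
    snooping_on = "ip dhcp snooping" in globals_
    global_bpduguard = "spanning-tree portfast bpduguard default" in globals_
    snooping_vlans, dai_vlans = set(), set()
    for line in globals_:
        if line.startswith("ip dhcp snooping vlan "):
            snooping_vlans |= expand_vlans(line.split()[-1])
        elif line.startswith("ip arp inspection vlan "):
            dai_vlans |= expand_vlans(line.split()[-1])

    if not snooping_on:
        findings.append("global: 'ip dhcp snooping' is not enabled")
    # DAI validates ARP against the snooping binding table, so it needs snooping on the same VLANs.
    uncovered = dai_vlans - (snooping_vlans if snooping_on else set())
    if uncovered:
        findings.append(f"global: DAI on VLANs {sorted(uncovered)} without DHCP snooping bindings")

    for name, lines in interfaces.items():
        access = "switchport mode access" in lines
        trunk = "switchport mode trunk" in lines
        portfast = any(l.startswith("spanning-tree portfast") and not l.endswith("disable") for l in lines)
        if access:
            if not portfast:
                findings.append(f"{name}: missing 'spanning-tree portfast'")
            # Per-port bpduguard, or the global default which applies to PortFast ports.
            if not ("spanning-tree bpduguard enable" in lines or (global_bpduguard and portfast)):
                findings.append(f"{name}: missing 'spanning-tree bpduguard enable'")
            if "switchport port-security" not in lines:
                findings.append(f"{name}: missing 'switchport port-security'")
            if "ip dhcp snooping trust" in lines:
                findings.append(f"{name}: access port must not be trusted for DHCP snooping")
        if trunk and snooping_on and "ip dhcp snooping trust" not in lines:
            findings.append(f"{name}: trunk lacks 'ip dhcp snooping trust' (legitimate DHCP offers would be dropped)")
        if trunk and dai_vlans and "ip arp inspection trust" not in lines:
            findings.append(f"{name}: trunk lacks 'ip arp inspection trust'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the sample it flags only GigabitEthernet1/0/2 (no BPDU guard, no port-security). The trunk checks go the other way: forgetting the trust statements on an uplink after enabling snooping or DAI is the classic self-inflicted outage, so the audit treats an untrusted trunk as a finding too.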
These are generally easy to configure, but properly exercising them in a lab requires some extra equipment. If you took the real hardware route then ideally you can do this with two PCs configured in the same VLAN. If you're interested in simulating attacks or are more security oriented then Kali Linux is a great Linux distribution that comes jam-packed with tools that can execute the above attacks. I'll likely cover this in a later post.
This is my original CCNP lab illustrated. I purchased another PCI NIC for my PC so I could simulate having 2 PCs on different VLANs, or have them on the same VLAN to simulate an attack as mentioned in the previous section. Additionally I utilized a dual console to single USB adapter, which allowed me to console in to all 4 switches while only taking up 2 USB ports on the PC.
What's nice about this setup is you can do everything from one computer, and can run a Wireshark instance on each of your NICs. I recommend running Wireshark while performing the layer 2 lab so you can see the device broadcasts (or IPv6 multicast), ARP requests, STP BPDUs, etc. It really helps to solidify the concepts.
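Once you are looking at the STP messages in Wireshark, it helps to know what the bytes mean and what a root bridge hijack looks like on the wire. The following is an added Python example (not a capture from the author's lab) that builds and decodes 802.1D/802.1w configuration BPDUs and flags a frame that advertises a better root than the one you configured. Only the BPDU after the 802.2 LLC header is modelled; the two frames, the bridge MACs and the priorities are constructed.

```python
"""Decode 802.1D/802.1w configuration BPDUs and flag a claim of a better root.

Added example built from two constructed frames, not from a capture of the
author's lab. Only the BPDU after the 802.2 LLC header (DSAP/SSAP 0x42) is
modelled; the Ethernet and LLC bytes are assumed already stripped.
"""
import struct

# Fixed 35-byte layout: protocol ID, version, type, flags, root ID, root path
# cost, sender bridge ID, port ID, message age, max age, hello, forward delay.
# Rapid STP (version 2, type 0x02) appends one "version 1 length" byte.
BPDU_FMT = ">HBBB8sI8sHHHHH"


def bridge_id(priority, mac, vlan=1):
    """802.1t bridge ID: 4-bit priority (multiple of 4096), 12-bit system-ID
    extension (the VLAN under PVST+), then the 48-bit bridge MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return struct.pack(">H6s", priority | vlan, bytes.fromhex(mac.replace(".", "")))


def decode_bridge_id(raw):
    field = int.from_bytes(raw[:2], "big")
    mac = raw[2:].hex()
    return {"priority": field & 0xF000, "vlan": field & 0x0FFF,
            "mac": ".".join(mac[i:i + 4] for i in range(0, 12, 4))}


def build_bpdu(root, root_cost, sender, port_no, rstp=False):
    """Constructed sender using 802.1D default timers (2/20/15 s, encoded in 1/256 s)."""
    version, btype = (2, 0x02) if rstp else (0, 0x00)
    pdu = struct.pack(BPDU_FMT, 0, version, btype, 0, root, root_cost, sender,
                      0x8000 | port_no, 0, 20 * 256, 2 * 256, 15 * 256)
    return pdu + b"\x00" if rstp else pdu


def parse_bpdu(data):
    (_, version, btype, _flags, root, cost, sender,
     port, _age, max_age, hello, fwd) = struct.unpack(BPDU_FMT, data[:struct.calcsize(BPDU_FMT)])
    return {"version": version, "type": btype, "root": decode_bridge_id(root),
            "root_path_cost": cost, "sender": decode_bridge_id(sender),
            "port": port & 0x0FFF, "hello": hello / 256, "max_age": max_age / 256,
            "forward_delay": fwd / 256}


def root_hijack(bpdu, expected_root):
    """True when the advertised root is numerically lower (better) than the root you
    configured; this is the BPDU that root guard answers with root-inconsistent."""
    advertised = (bpdu["root"]["priority"], bpdu["root"]["mac"])
    return advertised < expected_root


if __name__ == "__main__":
    core1 = bridge_id(4096, "0000.0000.0001")
    rogue = bridge_id(0, "0000.0000.00aa")  # a rogue host claiming priority 0
    for frame in (build_bpdu(core1, 0, core1, 1), build_bpdu(rogue, 0, rogue, 3, rstp=True)):
        info = parse_bpdu(frame)
        print(info["root"], "HIJACK" if root_hijack(info, (4096, "0000.0000.0001")) else "ok")
```

The comparison is on the full bridge ID, so a frame with the same priority as your root but a lower MAC is caught as well; a detector that only looked at the priority field would miss that case.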
I hope this post provided you with a good amount of information and inspiration for this round of challenge labs. Remember to issue the show commands and try to break things once you're confident you understand the protocol and features. Learning about spanning tree, layer 2 broadcast domains, and other layer 2 switching topics is essential for any network or security engineer. Moreover, learning about the common attacks seen in the switching domain and how to mitigate them is a useful start in protecting the local area network.
Shout out to 802.1s MST (if you need more ideas).
Good luck !