Sunday, December 31, 2017

Looking to expand your knowledge on Intrusion Detection, Incident Handling, or Hacker Techniques and Exploits? Then come hang out at one of my upcoming classes to learn more.

Upcoming Courses Taught By Nik Alleyne

    - Community SANS Baltimore SEC503, Baltimore, MD: Mar 12, 2018 - Mar 17, 2018
    - Community SANS Columbia SEC503, Columbia, MD: Aug 13, 2018 - Aug 18, 2018

*Course contents may vary depending upon location, see specific event description for details.


Cisco CCNP:300-115 - 3.0 Infrastructure Services: 3.1 Configure and verify first-hop redundancy protocols: 3.1.c GLBP

Recently I needed to renew my Cisco CCNPs, that is both CCNP Routing and Switching as well as CCNP Security. While working with Cisco products (well now they own SourceFire, so exclude these) is not within my daily duties, I still thought it was important for me to maintain these two credentials. As a result, I've put together my notes below focusing on the key points I used to study. I believe that someone else may find them useful.

    - Does load sharing over multiple router gateways
    - Uses a single virtual IP but multiple virtual MAC addresses
    - The forwarding load is shared amongst all routers in the GLBP group
    - All hosts are configured with the same virtual IP
    - All hosts in the group forward packets
    - Hello messages are sent every 3 seconds
    - Multicast address is 224.0.0.102, UDP port 3222
    - One group member is elected to be the Active Virtual Gateway (AVG)
    - Other group members act as backup if the AVG fails
    - The AVG assigns a virtual MAC address to each member of the group
    - Each gateway assumes responsibility for traffic sent to its MAC address. These are known as Active Virtual Forwarders (AVFs)
    - The AVG is responsible for answering ARP requests for the virtual IP
    - Load sharing is achieved by the AVG responding with a different MAC address for the virtual IP
    - If the AVG does not have an active virtual forwarder, it responds with the MAC address of the first listening virtual forwarder. This causes traffic to route via another gateway until the virtual forwarder once again becomes the current AVG
    - Important to note is that GLBP does load sharing
    - GLBP allows up to 4 virtual MAC addresses per group
    - The AVG is responsible for assigning the virtual MAC addresses
    - Group members request a virtual MAC address from the AVG via hello messages
    - Gateways are assigned the next MAC address in the sequence
    - A virtual forwarder that is assigned a virtual MAC address by the AVG is called a primary virtual forwarder
    - Virtual forwarders that learn their virtual MAC address via hello messages are known as secondary virtual forwarders
    - One device is elected AVG, another gateway is elected as standby, and the other devices are placed in the listening state
    - After the AVG fails, the standby takes over and a new standby is elected
    - The "Redirect Time" is the interval during which hosts continue to be redirected to the old forwarder's MAC address
    - When the "Redirect Time" expires, the AVG stops using the old forwarder MAC address in ARP replies
    - The "Secondary" hold time is the interval for which the virtual router is valid
    - When the secondary hold time expires, the virtual router is removed from all gateways in the group
    - The expired virtual forwarder number becomes eligible for reassignment
    - The router with the higher priority is elected as AVG
    - After priority, the higher IP wins
    - A backup gateway can only become the AVG if the current AVG fails, regardless of priorities
    - Thresholding can be used to control forwarding
    - Default delay is 30 seconds
    - Uses a client cache which contains the hosts that are using the GLBP group as their default gateway
    - Entries are added based on ARP requests or IPv6 neighbor discovery
    - The information stored is the host that sent the ARP and which forwarder was assigned to it, along with the protocol address and the time elapsed since the host entry was updated
    - The client cache can store information for up to 2000 hosts for a GLBP group
    - Expected normal configuration is 1000 hosts
    - Cache entries are cleared based on the least recently updated address
    - For each host at least 20 bytes is required
    - Supports In Service Software Upgrades (ISSU), meaning that the devices can operate on two different software versions
    - Each gateway in a group must be configured with the same group number
    - At least one device must be configured with the virtual IP address
    - All other required parameters can be learned
    - Default Hello Time 3 seconds
    - Default Hold Time 10 seconds
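The points above as an IOS configuration, added here as an example and not taken from the original post or the Cisco documentation it references; the VLAN, addresses, tracked interface and key string are placeholders I chose.

```cisco
! Added example (not from the original post). Assumed: two distribution
! switches sharing SVI VLAN 20 in 10.20.0.0/24, virtual IP 10.20.0.1,
! uplink GigabitEthernet1/0/24 and key string GLBP-KEY are placeholders.
!
! ---- Gateway A: intended AVG ----
track 1 interface GigabitEthernet1/0/24 line-protocol
!
interface Vlan20
 ip address 10.20.0.2 255.255.255.0
 ! Same group number and virtual IP on every gateway in the group
 glbp 20 ip 10.20.0.1
 ! Higher priority wins the AVG election (default 100); without preempt
 ! a backup only becomes AVG when the current AVG fails
 glbp 20 priority 150
 glbp 20 preempt delay minimum 30
 ! Hello 3 s / hold 10 s are the defaults, shown explicitly for the exam
 glbp 20 timers 3 10
 ! Redirect time (default 600 s) and secondary hold time (default 14400 s)
 glbp 20 timers redirect 600 14400
 ! Round-robin hands out the next virtual MAC on each ARP reply
 glbp 20 load-balancing round-robin
 ! Weighting thresholds: stop forwarding below 70, resume above 90
 glbp 20 weighting 100 lower 70 upper 90
 glbp 20 weighting track 1 decrement 40
 ! MD5 so that an unauthenticated hello cannot join the group or win the election
 glbp 20 authentication md5 key-string GLBP-KEY
!
! ---- Gateway B: standby AVG, still an active virtual forwarder ----
interface Vlan20
 ip address 10.20.0.3 255.255.255.0
 glbp 20 ip 10.20.0.1
 glbp 20 priority 100
 glbp 20 timers 3 10
 glbp 20 load-balancing round-robin
 glbp 20 authentication md5 key-string GLBP-KEY
!
! Verify which router is AVG and which virtual MAC each AVF owns:
! show glbp brief
! show glbp 20
```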

References:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/12-4/fhp-12-4-book/fhp-glbp.html

Cisco CCNP:300-115 - 3.0 Infrastructure Services: 3.1 Configure and verify first-hop redundancy protocols: 3.1.b VRRP


    - Designed for use over multiaccess, multicast, or broadcast capable Ethernet LANs
    - VRRP is supported on Ethernet, Fast Ethernet, Bridge Group Virtual Interface (BVI), and Gigabit Ethernet interfaces, and on Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs), VRF-aware MPLS VPNs, and VLANs
    - The address of the virtual router is the same as that of the physical interface of a router. This host is called the "Virtual Router Master"
    - Every other router in the VRRP group is called a "Virtual Router Backup"
    - The "Virtual Router Master" uses the IP address of the physical interface
    - The "Virtual Router Master" is also known as the IP owner
    - If the "Virtual Router Master" fails, the router with the highest priority becomes the "Virtual Router Master"
    - When the original Master recovers it becomes the Master once again
    - Can be configured to share the traffic
    - Provides redundancy, load balancing, multiple virtual IPs, authentication, preemption, an advertisement protocol and object tracking
    - Supports up to 255 virtual routers, depending on resources, etc.
    - Uses MD5 authentication to mitigate spoofing
    - Uses multicast IP 224.0.0.18
    - Can track interfaces and route state
    - The host owning the IP address on the physical interface which maps to the gateway becomes the "Virtual Router Master"
    - Like HSRP, the highest priority wins when electing a master if the primary fails
    - Unlike HSRP priority, which goes from 0 - 255, VRRP goes from 1 - 254
    - Like HSRP, if the priority is the same on two devices, then the higher IP wins
    - Advertisements are sent to devices in the same group
    - By default advertisements are sent every second
    - While the RFC does not support millisecond timers, Cisco's implementation allows you to use them
    - Millisecond support needs to be configured manually on both primary and backup devices
    - Millisecond support works only with Cisco devices
    - VRRP can track an interface, the reachability of a route, and the state of an IP route
    - The default authentication type is "text"; you can also use an MD5 key string or MD5 key chains
    - Can have different IOS versions on primary and backup
    - It is recommended to customize VRRP before enabling it, as the device can become the master of a group as soon as it is enabled
    - The device with the owner IP will preempt regardless of preempt configuration
    - All devices in the VRRP group must use the same timer values
    - If the timer values do not match, devices in the group will not communicate and any misconfigured router will change its state to master
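The same notes as a two-router VRRP configuration, added here as an example (not the original post's content); the VLAN, addresses, tracked object and key string are placeholders I chose.

```cisco
! Added example (not from the original post). Assumed: SVI VLAN 30 in
! 10.30.0.0/24, virtual IP 10.30.0.1, uplink GigabitEthernet1/0/24 and
! key string VRRP-KEY are placeholders.
!
! ---- Router A: virtual router master ----
track 1 interface GigabitEthernet1/0/24 line-protocol
!
interface Vlan30
 ip address 10.30.0.2 255.255.255.0
 vrrp 30 ip 10.30.0.1
 ! Configurable priority range is 1-254; the IP owner is always 255
 vrrp 30 priority 120
 ! Preempt is on by default; the delay lets routing converge first
 vrrp 30 preempt delay minimum 30
 ! One advertisement per second is the default; peers must agree.
 ! Sub-second timers are Cisco-only and must be set on both peers,
 ! e.g. "vrrp 30 timers advertise msec 500"
 vrrp 30 timers advertise 1
 ! Lose 30 priority when the uplink drops so router B takes over
 vrrp 30 track 1 decrement 30
 ! MD5 instead of the default clear-text authentication
 vrrp 30 authentication md5 key-string VRRP-KEY
!
! ---- Router B: backup ----
interface Vlan30
 ip address 10.30.0.3 255.255.255.0
 vrrp 30 ip 10.30.0.1
 vrrp 30 priority 100
 ! Learn the advertisement timer from the master instead of hard-coding it
 vrrp 30 timers learn
 vrrp 30 authentication md5 key-string VRRP-KEY
!
! Verify: show vrrp brief
!         show vrrp 30
```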


References:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/12-4/fhp-12-4-book/fhp-vrrp.html

Cisco CCNP:300-115 - 3.0 Infrastructure Services: 3.1 Configure and verify first-hop redundancy protocols: 3.1.a HSRP


    - Typically used at Layer 3, providing redundancy for IP traffic
    - Layer 2 is used for cluster management
    - Allows two or more HSRP-configured routers to use the MAC address and IP network address of a virtual router
    - HSRP can be used on routed interfaces or SVIs
    - When HSRP is configured on an interface, ICMP redirects are also automatically enabled for the interface

    - HSRP v1 group numbers can be from 0 - 255
    - HSRP v1 uses multicast address 224.0.0.2 to send hello packets
    - You cannot enable Cisco Group Management Protocol (CGMP) and HSRP at the same time because they use the same multicast address, 224.0.0.2 (HSRP uses UDP port 1985)

    - HSRP v2 matches group numbers to VLAN IDs
    - Can use group numbers 0 - 4095
    - Virtual MAC addresses can be from 0000.0C9F.F000 to 0000.0C9F.FFFF
    - Uses multicast address 224.0.0.12
    - Both CGMP and HSRP can be enabled
    - Has a different packet format from v1
    - HSRP v2 uses TLVs - Type/Length/Value
    - HSRP v2 can identify the sending router
    - If an interface running HSRP v1 gets an HSRP v2 packet, the type field is ignored

    - MHSRP - Multiple HSRP
    - Allows load sharing between 2 or more groups (and paths)
    - Highest priority wins when selecting the active router
    - Ensure you enter "standby preempt" so that load sharing resumes when the down device comes back online

    - Default "Hello Time" 3 seconds
    - Default "Hold Time" 10 seconds
    - Default "Track" decrements 10 seconds
    - Default "Priority" 100
    - Cannot enable HSRP for IPv4 and IPv6 at the same time
    - HSRP v1 and v2 cannot be enabled at the same time
    - Can have up to 32 instances of HSRP groups
    - If you configure the same HSRP group number on multiple interfaces, the switch counts each interface as one instance
    - The interface must be a Layer 3 interface
    - Can run on Layer 3 EtherChannel ports
    - All Layer 3 interfaces must have an assigned IP
    - The version can be changed from v2 to v1 only if the group numbers are less than 256
    - HSRP v2 and HSRP for IPv6 require ranges that are multiples of 256
    - If no IP is specified via the "standby ip" command, one is learned through the standby function

    - Election is based on "Highest Priority" -> "Highest IP"
    - When routing is first enabled, the router does not have to have a complete routing table
    - It can still preempt even though it cannot yet provide full routing services
    - A delay can be used to allow the router to update its routing table
    - "delay" causes the local router to postpone taking over the active role for the given number of seconds. The range is 0 to 3600 (1 hour); the default is 0 (no delay before taking over)
    - Default HSRP authentication string is "cisco"
    - Only the "Active" and "Standby" routers send "Hello" messages. All other routers remain in the listening state
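The HSRP v2 points above in a two-router configuration, added here as an example rather than taken from the original post; the VLAN, addresses, tracked interface and key string are placeholders I chose.

```cisco
! Added example (not from the original post). Assumed: SVI VLAN 10 in
! 10.10.10.0/24, virtual IP 10.10.10.1, uplink GigabitEthernet1/0/24 and
! key string HSRP-KEY are placeholders.
!
track 1 interface GigabitEthernet1/0/24 line-protocol
!
! ---- Router A: intended active ----
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 ! Version 2 allows group numbers 0-4095, so the group can match the VLAN ID
 standby version 2
 standby 10 ip 10.10.10.1
 ! Default priority is 100; higher wins, then higher IP on a tie
 standby 10 priority 110
 ! Preempt with a delay so the router has a routing table before taking over
 standby 10 preempt delay minimum 60
 ! Hello 3 s / hold 10 s are the defaults
 standby 10 timers 3 10
 ! Decrement priority by 20 (default 10) when the uplink goes down;
 ! 110 - 20 = 90 is below the peer's 100, so the peer preempts
 standby 10 track 1 decrement 20
 ! Replace the default clear-text string "cisco" with MD5
 standby 10 authentication md5 key-string HSRP-KEY
!
! ---- Router B: standby; same group, version and virtual IP ----
interface Vlan10
 ip address 10.10.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 100
 ! Needed so B takes over when A's tracked priority falls below 100
 standby 10 preempt
 standby 10 timers 3 10
 standby 10 authentication md5 key-string HSRP-KEY
!
! Verify: show standby brief
!         show standby vlan 10
```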
  

References:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/12-4/fhp-12-4-book/fhp-hsrp.html

Cisco CCNP:300-115 - 2.1 Configure and verify switch security features:2.1.f Storm control


          - Storm control prevents LAN ports from being disrupted by broadcast, multicast or unicast traffic storms on a physical interface
          - Storms can occur for multiple reasons, including network misconfiguration or users launching denial-of-service attacks
          - The storm control level is a percentage of the total available bandwidth of the port
          - Each port has a single traffic storm control level which is used for all traffic (broadcast, multicast and unicast)
          - Does not suppress spanning tree packets
          - Does not differentiate control traffic from data traffic outside of spanning tree
          - When broadcast storm control is enabled and traffic exceeds the threshold, storm control drops all broadcast traffic until the end of the traffic storm control interval
          - If both broadcast and multicast traffic control mechanisms are in place and the combined traffic exceeds the threshold, storm control drops all broadcast and multicast traffic
          - If both broadcast and multicast traffic control mechanisms are in place and either of the two traffic types exceeds the threshold, storm control drops all broadcast and multicast traffic
          - While storm control is supported on physical interfaces, it can still be configured on an EtherChannel
          - When storm control is configured on an EtherChannel, the storm control settings propagate to the physical interfaces in the channel
          - Configuring storm control on EtherChannel member ports puts the interface in a suspended state

          Storm control can use:
              - Bandwidth
                      - A percentage of the total bandwidth of the port that can be used by broadcast, multicast or unicast
              - Traffic rate in packets per second
                      - Rate at which broadcast, unicast or multicast is received
              - Traffic rate in bits per second
                      - Rate at which broadcast, unicast or multicast is received
              - Traffic rate in packets per second for small frames. Enabled globally; the threshold for small frames is configured on each interface
          - With each of the above, the port remains blocked until the traffic rate has dropped below the falling threshold (optional) and then resumes forwarding
          - If a falling suppression rate is not set, the switch blocks traffic until the rate drops below the rising suppression level
          - The higher the level, the less effective the protection against broadcast storms
          - When the threshold is met for multicast, all multicast traffic is blocked except for control traffic such as BPDU and CDP. Routing updates are blocked
          - A higher level such as 100 percent means no limit is placed on the traffic
          - A lower value such as 0 means all broadcast, multicast or unicast traffic on that port is blocked
          - By default storm control is disabled, which corresponds to a suppression level of 100 percent
          - Storm control is configured on a per-port basis

          - Storm control actions are shutdown and trap. However, the default is to filter out the traffic and not send traps
          - The switchport blocks traffic (shutdown) when the rising level is met
          - The switchport forwards traffic again when traffic drops below the falling threshold
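A per-port storm control configuration exercising the rising/falling thresholds, the pps form and the action setting, added here as an example (not from the original post); the interface and threshold values are placeholders I chose for illustration.

```cisco
! Added example (not from the original post). Assumed: access port
! GigabitEthernet1/0/1; all threshold values are illustrative placeholders.
!
! Default state: storm control disabled, i.e. a suppression level of
! 100 percent, so a broadcast storm is forwarded unchecked.
!
interface GigabitEthernet1/0/1
 ! Rising threshold 20 percent of port bandwidth for broadcast, falling
 ! threshold 10 percent: forwarding resumes only once the rate drops
 ! below the falling level. Without the second value the port stays
 ! blocked until traffic drops below the rising level.
 storm-control broadcast level 20.00 10.00
 ! Multicast measured in packets per second. When this trips, BPDU and
 ! CDP are still forwarded but routing updates are blocked.
 storm-control multicast level pps 2k 1k
 ! Unicast bursts are the hardest to tell from legitimate load, so keep
 ! the level high
 storm-control unicast level 80.00 60.00
 ! Default action is filter only; "trap" also sends an SNMP trap,
 ! "shutdown" err-disables the port instead of filtering
 storm-control action trap
!
! If "storm-control action shutdown" is used, recover automatically
! instead of waiting for manual intervention
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! Verify: show storm-control GigabitEthernet1/0/1 broadcast
!         show storm-control GigabitEthernet1/0/1 multicast
!         show storm-control GigabitEthernet1/0/1 unicast
```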

References:
https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/12-1E/configuration/guide/storm.html
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swtrafc.html

Cisco CCNP:300-115 - 2.1 Configure and verify switch security features: 2.1.d Port security


      - Used to restrict input to an interface by limiting and identifying MAC addresses
      - When the maximum number of MAC addresses is reached on a secure port, a security violation occurs
      - Port security is disabled by default
      - When enabled, the port is shut down when the maximum number of secure MAC addresses has been exceeded

      - Static secure MAC addresses - manually configured, stored in the address table and added to the switch running config
      - Dynamic secure MAC addresses - dynamically learned, only stored in the address table and removed when the switch restarts
      - Sticky secure MAC addresses - learned dynamically or manually configured, stored in the address table and added to the running configuration
      - All sticky MAC addresses are added to the running configuration

      Violation occurs for any of the following:
              - The maximum number of secure MAC addresses has been added to the address table and a new station attempts to access the interface
              - An address learned or configured on one secure interface is seen on another secure interface

      - Violation modes are:
              - Protect
                      - Packets from unknown sources are dropped when the maximum number of MAC addresses is reached on an interface
                      - You must either remove a sufficient number of unknown MAC addresses or increase the number of allowable addresses
                      - Notification is provided that a violation has occurred
                      - No notification is provided that a security violation has occurred

              - Restrict
                      - Packets from unknown sources are dropped when the maximum number of MAC addresses is reached on an interface
                      - You must either remove a sufficient number of unknown MAC addresses or increase the number of allowable addresses
                      - Notification is provided that a violation has occurred
                      - An SNMP trap is sent, a syslog message is logged and the violation counter increases

              - Shutdown
                      - This is the default mode
                      - When a violation occurs, the interface becomes error-disabled and is shut down immediately
                      - Port LEDs are turned off
                      - An SNMP trap is sent, a syslog message is logged and the violation counter increases
                      - Can leverage the following command to bring the interface out of the error-disabled state after a specific time:
                              SW2(config)#errdisable recovery cause psecure-violation
                      - Alternatively you can manually re-enable it with "shutdown" followed by "no shutdown"

              - Shutdown VLAN
                      - Sets the security violation mode per VLAN
                      - Puts the VLAN in the error-disabled state instead of the port when a violation occurs

          - Port security can be configured on static access or trunk ports only
          - A secure port cannot be a dynamic access port
          - A secure port cannot be a destination port for SPAN
          - Secure ports cannot belong to a Gigabit EtherChannel port group
          - Note, voice VLAN is only available on access ports and not trunk ports
          - Secure ports cannot be private-VLAN ports
          - When using port security with voice VLANs, set the maximum allowable MAC addresses to 2 on the port
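A port security configuration for a phone-plus-PC access port covering the maximum, sticky learning, the violation mode and err-disable recovery, added here as an example (not from the original post); the interface, VLANs and MAC address are constructed placeholders.

```cisco
! Added example (not from the original post). Assumed: access port
! GigabitEthernet1/0/5 with data VLAN 10 and voice VLAN 20; the MAC
! 0011.2233.4455 is a constructed value.
!
interface GigabitEthernet1/0/5
 ! Port security only works on static access or trunk ports, never dynamic
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 ! Phone plus the PC behind it: maximum 2, otherwise the second MAC violates
 switchport port-security maximum 2
 ! Sticky: learned dynamically, but written into the running config so it
 ! survives a reload once the config is saved
 switchport port-security mac-address sticky
 ! Optionally pin the phone statically on the voice VLAN
 switchport port-security mac-address 0011.2233.4455 vlan voice
 ! Default violation mode is shutdown (err-disable). "restrict" drops the
 ! offending frames but keeps the port up and still traps, logs and counts
 switchport port-security violation restrict
!
! For ports left in the default "shutdown" mode, bring them back
! automatically after 5 minutes instead of a manual shutdown / no shutdown
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify: show port-security interface GigabitEthernet1/0/5
!         show port-security address
!         show errdisable recovery
```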

References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swtrafc.html

Cisco CCNP:300-115 - 2.1 Configure and verify switch security features: 2.1.c Dynamic ARP inspection



         - Security feature which validates ARP packets in a network
         - Dynamic ARP inspection intercepts, logs and discards ARP packets with invalid IP-to-MAC address bindings
         - Can protect from certain man-in-the-middle attacks
         - Ensures only valid ARP requests and responses are relayed
         - First step is to intercept all ARP requests and responses on untrusted ports
         - Next step is to verify the IP-to-MAC binding is valid before updating the local ARP cache or forwarding the packet to the correct destination
         - Drop invalid ARP packets
         - Validity of an ARP packet is based on the valid IP-to-MAC address bindings which are stored in the trusted database known as the DHCP snooping binding database
         - The DHCP snooping binding database is built by DHCP snooping if it is enabled on the VLANs and on the switch
         - ARP packets received on trusted interfaces are forwarded without any checks
         - ARP packets on untrusted interfaces are only forwarded if they are valid
         - Dynamic ARP inspection is enabled on a per-VLAN basis using:
                    SW2(config)#ip arp inspection vlan 30

         - Dynamic ARP inspection can also be used in non-DHCP environments
         - Dynamic ARP inspection can be configured to drop packets when the IP addresses in the packets are invalid
         - Dynamic ARP inspection can also drop packets when the MAC address in the body of the ARP packet does not match the address specified in the Ethernet header

    Trust States and Network Security
         - Dynamic ARP inspection associates each interface with a trust state
         - Traffic coming in on trusted interfaces bypasses all dynamic ARP inspection validation checks
         - Traffic arriving on untrusted interfaces undergoes the dynamic ARP inspection validation process
         - To configure the trust setting, use:
                 SW2(config-if)#ip arp inspection trust

         - Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity
         - Dynamic ARP inspection ensures hosts connected to untrusted ports do not poison the ARP caches of other hosts on the network

         - By default the rate limit for untrusted interfaces is 15 packets per second (pps)
         - Trusted interfaces are not rate limited
         - When the rate of incoming packets exceeds the configured limit, the interface is placed in the "err-disabled" state
         - When the port goes into the "err-disabled" state, manual intervention is required if global recovery is not configured
         - If EtherChannel is in use, each switchport in the channel operates at 20 pps. If any switchport exceeds the limit, the entire channel is placed in the "err-disabled" state

         - Dynamic ARP inspection uses the DHCP snooping binding database

         - Switches compare ARP packets to user-configured ARP ACLs
         - If the ARP ACL denies the ARP packet, then the switch also denies the packet. This is so even if a valid binding exists in the DHCP snooping database
         - By default Dynamic ARP inspection is disabled on all VLANs
         - By default all interfaces are untrusted
         - Dynamic ARP inspection is an ingress security feature
         - Dynamic ARP inspection does not perform any egress checking
         - Dynamic ARP inspection relies on entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and responses
         - Dynamic ARP inspection is supported on access, trunk, EtherChannel and private VLAN ports
         - Dynamic ARP inspection should not be enabled on RSPAN VLANs. Packets may not reach the RSPAN destination port
         - Physical ports can join the channel group only when the trust state of the physical port matches that of the channel. Otherwise ports remain suspended in the channel
         - The rate of incoming packets on a physical port is checked against the port-channel configuration rather than the physical port's configuration
         - When the EtherChannel receives more packets than the configured rate, the interfaces in the channel and the channel itself are placed in the "err-disabled" state
         - When Dynamic ARP inspection is configured, ARP traffic policers are no longer valid

         - To see the current Dynamic ARP inspection interface status use:
         SW2#show ip arp inspection interfaces

         Interface        Trust State     Rate (pps)    Burst Interval
         ---------------  -----------     ----------    --------------
         Gi1/0/1          Untrusted               15                 1
         Gi1/0/2          Untrusted               15                 1
         Gi1/0/3          Untrusted               15                 1
         .....
         Gi1/0/23         Trusted               None               N/A
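A DAI deployment for one user VLAN that ties the points above together (snooping prerequisite, trusted uplink, extra validation, an ARP ACL for a static host, rate limiting and recovery), added here as an example and not part of the original post; the VLAN, interfaces, static host address and MAC are constructed placeholders.

```cisco
! Added example (not from the original post). Assumed: user VLAN 30,
! uplink GigabitEthernet1/0/23 towards the DHCP server, access ports
! Gi1/0/1-22; the static host 10.30.0.50 / 0011.2233.4455 is constructed.
!
! DAI validates against the DHCP snooping binding database, so snooping
! must be on for the same VLAN first
ip dhcp snooping
ip dhcp snooping vlan 30
!
! Enable DAI for the VLAN (all interfaces start untrusted)
ip arp inspection vlan 30
! Also check that the MAC in the ARP body matches the Ethernet header,
! and that sender/target IPs are not 0.0.0.0, 255.255.255.255 or multicast
ip arp inspection validate src-mac dst-mac ip
!
! Host that never uses DHCP: permit it via an ARP ACL. A deny in the ACL
! wins even if a snooping binding exists for that host.
arp access-list STATIC-HOSTS
 permit ip host 10.30.0.50 mac host 0011.2233.4455
!
ip arp inspection filter STATIC-HOSTS vlan 30
!
! Trust only the uplink; trusting a user port would let that host poison
! every ARP cache on the VLAN unchecked
interface GigabitEthernet1/0/23
 ip dhcp snooping trust
 ip arp inspection trust
!
! Untrusted ports keep the 15 pps default but spread it over a 3 s burst
! interval, so a host re-ARPing after a link flap does not err-disable
interface range GigabitEthernet1/0/1 - 22
 ip arp inspection limit rate 15 burst interval 3
!
! Recover ports that tripped the rate limit after 5 minutes
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verify: show ip arp inspection vlan 30
!         show ip arp inspection statistics vlan 30
!         show ip arp inspection log
```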

References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swdynarp.html

Cisco CCNP:300-115 - 2.1 Configure and verify switch security features: 2.1.b IP Source Guard



      - Restricts IP traffic on non-routed ports
      - Filters Layer 2 traffic by leveraging the DHCP snooping binding database and manually configured IP source bindings
      - Can be used to prevent traffic attacks where a host tries to use its neighbour's address
      - IP Source Guard can be enabled when DHCP snooping is enabled on an untrusted interface
      - Once enabled, IPSG blocks all IP traffic received on an interface except for DHCP packets allowed by DHCP snooping
      - Leverages port ACLs
      - The port ACL only allows IP traffic whose source IP is in the IP source binding table and denies all other traffic
      - IP source binding table bindings are learned by DHCP snooping or manually configured (static IP source bindings)
      - Works on Layer 2 ports, including trunk and access ports
      - Can use either source IP address filtering or source IP and MAC address filtering

              - Source IP address filtering
                  - Filtering is done based on the source IP address
                  - IP traffic is forwarded when the source IP matches an entry in the DHCP snooping binding database or a binding in the IP source binding table

              - Source IP and MAC address filtering
                  - Traffic is filtered based on the source IP and MAC address
                  - The switch forwards traffic only if the source IP and MAC address match an entry in the IP source binding table
                  - The switch uses port security to filter source MAC addresses
                  - The interface can shut down when a port-security violation occurs
          - IP Source Guard is not supported on EtherChannels
          - Can leverage 802.1x port-based authentication
          - In a stack environment, IP Source Guard is configured on the stack member interface
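Both IPSG filtering modes side by side, plus a static binding for a non-DHCP host, added here as an example (not from the original post); the VLAN, interfaces and binding values are constructed placeholders, and the `ip verify source [port-security]` form is the 12.2(55)SE Catalyst 3750-X syntax the post references.

```cisco
! Added example (not from the original post). Assumed: user VLAN 30,
! access ports GigabitEthernet1/0/5 and 1/0/6; the binding
! 10.30.0.50 / 0011.2233.4455 is a constructed value.
!
! IPSG filters on the DHCP snooping binding table, so snooping is the
! prerequisite and the ports must be untrusted (the default)
ip dhcp snooping
ip dhcp snooping vlan 30
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 30
 ! Source IP filtering only: the port ACL permits IP traffic whose source
 ! matches a binding and denies everything else; DHCP still passes
 ip verify source
!
interface GigabitEthernet1/0/6
 switchport mode access
 switchport access vlan 30
 ! Source IP + MAC filtering: port security enforces the MAC half, so a
 ! violation here can err-disable the port
 switchport port-security
 switchport port-security maximum 1
 ip verify source port-security
!
! Host without DHCP on Gi1/0/5: a static binding so it is not blackholed
ip source binding 0011.2233.4455 vlan 30 10.30.0.50 interface GigabitEthernet1/0/5
!
! Verify: show ip verify source
!         show ip source binding
```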


References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swdhcp82.html   
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html

Cisco CCNP:300-115 - 2.1 Configure and verify switch security features: 2.1.a DHCP snooping


         -    DHCP Snooping filters untrusted DHCP messages by building and maintaining a DHCP snooping binding database
         -    The DHCP snooping binding database is also known as snooping binding table
         -    DHCP snooping acts like a firewall between untrusted hosts and DHCP servers
         -    Used to differentiate between untrusted interfaces connected to endpoint and trusted interfaces connected to DHCP servers or other switches
         -    For DHCP snooping to function, all DHCP servers must be connected to trusted switch interfaces
         -    Messages from unknown devices are untrusted
         -    DHCP snooping binding database contains the MAC address, IP address, Lease time, binding type, VLAN number and interface information
         -    DHCP snooping binding database contains information relating to local untrusted interfaces of a switch
         -    DHCP snooping binding database does not contain information relating to host on trusted interfaces

         -    Comparison is done between the source MAC address and the DHCP client hardware address
         -    If the addresses match, the packet is forward
         -    if the addresses do not match, the switch drops the packet
       
         -    Packets get dropped for the following reasons:
             -    DHCP messages received from outside the network or firewall
             -    Packet received on an untrusted interface and the source MAC and DHCP client hardware address does not match
             -    DHCP broadcast message that has a MAC address in the DHCP snooping binding database but the information in the database does not match the interface on which the message was received
             -    A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0
             -    the relay agent forwards a packet that includes option-82 information to an untrusted port.
             -    DHCP option-82 feature is only supported when DHCP snooping is enabled globally
             -    Users must be in tethe VLAN configured for DHCP snooping to take advantage of it
        -    When DHCP snooping is enabled, the switch use the DHCP snooping binding database to store information about untrusted interfaces
        -    The DHCP snooping binding database can store up to 8192 bindings
        -    Database agent stores the bindings in a faile at a configured location
        -    To keep the entry when the switch reloads, the DHCP snooping database agent must be used

        -    DHCP snooping is managed on the stack master
        -    All statistics are generated on the stack master. When the stack master changes, the statistics counters get reset

        -    DHCP snooping is not active until it is enabled on at least one VLAN
        -    DHCP snooping can be configured on private VLANs
        -    When DHCP snooping is enabled on a private VLAN, the configuration is propagated to both the primary VLAN and its associated secondary VLANs
        -    If DHCP snooping is enabled on the primary VLAN, it is also configured on the secondary VLANs
        -    If configuration changes are made on a secondary VLAN after configuring the primary VLAN, the changes made to the secondary VLAN do not take effect
        -    DHCP snooping must therefore be configured on the primary VLAN
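The drop rules above are easier to reason about when you can run packets through them. The following is an added example written for this page, not Cisco's code and not a parser of real DHCP frames: `Port`, `DhcpPacket` and `Binding` are simplified stand-ins for the port state, the handful of DHCP fields the switch inspects, and one row of the binding database. The set of server-only message types, the check ordering, and the sample packets and binding are my own assumptions, constructed so that each rule in the list fires once.

```python
"""Model of the DHCP snooping filtering decisions (illustrative, not Cisco's code)."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Messages only a DHCP server sends. Seen on an untrusted port they indicate a
# rogue server (assumed set; real switches also include LEASEQUERY replies).
SERVER_MESSAGES = {"OFFER", "ACK", "NAK", "LEASEQUERY"}


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool                # True only for uplinks towards the real DHCP server/relay
    snooping_vlan: bool = True   # the port's VLAN has DHCP snooping enabled


@dataclass
class DhcpPacket:
    src_mac: str                 # Ethernet source address of the frame
    chaddr: str                  # client hardware address inside the DHCP payload
    msg_type: str                # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE ...
    giaddr: str = "0.0.0.0"      # relay agent IP; an end host must leave it unset
    has_option82: bool = False   # relay agent information option present


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease: int                   # seconds remaining


def snooping_verdict(pkt: DhcpPacket, port: Port,
                     bindings: Dict[str, Binding],
                     verify_mac: bool = True) -> Tuple[bool, str]:
    """Return (forward, reason) for one DHCP packet received on `port`.

    Trusted ports and VLANs without snooping are not inspected. The remaining
    checks follow the drop reasons in the notes; the binding-table check is
    applied to RELEASE/DECLINE, where a spoofed release from another port
    could otherwise tear down a legitimate host's lease.
    """
    if not port.snooping_vlan or port.trusted:
        return True, "not inspected (trusted port or VLAN without snooping)"
    if pkt.msg_type in SERVER_MESSAGES:
        return False, "server message on untrusted port (rogue DHCP server)"
    if pkt.giaddr != "0.0.0.0":
        return False, "relay agent address (giaddr) set on untrusted port"
    if pkt.has_option82:
        return False, "option-82 present on untrusted port"
    if verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
        return False, "frame source MAC != DHCP client hardware address"
    if pkt.msg_type in {"RELEASE", "DECLINE"}:
        entry = bindings.get(pkt.chaddr.lower())
        if entry and (entry.interface != port.name or entry.vlan != port.vlan):
            return False, "binding exists on a different interface/VLAN"
    return True, "forwarded"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run constructed sample packets through the filter and return the verdicts."""
    client = "00:11:22:33:44:55"
    access = Port("Gi1/0/5", vlan=10, trusted=False)
    other_access = Port("Gi1/0/7", vlan=10, trusted=False)
    uplink = Port("Gi1/0/48", vlan=10, trusted=True)
    # One binding learned earlier for the client on Gi1/0/5 (constructed data).
    bindings = {client: Binding(client, "10.0.10.20", 10, "Gi1/0/5", 86400)}
    cases = {
        "legit_discover":          (DhcpPacket(client, client, "DISCOVER"), access),
        "rogue_offer":             (DhcpPacket("aa:bb:cc:dd:ee:01", client, "OFFER"), access),
        "spoofed_chaddr":          (DhcpPacket("aa:bb:cc:dd:ee:01", client, "DISCOVER"), access),
        "fake_relay":              (DhcpPacket(client, client, "DISCOVER", giaddr="10.0.10.1"), access),
        "option82_inject":         (DhcpPacket(client, client, "DISCOVER", has_option82=True), access),
        "release_from_wrong_port": (DhcpPacket(client, client, "RELEASE"), other_access),
        "release_from_own_port":   (DhcpPacket(client, client, "RELEASE"), access),
        "real_offer_on_uplink":    (DhcpPacket("00:de:ad:be:ef:01", client, "OFFER"), uplink),
    }
    return {name: snooping_verdict(pkt, port, bindings) for name, (pkt, port) in cases.items()}


if __name__ == "__main__":
    for name, (forward, reason) in demo().items():
        print(f"{name:24s} {'FORWARD' if forward else 'DROP   '} {reason}")
```

The `verify_mac` flag mirrors the MAC-address verification behaviour described above; turning it off lets a DISCOVER with a mismatched chaddr through, which is exactly the case an attacker exhausting a DHCP pool relies on. Note that the real switch also learns bindings from server replies arriving on the trusted uplink, which this model deliberately leaves out.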


References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swdhcp82.html
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html

Cisco CCNP:300-115 - 1.8.a Stackwise

Recently I needed to renew my Cisco CCNPs, that is both CCNP Routing and Switching as well as CCNP Security. While working with Cisco products (well now they own SourceFire, so exclude these) is not within my daily duties, I still thought it was important for me to maintain these two credentials. As a result, I've put together my notes below focusing on the key points I used to study. I believe that someone else may find them useful.


    -    Up to 9 switches can be stacked together
    -    Uses the StackWise cable
    -    Makes multiple physical switches into one logical switch
    -    If one cable is removed the ring (loop) is broken, but the stack continues to work
    -    One switch in the stack becomes the "Master" and does all management tasks
    -    All switches other than the "Master" are "Members"
    -    Election process starts at installation or reboot of the entire stack
    -    Election process used, in order:
            1. "User Priority": defined by the user (higher value wins)
            2. "Hardware/Software Priority": the switch with the most extensive feature set gets higher priority
            3. "Default configuration": a switch with a saved configuration wins over a switch with the default configuration
            4. "Longest Uptime"
            5. "Lowest MAC Address"
    -    User priority is typically used to pick the master
    -    All switches share the same management IP, hostname, configuration, routing, topology, etc.
    -    VSS on the 4500/6500 plays the analogous role to StackWise on the 3750 (one logical switch from several chassis)
    -    Stack is managed by the "Master" unit
    -    Both "Master" and "Member" switches act as forwarders
    -    Single IP used for management applies to: fault detection, virtual LAN (VLAN) creation and modification, security, and QoS controls
    -    Each stack has only one configuration file, which is distributed to each member of the stack
    -    Any member can become the master if the master fails
    -    Up to 9 3750 switches in a single unit
    -    Traffic flows at 16 Gbps per direction for a total of 32 Gbps across the stack
    -    When a new switch is added, the "Master" switch automatically configures the unit with the IOS image and the configuration of the stack
    -    The network manager does not need to do anything to bring up the switch
    -    Switches can be removed without any operational effect
    -    A break in any one of the cables results in the bandwidth being reduced to half
    -    Uses subsecond failover
    -    1:N master redundancy allows each stack member to serve as master
    -    1:N: if one switch fails, all other units continue to forward traffic
    -    When a new master is selected, it applies the configuration from the previous master
    -    master switch keeps a table of all the mac-addresses
    -    Master switch creates a map of all mac-address in the entire stack and distribute it to the subordinates
    -    each switch then becomes aware of every port in the stack
    -    subordinate switches keep their own spanning tree for each vlan they support
    -    Stackwise ring ports are never put into Spanning Tree protocol blocking state
    -    Master switch keeps a copy of all the spanning tree tables for each vlan in the stack
    -    Multiple switches in a stack can create an etherchannel
    -    Loss of connectivity on an individual switch will not affect the connectivity of the other switches
    -    Switches can support dual homing to different routers for redundancy
    -    RPR+ for Layer 3 resiliency: each switch is initialized for routing capability and is ready to be elected master if the master fails
    -    Layer 3 Nonstop Forwarding (NSF) is also supported in stacks of 2 or more
    -    Layer 2 operation is distributed across the stack members
    -    Layer 3 operation (routing) is centralized on the master
    -    All units in the stack must use the same Cisco IOS software
    -    Recommended that the stack has the same feature set on each unit. However, not mandatory
    -    Later versions require that all switches be at the same version as the master
    -    If switch versions are not the same, one of 3 things happens:
    1.    If the hardware is supported, the master downloads the IOS version it has in flash memory to the new switch, sends the configuration and brings the device online
    2.    If the hardware is supported and TFTP has been configured, the master downloads the image and configures the new device
    3.    If the hardware is not supported, the new switch stays in suspended mode, notifies the user of the version incompatibility and waits until the master is upgraded to an IOS version that supports both types of hardware. The master then upgrades the rest of the stack, including the new switch
    -    Upgrade applies to all devices in the stack
    -    If there are different supported images in use, after the upgrade all members of the stack will have the same software
    -    Each data packet is put on the stack only once
    -    Each data packet has a 24 byte header
    -    Etherchannel technology can operate across multiple devices in the stack
    -    Etherchannel can aggregate up to 8 ports from any switches in the stack
    -    Up to 48 Etherchannel groups are supported on a stack
    -     Stackwise plus support destination stripping
    -    Stackwise supports source stripping
    -    Highest priority number in the stack wins
    -    Lowest MAC address wins as the final tiebreaker
    -    Stack members cannot have the same member number
    -    Cisco recommends specifying the stack master through the highest priority value
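The election order and the tiebreakers listed in these notes, as an added example written for this page rather than Cisco's implementation. `StackMember` and its fields are assumptions that mirror the five criteria above; in particular `feature_rank` is an integer stand-in for the hardware/software priority (a richer feature set ranks higher), and the sample stack is constructed so that each tiebreaker decides one election.

```python
"""StackWise master election order from the notes (illustrative, not Cisco's code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class StackMember:
    number: int               # stack member number, must be unique within the stack
    mac: str                  # base MAC address, e.g. "00:1a:2b:3c:4d:5e"
    priority: int = 1         # user-configured priority 1-15; higher wins (1 is the default)
    feature_rank: int = 0     # stand-in for hardware/software priority; higher = richer feature set
    has_config: bool = False  # True if running a saved, non-default configuration
    uptime_s: int = 0         # seconds since the member booted


def mac_to_int(mac: str) -> int:
    """Accept 00:1a:2b:3c:4d:5e, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e notation."""
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


def election_key(m: StackMember):
    """Higher tuple wins. Each element is one tiebreak, in the documented order:
    user priority, hw/sw priority, non-default config, longest uptime, lowest MAC
    (negated so that the lowest address yields the highest key)."""
    return (m.priority, m.feature_rank, m.has_config, m.uptime_s, -mac_to_int(m.mac))


def elect_master(members: List[StackMember]) -> StackMember:
    """Return the member that wins the election; reject an inconsistent stack."""
    if not members:
        raise ValueError("empty stack")
    numbers = [m.number for m in members]
    if len(set(numbers)) != len(numbers):
        raise ValueError(f"duplicate stack member numbers: {numbers}")
    return max(members, key=election_key)


def demo() -> Dict[str, int]:
    """Elect a master from a constructed stack, showing each tiebreaker in turn.

    Returns the winning member number for each scenario."""
    a = StackMember(1, "00:1a:2b:00:00:0a", priority=1, feature_rank=2, has_config=True, uptime_s=500)
    b = StackMember(2, "00:1a:2b:00:00:0b", priority=15, feature_rank=1, has_config=False, uptime_s=10)
    c = StackMember(3, "00:1a:2b:00:00:0c", priority=1, feature_rank=2, has_config=True, uptime_s=900)
    d = StackMember(4, "00:1a:2b:00:00:09", priority=1, feature_rank=2, has_config=True, uptime_s=900)
    e = StackMember(5, "00:1a:2b:00:00:0e", priority=1, feature_rank=1, has_config=True, uptime_s=9999)
    f = StackMember(6, "00:1a:2b:00:00:0f", priority=1, feature_rank=2, has_config=False, uptime_s=9999)
    return {
        "user_priority": elect_master([a, b, c, d]).number,  # b: priority 15 beats every other criterion
        "feature_set":   elect_master([a, e]).number,        # a: richer feature set beats longer uptime
        "saved_config":  elect_master([a, f]).number,        # a: saved config beats longer uptime
        "uptime":        elect_master([a, c]).number,        # c: all else equal, longer uptime wins
        "lowest_mac":    elect_master([c, d]).number,        # d: identical otherwise, lower MAC wins
    }


if __name__ == "__main__":
    for scenario, winner in demo().items():
        print(f"{scenario:14s} -> master is member {winner}")
```

On a 3750 the user priority is set with `switch <member> priority <1-15>` in global configuration; since it outranks every other criterion, setting it on the intended master is the only way to get a deterministic election, which is what the recommendation in the last bullet above is getting at.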