802.1D Port States

Posted: 29th March 2021 by ccna7guru in SRWE

In the 802.1D STP protocol, every port transitions through the following states:
Disabled: The port is administratively shut down and does not participate in spanning tree.
Blocking: The switch port is enabled, but it does not forward traffic, so that a loop cannot form. The switch does not learn MAC addresses from this port; the port only receives BPDUs from other switches.
Listening: The switch port has left the blocking state and can now send and receive BPDUs. It still does not forward any other traffic and does not learn MAC addresses. The port stays in this state for the forward delay timer (15 seconds by default). The next port state is learning.
Learning: The switch port now populates the MAC address table from the frames it receives, but it still forwards nothing except BPDUs. This state also lasts for the forward delay timer. The next port state is forwarding.
Forwarding: The switch port forwards all traffic and updates the MAC address table as normal. This is the final state for a port that is part of the active topology.
Broken: The switch has detected a configuration or operational problem on the port that could have major effects. The port discards packets for as long as the problem persists.

Free DEVASC 200-901 Course

Posted: 3rd February 2021 by ccna7guru in ITN

Download Full Course here

The OWASP Top 10

Posted: 31st January 2021 by ccna7guru in ITN

Now that you know about three of the most well-known attacks, here is the entire OWASP Top 10 list (the 2017 edition).

  • Injection – This item covers all kinds of injection. We talked earlier about SQL injection, but that is only the most common form: LDAP queries, ORM query languages such as Hibernate HQL, XPath expressions and operating-system commands are all affected. In fact, any interpreter that is handed a string built from user input is at risk. You can mitigate these attacks by using parameterized APIs that keep data separate from the query, by escaping input only where no safe API exists, and by using LIMIT and similar controls in queries so that an injection that does get through cannot dump whole tables.
  • Broken Authentication – This item relates to multiple problems with user credentials, from credential stuffing with stolen credential databases to default passwords shipped with a product. You can mitigate these attacks by refusing to ship or accept default passwords, by requiring multi-factor authentication, and by using techniques such as lengthening the waiting period after failed logins.
  • Sensitive Data Exposure – This item refers to attackers stealing sensitive information such as passwords or personal information, whether in transit or at rest. You can help prevent this by storing as little personal information as possible, by encrypting what you do store and transmit, and by storing passwords only as salted hashes from a slow, adaptive function rather than encrypting them.
  • XML External Entities (XXE) – This item refers to attacks made possible by an XML feature that lets a document pull in external content through entity declarations, which an attacker can use to read local files or reach internal hosts. You can solve this problem by disabling external entity and DTD processing in every XML parser the application uses, or by simply using another format, such as JSON, instead of XML.
  • Broken Access Control – This item refers to the need to ensure that you have not built an application that enables users to circumvent existing authorization requirements. For example, attackers should not be able to reach admin functions just by browsing directly to them, or another user's record just by changing an ID in the URL. In other words, do not rely on “security through obscurity”. Protect all resources and functions that need protection on the server side, checking on every request that the caller really is authorized.
  • Security Misconfiguration – This item refers to the need to ensure that the system itself is properly configured. Is all software patched and configured securely? Is the firewall running? Are default accounts, sample applications and verbose error pages removed? Prevention requires careful, consistent hardening of systems and applications. Reduce the available attack surface: install only the services you actually need, and segment unrelated components onto separate systems to reduce it further.
  • Cross-Site Scripting (XSS) – This item refers to an attacker's ability to use the dynamic functions of a site to inject script into a page, either persistently, for example in the body of a comment, or as part of a single crafted request. Mitigating these problems requires careful consideration of where you include untrusted content in your page, encoding that content for the context it lands in (HTML body, attribute, JavaScript or URL), and adding a Content Security Policy as defense in depth.
  • Insecure Deserialization – This item describes issues that can occur if attackers can access, and potentially change, serialized versions of data and objects, that is, byte or text encodings that the server turns back into live objects. For example, if a user's session is passed around as a serialized object that includes access privileges, the user could conceivably grant themselves admin privileges by editing that object before it is deserialized. Because deserializing attacker-controlled data can instantiate arbitrary classes and run code in their constructors or callbacks (so-called gadget chains), this class of bug can lead to remote code execution, even if it is not always simple to exploit. To prevent issues, do not accept serialized objects from untrusted sources, or if you must, sign them or enforce strict type constraints and validate them before deserializing.
  • Using Components with Known Vulnerabilities – One of the advantages today's developers have is that most of the core functions you need have probably already been written and included in an existing software package, very likely open source. However, many of those packages have publicly known vulnerabilities, often with published exploits. To address this, keep an inventory of every component and version you use, remove features and dependencies you do not need, download packages only from official sources, verify their signatures, and monitor vulnerability databases and vendor advisories so that you can update promptly.
  • Insufficient Logging and Monitoring – This item reminds you that your most basic responsibility is to log everything important that happens in your system so that you can detect attacks, ideally while they are still in progress. It is particularly important that your logs use a common format so that reporting tools can consume them easily, and that they are protected against tampering, for example by shipping them to a separate store that attackers of the application cannot edit.
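To make the first item concrete, the following is an added example (not code from the original post) showing the injection flaw and the two mitigations named above side by side. It uses Python's bundled SQLite driver; the table, the rows and the `' OR '1'='1` payload are all constructed for the demo.

```python
"""Added example: SQL injection versus parameterized queries (OWASP Top 10 A1).

The database, its rows and the payload are constructed for this demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a few constructed user records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.com"),
            (2, "bob", "bob@example.com"),
            (3, "carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: the user's input becomes part of the SQL text.

    With name = "' OR '1'='1" the statement turns into
    SELECT ... WHERE name = '' OR '1'='1', which matches every row.
    """
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Placeholder binding: the input travels as data and is never parsed as SQL,
    so the same payload simply looks for a user literally named "' OR '1'='1"."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_limited(conn: sqlite3.Connection, name: str, limit: int = 1) -> list:
    """Parameterized and bounded: a LIMIT clause caps how many rows any one
    lookup can return, so even a future injection cannot dump the whole table."""
    sql = "SELECT name, email FROM users WHERE name = ? LIMIT ?"
    return conn.execute(sql, (name, limit)).fetchall()


PAYLOAD = "' OR '1'='1"  # classic tautology payload, constructed for the demo


if __name__ == "__main__":
    db = make_db()
    print("legit, vulnerable:   ", lookup_vulnerable(db, "alice"))
    print("payload, vulnerable: ", lookup_vulnerable(db, PAYLOAD))    # every row
    print("payload, parameterized:", lookup_parameterized(db, PAYLOAD))  # []
    print("legit, limited:      ", lookup_limited(db, "alice"))
```

The fixed version changes only how the value reaches the database; the SQL text itself is identical, which is why parameterization is the preferred fix over escaping.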

STP Port States and BPDU Timers

Posted: 13th December 2020 by ccna7guru in ITN

To facilitate the learning of the logical spanning tree and avoid loops, each switch port transitions through five possible port states and uses three BPDU timers.
The five STP port states are as follows:
Blocking: The port is a non-designated port and does not participate in frame forwarding. The port continues to process received BPDU frames to determine the location and root ID of the root bridge and what port role the switch port should assume in the final active STP topology.
Listening: STP has determined that the port can be selected as a root port or designated port based upon the information in the BPDU frames it has received so far. At this point, the switch port is not only receiving BPDU frames, it is also transmitting its own BPDU frames and informing adjacent switches that the switch port is preparing to participate in the active topology. The port returns to blocking state if it is determined that the port does not provide the lowest cost path to the root bridge.
Learning: The port prepares to participate in frame forwarding and begins to populate the MAC address table.
Forwarding: The port is considered part of the active topology and forwards frames and also sends and receives BPDU frames.
Disabled: The Layer 2 port does not participate in spanning tree and does not forward or process frames. The switch port is administratively disabled.

Once stable, every active port in the switched network is either in the forwarding state or the blocking state.
The amount of time that a port stays in the various port states depends on the BPDU timers. The following timers determine STP performance and state changes:

Hello time: The interval between BPDU frames sent on a port. The default is 2 seconds, but it can be tuned between 1 and 10 seconds.
Forward delay: The time spent in each of the listening and learning states. The default is 15 seconds, but it can be tuned between 4 and 30 seconds.
Maximum age: The maximum time a switch port retains the configuration BPDU information it has stored before discarding it as stale. The default is 20 seconds, but it can be tuned between 6 and 40 seconds.

With the defaults, a blocking port that loses its upstream BPDUs needs max age plus two forward delays, 20 + 15 + 15 = 50 seconds, before it forwards traffic.
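The following is an added example (not code from this post or the 802.1D Port States post above) that turns the state descriptions and timers from both posts into a small simulation. The topology event (a blocking port whose upstream BPDUs stop arriving) is constructed; the timer-consistency rule is the one from IEEE 802.1D-1998, which requires 2 × (forward delay − 1) ≥ max age ≥ 2 × (hello + 1).

```python
"""Added example: an 802.1D port state machine driven by the three BPDU timers.

The scenario (a blocking port that stops hearing BPDUs) is constructed for the
demo; timer defaults and the consistency rule follow IEEE 802.1D-1998.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

HELLO = 2           # seconds between BPDUs
FORWARD_DELAY = 15  # seconds spent in listening, then again in learning
MAX_AGE = 20        # seconds a stored BPDU stays valid without refresh


def timers_consistent(hello: int, forward_delay: int, max_age: int) -> bool:
    """802.1D-1998 relationship between the timers.

    If max age is too large relative to forward delay, a port can start
    forwarding before every bridge has aged out stale information, which
    is exactly the window in which a transient loop can form.
    """
    return 2 * (forward_delay - 1) >= max_age >= 2 * (hello + 1)


@dataclass
class Port:
    name: str
    state: str = "disabled"
    in_state: float = 0.0        # seconds spent in the current state
    since_bpdu: float = 0.0      # seconds since the stored BPDU was refreshed
    log: List[Tuple[str, str]] = field(default_factory=list)

    def _goto(self, new_state: str) -> None:
        self.log.append((self.state, new_state))
        self.state = new_state
        self.in_state = 0.0

    def enable(self) -> None:
        """'no shutdown': a port always enters spanning tree in blocking."""
        self._goto("blocking")

    def learns_macs(self) -> bool:
        return self.state in ("learning", "forwarding")

    def forwards_frames(self) -> bool:
        return self.state == "forwarding"

    def tick(self, dt: float, bpdu_heard: bool,
             forward_delay: float = FORWARD_DELAY, max_age: float = MAX_AGE) -> None:
        """Advance the clock by dt seconds and apply the state transitions."""
        self.in_state += dt
        self.since_bpdu = 0.0 if bpdu_heard else self.since_bpdu + dt
        if self.state == "blocking" and self.since_bpdu >= max_age:
            # The superior BPDU this port relied on has aged out, so the port
            # may now be the best path and starts participating.
            self._goto("listening")
        elif self.state == "listening" and self.in_state >= forward_delay:
            self._goto("learning")
        elif self.state == "learning" and self.in_state >= forward_delay:
            self._goto("forwarding")


def run_indirect_failure(dt: float = 1.0) -> Tuple[float, List[Tuple[str, str]]]:
    """Constructed scenario: a blocking port hears a BPDU every HELLO seconds
    until t = 10, when the upstream link fails and BPDUs stop. Returns the
    time at which the port reaches forwarding, plus its transition log."""
    port = Port("Gi0/2")
    port.enable()
    t = 0.0
    while port.state != "forwarding" and t < 200:
        t += dt
        heard = t <= 10 and t % HELLO == 0
        port.tick(dt, heard)
    return t, port.log


if __name__ == "__main__":
    print("defaults consistent:", timers_consistent(HELLO, FORWARD_DELAY, MAX_AGE))
    t_fwd, transitions = run_indirect_failure()
    print(f"forwarding at t={t_fwd:.0f}s (failure at t=10s): {transitions}")
```

Running it shows the port reaching forwarding 50 seconds after the last BPDU: 20 seconds of max age followed by one forward delay each in listening and learning.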

Spanning-Tree Algorithm

Posted: 13th December 2020 by ccna7guru in ITN

STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop. A switch port is considered blocked when network traffic is prevented from entering or leaving that port.

STP uses the spanning-tree algorithm (STA) to determine which switch ports on a network need to be blocking in order to prevent loops from occurring. The STA designates a single switch as the root bridge and uses it as the reference point for all subsequent calculations. Switches participating in STP determine which switch has the lowest bridge ID (BID) on the network. This switch automatically becomes the root bridge.

A bridge protocol data unit (BPDU) is a frame containing STP information exchanged by switches running STP. Each BPDU contains a BID that identifies the switch that sent the BPDU. The lowest BID value determines which switch is root.
After the root bridge has been determined, the STA calculates the shortest path to the root bridge. If there is more than one path to choose from, STA chooses the path with the lowest path cost.
When the STA has determined the “best” paths emanating from the root bridge, it configures the switch ports into distinct port roles. The port roles describe their relation in the network to the root bridge and whether they are allowed to forward traffic:

Root ports: On each non-root switch, the one port with the lowest path cost to the root bridge
Designated ports: Non-root ports that are still permitted to forward traffic; each link segment has exactly one
Nondesignated ports: Ports placed in the blocking state to prevent loops
Disabled port: Ports that are administratively shut down

After a switch boots, it sends BPDU frames containing the switch BID and the root ID every 2 seconds. Initially, each switch identifies itself as the root bridge after bootup.
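The election and role assignment described above, as an added example that is not code from the original post, run on a constructed three-switch triangle. BIDs are compared as (priority, MAC) tuples, and the per-link port costs are the 802.1D-1998 short-method defaults (2 for 10 Gb/s, 4 for 1 Gb/s, 19 for 100 Mb/s, 100 for 10 Mb/s), which this post does not state and are assumed here.

```python
"""Added example: root bridge election and STP port roles on a constructed topology.

Port costs are the 802.1D-1998 defaults (assumed); switches, MACs and links are
constructed for the demo.
"""
import heapq
from typing import Dict, List, Tuple

BID = Tuple[int, str]

# 802.1D-1998 default port cost by link speed in Mb/s (assumption, not from the post)
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority: int, mac: str) -> BID:
    """Lower BID wins the election: priority is compared first, MAC breaks ties."""
    return (priority, mac.lower())


# Constructed topology: switch -> list of (neighbour, link speed in Mb/s).
# S1-S3 is the slow 100 Mb/s link; the other two are 1 Gb/s.
LINKS: Dict[str, List[Tuple[str, int]]] = {
    "S1": [("S2", 1000), ("S3", 100)],
    "S2": [("S1", 1000), ("S3", 1000)],
    "S3": [("S1", 100), ("S2", 1000)],
}
BIDS: Dict[str, BID] = {
    "S1": bridge_id(32769, "0000.0c11.1111"),
    "S2": bridge_id(32769, "0000.0c22.2222"),
    "S3": bridge_id(4097, "0000.0c33.3333"),   # lowered priority: intended root
}


def elect_root(bids: Dict[str, BID]) -> str:
    """Every switch claims to be root at boot; the lowest BID it hears wins."""
    return min(bids, key=bids.get)


def root_path_costs(root: str, links: Dict[str, List[Tuple[str, int]]]) -> Dict[str, int]:
    """Shortest path (by summed port cost) from every switch to the root."""
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        d, sw = heapq.heappop(heap)
        if d > cost.get(sw, float("inf")):
            continue
        for nb, speed in links[sw]:
            nd = d + PORT_COST[speed]
            if nd < cost.get(nb, float("inf")):
                cost[nb] = nd
                heapq.heappush(heap, (nd, nb))
    return cost


def port_roles(root: str, links: Dict[str, List[Tuple[str, int]]],
               bids: Dict[str, BID]) -> Dict[Tuple[str, str], str]:
    """Assign root / designated / nondesignated to every (switch, neighbour) port.

    Root port: each non-root switch's cheapest path to the root (tie: lower
    neighbour BID). Designated port: on each link, the side whose switch has
    the lower root path cost (tie: lower BID). Any other port blocks.
    """
    cost = root_path_costs(root, links)
    roles: Dict[Tuple[str, str], str] = {}
    for sw, ports in links.items():
        if sw == root:
            continue
        best_nb, _ = min(ports, key=lambda e: (cost[e[0]] + PORT_COST[e[1]], bids[e[0]]))
        roles[(sw, best_nb)] = "root"
    for sw, ports in links.items():
        for nb, _ in ports:
            if (sw, nb) in roles:
                continue
            if (cost[sw], bids[sw]) < (cost[nb], bids[nb]):
                roles[(sw, nb)] = "designated"
            else:
                roles[(sw, nb)] = "nondesignated"
    return roles


if __name__ == "__main__":
    root = elect_root(BIDS)
    print("root bridge:", root, "costs:", root_path_costs(root, LINKS))
    for (sw, nb), role in sorted(port_roles(root, LINKS, BIDS).items()):
        print(f"{sw} port toward {nb}: {role}")
```

The output shows why the slow link is the one that blocks: S1 reaches S3 more cheaply through S2 (4 + 4 = 8) than directly (19), so S1's port toward S3 becomes nondesignated while S3's end of that same link remains designated.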

Port Cost in STP


  1. Network Fundamentals: Includes basic fundamentals of networking 20%
  2. Network Access: How to connect to a network 20%
  3. IP Connectivity: Basics of Routing and Switching 25%
  4. IP Services: Includes services DNS, DHCP, FTP… 10%
  5. Security Fundamentals: Foundational knowledge 15%
  6. Automation and Programmability: Importance, basics and application 10%

Port Address Translation

Posted: 17th November 2020 by ccna7guru in ITN

Port Address Translation (PAT), also known as NAT overload, maps multiple private IPv4 addresses to a single public IPv4 address or a few addresses. This is what most home routers do. The ISP assigns one address to the router, yet several members of the household can simultaneously access the internet. This is the most common form of NAT for both the home and the enterprise.

With PAT, multiple addresses can be mapped to one or to a few addresses, because each private address is also tracked by a port number. When a device initiates a TCP/IP session, it generates a TCP or UDP source port value, or a specially assigned query ID for ICMP, to uniquely identify the session. When the NAT router receives a packet from the client, it uses its source port number to uniquely identify the specific NAT translation.

PAT ensures that each session to a server on the internet leaves the router with a unique source port number. When a response comes back from the server, that source port number, which is now the destination port on the return trip, tells the router which inside device the packet belongs to. The PAT process also checks that an incoming packet matches an existing translation, so unsolicited inbound traffic is dropped, which adds a degree of protection to the session.

The figure animates the PAT process. PAT attaches unique source port numbers to the inside global address to distinguish between translations.

As R2 processes each packet, it uses a port number (1331 and 1555, in this example) to identify the device from which the packet originated. The source address (SA) is the inside local address with the TCP/UDP assigned port number added. The destination address (DA) is the outside global address with the service port number added. In this example, the service port is 80, which is HTTP.

For the source address, R2 translates the inside local address to an inside global address with the port number added. The destination address is not changed but is now referred to as the outside global IPv4 address. When the web server replies, the path is reversed.
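The following is an added example (not code from the original post) that models the translation table R2 builds in this description. The source ports 1331 and 1555 and the service port 80 come from the text; the inside local, inside global and server addresses are constructed from the RFC 5737 documentation ranges. It also shows the two behaviours the prose only hints at: what happens when two inside hosts pick the same source port, and why an inbound packet with no matching translation is dropped.

```python
"""Added example: a minimal PAT (NAT overload) translation table.

Ports 1331, 1555 and 80 are the ones named in the post; all IP addresses are
constructed from RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INSIDE_GLOBAL = "192.0.2.1"  # constructed: the single public address the ISP assigned


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    def __init__(self, inside_global: str = INSIDE_GLOBAL) -> None:
        self.inside_global = inside_global
        # (proto, inside local, inside port, outside addr, outside port) -> global port
        self.outbound: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, global port) -> (inside local, inside port, outside addr, outside port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        self.dropped: List[Packet] = []

    def _allocate_port(self, proto: str, wanted: int) -> int:
        """Keep the host's own source port when it is free on the global
        address; otherwise pick the next free port so the translation stays unique."""
        port = wanted
        while (proto, port) in self.inbound:
            port = port + 1 if port < 65535 else 1024
        return port

    def outbound_translate(self, pkt: Packet) -> Packet:
        """Inside local -> inside global. The destination is left unchanged."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        gport = self.outbound.get(key)
        if gport is None:
            gport = self._allocate_port(pkt.proto, pkt.sport)
            self.outbound[key] = gport
            self.inbound[(pkt.proto, gport)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, self.inside_global, gport, pkt.dst, pkt.dport)

    def inbound_translate(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the mapping on the reply, or drop traffic nobody inside asked for.

        The destination port selects the table entry; the reply must also come
        from the server the inside host actually contacted.
        """
        entry = self.inbound.get((pkt.proto, pkt.dport))
        if (entry is None or pkt.dst != self.inside_global
                or (entry[2], entry[3]) != (pkt.src, pkt.sport)):
            self.dropped.append(pkt)
            return None
        local, lport, _, _ = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, local, lport)


if __name__ == "__main__":
    r2 = PatRouter()
    web = "203.0.113.5"  # constructed web server address
    for host, sport in (("10.0.0.10", 1331), ("10.0.0.11", 1555), ("10.0.0.12", 1331)):
        out = r2.outbound_translate(Packet("tcp", host, sport, web, 80))
        print(f"{host}:{sport} -> {out.src}:{out.sport} (to {web}:80)")
    reply = r2.inbound_translate(Packet("tcp", web, 80, INSIDE_GLOBAL, 1331))
    print("reply to port 1331 delivered to", reply.dst, reply.dport)
    print("unsolicited:", r2.inbound_translate(Packet("tcp", "198.51.100.9", 80, INSIDE_GLOBAL, 1331)))
```

The third host also chose source port 1331, so the router rewrites it to 1332 on the way out; when the reply to 1332 arrives, the table maps it back to that host's original port 1331.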

Dynamic NAT

Posted: 17th November 2020 by ccna7guru in ITN

Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When an inside device requests access to an outside network, dynamic NAT assigns an available public IPv4 address from the pool.

In the figure, PC3 has accessed the internet using the first available address in the dynamic NAT pool. The other addresses are still available for use. Similar to static NAT, dynamic NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions.

Static NAT

Posted: 17th November 2020 by ccna7guru in ENSA

Now that you have learned about NAT and how it works, this topic will discuss the many versions of NAT that are available to you.

Static NAT uses a one-to-one mapping of local and global addresses. These mappings are configured by the network administrator and remain constant.

In the figure, R2 is configured with static mappings for the inside local addresses of Svr1, PC2, and PC3. When these devices send traffic to the internet, their inside local addresses are translated to the configured inside global addresses. To outside networks, these devices appear to have public IPv4 addresses.


Static NAT is particularly useful for web servers or other devices that must have a consistent address reachable from the internet, such as a company web server. It is also useful for devices that must be reachable by authorized personnel when offsite, but not by the general public. For example, a network administrator at PC4 can use SSH to the inside global address of Svr1. R2 translates this inside global address to the inside local address and connects the session to Svr1.

Static NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions.

Selecting Optical Drives

Posted: 10th November 2020 by ccna7guru in ITN

The factors to consider when purchasing an optical drive are listed in Figure 1.

The table in Figure 2 summarizes the capabilities of optical drives.

DVDs can store more data than CDs, and Blu-ray discs (BD) can store more data than DVDs. DVDs and BDs can also be dual-layer for recording data, which practically doubles the amount of data that can be recorded on the medium.
