sh processes cpu
Use ip subnet-zero on the router to allow subnet 0 to be used.
DLS2(config)#vlan 10
DLS2(config-vlan)#no shut
%VLAN 10 is not shutdown.
DLS2(config-vlan)#vlan 20
DLS2(config-vlan)#no shut
%VLAN 20 is not shutdown.
DLS2(config-vlan)#vlan 30
DLS2(config-vlan)#no shut
%VLAN 30 is not shutdown.
DLS2(config-vlan)#^Z
Then enable ip routing to make each VLAN an SVI, and add an address to each VLAN under its interface:
Int vlan 10
Network …
SSH setup on a switch/router config
Remember that the command to create a standard access list for a single host is access-list <number> permit host <host-ip>.
b. Use this access list to define the access-class for the vty connections. Set the access-class on the vty lines (0 – 4) for inbound connections.
Setting up local accounts on the router and what privilege level to authenticate them at. Only use login local after a user account has been set up first:
http://www.petri.co.il/csc_how_to_configure_local_username_database_cisco_ios.htm
conf t
key chain ^_^
key 1
key-string cisco
conf t
banner motd ~
(ASCII-art banner; the text reads "Authorized Access ONLY")
~
exit
conf t
no ip domain-lookup
ip domain-name cisco.com
crypto key generate rsa
ip ssh time-out 15
ip ssh authentication-retries 3
username cisco priv 15 password cisco
service password-encryption
enable secret class
line con 0
login local
password class
login
logging synchronous
line vty 0 4
transport input ssh
password cisco
login local
int s0/0
ip authentication key-chain eigrp 1 ^_^
ip authentication mode eigrp 1 md5
R1# conf t
R1(config)# interface serial 0/0/0
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
Now, apply the key chain to the interface with the ip authentication mode eigrp as_number md5 command:
R1# conf t
R1(config)# interface serial 0/0/0
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R1(config-if)# ip authentication mode eigrp 1 md5
R1(config-if)# interface serial 0/0/1
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R1(config-if)# ip authentication mode eigrp 1 md5
R1(config-if)# interface fastethernet 0/0
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R1(config-if)# ip authentication mode eigrp 1 md5
run tcl script from each router!!!
tclsh
foreach address {
192.168.1.1
192.168.1.129
192.168.1.130
192.168.1.161
192.168.1.162
192.168.1.133
192.168.1.134
10.1.1.3
10.1.1.4
10.4.4.4
192.168.1.5
192.168.100.1
192.168.1.101
192.168.1.105
192.168.1.109
192.168.1.113
} {
ping $address
}
show controllers - indicates the state of the interface channels and whether a cable is attached to the interface
• debug serial interface - Verifies whether HDLC keepalive packets are incrementing. If they are not, a possible timing problem exists on the interface card or in the network.
• debug arp - Indicates whether the router is sending information about or learning about routers (with ARP packets) on the other side of the WAN cloud. Use this command when some nodes on a TCP/IP network are responding, but others are not.
• debug frame-relay lmi - Obtains Local Management Interface (LMI) information, which is useful for determining whether a Frame Relay switch and a router are sending and receiving LMI packets.
• debug frame-relay events - Determines whether exchanges are occurring between a router and a Frame Relay switch.
• debug ppp negotiation - Shows Point-to-Point Protocol (PPP) packets transmitted during PPP startup, where PPP options are negotiated.
• debug ppp packet - Shows PPP packets being sent and received. This command displays low-level packet dumps.
• debug ppp - Shows PPP errors, such as illegal or malformed frames, associated with PPP connection negotiation and operation.
• debug ppp authentication - Shows PPP Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP) packet exchanges.
router# show ip route -> show routing table
router# show ip route static <or dynamic> shows static routes
router# show ip int brief
router# show int <interface name>
router(config)#ip route 0.0.0.0 0.0.0.0 <interface or next hop address> -> default route
Using the debug ? command, what debug options are available at level 10?
d. Exit out of privilege level 10 and return to level 15.
Next, assign specific commands to be used in privilege level 10. To configure a new privilege level for users and associate commands with that privilege level, use the privilege command. The syntax for the privilege command is privilege mode {level level | reset} command-string. Enter the following commands to assign specific commands to privilege level 10:
RouterP(config)# privilege exec level 10 debug ppp auth
RouterP(config)# privilege exec level 10 debug ppp error
RouterP(config)# privilege exec level 10 debug ppp negotiation
In the above commands, specific debug commands were allowed for anyone logging in with privilege level 10.
f. Verify privilege level commands
i. Exit the router and return to privilege level 10. After the current privilege level of 10 is confirmed, verify the previously configured privilege level 10 commands. Enter the following commands to verify the defined privileges:
RouterP#debug ?
RouterP#debug ppp ?
What are the available parameters for the debug ? command?
---------------------------------------------------------
OSPF
ip ospf cost – can be used to manually set link costs for the SPF calculation
show ip ospf database – shows the link-state age and sequence numbers kept in the database.
The debug ip ospf packet command is used in troubleshooting and to verify that OSPF packets are flowing properly between two routers.
Using the router-id command is the preferred procedure to set the router ID and is always used in preference to the other two procedures. If it is not set, the highest loopback IP address is used, then the highest physical interface IP address.
After the router-id command is configured, use the clear ip ospf process command. This command restarts the OSPF routing process so that it will reselect the new IP address as its router ID.
Highest ID wins the battle.
Use the show ip ospf command to verify the OSPF router ID - it also displays OSPF timer settings and other statistics, including the number of times the SPF algorithm has been run.
• Use the show ip route ospf command to verify the OSPF routes in the IP routing table. In the figure, the O code represents OSPF routes, and IA is “interarea.” The 10.2.1.0 subnet is recognized on FastEthernet 0/0 via neighbor 10.64.0.2.
• The entry [110/782] represents the administrative distance assigned to OSPF (110), and the total cost of the route to subnet 10.2.1.0 (782).
• The show ip ospf interface [type number] [brief] command displays OSPF-related interface information.
• The command output in the figure is from router A from the previous configuration example and details the OSPF status of the FastEthernet 0/0 interface. This command verifies that OSPF is running on this particular interface and lists the OSPF area that it is in.
• This command also displays other OSPF information, such as the process ID, router ID, network type, DR and BDR, timers, and neighbor adjacency.
Use the show ip ospf neighbor command to check adjacencies. OSPF does not send or receive updates without having full adjacencies established between neighbors.
The syntax is show ip ospf neighbor [type number] [neighbor-id] [detail].
show ip ospf database nssa-external – displays specific details of each LSA type 7 update in the database.
To clear all routes from the IP routing table, use the following command:
Router#clear ip route *
To clear a specific route from the IP routing table, use the following command:
Router#clear ip route A.B.C.D
To debug OSPF operations, use the debug ip ospf command with an option listed in the figure. Useful options when troubleshooting include:
Router#debug ip ospf events
Router#debug ip packet
To configure an area as a stub, use the following steps:
***must be a different area than the area 0 backbone network
Step 1 Configure OSPF.
Step 2 Define the area as a stub by issuing the area area-id stub command on all routers within the area. The figure lists the parameters of this command.
To configure an area as totally stubby, use the following steps:
Step 1 Configure OSPF.
Step 2 Define the area as a stub area by issuing the area area-id stub command on all routers within the area.
Step 3 At the ABR only, add the no-summary keyword to the area area-id stub command.
Example on 3.7.6
Example 3.7.8
To configure an area as an NSSA, use the following steps:
Step 1 Configure OSPF.
Step 2 Define the area as an NSSA by issuing the area area-id nssa command on all routers within the area. All routers in the NSSA must have this command configured. Routers cannot form an adjacency unless both are configured as NSSA. The figure lists the parameters of this command.
To cause router 2 (the NSSA ABR) to generate an O*N2 default route (O*N2 0.0.0.0/0) into the NSSA, use the default-information-originate option of the area area-id nssa command on router 2.
In a multiaccess broadcast environment, each network segment has its own DR and BDR. A router connected to multiple multiaccess broadcast networks can be a DR on one segment and a regular router on another segment. Use the ip ospf priority interface command to designate which router interfaces on a multiaccess link are the DR and the BDR. The default priority is 1, and the range is from 0 to 255. The interface with the highest priority becomes the DR, and the interface with the second-highest priority becomes the BDR.
Interfaces set to zero priority cannot be involved in the DR or BDR election process.
Here is a configuration example:
interface FastEthernet 0/0
ip ospf priority 10
Also, in NBMA networks you can use the neighbor router configuration command to statically assign a neighbor.
To configure basic single-area and multiarea OSPF, complete the following steps:
Step 1 Enable OSPF on the router using the router ospf process-id command, as shown in the figure.
Note
Unlike the process ID in EIGRP, the OSPF process ID is not an autonomous system number. The process-id can be any positive integer and only has significance to the local router.
Step 2 Identify which interfaces on the router are part of the OSPF process, using the network area command, as shown in the figure. This command also identifies the OSPF area to which the network belongs. The figure describes the parameters of this command.
Uses wildcard masks.
OSPF can be enabled directly on the interface using the ip ospf area command, which simplifies the configuration of unnumbered interfaces. Since the command is configured explicitly on the interface, it takes precedence over the network area command.
Router A uses a general network 10.0.0.0 0.255.255.255 statement. This technique assigns all interfaces defined in the 10.0.0.0 network to OSPF process 1.
Router B uses a specific host address technique. The wildcard mask of 0.0.0.0 requires a match on all four octets of the address. This technique allows the operator to define which specific interfaces will run OSPF. Example: network 10.1.1.1 0.0.0.0 area 0
The figure shows an example of a multiarea OSPF configuration. Router A is in area 0, router C is in area 1, and router B is the ABR between the two areas.
The configuration for router A is the same as in the previous example.
Router B has a network statement for area 0. The configuration for area 1 in this example uses the ip ospf 50 area 1 command. Alternatively, a separate network router configuration command could have been used.
Virtual links
Use the area area-id virtual-link router-id router configuration command, along with any necessary optional parameters, to define an OSPF virtual link. To remove a virtual link, use the no form of this command.
The area virtual-link command includes the router ID of the far-end router. To find the router ID of the far-end router, use the show ip ospf, show ip ospf interface, or show ip protocol commands on that remote router, as illustrated in the figure.
Use the show ip ospf virtual-links command to verify that the configured virtual link works properly; show ip ospf neighbor, show ip ospf database, and debug ip ospf adj are also useful.
• area 0 range 172.16.96.0 255.255.224.0: Identifies area 0 as the area containing the range of networks to be summarized into area 1. ABR router R1 summarizes the range of subnets from 172.16.96.0 to 172.16.127.0 into one range: 172.16.96.0 255.255.224.0.
• area 1 range 172.16.32.0 255.255.224.0: Identifies area 1 as the area containing the range of networks to be summarized into area 0. ABR router R1 summarizes the range of subnets from 172.16.32.0 to 172.16.63.0 into one range: 172.16.32.0 255.255.224.0.
For OSPF to generate a default route, you must use the default-information originate command.
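As an added worked example (not from these notes), the Python below applies the wildcard-mask matching of the network area statement to a constructed set of interface addresses, and expands the area range summaries above into the address block and subnets each one covers. Interface names and addresses are constructed.

```python
"""OSPF network-statement wildcard matching and area range summarisation.
Added example, not from the notes; interface addresses are constructed."""
import ipaddress


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_matches(address, network, wildcard):
    """'network <network> <wildcard>' semantics: a wildcard bit of 0 means the
    address bit must match the network bit, a bit of 1 means don't care."""
    a, n, w = ip_to_int(address), ip_to_int(network), ip_to_int(wildcard)
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def ospf_interfaces(interfaces, network_statements):
    """interfaces: {name: ip}; network_statements: [(network, wildcard, area)].
    Returns {name: area} for the interfaces OSPF is enabled on. When several
    statements match, IOS applies the most specific one (fewest wildcard bits)."""
    result = {}
    for name, ip in interfaces.items():
        best = None
        for net, wc, area in network_statements:
            if wildcard_matches(ip, net, wc):
                bits = bin(ip_to_int(wc)).count("1")
                if best is None or bits < best[0]:
                    best = (bits, area)
        if best is not None:
            result[name] = best[1]
    return result


def area_range(network, mask):
    """'area <id> range <network> <mask>' advertises one summary LSA for the
    block. Returns (prefix, first address, last address)."""
    net = ipaddress.IPv4Network(f"{network}/{mask}", strict=True)
    return str(net), str(net.network_address), str(net.broadcast_address)


def subnets_covered(network, mask, subnet_prefixlen):
    """Network ids of the /subnet_prefixlen subnets hidden behind the summary."""
    net = ipaddress.IPv4Network(f"{network}/{mask}")
    return [str(s.network_address) for s in net.subnets(new_prefix=subnet_prefixlen)]


if __name__ == "__main__":
    # Router A style: general 10.0.0.0 0.255.255.255 statement for area 0;
    # Router B style: host-specific 10.1.1.1 0.0.0.0 statement for area 1.
    ifaces = {"Fa0/0": "10.1.1.1", "S0/0/0": "10.64.0.1", "Lo0": "192.168.1.1"}
    stmts = [("10.0.0.0", "0.255.255.255", 0), ("10.1.1.1", "0.0.0.0", 1)]
    print(ospf_interfaces(ifaces, stmts))            # Fa0/0 in area 1, S0/0/0 in area 0
    print(area_range("172.16.96.0", "255.255.224.0"))
    print(subnets_covered("172.16.96.0", "255.255.224.0", 24))
```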
To configure OSPF simple password authentication, use the following steps:
Step 1 Assign a password to be used with neighboring routers using the ip ospf authentication-key command, as shown in the figure.
Note
In Cisco IOS Software Release 12.4, the router gives a warning message if you try to configure a password longer than eight characters, and only the first eight characters will be used. Some earlier Cisco IOS releases did not provide this warning.
The password created by this command is used as a key that is inserted directly into the OSPF header when Cisco IOS software originates routing protocol packets. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.
Note
If the service password-encryption command is not used when configuring OSPF authentication, the key is stored as plain text in the router configuration. If you configure the service password-encryption command, the key is stored and displayed in an encrypted form. When it is displayed, an encryption type of 7 is specified before the encrypted key.
Note (MD5 authentication, ip ospf message-digest-key)
In Cisco IOS Software Release 12.4, the router gives a warning message if you try to configure a password longer than 16 characters, and only the first 16 characters are used. Some earlier Cisco IOS releases did not provide this warning.
The key and the key ID specified in the ip ospf message-digest-key command are used to generate a message digest (also called a hash) of each OSPF packet. The message digest is appended to the packet. A separate password can be assigned to each network on a per-interface basis.
Usually, one key per interface is used to generate authentication information when sending packets and to authenticate incoming packets. All neighboring routers on the same network must have the same password to be able to exchange OSPF information. Therefore, the same key ID on the neighbor router must have the same key value.
The key ID allows for uninterrupted transitions between keys, which is helpful for administrators who wish to change the OSPF password without disrupting communication. If an interface is configured with a new key, the router sends multiple copies of the same packet, each authenticated by a different key. The router stops sending duplicate packets when it detects that all of its neighbors have adopted the new key.
For example, if this is the current configuration:
interface FastEthernet 0/0
ip ospf message-digest-key 100 md5 OLD
You change the configuration to the following:
interface FastEthernet 0/0
ip ospf message-digest-key 101 md5 NEW
The system assumes that its neighbors do not have the new key yet, so it begins a rollover process. It sends multiple copies of the same packet, each authenticated by a different key. In this example, the system sends out two copies of the same packet, the first one authenticated by key 100 and the second one authenticated by key 101.
Rollover allows neighboring routers to continue communication while the network administrator is updating them with the new key. Rollover stops when the local system finds that all its neighbors know the new key. The system detects that a neighbor has the new key when it receives packets from the neighbor authenticated by the new key.
After all neighbors have been updated with the new key, the old key should be removed. In this example, you would enter the following:
interface FastEthernet 0/0
no ip ospf message-digest-key 100
Then only key 101 is used for authentication on Fast Ethernet interface 0/0.
It is recommended that you do not keep more than one key per interface. Every time you add a new key, you should remove the old key to prevent the local system from continuing to communicate with a hostile system that knows the old key.
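The rollover sequence above, simulated as an added example that is not part of these notes. The digest follows RFC 2328 Appendix D (MD5 over the packet followed by the key padded to 16 bytes); the OSPF header fields other than the key ID are left out for brevity, and the router names, key values and payload are constructed.

```python
"""OSPF MD5 authentication with key IDs, and the key 100 -> key 101 rollover.
Added example, not from the notes; names, keys and payload are constructed."""
import hashlib


def ospf_md5_digest(packet: bytes, key: str) -> bytes:
    """Keyed MD5 as in RFC 2328 Appendix D: the key, padded (or cut) to 16
    bytes, is appended to the packet and MD5 is run over the result."""
    k = key.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(packet + k).digest()


class Router:
    """Per-interface key table, key_id -> key string, as configured with
    'ip ospf message-digest-key <id> md5 <key>'."""

    def __init__(self, name, keys):
        self.name = name
        self.keys = dict(keys)
        self.neighbor_key_seen = {}   # neighbor name -> key ids it has used

    def send(self, payload: bytes):
        """Rollover behaviour: with several keys configured, one copy of the
        packet goes out per key, each carrying its own key id and digest."""
        return [(kid, payload, ospf_md5_digest(payload, k))
                for kid, k in sorted(self.keys.items())]

    def receive(self, sender, kid, payload, digest):
        """Look up the key with the same key id; the id must map to the same
        key value on both sides or the packet is dropped."""
        key = self.keys.get(kid)
        if key is None or ospf_md5_digest(payload, key) != digest:
            return False
        self.neighbor_key_seen.setdefault(sender, set()).add(kid)
        return True

    def rollover_complete(self, new_kid, neighbors):
        """Duplicates stop once every neighbor has sent with the new key."""
        return all(new_kid in self.neighbor_key_seen.get(n, set()) for n in neighbors)


def exchange(a, b, payload=b"OSPF hello (constructed)"):
    """Deliver every copy a sends to b; return the key ids b accepted."""
    return [kid for kid, p, d in a.send(payload) if b.receive(a.name, kid, p, d)]


def rollover_scenario():
    """Key 100 'OLD' on both routers, key 101 'NEW' added on R1 first."""
    r1 = Router("R1", {100: "OLD"})
    r2 = Router("R2", {100: "OLD"})
    r1.keys[101] = "NEW"                  # ip ospf message-digest-key 101 md5 NEW on R1
    first = exchange(r1, r2)              # R2 only knows 100: accepts that copy alone
    r2.keys[101] = "NEW"                  # administrator updates R2
    second = exchange(r1, r2)             # both copies now verify on R2
    exchange(r2, r1)                      # R1 sees R2 send with key 101
    done = r1.rollover_complete(101, ["R2"])
    del r1.keys[100]                      # no ip ospf message-digest-key 100
    del r2.keys[100]
    return first, second, done


def stale_key_risk():
    """Why the old key must be removed: a system that only knows key 100 is
    still accepted for as long as key 100 stays configured."""
    r1 = Router("R1", {100: "OLD", 101: "NEW"})
    stale = Router("X", {100: "OLD"})
    before = exchange(stale, r1)
    del r1.keys[100]
    after = exchange(stale, r1)
    return before, after


if __name__ == "__main__":
    print(rollover_scenario())    # ([100], [100, 101], True)
    print(stale_key_risk())       # ([100], [])
```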
---------------------------------------------------------
EIGRP
You can create an EIGRP default route with the ip default-network network-number global configuration command. The configured router advertises the specified network as the gateway of last resort. Other routers use their next-hop address to the advertised network as their default route.
The internal distance (administrative distance 90) applies to networks from other routers inside the autonomous system. The external distance (administrative distance 170) applies to networks introduced to EIGRP from outside this autonomous system through redistribution.
The show ip eigrp interfaces command displays information about interfaces configured for EIGRP.
EIGRP can also balance traffic across multiple routes that have different metrics, which is called unequal-cost load balancing. The degree to which EIGRP performs load balancing is controlled with the variance command.
Note
If the service password-encryption command is not used when implementing EIGRP authentication, the key string is stored as plain text in the router configuration. If you configure the service password-encryption command, the key string is stored and displayed in an encrypted form. When it is displayed, an encryption type of 7 is specified before the encrypted key string.
Eigrp default network
------------------------------------------------------------------------------
Passwords
conf t
enable secret <password>
line con 0
password <enter password here>
login
line vty 0 4
password <enter password here>
login
exit
conf t
enable secret cisco
line con 0
password class
login
line vty 0 4
password class
login
exit
example
Router#configure terminal
Router(config)#hostname ISP
ISP(config)#enable password cisco
ISP(config)#enable secret class
ISP(config)#line console 0
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#line vty 0 4
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#interface loopback 0
ISP(config-if)#ip add 172.16.1.1 255.255.255.255
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface serial 0
ISP(config-if)#ip add 200.2.2.17 255.255.255.252
ISP(config-if)#clock rate 64000
no shut - to interfaces
PPP
ISDN PRI
Defining static routes for DDR (Dial on demand routing)
clear int bri 0 to erase the SPID
show dialer
show isdn status
To configure a static route for IP use the following command:
Router(config)#ip route net-prefix mask {address | interface } [distance ] [permanent]
DDR calls are triggered by interesting traffic. This traffic can be defined as any of the following:
• IP traffic of a particular protocol type
• Packets with a particular source or destination address
• Other criteria as defined by the network administrator
Use the dialer-list command to identify interesting traffic. The command syntax is as follows:
Router(config)#dialer-list dialer-group-num protocol protocol-name {permit | deny | list access-list-number}
The dialer-group-num is an integer between 1 and 10 that identifies the dialer list to the router.
The command dialer-list 1 protocol ip permit will allow all IP traffic to trigger a call. Instead of permitting all IP traffic, a dialer list can point to an access list in order to specify exactly what types of traffic should bring up the link. The reference to access list 101 in dialer list 2 prevents FTP and Telnet traffic from activating the DDR link. Any other IP packet is considered interesting, and will therefore initiate the DDR link.
The dialer-group command is given on the interface and uses the same number as the dialer-list.
Configure routing protocols as uninteresting so the line doesn’t keep coming up. Also use no cdp to keep the line from coming up (MAKE THE INTERFACE PASSIVE SO IT DOES NOT SEND OUT UPDATE TRAFFIC).
A dialer list specifying the interesting traffic for this DDR interface needs to be associated with the DDR interface. This is done using the dialer-group group-number command:
Home(config-if)#dialer-group 1
In the command, group-number specifies the number of the dialer group to which the interface belongs. The group number can be an integer from 1 to 10. This number must match the dialer-list group-number. Each interface can have only one dialer group. However, the same dialer list can be assigned to multiple interfaces with the dialer-group command.
The correct dialing information for the remote DDR interface needs to be specified. This is done using the dialer map command.
The dialer map command maps the remote protocol address to a telephone number. This command is necessary to dial multiple sites.
Router(config-if)#dialer map protocol next-hop-address [name hostname] [speed 56 | 64] [broadcast] dial-string
If dialing only one site, use an unconditional dialer string command that always dials the one phone number regardless of the traffic destination. This step is unique to legacy DDR. Although the information is always required, the steps to configure destination information are different when using dialer profiles instead of legacy DDR.
To configure PPP on the DDR interface use the following commands:
Home(config)#username Central password cisco
Home(config)#interface bri0/0
Home(config-if)#encapsulation ppp
Home(config-if)#ppp authentication chap
Home(config-if)#ip address 10.1.0.1 255.255.255.0
The dialer idle-timeout seconds command may be used to specify the number of idle seconds before a call is disconnected. The seconds represent the number of seconds until a call is disconnected after the last interesting packet is sent. The default is 120.
Multiple dialer interfaces may be configured on a router. Each dialer interface is the complete configuration for a destination. The interface dialer command creates a dialer interface and enters interface configuration mode.
To configure the dialer interface, perform the following tasks:
1. Configure one or more dialer interfaces with all the basic DDR commands:
• IP address
• Encapsulation type and authentication
• Idle-timer
• Dialer-group for interesting traffic
2. Configure a dialer string and dialer remote-name to specify the remote router name and phone number to dial it. The dialer pool associates this logical interface with a pool of physical interfaces.
3. Configure the physical interfaces and assign them to a dialer pool using the dialer pool-member command.
An interface can be assigned to multiple dialer pools by using multiple dialer pool-member commands. If more than one physical interface exists in the pool, use the priority option of the dialer pool-member command to set the priority of the interface within a dialer pool. If multiple calls need to be placed and only one interface is available, then the dialer pool with the highest priority is the one that dials out.
A combination of any of these interfaces may be used with dialer pools:
• Synchronous Serial
• Asynchronous Serial
• BRI
• PRI
**Clear int Bri
To get the clear out of
FRAME RELAY
cisco - Uses the Cisco proprietary Frame Relay encapsulation. Use this option if connecting to another Cisco router. Many non-Cisco devices also support this encapsulation type. This is the default.
ietf - Sets the encapsulation method to comply with the Internet Engineering Task Force (IETF) standard RFC 1490. Select this if connecting to a non-Cisco router.
Set an IP address on the interface using the ip address command. Set the bandwidth of the serial interface using the bandwidth command. Bandwidth is specified in kilobits per second (kbps). This command is used to notify the routing protocol that bandwidth is statically configured on the link. The bandwidth value is used by Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF) to determine the metric of the link.
The local DLCI must be statically mapped to the network layer address of the remote router when the remote router does not support Inverse ARP. This is also true when broadcast traffic and multicast traffic over the PVC must be controlled. These static Frame Relay map entries are referred to as static maps. Use the frame-relay map protocol protocol-address dlci [broadcast] command to statically map the remote network layer address to the local DLCI (used on the HQ router).
Split-horizon updates reduce routing loops by not allowing a routing update received on one interface to be forwarded out the same interface. One way to solve the split-horizon problem is to use a fully meshed topology. However, this will increase the cost because more PVCs are required. The preferred solution is to use subinterfaces.
Create a subinterface with:
int s0.301 point-to-point
------------------------------------------------------------------------------
Switch Commands
switch(config)#ip default-gateway <ip> --> sets the default gateway for the switch (to be set under conf t)
**More detailed spanning tree info
spanning-tree portfast --> to be used under conf t, and maybe on the interface itself, to make the interface come up and connect instantly. (Use the spanning-tree portfast global configuration command to globally enable BPDU filtering on Port Fast-enabled ports, the BPDU guard feature on Port Fast-enabled ports, or the Port Fast feature on all nontrunking ports. The BPDU filtering feature prevents the switch port from sending or receiving BPDUs. The BPDU guard feature puts Port Fast-enabled ports that receive BPDUs in an error-disabled state.)
show trunk
show interface vlan 1 --> used in priv exec mode, shows MAC, IP, and port info
show spanning-tree or show spanning-tree brief --> used in priv exec mode, shows port status (forwarding/blocking), root bridge, priority and MAC address
use only on non-trunking ports
show mac-address-table
Password configs and hostname are set up the same way as on a router (except that switches use line vty 0 15).
switch(config)#int vlan 1
switch(config-if)#ip add <IP & subnet mask>
switch(config-if)#no shut
Vlan dat
vlan 101 name Voice101
vlan 102 name Voice102
vlan 103 name Voice103
vlan 104 name Voice104
vlan 105 name Voice105
vlan 106 name Voice106
vlan 107 name Voice107
vlan 108 name Voice108
vlan 109 name Voice109
vlan 110 name Voice110
vlan dat
vtp client
vtp domain Cisco
vlan dat - old way; try the new commands on the next picture
vtp server
vtp domain Cisco
2.5.6 Best Practice for VTP Configuration
Following is a list of general best practices with regard to configuring VTP in the enterprise composite network model:
• Plan boundaries for the VTP domain. Not all switches in the network need information on all VLANs in the network. In the enterprise composite model, the VTP domain should be restricted to redundant distribution switches and the access switches that they serve.
• Have only one or two switches specifically configured as VTP servers and the remainder as clients.
• Configure a password so that no switch can join the VTP domain with a domain name only (which can be derived dynamically).
• Manually configure the VTP domain name on all switches that are installed in the network so that the mode can be specified and the default server mode on all switches can be overwritten.
• When you are setting up a new domain, configure VTP client switches first so that they participate passively. Then configure servers to update client devices.
• In an existing domain, if you are performing VTP cleanup, configure passwords on servers first. Clients may need to maintain current VLAN information until the server contains a complete VLAN database. After the VLAN database on the server is verified as complete, client passwords can be configured to be the same as the servers. Clients will then accept updates from the server.
• WHEN ADDING A DIFFERENT SWITCH TO A NETWORK (MOVING CABLES), TAKE IT OUT OF THE VTP DOMAIN, CHANGE, THEN RE-ADD SO THE REVISION NUMBER IS RESET TO ONE SO IT DOESN’T OVERRIDE THE OTHER ONE
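To see why the last bullet and the password bullet matter, this added example (not from these notes) models VTP revision handling with constructed switches: a moved switch carrying a higher revision overwrites the production VLAN database unless its revision was reset or its password does not match. VTP is modelled only as far as domain, mode, revision and a password-derived digest; the switch names and VLANs are constructed.

```python
"""VTP configuration-revision simulation. Added example, not from the notes;
switch names, domain, password and VLANs are constructed."""
import hashlib


def vlan_digest(password, vlans):
    """Stand-in for the MD5 digest VTP carries over the VLAN database and the
    domain password: a password mismatch shows up as a digest mismatch."""
    return hashlib.md5(f"{password}|{sorted(vlans.items())}".encode()).hexdigest()


class VtpSwitch:
    def __init__(self, name, domain, mode="server", password=None, vlans=None, revision=0):
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.vlans = dict(vlans or {1: "default"})
        self.revision = revision

    def add_vlan(self, vid, name):
        """Every change made on a server bumps the configuration revision."""
        if self.mode != "server":
            raise PermissionError(f"{self.name}: VLAN changes need server mode")
        self.vlans[vid] = name
        self.revision += 1

    def set_domain(self, domain):
        """Changing the domain name resets the revision to 0 (the notes'
        'take it out of the VTP domain' step)."""
        self.domain, self.revision = domain, 0

    def advertise(self):
        return {"domain": self.domain, "revision": self.revision,
                "digest": vlan_digest(self.password, self.vlans), "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Clients and servers overwrite their database when the domain and
        digest match and the advertised revision is higher; transparent ignores."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False
        if adv["digest"] != vlan_digest(self.password, adv["vlans"]):
            return False
        if adv["revision"] <= self.revision:
            return False
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return True


def production_domain(password=None):
    """Constructed production domain: one server, one client, voice VLANs 101-103."""
    server = VtpSwitch("DLS1", "Cisco", "server", password)
    client = VtpSwitch("ALS1", "Cisco", "client", password)
    for vid in (101, 102, 103):
        server.add_vlan(vid, f"Voice{vid}")
    client.receive(server.advertise())
    return server, client


def plug_in_moved_switch(password=None, reset_domain=False, stale_password=None):
    """A switch from a lab, at revision 50, is cabled into production.
    Returns the VLAN ids left on the production server and client."""
    server, client = production_domain(password)
    moved = VtpSwitch("LAB-SW", "Cisco", "server", stale_password,
                      {1: "default", 999: "lab"}, revision=50)
    if reset_domain:
        moved.set_domain("scratch")
        moved.set_domain("Cisco")        # re-added with revision 0
    server.receive(moved.advertise())
    client.receive(server.advertise())
    return sorted(server.vlans), sorted(client.vlans)


if __name__ == "__main__":
    print(plug_in_moved_switch())                    # ([1, 999], [1, 999]): voice VLANs gone
    print(plug_in_moved_switch(reset_domain=True))   # production VLANs survive
    print(plug_in_moved_switch(password="s3cret"))   # digest mismatch, advert ignored
```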
interface FastEthernet0/1
switchport access vlan 101
switchport mode access
no ip address
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 101
switchport mode access
no ip address
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 102
switchport mode access
no ip address
spanning-tree portfast
2.5.2 Resolving Issues with 802.1Q Native VLANs
Consider the following issues when you are configuring a native VLAN on an 802.1Q trunk link:
• The native VLAN interface configurations must match at both ends of the link or the trunk may not form.
• By default, the native VLAN is VLAN 1. For the purpose of security, the native VLAN on a trunk should be set to a specific VID that is not used for normal operations elsewhere on the network.
Switch(config-if)#switchport trunk native vlan vlan-id
• OR switchport trunk
• If there is a native VLAN mismatch on an 802.1Q link, CDP (if used and functioning) issues a “native VLAN mismatch” error.
• On select versions of Cisco IOS software, CDP may not be transmitted or automatically turns off if VLAN 1 is disabled on the trunk.
• If there is a native VLAN mismatch on either side of an 802.1Q link, Layer 2 loops may occur because VLAN 1 STP BPDUs are sent to the IEEE STP MAC address (0180.c200.0000) untagged.
• When troubleshooting VLANs, note that a link can have one native VLAN association when in access mode, and another native VLAN association when in trunk mode.
When implementing VLANs, you should consider a few measures to secure the VLAN and the switch
itself. The security policy of the organization will likely have more detailed recommendations, but these
can provide a foundation.
• Create a “parking-lot” VLAN with a VLAN ID (VID) other than VLAN1, and place all unused switch
ports in this VLAN. This VLAN may provide the user with some minimal network connectivity.
(Check on the security policy of your organization before implementing.)
• Disable unused switch ports, depending on the security policy of the organization.
Trunk links should be configured statically whenever possible. However, Cisco Catalyst switch ports run
Dynamic Trunking Protocol (DTP), which can automatically negotiate a trunk link. This Cisco proprietary
protocol can determine an operational trunking mode and protocol on a switch port when it is connected
to another device that is also capable of dynamic trunk negotiation.
(show dtp interface)
• To enable trunking to a device that does not support DTP, use the switchport mode trunk
and switchport nonegotiate interface configuration commands to cause the interface to
become a trunk but to not generate DTP frames.
• Use the switchport trunk encapsulation isl or switchport trunk
encapsulation dot1q interface to select the encapsulation type on the trunk port.
Regardless of whether a device supports DTP, general best practice is to configure trunks statically with switchport mode trunk and switchport nonegotiate.
2.3. Configuring Trunking (has pictures for more examples)
Switch ports are configured for trunking using Cisco IOS commands. To configure a switch port as
an 802.1Q or an ISL trunking port, follow these steps on each trunk interface.
Step 1 Enter interface configuration mode.
Step 2 Shut down the interface to prevent the possibility of premature autoconfiguration.
Step 3 Select the trunking encapsulation. Note that some switches support only ISL or
802.1Q. In particular, the Catalyst 2950 and 2960 support only 802.1Q.
Step 4 Configure the interface as a Layer 2 trunk.
Step 5 Configure the trunking native VLAN number for 802.1Q links. This number must match at
both ends of an 802.1Q trunk.
Step 6 Configure the allowable VLANs for this trunk. This is necessary if VLANs are restricted to
certain trunk links. This is best practice with the Enterprise Composite Network Model and leads
to the correct operation of VLAN interfaces.
Step 7 Use the no shutdown command on the interface to activate the trunking process.
Step 8 Verify the trunk configuration using show commands.
Figure shows how to configure interface Fast Ethernet 5/8 as an 802.1Q trunk. Frames from
VLANs 1, 5, 11, and 1002 to 1005 will be allowed to traverse the trunk link. The switchport mode
for the interface is trunk (on), and no DTP messages will be sent on the interface.
Note:
For security reasons, the native VLAN has been configured to be an “unused” VLAN. This will be
discussed in more detail later.
Figure describes the commands used to configure a switch port as an 802.1Q trunk link.
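The following puts Steps 1 through 8 and the native-VLAN and DTP points above into one hardened trunk configuration. It is an added example, not from the original notes or the course figure; the interface name, the VLAN numbers and the choice of VLAN 999 as the unused native VLAN are assumptions.

```cisco
! Added example: statically configured, hardened 802.1Q trunk.
! A dedicated VLAN that carries no user traffic becomes the native VLAN.
vlan 999
 name NATIVE_UNUSED
!
interface FastEthernet0/24
 description Trunk to DLS2 Fa0/24
 ! Step 2: take the port down so DTP cannot negotiate before the settings are complete
 shutdown
 ! Step 3: encapsulation (this command is rejected on 802.1Q-only platforms such as the 2950/2960)
 switchport trunk encapsulation dot1q
 ! Step 4: unconditional trunk ("on") and no DTP frames at all
 switchport mode trunk
 switchport nonegotiate
 ! Step 5: native VLAN, must be identical on the far end or CDP reports a mismatch
 switchport trunk native vlan 999
 ! Step 6: carry only the VLANs that belong on this link; VLAN 1 is pruned.
 ! Control protocols (CDP, VTP, PAgP) still use VLAN 1 on most IOS versions even when it is pruned.
 switchport trunk allowed vlan 10,20,30
 ! Step 7
 no shutdown
!
! Step 8: verify, and compare "Native vlan" and "Vlans allowed" with the far end
! show interfaces FastEthernet0/24 trunk
! show interfaces FastEthernet0/24 switchport
! show dtp interface FastEthernet0/24      (DTP should be off)
```

Apply the same configuration on the far end with the same native and allowed VLANs; a one-sided change leaves the native VLANs mismatched and, as the notes above say, VLAN 1 BPDUs then flow untagged between two different VLANs.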
3. Describing STP
3.1. Describing the Root Bridge
STP uses a root bridge, root ports, and designated ports to establish a loop free path through the
network. The first step in creating a loop free spanning tree is to select a root bridge to be the
reference point that all switches use to establish forwarding paths. The STP topology is
converged after a root bridge has been selected, and each bridge has selected its root port,
designated bridge, and the participating ports. STP uses BPDUs as it transitions port states to
achieve convergence.
Spanning tree elects a root bridge in each broadcast domain on the LAN. Path calculation
through the network is based on the root bridge. The bridge is selected using the bridge ID (BID),
which consists of a 2-byte Priority field plus a 6-byte MAC address. In spanning tree, lower BID
values are preferred. The Priority field value helps determine which bridge is going to be the root
and can be manually altered. In a default configuration, the Priority field is set at 32768. When the
default Priority field is the same for all bridges, selecting the root bridge is based on the lowest
MAC address.
The root bridge maintains the stability of the forwarding paths between all switches for a single
STP instance. A spanning tree instance is the set of switches that exchange BPDUs and participate in
spanning tree negotiation under a single root. If one instance covers all VLANs, it is called a Common
Spanning Tree (CST) instance. There is also a Per VLAN Spanning Tree (PVST) implementation that
provides one instance, and therefore one root bridge, for each VLAN.
The BID and root ID are each 8-byte fields carried in a BPDU. These values are used to
complete the root bridge election process. Each switch places its own BID in the Bridge ID field of the
BPDUs it sends, and the BID of the switch it currently believes to be the root in the Root ID field. A
switch identifies the root bridge by evaluating the Root ID field in the BPDUs that it receives.
When a switch first boots and begins sending BPDUs, it has no knowledge of a root ID, so it
populates the Root ID field of outbound BPDUs with its own BID.
The switch with the lowest numerical BID assumes the role of root bridge for that spanning tree
instance. If a switch receives BPDUs advertising a lower root ID than the one it is currently
advertising, it adopts that lower value as the Root ID in its own outbound BPDUs.
Spanning tree operation requires that each switch have a unique BID. In the original 802.1D
standard, the BID was composed of the Priority Field and the MAC address of the switch, and all
VLANs were represented by a CST. Because PVST requires that a separate instance of spanning
tree run for each VLAN, the BID field is required to carry VLAN ID (VID) information, which is
accomplished by reusing a portion of the Priority field as the extended system ID.
To accommodate the extended system ID, the original 802.1D 16-bit Bridge Priority field is split
into two fields, resulting in these components in the BID :
• Bridge Priority: A 4-bit field that carries the bridge priority. Because of the limited bit
count, priority is conveyed in discrete values in increments of 4096 rather than discrete
values in increments of 1, as they would be in a full 16-bit field. The default priority, in
accordance with IEEE 802.1D, is 32,768, which is the mid-range value.
• Extended System ID: A 12-bit field that carries the VID for PVST.
• MAC address: A 6-byte field with the MAC address of a single switch.
By virtue of the MAC address, a BID is always unique. When the priority and extended system ID
are appended to the switch MAC address, each VLAN on the switch can be represented by a
unique BID.
If no priority has been configured, every switch has the same default priority and the election of
the root for each VLAN is based on the MAC address. This is a fairly random means of selecting
the ideal root bridge and, for this reason, it is advisable to assign a lower priority to the switch that
should serve as root bridge.
Only four bits are used to set the bridge priority. Because of the limited bit count, priority is
configurable only in increments of 4096.
A switch responds with the possible priority values if an incorrect value is entered:
Switch(config)#spanning-tree vlan 1 priority 1234
% Bridge Priority must be in increments of 4096.
% Allowed values are:
0 4096 8192 12288 16384 20480 24576 28672
32768 36864 40960 45056 49152 53248 57344 61440
If no priority has been configured, every switch will have the same default priority of 32768.
Assuming all other switches are at default priority, the spanning-tree vlan vlan-id root
primary command sets a value of 24576. Also, assuming all other switches are at default
priority, the spanning-tree vlan vlan-id root secondary command sets a value of
28672.
The switch with the lowest BID becomes the root bridge for a VLAN. Specific configuration
commands are used to determine which switch will become the root bridge.
A Cisco Catalyst switch running PVST maintains an instance of spanning tree for each active
VLAN that is configured on the switch. A unique BID is associated with each instance. For each
VLAN, the switch with the lowest BID becomes the root bridge for that VLAN. Whenever the
bridge priority changes, the BID also changes. This results in the recomputation of the root bridge
for the VLAN.
To configure a switch to become the root bridge for a specified VLAN, use the spanning-tree
vlan vlan-ID root primary command.
CAUTION:
Spanning tree commands take effect immediately, so network traffic is disrupted while the reconfiguration
occurs.
A secondary root is a switch that may become the root bridge for a VLAN if the primary root
bridge fails. To configure a switch as the secondary root bridge for the VLAN, use the command
spanning-tree vlan vlan-ID root secondary. Assuming that the other bridges in the
VLAN retain their default STP priority, this switch will become the root bridge in the event that the
primary root bridge fails. This command can be executed on more than one switch to configure
multiple backup root bridges.
BPDUs are exchanged between switches, and the analysis of the BID and root ID information
from those BPDUs determines which bridge is selected as the root bridge.
In the example shown, both switches have the same priority for the same VLAN. The switch with
the lowest MAC address is elected as the root bridge. In the example, switch X is the root bridge
for VLAN 1, with a BID of 0x8001:0c0011111111.
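The following shows the root bridge placement described above done deterministically on a pair of distribution switches, using explicit priorities (multiples of 4096, as the error message above lists) next to the root primary/secondary macros. It is an added example, not from the original notes; the switch roles and VLAN numbers are assumptions.

```cisco
! Added example: fixed root placement per VLAN, rather than leaving it to MAC addresses.
! --- DLS1: root for VLANs 10 and 20, backup root for VLAN 30 ---
spanning-tree vlan 10,20 priority 24576
spanning-tree vlan 30 priority 28672
! Resulting BID for VLAN 10 = priority 24576 + extended system ID 10 = 24586,
! shown by "show spanning-tree vlan 10" as "Priority 24586 (priority 24576 sys-id-ext 10)".
!
! --- DLS2: the mirror image ---
spanning-tree vlan 10,20 priority 28672
spanning-tree vlan 30 priority 24576
!
! Equivalent macro form. "root primary" picks 24576, or 4096 below the current root's
! priority if some switch is already lower, so re-run it after topology changes:
! spanning-tree vlan 10 root primary
! spanning-tree vlan 30 root secondary
!
! Verify on each switch: "This bridge is the root" for the expected VLANs
! show spanning-tree vlan 10
! show spanning-tree root
```

Explicit priorities are preferred over the macros because the value stays on the switch as typed; the macro only computes a number at the moment it is entered, and a neighbour later lowering its own priority silently takes the root role.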
The SVI for the VLAN provides Layer 3 processing for packets from all switch ports associated with that
VLAN. Only one SVI can be associated with a VLAN. You configure an SVI for a VLAN for the following
reasons:
• To provide a default gateway for a VLAN so that traffic can be routed between VLANs
• To provide fallback bridging if it is required for non-routable protocols
• To provide Layer 3 IP connectivity to the switch
• To support routing protocol and bridging configurations
By default, an SVI is created for the default VLAN (VLAN1) to permit remote switch administration.
Additional SVIs must be explicitly created.
SVIs are created the first time a VLAN interface configuration mode is entered for a particular VLAN SVI.
The VLAN corresponds to the VLAN tag associated with data frames on an Ethernet trunk or to the VLAN
ID (VID) configured for an access port. An IP address is assigned in interface configuration mode to each
VLAN SVI that is to route traffic off of and on to the local VLAN.
Inter-VLAN Routing
Routed Switch ports
A routed port has the following characteristics and functions:
• Physical switch port with Layer 3 capability
• Not associated with any VLAN
• Serves as the default gateway for devices out that switch port
• Layer 2 port functionality must be removed before it can be configured
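The following puts the SVI and routed-port descriptions above into a working inter-VLAN routing configuration on a Layer 3 switch. It is an added example, not from the original notes; the addresses, VLAN numbers and interface names are assumptions.

```cisco
! Added example: inter-VLAN routing with SVIs plus one routed physical port.
ip routing
!
! One SVI per VLAN; each is the default gateway for hosts in that VLAN
interface Vlan10
 description USERS
 ip address 10.1.10.1 255.255.255.0
 no shutdown
interface Vlan20
 description SERVERS
 ip address 10.1.20.1 255.255.255.0
 no shutdown
!
! Routed port toward the WAN router: Layer 2 behaviour is removed first with "no switchport"
interface GigabitEthernet0/1
 description to WAN router
 no switchport
 ip address 192.168.100.1 255.255.255.252
 no shutdown
!
! The VLAN 1 SVI exists by default for management; if management lives elsewhere,
! shut it so the switch does not answer on the default VLAN
interface Vlan1
 shutdown
!
! Verify
! show ip interface brief
! show ip route connected
```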
conf t
int range fa0/1 - 6
switchport port-security                                enables port security on the interface (required before the options below take effect)
switchport port-security mac-address <mac-address>      statically allows a specific MAC address on that interface
switchport port-security maximum <1-132>                how many MAC addresses the port is allowed to learn/remember
switchport port-security violation {shutdown | restrict | protect}
   shutdown: err-disable the port (default); restrict: drop offending frames and log/trap; protect: drop silently
Older (2900XL/3500XL-era) syntax for the same thing:
port security max-mac-count <1-132>                     enables port security and sets the max MAC count
port security action shutdown                           if more than the specified number of MAC addresses is seen, the port is shut down
arp timeout <seconds>                                   shorten the ARP cache timeout so a spoofed MAC/IP binding persists for less time
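The following is a complete port-security configuration for user access ports, covering the commands in the notes above plus the recovery and verification a practitioner needs. It is an added example, not from the original notes; the interface range, VLAN and MAC address are assumptions.

```cisco
! Added example: port security on access ports (2950/2960-style IOS syntax).
! Ordinary user ports: up to two MACs (PC plus IP phone), learned and saved ("sticky")
interface range FastEthernet0/1 - 6
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 ! restrict: drop extra MACs and raise a log/SNMP trap, but keep the port up
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! A fixed device (printer) gets a static entry and the stricter shutdown action
interface FastEthernet0/7
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0011.2233.4455
!
! Re-enable err-disabled ports automatically after 5 minutes instead of by hand
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify: status, violation count and the learned/static addresses
! show port-security interface FastEthernet0/1
! show port-security address
```

Sticky addresses are written into the running configuration as static entries; save the configuration after the legitimate hosts have been learned, otherwise a reload forgets them and the first device to plug in claims the slot.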
To access this mode, the vlan database command is executed from privileged EXEC mode. From this
mode, you can add, delete, and modify configurations for VLANs in the range 1 to 1005.
Note:
This mode has been deprecated and will be removed in some future release. The move to the global
VLAN configuration mode is consistent with a more traditional Cisco router IOS-type approach.
----
Configuring Multiple Spanning Tree protocol (MSTP)
-refer to 3.3.5-3.3.6 cpt176
Switch#show spanning-tree mst
Switch#show spanning-tree mst <mst instance #>
However, the switch does not automatically revert to Rapid PVST+ or MSTP mode if it no longer receives
IEEE 802.1D BPDUs, because it cannot determine whether the legacy switch has been removed from the
link unless the legacy switch is the designated switch. Use the following command in this situation :
Switch#clear spanning-tree detected-protocols
Load balancing is applied globally for all EtherChannel bundles in the switch. To configure EtherChannel
load balancing, use the port-channel load-balance command. Load balancing can be based on
the following variables:
• src-mac: Source MAC address
• dst-mac: Destination MAC address
Interface <interface>
ip dhcp snooping trust        -> marks the port as trusted: DHCP server messages (OFFER/ACK/NAK) are
only accepted on trusted ports, so use it on the uplink toward the DHCP server or relay, never on a
user port (an untrusted port that receives a server message is treated as a rogue server)
ip dhcp snooping limit rate 100   -> caps DHCP packets per second on the interface (Cisco recommends
no more than 100 pps); exceeding it err-disables the port. Rate-limit the untrusted user ports; a
trusted uplink normally carries many clients' traffic and needs no limit.
The show ip dhcp snooping binding command displays the DHCP snooping
binding entries for a switch, as shown in Figure
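The following is a complete DHCP snooping configuration for an access switch, including the global enable and the option-82 setting that the per-interface commands above depend on. It is an added example, not from the original notes; the VLAN numbers and interfaces are assumptions.

```cisco
! Added example: DHCP snooping for the user VLANs on an access switch.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion is on by default; unless the upstream relay/server is set up to
! accept it, clients behind this switch stop getting leases, so it is disabled here
no ip dhcp snooping information option
!
! Uplink toward the DHCP server (or the relay router): the only trusted port
interface GigabitEthernet0/1
 description uplink to distribution
 ip dhcp snooping trust
!
! User ports stay untrusted (the default). A single host never legitimately sends
! more than a handful of DHCP packets per second, so 15 pps catches floods early
interface range FastEthernet0/1 - 24
 ip dhcp snooping limit rate 15
!
! Verify: trusted ports, rate limits and the IP/MAC/port bindings learned
! show ip dhcp snooping
! show ip dhcp snooping binding
```

The binding table built here is also what Dynamic ARP Inspection and IP Source Guard consult, so getting the trusted/untrusted split right on this switch is the prerequisite for those features as well.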
One of the more important elements is to use dedicated VLAN IDs for all trunk ports.
Also, disable all unused switch ports and place them in an unused VLAN. Set all user
ports to non-trunking mode by explicitly turning off DTP on those ports. This is
accomplished on IOS switches by setting the switch port mode to access with the
switchport mode access interface configuration command.
ACLs can be configured on the router port to mitigate private VLAN attacks. VLAN
ACLs (VACLs) can also be used to help mitigate the effects of private VLAN attacks.
An example of using ACLs on the router port is if a server farm segment were
172.16.34.0/24, then configuring the ACLs shown in Figure on the default gateway
would mitigate the private VLAN proxy attack.
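The figure referred to above is not on the page; the following is a reconstruction of the router-port ACL for the 172.16.34.0/24 server farm, added here as an example rather than taken from the notes. The gateway interface name and address are assumptions. The attack it mitigates: a host in an isolated private VLAN cannot reach its neighbour at Layer 2, so it sends the frame to the gateway's MAC address with the neighbour's IP as destination, and the router forwards it back into the segment.

```cisco
! Added example: drop same-subnet traffic that arrives at the gateway from the subnet itself.
! Such a packet is legitimate only if a host is trying to use the router as a proxy
! around private VLAN isolation, so it is logged as well as dropped.
ip access-list extended SERVER-FARM-PVLAN
 deny   ip 172.16.34.0 0.0.0.255 172.16.34.0 0.0.0.255 log
 permit ip any any
!
interface FastEthernet0/0
 description server farm default gateway
 ip address 172.16.34.1 255.255.255.0
 ip access-group SERVER-FARM-PVLAN in
!
! Verify: hit counts on the deny line show proxy attempts
! show ip access-lists SERVER-FARM-PVLAN
```

A VACL on the switch with the same source/destination pair achieves the same result closer to the hosts and does not depend on the routed hop being the only way around the isolation.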
Conf t
Int <blahblah>
Use the spanning-tree guard <loop or root> interface configuration command to
enable root guard or loop guard on all the VLANs associated with the selected
interface. Root guard restricts which interface is allowed to be the Spanning-Tree
root port or the path to the root for the switch. Loop guard prevents alternate or
root ports from becoming designated ports when a failure creates a unidirectional
link.
**Put loop guard on the trunks
Globally enable
spanning-tree portfast bpduguard default
**Don't put portfast on trunks or on ports facing other switches/routers
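The following places the three STP protection features described above where each belongs: root guard on distribution ports toward access switches, loop guard on trunks, BPDU guard on host ports. It is an added example, not from the original notes; the interface roles are assumptions.

```cisco
! Added example: STP protection by port role (root guard and loop guard cannot share a port).
! Root guard: downstream ports toward access switches, which must never offer a better root.
! A superior BPDU puts the port into root-inconsistent (blocking) until the BPDUs stop.
interface range GigabitEthernet0/1 - 2
 description to access switches
 spanning-tree guard root
!
! Loop guard: trunks/uplinks; a port that stops receiving BPDUs goes loop-inconsistent
! instead of transitioning to forwarding over a unidirectional link
interface GigabitEthernet0/24
 description uplink to core
 spanning-tree guard loop
!
! BPDU guard globally on every PortFast port, then PortFast on host ports only.
! A BPDU seen on such a port err-disables it (a rogue switch or a looped cable).
spanning-tree portfast bpduguard default
interface range FastEthernet0/1 - 24
 description user ports
 spanning-tree portfast
!
! Optional: bring BPDU-guard-disabled ports back automatically
errdisable recovery cause bpduguard
!
! Verify
! show spanning-tree inconsistentports
! show spanning-tree summary
```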
Dynamic NAT
To define the pool of public addresses, use the ip nat pool command:
Gateway(config)#ip nat pool public-access 199.99.9.40 199.99.9.62
netmask 255.255.255.224
Step 8 Define an access list that will match the inside private IP addresses
To define the access list to match the inside private addresses, use the
access list command:
Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Step 9 Define the NAT translation from inside list to outside pool
To define the NAT translation, use the ip nat inside source command:
Gateway(config)#ip nat inside source list 1 pool public-access
int fa0/0
ip add <ip & subnet>
ip nat inside <or outside>
convert from private to public for an IP (from a server) that needs internet
access/wan
ip nat inside source static <internal ip> <external ip>
Display active translation
router#show ip nat translations [verbose]
router#show ip nat stat
Debug ip nat
Debug ip nat detailed
Overloading
Overloading is configured in two ways depending on how public IP addresses have been
allocated. An ISP can allocate a network only one public IP address, and this is typically assigned
to the outside interface which connects to the ISP. Figure shows how to configure overloading
in this situation.
Another way of configuring overload is if the ISP has given one or more public IP addresses for
use as a NAT pool. This pool can be overloaded as shown in the configuration in Figure .
Figure shows an example configuration of PAT.
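The figures referred to above are not on the page; the following is an added example of both overload forms (single interface address, and an ISP-assigned pool), together with the static mapping and inside/outside marking from the notes. It is not from the original notes; the interfaces and addresses are assumptions, and the static address is deliberately kept out of the pool range.

```cisco
! Added example: NAT overload (PAT) in both forms, plus a static mapping for a server.
interface FastEthernet0/0
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface Serial0/0/0
 description ISP
 ip address 199.99.9.2 255.255.255.252
 ip nat outside
!
! Only hosts matched here are translated; keep it tight so management or server
! ranges are not NATed (and thereby given Internet reachability) by accident
access-list 1 permit 10.10.10.0 0.0.0.255
!
! Form 1: the ISP gave a single address -> overload the outside interface's address
ip nat inside source list 1 interface Serial0/0/0 overload
!
! Form 2 (use instead of form 1): the ISP gave a pool -> overload the pool
! ip nat pool public-access 199.99.9.40 199.99.9.62 netmask 255.255.255.224
! ip nat inside source list 1 pool public-access overload
!
! Server that must be reachable from outside: fixed one-to-one translation
! (199.99.9.35 is outside the pool so dynamic users can never be handed it)
ip nat inside source static 10.10.10.50 199.99.9.35
!
! Verify
! show ip nat translations verbose
! show ip nat statistics
```

The static entry makes 10.10.10.50 reachable on every port from the Internet; pair it with an inbound ACL on Serial0/0/0 that permits only the service the server actually offers.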
-------------------------------------------------------------------------------------
DHCP
router(config)#ip dhcp pool <name ex. NET(range)> --> specifies the DHCP pool
router(dhcp-config)#network <IP & Subnet>--> specifies the range
----------
Configure DHCP excluding IP
-------------------------------
To get a DHCP from the server that is on a different network ex. server on
172.17.1.0 clients on 172.16.1.0
--look at last slide for ip helpers in module 1
Use the ip helper-address command to relay broadcast requests for these key UDP
services. -> Routers do not forward broadcasts, so a DHCP DISCOVER never reaches a server on another
subnet on its own; the helper address turns the broadcast into a unicast to the server.
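The following completes the DHCP notes above with a pool, excluded addresses and a relay on the client-side router, using the 172.17.1.0 server / 172.16.1.0 client layout from the text. It is an added example, not from the original notes; the server address, interface names and option values are assumptions.

```cisco
! Added example: DHCP server router (on 172.17.1.0/24) serving a remote client subnet.
! Keep the gateway and a block for static devices out of the pool
ip dhcp excluded-address 172.16.1.1 172.16.1.20
ip dhcp pool NET172-16-1
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
 dns-server 172.17.1.10
 lease 1
!
! --- Client-side router, interface facing the 172.16.1.0/24 hosts ---
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip helper-address 172.17.1.5
!
! ip helper-address forwards several UDP broadcast services by default, not only
! DHCP/BOOTP (also TFTP, DNS, TIME, NetBIOS name/datagram, TACACS, IEN-116).
! Turn off the ones the remote subnet does not need so they are not relayed into the server LAN
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
!
! Verify: on the server "show ip dhcp binding" and "show ip dhcp pool";
! on the relay "debug ip dhcp server packet" shows the relayed DISCOVER/OFFER
```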
6.2.7. Configuring SNMP
In order to have the NMS communicate with networked devices, the devices must have
SNMP enabled and the SNMP community strings configured. These devices are
configured using the command line syntax described in the following paragraphs.
More than one read-only string is supported. The default on most systems for this
community string is public. It is not advisable to use the default value in an enterprise
network. To set the read-only community string used by the agent, use the following
command:
Router(config)#snmp-server community string ro
• String – Community string that acts like a password and permits access to the
SNMP protocol
• ro – (Optional) Specifies read-only access. Authorized management stations are
only able to retrieve MIB objects.
More than one read-write string is supported. All SNMP objects are available for write
access. The default on most systems for this community string is private. It is not
advisable to use this value in an enterprise network. To set the read-write community
string used by the agent, use the following command:
Router(config)#snmp-server community string rw
• rw – (Optional) Specifies read-write access. Authorized management stations are
able to both retrieve and modify MIB objects
There are several strings that can be used to specify location of the managed device and
the main system contact for the device.
Router(config)#snmp-server location text
Router(config)#snmp-server contact text
• text – String that describes the system location information
These values are stored in the MIB objects sysLocation and sysContact .
SNMP Configuration (string values are private or public) other apps to monitor
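The following shows the community-string configuration above done the way the text recommends (no default strings) and tightened further with an ACL that limits which station may use the string, plus the SNMPv3 equivalent, which goes beyond the page in that the community string is replaced by an authenticated, encrypted user. It is an added example, not from the original notes; the NMS address, names and passwords are assumptions.

```cisco
! Added example: SNMP hardened. Only the NMS may talk SNMP, read-only, and never "public"/"private".
access-list 10 permit host 10.1.1.50
access-list 10 deny   any log
!
! Read-only community tied to ACL 10; no read-write community is configured at all
snmp-server community Xk7-mon-ro ro 10
no snmp-server community public
no snmp-server community private
snmp-server location Building 2, rack 4
snmp-server contact noc@example.com
!
! SNMPv3 (authPriv) for an NMS that supports it: SHA authentication, AES-128 privacy,
! still restricted to ACL 10. Community strings can be removed once the NMS is moved over.
snmp-server group NMS-RO v3 priv
snmp-server user nmsuser NMS-RO v3 auth sha Auth-Pass-123 priv aes 128 Priv-Pass-123 access 10
!
! Verify
! show snmp community
! show snmp group
! show snmp user
```

A read-write community with the default string is equivalent to an unauthenticated enable password: anything that can reach UDP/161 can rewrite the configuration via the CISCO-CONFIG-COPY MIB, which is why the example configures none.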
Host commands
C:\host1>arp -a        (Windows; arp -an on Unix-like hosts)
Route commands
Netstat
Route print and other route commands
Ping Sweep
Another method for collecting MAC addresses is to employ a ping sweep across a
range of IP addresses. A ping sweep is a scanning method that can be executed at
the command line or by using network administration tools. These tools provide a
way to specify a range of hosts to ping with one command.
Using the ping sweep, network data can be generated in two ways. First, many of
the ping sweep tools construct a table of responding hosts. These tables often list
the hosts by IP address and MAC address. This provides a map of active hosts at the
time of the sweep.
As each ping is attempted, the host sends an ARP request to resolve the target IP address to a MAC
address, and the answer is stored in the ARP cache. This refreshes the entry for every host that
responds and ensures that the ARP table is current. The arp command can return the table of MAC
addresses, as discussed above, but now there is reasonable confidence that the ARP table is up-to-date.
SDM Configuration
Use the following process to access SDM for the first time . This procedure assumes that an
out-of-box router with SDM installed is being used, or that a default SDM configuration was
loaded into flash.
Step 1
Connect a PC to the lowest number LAN Ethernet port of the router using a cross-over cable.
Step 2
Assign a static IP address to the PC. It is recommended to use 10.10.10.2 with a 255.255.255.0
subnet mask.
Step 3
Launch a supported web browser.
Step 4
Use the URL https://10.10.10.1. A login prompt will appear.
Step 5
Log in using the default user account:
Username: sdm
Password: sdm
The SDM startup wizard opens, requiring a basic network configuration to be entered . To
access SDM after the initial startup wizard is completed, use either http: or https:, followed by
the router IP address.
When you enter https: it specifies that the Secure Sockets Layer (SSL) protocol be used for a
secure connection. If SSL is not available, http: can be used to access the router, but the sdm
credentials and the configuration then cross the network in clear text, so do that only from a directly
connected management host.
Once the WAN interface is configured, SDM is accessible through a LAN or WAN interface.
NOTE:
The startup wizard information needs to be entered only once and will only appear when a
default configuration is detected.
Troubleshooting SDM Access
Use the following tips to troubleshoot SDM access problems:
• First determine if there is a web browser problem by checking the following:
○ Are Java and JavaScript enabled on the browser? Enable them.
○ Are popup windows being blocked? Disable popup blockers on the PC, since
SDM requires popup windows.
○ Are there any unsupported Java plug-ins installed and running? Disable them
using the Windows Control Panel.
• Is the router preventing access? Remember that certain configuration settings are required
for SDM to work. Check the following:
○ Is one of the default configurations being used, or is an existing router
configuration being used? Sometimes new configurations disable SDM access.
○ Is HTTP server enabled on the router? If it is not, enable it and check that other
SDM prerequisite parameters are configured as well. Refer to the "Downloading
and Installing Cisco SDM" document for the required settings. This document can
be found at the weblink below.
○ Did SDM access work before, but now it does not? Ensure that the PC is not being
blocked by a new ACL. Remember that SDM requires HTTP, SSH, and Telnet
access to the router, which could have been inadvertently disabled in a security
lockdown.
• Is SDM installed?
○ The quickest way to determine this is to access it using the appropriate HTTP or
HTTPS method https://<router IP address>/flash/sdm.shtml.
○ Use the show flash command to view the flash file system and make sure that the
required SDM files are present.
Refer to NS1 labs
PIX
The primary rule for security levels is that an interface with a higher security level
can access an interface with a lower security level. Conversely, an interface with a
lower security level cannot access an interface with a higher security level without
an access control list (ACL). Security levels range from 0 to 100.
• Higher security level interface to a lower security level interface – For traffic originating
from the inside interface of the PIX with a security level of 100 to the outside interface of
the PIX with a security level of 0, all IP-based traffic is allowed unless it is restricted by
ACLs, authentication, or authorization.
• Lower security level interface to a higher security level interface – For traffic originating
from the outside interface of the PIX with a security level of 0 to the inside interface of
the PIX with a security level of 100,all packets are dropped unless specifically allowed
by an access-list command. The traffic can be restricted further if authentication and
authorization is used.
• Same secure interface to a same secure interface – No traffic flows between two
Interfaces with the same security level.
• hostname – assigns a hostname to the PIX.
• interface – Configures the type and capability of each perimeter interface.
• nameif – Assigns a name to each perimeter interface.
• ip address – Assigns an IP address to each interface.
• security level – Assigns the security level for the perimeter interface.
• speed – Assigns the connection speed.
• duplex – Assigns the duplex communications.
In the interface configuration sub-commands, hardware speed and duplex, interface
name, security level, IP address, and many other settings can be configured. For an
interface to pass traffic, the nameif, ip address, security-level, and no
shutdown interface configuration sub-commands are necessary.
nameif assigns a name to each interface on the PIX Security Appliance. The first
two interfaces have the default names inside and outside
If it is necessary that interfaces with the same security level are able to
communicate, use the same-security-traffic command. Two interfaces could be
assigned to the same level to allow them to communicate without using NAT
Static routes can be created to access specific networks beyond the locally
connected networks. For example, in Figure , PIX Security Appliance sends all
packets destined to the 10.0.1.0 255.255.255.0 network out the inside interface to
the router at IP address 10.0.0.102. This static route was created by using the
command route inside 10.0.1.0 255.255.255.0 10.0.0.102 1. The router knows
how to route the packet to the destination network of 10.0.1.0.
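The following brings the interface sub-commands and the static route described above together into a three-interface PIX configuration (PIX 7.x syntax, matching the show run commands used later on this page). It is an added example, not from the original notes or the course figures; the hostname, addresses and next hops are assumptions.

```cisco
! Added example: PIX with inside (100), dmz (50) and outside (0) interfaces.
hostname pix1
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.0.2 255.255.255.0
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
 no shutdown
!
! Interfaces at the same security level stay isolated unless this is added:
! same-security-traffic permit inter-interface
!
! Default route toward the ISP router, and the inside network behind router 10.0.0.102
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route inside 10.0.1.0 255.255.255.0 10.0.0.102 1
!
! Verify
! show interface
! show nameif
! show route
```

With only this in place, inside and dmz hosts can open connections outward (higher to lower) and nothing can come in; every inbound flow still needs an explicit access-list and, where the destination uses a private address, a static translation.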
Commonly Used show Commands
The show memory command displays a summary of the maximum physical memory, current
used memory, and current free memory available to the PIX Security Appliance operating
system.
The show cpu usage command displays CPU use.
Use the show version command to display the PIX Security Appliance software version,
operating time since the last reboot, processor type, Flash memory type, interface boards, serial
number, BIOS identification, and activation key value .
The show ip address command is used to view the IP addresses that are assigned to the network
interfaces.
The show interface command is used to view network interface information. This is one of the
first commands that should be used when trying to establish connectivity.
Use the show nameif command to view the named interfaces. In Figure , the first two
interfaces have the default names inside and outside. The inside interface has a default security
level of 100, and the outside interface has a default security level of 0. Ethernet2 is assigned a
name of dmz with a security level of 50.
If it is necessary to allow internal hosts to be able to ping external hosts, an ACL for
echo reply is necessary. If pings through the PIX Security Appliance between hosts
or routers are not successful, use the debug icmp trace command to monitor the
success of the ping.
The show run nat command displays the single host or range of hosts to be translated. In Figure
, all hosts on the 10.0.0.0 network will be translated when traversing the PIX Security
Appliance. The nat-id is 1.
The show run global command displays the global pools of addresses configured in the PIX
Security Appliance. In Figure there is currently one pool configured. The pool is configured on
the outside interface. The pool has an IP address range of 192.168.0.20 to 192.168.0.254. The
nat_id is 1.
The show xlate command displays the contents of the translation slot. In Figure , the number
of currently used translations is 1 with a maximum count of 1. The current translation is a local
IP address of 10.0.0.11 to a global IP address of 192.168.0.20.
NTP
The ntp server command synchronizes the PIX Security Appliance with a specified network
timeserver . The PIX can be configured to require authentication before synchronizing with the
NTP server. To enable and support authentication, there are several forms of the ntp command
that work with the ntp server command. Additional information about the ntp command forms
and their uses is available in the Command Reference.
The show run ntp command can be used to display the current NTP configuration. The show
ntp status
• 0 – emergencies – System unusable messages
• 1 – alerts – Take immediate action
• 2 – critical – Critical condition
• 3 – errors – Error message
• 4 – warnings – Warning message
• 5 – notifications – Normal but significant condition
• 6 – informational – Information message
• 7 – debugging – Debug messages and log FTP commands and WWW URLs
The show logging Command
Use the show logging command to see the logging configuration and any
internally buffered messages. Use the clear logging
Two Interfaces with NAT
In Figure , the first nat command statement permits all hosts on the 10.0.0.0 network to start
outbound connections using the IP addresses from a global pool. The second nat command
statement permits all hosts on the 10.2.0.0 network to do the same. The nat_id in the first nat
command statement tells the PIX Security Appliance to translate the 10.0.0.0 addresses to those
in the global pool containing the same nat_id . Likewise, the nat_id in the second nat command
statement tells the PIX to translate addresses for hosts on network 10.2.0.0 to the addresses in the
global pool containing nat_id 2.
Three Interfaces with NAT
In Figure , the first nat command statement enables hosts on the inside interface, which has a
security level of 100, to start connections to hosts on interfaces with lower security levels. In this
case, that includes hosts on the outside interface and hosts on the demilitarized zone (DMZ). The
second nat command statement enables hosts on the DMZ, which has a security level of 50, to
start connections to hosts on interfaces with lower security levels. In this case, that includes only
the outside interface.
Because both global pools and the nat (inside) command statement use a nat_id of 1, addresses
for hosts on the 10.0.0.0 network can be translated to those in either global pool. Therefore, when
users on the inside interface access hosts on the DMZ, their source addresses will be translated to
addresses in the 172.16.0.20−172.16.0.254 range from the global (dmz) command statement.
When they access hosts on the outside, their source addresses will be translated to addresses in
the 192.168.0.20−192.168.0.254 range from the global (outside) command statement.
When users on the DMZ access hosts on the outside, their source addresses will always be
translated to addresses in the 192.168.0.20−192.168.0.254 range from the global (outside)
command statement.
Use the static command for outbound connections that must be mapped to the
same global IP address.
the address 192.168.0.9 is not translated. When the command nat (DMZ) 0
192.168.0.9 255.255.255.255 is entered, the PIX Security Appliance displays the
following message:
NAT 0 enables the Internet server address to be visible on the outside interface. The
administrator also needs to add a static in combination with an access-list to
allow users on the outside to connect with the Internet server.
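The following implements the three-interface NAT design described above (one nat_id for inside hosts with a global pool per lower-security interface, a second nat_id for DMZ hosts) and adds the static plus access-list pair the text says is needed for an outside-reachable server. It is an added example, not from the original notes or figures; the address ranges and the server's addresses are assumptions.

```cisco
! Added example: PIX NAT for inside and DMZ hosts, plus an inbound static for a DMZ web server.
! Inside hosts: nat_id 1 with one pool per destination interface
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254
global (dmz) 1 172.16.0.20-172.16.0.254
!
! DMZ hosts going to the outside: their own nat_id and pool
nat (dmz) 2 172.16.0.0 255.255.255.0
global (outside) 2 192.168.0.10-192.168.0.19
!
! DMZ web server 172.16.0.9 appears on the outside as 192.168.0.9 (fixed mapping),
! and only TCP/80 to it is permitted inbound; everything else from outside stays dropped
static (dmz,outside) 192.168.0.9 172.16.0.9 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.168.0.9 eq www
access-group OUTSIDE_IN in interface outside
!
! Verify: current translations, connections and the NAT configuration
! show xlate
! show conn
! show run nat
! show run global
! show run static
```

The access-list references the translated (global) address because on PIX 7.x the ACL is evaluated before the translation is undone; permitting the server's real 172.16.0.9 would match nothing.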
The show conn command displays information about the active TCP connections.
To configure OSPF on the PIX Security Appliance requires the administrator to do the following:
• Enable OSPF
• Define the PIX Security Appliance interfaces on which OSPF runs
• Define OSPF areas
Enable OSPF
To enable OSPF routing, use the router ospf command. The syntax for the router ospf
command is shown in Figure .
The PIX Security Appliance can be configured for one or two processes, or OSPF routing
domains. If the PIX is functioning as an ABR and it is configured for one process, the PIX will
pass type 3 LSA between defined OSPF areas. In the example in Figure , the PIX is configured
for one OSPF process, OSPF 1.
Define Network Interfaces
To define the interfaces on which OSPF runs and the area ID for those interfaces, use the
network area subcommand.
The syntax for the network area command is shown in Figure .
To configure the FWSM, the following tasks must be completed:
• Initialize the FWSM.
• Configure the switch VLANs.
• Associate VLANs with the FWSM.
The switch CLI is accessible through a Telnet connection to the switch or through the switch
console interface.
Verify FWSM Installation
Before the FWSM can be used, it must be verified that the card is installed and recognized by the
switch. Enter the show module command to verify that the system acknowledges the new
module and has brought it online .
The syntax for the show module command is shown in Figure .
Configure the Switch VLANs
The FWSM does not include any external physical interfaces. Instead, it uses VLAN interfaces.
Hosts are connected to physical switch ports, and VLANs are assigned to those ports. To prevent
mismatched VLANs, the administrator should first configure a VLAN on the MSFC, and then
configure the VLANs on the FWSM. VLAN IDs must be the same for the switch and the
FWSM. After the MSFC VLAN is configured, specific VLANs can be associated with a FWSM.
The first step was to add VLANs to the MSFC. The next step is to associate VLANs to be
inspected by the FWSM. A VLAN can be linked with a specific FWSM by using the firewall
command.
The firewall vlan-group command creates a group of firewall VLANs named by the vlan-group
parameter. The syntax for the firewall vlan-group command is shown in Figure .
Once a group of VLANs are assigned to a group, the firewall module command associates a
VLAN group with a specific FWSM.
The syntax for the firewall module command is shown in Figure
In the example in Figure , VLANs 100, 200, and 300 have been placed into Firewall VLAN-
group 1. The FWSM in slot 4 is associated with VLAN-group 1, VLANs 100, 200, and 300.
Verify the MSFC Configuration
The administrator can verify that the MSFC is properly configured for interaction with the
FWSM. The show firewall vlan-group command verifies which VLANs are assigned to each
firewall VLAN-group. The show firewall module command verifies that the VLAN-groups are
assigned to the associated slot where the FWSM resides.
Configure the FWSM Interfaces
The FWSM is now installed. The MSFC VLANs are configured. The FWSM VLANs are
associated with a specific FWSM. The next step is to configure the security policy on the
FWSM. The FWSM can be accessed by using the session command. Use the default password
cisco for the FWSM when prompted. A prompt for an enable mode password is then displayed.
By default, there is no password, and the Enter key can be pressed to access the enable mode. It
is recommended that you change the enable password to a valid value and use this for future
access to this mode.
Once on the FWSM, standard security appliance commands are used to configure interface
names, add security levels, and specify IP addresses.
The example in Figure shows the nameif command associating VLAN 100 with the
outside interface at security level 0, VLAN 200 with the inside interface, and VLAN 300 with
the dmz interface. In all cases, the ip address command then assigns an IP address to each
interface.
Configure A Default Route
A default route may also need to be added. In the example in Figure , a default route is created,
pointing to the VLAN 100 interface of the MSFC.
It may also be necessary to create static routes. Multiple context mode does not support dynamic
routing, so static routes must be used to reach any networks to which the FWSM is not directly
connected, such as when a router is between the destination network and the FWSM.
Static routes might be appropriate in single context mode if:
• The network uses a routing protocol other than RIP or OSPF.
• The network is small and static routes can be easily managed.
• The traffic or CPU overhead associated with routing protocols is to be avoided.
Configure the FWSM access-lists
The administrator needs to create ACLs to allow outbound as well as inbound traffic because the
FWSM, unlike the security appliances, denies all inbound and outbound connections that are not
explicitly permitted by ACLs. Explicit access rules need to be configured using the access-list
command and attached to the appropriate interface using the access-group command to allow
traffic to pass through that interface. Traffic that has been permitted into an interface can exit
through any other interface. Return traffic matching the session information is permitted without
an explicit ACL.
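The following is an added example that strings the steps above together; it is not taken from the page or from a Cisco document. It uses the VLANs 100, 200, 300 and slot 4 from the text. The IP addresses, the security levels for inside and dmz, the ACL names, the DMZ web server and the enable password are assumptions, and the FWSM side uses the PIX 6.x-style syntax of FWSM 2.x that this page describes.

```cisco
! --- Catalyst 6500 (MSFC/supervisor) side ---
Switch# show module                        ! the FWSM must be listed and "Ok" before anything else
Switch# configure terminal
Switch(config)# vlan 100
Switch(config-vlan)# exit
Switch(config)# vlan 200
Switch(config-vlan)# exit
Switch(config)# vlan 300
Switch(config-vlan)# exit
Switch(config)# firewall vlan-group 1 100,200,300     ! group the firewall VLANs
Switch(config)# firewall module 4 vlan-group 1        ! hand the group to the FWSM in slot 4
Switch(config)# interface vlan 100
Switch(config-if)# ip address 192.168.1.1 255.255.255.0   ! MSFC side of the "outside" VLAN (assumed)
Switch(config-if)# end
Switch# show firewall vlan-group                      ! VLANs 100,200,300 in group 1
Switch# show firewall module                          ! group 1 bound to slot 4
Switch# session slot 4 processor 1                    ! log in to the FWSM (default password: cisco)

! --- FWSM 2.x side ---
FWSM> enable                                          ! no enable password by default: set one now
FWSM# configure terminal
FWSM(config)# enable password <strong-password>
FWSM(config)# nameif vlan100 outside security0
FWSM(config)# nameif vlan200 inside security100
FWSM(config)# nameif vlan300 dmz security50
FWSM(config)# ip address outside 192.168.1.2 255.255.255.0
FWSM(config)# ip address inside 10.1.1.1 255.255.255.0
FWSM(config)# ip address dmz 172.16.1.1 255.255.255.0
FWSM(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1 1  ! default route to the MSFC VLAN 100 interface
! The FWSM permits nothing in either direction without an ACL, so outbound needs one too
FWSM(config)# access-list INSIDE_OUT permit ip 10.1.1.0 255.255.255.0 any
FWSM(config)# access-group INSIDE_OUT in interface inside
! Inbound: only HTTP to the DMZ web server (address assumed); return traffic needs no ACE
FWSM(config)# access-list OUTSIDE_IN permit tcp any host 172.16.1.10 eq www
FWSM(config)# access-group OUTSIDE_IN in interface outside
FWSM(config)# show access-list
```

Change the FWSM login password as well as the enable password before the module carries traffic; both defaults are documented and the session command is reachable from the switch console.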
Firewall Services Module Operation
3.8.3 Using PDM with the FWSM
PDM v. 4.0 can be used to configure and monitor FWSM v. 2.2. Figure shows the steps
needed to prepare the FWSM to use PDM. Be sure to initialize the FWSM before
attempting to install PDM.
• Use the copy tftp flash command to copy the PDM image into FWSM flash
copy tftp://10.1.1.1/pdm-XXX.bin flash:pdm
(where XXX = pdm image version number)
• Enable the http server on the FWSM. Without it, PDM will not start.
http server enable
• Identify the specific hosts/networks that can access the FWSM using HTTP.
http 10.1.1.0 255.255.255.0 inside
Hosts from network 10.1.1.0/24 (on the inside interface) are permitted HTTP access to the FWSM.
• Launch the browser and enter the following address:
https://10.1.1.1 (FWSM inside interface)
Resetting and Rebooting the FWSM
If the module cannot be reached through the CLI or an external Telnet session, enter the
hw-module module module_number reset command to reset and reboot the module. The
reset process requires several minutes. The syntax for the command is shown in Figure .
The example in Figure shows how to reset the module, installed in slot 4, from the CLI.
When the FWSM initially boots, by default it runs a partial memory test. To perform a full
memory test, use the hw-module module module_number mem-test-full command. The
syntax of the command is shown in Figure .
A full memory test takes more time to complete than a partial memory test depending on
the memory size. The table in Figure lists the memory and approximate boot time for a
long memory test.
PIX ACLs
The show access-list command also lists a hit count that indicates the number of times an
element has been matched during an access-list command search.
The clear access-list id counters command clears the hit count for the specified ACL; with
the counters option but no ACL named, the counters of all access lists are cleared. Note that
clear access-list without the counters option removes access-list statements from the
configuration rather than resetting counters, so check the form of the command before using it.
The no access-list command removes an access-list command from the configuration. If all of
the access-list command statements in an ACL group are removed, the no access-list command
also removes the corresponding access-group command from the configuration.
The access-list mode command allows the administrator to specify whether a defined ACL
becomes active immediately (auto-commit) or only when explicitly committed (manual-commit).
The access-list commit command activates the previously created ACL entries.
Use the access-list id line line-num command to insert an access-list command
statement, and the no access-list id line line-num command to delete an access-
list command statement. Line numbers are maintained internally in increasing
order, starting from 1. A user can insert a new entry between two consecutive ACEs
by choosing the line number of the ACE with the higher line
In Figure , the users in the corporate office wish to communicate with the branch
site over a VPN tunnel. To accomplish this, the administrator employs nat 0
access-list. The IP source network, 10.0.0.0/24, and IP destination network,
10.200.0.0/24, are defined in the ACL. The ACL is applied to the nat 0 command.
Any VPN traffic originating at 10.0.0.0/24 and destined for 10.200.0.0/24 is not
translated by the PIX.
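An added example for the PIX ACL section above (not from the page): it shows line-number insertion and deletion, hit counters, the FWSM commit mode, and the nat 0 exemption with the 10.0.0.0/24 and 10.200.0.0/24 networks from the text. The ACL names, the server 192.168.1.11 and the PAT to the outside interface are assumptions; the syntax is the PIX 6.3 / FWSM 2.x style used in this section.

```cisco
! Inbound ACL on the outside interface
pix(config)# access-list ACL_IN permit tcp any host 192.168.1.11 eq www
pix(config)# access-list ACL_IN deny ip any any
! Insert an ACE ahead of the deny: the deny is line 2 now, the new entry takes line 2 and pushes it down
pix(config)# access-list ACL_IN line 2 permit tcp any host 192.168.1.11 eq ftp
pix(config)# access-group ACL_IN in interface outside
pix(config)# show access-list ACL_IN            ! each ACE shows (hitcnt=N)
pix(config)# clear access-list ACL_IN counters  ! reset the hit counts only
! Delete one ACE by line number; removing the last ACE of the list also removes its access-group
pix(config)# no access-list ACL_IN line 2 permit tcp any host 192.168.1.11 eq ftp
!
! FWSM only: in manual-commit mode edits are staged until committed
FWSM(config)# access-list mode manual-commit
FWSM(config)# access-list ACL_IN line 2 permit tcp any host 192.168.1.11 eq ftp
FWSM(config)# access-list commit
!
! NAT exemption for the VPN: corporate 10.0.0.0/24 to branch 10.200.0.0/24 is not translated.
! nat 0 access-list is evaluated before the other nat statements, so the PAT below catches the rest.
pix(config)# access-list NONAT permit ip 10.0.0.0 255.255.255.0 10.200.0.0 255.255.255.0
pix(config)# nat (inside) 0 access-list NONAT
pix(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pix(config)# global (outside) 1 interface
```

The exemption ACL should be exactly the VPN crypto ACL's address pairs; if it is wider, traffic that is not part of the tunnel leaves untranslated with private source addresses.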
ActiveX Filtering
Another application that can be filtered by the PIX Security Appliance in order to protect against
malicious applets is ActiveX. ActiveX controls are applets that can be inserted in Web pages or
other applications. They were formerly known as Object Linking and Embedding (OLE) or
Object Linking and Embedding Control (OCX). ActiveX controls create a potential security
problem because they provide a way for someone to attack servers. Due to this security threat,
administrators have the option of using the PIX to block all ActiveX controls.
The filter {activex | java} command filters out ActiveX or Java usage from outbound packets. In
the example in Figure , the command specifies that ActiveX is being filtered on port 80 from
any internal host and for connection to any external host. The Command Reference provides
more information about the commands and syntax for blocking ActiveX or Java.
Use the url-server command to designate the server on which the URL filtering application runs,
and then enable the URL filtering service with the filter url command.
PIX Security Appliance Software Versions 6.1 and earlier do not support the filtering of URLs
longer than 1159 bytes. PIX version 6.2 supports the filtering of URLs up to 6 KB for the
Websense filtering server. The maximum allowable length of a single URL can be increased by
entering the url-block url-size command. This option is available with Websense URL filtering
only.
HTTPS and FTP Filtering
This feature extends Web-based URL filtering to HTTPS and FTP. The filter ftp and filter https
commands were added to the filter command in PIX Security Appliance Software Version 6.3.
The filter ftp command enables FTP filtering. The filter https command enables HTTPS
filtering. The filter ftp and filter https commands are available with Websense URL filtering
only.
The example command in Figure instructs the PIX Security Appliance to send all URL
requests to the URL filtering server to be filtered. The allow option in the filter command is
crucial to the use of the PIX URL filtering feature. If the allow option is used and the URL
filtering server goes offline, the PIX lets all FTP and HTTPS URL requests continue without
filtering. If the allow option is not specified, all FTP and HTTPS URL requests are stopped until
the server is back online.
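An added example (not from the page) covering the ActiveX/Java, URL, HTTPS and FTP filtering commands described above on a PIX running 6.3. The Websense server address, its timeout and version, and the url-block size are assumptions.

```cisco
! Strip ActiveX and Java applets from HTTP (port 80) for every inside host to every outside host
pix(config)# filter activex 80 0 0 0 0
pix(config)# filter java 80 0 0 0 0
!
! Designate the Websense server on the inside (address assumed), then enable URL filtering
pix(config)# url-server (inside) vendor websense host 10.0.0.3 timeout 5 protocol TCP version 4
pix(config)# filter url http 0 0 0 0 allow        ! send every HTTP URL request to the server
pix(config)# filter https 443 0 0 0 0 allow       ! 6.3+: HTTPS filtering, Websense only
pix(config)# filter ftp 21 0 0 0 0 allow          ! 6.3+: FTP filtering, Websense only
pix(config)# url-block url-size 4                 ! accept URLs up to 4 KB (Websense only)
pix(config)# show url-server stats                ! confirm the server is UP and counting requests
```

The allow keyword is a fail-open choice: if the Websense server goes offline, users keep browsing unfiltered. Omit it only where blocking all web access during an outage is acceptable; either way, monitor show url-server stats so an outage is noticed.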
9.2.2
Getting started with object groups
Complete the following steps to configure an object group and to use it in the
configuration of ACLs:
Step 1 Use the object-group command to enter the appropriate subcommand mode for
the type of group to be configured. All subcommands entered from the subcommand
prompt apply to the object group identified by the object-group command.
Step 2 In subcommand mode, define the members of the object group. In subcommand
mode, object grouping subcommands as well as all other PIX Security Appliance
commands can be entered, including show commands and clear commands. Enter a
question mark (?) in the subcommand mode to view the permitted subcommands.
Step 3 (Optional) Use the description subcommand to describe the object group.
Step 4 Return to configuration mode by entering the exit command or the quit command.
When any valid configuration command other than one designed for object grouping is
entered, the subcommand mode is terminated.
Step 5 (Optional) Use the show object-group command to verify that the object group
has been configured successfully. This command displays a list of the currently configured
object groups of the specified type. Without a parameter, the command displays all object
groups.
Step 6 Apply the object group to the access-list command. Replace the parameters of the
access-list command with the corresponding object group, as summarized in Figure .
Step 7 (Optional) Use the show access-list command to display the expanded ACEs.
The group-object command is used to construct hierarchical, or nested, object groups. The
group-object command, which is not to be confused with the object-group command, places
one object group into another .
The difference between object groups and group objects is as follows:
• An object group is a group consisting of objects.
• A group object is an object in a nested group and is itself a group.
Nested Object Group Examples
In Figure , the access-list named ALL enables all hosts in HOSTGROUP1 and
HOSTGROUP2 to make outbound FTP connections. Without nesting, all the IP addresses in
HOSTGROUP1 and HOSTGROUP2 would have to be redefined in the ALLHOSTS group. With
nesting, however, the duplicated definitions of the hosts are eliminated.
Figure illustrates multiple nested object groups configured so that one ACL entry enables
remote hosts 172.26.26.50 and 172.26.26.51 to initiate FTP and SMTP connections to all local
hosts in the ALLHOSTS group. Note that with object grouping configured, only one ACL entry
is required.
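An added example (not from the page) that walks the seven object-group steps above and builds the nested example: HOSTGROUP1 and HOSTGROUP2 nested in ALLHOSTS, outbound FTP from ALLHOSTS, and inbound FTP/SMTP from the remote hosts 172.26.26.50 and 172.26.26.51 to ALLHOSTS. The members of HOSTGROUP1 and HOSTGROUP2 and the names REMOTES and FTP_SMTP are assumptions.

```cisco
pix(config)# object-group network HOSTGROUP1
pix(config-network)# description first set of local hosts (addresses assumed)
pix(config-network)# network-object host 10.1.1.10
pix(config-network)# network-object host 10.1.1.11
pix(config-network)# exit
pix(config)# object-group network HOSTGROUP2
pix(config-network)# network-object 10.1.2.0 255.255.255.0
pix(config-network)# exit
! Nest both groups with group-object instead of repeating their members
pix(config)# object-group network ALLHOSTS
pix(config-network)# group-object HOSTGROUP1
pix(config-network)# group-object HOSTGROUP2
pix(config-network)# exit
pix(config)# object-group network REMOTES
pix(config-network)# network-object host 172.26.26.50
pix(config-network)# network-object host 172.26.26.51
pix(config-network)# exit
pix(config)# object-group service FTP_SMTP tcp
pix(config-service)# port-object eq ftp
pix(config-service)# port-object eq smtp
pix(config-service)# exit
! One ACE: outbound FTP from every local host
pix(config)# access-list ALL permit tcp object-group ALLHOSTS any eq ftp
pix(config)# access-group ALL in interface inside
! One ACE: inbound FTP and SMTP from the two remote hosts to every local host
pix(config)# access-list INBOUND permit tcp object-group REMOTES object-group ALLHOSTS object-group FTP_SMTP
pix(config)# access-group INBOUND in interface outside
pix(config)# show object-group network
pix(config)# show access-list INBOUND          ! prints the expanded ACEs, one per host/port pair
```

Review the expanded output of show access-list after every change to a nested group: adding one host to HOSTGROUP2 silently widens every ACL that references ALLHOSTS.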
• show object-group
• no object-group
• clear object-group
9.3.2
Configure a class map
The class-map command is used to classify a set of traffic with which security actions
may be associated. Configuring a class map is a two-step process. The steps are to name a
class of traffic and define the attributes of the traffic. A name is assigned to each
individual class of traffic. For example in Figure , there are four traffic classes named.
The class-map se command identifies the remote-access VPN traffic from the system
engineers. The class-map s2s command identifies the site-to-site VPN tunnel traffic.
The syntax of the class-map commands is as follows:
class-map class_map_name
After a class of traffic is named, the characteristics of the traffic flow are identified. To be
considered part of a named class, a traffic flow must match a defined set of attributes.
There are various types of match criteria in a class map. One example of match criteria is
an access list that defines all traffic from the Internet to the DMZ. Another match is VPN
tunnel-group. This includes all members of the SE and EXEC tunnel-groups. Another such
match is a TCP or UDP port number. This could be used to define all HTTP or FTP traffic.
The following is the class matching criteria :
• match access-list – This keyword specifies to match an entry in an access-list.
• match any – This keyword specifies that all traffic is to be matched. Match any is
used in the class-default class-map.
• match dscp – This keyword specifies to match the IETF defined Differentiated
Service Code Point (DSCP) value in the IP header. This allows the administrator to
define classes based on the DSCP values carried in the TOS byte of the IP
header.
• match flow – This keyword specifies to match each IP flow within a tunnel-group.
This match command must be used in conjunction with the match tunnel-group
command.
• match port – This keyword specifies to match traffic using a TCP or UDP
destination port.
• match precedence – This keyword specifies to match the precedence value
represented by the TOS byte in the IP header. This allows the administrator to
define classes based on the precedence defined within the TOS byte in the IP
header.
• match rtp – This keyword specifies to match Real-Time Transport Protocol (RTP)
destination port. This allows the administrator to match on a UDP port number
within the specified range. The allowed range is targeted at capturing applications
likely to be using RTP.
• match tunnel-group – This keyword specifies to match tunnel traffic.
A traffic class is a set of traffic that is identifiable by its packet content. For example, TCP
traffic with a port value of 21 and 80 may be classified as an Internet traffic class.
9.3.3
Configure a policy map
The policy-map command is used to configure various policies. A policy consists of a
class command and its associated actions. The PIX Security Appliance supports one
policy per interface and one global policy. Each policy map may support multiple classes
and policy actions. In the example in Figure , there are two policy maps, the outside
policy map and the global policy map. The outside policy map supports four class maps,
these are the Internet, SE, EXEC, and S2S class maps. IDS, Inspect, police, and priority
actions are associated with the aforementioned classes. The global policy map supports
default inspection criteria for all traffic.
The following steps are used to define a policy map:
Step 1 Name the policy.
Step 2 Identify a class of traffic covered by this policy.
Step 3 Associate an action or actions with each traffic flow.
The first step is to define the policy maps. In the example in Figure , there are two
policy maps, outside and global.
The next step is to identify which traffic flows, or classes, are specified in a policy map.
Each traffic flow is identified by a class map name. In the example in Figure , the
outside policy map is identified. Internet class traffic flow is assigned to the outside policy
map.
The syntax of the policy-map commands is as follows:
policy-map policymap_name
description text
class classmap_name
The last step is to associate actions with specific traffic flows within a policy map. In the
example in Figure , the policy map name, outside, is defined. The Internet class of
traffic is defined. The administrator must next associate actions with this traffic flow. The
policy action options are to forward traffic to IDS, perform specified protocol inspections,
police the bandwidth used by the specified flow, direct the flow to the low latency queue,
or set connection parameters on these flows.
To display all of the policy map configurations or the default policy map configuration,
use the show running-config policy-map command.
More information about the syntax of the policy-map command is available in the
Command Reference.
9.3.4
Configure a service policy
To activate a policy map globally on all interfaces or on a single interface, use the service-
policy command in global configuration mode. The interface can be a VLAN interface or
a physical interface. In general, a service-policy command can be applied to any interface
that can be defined by the nameif command. To disable, use the no form of this command.
To display all currently running service policy configurations, use the show running-
config service-policy command.
To display the configured service policies and their statistics, use the show service-policy
command. Both show commands can be entered from privileged EXEC mode.
The syntax for these commands is available in the Command Reference.
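An added example (not from the page) that carries sections 9.3.2 to 9.3.4 through on PIX/ASA 7.0 syntax: three classes with different match criteria, an outside policy map that attaches inspect, set connection, police and priority actions to them, and the service-policy commands that activate the interface policy and the default global policy. The ACL, the tunnel-group SE (which must already exist), the RTP port range, the connection limits and the police rate are assumptions.

```cisco
pix(config)# access-list INTERNET_TO_DMZ extended permit ip any 172.16.1.0 255.255.255.0
!
! Step 1: name each traffic class and give it match criteria
pix(config)# class-map Internet
pix(config-cmap)# description Internet-sourced traffic to the DMZ
pix(config-cmap)# match access-list INTERNET_TO_DMZ
pix(config-cmap)# exit
pix(config)# class-map SE
pix(config-cmap)# match tunnel-group SE                  ! remote-access users of tunnel-group SE
pix(config-cmap)# match flow ip destination-address     ! one flow per VPN client; needs match tunnel-group
pix(config-cmap)# exit
pix(config)# class-map VOICE
pix(config-cmap)# match rtp 16384 16383                  ! UDP 16384-32767
pix(config-cmap)# exit
!
! Step 2: bind actions to the classes in a policy map
pix(config)# policy-map outside
pix(config-pmap)# description policy applied on the outside interface
pix(config-pmap)# class Internet
pix(config-pmap-c)# inspect http
pix(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 200
pix(config-pmap-c)# exit
pix(config-pmap)# class SE
pix(config-pmap-c)# police 256000 8000 conform-action transmit exceed-action drop
pix(config-pmap-c)# exit
pix(config-pmap)# class VOICE
pix(config-pmap-c)# priority                             ! low-latency queue
pix(config-pmap-c)# exit
pix(config-pmap)# exit
!
! Step 3: activate; one policy per interface plus one global policy
pix(config)# priority-queue outside                      ! required before priority has any effect
pix(config)# service-policy outside interface outside
pix(config)# service-policy asa_global_fw_policy global  ! the default global policy by its default name
pix(config)# show running-config policy-map
pix(config)# show service-policy interface outside       ! per-class packet and drop counters
```

The embryonic-conn-max limit is the one to set first on any class that fronts public servers: once the half-open count for a server passes it, TCP intercept answers the SYNs on the server's behalf, which is the appliance's SYN-flood defence.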
Advanced protocol inspection: how to add an inspection and set a policy
Use the ftp-map command to define which FTP commands should be blocked. After the
administrator enters the ftp-map command and a map name, the system enters the FTP map
configuration mode. The deny-request-cmd command enables the administrator to list which
FTP request commands should be blocked. In the example in Figure , the inbound_ftp ftp-map
was defined. The inbound_ftp ftp-map identifies the commands to be filtered.
In the example in Figure , the inbound_ftp ftp-map identifies six FTP request commands to
filter. The class map inbound_ftp_traffic matches traffic defined by access-list 101, FTP traffic
between any host and host 192.168.1.11, the FTP server. In the inbound policy map, the FTP
command request restrictions defined in the ftp map inbound_ftp, are associated with the
inbound_ftp_traffic class of traffic. Lastly, the inbound policy is enabled on the outside interface.
To enable enhanced HTTP inspection, use the inspect http http-map command. The enhanced
rules that apply to HTTP traffic are defined by http-map command.
9.4.5 Enhanced HTTP Inspection Configuration
Configuring enhanced HTTP inspection is a four-step process. The four steps in the process
are as follows:
Step 1 Configure the http-map command to define the enhanced HTTP inspection parameters
and the action taken when a parameter in the configured category is detected.
Step 2 Identify the flow of traffic using the class-map command. The administrator can use the
default class map, inspection_default. The administrator can also define a new traffic flow, for
example any hosts trying to access the corporate web server from the internet.
Step 3 Associate the HTTP map with a class of traffic with the policy-map command. The
administrator can use the default policy map, asa_global_fw_policy. The administrator can also
define a new policy, such as an inbound traffic policy for any hosts trying to access the corporate
web server from the internet.
Step 4 Apply the policy to an interface, or globally, using the service-policy command. The
administrator can use the default service-policy, asa_global_fw_policy. The administrator can
also define a new service policy, such as a policy for all inbound internet-sourced traffic, and
apply the service policy to the outside interface.
In the example in Figure , the administrator created a new modular policy for HTTP traffic
from the Internet to the corporate web server with an IP address of 192.168.1.11, rather than
modify the existing default global modular policy. To accomplish this, the administrator
configured a new HTTP map, class map, policy map and service policy. The administrator
created an HTTP map, inbound_http. In the HTTP map, they restricted the RFC request methods,
defined message criteria, and restricted HTTP applications. In the class map, they identified the
traffic flow with a matching ACL, access-list 102. In a new policy map, the administrator
associated the actions in the new HTTP map with traffic identified in the ACL. Lastly, the new
service policy is enabled on the outside interface.
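An added example (not from the page) that serves both the FTP map and the enhanced HTTP inspection passages above: both maps, both class maps on ACLs 101 and 102, and one inbound policy map on the outside interface, using the server 192.168.1.11 from the text. The six denied FTP commands, the HTTP limits and the choice to combine both classes in a single policy map are assumptions. The page names the FTP subcommand deny-request-cmd; the PIX 7.0 command reference spells it request-command deny, which is what is typed below.

```cisco
pix(config)# access-list 101 extended permit tcp any host 192.168.1.11 eq ftp
pix(config)# access-list 102 extended permit tcp any host 192.168.1.11 eq www
!
! FTP: refuse the request commands that let a client write, delete or rename on the server
pix(config)# ftp-map inbound_ftp
pix(config-ftp-map)# request-command deny put stou appe dele rnfr rnto
pix(config-ftp-map)# exit
!
! HTTP: enforce RFC 2616 framing, allow only GET/HEAD/POST, cap sizes, reset non-HTTP on port 80
pix(config)# http-map inbound_http
pix(config-http-map)# strict-http action reset log
pix(config-http-map)# request-method rfc get action allow
pix(config-http-map)# request-method rfc head action allow
pix(config-http-map)# request-method rfc post action allow
pix(config-http-map)# request-method rfc default action reset log
pix(config-http-map)# max-uri-length 1024 action reset log
pix(config-http-map)# max-header-length request 2048 action reset log
pix(config-http-map)# content-length min 0 max 1000000 action reset log
pix(config-http-map)# port-misuse default action reset log
pix(config-http-map)# exit
!
pix(config)# class-map inbound_ftp_traffic
pix(config-cmap)# match access-list 101
pix(config-cmap)# exit
pix(config)# class-map inbound_http_traffic
pix(config-cmap)# match access-list 102
pix(config-cmap)# exit
pix(config)# policy-map inbound
pix(config-pmap)# class inbound_ftp_traffic
pix(config-pmap-c)# inspect ftp strict inbound_ftp
pix(config-pmap-c)# exit
pix(config-pmap)# class inbound_http_traffic
pix(config-pmap-c)# inspect http inbound_http
pix(config-pmap-c)# exit
pix(config-pmap)# exit
pix(config)# service-policy inbound interface outside
pix(config)# show service-policy interface outside
```

Start every http-map entry with action log only, read the logs for a day against real client traffic, then switch to reset: a max-uri-length or content-length that is too low breaks legitimate applications before it stops an attacker.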
When there are two IGMPv2 routers on the same Ethernet segment (broadcast domain), the router with the
lowest IP address is elected the IGMP querier. (The PIM designated router on a segment, by contrast, is
the router with the highest IP address.)
Use the show ip igmp interface command to determine which version of IGMP is currently active
on an interface.
The solution is to implement IGMP snooping on high-end switches with special application-specific
integrated circuits (ASICs) that can perform the IGMP checks in hardware. CGMP is a better option for
low-end switches without special hardware.
There are basically two types of multicast routing protocols: dense mode and sparse mode:
• Dense mode protocols flood multicast traffic to all parts of the network and prune the flows where
there are no receivers, using a periodic flood-and-prune mechanism.
• Sparse mode protocols use an explicit join mechanism where distribution trees are built on
demand by explicit tree join messages sent by routers that have directly connected receivers.
The global command ip multicast-routing enables support for IP multicast on a router.
• The interface command ip pim sparse-mode enables PIM-SM operation on the selected
interface. The ip pim sparse-dense-mode command enables the interface on the router to
operate in PIM-SM for sparse-mode groups (those with known RPs) and in dense mode for other
groups.
• The global command ip pim send-rp-announce {interface type} scope {ttl}
group-list {acl} is issued on the router that you want to be an RP. This router sends an
auto-RP message to 224.0.1.39, announcing the router as a candidate RP for the groups in the
range described by the access list.
• The global command ip pim send-rp-discovery {interface type} scope {ttl}
configures the router as an RP mapping agent. It listens to the 224.0.1.39 address and sends a
RP-to-group mapping message to 224.0.1.40. Other PIM routers listen to 224.0.1.40 to
automatically discover the RP.
• The ip pim spt-threshold {rate | infinity} command controls the switchover from
the shared distribution tree to the SPT in sparse mode. The keyword infinity means the
switchover will never occur.
Note
The recommended method for configuring an interface for PIM-SM operation is to use the ip pim
sparse-dense-mode interface command. This method permits auto RP, bootstrap router (BSR), or
statically defined RPs to be used with the least configuration effort.
The show ip mroute command is the most useful command for determining the state of multicast
sources and groups from the perspective of the selected router.
When PIM-SM is configured, the first step in verifying proper operation is to check PIM-enabled interfaces
and to determine whether the PIM neighbors are correct.
You can use the following commands to accomplish this:
• show ip pim interface: Displays the information about interfaces configured for PIM.
• show ip pim neighbor: Displays the discovered PIM neighbors.
• mrinfo: Displays information on multicast routers that are peering with the local router (no
address) or with the addressed router.
show ip pim interface
The RP for a certain multicast group operating in PIM-SM has to be reachable and known to the router. In
addition to using a unicast ping, you can use the following commands when troubleshooting RP
reachability:
• show ip pim rp: Displays, without arguments, RP information on active groups. If the group
address or name is provided, only the RP information for the selected group is shown (assuming
that it is an active group).
• show ip pim rp mapping: Displays the contents of the important group-to-RP mapping
cache that contains the information about which RP is active for which group range. This cache is
populated by the auto-RP or BSR mechanisms and by static RP assignments. It is very important
to check this information to verify that the router possesses the RP mapping information
consistent with proper network operation.
• show ip rpf: Displays RPF information for the RP or for the source.
The show ip pim rp command just lists all active groups and their associated RPs. This form of the
command is becoming obsolete, because it offers limited information. In most cases, you should use the
show ip pim rp mapping instead , because it provides details on the actual contents of the group-
to-RP mapping cache, such as the following:
The show ip rpf command displays RPF information associated with the specified source address.
• ip igmp join-group <address>: The router accepts the multicast packets in addition to
forwarding them. Accepting the multicast packets prevents the router from fast switching.
• ip igmp static-group: The router does not accept the packets but forwards them. Hence,
this method allows fast switching. The outgoing interface appears in the IGMP cache, but the
router itself is not a member, as evidenced by the lack of an L (local) flag in the multicast route
entry.
Use the show ip igmp snooping command to display the snooping configuration information for all VLANs on
the switch or for a specified VLAN.
Use the show mac-address-table multicast command to display the entries in the MAC address table for
a VLAN that has IGMP snooping enabled.
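An added example (not from the page) for the PIM-SM configuration and verification passages above: one Cisco IOS router configured as sparse-dense, as Auto-RP candidate RP and mapping agent, with a static group on the LAN interface, followed by the show commands in the order the text recommends. The addresses, the group range and the TTL scope are assumptions; the Auto-RP group addresses 224.0.1.39 and 224.0.1.40 are fixed.

```cisco
ip multicast-routing
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
 ip pim sparse-dense-mode                   ! the RP address is sourced from this loopback
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-dense-mode                   ! sparse for groups with a known RP, dense otherwise
 ip igmp static-group 239.1.1.1             ! forward the group here without a receiver; stays fast-switched
!
! Candidate RP for 239.0.0.0/8 (announced to 224.0.1.39) and mapping agent (announces to 224.0.1.40)
access-list 10 permit 239.0.0.0 0.255.255.255
ip pim send-rp-announce Loopback0 scope 16 group-list 10
ip pim send-rp-discovery Loopback0 scope 16
ip pim spt-threshold infinity               ! never switch from the shared tree to the SPT
!
! Verification
show ip pim interface                       ! sparse-dense on Lo0 and Fa0/0, neighbor counts
show ip pim neighbor
show ip pim rp mapping                      ! 239.0.0.0/8 -> RP 10.255.0.1 learned via Auto-RP
show ip rpf 10.255.0.1                      ! RPF interface and neighbor toward the RP
show ip mroute                              ! (*,G) and (S,G) state; no L flag for the static group
show ip igmp interface FastEthernet0/0      ! IGMP version and who the querier is
```

Restrict the group-list ACL to the ranges you actually use: a candidate RP that announces 224.0.0.0/4 can be overridden only by another announcer with a more specific range, and a rogue host running the same announce is then the RP for everything.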
7.2
Configuring 802.1x Port-Based Authentication
7.2.2
Enabling 802.1x authentication
7.2.3
Configuring the switch-to-RADIUS-server communication
RADIUS security servers are identified by host name or IP address, host name and
specific UDP port numbers, or IP address and specific UDP port numbers. The
combination of the IP address and UDP port number creates a unique identifier, which
enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP
address. If two different host entries on the same RADIUS server are configured for the
same service, such as authentication, the second host entry configured acts as the fail-over
backup to the first one. The RADIUS host entries are tried in the order that they are
configured.
Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server
parameters on the switch.
Step 1 Enter global configuration mode.
Step 2 Configure the RADIUS server parameters on the switch with the radius-server
host {hostname | ip-address} auth-port port-number key string command.
For hostname | ip-address, specify the host name or IP address of the remote RADIUS
server. For auth-port port-number, specify the UDP destination port for authentication
requests. The default is 1812. For key string, specify the authentication and encryption
key used between the switch and the RADIUS server. The key is a text string that must
match the encryption key used on the RADIUS server.
NOTE:
Always configure the key as the last item in the radius-server host command syntax
because leading spaces are ignored, but spaces within and at the end of the key are used. If
spaces are used in the key, do not enclose the key in quotation marks unless the quotation
marks are part of the key.
If multiple RADIUS servers are to be used, re-enter this command.
Step 3 Return to privileged EXEC mode.
Step 4 Verify the configuration.
To delete the specified RADIUS server, use the no radius-server host {hostname | ip-
address} global configuration command.
The example in Figure shows how to specify the server with IP address 172.20.39.46 as
the RADIUS server, to use UDP port 1612 as the authentication port (auth-port), and to set the
encryption key to rad123, matching the key on the RADIUS server.
The timeout, retransmission, and encryption key values for a single RADIUS server are set
with the timeout, retransmit, and key keywords of that server's radius-server host global
configuration command. To configure these values globally for all RADIUS servers, use the
radius-server timeout, radius-server retransmit, and radius-server key global configuration
commands; a per-server setting overrides the global one.
Some settings on the RADIUS server need to be configured as well. These settings
include the IP address of the switch and the key string to be shared by both the server and
the switch.
Periodic 802.1x client re-authentication, as well as how often it occurs, can be configured. If a
time period before enabling re-authentication is not specified, the number of seconds between re-
authentication attempts is 3600.
Automatic 802.1x client re-authentication is a global setting and cannot be set for clients
connected to individual ports.
Beginning in privileged EXEC mode, the following steps are used to enable periodic re-
authentication of the client and to configure the number of seconds between re-authentication
attempts:
Step 1 Enter global configuration mode.
Step 2 Enable periodic re-authentication of the client, which is disabled by default, with the
dot1x re-authentication command.
Step 3 Set the number of seconds between re-authentication attempts with the
dot1x timeout re-authperiod seconds command. The range is 1 to 4294967295 and the default is 3600 seconds.
This command affects the behavior of the switch only if periodic re-authentication is enabled.
Step 4 Return to privileged EXEC mode.
Step 5 Verify the configuration.
To disable periodic re-authentication, use the no dot1x re-authentication global configuration
command. To return to the default number of seconds between re-authentication attempts, use the
no dot1x timeout re-authperiod global configuration command.
The example in Figure shows how to enable periodic re-authentication and set the number of
seconds between re-authentication attempts to 4000.
The client connected to a specific port can be manually re-authenticated at any time by
entering the dot1x re-authenticate interface interface-id privileged EXEC command.
-------
7.2.6
Enabling multiple hosts
Multiple hosts can be attached to a single 802.1x-enabled port. In this mode, only one of
the attached hosts must be successfully authorized for all hosts to be granted network
access. If the port becomes unauthorized, such as in the case that re-authentication fails or
an EAPOL-logoff message is received, all attached clients are denied access to the
network.
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts on an
802.1x-authorized port that has the dot1x port-control interface configuration command
set to auto. The commands used in this process are shown in Figure .
Step 1 Enter global configuration mode.
Step 2 Enter interface configuration mode, and specify the interface to which multiple
hosts are indirectly attached.
Step 3 Allow multiple hosts on an 802.1x-authorized port with the dot1x multiple-hosts
command. Make sure that the dot1x port-control interface configuration command set is
set to auto for the specified interface.
Step 4 Return to privileged EXEC mode.
Step 5 Verify the configuration with the show dot1x interface interface-id command.
To disable multiple hosts on the port, use the no dot1x multiple-hosts interface
configuration command.
The example in Figure shows how to enable 802.1x on FastEthernet interface 0/1 and to
allow multiple hosts.
7.2.7
Resetting the 802.1x configuration to the default values
Beginning in privileged EXEC mode, follow these steps to reset the 802.1x configuration
to the default values:
Step 1 Enter global configuration mode.
Step 2 Reset the configurable 802.1x parameters to the default values with the dot1x
default command.
Step 3 Return to privileged EXEC mode.
Step 4 Verify the configuration with the show dot1x command.
---
To display 802.1x statistics for all interfaces, use the show dot1x statistics privileged EXEC
command. To display 802.1x statistics for a specific interface, use the show dot1x statistics
interface interface-id privileged EXEC command.
To display the 802.1x administrative and operational status for the switch, use the show dot1x
privileged EXEC command. To display the 802.1x administrative and operational status for a
specific interface, use the show dot1x interface interface-id privileged EXEC command.
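An added example (not from the page) that combines the 802.1x procedures of sections 7.2.3 to 7.2.7 on one Catalyst access switch: the RADIUS server with the address, port and key from the text, periodic re-authentication every 4000 seconds, multiple hosts on FastEthernet 0/1, the verification commands, and the reset to defaults. The second RADIUS server, the global timeout and retransmit values, and the aaa and dot1x system-auth-control lines (which the empty section 7.2.2 would cover) are assumptions.

```cisco
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control                 ! global 802.1x enable on newer IOS images
! Key goes last: leading spaces are ignored, embedded and trailing spaces are part of the key
Switch(config)# radius-server host 172.20.39.46 auth-port 1612 key rad123
Switch(config)# radius-server host 172.20.39.47 auth-port 1612 key rad123   ! tried second, as failover (assumed)
Switch(config)# radius-server timeout 5                   ! global values for servers that set none
Switch(config)# radius-server retransmit 3
Switch(config)# dot1x re-authentication                   ! periodic re-auth is off by default
Switch(config)# dot1x timeout re-authperiod 4000          ! 4000 s instead of the 3600 s default
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto                ! must be auto before multiple-hosts
Switch(config-if)# dot1x multiple-hosts                   ! one authorized host opens the port for all
Switch(config-if)# end
Switch# show dot1x                                        ! global status, re-auth timer
Switch# show dot1x interface FastEthernet0/1              ! port state, multiple-hosts, auth state
Switch# show dot1x statistics interface FastEthernet0/1   ! EAPOL frame counters
Switch# dot1x re-authenticate interface FastEthernet0/1   ! force a re-auth of the attached client now
! Back to factory 802.1x values (timers, re-auth); RADIUS configuration is separate
Switch# configure terminal
Switch(config)# dot1x default
Switch(config)# end
Switch# show dot1x
```

Treat multiple-hosts as a hub accommodation, not a policy: once one supplicant passes, every MAC behind the port is on the network, and only a re-authentication failure or an EAPOL-logoff from that one client closes it again.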
QoS
VOIP
2.5.6 Cisco IOS Configurations for VoIP
Cisco IOS routers can be used as VoIP gateways. For a basic VoIP configuration, two
gateways are needed. Both need a connection to a traditional telephony device, such as an
analog telephone. The gateways themselves must have IP connectivity.
In Figure , the first router has these configuration settings:
• Name: R1
• IP address: 10.1.1.1/24
• IP interface: FastEthernet 0/0
• Voice port: 1/0/0
• Extension of the telephone connected to the voice port: 1111
The second router is configured with similar settings:
• Name: R2
• IP address: 10.2.2.2/24
• IP interface: FastEthernet 0/0
• Voice port: 1/0/0
• Extension of the telephone connected to the voice port: 2222
Based on this information, this configuration is applied to the first router:
hostname R1
interface FastEthernet 0/0
ip address 10.1.1.1 255.255.255.0
!
dial-peer voice 1 pots
destination-pattern 1111
port 1/0/0
!
dial-peer voice 2 voip
destination-pattern 2222
session target ipv4:10.2.2.2
!
The second router has these configuration commands:
hostname R2
interface FastEthernet 0/0
ip address 10.2.2.2 255.255.255.0
!
dial-peer voice 1 pots
destination-pattern 2222
port 1/0/0
!
dial-peer voice 2 voip
destination-pattern 1111
session target ipv4:10.1.1.1
!
The voice-specific commands in the configurations are the two dial-peer blocks in each configuration. A dial peer describes where to find a telephone number, and the collection of all dial peers makes up the call routing table of a voice gateway. Two types of dial peers are shown in this example: POTS dial peers and VoIP dial peers. A POTS dial peer indicates that the telephone number specified in the dial peer is found at a physical voice port. A VoIP dial peer refers to the IP address of a VoIP device. The figures list the commands used for dial peers; the Voice-Specific Commands table provides details.
Voice-Specific Commands

dial-peer voice tag type
    Enters dial-peer configuration mode. The tag is a number that must be unique among all dial peers on the same gateway; type is the dial-peer type (pots or voip).

destination-pattern telephone_number
    Entered in dial-peer configuration mode; defines the telephone number that applies to the dial peer. A call placed to this number is routed according to the dial peer's type: to the configured port (POTS dial peer) or to the session target (VoIP dial peer).

port port-number
    Entered in POTS dial-peer configuration mode; defines the voice port that applies to the dial peer. Calls routed by this dial peer are sent to that port. Can be configured only on a POTS dial peer.

session target ipv4:ip-address
    Entered in VoIP dial-peer configuration mode; defines the IP address of the target VoIP device that applies to the dial peer. Calls routed by this dial peer are sent to that address. Can be configured only on a VoIP dial peer.
-------------------=======================================
HSRP (Hot Standby Router Protocol), Cisco proprietary
Switch#show running-config
Building configuration...
Current configuration:
!
<output omitted>
interface Vlan11
 ip address 172.16.11.113 255.255.255.0
 no ip redirects
 standby 11 ip 172.16.11.115
Another way to verify the HSRP configuration is with the show standby brief command, which
displays abbreviated information about the current state of all HSRP operations on the device.
To set the priority value of a router (default is 100), enter this command in interface configuration mode:
Switch(config-if)#standby group-number priority priority-value
Figure describes the variables for the standby command.
During the election process, the router with the highest priority in an HSRP group becomes the active
router. In the case of a tie, the router with the highest configured IP address is chosen.
-------
A former active router can be configured to resume the forwarding router role from a router with a lower
priority by using the following command in interface configuration mode:
Switch(config-if)#standby [group-number] preempt [delay [minimum delay] [sync delay]]
If the routers do not have preempt configured, a router that boots up significantly faster than the others in
the standby group becomes the active router, regardless of the configured priority.
------
The default hello and hold times are 3 and 10 seconds, respectively, which means failover time could be
as much as 10 seconds for clients to start communicating with the new default gateway. In some cases,
this interval may be excessive for application support.
You can change the default values of the timers to milliseconds to accommodate subsecond failovers.
Lowering the hello timer results in increased traffic for hello messages and should be used cautiously.
The hold time should be at least three times the value of the hello time.
To change the timers, enter this command in interface configuration mode:
Switch(config-if)#standby group-number timers [msec] hellotime holdtime
Note:
The hello and hold timer intervals must be identical for all devices within an HSRP group.
-------
Interface tracking enables the priority of a standby group router to be automatically adjusted based on the
availability of that router’s interfaces. When a tracked interface becomes unavailable, the HSRP priority of
the router is decreased. When properly configured, the HSRP tracking feature ensures that a router with
an unavailable key interface relinquishes the active router role.
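The following configuration pulls the HSRP pieces above (priority, preempt, millisecond timers, interface tracking) together on two distribution switches sharing the page's VLAN 11 virtual address 172.16.11.115. It is an added example, not configuration from the page or from Cisco's curriculum: the hostnames DLS1/DLS2, the second switch's address 172.16.11.114, the tracked uplink name and the MD5 key are assumptions. The MD5 authentication line is there because, without it, any host on VLAN 11 can send a hello with priority 255 and hijack the virtual gateway.

```cisco
! Added example (not from the page): HSRP group 11 with preemption,
! sub-second timers, MD5 authentication and interface tracking.
! Assumed: hostnames DLS1/DLS2, DLS2 address .114, uplink Gi1/0/1, key string.
!
! --- DLS1: intended active router ---
hostname DLS1
interface Vlan11
 ip address 172.16.11.113 255.255.255.0
 no ip redirects
 standby version 2
 standby 11 ip 172.16.11.115
 standby 11 priority 110
 ! wait 30 s after boot before taking the active role back
 standby 11 preempt delay minimum 30
 ! hello 200 ms, hold 750 ms (hold >= 3 x hello)
 standby 11 timers msec 200 msec 750
 standby 11 authentication md5 key-string Hsrp-K3y
 ! lose 20 priority points if the core uplink goes down -> 90 < 100, DLS2 takes over
 standby 11 track GigabitEthernet1/0/1 20
!
! --- DLS2: standby router, default priority 100 ---
hostname DLS2
interface Vlan11
 ip address 172.16.11.114 255.255.255.0
 no ip redirects
 standby version 2
 standby 11 ip 172.16.11.115
 standby 11 priority 100
 standby 11 preempt
 standby 11 timers msec 200 msec 750
 standby 11 authentication md5 key-string Hsrp-K3y
!
end
! Verification
show standby brief
show standby vlan 11
```

Both routers need preempt: without it on DLS1, a reboot of DLS1 leaves DLS2 active forever even though DLS1 has the higher priority. The timers must match on both sides, and the track decrement (20) must be large enough to drop the active router below the standby's priority, or tracking changes nothing.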
VRRP (Virtual Router Redundancy Protocol), an IETF standard (VRRPv2 is RFC 3768)
A VRRP group has one master router and one or more backup routers. The LAN workstations are then
configured with the address of the virtual router as their default gateway. VRRP is supported on Ethernet,
Fast Ethernet, and Gigabit Ethernet interfaces, and with Multiprotocol Label Switching (MPLS), virtual
private networks (VPNs), and VLANs.
**The master virtual router may use the same IP address as the virtual router group (the master is then the "IP address owner").
With VRRP, only the master sends advertisements (the equivalent of HSRP hellos). Advertisements are
sent on multicast 224.0.0.18 protocol number 112 at a default interval of 1 second.
With GLBP, resources can be fully utilized without the administrative burden of configuring multiple groups
and managing multiple default gateway configurations as is required with HSRP and VRRP.
SwitchA#show glbp 7
++++++++++++++++++++++++++++++++++++++++
PoE (Power over Ethernet)
Switch port configuration for PoE (enables and disables PoE):
• auto (default): power detection enabled; power is supplied if the attached device requires it
• never: power disabled
• Shutting the port down turns power off
The show power inline command displays the configuration and statistics about the power drawn by connected powered devices (PDs) and the capacity of the power supply.
Wire pairs that can carry power:
• Data pairs 1,2 and 3,6
• Spare pairs 4,5 and 7,8
When the spare pairs 4,5 and 7,8 are used, 8-wire cabling is required. This technique does not extend the 100-meter Fast Ethernet cable limit. You cannot use the spare-pair approach for 1000BASE-T Gigabit Ethernet, which uses all eight wires, so no spare pairs are available.
Changing the image on a lightweight AP / WLAN controller (mesh conversion)
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn4119124M.html#wp1086312
Note The access point reboots after entry of the conversion commands (CLI, GUI, and WCS
noted below), and initially reloads its existing non-mesh image (k9w8) and then rejoins the
controller. After successfully rejoining, the access point receives a download of the mesh image
(k9w9) from the controller. The mesh image then reloads and replaces the non-mesh image on
the access point. Afterwards, the access point rejoins the controller as a mesh access point
operating in the bridging mode as either a MAP or RAP as configured.
Note The indoor mesh access point image (k9w9) is a different image than the autonomous
(k9w7) and lightweight access point images (k9w8).
• To convert the access point to a mesh access point using the CLI, enter the commands noted
in either Step a or b below.
a. To convert from a lightweight access point to a MAP, enter the following CLI commands:
config ap mode bridge AP_name
The mesh access point image (k9w9) is downloaded.
b. To convert from a lightweight access point to a RAP, enter the following CLI commands:
config ap mode bridge AP_name
config ap role rootAP AP_name
The mesh access point image (k9w9) is downloaded and the mesh access point is configured to
operate as a RAP.
• To convert the access point to a mesh access point using the GUI, do the following.
a. Choose Wireless and click on the AP Name link for the 1130 or 1240 indoor access point
you want to convert.
b. At the General Properties panel, select Bridge from the AP Mode drop-down menu.
The access point loads the new image (k9w9) and reboots.
c. At the Mesh panel, select either RootAP or MeshAP from the AP Role drop-down menu.
d. Click Apply and Save Configuration.
• To convert the access point to a mesh access point using Cisco WCS, do the following.
a. Choose Configure > Access Points and click on the AP Name link for the 1130 or 1240
indoor access point you want to convert.
b. At the General Properties panel, select Bridge as the AP Mode (left-side) and either RAP or
MAP as the AP Role (right-side).
c. Click Save.
Changing MAP and RAP Roles for Indoor Mesh Access Points (1130AG, 1240AG)
Indoor mesh access points can function as either root access points (RAPs) or mesh access points (MAPs). To change from one role to another, follow the appropriate step below.
1. To change the role of an indoor access point from MAP to RAP or RAP to MAP using the
CLI, enter the following command choosing the appropriate option:
config ap role {rootAP | meshAP} AP_name
2. To change the role of an indoor access point using the GUI, do the following.
a. Choose Wireless and click on the AP Name link for the 1130 or 1240 indoor access point
you want to change.
b. At the Mesh panel, select MeshAP or RootAP from the AP Role drop-down menu.
c. Click Apply and Save Configuration.
3. To change the role of an indoor access point using Cisco WCS, do the following
a. Choose Configure > Access Points and click on the AP Name link for the 1130 or 1240
indoor access point you want to change.
b. At the General Properties panel, select either RAP or MAP as the AP Role (right-side).
c. Click Save.
Note When changing from a MAP to RAP, a Fast Ethernet connection between the MAP and
controller is recommended.
Note After a RAP to MAP conversion, the MAP's connection to the controller is a wireless
backhaul rather than a Fast Ethernet connection. It is the responsibility of the user to ensure that
the Fast Ethernet connection of the RAP being converted is disconnected before the MAP comes
up so that the MAP can join over air.
Note The recommended power source for MAPs is either a power supply or power injector.
PoE is not a recommended power source for MAPs.
Note A Fast Ethernet connection to the controller for the conversion from a mesh (bridge) to
non-mesh (local) access point is recommended. If the backhaul is a radio, after the conversion
you must enable Ethernet and then reload the access image. After the reload and reboot the
backhaul is Fast Ethernet.
Note When a root access point is converted back to a lightweight access point, all of its
subordinate mesh access points lose connectivity to the controller. Consequently, a mesh access
point is unable to service its clients until the mesh access point is able to establish connectivity to
a different root access point in the vicinity. Likewise, clients might connect to a different mesh
access point in the vicinity to maintain connectivity to the network.
1. To convert an indoor mesh access point (MAP or RAP) to a non-mesh lightweight access
point using the CLI, enter the following command.
config ap mode local AP_name
The access point loads the non-mesh image (k9w8).
2. To convert an indoor mesh access point (MAP or RAP) to a non-mesh lightweight access
point using the GUI, do the following.
a. Choose Wireless and click on the AP Name link for the 1130 or 1240 indoor access point
you want to convert.
b. At the General Properties panel, select Local from the AP Mode drop-down menu.
c. Click Apply and Save Configuration.
3. To convert an indoor mesh access point (MAP or RAP) to a non-mesh lightweight access
point using Cisco WCS, do the following.
a. Choose Configure > Access Points and click on the AP Name link for the 1130 or 1240
indoor access point you want to convert.
b. At the General Properties panel, select Local as the AP Mode (left-side).
c. Click Save.
Mitigate MAC address flooding: an attacker floods frames with bogus source MACs until the CAM table is full, so the switch forwards all traffic out all of the ports (a DoS attack, or information gathering by sniffing the flooded frames).
– Stop it by configuring port security on the switch, restricting which (and how many) MAC addresses each access port accepts.
– Could also use an AAA method such as 802.1x, so that only authenticated hosts get access (like per-user permissions on a firewall).
– Until the workstation is authenticated, 802.1x access control allows only
Extensible Authentication Protocol over LAN (EAPOL) traffic through the
port to which the workstation is connected. After authentication
succeeds, normal traffic can pass through the port.
You control the port authorization state by using the dot1x port-control interface configuration
command and these keywords:
• force-authorized: Disables 802.1x port-based authentication and causes the port to transition to
the authorized state without any authentication exchange required. The port transmits and
receives normal traffic without 802.1x-based authentication of the client. This is the default
setting.
• force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts
by the client to authenticate. The switch cannot provide authentication services to the client
through the interface.
• auto: Enables 802.1x port-based authentication and causes the port to begin in the unauthorized
state, allowing only EAPOL frames to be sent and received through the port. The authentication
process begins when the link state of the port transitions from down to up (authenticator initiation)
or when an EAPOL-start frame is received (supplicant initiation). The switch requests the identity
of the client and begins relaying authentication messages between the client and the
authentication server. The switch uniquely identifies each client attempting to access the network
with the client MAC address.
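The following is an added example of the authenticator side of 802.1x on a Catalyst access switch, tying the dot1x port-control keywords above to the AAA/RADIUS configuration the switch needs to relay EAP to an authentication server; it is not configuration from the page. FastEthernet 0/1 comes from the earlier 802.1x notes; the RADIUS server address 10.10.10.5, the shared key, VLAN 10 and the timer values are assumptions.

```cisco
! Added example (not from the page): 802.1x authenticator with RADIUS.
! Assumed: RADIUS server 10.10.10.5, shared key, VLAN 10, timer values.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key Rad1us-Sh4red
! Enable 802.1x globally; without this, per-port "auto" does nothing
dot1x system-auth-control
!
! User-facing port: starts unauthorized, only EAPOL passes until RADIUS says Access-Accept
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! resend EAP-Request/Identity every 10 s, give up after 2 retries
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! re-authenticate the supplicant every hour
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
!
! Optional: allow several MACs behind one authenticated host (hub/phone).
! The page's older syntax is "dot1x multiple-hosts"; newer releases use:
!  dot1x host-mode multi-host
!
! Hardened alternative for a port that must never carry user traffic:
!  dot1x port-control force-unauthorized
!
end
! Verification
show dot1x interface fastethernet 0/1
show dot1x statistics interface fastethernet 0/1
```

Leave uplinks and trunks out of 802.1x entirely (the default force-authorized applies); the authenticator belongs on edge ports only. Check `show dot1x interface` for the port status AUTHORIZED versus UNAUTHORIZED after a client connects, and confirm on the RADIUS server that the request arrived with the client MAC as the Calling-Station-Id.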
“sticky learning,” which is available on some switch platforms, combines the features of dynamically
learned and statically configured addresses. When this feature is configured on an interface, the interface
converts dynamically learned addresses to “sticky secure” addresses. The addresses are added to the
running configuration as if they were configured using the switchport port-security mac-
address command.
The following command converts all dynamic port security–learned MAC addresses to sticky secure MAC
addresses:
switchport port-security mac-address sticky
This command cannot be used on ports where voice VLANs are configured.
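The following is an added example (not from the page) of port security on an access port, the mitigation for the MAC-flooding attack described above, with sticky learning so that the first MACs seen become part of the saved configuration. FastEthernet 0/5, VLAN 10, the maximum of 2 addresses and the 300-second recovery interval are assumptions.

```cisco
! Added example (not from the page): port security against CAM-table flooding.
! Assumed: interface Fa0/5, VLAN 10, maximum of 2 MACs, recovery interval.
!
! Weak counterpart (what a flooding tool relies on): an access port with no
! port security, so thousands of bogus source MACs fill the CAM table and
! the switch floods unicast traffic out every port.
!  interface FastEthernet0/6
!   switchport mode access
!
! Hardened port
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! PC plus one extra device; a third source MAC is a violation
 switchport port-security maximum 2
 ! shutdown = err-disable and log (default); "restrict" would keep the port up,
 ! drop the offending frames and raise the violation counter instead
 switchport port-security violation shutdown
 ! learned MACs are written to the running config as secure addresses
 switchport port-security mac-address sticky
!
! Let a violated port recover on its own after 5 minutes instead of
! needing a manual "shutdown / no shutdown"
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
end
! Verification: secure-address count, violation count, port status
show port-security
show port-security interface fastethernet 0/5
show port-security address
```

Save the configuration after the legitimate devices have been learned, otherwise the sticky addresses are lost at reload. A violation shows up as "SecurityViolation" counts and a log message with the offending MAC, which is worth forwarding to the SIEM since it is a direct indicator of a flooding or spoofing attempt on that closet.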
To stop VLAN hopping (switch spoofing through DTP negotiation, and double tagging over the native VLAN):
• Configure all unused ports as access ports so that trunking cannot be negotiated across those
links.
• Place all unused ports in the shutdown state and associate with a VLAN designated only for
unused ports, carrying no user data traffic.
• When establishing a trunk link, configure the following:
○ Make the native VLAN different from any data VLANs
○ Set trunking as “on,” rather than negotiated
○ Specify the VLAN range to be carried on the trunk
If an access-class is applied to the vty lines, hosts outside the permitted range are refused, so a port scan from them does not find a usable Telnet (or SSH) service.
Can also do
• Router access control list (RACL): Applied to Layer 3 interfaces such as SVI or L3 routed
ports. It controls the access of routed traffic between VLANs. RACLs are applied on interfaces for
specific directions (inbound or outbound). You can apply one access list in each direction. To
improve performance in Cisco Catalyst multilayer switches, RACLs are supported in ternary
content addressable memory (TCAM).
• Port access control list (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel
port. PACLs perform access control on traffic entering a Layer 2 interface. With PACLs, you can
filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. When you
apply a PACL to a trunk port, it filters traffic on all VLANs present on the trunk port.
• VLAN access control list (VACL): Supported in software on Cisco multilayer switches. Filtering
based on Layer 2 or Layer 3 parameters within a VLAN. Unlike RACLs, VACLs are not defined by
direction (input or output).
These are supported only on certain platforms (see the 8.2.4 examples).
8.2.6 Configuring PVLANs
To configure a PVLAN on an IOS-based Catalyst 3560, 3750, 4500, or 6500, follow these steps:
Step 1 Set VTP mode to transparent.
Step 2 Create the secondary VLANs.
Note:
Isolated and community VLANs are secondary VLANs.
Step 3 Create the primary VLAN.
Step 4 Associate the secondary VLAN with the primary VLAN. Only one isolated VLAN can be
mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary
VLAN.
Step 5 Configure an interface as an isolated or community port.
Step 6 Associate the isolated port or community port with the primary-secondary VLAN pair.
Step 7 Configure an interface as a promiscuous port.
Step 8 Map the promiscuous port to the primary-secondary VLAN pair.
Use these commands to configure a VLAN as a PVLAN:
Switch(config)#vlan vlan_ID
Switch(config-vlan)#[no] private-vlan {community | isolated | primary}
The following example shows how to configure VLAN202 as a primary VLAN and verify the
configuration:
Switch#configure terminal
Switch(config)#vlan 202
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#end
Switch#show vlan private-vlan type
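The following is an added example (not from the page) that carries steps 1 through 8 above to completion: VLAN 202 is the page's primary VLAN; the isolated VLAN 201, the community VLAN 203, the host interfaces and the promiscuous uplink are assumptions.

```cisco
! Added example (not from the page): full private-VLAN configuration.
! Assumed: isolated VLAN 201, community VLAN 203, interfaces Fa0/10-12, Gi0/1.
! Step 1: PVLANs require VTP transparent mode
vtp mode transparent
!
! Step 2: secondary VLANs first
vlan 201
 private-vlan isolated
vlan 203
 private-vlan community
!
! Steps 3-4: primary VLAN and its associations (one isolated, many community)
vlan 202
 private-vlan primary
 private-vlan association 201,203
!
! Steps 5-6: isolated host port; can reach only the promiscuous port
interface FastEthernet0/10
 switchport mode private-vlan host
 switchport private-vlan host-association 202 201
!
! Steps 5-6: community host ports; reach each other and the promiscuous port
interface range FastEthernet0/11 - 12
 switchport mode private-vlan host
 switchport private-vlan host-association 202 203
!
! Steps 7-8: promiscuous port toward the gateway/firewall
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 202 201,203
!
end
! Verification
show vlan private-vlan
show vlan private-vlan type
show interfaces fastethernet 0/10 switchport
```

A host on Fa0/10 can send only toward Gi0/1 (the gateway), so two isolated hosts in the same subnet cannot ARP for each other; the gateway must not proxy-ARP or route between them if that isolation is meant to hold at Layer 3 as well.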
DHCP snooping filters DHCP traffic: server messages (OFFER/ACK/NAK) arriving on untrusted ports are dropped, which stops rogue DHCP servers from being introduced into the network, and the switch builds a binding table (MAC, IP, VLAN, port, lease) from the snooped leases.
8.3.3 configs and examples
Dynamic ARP Inspection (DAI) determines the validity of an ARP packet based on the MAC address-to-IP
address bindings stored in a DHCP snooping database. Additionally, DAI can validate ARP packets based
on user-configurable ACLs for hosts that use statically configured IP addresses.
To prevent ARP spoofing or “poisoning,” a switch must ensure that only valid ARP requests and
responses are relayed. To ensure that only valid ARP requests and responses are relayed, DAI takes the
following actions:
• Forwards ARP packets received on a trusted interface without any checks
• Intercepts all ARP packets on untrusted ports
• Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding
packets that can update the local ARP cache
• Drops, logs, or drops and logs ARP packets with invalid IP-to-MAC address bindings
Generally, all access switch ports should be configured as untrusted and all switch ports connected to other switches as trusted. All ARP packets traversing the network from an upstream distribution or core switch c
The following example shows how to configure DAI for hosts on VLAN 1, where client devices are located
for switch 2. All client ports are untrusted by default. Only port 3/3 is trusted, because this is the only port
where DHCP replies would be expected.
S2(config)#ip arp inspection vlan 1
S2(config)#interface fastethernet 3/3
S2(config-if)#ip arp inspection trust
***Ports default to untrusted; you must explicitly mark the ports that should be trusted to exempt them from ARP inspection.
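The following is an added example (not from the page) that extends the three-line DAI configuration above into a working deployment: DAI is only as good as the DHCP snooping binding table it consults, so snooping is enabled first, a static host is covered with an ARP ACL, and access ports are rate-limited. VLAN 1 and the trusted uplink Fa3/3 come from the page; the static host 10.1.1.50 / 0011.2233.4455, the access-port range and the rate limit are assumptions.

```cisco
! Added example (not from the page): DHCP snooping + Dynamic ARP Inspection.
! Assumed: static host 10.1.1.50/0011.2233.4455, access ports Fa3/1-2, rate 15 pps.
!
! DHCP snooping builds the IP-to-MAC binding table DAI checks against
ip dhcp snooping
ip dhcp snooping vlan 1
! don't insert option 82 unless the DHCP server expects it
no ip dhcp snooping information option
!
! DAI for the client VLAN, with extra sanity checks on each ARP packet:
!  src-mac: Ethernet source == ARP sender MAC
!  dst-mac: Ethernet destination == ARP target MAC (replies)
!  ip:      no 0.0.0.0, 255.255.255.255 or multicast sender/target addresses
ip arp inspection vlan 1
ip arp inspection validate src-mac dst-mac ip
!
! Host with a static address has no DHCP binding; whitelist it explicitly
arp access-list STATIC-HOSTS
 permit ip host 10.1.1.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 1
!
! The only trusted port: uplink toward the DHCP server and the rest of the network
interface FastEthernet3/3
 ip dhcp snooping trust
 ip arp inspection trust
!
! Client ports stay untrusted (default); cap ARP rate so an ARP storm
! err-disables the port instead of starving the CPU
interface range FastEthernet3/1 - 2
 ip arp inspection limit rate 15
!
errdisable recovery cause arp-inspection
end
! Verification
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 1
show ip arp inspection interfaces
show ip arp inspection statistics vlan 1
```

Enable DHCP snooping some time before DAI in a brownfield network: existing clients with leases obtained before snooping was on have no binding entry and their ARP traffic will be dropped until they renew. The `show ip arp inspection statistics` counters (DHCP Drops, ACL Drops, Invalid Source/Dest MAC) are the first thing to check when a legitimate host loses connectivity after DAI is turned on.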
BPDU guard and root guard protect the spanning tree: BPDU guard error-disables a PortFast access port that receives any BPDU, which keeps a rogue switch from joining the topology and creating loops; root guard stops a switch behind a port from becoming the STP root bridge.
To enable root guard on a Layer 2 access port (to force it to become a designated port), use the following
command. To disable root guard, use the no form of the command.
Switch(config-if)#spanning-tree guard root
Figure demonstrates how to verify the root guard configuration. To display the interface configuration,
use the following command:
Switch#show running-config interface fastethernet 5/8
To determine whether any ports are in a root-inconsistent state, use the following command:
Switch#show spanning-tree inconsistentports
The function of UDLD is to prevent one-way communication between adjacent devices. When UDLD
detects a one-way conversation, it can do one of two things, depending on whether UDLD is configured in
normal or aggressive mode. In normal mode, UDLD changes the UDLD-enabled port to an undetermined
state when it stops receiving UDLD messages from its directly connected neighbor. Aggressive mode
makes eight attempts to re-establish the UDLD neighbor relation before error disabling the port.
Aggressive mode is the preferred method of configuring UDLD and is the only mode that can detect a
UDLD condition on twisted-pair cable.
UDLD is used when a link should be shut down because of a hardware failure that is causing
unidirectional communication. In an EtherChannel bundle, UDLD shuts down only the physical link that
has failed.
UDLD can be enabled globally for all fiber interfaces or on a per-interface basis.
To enable UDLD on an interface, use the following command:
Switch(config-if)#udld port
To enable UDLD globally on all fiber-optic interfaces, use the following command:
Switch(config)#udld enable
UDLD shuts down interfaces. To reset all interfaces that have been shut down, use the following
command:
Switch#udld reset
To verify the UDLD configuration for an interface, use this command:
Switch#show udld interface
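The following is an added example (not from the page) that combines the STP protections and UDLD discussed above on one distribution switch: a pinned root priority, BPDU guard on the PortFast access ports, root guard on the page's Fa5/8 downlink, and UDLD aggressive on a fiber uplink. The interface ranges other than Fa5/8, the priority values and the recovery interval are assumptions.

```cisco
! Added example (not from the page): STP hardening plus UDLD.
! Assumed: access ports Fa0/1-24, fiber uplink Gi0/25, priorities, recovery interval.
spanning-tree mode rapid-pvst
! Pin the intended root; the designated backup root would use 8192
spanning-tree vlan 1-100 priority 4096
! BPDU guard on every PortFast-enabled port, globally
spanning-tree portfast bpduguard default
!
! End-host ports: PortFast plus an explicit per-port BPDU guard
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Downlink to an access switch: must stay a designated port, never root port
interface FastEthernet5/8
 switchport mode trunk
 spanning-tree guard root
!
! Fiber uplink: aggressive UDLD err-disables a one-way link before STP
! unblocks it and forms a loop
udld aggressive
interface GigabitEthernet0/25
 udld port aggressive
!
! Automatic recovery so a transient event doesn't need a truck roll
errdisable recovery cause bpduguard
errdisable recovery cause udld
errdisable recovery interval 300
!
end
! Verification
show spanning-tree summary
show spanning-tree inconsistentports
show udld gigabitethernet 0/25
```

Root guard puts a port into the root-inconsistent (listening) state while superior BPDUs arrive and recovers on its own when they stop, so `show spanning-tree inconsistentports` is the place to look for a switch someone plugged in with a lower bridge priority. BPDU guard, by contrast, err-disables the port and needs the recovery timer or a manual bounce.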
CDP is necessary for management applications and cannot be disabled without impairing some network-
management applications. However, CDP can be selectively disabled on interfaces where management is
not being performed. The interface command no cdp enable disables CDP on an individual interface.
Figure describes how CDP can be used maliciously.
8.6.4 vty ACLs
Cisco provides ACLs to permit or deny Telnet access to the vty ports of a switch. Cisco devices
vary in the number of vty ports that are available by default. When configuring vty ACLs, ensure
that all default ports are removed or have a specific vty ACL applied.
Telnet filtering is normally considered an extended IP ACL function because it is filtering a higher
level protocol. However, because the access-class command filters incoming Telnet sessions
by source address and applies filtering to vty lines, you can use standard IP ACL statements to
control vty access. The access-class command also applies standard IP ACL filtering to vty
lines for outgoing Telnet sessions originating from the switch.
You can apply vty ACLs to any combination of vty lines. You can apply the same ACL to all vty
lines or specifically to each vty line. The most common practice is to apply the same ACL to all vty
lines.
To configure vty ACLs on a Cisco switch, create a standard IP ACL and apply it to the vty interfaces.
Different from applying an ACL to a data interface, apply it to a vty line or range of lines with the access-
class command.
Consider this example. Permission is granted to any device on network 192.168.1.0/24 to establish a
virtual terminal (Telnet) session with the switch. Of course, the user must know the appropriate passwords
to enter user mode and privileged mode. Identical restrictions have been set on every vty line, because
the line on which the vty user connects cannot be controlled. The implicit deny any statement at the end
of the access list still applies to the ACL when it is used as an access-class entry.
Switch(config)# access-list 12 permit 192.168.1.0 0.0.0.255
Switch(config)# line vty 0 15
Switch(config-line)# access-class 12 in
8.6.6 Best Practices for Switch Security
Network security vulnerabilities include loss of privacy, data theft, impersonation, and loss of
integrity. Basic security measures should be taken on every network to mitigate adverse effects of
user negligence or acts of malicious intent.
The following steps are required whenever placing new equipment in service:
Step 1 Consider or establish organizational security policies.
Step 2 Secure switch devices.
Step 3 Secure switch protocols.
Step 4 Mitigate compromises launched through a switch.
You should consider the policies of an organization when determining which level and type of
security to implement. You must balance the goal of reasonable network security with the
administrative overhead of extremely restrictive security measures.
A well-established security policy has these characteristics:
• Provides a process for auditing existing network security
• Provides a general security framework for implementing network security
• Defines disallowed behaviors toward electronic data
• Determines which tools and procedures are needed for the organization
• Communicates consensus among a group of key decision-makers and defines the
responsibilities of users and administrators
• Defines a process for handling network security incidents
• Enables an enterprise-wide, all-site security implementation and enforcement plan
Follow these best practices for secure switch access:
• Set system passwords: Use the enable secret command to set the password that grants enabled access to the Cisco IOS system. Because the enable secret command simply stores a Message Digest 5 (MD5) hash of the configured password (a type 5 secret), that password still remains vulnerable to dictionary attacks. Therefore, apply standard practices in selecting a strong password. Pick passwords that contain letters, numbers, and special characters, for example, "$pecia1$" instead of "specials," where the "s" has been replaced by "$" and the "l" has been replaced with "1" (one).
• Secure access to the console: Console access requires a minimum level of security
both physically and logically. An individual who gains console access to a system can
recover or reset the system-enable password, thus allowing that person to bypass all
other security implemented on that system. Consequently, it is imperative to secure
access to the console.
• Secure access to vty lines: The minimum recommended steps for securing Telnet
access are:
○ Apply the basic ACL for in-band access to all vty lines.
○ Configure a line password for all configured vty lines.
• Use SSH: The SSH protocol and application provide a secure remote connection to a
switch. It encrypts all traffic, including passwords, between a remote console and a
switch. Because SSH sends no traffic in clear text, network administrators can conduct
remote access sessions that casual observers cannot view. The SSH server in Cisco IOS
software works with publicly and commercially available SSH clients.
• Configure system-warning banners: For both legal and administrative purposes,
displaying a system-warning banner prior to login is a convenient and effective way of
reinforcing security and general usage policies. By clearly stating the ownership, usage,
access, and protection policies before a login, you provide more solid backing for
potential future prosecution.
• Disable unneeded services: By default, Cisco devices implement multiple TCP and
User Datagram Protocol (UDP) servers to facilitate management and integration into
existing environments. For most installations, these services are typically not required,
and disabling them can greatly reduce overall security exposure. These commands
disable services not typically used:
no service tcp-small-servers
no service udp-small-servers
no service finger
no service config
• Disable the integrated HTTP daemon if not in use: Although Cisco IOS software
provides an integrated HTTP server for management, it is highly recommended that it be
disabled to minimize overall exposure. If HTTP access to the switch is absolutely
required, use basic ACLs to permit access from only trusted subnets.
• Configure basic logging: To assist and simplify problem troubleshooting and security
investigations, monitor the switch subsystem information received from the logging facility.
View the output in the on-system logging buffer memory. To render the on-system logging
useful, increase the default buffer size.
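The following is an added example (not from the page) that applies the "secure switch access" list above in one pass: enable secret, SSH-only vty lines behind the page's ACL 12 (with a logged deny entry), a login banner, the unneeded TCP/UDP services and HTTP server disabled, and buffered plus remote logging. The hostname, domain name, usernames and secrets, the syslog host 192.168.1.20 and the buffer size are assumptions.

```cisco
! Added example (not from the page): management-plane hardening.
! Assumed: hostname, domain, username/secrets, syslog host, buffer size.
hostname DLS1
ip domain-name example.net
no ip domain-lookup
!
! Privileged-mode secret and a local account for "login local"
enable secret St4ck$-0f-Ch0ice!
username netops privilege 15 secret N3tops-$tr0ng
!
! SSH only: RSA key, SSHv2, short authentication window
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! vty ACL: management subnet only; log every other attempt
access-list 12 remark MGMT-ONLY
access-list 12 permit 192.168.1.0 0.0.0.255
access-list 12 deny any log
!
line vty 0 15
 access-class 12 in
 transport input ssh
 login local
 exec-timeout 10 0
line con 0
 login local
 exec-timeout 10 0
!
banner motd ^ Authorized access only. Activity is monitored and logged. ^
!
! Services not needed on a switch
no service tcp-small-servers
no service udp-small-servers
no service finger
no service config
no ip http server
no ip http secure-server
! CDP off where no Cisco phones need it (or "no cdp enable" per interface)
no cdp run
!
! Logging: bigger local buffer plus a remote collector
logging buffered 64000 informational
logging trap informational
logging host 192.168.1.20
service timestamps log datetime msec localtime show-timezone
end
! Verification
show ip ssh
show access-lists 12
show line vty 0 15
show logging
```

The `deny any log` entry costs nothing in a standard ACL and turns the vty ACL into a detection control: every refused connection from outside the management subnet lands in the syslog buffer with the source address. On IOS releases newer than the curriculum's, `enable secret` and `username ... secret` also accept `algorithm-type scrypt`, which replaces the MD5 type 5 hash with a type 9 hash that is much harder to brute-force.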
Follow these best practices for switch security :
• Use CDP only as needed: CDP does not reveal security-specific information, but it is
possible for an attacker to exploit this information in a reconnaissance attack, whereby an
attacker learns device and IP address information for the purpose of launching other
types of attacks. Two practical guidelines should be followed for CDP.
○ If CDP is not required, or the device is located in an unsecure environment,
disable CDP globally on the device.
○ If CDP is required, disable CDP on a per-interface basis on ports connected to
untrusted networks. Because CDP is a link-level protocol, it is not transient
across a network (unless a Layer 2 tunneling mechanism is in place). Limit it to
run only between trusted devices and disable it everywhere else. However, CDP
is required on any access port when you are attaching a Cisco phone to establish
a trust relationship.
• Secure the spanning tree topology: It is important to protect the STP process of the
switches that compose the infrastructure. Inadvertent or malicious introduction of STP
BPDUs could potentially overwhelm a device or pose a DoS attack. The first step in
stabilizing a spanning tree installation is to positively identify the intended root bridge in
the design and to hard set the STP bridge priority of that bridge to an acceptable root
value. Do the same for the designated backup root bridge. These actions protect against
inadvertent shifts in STP due to an uncontrolled introduction of a new switch.
On some platforms, the BPDU guard feature may be available. If so, enable it on access ports in
conjunction with the PortFast feature to protect the network from unwanted BPDU traffic injection.
Upon receipt of a BPDU, the feature automatically disables the port.
Follow these best practices to mitigate compromises through a switch:
• Proactively configure unused router and switch ports:
○ Execute the shut command on all unused ports and interfaces.
○ Place all unused ports in a “parking-lot” VLAN used specifically to group unused
ports until they are proactively placed into service.
○ Configure all unused ports as access ports, disallowing automatic trunk
negotiation.
• Disable automatic trunk negotiation: By default, Cisco Catalyst switches running Cisco
IOS software are configured to automatically negotiate trunking capabilities. This situation
poses a serious hazard to the infrastructure because an unsecured third-party device can
be introduced to the network as a valid infrastructure component. Potential attacks
include interception of traffic, redirection of traffic, and DoS. To avoid this risk, disable
automatic negotiation of trunking and manually enable it on links that require it. Ensure
that trunks use a native VLAN that is dedicated exclusively to trunk links.
• Monitor physical device access: Avoid rogue device placement in wiring closets with
direct access to switch ports.
• Establish port-based security: Specific measures should be taken on every access port
of any switch placed into service. Ensure that a policy is in place outlining the
configuration of both used and unused switch ports. For ports enabled for end-device
access, the macro switchport host takes the following actions when executed on a specific switch port:
○ Sets the switch port mode to access
○ Enables spanning tree PortFast
○ Disables channel grouping.
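The following is an added example (not from the page) that implements the "mitigate compromises through a switch" list above and the earlier VLAN-hopping bullets (native VLAN separate from data VLANs, trunking on rather than negotiated, explicit VLAN range): parked unused ports, the switchport host macro on end-device ports, and a hardened trunk shown beside its weak DTP default. VLAN numbers, interface ranges and the trunk interface are assumptions.

```cisco
! Added example (not from the page): unused-port parking, "switchport host",
! and an explicit trunk. Assumed: VLANs 10/20/30/998/999, Fa0/1-24, Gi0/1.
vlan 999
 name PARKING-LOT
vlan 998
 name NATIVE-TRUNK
!
! Unused ports: access mode, DTP off, parked VLAN, shut
interface range FastEthernet0/13 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! End-device ports: "switchport host" = access mode + PortFast + no channel group
interface range FastEthernet0/1 - 12
 switchport host
 switchport access vlan 10
!
! Weak trunk (Catalyst default): DTP negotiates trunking with whatever is
! plugged in, native VLAN 1 carries untagged frames, every VLAN is allowed.
!  interface GigabitEthernet0/1
!   switchport mode dynamic desirable
!
! Hardened trunk: forced on, no DTP, unused native VLAN, explicit VLAN list
interface GigabitEthernet0/1
 ! encapsulation command is needed on 3560/3750; 2960 is dot1q-only
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30
!
end
! Verification
show interfaces trunk
show interfaces gigabitethernet 0/1 switchport
show dtp interface gigabitethernet 0/1
show vlan brief
```

With DTP off on every port, a host running a trunk-negotiation tool (the switch-spoofing half of VLAN hopping) gets no trunk; with the native VLAN moved to 998 and not carried as a data VLAN anywhere, a double-tagged frame from VLAN 10 has nowhere to go. `show interfaces trunk` should list only Gi0/1, with "on" rather than "desirable" in the Mode column and 998 as the native VLAN.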