
Part I: Designing Campus Networks

Chapter 1: Enterprise Campus Network Design

1. Hierarchical Network Design
   a. Hierarchical Network Design
      i. a flat/linear network leads to collisions and broadcast traffic
         1. half-duplex communication only
      ii. a hierarchy of switches breaks up collision domains, and VLANs break up broadcast domains
   b. Access Layer
      i. where end users access the network
      ii. low cost, high port density
      iii. scalable
   c. Distribution Layer
      i. connects to multiple access switches
      ii. Layer 3 routing
      iii. VLANs converge (terminate) here
   d. Core Layer
      i. very high-speed Layer 3 switching
      ii. fast
      iii. can be collapsed into the distribution layer for smaller networks
2. Modular Network Design
   a. Redundancy
      i. a single switch can be a point of failure: good to have multiple (backup) switches at each layer
      ii. however, with multiple switches and redundant links comes a spider web of complexity: the answer is modular design
         1. switch block: a group of access and distribution switches
         2. core block: a group of core switches
      iii. network growth is accommodated by adding access switches to a switch block, or by adding more switch blocks
   b. Sizing a Switch Block
      i. best to size based on traffic type and the size of common workgroups, rather than the raw number of users
   c. Switch Block Redundancy
      i. a VLAN could be carried on all switches in a block
         1. but this is not optimal, since the whole block is then exposed to that VLAN's broadcast traffic
      ii. better is to have a unique VLAN on each access switch, confining Layer 2 traffic to that access switch
      iii. best practices:
         1. a pair of switches at each layer
         2. connect each switch to the next higher layer
         3. do not connect the access switches to each other, but do connect the distribution switches to each other
         4. do not extend VLANs beyond the distribution switches
   d. Network Core
      i. consists of two or more core switches, connected redundantly to the switch blocks
   e. Collapsed Core
      i. smaller networks may not require actual core switches: use the distribution switches to perform core duties
   f. Core Size in a Campus Network
      i. the routing that core switches have to perform is small because VLAN boundaries are at the distribution switches, so the core only needs to know about the distribution switches

Chapter 2: Switch Operation

1. Layer 2 Switch Operation
   a. Layer 2 Collisions
      i. hosts in a noisy collision domain can only operate in half duplex
      ii. a Layer 2 switch limits collisions, which allows full duplex and more bandwidth, and checks frames for errors
   b. Transparent Bridging
      i. a switch is a multiport transparent bridge
      ii. it looks up the destination MAC in its table; if it is not there, it floods the frame out all ports except the source port
   c. Follow That Frame!
      i. ingress queue
      ii. L2 forwarding table (CAM) to look up the destination MAC
      iii. ACL located in TCAM to decide on access based on MAC, protocol, port number, etc.
      iv. QoS ACL is also consulted
      v. egress queue
2. Multilayer Switch Operation
   a. Types of Multilayer Switching
      i. route caching (first generation)
         1. uses a route processor (determines the packet destination) and a switching engine (creates a shortcut based on that destination)
      ii. topology based (second generation)
         1. the RP creates a topology of the network before passing it to the SE
         2. also known as Cisco Express Forwarding (CEF); uses the Forwarding Information Base (FIB)
   b. Follow That Packet!
      i. similar to L2 forwarding, but looks at L3 as well
   c. Multilayer Switching Exceptions
      i. packets that cannot be forwarded without additional decisions get punted to the switch CPU for more processing
3. Tables Used in Switching
   a. Content Addressable Memory
      i. source MAC, port of arrival, VLAN, and timestamp are recorded
      ii. age-out time is 300 seconds
      iii. mac address-table aging-time 200 -- change the aging time (seconds)
      iv. mac address-table static 0456.9GF0.AC6F vlan 10 interface fa0/1 -- force a CAM entry
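The transparent-bridging and CAM behaviour above (learn the source, look up the destination, flood unknowns, age entries out after 300 seconds) as a small software model. This is an added example, not code from the book or these notes; the port numbers, MAC addresses and timestamps are constructed inputs.

```python
"""Transparent-bridge forwarding with an aging CAM table.

Added example, not from the book or these notes: a software model of the
learn / look up / flood behaviour and the 300-second default aging time
described above. Port numbers, MACs and timestamps are constructed inputs.
"""
from dataclasses import dataclass, field

CAM_AGING_SECONDS = 300   # IOS default; "mac address-table aging-time" changes it
BROADCAST = "ffff.ffff.ffff"


@dataclass
class CamEntry:
    port: int
    vlan: int
    last_seen: float      # time the last frame from this source MAC arrived


@dataclass
class Switch:
    ports: list
    aging: int = CAM_AGING_SECONDS
    cam: dict = field(default_factory=dict)   # (vlan, mac) -> CamEntry

    def age_out(self, now):
        """Drop dynamic entries that have not been refreshed within the aging time."""
        for key in [k for k, e in self.cam.items() if now - e.last_seen > self.aging]:
            del self.cam[key]

    def forward(self, src, dst, vlan, in_port, now):
        """Return the egress ports for one frame; the source MAC is learned first."""
        self.age_out(now)
        # learning: source MAC, arrival port, VLAN and timestamp are recorded
        self.cam[(vlan, src)] = CamEntry(in_port, vlan, now)
        entry = self.cam.get((vlan, dst))
        if dst == BROADCAST or entry is None:
            # broadcast or unknown unicast: flood out every port except the one it came in on
            return [p for p in self.ports if p != in_port]
        if entry.port == in_port:
            return []     # destination is behind the same port as the sender: filter the frame
        return [entry.port]


def demo():
    """Walk a frame exchange through a 4-port switch and return the egress ports per frame."""
    sw = Switch(ports=[1, 2, 3, 4])
    a, b = "0000.0000.000a", "0000.0000.000b"
    return [
        sw.forward(a, b, 10, 1, now=0),          # B unknown: flooded to 2, 3, 4
        sw.forward(b, a, 10, 2, now=1),          # A already learned on port 1
        sw.forward(a, b, 10, 1, now=2),          # B now known on port 2
        sw.forward(a, BROADCAST, 10, 1, now=3),  # broadcast always floods
        sw.forward(b, a, 10, 2, now=402),        # 400 s idle: A's entry aged out, flooded again
    ]
```

The last frame in `demo()` is the point of the aging time: once a station has been quiet for longer than the aging interval, frames to it are flooded to every port in the VLAN again, so every other host on that VLAN sees them until the station speaks and is re-learned. The table is keyed per VLAN, so a MAC learned in VLAN 10 never answers a lookup in VLAN 20.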
   b. Ternary Content Addressable Memory
      i. hardware that holds ACLs, to make lookups faster
   c. TCAM Structure
      i. lookups can be done abstractly with a mask that highlights only the relevant bits
      ii. entries are composed of value, mask, and result combinations (VMR)
      iii. entries are ordered by mask so that the best (longest) match is found first
   d. TCAM Example
   e. Port Operations in TCAM
      i. Layer 4 (port number) lookups can be done in TCAM
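A software model of the value/mask/result structure described above, written as an added example (not from the book or these notes). It assumes a 48-bit lookup key made of a 32-bit IPv4 address followed by a 16-bit port; the ACL and FIB contents are constructed for the illustration. It also shows why the ordering matters: an ACL is searched in configuration order, while a prefix table must be loaded longest-mask first or a shorter prefix shadows the longer one.

```python
"""Value/Mask/Result (VMR) lookups as done in a TCAM.

Added example, not from the book or these notes. Each entry is a
(value, mask, result) triple over a fixed-width key; a key matches when every
bit selected by the mask equals the value. The key layout (32-bit address in
the high bits, 16-bit port in the low bits) and the table contents are
assumptions made for this illustration.
"""
import ipaddress


def make_key(address, port):
    """48-bit lookup key: IPv4 address in the high 32 bits, port in the low 16."""
    return (int(ipaddress.IPv4Address(address)) << 16) | (port & 0xFFFF)


def make_entry(prefix, port, result):
    """VMR entry over the same layout; port None means 'any port' (port bits unmasked)."""
    net = ipaddress.IPv4Network(prefix)
    value = int(net.network_address) << 16
    mask = int(net.netmask) << 16
    if port is not None:
        value |= port
        mask |= 0xFFFF
    return (value, mask, result)


class Tcam:
    """An ordered list of VMR entries; the hardware compares all of them in
    parallel and returns the lowest-index hit, which the loop below imitates."""

    def __init__(self, entries, longest_mask_first=False):
        if longest_mask_first:   # how a FIB is loaded: most specific prefix wins
            entries = sorted(entries, key=lambda e: bin(e[1]).count("1"), reverse=True)
        self.entries = list(entries)

    def lookup(self, key):
        for value, mask, result in self.entries:
            if key & mask == value & mask:
                return result
        return None


# An ACL keeps its configured order: the first matching ACE decides.
ACL = Tcam([
    make_entry("10.1.1.0/24", 22, "permit"),   # management subnet may use SSH
    make_entry("0.0.0.0/0", 22, "deny"),       # nobody else may
    make_entry("0.0.0.0/0", None, "permit"),   # everything else is allowed
])

# A FIB must be ordered longest mask first so that 10.1.0.0/16 beats 10.0.0.0/8.
FIB_ROWS = [
    make_entry("10.0.0.0/8", None, "Gi1/1"),
    make_entry("10.1.0.0/16", None, "Gi1/2"),
    make_entry("0.0.0.0/0", None, "Gi1/0"),
]
FIB = Tcam(FIB_ROWS, longest_mask_first=True)
FIB_UNSORTED = Tcam(FIB_ROWS)                  # what happens without the ordering


def acl_decision(src_ip, dst_port):
    return ACL.lookup(make_key(src_ip, dst_port))


def next_hop_interface(dst_ip):
    return FIB.lookup(make_key(dst_ip, 0))


def shadowed_next_hop(dst_ip):
    """Same rows in configuration order: the /8 shadows the /16."""
    return FIB_UNSORTED.lookup(make_key(dst_ip, 0))
```

Because a TCAM lookup is a single parallel compare rather than a walk through the table, the cost of an ACL does not grow with its length; the cost that does grow is TCAM space, which is why the `sdm prefer` templates below trade MAC, ACL and routing entries against each other.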
4. Managing Switching Tables
   a. CAM Table Operation
      i. show mac address-table dynamic [address | interface | vlan] -- shows the CAM
      ii. show mac address-table count -- shows how many static and dynamic entries there are
      iii. clear mac address-table dynamic [address | interface | vlan] -- clears the CAM
   b. TCAM Operation
      i. self-sufficient; rarely anything to manage
      ii. show platform tcam utilization -- shows the TCAM resources being used
   c. Managing Switching Table Sizes
      i. since the tables compete for the same resources, a switch doing mostly L2 should expand the CAM at the expense of the FIB, and vice versa for L3-focused switches
      ii. show sdm prefer -- shows the number of entries (in thousands) allocated to MAC addresses, IPv4 routes, etc.
      iii. sdm prefer [template] -- change the template (takes effect after a reload)

Chapter 3: Switch Port Configuration

1. Ethernet Concepts
   a. Ethernet Overview
      i. because of collisions, a switch is used to break up the collision domains and make the network less noisy: each collision domain is limited to a single switch port
   b. Scaling Ethernet
      i. Fast Ethernet
         1. 100 Mbps over UTP
      ii. Gigabit Ethernet
         1. faster
      iii. 10-Gigabit Ethernet
         1. operates only at full duplex
      iv. Beyond 10 Gig
   c. Duplex Operation over Ethernet Links
      i. full duplex is possible only when there is a single device at each end of the link (no shared medium)
      ii. speed is determined by the electrical signaling, so either end can detect what the other end is trying to use
      iii. for autonegotiation, both sides must be set to auto; otherwise the default is half duplex (to be safe)
      iv. Cisco recommends manually setting speed and duplex so that one end does not change its settings unexpectedly
2. Connecting Switches and Devices
   a. Ethernet Port Cables and Connectors
      i. hot-swappable modules supporting many different port types
3. Switch Port Configuration
   a. Selecting Ports to Configure
      i. interface fa1/0/14 -- select a port by stack member, module, and interface number
      ii. interface range fa0/1 - 24 -- a range of ports
      iii. interface range fa0/1 , fa0/5 -- selected ports (note the comma and the spaces around it)
      iv. define interface-range MyGroup fa0/1 , fa0/5 -- create a macro with selected ports
   b. Identifying Ports
      i. description Workstation in Secretary Area -- give a description to the interface
   c. Port Speed
      i. speed {10 | 100 | 1000 | auto} -- set the speed
   d. Port Duplex Mode
      i. duplex {auto | full | half} -- set duplex
   e. Managing Error Conditions on a Switch Port
      i. you can specify which error conditions shut down a port
      ii. errdisable detect cause {all | specific cause} -- turns on err-disable detection for the specified condition
   f. Automatically Recover from Error Conditions
      i. an err-disabled port must be manually re-enabled with:
         1. shutdown
         2. no shutdown
      ii. automatically re-enable a port after an error (the default wait time is 300 seconds):
         1. errdisable recovery cause {all | specific cause}
         2. errdisable recovery interval 100 -- change the wait time (seconds)
   g. Troubleshooting Port Connectivity
      i. show interface fa0/1 -- look at the line (L1) and protocol (L2) status
   h. Looking for the Port State
      i. show interface status -- status of all ports
      ii. show interface status err-disabled -- all err-disabled ports
   i. Looking for Speed and Duplex Mismatches
      i. look for high input errors: a sign of a duplex or speed mismatch
4. Discovering Connected Devices
   a. CDP
      i. runs at L2; regular one-way advertisements
      ii. show cdp neighbors -- shows neighbors
      iii. show cdp neighbors interface fa0/1 -- shows neighbors on that interface
      iv. no cdp run -- turn off CDP globally
   b. Link Layer Discovery Protocol
      i. not Cisco proprietary, and disabled by default
      ii. lldp run -- turn it on
      iii. show lldp neighbors -- get the neighbors
      iv. show lldp neighbors interface fa0/1 detail -- show neighbors on that interface in detail
5. Using Power over Ethernet
   a. How PoE Works
      i. Cisco Inline Power (proprietary)
      ii. 802.3af, 802.3at
      iii. Cisco Universal PoE (proprietary)
   b. Detecting a Powered Device
      i. the switch measures resistance on the pairs to see whether the device is drawing (and therefore needs) power or not
      ii. power classes:
         1. class 0: 15.4 W
         2. class 1: 4 W
         3. class 2: 7 W
         4. class 3: 15.4 W
         5. class 4: up to 30 W
   c. Configuring PoE
      i. it works automatically
      ii. power inline {auto | static} [max milliwatts] -- configure static to provide a specific or maximum amount of power
      iii. power inline never -- disable PoE on an interface
   d. Verifying PoE
      i. a switch may not have enough power budget to supply all devices
      ii. show power inline -- shows current PoE states
      iii. show power inline fa0/1 -- shows PoE for that one interface

Part II: Building a Campus Network

Chapter 4: VLANs and Trunks

1. VLANs
   a. VLAN Membership
      i. Static VLANs
         1. the VLAN is created and ports are assigned manually
      ii. Configuring Static VLANs
         1. vlan 10 -- create VLAN with ID 10
         2. name Accounting -- name the VLAN
         3. switchport mode access -- make the port an access port
         4. switchport access vlan 10 -- add the port to the VLAN
         5. show vlan
         6. show vlan brief
      iii. Dynamic VLANs
         1. based on MAC address rather than port; not covered in this book
   b. Deploying VLANs
      i. End-to-End VLANs
         1. a VLAN that spans from one switch block to another, thus crossing the core switches
         2. not recommended unless necessary
      ii. Local VLANs
2. VLAN Trunks
   a. VLAN Frame Identification
      i. ISL
         1. Cisco proprietary
         2. encapsulates the whole frame with its own header
      ii. 802.1Q
         1.
   b. DTP
      i. dynamically negotiates trunking and chooses the encapsulation to use
3. VLAN Trunk Configuration
   a. Configuring a VLAN Trunk
      i. switchport trunk encapsulation dot1q
      ii. switchport trunk native vlan 100
      iii. switchport trunk allowed vlan 100-200 (all allows 1-4094)
      iv. switchport trunk allowed vlan remove 100
      v. switchport mode {trunk | dynamic desirable | dynamic auto} -- dynamic auto is passive, dynamic desirable actively negotiates
4. Troubleshooting VLANs and Trunks
   a. show vlan id 100 -- see the VLAN and the ports (including trunks) that carry it
   b. the two ends must be in agreement on:
      i. trunking mode (unconditional, negotiated, or non-negotiated)
      ii. encapsulation
      iii. native VLAN
      iv. allowed VLANs
   c. show interface fa0/1 switchport -- see the trunking operation (vs. the configuration)
   d. show interface fa0/1 trunk
5. Voice VLANs
   a. Voice VLAN Configuration
      i. carries voice traffic to a Cisco IP phone
      ii. switchport voice vlan 100 -- voice will be tagged with VLAN 100, data untagged (native)
      iii. switchport voice vlan dot1p -- voice will be tagged with VLAN 0 (802.1p priority only), data untagged
      iv. switchport voice vlan untagged -- both untagged (native)
      v. switchport voice vlan none -- both untagged on the access VLAN
   b. Verifying Voice VLAN Operation
      i. show interface switchport -- look for Voice VLAN
6. Wireless VLANs

Chapter 5: VLAN Trunking Protocol

1. VTP
   a. Domains
      i. VTP info will only be shared with switches in the same domain
   b. Modes
      i. server: sends advertisements; the default
      ii. client: listens; VLANs cannot be changed manually
      iii. transparent: in VTP version 1 it only passes advertisements along if the domain matches; in VTP version 2 it passes them along regardless
      iv. off: completely off
   c. Advertisements
      i. summary advertisement: every 300 seconds and whenever a change occurs
      ii. subset advertisement: contains the new/deleted VLANs
      iii. advertisement requests from clients: a client can request VLAN info
   d. Synchronization
      i. the configuration revision number is incremented on every change, and a switch replaces its whole VLAN database if it receives an advertisement with a revision number higher than the one it has stored; the revision is kept in NVRAM, so a reboot or reset won't clear it
      ii. it is important to reset the revision number to 0 on a new switch so it doesn't push out (and overwrite the domain with) VLAN info you don't want:
         1. change the VTP mode to transparent and then back to server, or:
         2. change the VTP domain to a bogus name and then back
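The synchronization rule above, and the reason for zeroing the revision number before plugging in a switch, as an added example (not code from the book or these notes). Switch names, domain, password and VLAN sets are constructed. The password check is simplified to an equality test; real VTP compares an MD5 digest over the advertisement and the password rather than the password itself.

```python
"""VTP synchronization by configuration revision number.

Added example, not from the book or these notes: a model of the rule that a
server or client replaces its VLAN database when an advertisement from the
same domain (and password) carries a higher revision number. Names, domain,
password and VLANs are constructed inputs; the password comparison is a
simplification of the real MD5-digest check.
"""
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    domain: str
    password: str = ""
    mode: str = "server"                  # server | client | transparent | off
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})

    def set_mode(self, mode):
        if mode in ("transparent", "off"):   # leaving server/client zeroes the stored revision
            self.revision = 0
        self.mode = mode

    def set_domain(self, domain):
        self.domain = domain
        self.revision = 0                    # changing the domain name also resets it

    def create_vlan(self, vid):
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLANs cannot be changed in client mode")
        self.vlans.add(vid)
        if self.mode == "server":
            self.revision += 1               # every change made on a server bumps the revision

    def summary_advertisement(self):
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": frozenset(self.vlans)}

    def receive(self, adv):
        """Apply the synchronization rule; return True if the database was replaced."""
        if self.mode in ("transparent", "off"):
            return False
        if adv["domain"] != self.domain or adv["password"] != self.password:
            return False
        if adv["revision"] <= self.revision:
            return False
        self.vlans = set(adv["vlans"])
        self.revision = adv["revision"]
        return True


def plug_in_spare(reset_first):
    """A spare switch with a stale, higher revision is connected to the campus domain.
    Returns (core overwritten?, core VLANs, spare synced?, spare VLANs)."""
    core = VtpSwitch("core", "Campus", "s3cret")
    for v in (10, 20, 30):
        core.create_vlan(v)                  # production VLANs, revision 3
    spare = VtpSwitch("spare", "Campus", "s3cret")
    for v in range(100, 110):
        spare.create_vlan(v)                 # leftovers from a lab, revision 10
    if reset_first:
        spare.set_mode("transparent")        # the trick from the notes: revision -> 0
        spare.set_mode("client")
    core_overwritten = core.receive(spare.summary_advertisement())
    spare_synced = spare.receive(core.summary_advertisement())
    return core_overwritten, sorted(core.vlans), spare_synced, sorted(spare.vlans)
```

Without the reset the core adopts the spare switch's database and the production VLANs 10, 20 and 30 disappear from the whole domain; with the reset the spare switch learns the campus VLANs instead. Nothing in this rule cares whether the higher revision came from an administrator or from a forgotten lab switch, which is why the domain password and VTP version 3 (which only accepts changes from a primary server) matter.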
2. VTP Configuration
   a. Configuring the Version
      i. version 1: the default
      ii. version 2: relays messages in transparent mode without checking the version, Token Ring support, consistency checks
      iii. version 3: supports VLANs 1 through 4094, hidden/encrypted password, propagates non-VTP databases (such as MST), primary/secondary servers, VTP can be enabled per port rather than per switch
      iv. vtp version {1 | 2 | 3}
   b. Configuring a Domain
      i. vtp domain Accounting -- create a VTP domain named Accounting
   c. Configuring Mode
      i. server mode: every domain should have at least one server, and more for redundancy
      ii. client mode: new switches should be clients; after a switch has learned the VTP info, you can turn it into a server if you want
      iii. transparent mode: VLANs can be created loc​ally and will not be advertised, but the switch will forward any VTP info it receives
      iv. off mode: no VTP info will be relayed or processed
      v. vtp mode {server | client | transparent | off}
   d. Status
      i. show vtp status
3. VTP Pruning
   a. Pruning
      i. stops broadcasts (and other flooded traffic) from crossing a trunk, even if the VLAN is allowed on that trunk, when the remote switch has no ports in that VLAN (as advertised by the remote switch)
      ii. disabled by default
   b. Enabling Pruning
      i. vtp pruning -- enables pruning for all VLANs
      ii. interface fa0/2
      iii. switchport trunk pruning vlan remove 101 (or add, except, none) -- removes that VLAN from pruning eligibility, if you need to
4. Troubleshooting VTP
   a. transparent mode?
   b. client with no server?
   c. link from the server not in trunk mode? show interface fa0/1 switchport
   d. VTP domain name, password, and version all matching?

Part III: Working with Redundant Links

Chapter 6: Traditional Spanning Tree Protocol

1. 802.1D Overview
   a. Bridging Loops
      i. two switches connected redundantly keep forwarding the same frames around the loop
   b. Preventing Loops with STP
      i. blocks a port to break the loop
   c. STP Communication: BPDU
      i. uses BPDUs, with the source address being the MAC of the sending port
      ii. sent to the multicast address 01-80-c2-00-00-00
      iii. two types:
         1. configuration BPDU: for the STP computation
         2. topology change notification (TCN) BPDU: to announce topology changes
   d. Electing a Root Bridge
      i. the bridge ID consists of 8 bytes:
         1. 2-byte bridge priority (default 32,768)
         2. 6-byte MAC address
      ii. all switches send out their bridge IDs
      iii. all switches decide who has the lowest bridge ID, and that switch becomes the root
   e. Electing Root Ports
      i. each nonroot switch now finds the port with the lowest cost to the root bridge: its root port
      ii. path costs:
         1. 10 Mbps = 100
         2. 100 Mbps = 19
         3. 1 Gbps = 4
         4. 10 Gbps = 2
      iii. the root bridge sends BPDUs with a cost of 0, which each receiving (nonroot) switch increments by the path cost of the port the BPDU arrived on
   f. Electing Designated Ports
      i. on each network segment, the port with the lowest cost to the root bridge becomes the designated port; the lowest bridge ID (then the lowest port ID) breaks ties
         1. all ports of the root bridge are automatically designated
      ii. finally, all ports that are neither root nor designated go into the blocking state
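The election rules above carried out on a small topology, as an added example (not code from the book or these notes). The switches, MAC addresses and links are constructed; the path costs are the short-method values listed above, and port priority is left at the default 128. The second scenario attaches an unmanaged switch with priority 0 to an access port, which is exactly the takeover that root guard (Chapter 8) exists to stop.

```python
"""802.1D root, root-port and designated-port election.

Added example, not from the book or these notes: computes STP port roles for a
small topology using the rules summarised above (lowest bridge ID wins root,
root path cost accumulates on the receiving port, ties broken by bridge ID and
then port ID). Switches, MACs and links are constructed inputs.
"""
import heapq

PATH_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # link speed in Mbps -> cost


def bridge_id(priority, mac):
    """8-byte bridge ID: 2-byte priority followed by the 6-byte MAC, compared as one number."""
    return (priority << 48) | int(mac.replace(".", ""), 16)


def port_id(priority, number):
    return (priority << 8) | number


def elect(switches, links):
    """switches: {name: (priority, mac)}; links: [(swA, portA, swB, portB, mbps)].
    Returns (root name, {(switch, port): 'root' | 'designated' | 'blocking'})."""
    bids = {n: bridge_id(p, m) for n, (p, m) in switches.items()}
    root = min(bids, key=bids.get)

    nbrs = {n: [] for n in switches}        # switch -> [(local port, peer, peer port, cost)]
    for a, pa, b, pb, mbps in links:
        nbrs[a].append((pa, b, pb, PATH_COST[mbps]))
        nbrs[b].append((pb, a, pa, PATH_COST[mbps]))

    # root path cost: the root advertises 0, each receiver adds the cost of its ingress port
    rpc = {n: float("inf") for n in switches}
    rpc[root] = 0
    heap = [(0, bids[root], root)]
    while heap:
        cost, _, sw = heapq.heappop(heap)
        if cost > rpc[sw]:
            continue
        for _, peer, _, c in nbrs[sw]:
            if cost + c < rpc[peer]:
                rpc[peer] = cost + c
                heapq.heappush(heap, (rpc[peer], bids[peer], peer))

    roles = {}
    # root port: on each nonroot switch, the port whose BPDU offers the lowest cost to the root
    for sw in switches:
        if sw == root:
            continue
        best = min(nbrs[sw], key=lambda e: (rpc[e[1]] + e[3], bids[e[1]], port_id(128, e[2])))
        roles[(sw, best[0])] = "root"
    # designated port: on each segment, the end advertising the lower (cost, bridge ID, port ID)
    for a, pa, b, pb, _ in links:
        key_a = (rpc[a], bids[a], port_id(128, pa))
        key_b = (rpc[b], bids[b], port_id(128, pb))
        dp, other = ((a, pa), (b, pb)) if key_a < key_b else ((b, pb), (a, pa))
        roles[dp] = "designated"
        roles.setdefault(other, "blocking")   # neither root nor designated: block
    return root, roles


def campus():
    """SW1 is the intended root (priority lowered); SW2-SW3 is a slower backup link."""
    switches = {"SW1": (4096, "0000.0000.0001"),
                "SW2": (32768, "0000.0000.0002"),
                "SW3": (32768, "0000.0000.0003")}
    links = [("SW1", 1, "SW2", 1, 1000), ("SW1", 2, "SW3", 1, 1000), ("SW2", 2, "SW3", 2, 100)]
    return switches, links


def rogue_takeover():
    """An unmanaged switch with priority 0 is plugged into an access port on SW3."""
    switches, links = campus()
    switches["ROGUE"] = (0, "0000.0000.00ff")
    return elect(switches, links + [("SW3", 3, "ROGUE", 1, 100)])
```

In the rogue case the root moves to the new switch, SW3 port 2 changes from blocking to designated, and traffic between SW1 and SW2 now has to cross SW3: the topology is re-centred on a 100 Mbps link that nobody chose. Setting the root yourself (Chapter 7) only wins as long as nothing with a lower bridge ID appears.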
   g. STP States
      i. blocking: no data is forwarded and no MACs are learned; only BPDUs are received
      ii. listening: on its way to possibly becoming a root or designated port; BPDUs are sent and received
      iii. learning: can add to the MAC table but cannot forward frames
      iv. forwarding: fully functional
      v. show spanning-tree interface fa0/1 -- show the port state
   h. STP Timers
      i. hello (from the root): 2 seconds
      ii. forward delay: time spent in each of the listening and learning states: 15 seconds
      iii. max age: how long a stored BPDU is kept before it is considered stale: 20 seconds
   i. Topology Changes
      i. Topology Change
         1. when a change occurs (a port goes into forwarding or blocking, etc.), the switch sends a TCN BPDU out its root port, which only informs the upstream neighbor that a change has occurred
         2. eventually the root will receive and acknowledge it
         3. the root then informs all switches (via the TC flag in its configuration BPDUs) to shorten their bridge table aging time from 300 seconds to 15 (the forward delay), in order to flush stale entries quickly
      ii. Direct
         1. a switch detects that one of its own links is down
         2. convergence takes around 30 seconds (listening + learning)
      iii. Indirect
         1. when a link stays up but something in between is causing filtering or blocking
         2. a switch stops receiving BPDUs on that link from the root, and must wait for max age to expire before it can act on BPDUs from the root arriving on another of its ports
      iv. Insignificant
2. Types of STP
   a. Common STP (CST)
      i. one instance for all VLANs; 802.1Q
      ii. reduces load and complexity
      iii. can cause issues, since a port blocked for one VLAN is blocked for all of them
   b. Per-VLAN STP (PVST)
      i. proprietary, so requires ISL trunks
      ii. doesn't work well with
   c. Per-VLAN STP Plus (PVST+)
      i. supports interoperation with CST over 802.1Q

Chapter 7: Spanning-Tree Configuration

1. STP Root Bridge
   a. Root Bridge Placement
      i. it is best practice to set the root yourself
      ii. otherwise the root could end up being a switch that clients are attached to, which forces traffic to go from the access layer into the distribution layer, back into the access layer, and then back into the distribution layer, etc.
   b. Root Bridge Configuration
      i. lower the bridge priority of the switch you want to be root (in multiples of 4096):
         1. spanning-tree vlan 10 priority 4096
      ii. let the would-be root set its own priority (it attempts to set itself to a bridge ID lower than the current root's):
         1. spanning-tree vlan 100 root primary (or secondary)
      iii. examine the current root:
         1. show spanning-tree vlan 100
2. Spanning-Tree Customization
   a. Tuning the Root Path Cost
      i. spanning-tree vlan 100 cost 2 (interface command)
      ii. show spanning-tree vlan 100
   b. Tuning the Port ID
      i. the port ID consists of port priority + port number
      ii. the port priority is a number from 0 to 255 (set in increments of 16 on Catalyst switches); the default for all ports is 128
      iii. the port number corresponds to the actual physical port, but can be complicated by there being different modules, etc.
      iv. the port number cannot be modified (fixed to the physical hardware), but the port priority can be altered
      v. interface fa0/1
      vi. spanning-tree port-priority 64
3. Tuning STP Convergence
   a. Modifying STP Timers
      i. Manually Configuring STP Timers
         1. spanning-tree vlan 100 hello-time 3
         2. spanning-tree vlan 100 forward-time 20
         3. spanning-tree vlan 100 max-age 30
      ii. Automatically Configuring STP Timers
         1. the default timers assume a switch-to-switch network diameter of 7 switches
         2. you can have the timers computed automatically for a smaller diameter:
         3. spanning-tree vlan 100 root primary diameter 3 hello-time 1
4. Redundant Link Convergence
   a. PortFast: Access Layer Nodes
      i. plugging in a workstation is a topology change, so the port can take up to 30 seconds to start forwarding
      ii. PortFast allows access links to move into the forwarding state immediately
      iii. global:
         1. spanning-tree portfast default
      iv. per interface:
         1. interface fa0/1
         2. spanning-tree portfast
   b. UplinkFast: Access Layer Uplinks
      i. consider two uplinks between switches for redundancy: normally one would be blocking and the other forwarding, but if the forwarding one goes down, it will take up to 50 seconds for the network to converge
      ii. UplinkFast keeps the blocking uplink ready for immediate use if the other goes down
      iii. spanning-tree uplinkfast
      iv. show spanning-tree uplinkfast
   c. BackboneFast: Redundant Backbone Paths
      i. a switch that detects inferior BPDUs on its root port or a blocked port looks for alternate paths to the root bridge without waiting for max age to expire
      ii. if used, should be enabled on all switches
      iii. spanning-tree backbonefast
5. Monitoring STP
   a. show spanning-tree
   b. show spanning-tree detail
   c. show spanning-tree vlan 100 summary
   d. show spanning-tree vlan 100 root
   e. show spanning-tree vlan 100 bridge
   f. show spanning-tree interface fa0/1
   g. show spanning-tree uplinkfast
   h. show spanning-tree backbonefast

Chapter 8: Protecting the Spanning Tree Protocol Topology

1. Protecting Against Unexpected BPDUs
   a. Root Guard
      i. the port still sends and receives BPDUs, but if a superior BPDU (one that would make the neighbor the new root) arrives, the port is put into the root-inconsistent (blocking) state until those BPDUs stop
      ii. so a new switch connected to it cannot become the root bridge
      iii. only works on a per-port basis
      iv. interface fa0/1
      v. spanning-tree guard root
   b. BPDU Guard
      i. suppose a switch is connected to a port with PortFast: a loop could form
      ii. BPDU Guard shuts down the port (err-disable) if any BPDU is received on it
      iii. enable this on all ports with PortFast (access ports)
      iv. spanning-tree portfast bpduguard default -- enable globally on all PortFast ports
      v. spanning-tree bpduguard enable -- enable on a single port
2. Protecting Against Sudden Loss of BPDUs
   a. STP relies on the BPDUs it receives; if they stop, a blocked port will eventually move to forwarding, but the loss could be caused by an error (such as a unidirectional link) rather than a real topology change, and then a loop forms
   b. Loop Guard
      i. if BPDUs stop being received on a nondesignated port, the port is held in blocking (loop-inconsistent) until BPDUs are received again
      ii. spanning-tree loopguard default -- global
      iii. spanning-tree guard loop -- per port
   c. UDLD
      i. consider a connection with a wiring/physical-layer problem in one direction: the switches might not know that the link is down in that direction, which can obviously cause problems with STP
         1. note that this mostly happens on fiber links, not UTP cable
      ii. UDLD monitors a connection to be sure it is truly bidirectional by sending echo messages to the other end (default interval 15 seconds); requires both ends to have UDLD enabled
      iii. you can safely enable this globally, because the global command only turns it on for fiber links
      iv. two modes:
         1. normal: the port continues to operate even if a unidirectional link is detected (it is only flagged)
         2. aggressive: when the echoes stop, the switch sends eight more UDLD messages at 1-second intervals; if the link doesn't recover, it err-disables the port
      v. udld {enable | aggressive} and udld message time 10 -- enable normal or aggressive mode globally, and change the interval to 10 seconds
      vi. udld reset -- bring err-disabled UDLD ports back up
3. Using BPDU Filtering to Disable STP on a Port
   a. you may sometimes need to turn off BPDUs on a port, effectively disabling STP on it (be careful with this)
   b. spanning-tree bpdufilter enable (per port), or spanning-tree portfast bpdufilter default (global, PortFast ports only)
4. Troubleshooting STP Protection
   a. show spanning-tree inconsistentports
   b. show spanning-tree interface
   c. show spanning-tree summary
   d. show udld

Chapter 9: Advanced Spanning Tree Protocol

1. Rapid STP
   a. Port Behavior
      i. in addition to the root port and designated port:
         1. alternate port: an alternate path to the root bridge
         2. backup port: a redundant connection to a segment where another port of the same switch already connects
      ii. port states:
         1. discarding: frames are dropped, no MAC addresses learned
         2. learning: frames are dropped, but MAC addresses are learned
         3. forwarding: frames are forwarded and MAC addresses are learned
   b. BPDUs in RSTP
      i. three missed hellos = neighbor assumed down: a failed neighbor is detected in 6 seconds rather than the 20-second max age
      ii. interoperates with regular 802.1D STP BPDUs
   c. RSTP Convergence
      i. Port Types
         1. edge: only one host connects
         2. root: best path to the root bridge
         3. point-to-point: connects to another switch (designated port)
            a. full duplex: assumed to be point-to-point
            b. half duplex: assumed to possibly connect to many switches (shared), and therefore not point-to-point
      ii. Synchronization
         1. all non-edge ports are placed into the Discarding state
         2. the switch contacts its neighbor (proposal) and finds out whether it has superior BPDUs
         3. the switch and neighbor decide which port is to be designated
         4. the ports then begin forwarding
         5. no timers are used for this process unless a response is not heard from the neighbor: then the regular Listening and Learning states (and their timers) apply
   d. Topology Changes
      i. a change is detected only when a non-edge port becomes forwarding
         1. the TC bit is set in BPDUs for a period of 2x Hello
         2. CAM tables are flushed (except on the port that received the TC)
   e. Configuration
      i. to configure a port as an edge port:
         1. spanning-tree portfast
   f. Rapid PVST+
      i. configure rapid STP on a per-VLAN basis:
         1. spanning-tree mode rapid-pvst
2. Multiple STP
   a. Overview
      i. a topology with an STP instance per VLAN can be wasteful, since there are only so many distinct ways the ports can be blocked, etc.
      ii. MST allows you to map multiple VLANs to a single STP instance
   b. Regions
      i. a switch will participate in an MST instance if it is in an MST region, which has the following attributes:
         1. name
         2. revision number
         3. VLAN-to-instance mapping table
   c. STP Instances Within MST
      i. IST Instances
         1. the Common Spanning Tree (CST) maintains a loop-free topology between regions, treating each MST region as a single box and not caring what is inside it
         2. the Internal Spanning Tree (IST) maintains the loop-free topology within each MST region
      ii. MST Instances
         1. inside each region are the MST instances (MSTIs), up to 16
         2. the IST carries the MSTI information in MST BPDUs
   d. Configuration
      i. spanning-tree mode mst
      ii. spanning-tree mst configuration
      iii. name AccountingMST
      iv. revision 0
      v. instance 1 vlan 1-10
      vi. show pending
      vii. exit
      viii. PVST+ now stops and MST (built on RSTP) begins
      ix. you cannot run both MST and PVST+ at the same time

Chapter 10: Aggregating Switch Links

1. Switch Port Aggregation with EtherChannel
   a. Overview
      i. you can bundle two to eight links of Fast Ethernet, Gigabit Ethernet, or 10-Gigabit Ethernet into a single logical port channel
         1. FEC, GEC, or 10GEC
      ii. you can also bundle links that terminate on several switches joined in a stack or VSS into one EtherChannel for redundancy: Multichassis EtherChannel (MEC)
   b. Bundling Ports with EtherChannel
      i. all bundled ports must have the same settings: VLANs, trunk mode, speed/duplex, etc.
   c. Distributing Traffic in EtherChannel
      i. the switch performs a hash on the destination and/or source addresses of the packets, producing an index number that determines which link in the EtherChannel will be used
      ii. this can result in imbalanced traffic if one host (or one address pair) sends more traffic than another, since all of its traffic lands on the same link
   d. Configuring EtherChannel Load Balancing
      i. you can load balance (only globally) based on other fields:
         1. src-ip, dst-ip, src-dst-ip, src-mac, dst-mac, src-dst-mac, src-port, dst-port, src-dst-port
      ii. port-channel load-balance <method> (choose from the list above)
      iii. show etherchannel load-balance
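The hash-and-index mechanism above, as an added example (not code from the book or these notes). Catalyst switches reduce the selected fields to a 3-bit value, giving eight buckets that are spread over the member links; that is why 2, 4 and 8 links balance evenly and 3 links split 3:3:2. The real hash function is not published, so an XOR of the selected fields stands in for it here, and the flows (sixteen clients talking to one file server) are constructed.

```python
"""EtherChannel member-link selection by hashing.

Added example, not from the book or these notes: a simplified model of how the
load-balancing method chooses a member link. Eight 3-bit hash buckets are
distributed over the links. The XOR used for the hash and the flow set are
assumptions made for this illustration; the vendor's hash is not public.
"""
import ipaddress
from collections import Counter


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _mac(s):
    return int(s.replace(".", "").replace(":", ""), 16)


def select_link(flow, method, nlinks):
    """flow: dict with src_ip, dst_ip, src_mac, dst_mac, src_port, dst_port.
    Returns the member link index (0 .. nlinks-1) chosen for this flow."""
    fields = {
        "src-ip": [_ip(flow["src_ip"])],
        "dst-ip": [_ip(flow["dst_ip"])],
        "src-dst-ip": [_ip(flow["src_ip"]), _ip(flow["dst_ip"])],
        "src-mac": [_mac(flow["src_mac"])],
        "dst-mac": [_mac(flow["dst_mac"])],
        "src-dst-mac": [_mac(flow["src_mac"]), _mac(flow["dst_mac"])],
        "src-port": [flow["src_port"]],
        "dst-port": [flow["dst_port"]],
        "src-dst-port": [flow["src_port"], flow["dst_port"]],
    }[method]
    h = 0
    for f in fields:
        h ^= f
    bucket = h & 0x7                 # 3-bit hash value: 8 buckets
    return bucket * nlinks // 8      # buckets spread over the member links


def distribution(flows, method, nlinks):
    """Number of flows landing on each link, as a list indexed by link number."""
    counts = Counter(select_link(f, method, nlinks) for f in flows)
    return [counts.get(i, 0) for i in range(nlinks)]


def make_flows():
    """Constructed sample: 16 clients all talking SMB to one file server."""
    return [{"src_ip": f"10.1.1.{i}", "dst_ip": "10.1.2.10",
             "src_mac": f"0000.0000.{i:04x}", "dst_mac": "0000.0000.0abc",
             "src_port": 40000 + i, "dst_port": 445} for i in range(1, 17)]
```

With `dst-ip` every flow in the sample hashes to the same bucket, so one link carries all sixteen clients while the other three sit idle; `src-ip` spreads them evenly. The method is global, so it has to be chosen for the traffic mix the whole switch sees: on the server-facing side of a channel, hashing on the destination is usually the wrong choice.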

2. EtherChannel Negotiation Protocols
   a. Port Aggregation Protocol
      i. Cisco proprietary
      ii. dynamically modifies parameters on all the other ports: a change in VLANs on one port propagates to all other ports in the bundle
      iii. Desirable: actively tries to negotiate an EtherChannel
      iv. Auto: forms an EtherChannel only if the other side is Desirable
   b. Link Aggregation Control Protocol
      i. open standard (IEEE 802.3ad)
      ii. assigns roles to the EtherChannel endpoints
      iii. the switch with the lowest system priority makes the decisions
      iv. the ports with the lowest port priority become active, and the others are standby
      v. Active: same as Desirable
      vi. Passive: same as Auto
3. EtherChannel Configuration
   a. Configuring a PAgP EtherChannel
      i. interface range fa0/1 - 4
      ii. channel-protocol pagp
      iii. channel-group 1 mode {on | auto | desirable} [non-silent]
      iv. silent mode (the default) allows an EtherChannel to be built even if no PAgP packets are heard, so it can be built with a file server, etc.
   b. Configuring a LACP EtherChannel
      i. lacp system-priority 1 (default is 32,768)
      ii. interface range fa0/1 - 4
      iii. channel-protocol lacp
      iv. channel-group 1 mode {on | passive | active}
      v. lacp port-priority 1 (default is 32,768)
      vi. you can add more ports to the group than can be active (up to 16, of which 8 are active) for standby; give the standby ports higher priority numbers
   c. Avoiding Misconfiguration with EtherChannel Guard
      i. misconfiguration is unlikely if using PAgP or LACP
      ii. EtherChannel Guard err-disables the ports in an EtherChannel if a misconfiguration is detected
      iii. EtherChannel Guard runs by default, but can be turned off:
      iv. no spanning-tree etherchannel guard misconfig
      v. show interface status err-disabled
4. Troubleshooting an EtherChannel
   a. if using on mode, be sure both sides are set to on (no PAgP or LACP packets are sent)
   b. if desirable, be sure the other side is auto or desirable
   c. in the default silent mode, no packets are expected from the other end
   d. show etherchannel summary
      i. shows SU if the channel is Layer 2 and in use (operational)
      ii. bundled ports are P, and physically down ones are D
      iii. ports flagged I are stand-alone, not bundled in the channel
   e. show run interface fa0/1
      i. to see whether the ports are configured identically for the EtherChannel
   f. show interface fa0/1 etherchannel
   g. show etherchannel load-balance

Part IV: Multilayer Switching

Chapter 11: Multilayer Switching

1. Inter-VLAN Routing
   a. Types of Interfaces
      i. a Layer 3 address on a physical interface (routed port)
      ii. a Layer 3 address on a logical interface (SVI)
   b. Configuring Inter-VLAN Routing
      i. Layer 2 Port Configuration
         1. show interface fa0/1 switchport
            a. if it reports switchport disabled, the port is Layer 3
         2. switchport -- enable Layer 2 mode
      ii. Layer 3 Port Configuration
         1. no switchport
         2. ip address 10.1.1.20 255.255.255.0
      iii. SVI Port Configuration
         1. vlan 10
         2. interface vlan 10
         3. ip address 10.1.1.30 255.255.255.0
   c. Multilayer Switching with CEF
      i. Traditional MLS Overview
         1. the original method of forwarding packets based on Layer 3
         2. route processor (RP) and switching engine (SE)
      ii. CEF Overview
         1. Cisco Express Forwarding is the next generation of MLS
      iii. Forwarding Information Base
         1. CEF uses the FIB to keep route and next-hop info
         2. if a packet cannot be forwarded in hardware for various reasons (NAT, unsupported encapsulation, TTL expired, etc.), it is punted to the Layer 3 engine (CPU) for more processing
         3. show ip cef vlan 10
   d. Adjacency Table
      i. contains the Layer 2 info (IP-to-MAC, learned via ARP) that works together with the FIB for faster processing
   e. Packet Rewrite
      i. after the lookup, the engine needs to rewrite the packet headers:
         1. Layer 2 destination: the next hop's MAC address
         2. Layer 2 source: the outbound port's MAC address
         3. Layer 3 TTL: decremented by one
         4. Layer 3 (IP header) checksum: recalculated
         5. Layer 2 checksum (FCS): recalculated
   f. Configuring CEF
      i. enabled by default
2. Verifying Multilayer Switching
   a. Verifying Inter-VLAN Routing
      i. show interface fa0/1 switchport
      ii. show vlan
      iii. show ip interface brief
   b. Verifying CEF
      i. show ip cef

Chapter 12: Configuring DHCP

1. Using DHCP with a Multilayer Switch
   a. Overview
      i. client: Discover (broadcast)
      ii. server: Offer (broadcast, since the client doesn't have an IP address yet)
      iii. client: Request (broadcast)
      iv. server: ACK (unicast, since the client now has an IP address)
   b. Configuring an IPv4 DHCP Server
      i. Overview
         1. ip dhcp excluded-address 10.1.1.1 10.1.1.50
         2. ip dhcp pool FirstPool
         3. network 10.1.1.0 255.255.255.0
         4. default-router 10.1.1.1
         5. lease 10 (days; the default is 1 day)
         6. show ip dhcp binding -- to see the leases
            a. clear ip dhcp binding 10.1.1.56 -- to delete a lease
      ii. Configuring a Manual Address Binding
         1. host 10.1.1.55 255.255.255.0
         2. hardware-address 05a3.1bc3.475a
      iii. Configuring DHCP Options
         1. option <number> ip 10.1.1.22 (option numbers below)
            a. 43: wireless LAN controller
            b. 69: SMTP server
            c. 70: POP3 server
            d. 150: TFTP server
      iv. Configuring a DHCP Relay
         1. ip helper-address 10.1.60.10 (interface command) -- forwards the DHCP broadcasts on to a DHCP server as unicast
2. Configuring DHCP to Support IPv6
   a. Stateless Autoconfiguration
      i. the router advertises the prefix, which the client combines with an interface ID derived from its own MAC address (EUI-64: FFFE inserted in the middle)
      ii. ipv6 address 2001:db8:a::1/64
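How a SLAAC client turns the advertised prefix and its MAC into an address, as an added example (not code from the book or these notes). It inserts FFFE in the middle as described above and, as RFC 4291 also requires, flips the universal/local bit of the first byte. The prefix is the one configured above; the MAC address is a constructed input. The inverse function shows the privacy cost: an EUI-64 address hands the host's MAC to anyone who sees the packet.

```python
"""Modified EUI-64 interface IDs for IPv6 stateless autoconfiguration.

Added example, not from the book or these notes: builds the interface ID a
SLAAC client derives from its MAC (FFFE inserted in the middle, U/L bit
flipped) and combines it with a /64 prefix from a router advertisement.
The MAC address used below is a constructed input.
"""
import ipaddress


def _mac_bytes(mac):
    """Accept 0000.0c12.3456, 00:00:0c:12:34:56 or 00-00-0c-12-34-56."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytearray.fromhex(digits)


def eui64_interface_id(mac):
    """Return the 64-bit modified EUI-64 interface identifier as an int."""
    b = _mac_bytes(mac)
    b[0] ^= 0x02                                      # flip the U/L bit (bit 7 of byte 0)
    eui = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])   # OUI | FF FE | device-specific part
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac):
    """Combine the /64 prefix from a router advertisement with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)   # "2001:db8:a::1/64" -> 2001:db8:a::/64
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def mac_from_slaac_address(addr):
    """Inverse mapping: returns the MAC (dotted form) embedded in an EUI-64 address,
    or None when the interface ID is not EUI-64 shaped (e.g. a privacy address)."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"
```

This is also why DHCPv6 (next section) or privacy extensions on the client are preferred where the hardware address should not be visible across the network: a SLAAC address built this way is stable across every network the host ever joins.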
   b. DHCPv6
      i. stateless autoconfig will provide basic connectivity, but if the client needs DNS, etc., then you need DHCP
      ii. ipv6 dhcp pool MyV6Pool
      iii. address prefix 2001:db8:a::/64
      iv. dns-server 2001:db8:c12::10
      v. domain-name mydomain.com
      vi. interface vlan 10
      vii. ipv6 address 2001:db8:a::1/64
      viii. ipv6 dhcp server MyV6Pool
   c. DHCPv6 Lite
      i. uses stateless autoconfig for the address instead, and DHCP just to push out the options
      ii. ipv6 dhcp pool MyPool2
      iii. dns-server 2001:db8:c12::10
      iv. domain-name mydomain.com
      v. interface vlan 6
      vi. ipv6 address 2001:db8:a::1/64
      vii. ipv6 dhcp server MyPool2
      viii. ipv6 nd other-config-flag -- informs clients that other options are available (from DHCPv6) after stateless autoconfig
   d. Configuring a DHCPv6 Relay Agent
      i. ipv6 dhcp relay destination 2001:db8:c12::10 -- address of the remote DHCP server
   e. Verifying IPv6 DHCP Operation
      i. show ipv6 dhcp pool

Part V: Monitoring Campus Networks

Chapter 13: Logging Switch Activity

1. Syslog Messages
   a. Overview
      i. messages have these fields:
         1. timestamp
         2. facility code: the function that generated it
         3. severity: 0 to 7, with 0 being the most severe
         4. mnemonic: a text string that categorizes the event
         5. message text: the description
      ii. you can log only messages at a certain severity level or more severe (i.e. at or below that level number)
         1. 0 emergencies
         2. 1 alerts
         3. 2 critical
         4. 3 errors
         5. 4 warnings
         6. 5 notifications
         7. 6 informational
         8. 7 debugging
   b. Logging to the Switch Console
      i. the default is to send debugging (level 7) and everything more severe, i.e. all messages, to the console
      ii. logging console 1 -- only send severity 1 and more severe to the console
   c. Logging to the Internal Buffer
      i. disabled by default
      ii. older messages are overwritten when the buffer is full (default size is 4096 bytes)
      iii. logging buffered 1 -- log to the buffer anything at severity 1 or more severe
      iv. logging buffered 4096 -- change the buffer size
      v. show logging -- show the buffered messages
   d. Logging to a Remote Syslog Server
      i. sent to the server on UDP port 514 (unauthenticated and unencrypted, so send it over a trusted management network)
      ii. logging host 192.168.50.21
      iii. logging trap 0 -- severity level to send to the server
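A parser for the message format described above (timestamp, facility, severity, mnemonic, text) and the severity threshold that `logging trap` and `logging buffered` apply, as an added example (not code from the book or these notes). The log lines are constructed samples in the IOS format, not output taken from a real switch; the mnemonics are ones IOS uses, but the interface names, addresses and times are made up.

```python
"""Parse IOS syslog lines and apply a severity threshold.

Added example, not from the book or these notes: splits a message into its
timestamp, facility, severity, mnemonic and text, and keeps the messages a
"logging trap <level>" setting would forward. SAMPLE_LOG is a constructed
sample in the IOS format, not output from a real switch.
"""
import re

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

LINE_RE = re.compile(
    r"^(?:\d+:\s+)?"                                      # optional "000123: " sequence number
    r"(?:(?P<timestamp>"
    r"\*?[A-Z][a-z]{2}\s+\d+\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:\s+[A-Z]{2,5})?"   # *Mar  1 00:01:02.123 PST
    r"|\d+[wdhms](?:\d+[wdhms])*"                         # uptime-based form such as 2w3d
    r"):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)

# Constructed sample lines (IOS format); not from a real switch.
SAMPLE_LOG = """\
*Mar  1 00:01:02.123 PST: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.50.7)
*Mar  1 00:02:10.456 PST: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down
*Mar  1 00:02:11.001 PST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/5 on VLAN0010.
*Mar  1 00:02:30.789 PST: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
*Mar  1 00:03:00.000 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
*Mar  1 00:03:05.000 PST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.9.9] [localport: 22] [Reason: Login Authentication Failed]
*Mar  1 00:04:00.000 PST: %SYS-7-USERLOG_DEBUG: debug output
2w3d: %SYS-6-LOGOUT: User admin has exited tty session 1(192.168.50.7)
"""


def parse_line(line):
    """Return a dict of the message fields, or None if the line is not a syslog message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    msg["severity_name"] = SEVERITY_NAMES[msg["severity"]]
    return msg


def filter_by_level(lines, level):
    """Like 'logging trap <level>': keep messages whose severity number is <= level."""
    kept = []
    for line in lines:
        msg = parse_line(line)
        if msg is not None and msg["severity"] <= level:
            kept.append(msg)
    return kept


def mnemonics_at_or_below(level, log=SAMPLE_LOG):
    """FACILITY-SEVERITY-MNEMONIC of every message a collector at this level would receive."""
    return [f'{m["facility"]}-{m["severity"]}-{m["mnemonic"]}'
            for m in filter_by_level(log.splitlines(), level)]
```

With the threshold at 4 (warnings) the collector receives the link flap, the root-guard block, the err-disable and the failed login, and drops the informational and debugging noise; at 0 it receives nothing but emergencies, which for a SIEM feed is almost always too little. Note that the uptime-style timestamp in the last sample line parses but cannot be correlated with anything else, which is the point of the next section.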
2. Adding Timestamps to Syslog Messages
   a. Overview
      i. by default timestamps are based on uptime, which is difficult to correlate with anything else
   b. Setting the Internal System Clock
      i. show clock
      ii. clock timezone PST -8
      iii. clock summer-time PDT recurring
      iv. clock set 15:23:00 (followed by the day, month, and year)
   c. Using NTP to Synchronize with an External Time Source
      i. synchronizes time across all devices
      ii. uses strata: a public reference server is stratum 1, the first switch to sync from it is stratum 2, a stratum 3 device pulls time from stratum 2, clients from stratum 3, etc.
      iii. ntp server 8.8.8.8 prefer
      iv. ntp server 4.4.2.2
      v. show ntp status
      vi. show ntp associations -- see the strata
   d. Securing NTP
      i. ntp authentication-key <key-number> md5 <key-string>
      ii. ntp authenticate
      iii. ntp trusted-key <key-number>
      iv. ntp server 8.8.8.8 key <key-number>
   e. Using SNTP to Synchronize Time
      i. no strata: the device acts only as a client
      ii. same commands as above, just substitute sntp
   f. Adding Timestamps to Logging Messages
      i. use this command to timestamp messages:
      ii. service timestamps log datetime localtime show-timezone msec

Chapter 14: Managing Switches with SNMP

1. SNMP Overview
   a. Overview
      i. a protocol that enables a device to share information about itself and its activities
   b. Parts
      i. SNMP manager: a system that uses SNMP to poll and receive data about network devices
      ii. SNMP agent: runs on the device and responds to the manager with data about itself
      iii. the data is stored in a Management Information Base (MIB) in a tree structure, each object in it identified by an Object Identifier (OID)
   c. Versions
      i. v1: community string authentication, no data protection, 32-bit counters
      ii. v2c: community string authentication, no data protection, bulk requests and inform requests, 64-bit counters
      iii. v3: username authentication, HMAC-based integrity checking, encryption for confidentiality, and restricted views
2. Configuring SNMP
   a. Configuring SNMPv1
      i. access-list 1 permit 192.168.1.10 -- permit only your SNMP manager machines (the switch is the agent)
      ii. snmp-server community MyMonitoring ro 1 (or rw) -- read-only or read/write access; the trailing 1 applies ACL 1 to the community
      iii. snmp-server host 192.168.1.20 MyMonitoring -- IP of your SNMP manager machine (trap receiver)
   b. Configuring SNMPv2C
      i. just add version 2c to the snmp-server host command
   c. Configuring SNMPv3
      i. access-list 1 permit 192.168.1.10
      ii. snmp-server view MyView <OID-subtree> included -- limits the view to certain objects
      iii. snmp-server group MyGroup v3 {noauth | auth | priv} -- sets the security level: no authentication or encryption (noauth), authentication only (auth), or authentication and encryption (priv)
      iv. snmp-server user MyUserName MyGroup v3 auth md5 password123 priv aes 128 asdf12310 -- sets the username that the manager will use to communicate with the switch (sha is preferred over md5 where supported)
      v. snmp-server host 192.168.3.99 informs version 3 priv MyUserName

Chapter 15: Monitoring Performance with IP SLA

1. IP SLA Overview
   a. allows you to test the network between a source and a destination by sending probes (for example echo requests)
   b. the other end does not need to be set up for IP SLA for all tests
   c. tests:
      i. icmp-echo
      ii. path-echo: hop-by-hop times
      iii. path-jitter: requires the other end to be an IP SLA responder
      iv. dns
      v. dhcp
      vi. ftp
      vii. http
      viii. tcp-connect: response time to build a TCP connection
      ix. udp-echo
      x. udp-jitter: requires the other end to be an IP SLA responder
2. Configuring IP SLA
   a. ip sla responder -- configure the far end to respond (only necessary for the jitter tests, for example)
   b. ip sla 1 -- define a new IP SLA operation on the source switch
   c. icmp-echo 192.168.1.22 -- create the test type (using the parameters from above)
   d. frequency 20 -- set the test frequency in seconds
   e. ip sla schedule 1 life forever (or seconds) start-time 13:30:00 ageout 40 recurring -- schedule operation 1 to start at 1:30 PM every day, run forever, and be aged out of memory after 40 seconds without collecting data
3. Using IP SLA
   a. show ip sla configuration 1 -- shows the config you set up above
   b. show ip sla statistics 1 -- shows the results

Chapter 16: Using Port Mirroring to Monitor Traffic

1. Using Local SPAN
   a. Overview
      i. allows you to capture traffic entering or exiting an interface and mirror it to another port to examine it
         1. source ports: the ports you are mirroring
         2. destination port: the port you are mirroring to (where the analyzer is connected)
      ii. you can filter out certain VLANs if a trunk port is the source
      iii. you can specify a physical member port of an EtherChannel or the entire port channel as a source
      iv. local SPAN sends the data to a port on the same switch
      v. remote SPAN sends it to a port on a different physical switch
   b. Local SPAN Configuration
      i. monitor session 1 source interface fa0/1 (or vlan) {rx | tx | both} -- set the source
      ii. monitor session 1 destination interface fa0/1 -- set the destination; add encapsulation replicate to copy the Layer 2 and VLAN tagging info as well
      iii. monitor session 1 destination interface fa0/1 ingress dot1q vlan 100 (or isl, or untagged vlan 100) -- allow ingress traffic on the destination port; the default is not to accept incoming traffic on that port
      iv. monitor session 1 filter vlan 100 -- copy only traffic from VLAN 100
2. Remote SPAN
   a. sends the mirrored traffic over the network to a remote switch
   b. requires a special RSPAN VLAN configured on all the intermediate switches
   c. Remote SPAN Configuration
      i. configure the RSPAN VLAN on all the switches involved:
         1. vlan 100
         2. remote-span
      ii. configure the source switch:
         1. monitor session 1 source interface fa0/1 (or vlan) {rx | tx | both}
         2. monitor session 1 destination remote vlan 100
      iii. configure the destination switch:
         1. monitor session 1 source remote vlan 100
         2. monitor session 1 destination interface fa0/1
3. Managing SPAN Sessions
   a. show run | include monitor
   b. show monitor
   c. no monitor session 1

Part VI: Implementing High Availability

Chapter 17: Understanding High Availability

1. Leveraging Logical Switches
a. Overview
i. switch blocks (with access and distribution) can have redundancy with multiple links and switches
ii. however, if for example an access switch goes down, then the users attached to that switch cannot access the network
iii. instead you can stack the switches into one logical switch, and then bundle the redundant links into an EtherChannel
b. StackWise
i. special cables for combining switches, attached as a daisy chain with a loop connecting the last switch back to the first switch
c. Virtual Switching System
i. combine two identical chassis to create one logical switch, with one module acting as supervisor handling all switching functions
ii. Virtual Switching System (VSS) using a Virtual Switch Link (VSL)
2. Supervisor and Route Processor Redundancy
a. Redundant Switch Supervisors
i. some Catalyst switches can accept two supervisor modules
1. first to boot becomes active, and the second becomes standby
2. standby is ready to take over if the active fails
ii. Route processor redundancy (RPR): the passive supervisor is only partially booted; takes 2 minutes to get up to speed
iii. Route processor redundancy plus (RPR+): the passive supervisor is fully booted but does not participate in Layer 2 or 3 until needed; takes 30 seconds to get up to speed
iv. Stateful switchover (SSO): fully booted and participates in Layer 2, synced with the active supervisor; takes 1 second to get up to speed
b. Configuring the Redundancy Mode
i. redundancy
ii. mode rpr (or rpr-plus, or sso)
iii. show redundancy states
c. Configuring Supervisor Synchronization
i. by default the active supervisor syncs with the passive, but you can specify additional sync items:
ii. redundancy
iii. main-cpu
iv. auto-sync (startup-config, config-register, bootvar)
d. Nonstop Forwarding
i. in case of a switchover, the standby supervisor will need to quickly rebuild the routing information base (RIB) in order to build the FIB for CEF
ii. it can do this by getting information from its neighbors
iii. configure on BGP, OSPF, EIGRP, or IS-IS using the nsf command

Chapter 18: Layer 3 High Availability

1. Packet Forwarding Review
a. if the gateway goes down, packets cannot be forwarded off the local subnet
2. Hot Standby Router Protocol
a. Overview
i. Cisco proprietary
ii. several routers grouped together acting as one gateway: one as active, another as standby, the others as listening
b. HSRP Router Election
i. highest priority number becomes active (default is 100; IP address breaks ties)
ii. hello messages sent every 3 seconds; only the standby router monitors
iii. standby 1 priority 200: makes this router active
iv. standby 1 timers msec 100 msec 200: set the hello timer to 100 ms and the hold timer to 200 ms
v. fallback to the previous active router is not automatic; to force it:
vi. standby 1 preempt
c. Plaintext HSRP Authentication
i. this avoids peers using the default auth becoming part of the group
ii. standby 1 authentication Blah
d. MD5 Authentication
i. standby 1 authentication md5 key-string 0 Blah (or 7, if you want to copy/paste a pre-encrypted password)
e. Conceding the Election
i. configure a router to reduce its priority as links go down
ii. standby 1 track int fa0/1 10: set the priority decrement value to 10 (so the priority of this router would be reduced by 10)
f. HSRP Gateway Addressing
i. this is the virtual interface IP for the HSRP group
ii. it assigns a MAC address of the form 0000.0c07.acxx (xx is the HSRP group # as a hex number)
iii. standby 1 ip 192.168.1.1
g. Load Balancing with HSRP
i. there is no way to load balance with HSRP
ii. the workaround is to create two HSRP groups, with the active router of one group as standby in the other group and vice versa
iii. you then need to configure the workstations to use the two different gateway addresses of the two different groups
iv. show standby
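The two-group load-balancing workaround above, combined with preemption, MD5 authentication and interface tracking, as an added example that is not from the original notes; the addresses, key string and interface names are assumed.

```cisco
! Router A: active for group 1, standby for group 2
! (same timers and key on both routers; fa0/1 is the assumed upstream link)
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 timers msec 200 msec 750
 standby 1 authentication md5 key-string 0 GatewaySecret1
 standby 1 track FastEthernet0/1 20
 standby 2 ip 192.168.1.254
 standby 2 priority 90
 standby 2 preempt
 standby 2 timers msec 200 msec 750
 standby 2 authentication md5 key-string 0 GatewaySecret1
!
! Router B: the mirror image, active for group 2, standby for group 1
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 90
 standby 1 preempt
 standby 1 timers msec 200 msec 750
 standby 1 authentication md5 key-string 0 GatewaySecret1
 standby 2 ip 192.168.1.254
 standby 2 priority 110
 standby 2 preempt delay minimum 30
 standby 2 timers msec 200 msec 750
 standby 2 authentication md5 key-string 0 GatewaySecret1
 standby 2 track FastEthernet0/1 20
```

Half of the hosts are given 192.168.1.1 as their gateway and the other half 192.168.1.254; if fa0/1 on router A fails, its group 1 priority drops to 90, and router B (priority 90 with preempt, winning the tie on IP address) takes over group 1.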
3. Virtual Router Redundancy Protocol
a. Overview
i. open-standards version of Cisco's HSRP
ii. virtually the same as HSRP
iii. the active router is called the master, and all others are backup
iv. virtual MAC is 0000.5e00.01xx (xx is the group number)
v. hello is a 1 second interval
vi. preempt is the default
b. Configuration
i. vrrp 1 priority 200
ii. vrrp 1 timers advertise msec 100
iii. vrrp 1 timers learn: learn the advertisement interval from the master
iv. no vrrp 1 preempt
v. vrrp 1 preempt delay minimum 10
vi. vrrp 1 authentication Blah
vii. vrrp 1 ip 192.168.1.1 secondary
viii. show vrrp
4. Gateway Load Balancing Protocol
a. Overview
i. similar to HSRP/VRRP, but only one gateway address is needed for clients because the protocol hands out different MACs to different clients based on a load balancing algorithm
b. Active Virtual Gateway
i. the main router (elected by highest priority) that passes out MAC addresses in response to ARP requests from clients
ii. up to four MAC addresses can be assigned to the other routers by the AVG
iii. glbp 1 priority 100
iv. glbp 1 preempt delay minimum 10
v. glbp 1 timers msec 100 msec 200: the default hello is 3 seconds
c. Active Virtual Forwarder
i. assigned by the AVG
ii. MAC address is 0007.b4xx.xxyy: xx.xx is six 0 bits followed by the 10-bit GLBP group number, and yy is the AVF number
iii. if an AVF stops sending hellos, the AVG assigns the MAC address to a new AVF
1. that new AVF may already be acting as a gateway with another MAC, so the AVG begins the redirect and timeout timers to decide when to flush the old MAC
iv. each AVF has a priority that determines whether it is used for a MAC
1. this priority can be reduced if interfaces go down
2. default is 100
3. track 1 int fa0/1 line-protocol (or ip routing): set an interface to track
d. GLBP Load Balancing
i. several load balancing methods:
1. round robin
2. weighted: the GLBP interface's weighting determines the proportion of traffic to send to that AVF
3. host dependent: each client that generates an ARP is stuck with that AVF
ii. glbp 1 load-balancing round-robin (or weighted, host-dependent)
e. Enabling GLBP
i. glbp 1 ip 192.168.1.1
ii. show glbp
1. note that the AVG has a "-" in the forwarder column

Part VII: Securing Switched Networks

Chapter 19: Securing Switch Access

1. Port Security
a. switchport port-security maximum 1: allow only one MAC on the port
b. switchport port-security mac-address sticky: allow only the learned MAC
c. switchport port-security mac-address 059a.4c74.8dd5: restrict the port to that MAC
d. switchport port-security violation shutdown: err-disables the port on a violation
i. restrict: packets from violating MACs are dropped and a log is kept
ii. protect: same, but no log
e. show port-security int fa0/1
f. show interfaces status err-disabled
2. Port-Based Authentication
a. Overview
i. use 802.1X (port-based access control) to authenticate clients
1. both the PC and the switch must be capable of it
2. if the PC is capable but the switch isn't, communication still occurs
3. if the switch has it but the PC doesn't, the PC cannot communicate
b. 802.1X Configuration
i. aaa new-model
ii. radius-server host 192.168.1.20 key Blah
iii. aaa authentication dot1x default group radius
iv. dot1x system-auth-control
v. int fa0/1
vi. dot1x port-control force-authorized
1. force-authorized: always authorize any client
2. force-unauthorized: never authorize any client
3. auto: require authorization (802.1X-capable PC)
vii. dot1x host-mode multi-host: if you have multiple hosts (via a hub) on a single port
3. Using Storm Control
a. int fa0/1
b. storm-control broadcast level 50 40 (maximum and minimum thresholds)
i. also multicast, unicast, and bps or pps
c. storm-control action shutdown (or trap)
d. show storm-control int fa0/1 broadcast
4. Best Practices for Securing Switches
a. use enable secret and service password-encryption
b. use banners
c. disable the web interface with no ip http server if not using the web console
i. use ip http secure-server to use HTTPS
d. physically secure the switch
e. secure vty access
f. use SSH
g. secure SNMP
h. secure unused switch ports with shutdown
i. secure STP with BPDU guard
j. secure CDP and LLDP

Chapter 20: Securing VLANs

1. VLAN Access Lists
a. Overview
i. regular ACLs only affect traffic passing between VLANs
ii. VLAN ACLs are needed if you want to filter traffic inside a VLAN
b. VACL Configuration
i. vlan access-map MyMap 1: name and sequence number
ii. match ip address 25 (# of a regular ACL created separately)
1. or match mac address 26
iii. action drop (or forward (capture), or redirect)
iv. vlan filter MyMap vlan-list 100
2. Private VLANs
a. Overview
i. provides isolation of hosts from one another
ii. hosts can get to the gateway but not to each other
1. useful for organization separation in a server farm or for clients of an ISP
iii. involves two VLANs:
1. primary VLAN: can communicate with the secondary VLAN
2. secondary VLAN: can communicate with the primary but not with other hosts
a. isolated: no host on the same secondary VLAN can communicate with another
b. community: hosts on a secondary VLAN can communicate with each other but not outside the secondary VLAN
iv. involves two types of port:
1. promiscuous: connects to the router; allows all traffic
2. host: resides in the secondary VLAN
b. Private VLAN Configuration
i. Configure the Private VLANs
1. configure the primary VLAN:
2. vlan 10
3. private-vlan primary
4. private-vlan association 20 (or add 20, etc.)
5. configure the secondary VLAN:
6. vlan 20
7. private-vlan isolated (or community)
ii. Associate Ports with Private VLANs
1. switchport mode private-vlan host (or promiscuous)
2. switchport private-vlan host-association 10 20
3. for a promiscuous port:
4. switchport private-vlan mapping 10 20
iii. Associate Secondary VLANs to a Primary VLAN SVI
1. if you have an IP address assigned to the primary VLAN (interface vlan 10):
2. private-vlan mapping 20
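A complete private VLAN layout as an added example, not from the original notes, that goes one step beyond the procedure above by pairing one isolated and one community secondary VLAN with a single primary; VLAN IDs, port ranges and the SVI address are assumed.

```cisco
! VTP must be transparent (or off) for private VLANs on most Catalyst platforms
vtp mode transparent
! Primary VLAN and two secondary VLANs: one isolated, one community
vlan 10
 private-vlan primary
 private-vlan association 20,30
vlan 20
 private-vlan isolated
vlan 30
 private-vlan community
! Isolated host ports: each server sees only the promiscuous gateway port
interface range FastEthernet0/2 - 5
 switchport mode private-vlan host
 switchport private-vlan host-association 10 20
! Community host ports: these servers may talk to each other and to the gateway
interface range FastEthernet0/6 - 9
 switchport mode private-vlan host
 switchport private-vlan host-association 10 30
! Promiscuous port toward the router: must be mapped to every secondary VLAN
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 20,30
! If the switch itself routes for the primary VLAN, the SVI needs the same mapping
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 private-vlan mapping 20,30
```

A host on fa0/2 can reach 192.168.10.1 and Gi0/1 but not fa0/3, while fa0/6 and fa0/7 can reach each other; show vlan private-vlan confirms the associations.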
3. Securing VLAN Trunks
a. Switch Spoofing
i. if a switch port is left at its default trunk mode of auto, an attacker could impersonate DTP and open a trunk port, and if all VLANs are allowed (also the default) then they have access to the network
ii. to avoid this, set end-user ports to access and only allow the VLANs you need over the trunk:
iii. switchport access vlan 10
iv. switchport mode access
b. VLAN Hopping
i. Overview
1. an attacker can spoof 802.1Q tags and get access to another VLAN
2. vulnerable if:
a. attacker connected to an access port
b. switch has an 802.1Q trunk
c. attacker's VLAN is the native VLAN
3. attacker adds a VLAN tag of the target VLAN, and then the VLAN tag of their native VLAN; the switch strips the first one since the native VLAN should be untagged, exposing the target VLAN tag underneath
ii. Protection
1. set the native VLAN to an unused VLAN ID
2. prune the native VLAN off the trunk
a. switchport trunk native vlan 800
b. switchport trunk allowed vlan remove 800
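The switch spoofing and VLAN hopping protections above applied together to an access port, an uplink trunk and the unused ports of one switch, as an added example that is not from the original notes; interface names and VLAN IDs are assumed.

```cisco
! Access port for an end user: fixed VLAN, DTP disabled, BPDU guard as a backstop
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink trunk: explicit trunk, DTP disabled, unused native VLAN, explicit allowed list
! (the allowed list never includes the native VLAN 800, so it is effectively pruned)
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 800
 switchport trunk allowed vlan 10,20,30
!
! Unused ports: parked in an unused VLAN and shut down
interface range FastEthernet0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

show interfaces trunk should list only Gi0/1 with native VLAN 800; show dtp interface fa0/1 confirms DTP is off on the access port.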

Chapter 21: Preventing Spoofing Attacks

1. DHCP Snooping
a. Overview
i. an attacker could add a rogue DHCP server and hand out its own address as the default gateway, thereby intercepting traffic
ii. you can avoid this by configuring certain ports to be trusted for DHCP; if a DHCP server reply comes in on any other port it's assumed to be a rogue
b. Configuration
i. ip dhcp snooping
ii. ip dhcp snooping vlan 100
iii. int fa0/1
iv. ip dhcp snooping trust
v. int range fa0/2 - 24
vi. ip dhcp snooping limit rate 10: limit the DHCP requests to 10 pps
vii. show ip dhcp snooping binding: see all leases
2. IP Source Guard
a. Overview
i. an attacker could spoof source addresses to overwhelm the system
ii. IP source guard uses the DHCP snooping database to be sure only known IP/MAC address mappings are allowed through
b. Protection
i. (configure DHCP snooping first)
ii. int fa0/1
iii. ip verify source (add port-security to also check MAC addresses)
iv. show ip verify source
3. Dynamic ARP Inspection
a. Overview
i. an attacker could respond to ARP broadcasts with its own spoofed MAC, and intercept traffic
ii. DAI works similarly to DHCP snooping
iii. if an ARP reply is received on an untrusted port it is checked against statically configured entries or DHCP snooping entries
b. Configuration
i. ip arp inspection vlan 100
ii. int fa0/1
iii. ip arp inspection trust
iv. show ip arp inspection
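DHCP snooping, IP source guard and DAI layered on one access switch in the order the three sections above require (the snooping binding table feeds the other two), as an added example that is not from the original notes; interface names, VLAN, and the printer's MAC and address are constructed.

```cisco
! Global: DHCP snooping builds the binding table that DAI and IPSG consult
ip dhcp snooping
ip dhcp snooping vlan 100
ip arp inspection vlan 100
ip arp inspection validate src-mac dst-mac ip
! Let ports err-disabled by rate limiting recover on their own
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
!
! Uplink toward the legitimate DHCP server and gateway: trusted for both features
interface GigabitEthernet0/1
 description Uplink to distribution
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports: untrusted, rate-limited, and filtered against the binding table
interface range FastEthernet0/2 - 24
 switchport mode access
 switchport access vlan 100
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ip verify source
!
! A statically addressed printer on fa0/5 never gets a lease, so it needs a manual
! binding or IPSG and DAI would drop its traffic (constructed MAC and address)
ip source binding 0011.2233.4455 vlan 100 192.168.100.50 interface FastEthernet0/5
```

show ip dhcp snooping binding should list the printer as a static entry alongside the dynamic leases; show ip arp inspection statistics vlan 100 shows how many ARP packets DAI dropped.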

Chapter 22: Managing Switch Users

1. Overview
a. security (AAA):
i. authentication: who a user is
ii. authorization: what they are allowed to do
iii. accounting: what they did
b. TACACS+: Cisco proprietary protocol that separates the AAA functions; encrypted, over TCP 49
c. RADIUS: standards-based protocol that combines authentication and authorization; uses UDP 1812 and 1813 (accounting), but is not encrypted
d. when a user wants to connect, the switch asks the AAA server (running TACACS+ or RADIUS) if it's OK
2. Configuring Authentication
a. enable AAA:
i. aaa new-model
b. define the source of authentication:
i. radius-server host 192.168.1.27 key Blah
ii. (or tacacs-server host 192.168.1.28 key BlahBlah)
iii. aaa group server radius RadiusGroup1
iv. server 192.168.1.27
c. define a list of authentication methods to try:
i. aaa authentication login MyList group tacacs+ group radius local
d. apply a method list to a switch line:
i. line vty 0 4
ii. login authentication MyList
3. Configuring Authorization
a. aaa authorization commands (or see below)
i. commands: server must authorize the use of any switch command
ii. config-commands: server must authorize any switch configuration command
iii. configuration: server must authorize the ability to enter config mode
iv. exec: server must authorize the ability to enter EXEC mode
v. network: server must authorize the ability to use network services
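The authentication and authorization steps above combined with accounting and a local fallback account, as an added example that is not from the original notes; the server address, account name and the bracketed placeholders are assumed.

```cisco
! AAA with TACACS+ first and a local account used only when no server answers
aaa new-model
username admin-fallback privilege 15 secret 0 <LOCAL-FALLBACK-PASSWORD>
tacacs-server host 192.168.1.28 key 0 <TACACS-SHARED-KEY>
tacacs-server timeout 5
!
! Authentication: TACACS+ for logins and for enable, local fallback for logins
aaa authentication login MyList group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: the server decides who gets an EXEC shell and which
! privilege-15 commands (including configuration commands) are allowed
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Accounting: record each session and each privileged command ("what they did")
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Bind the login list to the remote-access lines and allow SSH only
line vty 0 4
 login authentication MyList
 transport input ssh
```

Keep a console session open while applying this and test a new SSH login before saving, since a wrong shared key or unreachable server otherwise locks out everyone except the local fallback account.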
