Switch

advertisement
Switch Study Note 642-803
HUB----------------------- Layer 2 Switch------------------------ Layer 3 Switch
Hub:
Brodacast Domain
Collision Domain
1
1
Layer 2 Switch:
Broadcast Domain
Collision Domain
1
Multi
Layer 3 Switch
Broadcast Domain
Collision Domain
Multi
Multi
This is a typical small business model.
This is a typical Cisco small business model.
Issue with Plug and Play Switches
1. Chances for Failure.
2. Broadcast Traffic
3. Multicasting issue.
4. Security issue
5. Mac Flooding. Switches lose MAC address if the PC is not sending any data (Sleep
Mode). And the switch will delete the MAC address from the table.
Cisco Network Model.
In the enterprise Model Cisco would like the setup in Blocks.
VLAN
Vlans divide the flat network into multi broadcast domains. No broadcast can come from
another VLAN. They help
 simplify network management
 troubleshooting
 gives better performance don’t slow the network by dividing the large network
into smaller broadcast domains.
 Scalibility
 Can help in summarization the network. When used with Routing.
Designing the Network.
When doing designing your network, keep these in mind.




Restrict VLANs to switch blocks. (don’t use the same VLAN number in different
Blocks).
Implement Management VLANs. To isolate the management for security reason.
Separate Voice traffic from Data traffic.
Implement MultiCast support. Switches treat MC like Broadcast.
Cisco Operating System flavors.
CatOS.

Was aquired by cisco whrn they bought the switches technology.

Uses SET base syntax command.

Combined with IOS for Layer 3 function.

No config terminal based command.

Large Switches still use CatOS.
Cisco IOS (Native OS)
Same OS that is used on Routers.
VLANs (Virtual LANs)
VLANs Foundations.





Logically Divide Groups of users/PC/Servers, etc into segments.
Segments Broadcast Domains.
Subnet Correlation.
Access Control
Quality of Service.
-Switch to switch ports connection is called Trunk ports.
Local Vlan
Are confined to one block. (Server Blocks, Users Blocks).
It is Cisco recommended Model.
Ideally they don’t extend beyond the Distribution Layer.
They are routed to other Vlans.
And should be created around physical boundaries.
Configuring basic VLAN. (LAB)
Show vlans.
Give you all the vlans that are configured.
There are 2 ways to configure VLANs
--The original way. Being fazed out.
Switch# vlan database
Switch(vlan)# vlan 10 name users
Switch(vlan)# vlan 20 name management
Switch(vlan)# vlan 30 name sales
Switch(vlan)# exit
(Note: when done make sure you type exit not Control-Z or you will lose everything.)
--The new and recommended way is.
Switch#config t
Switch(config)# vlan 10
Switch(config-vlan)# name management.
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name sales
Switch(config)# vlan 20
Now we assign ports to the vlans.
Switch(config)# Interface range f0/1 – 10
Switch(config-if-range)# Switchport
this put the port in switch mode (layer 2)
Switch(config-if-range)# Switchport mode access This hardcode the port in access
mode not in trunk (if left in autoNegotiate).
Switch(config-if-range)# Switchport mode access vlan 10
Switch(config)# Interface range f0/11 – 24
Switch(config-if-range)# Switchport
Switch(config-if-range)# Switchport mode access
Switch(config-if-range)# Switchport access vlan 20
VLAN info/data is stored in VLAN.DAT file NOT in the running-config.
They are stored on the flash memory.
Note: Delete this file if you need or want to erase the switch configuration along with the
startup-config.
VLAN TRUNK

ISL and 802.1Q

Native VLAN

Native VLAN Mismatch.
Trunking port are used to carry and tag vlans between switches and vlans.
Tags are removed by switches and the data is sent to the end device (PC,Server, etc)
Trunking works in layer 2.
ISL

Cisco propriety trunking protocol. works only on Cisco devices.

Encapsulate the whole frame.

Being fased out. Most new swiches may not include it.
26 byte header
| Ethernet Frame
|
|
Junk | VLAN | Junk |
802.1Q

Open Standard
| 4 byte CRC
 Insert Tags into frame rather than encapsulating.
Dest MAC | Source MAC | 4byte Tag | Ethernet Frame
|
|
3 Bit Pri | VLAN
| FCS
Native VLANs
It used in 802.1Q, may get error native vlan mismatch.
When a untagged package from a device connect through trunk port (hub). It tags them
with the a native vlan tag.
If a trunk port receive untagged packet on its port, it assign it to the native VLAN.
Example when connecting VOIP phone and PC together.
VOIP is assigned a VLAN number and since the PC can’t assign a VLAN, the switch
assigns it to the native vlan. The phone is acting as a hub.
DTP is a dynamic trunking protocol. Switches use to auto negotiate trunking between
them. Not recommended because of possible security issue.
Switch ports can have 5 different modes.
1. Access : used when connecting PC/servers to the switch. When connecting a
switch to it, it will not act as a trunk. Will only allow 1 VLAN.
2. Trunk : this will send DTP packet and will always stay as trunk. If the other side
is trunk D. Auto, D. Desirable it will make them trunk ports.
3. Dynamic Auto if both switch port are set to this they will not become trunk ports
rather they would be access ports. If one side is set to Dynamic Desirable then the
Auto port become a trunk port.
4. Dynamic Desirable : default port. When ever you plug anything to it it will
negotiate with the other device. If it is a switch it become a trunk, if you plug PC
it will become access port.
5. Non-Negotiate used with trunk mode and the port will not send any DTP
packets. Good for security, sniffer can’t see the packet going through the port.
Switch# show Interface f0/2 switchport
Will give the administrative mode (set by the admin) the port is in.
and operational Mode (what mode it is negotiating with the other side)
administrative mode: dynamic desirable
operational Mode: trunk
Switch# Switchport trunk encapsulation dot1q
Switch# Switchport mode trunk
Switch# Switchport nonnegotiate (used with trunk command) ( no DTP will be sent)
Note: On new IOS switches there is no ISL encapsulation command.
Switch# Switchport trunk native 10
Will assign this port native vlan 10, anything that comes in on this port without a tag it
will assign to the native vlan (10).
Pruning manually
Switch# Switchport trunk allowed vlan ?
Switch# Switchport trunk allowed vlan 10,20,30
? (will have multi choices to pick, add,all, except, none, remove word)
Show Command to use.
Switch# show run int f 0/2
Switch# show int f 0/2 switchport
Switch# show int f 0/2 trunk
Note: do nongeotiate command before trunk command this way you won’t lose the nonnegotiate option if you ever reboot the switch.
VTP
VLAN Trunking Protocol
VTP: is the VLAN trunking protocol, used to ease VLAN administration/ replication.
When connecting multiple switch and configure VLAN on one switch, it is copied to all
other switches.
Whenever new VLAN is created it is pushed to all other switches, the switch checks its
database revision and if this is newer it replace its database.
VTP MODES
1. SERVER:



Can change VLAN information
Send and receive VTP updates
Saves VLAN Configuration
2. CLIENT



Can’t change VLAN Information
Send and receive VTP Updates
Does not Save VLAN Config
3. TARANSPARENT




Can change VLAN information
Forward VTP updates, V2
Doesn’t listen to VTP advertisement
Saves VLAN configuration
VTP Pruning
VTP pruning is automatic way to remove unnecessary broadcast traffic from going
through trunk link.
Works only on VTP Server
If you have VLAN 20,30,40 on few switches and you have VLAN 20.30 on a particular
switch so there is no need to pass VLAN 40 to it, VTP can stop that VLAN broadcast
traffic from crossing the trunk link to it, but it does not remove the actual VLANs. You
will see the VLANs in that switch.
VTP Configuration
1. Verify the current VTP status
2. Configure VTP domain / password
3. Configure VTP mode
4. Set VTP Version number
5. Verify
Switch_A# show vtp status
Notice the
VTP version that it is in. must be turned on
Configuration revision. Should be 0 to start with. Has no VLAN passed to it and no vlan
configured.
VTP Operating mode : Server. Is the default for switches.
VTP Domain Name: Blank, by default this is the most Susceptible state for the switch.
You must change this ASAP.
Common VLAN issues
1. Native VLAN mismatch.
2. Trunk Negotiation issues

Auto-to-Auto does not become Trunk

Avoid DTP (trunk negotiating) when possible
3. VTP issues not updating/applying




Verify VTP domain / password. (name is case sensitive).
Verify VTP version (Ver 1, 2)
Verfy Trunk Links.
Delete flash:VLAN.DAT file and reboot.
STP
Spanning Tree Protocol
Spanning Tree checks for redundant ports and block them except for one port.
Only the active link will send traffic.
STP is used to eliminate broadcast storms.
TTL is layer 3.
STP facts.

Origianl STP 802.1D was created to prevent loop.

Switches send probes into the network to discover loops called Bridger Protocol
Data Units (BPDU) (boomerang). It is MultiCast packet

BPDU helps elect the core switch (Root Bridge). The oldest switch is elected as
RB ( lower Mac Address)

STP view is switches find the best way to reach the Root Bridge then Block all
other redundant links.
Bridge ID = priority( 2 bytes) + MAC address(6 bytes).
BPDU is sent every 2 Seconds.
BPDU is sent around the network with the root bridge ID, which at the beginning it
believe it is the Root Bridge, after an election is decided by the switches, every switch
send BPDU with the elected Root Bridge ID.
Lower Bridge ID wins the Root Bridge election. If all switches have the same Priority
value then the lower MAC address wins the election.
Priority is a value between 0 – 61440. the default is 32768. and increment by 4096. lower
value is better.
Prority is a vlue between 0 and 65535 the default is 32768, and you can only increment
by 4096.
Two type of BPDU exits.
Configuration BPDU. Used for Spanning tree computation.
BPDU (TCN) Topology Change Notification. Used to announce changes in the topology.
BPDU and RB Election.
Root Bridge has all its ports in Forwarding.

Root Port: used to reach the Root Bridge. It is decided by the lowest link cost to
the Root Bridge.

Designated Port: is a Forwarding port, one per link decided by the switch with
the lower Mac Address.

Blocking / Non-designated Port: STP block that port (where the STP Fell). The
other side of the designated port
How STP Finds the Best path.
1- Elect Root Bridge the lowest Bridge ID wins
2-Switch finds the lowest cost path to root. And makes that port the root port.
3- Use the lower bridge ID on equal cost path. (Bridge ID = 32768 + Mac Address)
4- Use lower port to break a tie (when multi link exist between the switches).
Link Bandwidth
STP Cost
4 MBPS
10
16
45
100
155
622
1GB
10GB
250
100
62
39
19
14
6
4
2
STP Port States
Disabled:
does not send or receive data
Blocking:
Receive BPDU. Does not send or receive data or Learn MAC address.
Listening:
Receive and Send BPDU. Does not send or receive data or Learn MAC.
Learning:
Receive and Send BPDU and MAC. Does not send or receive data.
Forwarding:
Receive and Send BPDU and MAC and data. (operational Mode).
CST vs PVST vs PVST+
Common spanning Tree (CST).
Is IEEE 802.1Q standard. It specify one Spanning Tree for all the VLANs. All CST
BPDU are transmitted on the trunk using the Native VLAN with untagged frames.
Per-VLAN Spanning tree (PVST)
Is Cisco Proprietary requires ISL Trunk encapsulation
Uses one Spanning Tree per VLAN with one Root Bridge elected per VLAN.
Helps Load Balance more effectively.
All new Cisco switches uses it.
It adds the VLAN number to the Priority value. 32768 + VLAN #.
Bridge ID = Priority + VLAN + MAC address
Example for VLAN 10. (Priority = 32768 + 10 = 32778).
By lowering Priority on one switch for one VLAN we make that switch the RB and lower
another prority on another switch for another VLAN and makes that switch the RB for
the other vlan.
Per-VLAN Spanning tree Plus (PVST+)
Another Cisco Proprietary
Allows switches to interoperate with both CST and PVST. Between 802.1Q and ISL
Spanning Tree Commands
Switch(config)# spanning-tree vlan X root primary
Switch(config)# spanning-tree vlan X root secondary
OR use this command.
Switch(config)# spanning-tree vlan X root <number>
Switch# show spanning-tree
RAPID SPANNING TREE
Rapid STP:

802.1W

Proactive System

Redefined Port Roles

Many STP Similarities.
Port Fast: applied to ports with devices connected to such servers/PC. Can’t be on a trunk
port.
Rapid STP port states

Discarding

Learning

Forwarding
Rapid STP port Roles.

Root Port

Designated Port

Alternate Port

Edge Port ( port Fast)
Rapid STP is better because:

It doesn’t forgot ports

Many timers of STP are elminated.

Any changes to the trunk ports flood through the network to other switches
(Topolgy Change Packet).
Configuring RSTP
Switch(config)# spanning-tree mode rapid-pvst
To group vlan under a single ST instance.
Switch(config)# spanning-tree mode mst
TherChannel
Aggregating redundant links
Ether Channel. Is using multi link and turning them into one link. Up to 8 ports/links and
using them as a trunk link. Load balance across them and automatic failover.
2 Negotiation Protocols.
1- PAGP port Aggregation Protocol
Cisco propriotery.
Ports modes.

Auto: wait for the other side and see if they are set as desirable to on to become
ether channel. If both side are set to Auto then both links will not become ether
channel.

Desirable: will be an aggregate link if link is detected, if other side is auto then
both will become ether channel

On: both side need to be on to become ether channel.
2- LACP link Aggregation Control Protocol.
Standard industry (802.3AD).
Ports modes.

Passive: same as Auto

Active: Same as Desirable

On: same as on.
Configuring EtherChannel
1- configuring EtherChannel at Layer 2
Switch(config)#int range f0/23 -24
Switch(config-if-range)#channel-protocol pagp
Switch(config-if-range)#channel-group 10 mode desirable
Switch(config-if-range)#do sh ip int br
Port-channel 1
unassigned
YES unset down
Switch#sh etherchannel
Switch#sh etherchannel port-channel
down
2- configuring EtherChannel at Layer 3
Same as Layer 2 plus this:
Switch(config)#int port-channel 1
Switch(config-if)#no switchport
Switch(config-if)# ip add 10.1.1.2 255.255.255.0
Load Balancing Cmd
Switch(config-if)# port-channel load-balance <Method>
Key notes:

All ports must use same speed/duplex

Interfaces in a bundle are redundant (1 port goes down doesn’t affect the channel).

No interface in bundle can be span ports

Interface in bundle must be in same vlan / trunk

Any changes to port-channel affect all bundle ports

Any changes to individual ports affect only that port not the channel.
Inter-VLAN Routing
Router on a Stick
Advantages


Easy to setup
Lower Cost
Disadvantages



Congestion on the link
Single point of Failure
Delay of Routing
Configuration

On the Switch Setup and configure the Trunk link

On the Router setup and configure the Sub_Interface.
The Switch configuration:
Switch# interface f0/24
Switch# Switchport trunk encapsulation dot1q
Switch# Switchport mode trunk
Switch# no shut
Also setup the vlans and assign the ports to the VLANs
Note: don’t forget to setup and match the Duplex and the speed on all the ports (switch,
router and PCs). And make sure all interface are up/up before you ping.
The Router configuration:
Router# Interface f0/0
Router# no shut
Router# interface f0/0.10
Router# encapsulation dot1q 10
Router# ip address 192.168.10.1 255.255.255.0
Router# interface f0/0.20
Router# encapsulation dot1q 20
Router# ip address 192.168.20.1 255.255.255.0
Do ping and trace route to test.
Multi_Layer Switching
Advantages

Routing at wire speed


Backplane bandwitdth
Redundancy enabled
Disadvantages

Cost
Configuration:
Setup/create SVI --SVI 10 192.168.10.1
SVI 10 192.168.20.1
Enable Ip Routing on the switch
(Optional)
Create Routed Ports
Enable Routing Protocols
Switch(Config)# Interface vlan 10
Switch(Config)# IP address 192.168.10.1 255.255.255.0
Switch(Config)# Interface vlan 20
Switch(Config)# IP address 192.168.20.1 255.255.255.0
Switch(Config)# IP Routing
(Optional) if you need to connect the switch to a router then you can enable routing and
routing protocol.
Switch(Config)# Router EIGRP 1
Switch(Config)# Network 192.168.10.0
Switch(Config)# Network 192.168.20.0
LAYER 3 vs MultiLayer Switching
(CEF) Multilayer Switching
Layer 3 switch is a switch with a router built-in it.
Multi layer switch is a switch that is capable to cache route information
Every layer 3 switch is Multi Layer switch
Not Every multi layer switch is a layer 3 switch
Layer 3 Routing vs Layer 3 Switching

Routers and Layer 3 switch both have IOS software routing.

Software Routing is slow compared to ASIC (wire Speed).

Layer 3 switches can play a little software / hardware trick.
FIB has all the next routing that are passed to it from the Layer 3 routing engine. It also
contain the next hop address for each route entry.
Adjacent table is a list of MAC address.
Packet are moved at wire speed.
To enable CEF on a switch just implement the cmd
Switch(config)# ip cef
Switch# show ip cef summary
Switch# show ip cef vlan 100
Switch# show ip arp 192.168.1.102
Switch# show ip cef 192.168.1.102
CEF support traffic statistic. To check usage on a switch.
CEF takes Layer 3 routing and apply it to layer 3 switching.
Redundancy
Layer 3 High availability
HSRP, VRRP, GLBP
HSRP: Hot standby router protocol.

Cisco proprietary

send messages to mulicast 224.0.0.2 (all routers).

Use a default timer of 3 seconds with the hold timer (gateway) of 10 seconds.

Timers are tunable and you need to add 1 second more for delay.

Gateways are organized into standby groups.

One gateway is active and the other is in standby state.

Virtual router IP (VIP) and MAC(virtual MAC) are created.

Virtual MAC is made up of Csico Vendor ID (6bits), HSRP ID (4 bits) and group
ID (2bits). Virtual MAC 0000.0C 07.AC XX
VRRP: Virtual Router Redundancy Protocol.

Created by IETF

Works on other vendor equipments.

Faster timer by default than HSPR. 1 second hello timer and 3 seconds Hold
timer.
GLBP: Gateway Load Balancing Protocol.

Cisco Proprietary

Same as HSRP, but allows an active-active connection that adds load balancing.
Configuring HSRP
1. created standby group
2. reassign IP address
3. Verify
4. optimize and tune :




Priority. Choose which switch is the primary switch for traffic
Preempt. Over throw the router with a lower priority.
Tracking. If wan link drop, then the switch would lower its priority by a
certain number
Timers.
Campus Security
Common layer 2 attacks. DSNIFF utility: (network Auditing utility) - MACOF . fill
the CAM table with MAC address then the switch turns into a hub. The user then sniff for
all the data that are going through the switch.
Note:
Create a list of best security practices.
Port Security on switches:
-Prevent Many layer 2 attacks
-Can use secure MAC address



Dynamic
Static
Sticky
-Limit the number of MAC addresses per port.
Limit # of MAC address:
Switch(config-if)# switchport mode access
This way no trunk can be used.
Switch(config-if)# switchport port-security maximum 1
Allow only 1 MAC address per port , no hub can be installed on this port.
Switch#show port security int f0/2
Switch(config-if)# switchport port-security violation (shutdown,protect,restrict)
Shutdown: is the default
Protect: will not tell you if the port was violated.
Restrict: will add count to security Violation Count.
Switch# show interface status
Shows more detail about the port’s status.
To get the port back up, shut the port then no shut cmd.
Switch#show errdisable recovery
Switch(config)# errdisable recovery cause
300 sec default
Switch(config)# errdisable interval 100
Secure MAC address
Switch(config-if)# switchport port-security mac-address <sticky, MAC_Address>
Hard code the MAC Add or use sticky to learn it the 1st time devices connect.
Switch(config-if)# switchport port-security mac-add sticky
NOTE: If you type the MAC add then you should limit the maximum address to 1
otherwise it will ignore it.
Switch#showmac-add int f0/2
Gives you detail about the port MAC,VLAN, type (Dynamic).
Identity-Based Network Services. (IBNS)
802.1X allows the switch to participate in authentication.
When a client needs to use the network port, it asks the switch to authenticate and the
switch asks the Radius/Tacac+ whether to allow or deny.
EAP allow to use or switch to new authentication technology. EAP is a shell that contain
TLS, PEAP, LEAP etc.
Switch(config)# AAA new-model
Switch(config)# AAA authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Turn 802.1x on the switch.
Switch(config)# inter f0/2
Switch(config-if)# dot1x port-control
How to setup 802.1X
http://www.cs.umd.edu/~mvanopst/8021x/howto/
Campus Security VLAN and Spoofing Attacks

Prevent VLAN hopping attacks

Private VLANs

Mitigating spoofing with snooping and IP source guard.
Prevent VLAN hopping attacks
Hackers negotiate a trunk connection with a switch, moves between VLANs
Simple yet easily forgotten prevention
Switch(config-if)# swtichport mode <access,dot1q-tunnel,dynamic,trunk>
Private VLANs
Are VLANs within VLANs (sub_VLANs).
You can have 3 differnet types of ports.

Promiscuous. Setup on the router default gateway

Isolated. FTP server. (One isolated VLAN per Primary) 320

Community. WWW server and the DB server. They need to exchange info
between each other. 310
Switch(config)# VTP mode transparent
Switch(config)# vlan 300
Switch(config-vlan)#private-vlan primary
Switch(config)# vlan 310
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 320
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 300
Switch(config-vlan)# private-vlan association 310, 320
Switch(config)#inter f0/20
Switch(config-if)# swtichport mode private-vlan host
Switch(config-if)# swtichport private-vlan host-association 300 320
Do the same to the other ports.
For promiscuous port do this
Switch(config-if)# swtichport mode private-vlan promiscuous
Switch(config-if)# swtichport private-vlan mapping 300 310,320
Man in the middle attacks
Cisco use DHCP snooping to stop this.
Switch(config)# ip dhcp snooping
If someone tries to connect some switch/router/dhcp server to give ip address it will stop
it.
Switch(config-if)# ip dhcp snooping trust.
Will ties the IP address to the MAC add of the device on this port.
IP source guard.
Create access list for the port that requested IP from a DHCP server.
Switch(config-if)# ip verify source vlan dhcp-snooping port-security.
Campus Security STP
Switch(config-if) spanning-tree bpduguard enable.
Put the port in error-disable state.
Don’t enable on the ports that are connected to other switches.
Switch(config-if) spanning-tree guard root
If a switch connect to this port it will flag it with a message of inconsistent
Best practices to swcure switches.

Disable CDP whenever possible

Lock down STP

Disable trunk negotiation on access ports

Physical security

Place unused ports in a black hole VLAN (999)

Use SSH when possible
Switch(config)# no cdp run
Switch(config-if)#no cdp enable
disable it per port
Switch(config-if)# switchport host.
Switch(config-if)# switch mode access
Switch(config)# line vty 04
Switch(config-line)#transport ssh
Campus Security VACL
VLAN Access List.

Allow you to filter all traffic on a VLAN: VLAN 10 has access only to
192.168.10.0, VLAN 30 has access to 192.168.30.0 subnet

Supported on MLS only

Typically found in large enviorment.

VACL works like route-map.
Switch(config)# access list 1 permit 192.168.10.0 0.0.0.255
Switch(config)# access list 2 permit 192.168.30.0 0.0.0.255
Switch(config)# vlan access-map TEST 10
Switch(config-access-map)# match ip address 1
Switch(config-access-map)# action forward
Switch(config)# vlan access-map TEST 20
Switch(config-access-map)# action drop
Switch(config)# mac access extended server
Switch(config)# permit any host 1111.1111.1111
PACL (port ACL)
ACL applied to a inbound of a ports.
Switch(config-if)#ip access-group 1 in
VOICE OVER IP
Benefit of VOIP.

Move, adds, and change (MAC). Are cheaper to implement. Less technicians.

Bandwidth and equipment efficiency. . Ex: One set of cabling

Lower cost of voice transmission. Same wan connection for data and voice.

New applications and devices. PBS need special equipment and propority
equipment, while VOIP doesn’t.
Each phone line uses 64kbps of bandwidth, voip can compress to 8 kbps. Without any
noticeable loss/degrading.
Phases of migration from PBX to IP phone.
Phase one:
Keep the PBX system and digital phones.
Calls routed over WAN rather than PSTN. Benfit free long distance, major requirement
QOS.
Phase two:
Voice and data network have become one
PBX and Digital phone decommed
True integration between voice and data
Typical new structure starts.
Campus issue with deploying VOIP.

Inline power

Dual VLANs. Daisy chain phone and PC.

QOS.
Dual VLAN.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 200
Switch(config-if)# switchport voice vlan 100
QOS:
2 QOS marking: used so that we don’t need deep packet inspection
-
Class of service (COS) layer 2.
8 bits, 8 level of marking.
Type of service (TOS) Layer 3
3 to 6 bits many levels of marking,
TOS (ip precedence). Bit 6 DSCP.
Switch(config-if)# mls qos trust cos
Trust COS on this port.
Switch(config-if)# mls qos trust device cisco-phone
To make sure no hacker use the port as a phone. The switch will check to make sure that
a Cisco phone is plugged.
Switch(config-if)# auto qos voip cisco-phone
It will deploy all kind of QOS automatically.
WIRELESS
Type of Wireless Network
Personal area network (PAN). Blue Tooth
Local Area Network (LAN). Linksys routers/switches.
Metro Area Network (MAN). City Wide wireless network
Wide Area Network (WAN). City to City wireless network.
Wireless LAN facts.

Wireless access point (WAP) acts like a hub.
o Shares Signal
o Half Duplex. Only one user can send and receive data.

Uses unlicensed band of radio frequency

Wireless is a physical and data link standard

Uses CSMA/CA instead CSMA/CD

Faces connectivity issue because of interferences.
Layer 2 Roaming.
2 or more wireless AP with the same VLAN/subnet and SSID.
Monitoring
Syslog:
Switch(config)#line console 0
Switch(config-line)# logging synchronus.
Helps remove the annoying logging when you exit and puts you at CMD prompt.
Switch(config)#logging buffer
Adjust the logging buffer size. Logging is store in memory.
Syslog uses port UDP port 541
KIWI syslog server
Is a log server.
Switch(config)#logging 192.168.1.12
Switch(config)#logging trap <level 0-7>
SNMP
It collects statistics from devices.
monitoring application (ORION,PRTG) maniplulate and massage data
SNMP has 3 versions. Version 3 offer authentication/encryption.
RO default community string is public
RW default string is Private.
Highly recommended is to change them.
Switch(config)# access-list 10 permit 192.168.1.102 0.0.0.0
Switch(config)#snmp-server community <name> ro 10
IP SLA

A way to detect link failure using real time data

A way of testing service level on a line

A way to add valuable data to network monitoring

SLA endpoint can be either a device or IP SLA responder.
4.2.2.2 Is a public DNS server.
Switch(config)# ip sla 100
Switch(config-ip-sla)# icmp-echo <isp-gateway><or any IP>
Switch(config-ip-sla)# frequency 5
Now we schedule it.
Switch(config)# ip sla scheduale 100 start-time now life forever.
Switch# show ip sla statistic.
Switch(config)# track 1 rtr 100 reachability. (RTR is old version of SLA)
Switch(config)# ip route 172.25.25.25 0.0.0.0 track 100
The second link
Switch(config)# ip route 190.125.25.25 0.0.0.0 50 (this a back route)
SLA endpoint can be either a device or IP SLA responder.
Use a reliable router as a SLA responder to give better results.
Download