switch_notes-radical

advertisement
Campus Network Design
Access: Where end users are connected. Provides L2 connectivity between users. Low cost per switch, high port density, scalable
uplinks to higher layers, high availability (redundant power and supervisors, FHRP protocols), ability to converge network services
(phones, PCs, APs), security features (ARP Inspection, DHCP Snooping, BPDU Guard), and QoS.
Distribution: Interconnection between the network’s Access and Core layers. Aggregation of multiple Access layer switches. High L3
routing throughput. Segmentation and isolation of workgroups using a combo of L2 and L3 switching. Security and policy-based
connectivity functions, QoS, and scalable. Routing policies such as route selection, filtering, and summarization. Can be default
gateway for Access devices. High availability through redundant Distribution switches providing dual paths to Access and Core.
Core: Sometimes called the backbone. Provides connectivity between all Distribution layer devices. Must be capable of switching
traffic as efficiently as possible. Very high L3 routing throughput, no costly packet manipulations (ACLs, packet filtering), resilience
through redundant devices, components, and paths. Advanced QoS. Scalability through routing protocols and Gigabit+
connectivity. Core should consist of two multilayer switches that connect two or more switch blocks in a redundant fashion.
Sometimes called a dual Core, because it is usually built from two identical switches. Multinode Core = expanded Core.
Collapsed Core: When the Distribution and Core layers are combined into a single layer of switches.
Switch Block: Group of Access layer switches, together with their Distribution switches.
If all links between Distribution and Access switches are L2, loops are possible, and the entire topology is a single failure domain. A
better design prevents L2 loops by utilizing a unique VLAN per Access switch, and making links between Distribution switches L3.
Also allows for load balancing.
Switch Port Configuration
To detect speed/duplex mismatches, use sh interface. Will show the port’s settings, number of runts, input errors, queue, and drops.
By default, switches detect an error condition on every port for every cause. If an error is detected, the port is made “err-disabled.”
config)# (no) errdisable detect cause [ all | cause-name ] !!! to disable or define causes. all by default.
sh interface (fx/x) status (err-disabled) !!! to see which are disabled, regular sh int won’t show.
By default, “err-disabled” ports must be re-enabled manually. To setup auto recovery (globally):
config)# errdisable recovery cause [ all | cause-name ] !!! psecure = port security.
config)# errdisable recovery interval [ seconds ] !!! default of 300 secs.
sh errdisable recovery !!! to see which errors have recovery enabled.
CDP: L2 protocol. Rapid error tracking, HW platform, interfaces, encapsulation, MTU, 01-00-0c-cc-cc-cc multicast in clear text.
Version 2 is default (cdp advertise-v2), adds native vlan, port duplex, and VTP domain. 1 min interval, 3 min hold-down defs.
sh cdp | sh cdp neighbors (fx/x) (detail) | sh cdp entry (id*) | (no) cdp run {global} | (no) cdp enable
{interface} | cdp timer [#] | cdp holdtime [#]
LLDP: Standard alternative to CDP, extensible with type-length-values (TLVs). Cannot send both LLDP-MED and basic LLDP TLVs at
the same time! Does not provide VTP info!
sh lldp | sh lldp neighbors (fx/x) (detail) | (no) lldp run | (no) lldp (receive | transmit)
LLDP Media Endpoint Discovery (MED): Extension of LLDP, sent between network and endpoint devices (switches and phones).
Auto-discovers LAN policies: VLAN, Diffserv settings, PnP networking, device location, E911, L2 priority, Plug N Play, PoE, etc.
POE: DC power is supplied over Ethernet cables. Switch keeps power disabled when port is down, but continually tries to detect
whether a powered device is connected to a port. If so, the switch begins providing power so the device can initialize. The switch
begins by supplying a small voltage across the tx/rx pairs. If resistance is measured, it knows power is being drawn. The switch can
apply predetermined voltages to test for the power class of device, to use the appropriate maximum power. Switch begins with
15.4W, once the device is started, it can use CDP or LLDP to request more power. On by default. To configure:
config-if)# power inline (auto | static) (max [mw]) (consumption [mw]) !!! (static) for high priority,
(consumption) for initial power send to non cdp devices.
config-if)# power inline never !!! to disable.
sh power inline (fx/x) (detail)
Cisco InLine Power (ILP) = 7W | 802.3af (PoE) = 15.4W | 802.3at (PoE+) = 25.5W | Cisco Universal PoE (UPoE) = 60W.
Switch Operation
As a frame is received on a switch port, the switch inspects the source MAC; if it is not known, the source MAC, port, VLAN, and a
timestamp are recorded in the forwarding table (Content Addressable Memory, CAM). Incoming frames also include the
destination MAC; the switch looks this address up in the CAM to find the port/VLAN to send the frame out. If the address is not in
the table, the frame is flooded out all switch ports assigned to the source VLAN (Unknown unicast flooding). CAM commands:
config)# mac address-table static [mac] vlan [vlan #] interface [fx/x] !!! static entry.
1
config)# mac address-table notification [ mac-move | threshold | change ] !!! notifications.
sh mac address-table dynamic ( address [mac] | interface [fx/x] | vlan [vlan #] ) !!! to view the cam table.
sh mac address-table count !!! to see the cam size.
clear mac address-table dynamic [ address (mac) | interface (fx/x) | vlan (vlan #) ] !!! clear a cam entry.
The CAM table stores entries by default for 300 seconds (5 mins), after which, they are purged. Every time a frame is received, the
timestamp is renewed. To change the timer for purging stale entries:
config)# mac address-table aging-time [seconds] !!! 0 disables.
Multilayer Switching (MLS) has two types/generations:
Route Caching: First gen, requires a route processor (RP, hardware), and a switching engine (SE, software). The RP processes a
traffic flow’s first packet to determine a destination. The SE listens to that first packet and sets up a “shortcut path” in the cache
so that subsequent packets of the same flow can be switched directly to the destination port without passing through the RP.
Called NetFlow LAN switching, demand-based switching, fast switching, or route once, switch many. Slower.
Topology Based: Second gen, utilizes specialized hardware with distinct RP and SE functions. Uses L3 routing info to build and
prepopulate a single database of the entire known network topology, known as the FIB. The FIB is used for efficient table lookup
in hardware by the SE. Known as Cisco Express Forwarding (CEF).
Ternary CAM (TCAM): Contains ACLs in a compiled form so that a decision can be made on whether to forward a frame, in a single
table lookup. Acts as an L3 version of the CAM, uses ASICs combined with the CAM memory to route, do ACLs, and QoS via
hardware. ACLs can be used to identify frames according to their MACs, IPs, protocols, and L4 port numbers. Most switches have
multiple TCAMs so both in/outbound security and QoS ACLs can be evaluated simultaneously.
After TCAM, CAM, and FIB lookups to determine egress, some portions of the frame must be modified/rewritten such as the
destination and source MACs. L3 packets additionally have their TTL value decremented and checksum calculated.
Feature Manager (FM): After an ACL has been created, the FM compiles/merges the entries into the TCAM. If an ACL has a
gt/lt/range operator for port numbers, the FM compiles the entry to include the operator in a Logical Operation Unit (LOU).
The TCAM is organized by masks. Entries are composed of Value, Mask, and Result (VMR) combinations:
Value: 134-bit quantities of source/dest addresses and other protocol info, components depend on ACL type.
Masks: 134-bit quantities that select the bits of interest. A mask bit is set to mark a value bit to be exactly matched or is not set to
mark a value bit that doesn’t matter.
Results: Numeric values representing what action to take after the TCAM lookup occurs. Multiple results/actions: Permit/deny,
QoS policer value, pointer to a next-hop etc.
The TCAM is self-sufficient, to display utilization and max values:
sh platform tcam utilization
SDM-Templates: Most non high-end switches have fixed architecture where the CAM, FIB, and other tables share resources. You can
select a preferred type of switching to alter the sizes of the tables, depending on the desired functions, including dual stack IPv4/6.
L2 switching should have a large CAM while L3 routing should have a large FIB. To see and change the current setting:
sh sdm prefer (?) (option) !!! (?) will list the options, add in (option) to see values. blank for running.
config)# sdm prefer [template] !!! requires reboot.
access: maximizes system resources to accommodate a large number of acls.
default: default template, gives balance to all functions.
routing: maximizes system resources for ipv4 unicast routing, typically required for a router or
aggregator in the center of a network.
vlan: disables routing and supports the maximum number of unicast mac addresses. typically selected for
a layer 2 access switch.
dual-ipv4-and-ipv6: dual stack, doesn’t support ipv6 multicast.
L3 Switching
Switch Virtual Interface (SVI): Logical interface that represents one VLAN, used for inter-VLAN routing. The assigned L3 address
becomes the default gateway for the VLAN. The VLAN must be defined and active (no shut), and at least one L2 port assigned to
the VLAN must be active and STP converged before the SVI can be used. Not considered a routed port, but supports both routing
and switching protocols. A sh interface will display the hardware type as “EtherSVI.” VLANs and interface VLANs are separate!
config)# int vlan [#] !!! doesn’t need to match an existing vlan, and won’t create a new vlan.
config-if)# ip add [ip] [mask]
config-if)# no shut
config)# ip routing !!! to enable inter-vlan routing on the switch.
2
SVI Autostate: Automatically keeps the SVI down until the VLAN is ready so no other switching or routing can attempt to use the SVI
prematurely. To disable:
config-if)# switchport autostate exclude !!! per physical interface.
Routed Port: A physical L3 port on a switch that acts like a port on a router. Supports all routing protocols and can have an IP
address assigned. Does not support VLAN subinterfaces, is not associated with a VLAN, nor does it support any L2 protocols (STP).
If an L3 address is assigned to an EtherChannel, it’s assigned to the whole Port Channel, not just an individual port
config)# int (fx/x) !!! physical interface.
config-if)# no switchport
config-if)# ip add [ip] [mask]
Process Switching: Used in routers only. Each packet must be examined by the CPU and handled in software. Slowest method.
Cisco Express Forwarding (CEF): Topology based. High performance packet forwarding through the use of dynamic lookup tables.
config)# (no) ip cef !!! global, on by default.
config-if)# (no) ip route-cache cef !!! per interface.
Forward Information Base (FIB): The L3 routing table, reformatted into an ordered list of destination networks, masks, and next-hop
IP addresses for each IP destination subnet in the table. Most specific routes are placed at the top. Also contains host routes for
directly connected hosts. Show FIB with:
sh ip cef (fx/x) (vlan [x]) (detail)
version number: # of times the cef entry has been updated.
epoch: # of times the cef table has been flushed and regenerated as a whole.
sh ip cef [prefix ip] [prefix mask] (longer-prefixes) !!! to search per network.
Adjacency Table: The L2 MAC for each next-hop IP in the FIB that is a single hop away. Eliminates lag for ARP requests. Null adj.
used to switch packets destined for the null interface. Drop adj. used to switch packets that can’t be forwarded normally. Discard
adj. used when packets must be discarded due to an ACL or other. Punt adj. used when packets must be punted to L3 engine.
sh adjacency (fx/x) (vlan [x]) (summary) (detail) !!! address string: destmac sourcemac ethertype (0800=ip)
CEF Glean: If there is no L2 next-hop in the Adjacency table, the FIB entry is marked as “glean” because the L3 Forwarding Engine
can't forward the packet in hardware. The packet is sent to the L3 Engine so that it can “glean” the MAC via an ARP request/reply.
sh ip cef adjacency (glean | punt)
sh ip cef [ip] [mask] detail
Layer 3 Engine (Software): Acts like a router; builds the routing information using static routes or routing protocols, and ARP.
Layer 3 Forwarding Engine (Hardware): Uses the Layer 3 Engine's routing info and ARP table to switch packets in hardware.
Normal CEF Behavior:
Ingress packet
→ FIB
→ Adjacency Table
If CEF Punted to L3 Engine:
Ingress packet
→ Routing Table → ARP Table
→ Rewrite Engine
→ egress packet.
→ egress packet.
Reasons for Punting: Entry not in FIB, FIB or TCAM are full, TTL expired, MTU exceeded (must fragment packet), ICMP redirect,
encap. type not supported, packets tunneled/require compression/encryption, ACL with log, or NAT. Wildcard entry to RE.
sh cef (not-cef-switched | drop) !!! drop are dropped, not switched are punted.
Packet Rewrite: Header must be rewritten. Change L2 dest & source address, decrement L3 TTL, and recalc IP and frame checksum.
Accelerated CEF (aCEF): Distributed across multiple L3 engines, each engine stores the most often used entries.
Distributed (dCEF): Replicated across multiple L3 engines. Central engine maintains the routing table and generates the FIB, which is
downloaded to each line card. Better performance of the two.
VLANs and Trunks
VLANs are logical networks, they form a single broadcast domain; devices connected to different VLANs will not receive the same
broadcasts. A VLAN can have members located anywhere in the campus network as long as VLAN connectivity is provided among
all members. L2 switches are configured with VLAN mappings and provide the logical connectivity among the VLAN members.
1002-1005 are reserved.
Static VLANs: Manually assigned, normal range = 1-1005, extended range = 1006-4094 (with VTP in transparent mode or in v3).
Dynamic VLANs: Provide membership based on the MAC of an end-user device by querying a database (VMPS).
End-to-End VLANs: Span the entire switch fabric of the network, are flexible, and offer mobility. Users can be assigned to VLANs
regardless of their physical location. Users should be grouped according to common requirements, policies, and access to
resources. All users in a VLAN should have roughly the same traffic flow patterns. Not recommended because broadcast traffic is
carried all over, allowing a broadcast storm/L2 loop to spread far. More difficult to administrate.
3
Local VLANs: Should use 20/80 rule, 20% of traffic is local within the VLAN, while 80% is destine for a remote network. Local VLANs
are designed to contain user communities based on geographic boundaries. Allows L3 functionality to handle inter-VLAN traffic,
provides redundancy with multiple paths, scalability, and easier management.
Trunks: Routing traffic from one VLAN to another requires a router or external bridge between the VLANs. Instead of using a
separate link per VLAN to span VLANs between switches, a trunk can transport more than one VLAN through a single switch port.
The link itself is not assigned to a specific VLAN. One, many, or all active VLANs can be transported over a trunk. Can use all forms
of Ethernet switch links, including EtherChannels.
Tagging: Assigns a unique user-defined ID to each frame. On an access port, when a frame is sent out, the tag is removed, when a
frame is received, the tag is removed. Two methods to send tags over trunk links, ISL or 802.1Q; both add to the length of an
Ethernet frame, which cannot exceed 1518 bytes. Frames barely exceeding the MTU are called baby giant frames, and are
reported as errors or oversize frames.
ISL: Proprietary, encapsulates the original frame between an additional 26 byte header and 4 byte trailer (CRC). Discontinued.
802.1q: Standard, instead of adding a header/trailer, the tag (4 bytes) is embedded into the existing L2 frame header, immediately
after the Source Address field (single or internal tagging). CRC must be recalculated. All VLANs are sent by default, good practice
to only allow what’s used. Uses the native VLAN concept.
Native VLANs: Frames in this VLAN are not tagged as they’re sent over a trunk; behave as if the trunk is not being used, often used
for management traffic. Determines the VLAN that received untagged traffic belongs to, default is VLAN 1. Both ends must match.
802.1ad (QinQ): Service providers can use a single VLAN to support customers who have multiple VLANs. Instead of removing the
VLAN tag received from customers, the ISP’s edge switch puts that traffic into the VLAN assigned to that port and adds another
VLAN tag outside that tag. Double tagged, allows overlapping VLAN IDs. 1504 MTU or greater is required.
Dynamic Trunking Protocol (DTP): Proprietary, point-to-point protocol that negotiates a common trunking mode between switches
(prefers ISL). Negotiation will only happen if both ends are in the same VTP domain, or if one or both have not defined their VTP
domains. DTP frames are sent every 30 seconds, slows network convergence. Auto ↔ auto will not form a trunk. Otherwise, set
the links to mode = trunk, encapsulation = isl/dot1q, and nonegotiate to not use DTP.
config-if)# switchport trunk encapsulation [ isl | dot1q | negotiate ]
config-if)# switchport nonegotiate !!! turns off dtp. must set mode to trunk to form.
config-if)# switchport mode [ trunk | dynamic (desirable | auto) ] !!! desirable or auto are defaults.
config-if)# switchport trunk native vlan [ vlan # ]
config-if)# switchport trunk allowed vlan [ (vlan-list) | all | none | add (#) | except (#) | remove (#) ]
sh interface (fx/x) trunk !!! allowed, native, and active vlans, mode, encapsulation, and stp state.
sh interface (fx/x) switchport !!! operational mode, encap, allowed vlans, pruning, private vlans, span.
sh vlan (brief) (id [#]) !!! trunk ports don’t show. (id) will show mtu and type.
sh dtp (interface [fx/x]) !!! shows timers, adding interface shows detailed statistics.
For IP phones, the link to the switch can be negotiated (using CDP or LLDP and DTP); a special-case 802.1Q trunk or a single access
VLAN can be used. With a trunk, the voice traffic can be isolated from user data, providing security and QoS capabilities. As an
access link, both voice and data are combined in a single VLAN; this simplifies configuration but may compromise voice quality,
depending on traffic. Assigning a voice VLAN enables PortFast automatically.
config-if)# switchport voice vlan [ (vlan #) | dot1p | untagged | none ]
(vlan #): trunk, voice tagged with voice vlan #, pc traffic sent untagged, switch places in data vlan.
dot1p: trunk, voice goes over vlan 0 with a qos value while pc traffic is untagged.
untagged: trunk, voice traffic ends up on native vlan. define native vlan to place it.
none: not a trunk, voice and pc traffic are in access vlan. default. no security or qos.
Autonomous APs: Operate independently. Locally connect VLANs ↔ WLANs on a 1-to-1 basis. Must be connected as a trunk.
Lightweight APs (LWAP): Join and cooperate with a wireless controller; the AP connects each of its own WLANs with a VLAN
connected to the controller. All VLAN↔WLAN traffic is encapsulated and carried over a special tunnel between the AP and the
controller. Configured as an access link so that the CAPWAP protocol tunnel can be built to transport traffic.
VTP
VLAN Trunking Protocol (VTP): Proprietary protocol that only runs over L2 trunk links to synchronize VLAN information among a
group of switches within the domain. Manages addition, deletion, and renaming. Uses configuration revision numbers to keep
track of the most recent information. Starts in null domain. V1 and V2 only support up to VLAN 1000. Only runs over trunk links,
uses VLAN 1. Server, Client, Transparent, and Off modes.
4
Server and client switches store VTP/VLAN info in the “vlan.dat” file in flash memory; VLANs won’t be cleared by a reboot. To reset
the revision number, put the switch into transparent mode, then back to server, or change the domain away and back again.
Summary Advertisements: Domain servers send summary advertisements every 5 mins or whenever a database change occurs. List
info about the domain including VTP version, domain name, config revision number, time stamp, MD5 hash, and the number of
subset advertisements to follow.
Subset Advertisements: Domain servers send these after a VLAN config change occurs. List specific changes such as creating,
deleting, suspending, activating, renaming, or changing the MTU of a VLAN. VLANs are listed individually in sequential subset
advertisements.
Advertisement Requests: A VTP client can request any VLAN info it lacks. Used in case it’s reset, domain name changed, etc.
Join Messages: Similar to Advertisement Requests but with a different “Message Type” field value and a few more parameters.
While only VTP servers can change the VLAN database, VTP clients can advertise updates to other clients and even to a server! As
long as the revision number is higher, any switch will accept an update.
V2 added Token Ring support, consistency checks, transparent relays, and support for unknown “Type Length Value” records (TLVs).
V3 added the extended VLAN range (up to 4094), enhanced authentication, database propagation, primary/secondary servers, per
port VTP, private VLANs, off mode, and MST information.
Different versions can interoperate. Transparent mode in V1 does not relay VTP info, in V2/3 it forwards, acting as a relay. While in
transparent mode, a switch can create and delete VLANs only local to itself. Configuration revision stays at 0.
Multiple servers can coexist for redundancy, only V3 will elect a primary/secondary.
config)# vtp version [ 1 | 2 | 3 ] !!! exec or config mode!
config)# vtp domain [name] !!! case sensitive!
config)# vtp mode [ server | client | transparent | off ] !!! off is v3 only, like transparent, w/o relay.
config)# vtp password [password] ( hidden | secret ) !!! exec or config mode! case sensitive!
vtp primary vlan [#] !!! exec mode! to become v3 primary.
sh vtp password !!! doesn’t show in running config.
sh vtp ( status | counters ) !!! version, revision, domain, pruning, mode, etc.
VTP Pruning: Reduces unnecessary broadcast traffic over trunk links for VLANs that have no active hosts on a remote switch. Applies
to normal range VLANs; 1 & 1002-1005 are ineligible. V1/2: configure on server, it will advertise the setting to the VTP domain, V3:
configure on each switch.
config)# vtp pruning !!! disabled by default. exec or config mode!
config-if)# switchport trunk pruning vlan [ (list) | add | except | remove | none ] !!! makes vlan eligible.
sh int (fx/x) switchport | in Pruning !!! shows vlans pruning is enabled on. include is case sensitive.
Spanning Tree
Spanning Tree Protocol (STP): Designed to prevent problems related to bridging loops. STP solves the problem by blocking
redundant paths and allowing only a single active path. Works by selecting a root switch then selecting a loop-free path from the
root to every other switch. One root port per each non-root switch and a single designated port per network segment.
Common Spanning Tree (CST): 802.1D, One instance of STP runs for the entire switched network resulting in low CPU requirements,
but suboptimal traffic paths when multiple VLANs are used. It is also slow to converge. BPDUs sent on native VLAN (untagged).
Per VLAN Spanning Tree Plus (PVST+): One instance of STP per VLAN, more resources required, slow convergence, allows for load
balancing, includes Portfast, BPDU Guard, BPDU Filter, Root Guard, and Loop Guard. Shows as Type:P2p peer (STP) in sh span tree
if running in rapid mode. Original was ISL only, + version added support for 802.1Q and interoperation with CST.
Rapid STP (RSTP): 802.1w, One instance of STP, but very fast convergence time. Suboptimal traffic flows because only a single
instance exists for the entire switched network. See later section for operation.
PVRST+: Proprietary enhancement to RSTP that behaves similar to PVST+. It supports a separate instance of RSTP for each VLAN.
Largest CPU and memory requirements. Supports Portfast, BPDU Guard, BPDU Filter, Root Guard, and Loop Guard.
Multiple Spanning Tree (MST): 802.1s, Standard that allows you to map groups of VLANs with similar traffic flow requirements into
a single STP instance. Also supports RSTP for fast convergence. See later section for operation.
MST and PVRST+ have become the dominate spanning-tree protocols of choice in Cisco switches, PVST+ is the default version of STP
that is enabled when a VLAN is created.
Bridge Protocol Data Unit (BPDU): STP initializing packet that exchanges information among bridges. Sent out a switch port using
the unique MAC address of the port itself as the source address. The destination address is a well-known multicast address.
5
Configuration BPDUs (every 2 secs) are used for STP computation while Topology Change Notification (TCN) BPDUs are used to
announce changes in the topology (link failures, port forwarding when there is already a designated port, TCN from neighbor).
A duplex mismatch may cause missed BPDUs, late collisions, and FCS errors, which can in turn cause a loop.
Bridge/System ID: Unique ID per bridge; first 2 bytes are the priority (0-65,535. Def = 32,768) plus the 6 byte MAC of the supervisor.
Extended System ID: STP requires a unique Bridge ID per instance; to save system MACs, Extended System ID takes the last 4 bits
from the priority field to include the VLAN # (priority + VLAN # + non-unique MAC). Uses a single MAC. Priority is in 4,096 intervals.
config)# spanning-tree extended system-id !!! new switches enabled by default. can’t disable if <1024 macs.
BPDUs containing a bridge’s own bridge ID are sent out during an election and messages are
compared to find the lowest bridge ID. When a switch hears of a better root bridge, it
replaces its own bridge ID with the root bridge ID found in the superior
BPDU. The switch then advertises the new root bridge ID in its own
BPDU messages, although it still identifies itself in the sender bridge
ID. The bridge with the lowest bridge ID becomes the root bridge. If
priorities are left to default, the bridge with lowest MAC will win.
Once the root bridge is found, root ports are determined: Each nonroot switch must figure out where it is in relation to the root
bridge. One root port per non-root bridge is selected, this is
the port pointing towards the root bridge. The root port is
selected based on the lowest root path cost; the cumulative
port cost of all the links leading to the root bridge, including own.
Port cost is inversely proportional to the port’s bandwidth. The root
path cost travels in a BPDU originating from the root; it’s incremented per
hop with each port’s cost as it’s received. The port with the lowest root path cost wins.
Common Costs: 10 Mb = 100 • 100 Mb = 19 • 1 Gb = 4 • 10 Gb = 2
Designated Ports: A single designated port is identified for each network segment, it’s responsible for forwarding BPDUs and frames
to that segment. All ports on a root bridge are designated ports. If two ports are eligible to become the designated port, then
there is a loop, one must be blocked to eliminate the loop. Similar to a root port, the designated port is determined by the lowest
cumulative path cost leading the Root Bridge. For DP ↔ DP selection, if path costs are equal, see tie breaker below. Any port not
elected as a designated or root port becomes a blocked port (non-designated).
If there are ties in the above processes, tiebreakers are: ① Lowest root bridge ID. ② Lowest cost path to the root. ③ Lowest
sender bridge ID. ④ Lowest sender port ID.
Port States: To participate in STP, each port of a switch must progress through several states:
Disabled: Administratively disabled; virtually non-operational.
Blocking: Ports start blocked when STP is enabled. Don’t send data or learn MACs, but process BPDUs. Non-designated: Remaining
ports after root/designated port election, become blocked. 20 secs.
Listening: Temporary. Send/receive BPDUs. Ensures no loops occur before passing data. MAC table not populated yet. 15 secs.
Learning: Temporary. Data is still not forwarded but MACs are learned to populate the MAC table. 15 secs.
Forwarding: Normal operation; both data and BPDUs are sent and received.
Convergence: 20 secs blocking → 15 secs listening → 15 secs learning = 50 seconds by default.
STP uses three timers to make sure the network converges properly before a bridging loop can form:
Hello: Time between Configuration BPDUs from the root, also when root expects to hear replies. 2 secs by default.
Forward Delay Timer: Amount of time spent in the Listening and Learning states. 15 secs each = 30 secs total by default.
Max Age Timer: Time a switch stores a BPDU before discarding. Missed BPDUs = change in topology. 20 secs by default.
TCN BPDU: Sent out the root port of a switch when the switch either moves a port into the forwarding state, or moves a port from
the forwarding or learning states into the blocking state. The TCN BPDU does not contain data about the change, only that it has
occurred. A TCN BPDU won’t be sent if the relevant port has PortFast enabled. Upstream switches forward the TCN to the root
and return an acknowledgment. Once the root receives the TCN, it acknowledges as well. The root will set the “Topology Change”
flag in a Configuration BPDU and relay it to every switch in the network. Receiving switches will shorten their MAC table (CAM)
6
aging times (300 secs by default) to the Forward Delay value (15 secs by default). This causes their MAC tables to be flushed much
sooner, preventing issues that may occur due to the topology change. Any hosts actively communicating are not flushed. This lasts
for the Forward Delay + Max Age (15 + 20).
STP can also detect and recover from indirect failures. Because the failed link is not on the bridge itself, a TCN will not be sent.
However, the bridge will flush its “best” BPDU after the Max Age Timer, at which point, the next best BPDU it receives over
another link will make that port the root port. That port will go through the states and then begin forwarding.
Insignificant TCNs can be caused by events such as PCs rebooting. When these happen, the normal TCN process occurs. This causes
all switches to flush their MACs, even though no actual topology changes occurred. This constant flushing of their CAM tables
causes many unknown unicasts, broadcasts, and flooded packets. To avoid this, use PortFast on user facing ports.
STP Configuration
To enable/disable (PVST+ is the default version):
config)# (no) spanning-tree vlan [ vlan # ] !!! global. caution!
config-if)# (no) spanning-tree vlan [ vlan # ] !!! per port.
sh spanning-tree interface [fx/x] (detail) (cost) !!! (detail) to see # of bpdus sent/received.
sh spanning-tree (vlan [#]) (summary) (root) (bridge) (detail) !!! root id, timers, ports, costs, etc.
Root bridge election is based on the idea that the root becomes the central hub to connect other legs of the network. If priorities
are left default, the lowest MAC will win. A poor selection may cause a longer than optimal path. Choose a root and a backup.
config)# spanning-tree vlan [ vlan # ] priority [0-65535] !!! def = 32768, lower preferred, 4096 intervals.
Timer defaults are based on a diameter of 7 switches. Changing the diameter value will automatically adjust the other timers
accordingly, which is a better method than manual selection. To have the switch choose its own priority (will not use 0, will go
4096 lower than the current root, 24,576 if all default) choose [primary] or [secondary]. Hello timer can be manually set too:
config)# spanning-tree vlan [ vlan # ] root [ primary | secondary ] ( diameter [x] ) ( hello-time [#] )
Timers only need to be modified on the root bridge; it will propagate all 3 timer values through the network in Configuration BPDUs.
Non-root switches will ignore their locally configured timer values.
config)# spanning-tree vlan [vlan-list] [hello-time | forward-time | max-age] [seconds]
The root path cost can be tuned; port cost is added as the BPDU is received on a port, lower is better:
config-if)# spanning-tree (vlan [vlan #]) cost [cost] !!! per vlan is optional.
Port ID can also be changed, ID = [Prio . Nbr]. Priority is 0-255, 128 by default. Ports in an EtherChannel have a higher port ID than if
they were not bundled. Lower is better.
config-if)# spanning-tree (vlan [#]) port-priority [ priority ]
PortFast: Causes L2 switch interfaces to enter forwarding state immediately, bypassing the Listening and Learning states. It should
be used on ports connected directly to end hosts or on trunks off to lone switches/servers. STP is still enabled; if a PortFast
enabled port receives a BPDU, it will transition through the normal process of STP states. Prevents insignificant TCNs.
config-if)# spanning-tree portfast (trunk) !!! (trunk) for trunk links.
config)# spanning-tree portfast default !!! global for access mode ports.
sh spanning-tree interface [fx/x] portfast !!! if enabled.
Macro to make a port access mode, enable PortFast, and disable EtherChannel negotiation:
config-if)# switchport host
BPDU Guard: Prevents problems related to switches being connected to PortFast enabled ports and causing loops, or from a rogue
switch becoming the new root bridge. The port is placed in the “err-disabled” state if it receives a BPDU, disabling the interface,
which must be reset manually or through err-disable recovery. Use with any port with PortFast enabled: all access ports.
config-if)# spanning-tree bpduguard enable !!! per port.
config)# spanning-tree portfast bpduguard default !!! global on any portfast ports.
BPDU Filtering: Combines with Portfast. Prevents BPDUs from being sent on a switch port. If configured globally, when a BPDU is
received on a Portfast enabled port, Portfast is disabled and the port begins transmitting BPDUs. Switch sends 10 BPDUs when it
first comes up as a check. If configured per interface, received BPDUs are ignored.
config-if)# spanning-tree bpdufilter [ enable | disable ] !!! per interface.
config)# spanning-tree portfast bpdufilter default !!! global, any portfast ports.
UplinkFast: For speeding convergence during a direct link failure. Use on access switches, not allowed on the root itself; bridge
(49152) and port (+3000) priorities are raised to prevent the bridge from becoming the root and so that the bridge is not used as a
transit switch. The switch identifies backup ports (held in standby state) for the root port, called an uplink group. If the root port
fails, one of the ports in the uplink group is unblocked and transitions immediately to Forwarding, bypassing Listening and
7
Learning. Will notify upstream switches of the new uplink by sending out dummy multicasts to 0100.0ccd.cdcd on behalf of hosts
in the CAM table. These updates are sent out at the (max-update-rate). Affects all VLANs on the switch.
config)# spanning-tree uplinkfast (max-update-rate [pkts/sec]) !!! global only, on all vlans.
sh spanning-tree uplinkfast !!! if enabled, update rate, and # of transitions.
BackboneFast: A switch actively determines whether alternate paths exist to the root bridge. Used in case the switch detects an
indirect link failure; when the switch receives an inferior BPDU from its designated bridge on either its root port or a blocked port.
Inferior BPDUs are sent from a designated bridge that has lost its connection to the root bridge, making it announce itself as the
new root. Normally a switch will wait for the Max Age timer to expire before responding, but with BackboneFast, the switch will
determine whether other alternative paths to the root exist, depending on the type of port that received the BPDU. Determining
the alternate path is done interactively with other switches by sending a Root Link Query (RLQ) out all non-designated ports. The
Max Age timer is immediately expired so that a new root port can be found. Ports still must go through a full-length forward delay.
Should be enabled on all switches in the network. Disabled by default.
config)# spanning-tree backbonefast !!! global only.
sh spanning-tree backbonefast !!! if enabled/disabled, rlq statistics.
Protecting STP Topology
Root Guard: Used to control where root bridges can be located within the network. Switches learn about and elect root bridges
based on BPDUs they receive. If a new switch is added to the network and becomes the root, it can/will disrupt traffic patterns. To
prevent this from occurring, apply Root Guard to ports where the root bridge should never been seen. If another switch advertises
a superior BPDU than the root (while still receiving BPDUs from the root), on a port with Root Guard enabled, the switch will not
allow the new switch to become the root, nor the port a root port. The port will be placed in the “root-inconsistent” STP state. No
data can be sent in this state (until BPDUs are no longer heard), but the switch can listen to BPDUs received to detect a new root.
Use on Distribution/Core uplinks on ports where you won’t expect the root bridge (designated ports). Can’t use on the root.
config-if)# spanning-tree guard root !!! per interface, all vlans.
sh spanning-tree inconsistentports !!! vlan, interface, reason, # of ports in this state.
sh spanning-tree vlan [#] !!! will display blocked port’s status as “bkn*” and “*root_inc” at end.
Loop Guard: Prevents situation where a port in the blocking state, which normally receives BPDUs, stops receiving them. When the
last BPDU is flushed due to the Max Age timer, the port will go through the states, then begin passing traffic, potentially forming a
loop. Loop Guard prevents this by keeping track of BPDUs; if they go missing, it will place the port in the “loop-inconsistent” state.
Doesn’t allow Alternate or Root ports to become Designated. Disabled by default, and takes action on a per-VLAN basis. Enable on
all switches, especially non-designated and trunk ports. Automatically re-enables a port if it starts receiving BPDUs again.
config-if)# spanning-tree guard loop !!! per interface.
config)# spanning-tree loopguard default !!! globally, on all point-to-point links.
UDLD: Proprietary, L2. When traffic is only flowing in one direction, it’s unidirectional. BPDUs will only
be received on one end of the link. If that end should normally be blocking, once the Max Age
timer ends, the port will move through the states and begin forwarding traffic. UDLD monitors a
port to ensure it’s bidirectional. UDLD sends frames identifying its ports, and expects the far-side
switch to echo the frames back. Both ends must be enabled. Timer can be changed, default is 15
secs, ends don’t have to match, must be less than [ Max Age + 2x Forward Delay ]. Has mechanism
to prevent issues when first bringing a link up at not the exact same time. Can block individual
links in an EtherChannel. Works with both fiber and copper. Methods: Normal: Default, fiber only;
when unidirection detected, port is allowed to continue operation, syslog message generated.
Aggressive: Switch will send out 8 UDLD messages, 1 per second, if none are heard, port becomes
“err-disabled.”
config)# udld [ enable | aggressive ] !!! global, on all fiber ports.
config)# udld message time (secs) !!! time between probe messages.
config-if)# udld port ( aggressive | disable ) !!! per interface, blank = normal.
udld reset !!! reenables all err-disabled udld ports, or use err-disable recovery.
sh udld (fx/x) !!! timers, status, remote switch info.
Advanced STP
Rapid STP: 802.1w, allows each switch to interact with its neighbors through each port. Interaction is based on a port’s role, not just
on BPDUs from the root. Root and designated ports are the same as CST, also uses Alternate ports (like UplinkFast, less desirable
backup root port, kept disabled), Backup ports (redundant designated port to another network segment), and Edge ports (act the
same as Portfast). Listening state is gone because RSTP can negotiate state changes without listening for BPDUs. Three states:
Discarding: Incoming frames dropped, no MACs learned. Combines disabled, blocking, and listening from CST.
8
Learning: Incoming frames dropped, but MACs learned.
Forwarding: Incoming frames are forwarded according to MACs that have been, and are being, learned.
BPDUs are still used, however extra bits are used; the sending port identifies itself by its RSTP role and state, version is set to 2. All
switches originate BPDUs, not just the root. Neighboring switches negotiate state changes. No forward delay or max age timers.
BPDUS sent out every switch port at hello interval (act as keep-alives), regardless of whether BPDUs are received from the root.
When 3 BPDUs are missed in a row (2s * 3 = 6s) a neighbor is presumed down, all info related to the neighbor’s port is aged out.
RSTP can coexist with CST switches due to the BPDU flag. If a CST BPDU is received on a port, the port will revert to CST operation.
When determining topology, decisions are based on types of ports:
Root: Best cost to root of STP instance. Only one root port selected/active on a switch at a time. Alternative paths to the root can
exist through other (Alternate) ports.
Point-to-Point: Port connecting to another switch becomes a designated port. Quick handshake instead of timer expiration.
BPDUs are exchanged as proposal/agreement. Automatically determined by duplex mode; if full, must be two switches. Halfduplex indicates shared medium, possibly more than 2 switches, traditional CST convergence used, slower.
Edge: Edge of network, where only a single host connects. If an edge port receives a BPDU, it will lose its edge port status and
transition normally through the RSTP process. Identified with PortFast.
Topology Change: RSTP detects a change when a non-edge port transitions to the Forwarding state. Instead of using a separate
TCN BPDU, Topology Change (TC) notifications are normal BPDUs with their TC bit set. They’re sent out all non-edge, designated
ports. This notifies neighbors, who then flush MACs associated with all ports, except the one that received the TC, and forward
the message. The original switch flushes all MACs associated with the non-edge designated port.
RSTP uses a proposal/agreement process where switches negotiate which port will become
Designated once a root bridge is elected. For each non-edge port, the switch sets the proposal
bit in a BPDU sent to its neighbor switch.
1) Switch (A) is proposing that its port should become Designated port for the segment (A-B).
2) If the proposal’s sender (A) has a superior BPDU, the neighbor switch (B) realizes the
sender (A) should have the designated port, and that its own (B) port should become the
root port. Switch (B) must now synchronize.
3) To not create a temporary loop during this synchronization process, all Non-Edge ports
on switch (B) are moved into the Discarding (blocking) state.
4,5) Switch (B) now sends an agreement back to the root bridge (A) agreeing that the port
on (A) is the designated, and the port on (B) is the root port. They begin forwarding.
6) For each Non-Edge port currently in the Discarding state on switch (B), a separate
proposal message is sent per segment, causing the neighbors to synchronize
themselves for (B → Any) segments. This process repeats in waves.
config)# spanning-tree mode [rapid-pvst | pvst] !!! change stp mode.
config-if)# spanning-tree portfast !!! rstp edge port.
config-if)# spanning-tree link-type point-to-point !!! force p2p for neighbor switches, may be half duplex.
sh spanning-tree (vlan [#]) !!! shows type of stp, and neighbor type.
Multiple Spanning Tree (MST): 802.1s, Concept of mapping a group of VLANs to a single STP instance. Multiple instances of RSTP can
be used, with each instance supporting a different group of VLANs. Reduces root bridges, root/designated ports, and BPDUs.
Switches participating in MST that have the same MST configuration info (name, rev #, vlan mapping) are referred to as a region.
Inside a region, individual MST Instances (MSTI) exist alongside the Internal Spanning Tree (IST). IST runs within a region to work
out a loop free topology between the links where CST meets a region boundary; represents the entire region as a single virtual
bridge to the CST outside. Only the IST is allowed to send/receive MST BPDUs to communicate with the outside.
BPDUs include info for all instances (MRecords) instead of unique BPDUs per instance. Entire instance-to-VLAN mapping table not
sent in a BPDU, instead, mapping is configured on each switch and sent as a hash.
Up to 16 MSTIs, IST exists as MSTI 0. By default, all VLANs are mapped to the IST instance (MSTI 0). VLANs must be explicitly mapped
to other instances as needed.
config)# spanning-tree mode mst
config)# spanning-tree mst [instance-id] root (primary|secondary) (diameter [#]) !!! (diameter) only msti 0.
9
config)# spanning-tree mst [instance-id] priority [#] !!! global. bridge priority.
config)# spanning-tree mst [hello time | forward-time | max-age ] [#] !!! global.
config-if)# spanning-tree mst [instance-id] cost [#] !!! port cost.
config-if)# spanning-tree mst [instance-id] port-priority [#] !!! port priority.
config)# spanning-tree mst configuration !!! you must enter configuration mode to do mapping and regions.
config-mst)# name [name] !!! region name.
config-mst)# revision [revision #] !!! manually increase with every change, must match between switches.
config-mst)# instance [instance-id] vlan [vlan-list] !!! map vlans to mst instance. instances can be 0-15.
config-mst)# sh [ pending | current ] !!! show config to be applied or already existing.
config-mst)# [ exit | end ] !!! apply the config
config-mst)# abort !!! cancel the config.
sh spanning-tree mst (instance-id) (detail) (int [fx/x]) !!! shows mapping, port states, root, priorities.
Aggregating Switch Links
EtherChannel: Also known as port channels and link aggregation (LAG) links. Bundle of 2-8 parallel links of same media type and
speed, acting as one logical link, providing full-duplex bandwidth. Although seen as a single logical link, the bundle does not have
the inherent total bandwidth equal to the sum of the links. Each link operates at its own inherent speed, as frames are distributed
across the individual links within the bundle by the EtherChannel hardware (depending on the load-distribution algorithm). If one
link within a bundle fails, adjacent links will be used transparently. Avoids loops by acting as a single logical access or trunk link;
ports must belong to the same VLAN if access, or if a trunk, have the same trunking mode, native VLAN, and pass the same VLANs.
Can also be L3 routed ports. Same speed, duplex, and STP config before being bundled. DTP & CDP send/receive over all physical
ports while STP only sends over the first operational port in the bundle. Configuring the port channel interface will automatically
modify interface parameters on all physical ports associated with the bundle. However, physical port properties (speed and
duplex), must be configured on the physical interfaces. Bundles can be created manually or with a negotiation protocol.
config-if)# channel-group [#] mode [ on | off ] !!! manual configuration.
config-if)# channel-protocol [ pagp | lacp ] !!! optional, restricts protocol. limits available options.
Port Aggregation Protocol (PAgP): Proprietary. Operates in silent sub-mode by default, allowing ports to be added to the bundle,
even if the switch does not hear anything from the far end. This allows a switch to form a bundle with a non-PAgP device such as a
network analyzer or server. Best practice is to always use “non-silent” mode when connecting switches together. [auto|desirable]
config-if)# channel-group [#] mode [ auto | desirable ] (non-silent)
Link Aggregation Control Protocol (LACP): Standard, 802.3ad. Uses priority system for switches (2 byte priority + MAC), lower
priority switch makes decisions about which ports are active. Ports are selected based on their port priority (priority + port #).
LACP selects 8 (of up to 16) of the lowest priority ports to be active, the rest are held in standby. [passive|active]
config-if)# channel-group [#] mode [ passive | active ]
config-if)# lacp port-priority [#] !!! optionally lower for interfaces you want to win port election if >8.
config)# lacp system-priority [#] !!! lower priority switch makes above decisions.
On PAgP, auto ↔ auto, and on LACP, passive ↔ passive, bundles will not form. If either end of the EtherChannel is set to [on], the
other must be as well. Both ends must be running the same protocol.
Traffic is distributed across links by an algorithm, not necessarily equally. A hashing algorithm is used on the end bits of
source/destination IPs or MACs, or TCP/UDP port numbers. More links = more bits considered. Combinations of methods uses an
XOR operation. Prefer powers of two to help the hash function load balance evenly. Perspective of packets being transmitted.
config)# port-channel load-balance [method] !!! global per switch.
sh etherchannel load-balance !!! shows configured method.
sh etherchannel (#) port-channel !!! to see how links are loaded, shows in hex.
Multichassis EtherChannel (MCEC): Links can be distributed among a switch stack or a VSS switch family. Multichassis LACP
(mLACP) is an extension of LACP, which forms a port channel from a single device, dual homed to two VSS peers. Conveys that the
device is connected to a single peer and not two separate devices, avoids loops.
Virtual Switch Link (VSL): Port channel used for control and data traffic in between VSS peers. Doesn’t support FastEthernet.
EtherChannel Guard: Used to reduce the chances of a misconfigured EtherChannel (which may cause a loop). If a misconfiguration is
detected, it will place the port into the “err-disabled” state. Enabled by default.
config)# (no) spanning-tree etherchannel guard misconfig
Troubleshooting:
sh etherchannel (#) ( summary | detail | port | brief | protocol ) !!! look for a capitol p.
sh [lacp | pagp] neighbor !!! ports, remote switch, remote mac, remote port, age.
sh interface [fx/x] ether-channel
10
DHCP
Discover: Client sends to broadcast address to find DHCP server. Client’s source MAC is included.
Offer: Server replies with offer of an IP, subnet mask, default gateway, and other parameters. Sent as broadcast, includes server’s IP.
There may be more than 1 offer if there is more than 1 server.
Request: Client sends request (when satisfied with offer), requesting to use an offered address. Includes record of offer so correct
server is used. Broadcast.
Acknowledge: Server replies to client, with IP and parameters for its use, as approval to start using the IP. ACK is a unicast, but may
also be a broadcast.
IPs are leased; before the lease time expires, clients must try to renew their addresses. Steps for creating a server:
config)# ip dhcp excluded-address [start-ip] (end-ip) !!! auto excludes svi ips. (end-ip) is optional.
config)# ip dhcp pool [pool name]
config-dhcp)# network [ip] [subnet mask] !!! subnet must match that of svi.
config-dhcp)# default-router [ip] (ip2) (ip3)... !!! should match the svi.
config-dhcp)# lease ( infinite | [days] (hours) (minutes) ) !!! default = 1 day = 86400 secs.
config-dhcp)# option [option number] [value] !!! 43 = lwap; 69 = smtp; 70 = pop3; 150 = voip tftp.
sh ip dhcp binding !!! shows mac <–> ip binding.
clear ip dhcp binding [ * | (ip) ] !!! * for all, (ip) for individual.
debug ip dhcp server !!! shows process of handing out addresses, or for static, wrong mac.
Manual bindings are possible; create a pool for each device:
config)# ip dhcp pool [pool name]
config-dhcp)# host [ip] [subnet mask]
config-dhcp)# [ client-identifier | hardware-address ] !!! client id is usually the mac prepended with 01.
DHCP Relay: Intercepts broadcast messages (DHCP, TFTP, BOOTP, NTP, TACACS, DNS, NetBios) from the client and forwards them to
the server address as a unicast message.
config-if)# ip helper-address [ip] !!! on svi. can be multiple, relayed simultaneously. set int ip first.
config)# (no) ip forward protocol [udp (port#)] !!! disable/enable protocols/ports to forward.
IPv6
To discover a neighboring router, the device can use its link-local address. Always begins with FE80::/10. Device appends its own
interface ID, including its MAC. Devices go through DAD.
Stateless Autoconfiguration: Client can create a globally unique address by combining info advertised from a router with info from
the client’s own network adapter. Router provides 64 bits from the L3 subnet prefix and client appends its EUI-64 ID (MAC + FFFE
in middle to make 64 bits, 7th bit [U/L] flipped). Router advertises default router, MTU, etc. Sent periodically or client can request.
config-if)# ipv6 add [ipv6 ip]
config)# sdm prefer dual-ipv4-and-ipv6 !!! to adjust tcam for dual ipv6-ipv4 usage.
DHCPv6: The above only provides basic info, for more (domain name, DNS server, etc.), a client needs a DHCP server.
config)# ipv6 dhcp pool [pool name] !!! can’t exclude addresses or do manual bindings.
config-dhcpv6)# address prefix [ipv6-prefix]
config-dhcpv6)# dns-server [ip]
config-dhcpv6)# domain-name [na.me]
config-if)# ipv6 add [ipv6-add] !!! can be an svi. no shut.
config-if)# ipv6 dhcp server [pool name]
sh ipv6 dhcp pool
clear ipv6 dhcp binding [ * | (ipv6-add) ]
DHCPv6 Lite: Mix of the above two. Clients use SLAC to form their own addresses based on the IPv6 prefix assigned to the SVI, but
get additional info from the DHCP pool. Config is same as above, but without the address prefix and with below:
config-if)# ipv6 nd other-config-flag
DHCPv6 Relay: IPv6 helper. Uses Relay-Forward (Solicit), Relay-Reply (Advertise), Relay-Forward (Request), Relay-Reply (Reply).
config-if)# ipv6 dhcp relay destination [ipv6-address] [fx/x] !!! switch can’t be a dhcp server.
SPAN
Switched Port Analyzer (SPAN): Used to monitor traffic on another port. If you’re in the same VLAN as the port you want to
monitor, you will only overhear broadcast and multicast traffic since ports are individual collision domains. SPAN can mirror traffic
from one source switch port or VLAN to a destination port. Can monitor data that is received, transmitted, or both. Out-of-band.
11
The source can be one or more physical switch ports on the same or a different VLAN, trunk ports, ports that are a member of an
EtherChannel, an entire port-channel interface, or an entire VLAN (VSPAN). Cannot monitor SVIs nor mix source types. If
monitoring multiple ports, repeat the source command, or use “-” or “,” for a list. Source traffic is never affected, but if source and
dest ports operate at different speeds, some destination traffic may be dropped. Different SPAN sessions cannot share a common
destination, only 1 destination per session. Session numbers must be unique. Session source & destination numbers must match.
config)# monitor session [session
config)# monitor session [session
config)# no monitor session [ (#)
sh monitor (session [ (#) | all |
#] source [interface (fx/x) | vlan (#)] (rx | tx | both) !!! both is def.
#] destination [interface (fx/x) | vlan (#) ] (encap. replicate) (ingress)
| range (range) | local | all ] !!! to delete.
local | range (list) | remote ] (detail) !!! sh run for tshooting too.
By default SPAN doesn’t copy VLAN tags nor L2 protocols (STP, CDP, BPDUs, etc). STP is disabled on the destination port to allow
BPDUs to be captured. CDP is not run. To enable, use [encapsulation replicate] on the destination command.
The destination interface can only transmit by default. Add following to the destination command to enable ingress traffic:
... ingress [ dot1q vlan (#) | isl | untagged vlan (#) ]
When using a trunk port as a source, you can select which VLANs to monitor; filter the VLANs you DO want.
config)# monitor session [session #] filter vlan [vlan range] !!! filter is for allowed!
SPAN destination ports will show as “up, line protocol down (monitoring)” in sh int.
Remote Span (RSPAN): A SPAN session split across two independent switches, mirrored data is transported over a special purpose
VLAN between them and/or intermediate switches, provided any intermediate switches are RSPAN enabled/capable.
RSPAN VLANs have MAC address learning disabled to prevent any intermediate switches from forwarding packets to their real dest.
Switches flood RSPAN packets out all ports belonging to the RSPAN VLAN. Limit RSPAN VLAN to appropriate links. RSPAN must
allow STP to prevent loops; as a result, BPDUs cannot be monitored.
Create one RSPAN VLAN per RSPAN session. Do not allow any normal hosts to join an RSPAN VLAN. VTP will duplicate an RSPAN
VLAN. If VTP is not being used, create the RSPAN VLAN on each intermediate switch. VTP will prune unnecessary links.
config)# vlan [#]
config-vlan)# remote-span
Reflector Port: Some switches need to sacrifice a port’s ASIC to perform remote mirroring. Appended to destination command.
Configure source AND dest on BOTH end points. On the mirroring side, use a source [ interface or vlan ] and a destination [remote
vlan]. On the receiving end, use a source [remote vlan] and a destination [interface].
config)# monitor session [session #] destination remote vlan [rspan-vlan-#] (ingress) (reflector-port fx/x)
High Availability
Redundant links between many switches gets very complicated and STP blocks many links. Aggregating switches with StackWise/VSS
and aggregating links with EtherChannel simplifies things, is more redundant, fails over quicker, and provides more bandwidth.
StackWise: Connects multiple switches together (up to 9) to form a single logical switch. The switch stack is controlled by one of the
member switches (master), while others can take over the role if needed. The master is elected by priority, if equal: best feature
set → pre-configuration → up time → lowest MAC. Member switches are connected to each other through a bidirectional dual
ring of StackWise cables, acting as the switch fabric. Due to the closed loop configuration, the ring can be broken to add or remove
a switch while the rest of the switches stay connected. Cutting the loop 1/2s the bandwidth, normally 32 GB/s (64 for X-series).
Ports on different physical switches in a stack can be bundled into a Multichasis EtherChannel (MEC). Includes RPR+ and NSF.
Virtual Switching System (VSS): Method to join two separate physical switch chassis together as one logical switch, can be
geographically separated. Eliminates need for FHRPs. The two chassis are managed by one supervisor, while the other can take
over if needed. The switch chassis are connected with VSS Links (VSL), up to 8 of them, using mLACP. If the VSL goes down, they
will go into “dual active recovery mode;” all interfaces except the VSL interfaces are shut down in the former active virtual switch
member. The new active virtual switch continues to forward traffic on all links.
Redundant Switch Supervisors: Modular platforms can accept 2 supervisor modules in a single chassis. The first to boot becomes
the active while the other is in standby mode. The standby will only initialize to a certain level. Can be configured in several
modes; mode affects how the supervisors handshake and synch info. Mode also limits standby’s state of readiness. The more
ready, the less failover time. Three listed in order of quickness:
Route Processor Redundancy (RPR): Standby is partially booted/initialized. When active fails, standby must reload every other
module in the switch and then initialize all the supervisor functions. Outage lasts several minutes.
12
RPR+: Redundant supervisor and routing engine are fully initialized, but no L2/3 functions are started. When active fails, standby
immediately finishes initializing without reloading other switch modules. Allows switch ports to retain their state. <1 minute.
Stateful Switchover (SSO): Standby is fully booted/initialized. Start/run config contents are synched between the sups as well as
L2 info (Protocols and FIB table) so that hardware switching can continue during a failover. Quickest failover, immediate.
For first time, enter commands on both switches. Once enabled, only make changes to active supervisor, as they’ll be replicated:
config)# redundancy
config-red)# mode [ rpr | rpr-plus | sso ] !!! ios images must match for rpr+. same on both ends!
sh redundancy states
By default, start/run configs are synched. Other info can be included:
config)# redundancy
config-red)# main-cpu
config-r-mc)# auto-sync [ startup-config | config-register | bootvar | standard ] !!! standard for default.
Nonstop Forwarding (NSF): Works with SSO. Interactive method that focuses on quickly rebuilding the Routing Information Base
after a sup switchover. RIB is used to generate the FIB for CEF. Instead of waiting on a L3 routing protocols to reconverge, a router
uses NSF to get assistance from other NSF-aware neighbors. Continues forwarding CEF flows during reconvergence, prevents
route flapping due to routing adjacencies resetting.
config-router)# nsf !!! ospf and eigrp.
config-router)# bgp graceful-restart !!! bgp.
L3 High Availability
First Hop Redundancy Protocols (FHRP): If the gateway for a subnet/VLAN goes down, packets have no way of being forwarded off
of the local subnet. FHRP protocols allow multiple routing devices to share a common virtual gateway IP so that if one goes down,
another can pick up the active gateway role. Configure the same switch as both the primary FHRP router and the STP root bridge.
Load balancing can be performed by splitting a subnet into different groups with different switches acting as the master per
group. Hosts must also be configured to choose the correct gateway. Make the link between distribution switches L3 or high cost
to prevent the STP blockage of leg links.
Hot Standby Router Protocol (HSRP): Proprietary, RFP 2281. Each router is assigned to a common standby group, one is elected
active, another is elected standby. All other routers in the group remain in the listen state. Active and standby devices exchange
hellos to the multicast address 224.0.0.2 (UDP 1985) with a TTL of 1 so they won’t escape the Ethernet segment.
Hello packets are only exchanged in the Speak, Standby, and Active states. Routers are in the speak state during elections. States:
disabled: disabled. either not configured or shutdown.
initial: state from which the router begins the hsrp process, not actually running yet.
learn: if no virtual ip is configured, currently learning from the active router.
listen: knows ip and mac of virtual router, but not elected active/standby. listens for hellos.
speak: sending hellos and participating in the election for the active or standby router.
standby: monitors hellos from active router and is the candidate to become the next active router.
active: router is currently forwarding packets on behalf of the virtual ip and sending hello packets.
Each router in a group has its own unique IP on an interface used for routing protocols and management traffic. In addition, each
router also has a shared virtual gateway IP (vIP), which is kept alive by HSRP; clients point to this vIP as their default gateway.
Physical and vIPs must be in the same subnet. So hosts won’t have to reARP during a failure, HSRP assigns the vIP a virtual MAC:
0000.0c07.acxx where xx = the group number in hex, 07.ac indicates HSRP.
Standby group #s are 0-255, good practice to have group #s match VLAN #s. Most switches only support 16. Group #s can match on
other interfaces since they’re only locally significant to an interface. If [Group #] is left off, Group 0 is used.
config-if)#
config-if)#
config-if)#
config-if)#
standby
standby
standby
standby
[group
[group
[group
[group
#]
#]
#]
#]
ip [ip] (secondary) !!! (secondary) for redundant secondary ip.
mac-address [mac] !!! optionally change vmac.
name [name] !!! optionally name a group, use for follow.
follow [name] !!! makes group slave of another group for simpler election.
Election is based on the priority (0-255) that is configured on each router, default is 100. Higher is better. If priorities are equal, the
tiebreaker is highest physical IP on an HSRP interface.
config-if)# standby [group #] priority [priority #]
sh standby (brief) (vlan [vlan #] | [fx/x]) !!! p indicates preempt. group #, state, timers, etc.
Only the standby monitors hellos (keepalives, def = 3 secs.). If hellos are missed for the hold time (def = 10 secs, or 3x hello), active
is considered down and standby takes the active role. If manually shutdown, there is a graceful shutdown goodbye.
config-if)# standby [group #] timers (msec) [hello #] (msec) [holdtime #] !!! don’t have to match.
13
By default, once the active router fails and the standby becomes the new active, the original active router cannot be reinstated as
the active until the new active fails. To allow the best router to take over the active role (coup) without a failure, use preemption.
Applies to device taking over. Delay/reload optionally prevents flapping and allows for convergence. Based only on priority, not IP.
config-if)# standby [group #] preempt ( delay ( minimum | reload | sync ) [#] )
If an uplink on the HSRP router fails, the router doesn’t have much use, but remains active. Use tracking to decrement priority. Can
track an interface or use a tracking object. Make sure routers are using preemption!
config-if)# standby [group #] track [track # | (fx/x)] (decrement value) !!! decrement of 10 by default.
Authentication prevents an unauthorized router from joining the HSRP group. All routers in the HSRP group must be configured with
an identical authentication string. MD5 uses service password-encryption to hash.
config-if)# standby [group #] authentication [string] !!! plain text.
config-if)# standby [group #] authentication md5 key-string (0|7) [string] !!! 0=plain text, 7=hash.
For MD5 authentication with a key chain:
config)# key chain [chain-name]
config-keychain)# key [key #]
config-keychain-key)# key-string (0|7) [string] !!! 0=plain text, 7=hash. lifetimes are optional.
config-if)# standby [group #] authentication md5 key-chain [chain-name]
IPv6 inherently has some support due to all routers connected to a subnet advertising their presence.
config-if)# standby version 2
config-if)# standby ipv6 autoconfig
Virtual Router Redundancy Protocol (VRRP): Standard alternative to HSRP, but very similar. Active is renamed to master, all other
routers are in the backup state. MAC is in the form of: 0000.5e00.01xx where xx = the group number in hex. Hellos are sent at 1
second intervals, dead/holddown timer is 3 secs + skew. Skew time (0-1 sec) is calculated as an inverse of the priority; higher
priority = lower time. Backup routers can optionally learn the advertisement interval from the master. Preemption is on by
default. Uses multicast 224.0.0.18 IP 112. Replace “standby” with “vrrp” for all commands. Virtual IP and real IP can match on 1
switch, making it the master and saving an IP. Uses track objects only, no built in interface tracking like HSRP.
config-if)# vrrp [group #] timers [{advertise (msec) [#]} | learn] !!! can’t be msec when advertised.
config-if)# vrrp [group #] track [track-object #] (decrement [#]) !!! object tracking only. 10 by default.
Gateway Load Balancing Protocol (GLBP): Proprietary. Overcomes limitations of above protocols and makes load balancing easier.
Instead of having just one active router forwarding, up to 4 routers in a group can participate and offer load balancing by
forwarding a portion of the overall traffic. All hosts can have their default gateway set to the same IP. Load balancing is performed
through the use of virtual router MAC addresses, sent in ARP replies returned to the clients by the AVG. Preemption is off by
default. Doesn’t run on all switch platforms, but most routers. Virtual MACs have the form of 0007.b400.xxyy where xx = the
group number (in hex) and yy = the AVF number. Max of 4 virtual MAC addresses. Multicast to 224.0.0.102.
Active Virtual Gateway (AVG): Router with highest priority or highest IP. Answers all ARP requests for the virtual (default) gateway
IP address. The returned MAC depends on the selected algorithm. Assigns the necessary vMAC to each router in the group, as well
as secondary roles. Is also an AVF. SVG: Standby, only 1, rest are listening.
Active Virtual Forwarder (AVF): Routers that take on vMACs and forward traffic received on their respective addresses, up to 3 (plus
the AVG). Remaining routers in the group become secondary (SVF)s in case an AVF fails.
config-if)# glbp [group #] ip [ip] (secondary) !!! only necessary on avg, others can learn.
config-if)# glbp [group #] priority [#] !!! max of 255, 100 is default. higher is better.
config-if)# glbp [group #] preempt (delay minimum [seconds]) !!! not enabled by default!
config-if)# glbp [group #] timers (msec) [hello] (msec) [hold] !!! only need to do on primary. 3&10 by def.
config-if)# glbp [group #] authentication text [pass]
config-if)# glbp [group #] authentication md5 { key-string [string] | key-chain [key-chain name] }
config-if)# glbp [group #] ipv6 autoconfigure !!! to allow ipv6 to autoconfigure addresses.
sh glbp (brief) (detail) !!! local is active, others are listen.
A router can temporarily be the AVF for two different vMACs in case of another’s failure. Timers determine length:
Redirect Timer: Determines when the AVG will stop giving out the vMAC of a failed AVF in ARP replies. The new AVF representing
the vMAC of the failed AVF continues to act as a gateway for any clients that try to use the failed vMAC. Default = 10 mins.
Timeout Timer: When it expires, the vMAC of a failed AVF, as well as the failed AVF itself, are flushed from all GLBP peers. The
AVG assumes that the failed AVF will not return to service, so the resources previously assigned to it must be reclaimed. Clients
using the old MAC in their ARP caches must refresh the entry to obtain the new vMAC. Default = 4 hours.
config-if)# glbp [group #] timers redirect [redirect #] [timeout #]
14
Weighting: Used to determine which router becomes the AVF per host MAC. Each router begins with a max weight (1-254, def =
100). If using tracking, as interfaces go down, the weight is decreased by the decrement amount. Thresholds are used to
determine if a router can be the AVF; if the weight falls below the (lower), the router must give up the AVF role, it can resume if
the weight returns (enable preemption!). Optionally, the weight at which the router can return to its AVF role can be set (upper).If
using “weighted” distribution method, weight is used for load-balancing. Lowering weight will only reduce traffic flow if the
(lower) isn’t passed!
config-if)# glbp [group #] weighting [weight] (lower [#]) (upper [#])
config-if)# glbp [group #] weighting track [object #] (decrement [#]) !!! dec of 10 by default.
config)# track [object #] interface [fx/x] (line-protocol | ip routing)
Supports three load-balancing methods:
Round Robin: Default distribution. Each ARP request for the vIP receives the next vMAC. Load is balanced if traffic is even.
Weighted: Interface weight values determine the relative proportion of traffic sent to each AVF. Higher weight = more ARP replies
with a router’s vMAC. Proportion % = weight / (total weight of all AVFs) * 100.
Host Dependent: Each client that sends an ARP always receives the same vMAC. Use if clients need a consistent gateway MAC.
config-if)# glbp [group #] load-balancing [round-robin | weighted | host-dependent]
Securing Switch Access
Port Security: Only available on access mode or static trunk ports (Not dynamic), not EtherChannels. Prevents “MAC Flood Attacks.”
By default, will limit 1 MAC per switch port. Max can be increased:
config-if)# switchport port-security !!! must be enabled first!
config-if)# switchport port-security maximum [max #] (vlan [access|voice]) !!! use vlan to limit per vlan.
PS learns MACs dynamically and stores them in the CAM and running config. If a switch reboots, PS will relearn a new set of MACs.
Sticky will learn and save MACs across a reboot, or MACs can be statically defined.
config-if)# switchport port-security mac-address [(mac) | sticky] !!! mac in dotted triple, change max.
config-if)# switchport port-security aging time [mins #] !!! learned macs can be aged out. not stickys.
config-if)# switchport port-security aging type [inactivity | absolute] !!! type of aging.
If more than the max MACs are learned, a violation occurs.
config-if)# switchport port-security violation [ shutdown | restrict | protect ]
shutdown: default. put in “err-disabled” state, must be bounced or err-disable recovery used.
restrict: port stays up, packets from violating macs dropped. switch can send snmp traps and syslog msg.
protect: ports stay up, violating macs have packets dropped, but no notifications/records.
sh port-security !!! lists interfaces, max, counts, and violation counts/modes.
sh port-security interface (fx/x) !!! lists enabled settings and counters.
sh port-security (address (vlan [#])) !!! per vlan configured macs, type of assignment, port, and aging.
sh int status err-disabled !!! lists int, name, status, and reason.
To clear learned MACs or entire cache:
config)# clear port-security [ all | configured | dynamic | sticky ] (address [mac] | int [fx/x])
Port Based Authentication (802.1x): A combination of AAA authentication and port security. Switch port will not pass traffic until a
user has authenticated with the switch. Both switch and PC (using an application) must support 802.1x, using Extensible
Authentication Protocol over LANs (EAPOL). Authenticates based on L2 MACs. Server is RADIUS only. Allows EAPOL, CDP, & STP
traffic without authentication. Port must be in access mode!
config)# radius-server host [ hostname | ip address ] (key [key string] ) !!! repeat for other servers.
config)# aaa new-model !!! first enable aaa, new-model uses method lists.
config)# aaa authentication dot1x default group radius !!! defined radius servers are used for auth.
config)# dot1x system-auth-control !!! enables 802.1x on the switch.
config-if)# switchport mode access !!! can’t enable on dynamic/trunk ports!
config-if)# dot1x host-mode multi-host !!! for multiple hosts on 1 port (off a hub/switch).
config-if)# dot1x port-control [ auto | force-authorized | force-unauthorized ] !!! per port.
auto: the port uses an 802.1x exchange to move from unauthorized to authorized, if successful.
force-authorized: the port is forced to always authorize any connected client. no auth necessary.
force-unauthorized: the port is forced to never authorize any connected client.
sh dot1x (all) !!! (all) gives far more details and port info.
Storm Control: Feature to set limits on flooded traffic before it can cause problems on your network. Configured per-interface to
monitor traffic that is arriving, before it is flooded. Configured via thresholds for amounts of broadcast, multicast, or unicast
(unknowns / ARP requests), and the action to be taken when exceeded.
15
Storm Control will take action when the flooded traffic rises above the configured value, then will stop taking action when the traffic
falls below that value. The falling value can be optionally changed with the (low#). Instead of large numbers, use k m and g (50k).
config-if)# storm-control [ broadcast | multicast | unicast ] [ level ( bps | pps ) [#] ] (low#)
level: percentage of interface bandwidth. can be a value with 2 decimal places, 0-100.
bps: bits per second, 1 decimal place, 0.0 – 10 gbps.
pps: packets per second, 1 decimal place, 0.0 – 10 gbps.
sh storm-control (interface) ( broadcast | multicast | unicast )
Traffic is dropped by default, you can additionally have the port go into “err-disabled” (shutdown) mode, or send an SNMP (trap):
config-if)# storm-control action [ shutdown | trap ]
Preventing Spoofing Attacks
DHCP Spoofing: When an attacker responds to DHCP requests, listing themselves as the default gateway or DNS server. Allows
attacker to intercept all traffic before forwarding it on to the real network gateway. Attackers may also flood the DHCP server with
requests, filling up the available IP space (DoS attack). May also be a rogue DHCP server.
DHCP Snooping: Protects against DHCP Spoofing. When enabled, only ports that uplink to an authorized DHCP server are trusted
and allowed to pass DHCP traffic. All other ports are untrusted (default) and can only send DHCP requests. If a DHCP response
(offer) is heard on an untrusted interface, it is shutdown. Keeps track of completed bindings as clients receive replies (MAC, IP,
lease, etc.) in the DHCP Snooping Database of untrusted hosts and their leased IPs.
First configure globally, then on specific VLANs, and finally for trusted interfaces. Remember to configure only ports that connect
directly to or uplink to a DHCP server as trusted.
config)# ip dhcp snooping !!! enable globally.
config)# ip dhcp snooping vlan ( [vlan list] | [first] [last] ) !!! per vlan.
config-if)# ip dhcp snooping trust !!! only on ports where trusted dhcp servers are located!
config-if)# ip dhcp snooping limit rate [ pkts/sec ] !!! to limit dos attacks on untrusted ports. optional.
ip dhcp snooping binding [mac] vlan [vlan #] [ip] interface [fx/x] !!! manual, dynamic like entry. exec.
sh ip dhcp snooping (binding) !!! shows settings. (binding) shows mac, ip, lease, vlan, and interface.
DHCP Information Option (Option 82): Commonly used in metro or large enterprise deployments to provide additional information
on physical attachment of the client. Supposed to be used in distributed DHCP server/relay environment, where relays insert
additional information to identify the client’s point of attachment. Enabled by default.
config)# ip dhcp snooping information option !!! enables dhcp option 82 data insertion by switch.
config)# ip dhcp snooping information option allow-untrusted !!! allow untrusted ports on an aggregation
switch to accept option 82 packets from an edge switch.
config)# no ip dhcp relay information check !!! disables check of option 82 info in reply/relayed request.
Snooping Database Agent: Will retain bindings on a remote server to prevent loss of info during a switch reload:
config)# ip dhcp snooping database [url] (write-delay [secs]) (timeout [secs])
IP Source Guard: Prevents IP Spoofing on L2 ports. Keeps track of host’s IP address and/or MAC address associated with each port
on the fly, with VACLs, in conjunction with DHCP Snooping. If traffic sourced from the wrong add enters an interface, it’s dropped:
config-if)# ip verify source !!! only ip address filtering.
config-if)# ip verify source port-security !!! ip and mac filtering, must support opt 82; includes port id.
config)# ip source binding [mac] vlan [vlan #] [ip] interface [fx/x] !!! static hosts/def gateway w/o dhcp.
sh ip source binding [mac] [vlan (#)] [ip] [interface (fx/x)] (dhcp-snooping | static)
sh ip verify source (interface [fx/x]) !!! interfaces, filter type, active, ip, vlan. 2nd line is smart log.
Dynamic ARP Inspection (DAI): Prevents ARP Attacks (Spoofing and Poisoning). ARP replies received on untrusted switch ports are
checked against known, good values contained in the DHCP Snooping database, or manually configured. Prevents attacker from
pretending to be the target machine by intercepting the ARP process, or using gratuitous ARPs, to become a man-in-the-middle.
Can apply to access, trunks, PVLANs, and EtherChannels. Ports are trusted or untrusted, inspection only done on untrusted ports
(ingress only). Requires DHCP Snooping.
config)# ip arp inspection vlan [vlan-range] !!! to enable.
config-if)# ip arp inspection trust !!! to make port trusted, ie. switch uplinks. untrusted by default.
config)# arp access-list [arp-acl-name] !!! to match device.
config-acl)# permit ip host [sender ip] mac host [sender mac] (log)
config)# ip arp inspection filter [arp-acl-name] vlan [vlan-range] (static) !!! to apply the arp-acl, per
vlan. (static) will prevent dhcp bindings from being checked.
config)# ip arp inspection validate [ src-mac | dst-mac | ip ] !!! optionally validate arp replies.
sh ip arp inspection (int fx/x) (statistics) (vlan)
16
Securing VLANs
Private VLANs: Use a single IP subnet (saves IPs) across multiple VLANs while still maintaining traffic isolation boundaries at L2.
Breaks up a single Primary VLAN into multiple non-overlapping Secondary VLANs. VTP 1/2 won’t work, use transparent mode.
Primary: A normal VLAN used as the basis for a PVLAN when it’s associated with unidirectional or Secondary VLANs. Only 1 per
PVLAN, all Secondaries share the same Primary and broadcast domain. Represents the set of Secondary VLANs to the outside
world, which can only see the Primary VLAN.
Secondary: Can communicate with ports on the Primary VLAN, but not with any other Secondary. Shares the same IP subnet as the
Primary, but each uses an individually assigned VLAN ID which is associated with the Primary VLAN. Trunking Secondary VLANs
across trunk links is supported by most switches. Isolated or Community:
Community: Isolates hosts between different Community VLANs while allowing hosts within the same Community to
communicate with one another and the Promiscuous port. Same behavior as a normal VLAN. Multiple Community VLANs can be
created and associated to the same Primary.
Isolated: Host aren’t able to communicate with other Isolated/Community ports, only the Promiscuous port. Only one Isolated
VLAN can be associated per Primary VLAN. Multiple hosts are assigned to the same Isolated VLAN, with their traffic separated.
Promiscuous Ports: Special ports assigned to the Primary VLAN that can communicate with any port within any Secondary VLAN.
Allows shared devices (routers, firewalls, printers, or other gateway devices) to communicate with any Secondary VLAN port,
usually connected to the default gateway. Assign port as promiscuous and do vlan mapping.
Host Ports: Any port that connects to a regular host that is in either an Isolated or Community VLAN. Only communicates with a
Promiscuous port or ports within the same Community VLAN. Assign port as host and do host-association.
config)# vlan [vlan #]
config-vlan)# private-vlan [ primary | isolated | community ]
config-vlan)# private-vlan association [2nd vlan (list | add | remove)] !!! under primary vlan.
config-if)# switchport mode private-vlan [ host | promiscuous ] !!! under interface.
config-if)# switchport private-vlan host-association [ pri vlan ] [ 2nd vlan ] !!! for host port.
config-if)# switchport private-vlan mapping [pri vlan] [2nd vlan (list | add | remove)] !!! for promiscuous.
config-if)# private-vlan mapping [2nd vlan (list | add | remove)] !!! for an svi, remove “switchport.”
sh int private-vlan mapping !!! interfaces, secondary #, type.
sh vlan private-vlan !!! primary, secondary, types, ports
sh int switchport
VLAN Access Lists: VLAN Maps or Bridged ACLs. Packets that stay within a VLAN do not cross a VLAN/interface boundary and don’t
have a direction in relation to an interface. These packets may also be non-IP or completely bridged; they won’t pass through the
L3 switching engine. VACLs filter packetks within a VLAN. Configured with a map, similar to a route map: If → then logic. Match
using ACLs. Use real ACLs for SVIs. Implicit deny at end. A sequence without a match statement will match all traffic and forward it.
config)# mac access-list extended [name] !!! or use normal acl for ip traffic.
config-ext-mac)# permit [any | mac | host] [any | mac | host] !!! use permit to match! source -> dest.
config)# vlan access-map [ map-name ] (sequence #)
config-access-map)# match [ ip | mac ] address [ acl # | acl-name | mac-acl-name]
config-access-map)# action [ drop | forward (capture) | redirect (fx/x) ]
A VACL is applied globally to one or more VLANs listed, not to a SVI. To apply:
config)# vlan filter [ map-name ] vlan-list [ (#) | (vlan-list) ]
sh vlan access-map (name) !!! shows configured rules.
sh vlan filter ( access-map [name] | vlan [#] ) !!! shows which vlans map is applied to.
17
Switch Spoofing: Using a computer to mimic a trunk link with a directly connected switch using DTP. DTP is enabled by default and
trunks pass all VLANs by default. If an attacker is able to trick the switch into establishing a trunk port, they are able to access (and
inject ino) all traffic going through the switch.
config-if)# switchport nonegotiate !!! to disable dtp.
config-if)# switchport mode [ access | trunk ] !!! explicitly set, don’t use dynamic modes.
VLAN Hopping or Double-Tagging: Possible because 802.1Q does not tag frames sent using the native VLAN. If an attacker’s access
VLAN is the trunk’s native VLAN, the attacker can send a payload with two VLAN tags, the first assigned to the native VLAN, the
second assigned to the target destination’s VLAN. The first switch strips the native VLAN tag off the packet and forwards it out all
trunk ports (That’s how 802.1Q handles native VLAN traffic). Once the next switch receives the packet, it sees only the second tag
and places the packet in the target destination’s VLAN. Must be 1 switch away from target. ISL is not affected.
config-if)# switchport trunk native vlan [ vlan # ] !!! change from 1, prune with below if bogus.
config-if)# switchport trunk allowed vlan [ add | remove ] !!! explicitly set, don’t send all.
config-if)# switchport trunk native vlan tag !!! per port native vlan tagging on a trunk.
config)# vlan dot1q tag native !!! forces switch to tag native vlan on all dot1q trunks. (control traffic)
Best Practices
Passwords: Use enable secret, stronger than enable password. Also use external AAA servers to authenticate admins. Service
password-encryption will encrypt passwords in the configuration (not very strong).
Banners: Let users be aware of access/acceptable use policies. banner motd is displayed to authenticated users.
Secure the Web Interface: If using the CLI only: no ip http server. If using the GUI, use HTTPS: ip http secure server. Limit http access
with ip http access-class [acl #].
Secure Virtual Terminal Access: Config user auth on all vty lines. Also use access lists to limit IP sources. access-class [acl #] in.
Secure Console: Appropriate to use same authentication config on console as vty lines.
Use SSH When Possible: Telnet is not secure. Use highest SSH version possible. Requires encryption IOS image.
ip ssh version 2 | crypto key generate rsa [x] | ip domain name [x] | username [x] pass [x] | line vty [x y]
login local | transport input ssh (method 2) | access-class [acl#] in
Secure SNMP Access: Always use SNMPv3. Disable v1 and v2c RW access, only allow RO. Use ACLs to limit source IPs.
Secure Unused Switch Ports: Disable unused switch ports, and make all ports switchport mode access. Good practice to put unused
ports into a bogus VLAN. switchport host will make a port access, enable STP Portfast, and disallow EtherChannel.
Secure STP: Malicious users can inject BPDUs and disrupt topology. Use BPDU Guard to shutdown access ports receiving BPDUs.
Secure CDP/LLDP: Only enable on switch ports connected to other trusted Cisco devices, including phones. no cdp enable.
IP SLA
Gathers realistic info about how specific types of traffic are being handled end-to-end across a network. Router generates traffic that
is destined for a far-end device. As the far side device replies, IP SLA gathers data about what happened. Types: ICMP-echo, pathecho, DNS, DHCP, FTP, HTTP, UDP-echo, TCP-connect. IP SLA Responder can additionally do: Path/UDP jitter.
If using IP SLA Responder, make sure clocks are synched and IP SLA is running on both ends. Adds a time stamp to account for
processing time and for calculation of unidirectional packet loss, latency, and jitter for more accurate readings. UDP port 1967.
config)# ip sla (monitor) responder !!! to configure the responder end. (monitor) depends on ios.
config)# ip sla (monitor) [operation #] !!! (monitor) depends on ios.
config-ip-sla)# type [test type] [parameters] !!! eg. icmp-echp [dest-ip] (source-ip)
config-ip-sla)# frequency [seconds] !!! default is 60 second intervals.
config)# ip sla schedule [operation #] [life (forever|seconds)] [start-time...] (ageout #) (recurring)
sh ip sla configuration
sh ip sla statistics (aggregated) [operation #]
Can be secured using MD5 auth through the use of a key chain:
config)# key chain [chain-name]
config-keychain)# key [key #]
config-keychain-key)# key-string [string]
config)# ip sla key-chain [chain-name]
18
Logging
Timestamp Facility-Severity-Mnemonic: Message Ex: 00:33:22 %SYS-5-CONFIG_I: Configured from console by console
Facility: Begins with %. System ID that categorizes the switch function or module that generated the message.
Severity: 0-7 that indicates how important. Lower # is higher priority, selecting a number includes selected and those lower in #:
0
1
2
3
4
5
6
7
emergencies: crashes, stopped processes.
alerts: platform errors.
critical: hardware issues, port security, stp.
errors: acl, tcam, pagp, ethernet controller, interface up/down.
warnings: dhcp snooping.
notifications: 802.1x, dtp, etherchannel, inline power, stp, interface line protocol.
informational: stack events, port security, dynamic arp inspection, vtp, udld, stp, hardware diagnostics.
debugging
Can be sent to console:
config)# logging console [ (severity #) | (name) ] !!! only seen in console when connected to console port.
terminal monitor !!! redirects above to telnet/ssh session. exec mode.
Internal memory buffer is disabled by default, to enable:
config)# logging buffered (size 4096-huge) ( [severity #] | [name] )
sh logging
To send over network to syslog server, port 514:
config)# logging (host) [ ip | hostname ] !!! with or without (host) is the same thing.
config)# logging trap [ (severity #) | (name) ]
To disable link up/down messages, per interface:
config-if)# no logging event link-status
To add time stamps to log messages, uptime is the default:
config)# service timestamps log [uptime | {datetime (localtime) (show-timezone) (msec) (year)} ]
Clock commands, default is March 1, 1993:
sh clock (detail) !!! (detail) states “time source is ntp” if ntp is configured.
clock set [hh:mm:ss] [month] [day] [year] !!! this is an enable mode command!
config)# clock timezone [name] [offset-hours] (offset-minutes)
config)# clock summer-time [name] [date | recurring] [start/end day/month/time] [offset-mins]
Stratum: Number that indicates in which layer of the NTP hierarchy a time source is located (# of hops); 1 is the most accurate.
config)# ntp master (stratum #) !!! to set switch/router as master server. def stratum of 8.
config)# ntp server [ip] (prefer) (version [3|4]) (key [#]) !!! client, if multiple, pick a (prefer)red.
config)# ntp authenticate !!! enable authentication.
config)# ntp authentication-key [key-number] md5 [key-string] !!! define an authorization key.
config)# ntp trusted-key [key-number] !!! specify which key to use.
config)# ntp update-calendar !!! for devices that have a calendar.
config)# ntp peer [ip] !!! to configure another device, with same stratum, as a peer. will share time.
sh ntp association (detail) !!! master info. * shows it’s peered. detail shows “authenticated.”
sh ntp status (detail) !!! local info. look for “clock is synchronized.”
Authentication only provides a means for the client to validate the server, any IP can still synch time. To secure:
config)# access-list [#] permit [ip] [mask]
config)# ntp access-group [serve-only | serve | peer | query-only] [acl#]
When using NTP, a switch becomes an NTP server for any devices that tries to synch with it over an L3 int. Alternatively, you can use
SNTP; commands are the same, just add the “s” before. Switch will be in client only mode.
19
SNMP
Manager: System that uses SNMP to poll and receive data from any number of network devices. Usually a central application.
Agent: Process that runs on the network device being monitored. Data is gathered by the device itself and stored locally. Agent
responds to SNMP polls and queries with info from the data, and can send unsolicited traps/informs to the manager.
Management Information Base (MIB): Database on an agent containing variables about itself. Organized in a structured hierarchical
fashion. Each MIB is referenced by an OID.
Object Identifier (OID): Long string of indexes that follows the path from the root of the tree all the way to the variable’s location.
Manager sends poll/query to the switch with the OID of a specific variable being requested. Uses UDP port 161.
Trap: News of an event that is sent without any acknowledgment that the trap has been received.
Inform Request: Same as a trap, but the manager is required to acknowledge the receipt by echoing the request back to the agent.
V1: Simple get (next)/set requests, traps, and unsolicited alert messages. Access is based on a community string, which is sent as
plain text (Use read only!).
config)# access-list [#] permit [ip]
config)# snmp-server community [comm.-string] ( ro | rw ) (acl #)
config)# snmp-server host [host ip] [comm.-string] (trap type) !!! manager where traps will be sent.
V2c: Adds 64-bit variable counters (allows for higher values), bulk requests, and inform requests. Same first 2 commands as above.
config)# snmp-server host [host ip] (informs) version 2c [comm.-string] !!! use (informs) instead of traps.
V3: Adds user authentication, security levels, data integrity, and encryption, and groups with read/write access.
View: What you’re able to see/access. Optional, if unused, full access.
config)# snmp-server view [view name] [oid tree] [included | excluded]
Group: Associates views, defines type of access, and security type.
config)# snmp-server group [group name]
(access [acl#])
noauth: no packet authentication or
auth: packets are authenticated but
priv: packets are authenticated and
v3 [noauth|auth|priv] (read [view]) (write [view]) (notify [view])
encryption.
not encrypted.
encrypted !!! only if ios is cryptographic.
User: Belongs to a group; user name/pass, levels of encryption, and authentication. Same user must be on the manager to work.
config)# snmp-server user [user-name] [group name] v3 auth [md5|sha] [auth password] priv [des|3des|aes(#)]
[priv password] (access [acl#])
sh snmp user !!! doesn’t show in running config.
You can use the host command to identify the manager that will receive the traps/informs:
config)# snmp-server host [ip] [informs|traps] version [1|2|3] [noauth|auth|priv] [username] (trap-type)
20
Managing Switch Users
Authentication: Who is the user? Authorization: What is the user allowed to do? Accounting: What did the user do?
config)# username [name] (privilege [#]) ([password | secret] [pass]) !!! local backup, use as last resort.
config)# aaa new-model !!! to enable aaa.
TACACS+: Cisco proprietary, separates each AAA function. Encrypts entire packet, sent over TCP: 49.
RADIUS: Standard, combines authentication and authorization into a single resource. Uses UDP: 1812-3. Not totally encrypted, only
sends password in initial client ↔ server packet.
config)# [radius|tacacs]-server host [hostname | ip] (key [0|7] [string]) !!! define a server.
Group is formatted as group [ name | radius | tacacs+ ]. Either name with the aaa group server command, or use [radius] or
[tacacs+] to use all respective configured servers. Type “group” before each [radius or tacacs+] when defining a method list.
config)# aaa group server [radius | tacacs+] [group name] !!! group name containing list of servers.
config-sg)# server [ip] !!! define each server of the group type.
config-sg)# server-private [ip] key [key] !!! if using authentication.
A mix of methods can be used for authentication, must be defined by grouping the desired methods into a (sequential) method list.
If request is denied, connection is refused; if request times out, next option in method list is used. Max of four methods.
config)# aaa authentication login [default | list-name] (group) [method1] (method2/3) !!! list of methods:
group [tacacs+ | radius]: use all defined servers of that type.
local: uses local user database.
local-case: same as above, but case-sensitive.
line: line passwords.
none: no authorization, always succeeds.
config-line)# login authentication [ default | list-name ] !!! line config.
To configure authorization for types of commands, RADIUS cannot limit commands a user can execute, but TACACS+ is granular. The
aaa command is global to all lines, but authorization can also be configured per line as seen in the second command.
config)# aaa authorization [see list below] [default | list-name] (group) [method1] (method2/3) (ifauthenticated) !!! global.
config-line)# authorization [ commands (#) | exec | reverse-access ] [default | list-name] !!! per line.
commands (#): permission to use exec commands at set privilege level.
config-commands: permission to use any switch configuration command.
configuration: permission to enter the switch configuration mode.
exec: permission to enter the enable mode, will immediately put user in enable mode.
network: network-related services: ppp, slip, arap.
reverse-access: allows access to a reverse telnet session on the switch.
if-authenticated: if server does not respond to commands, they will be accepted if you’re authenticated.
To configure accounting:
config)# aaa accounting [system | exec | commands (#)] [default | list-name] [start-stop | stop-only | waitstart | none] (group) [method1] (method2/3)
config-line)# accounting [commands (#) | connection | exec] [default | list-name]
system: major events such as reloads.
exec: user authentication into an exec session, along with user’s address and time/duration.
commands (#): info about any commands running at a specific privilege level is recorded with username.
start-stop: events recorded when they start and stop.
stop-only: events recorded only when they stop.
Example:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
username backup privilege 15 secret 5 password
tacacs-server host 192.168.1.1 key 7 !&$#@&*(
line console 0
login authentication default
line vty 0 15
login authentication default
Pelirrojoo 7/21
21
Download