This post is a collection of other random information, config examples etc. that I’ve cobbled together in preparation for the SWITCH exam:
AAA TACACS+ config
switch# conf t
switch(config)# aaa new-model
switch(config)# tacacs-server host 10.10.10.150
switch(config)# tacacs-server key Str0ngK3y
switch(config)# aaa authentication login primary group tacacs+ local
switch(config)# line vty 0 4
switch(config-line)# login authentication primary
Note: "local" is listed after "group tacacs+" as a fallback method so that a locally configured username still works if the TACACS+ server is unreachable. Without it, a dead server locks you out of the VTY lines. The fallback is only used when the server does not respond, not when it rejects the login.
Syslog Message types:
There are eight different logging levels.
- 0—emergencies
- 1—alerts
- 2—critical
- 3—errors
- 4—warnings
- 5—notification
- 6—informational
- 7—debugging
IP SLA Phases
Control Phase –
- the SLA source sends a control message to the responder on UDP port 1967
- the responder opens the agreed port and sends an acknowledgement back to the source
Probing Phase – the source device begins sending test packets to the responder for the specified period, and stores the performance statistics in the MIB, where they can be read via SNMP
First Hop Redundancy Protocols
HSRP
- Cisco proprietary
- defined by RFC 2281
- supports authentication
- only one active router and one standby router, but can do load balancing by using different standby groups
- uses a virtual IP address that is not the same as one of the actual router IP’s
- HSRPv1 hello packets are sent to multicast address 224.0.0.2 on UDP port 1985 (HSRPv2 uses 224.0.0.102)
- active virtual MAC address is 0000.0c07.acxx – where xx is the group number in hex (group 10 = 0000.0c07.ac0a)
- default timers: Hello Time = 3 sec, Hold Time = 10 Sec
- by default a standby router will take over if a hello packet is not received for the duration of the Hold Time
- hello messages are only sent by routers in the Active, Standby or Speak states
- only routers in the Standby state monitor hello messages from the active router
VRRP
- standards based
- supports authentication
- one master router and one or more backup routers per group; load balancing is done by configuring multiple VRRP groups with a different master in each
- virtual IP address can be the same as the master router's real interface IP (that router is then the IP address owner and always has priority 255)
- virtual MAC address is 0000.5e00.01xx – where xx is the VRRP group ID (VRID) in hex
GLBP
- Cisco proprietary
- supports authentication
- load balances using multiple routers
- uses a virtual IP address that is not the same as one of the actual router IP’s
- a GLBP group can only have one active virtual gateway (AVG) but can have up to four active virtual forwarders (AVFs)
- AVG is the router with highest priority or if a tie then with highest IP address
- default load balancing method is per host, round-robin
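The hello format and virtual MAC rules listed above for HSRP and VRRP can be checked programmatically. The following is an added example, not from the original notes and not Cisco code: it derives HSRPv1 and VRRP virtual MACs from the group number, decodes an HSRPv1 hello payload using the layout in RFC 2281 section 5.1, and compares hellos seen on the wire against an inventory of legitimate gateways to flag a rogue router claiming the Active role. The `GROUPS` inventory, the addresses and the packets are assumptions constructed for the example.

```python
"""HSRPv1 hello decoder and rogue-gateway check.

Added example, not from the original notes or from Cisco.  The payload
layout follows RFC 2281 section 5.1; GROUPS, the addresses and the packets
are constructed for illustration.
"""
import struct
from ipaddress import IPv4Address

HSRP_V1_MCAST = "224.0.0.2"   # HSRPv2 uses 224.0.0.102
HSRP_UDP_PORT = 1985
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
HELLO_FMT = "!8B8s4s"  # version, opcode, state, hello, hold, priority, group, reserved, auth, vip

# Constructed inventory of legitimate gateways: group -> virtual IP, auth string,
# and the priority each real router is configured with.
GROUPS = {
    10: {"virtual_ip": "10.1.1.1", "auth": "cisco",
         "routers": {"10.1.1.2": 110, "10.1.1.3": 100}},
}


def hsrp_virtual_mac(group: int) -> str:
    """HSRPv1 virtual MAC 0000.0c07.acXX, where XX is the group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def vrrp_virtual_mac(vrid: int) -> str:
    """VRRP virtual MAC 0000.5e00.01XX, where XX is the VRID in hex."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"0000.5e00.01{vrid:02x}"


def build_hello(priority, group, virtual_ip, auth=b"cisco", state=16,
                hello=3, hold=10, opcode=0) -> bytes:
    """Construct a 20-byte HSRPv1 payload (defaults: Active, 3s/10s timers, auth 'cisco')."""
    return struct.pack(HELLO_FMT, 0, opcode, state, hello, hold, priority, group, 0,
                       auth.ljust(8, b"\x00"), IPv4Address(virtual_ip).packed)


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode an HSRPv1 UDP payload into its fields."""
    if len(payload) < struct.calcsize(HELLO_FMT):
        raise ValueError("HSRPv1 payload is 20 bytes")
    (version, opcode, state, hello, hold, priority, group, _rsvd,
     auth, vip) = struct.unpack(HELLO_FMT, payload[:20])
    if version != 0:
        raise ValueError(f"unsupported HSRP version field {version}")
    return {
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hello, "holdtime": hold, "priority": priority, "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(IPv4Address(vip)),
    }


def audit_hello(src_ip: str, payload: bytes, groups: dict = GROUPS) -> list:
    """Return a list of findings for one hello; an empty list means it looks legitimate."""
    h = parse_hsrp_v1(payload)
    cfg = groups.get(h["group"])
    if cfg is None:
        return [f"hello for unknown group {h['group']} from {src_ip}"]
    findings = []
    expected_prio = cfg["routers"].get(src_ip)
    if expected_prio is None:
        findings.append(f"unknown router {src_ip} speaking in group {h['group']}")
    elif h["priority"] != expected_prio:
        findings.append(f"{src_ip} advertises priority {h['priority']}, configured {expected_prio}")
    if h["auth"] != cfg["auth"]:
        findings.append("authentication string does not match the group's configured string")
    if h["virtual_ip"] != cfg["virtual_ip"]:
        findings.append(f"virtual IP {h['virtual_ip']} differs from configured {cfg['virtual_ip']}")
    # A router claiming Active with a priority above every real router will win the
    # election as soon as preemption applies or the real active router resigns.
    if h["state"] == "Active" and h["priority"] > max(cfg["routers"].values()):
        findings.append(f"Active claim with priority {h['priority']} above any "
                        f"legitimate router: possible takeover")
    return findings


if __name__ == "__main__":
    legit = build_hello(110, 10, "10.1.1.1")
    rogue = build_hello(255, 10, "10.1.1.1")
    print(hsrp_virtual_mac(10), vrrp_virtual_mac(1))
    print("legit:", audit_hello("10.1.1.2", legit))
    print("rogue:", audit_hello("10.1.1.99", rogue))
```

The rogue hello in the demo passes the authentication check because it carries the default string "cisco"; plaintext HSRP authentication only catches misconfiguration, not an attacker who has sniffed a single hello, which is why the check keys on the source address inventory and the priority rather than on the auth field alone.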
Port Security
Config example – configure ports fa0/1 and fa0/2 to shut down if more than 2 MAC addresses are learnt (port security is rejected on a dynamic/DTP port, so set a static access mode first):
switch(config)# interface range fa0/1 - 2
switch(config-if-range)# switchport mode access
switch(config-if-range)# switchport port-security
switch(config-if-range)# switchport port-security maximum 2
Violation Actions –
switch(config-if-range)# switchport port-security violation {restrict | protect | shutdown}
Protect – discards traffic from the offending host, no notification at all
Restrict – discards traffic from the offending host, increments the Security Violation counter, sends an SNMP trap and a syslog message
Shutdown – err-disables the port (default action), sends an SNMP trap and a syslog message and increments the counter; the port stays down until re-enabled manually (shutdown / no shutdown) or by errdisable recovery
Rapid Spanning Tree (802.1w) Port Roles
- alternate – an alternative path to the root bridge; takes over immediately if the root port fails (discarding)
- backup – a redundant connection to a segment this switch already has a designated port on, so it never forwards while the designated port is up (discarding)
- designated – the one port per segment that forwards frames from that segment towards the root bridge (forwarding)
- root – the one port per non-root switch with the lowest path cost to the root bridge (forwarding)
Default Spanning Tree Timers
- hello – 2s
- max age – 20s
- forward delay – 15s
Etherchannel
LACP –
- standards based (IEEE 802.3ad, since moved to 802.1AX)
- modes: on, active, passive
PAgP –
- Cisco proprietary
- modes On, Auto, Desirable
QoS 802.1D Traffic Types
- Priority 7 – Network Control
- Priority 6 – Interactive Voice
- Priority 5 – Interactive Video
- Priority 4 – Controlled Load (Streaming video and multimedia)
- Priority 3 – Excellent Effort (loss sensitive, but not time sensitive)
- Priority 0 – Best effort (typical data traffic, the default)
- Priority 2 – spare, not assigned a traffic type in 802.1D-1998
- Priority 1 – Background (bulk traffic, lowest)
VLAN Trunking Encapsulation Types (not to be confused with VTP, which distributes the VLAN database)
ISL:
- Cisco proprietary
- encapsulates the entire original frame by adding a 26 byte ISL header and a 4 byte trailer (CRC), 30 bytes in total
- max frame size = 1548 bytes (max ethernet frame 1518 + 30 bytes)
802.1Q:
- IEEE standard
- inserts a 4 byte tag (TPID 0x8100, then 3 bit priority, 1 bit DEI/CFI, 12 bit VLAN ID) into the original ethernet header after the source MAC, and recalculates the FCS
- max frame size = 1522 bytes (1518 + 4)
- native VLAN frames are sent untagged
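The tag layout above and the 802.1D priority values from the QoS section can be exercised with a small frame parser. This is an added example, not from the original notes: it builds Ethernet frames with and without an 802.1Q tag, decodes the TPID/PCP/DEI/VID fields, maps the priority bits to the 802.1D-1998 Annex H traffic type, and checks the frame against the 1518/1522 byte maxima. The MAC addresses and payloads are constructed, and the 4-byte FCS is a zero placeholder rather than a computed CRC so that the length arithmetic matches the figures in the notes.

```python
"""802.1Q tag parser with 802.1D priority mapping and frame-size check.

Added example, not from the original notes.  Frames are constructed inline;
the FCS is a zero placeholder (not a real CRC) so the length maths matches
the 1518/1522 byte maxima, which include the 4-byte FCS.
"""
import struct

TPID_8021Q = 0x8100
MAX_UNTAGGED = 1518   # 14 byte header + 1500 byte payload + 4 byte FCS
MAX_TAGGED = 1522     # one 4 byte 802.1Q tag added

# user_priority -> traffic type, IEEE 802.1D-1998 Annex H (2 is spare, 0 is the
# default, 1 sits below it).
PCP_TRAFFIC_TYPE = {
    7: "Network Control", 6: "Voice", 5: "Video", 4: "Controlled Load",
    3: "Excellent Effort", 2: "(spare)", 0: "Best Effort", 1: "Background",
}


def mac_str(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes, vlan=None, pcp=0, dei=0,
                ethertype=0x0800) -> bytes:
    """Construct an Ethernet frame, tagged when vlan is given.  FCS is 4 zero bytes."""
    head = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | (vlan & 0xFFF)
        head += struct.pack("!HH", TPID_8021Q, tci)
    return head + struct.pack("!H", ethertype) + payload + b"\x00\x00\x00\x00"


def parse_frame(frame: bytes) -> dict:
    """Decode the header and, if present, the 802.1Q tag; flag oversize frames."""
    if len(frame) < 18:
        raise ValueError("truncated frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src), "tagged": False,
            "vlan": None, "pcp": None, "dei": None, "traffic_type": None,
            "priority_tag_only": False, "reserved_vid": False}
    offset = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        info.update(tagged=True, vlan=vid, pcp=pcp, dei=dei,
                    traffic_type=PCP_TRAFFIC_TYPE[pcp])
        # VID 0 is a priority tag only (what 'switchport voice vlan dot1p' asks a
        # phone to send); 4095 is reserved and should never appear on the wire.
        info["priority_tag_only"] = vid == 0
        info["reserved_vid"] = vid == 4095
        offset = 18
    info["ethertype"] = ethertype
    info["payload_len"] = len(frame) - offset - 4   # strip header and FCS
    limit = MAX_TAGGED if info["tagged"] else MAX_UNTAGGED
    info["oversize"] = len(frame) > limit
    return info


if __name__ == "__main__":
    f = build_frame("0011.2233.4455", "0066.7788.99aa", b"\x00" * 46, vlan=10, pcp=5)
    print(parse_frame(f))
    print(parse_frame(build_frame("0011.2233.4455", "0066.7788.99aa", b"\x00" * 1501, vlan=10)))
```

A switch that treats a tagged 1522 byte frame as a giant is the classic symptom of a device that only knows the 1518 byte limit, which is why the size check is keyed on whether a tag is present.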
Voice VLANs
- disabled by default
- 802.1X can be configured on a voice VLAN port
- Spanning Tree Portfast is enabled by default when a port is configured for voice VLAN
- to properly support Cisco IP phones CDP should be enabled on ports connecting to phones (it is by default)
- use the command switchport voice vlan dot1p to tell the phone to send voice frames on VLAN 0 (a priority-only tag) with an 802.1p priority, so voice and data are prioritised separately without creating a dedicated voice VLAN
Access Control Lists
- PACL’s – filter inbound traffic on layer 2 ports. will filter all VLAN traffic on a trunk link if applied to a trunk port
- RACL’s – filter traffic on a layer 3 interface, cannot be applied to layer 2 traffic
- VACL’s – filter traffic across a whole VLAN, not individual interfaces
example VACL config – drops traffic from 10.10.10.0/24 (matched by ACL 10) in VLAN 10 and forwards all other traffic
create ACL to match interesting traffic:
Switch(config)# ip access-list standard 10
Switch(config-std-nacl)# permit 10.10.10.0 0.0.0.255
Switch(config-std-nacl)# exit
define an access map that uses the ACL above, then apply it to the VLAN:
Switch(config)# vlan access-map Drop10 10
Switch(config-access-map)# match ip address 10
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map Drop10 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter Drop10 vlan-list 10
Note: sequence 20 has no match clause so it matches everything left over. It is required because a VACL has an implicit deny at the end; without it, all traffic in VLAN 10 that ACL 10 did not match would also be dropped.
Private VLAN’s
Only significant on one switch, and not acknowledged by VTP, so each PVLAN must be configured on every switch that connects them.
- Primary – can communicate with any secondary VLAN
- Secondary – isolated: hosts can communicate with the primary (promiscuous ports) only, not with each other; community: hosts can communicate with the primary and with other hosts in the same community VLAN, but not with other secondary VLANs
- Promiscuous Port – can communicate with any interface in the PVLAN, connect a gateway device to this type of port
- Host Port – connect only hosts to these ports
802.1X
switch# conf t
switch(config)# aaa new-model
switch(config)# aaa authentication dot1x default group radius
(a RADIUS server must also be defined with radius-server host; 802.1X uses RADIUS, not TACACS+, to carry EAP)
enable 802.1X authentication globally:
switch(config)# dot1x system-auth-control
enable 802.1X authentication on a single interface (the port must be a static access port and act as the authenticator):
switch(config)# interface fa0/1
switch(config-if)# switchport mode access
switch(config-if)# dot1x pae authenticator
switch(config-if)# authentication port-control {auto | force-authorized | force-unauthorized}
configure the port to allow traffic from multiple hosts (once the first host authenticates, every other host on the port is allowed without authenticating, so only use this behind a device you trust):
switch(config-if)# authentication host-mode multi-host
restore the interface's original 802.1X parameters:
switch(config-if)# dot1x default
Dynamic ARP Inspection
- prevents ARP spoofing/poisoning man-in-the-middle attacks
- intercepts, logs and discards ARP packets that have invalid MAC/IP bindings
- legitimate MAC/IP bindings come from the DHCP snooping binding database (or static ARP ACLs for hosts with fixed addresses), so DHCP snooping must be enabled first for dynamically addressed hosts
- when DAI is enabled for a VLAN, all ports are untrusted by default. ARP packets arriving on untrusted ports are validated against the bindings and dropped if the sender MAC/IP does not match; ARP packets on trusted ports are forwarded without inspection
mark the uplink to another DAI-enabled switch as trusted (never a host port):
switch(config)# interface gi0/1
switch(config-if)# ip arp inspection trust
enable DAI for VLANs 10, 11, 12, 13 and 14:
switch(config)# ip arp inspection vlan 10-14
Protecting Spanning Tree
- Loop Guard – prevents a non-designated port from transitioning to the forwarding state when it stops receiving BPDUs (for example over a unidirectional link). The port is placed in the "loop inconsistent" (blocking) state until BPDUs are received again.
- Root Guard – applied on a per port basis, prevents a newly introduced switch on that port from being elected root. The port transitions to the "root inconsistent" state if it receives a superior BPDU and recovers automatically when the superior BPDUs stop.
- BPDU Guard – err-disables ports that receive BPDUs when they shouldn't. applied to edge ports that have PortFast enabled
PPDIOO (example steps)
- Prepare – implementation requirements are determined
- Plan – current infrastructure is examined
- Design – detailed implementation plan is created
- Implement – a pre-defined test plan is implemented
- Operate – routine maintenance is performed
Cisco Hierarchical Design functions for VLAN’s
- Access Layer – protocol filtering, basic QoS
- Distribution Layer – VLAN routing, VLAN Security
- Core Layer – redundancy for HA, advanced QoS
IP Source Guard
- prevents IP address spoofing (and MAC spoofing too with ip verify source port-security) on untrusted layer 2 access ports. DHCP spoofing itself is stopped by DHCP snooping, which IP source guard builds on
- permits only DHCP packets allowed by DHCP snooping and IP traffic whose source matches an entry in the IP source binding table (DHCP snooping bindings or static ip source binding entries); all other IP traffic on the port is dropped
- enable DHCP snooping or configure static IP source bindings before enabling IP source guard, otherwise the binding table is empty and all IP traffic on the port is dropped
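The checks described in the Dynamic ARP Inspection and IP Source Guard sections both key off the same DHCP snooping binding table, so one simulation covers both. This is an added example, not from the original notes and not Cisco code: it parses raw ARP packets, decides whether DAI would forward them given trusted/untrusted ports and the src-mac validation option, and applies the IP Source Guard filter to IP packets, including the "empty binding table drops everything" failure mode. The binding table, port names, MAC addresses and packets are all constructed for the example.

```python
"""DAI and IP Source Guard checks against a DHCP snooping binding table.

Added example, not from the original notes or from Cisco.  The binding
table, port names, MACs and packets are constructed; the logic mirrors the
checks the notes describe (untrusted ports validated against bindings,
trusted ports bypassed, DHCP allowed so a host can obtain a binding).
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


# Constructed binding table (what 'show ip dhcp snooping binding' would list).
BINDINGS = [
    Binding("0011.2233.4455", "10.10.10.20", 10, "Fa0/5"),
    Binding("0011.2233.4466", "10.10.10.21", 10, "Fa0/6"),
]
TRUSTED_PORTS = {"Gi0/1"}   # uplink configured with 'ip arp inspection trust'
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_str(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", ""))


def build_arp(op: int, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct a 28-byte IPv4-over-Ethernet ARP packet (op 1 = request, 2 = reply)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)


def parse_arp(packet: bytes) -> dict:
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa))}


def has_binding(mac, ip, vlan, port=None, bindings=BINDINGS) -> bool:
    return any(b.mac == mac and b.ip == ip and b.vlan == vlan
               and (port is None or b.port == port) for b in bindings)


def dai_inspect(port, vlan, eth_src, arp_packet, validate_src_mac=True,
                bindings=BINDINGS, trusted=TRUSTED_PORTS) -> tuple:
    """Decide whether DAI forwards an ARP packet.  Returns (forward, reason)."""
    if port in trusted:
        return True, "trusted port: not inspected"
    arp = parse_arp(arp_packet)
    # 'ip arp inspection validate src-mac': Ethernet source must equal the ARP sender MAC
    if validate_src_mac and eth_src != arp["sender_mac"]:
        return False, f"ethernet src {eth_src} != ARP sender {arp['sender_mac']}: dropped"
    # sender MAC/IP must exist in the binding table for this VLAN
    if not has_binding(arp["sender_mac"], arp["sender_ip"], vlan, bindings=bindings):
        return False, (f"no binding for {arp['sender_mac']}/{arp['sender_ip']} "
                       f"in VLAN {vlan}: dropped and logged")
    return True, "sender MAC/IP matches a binding"


def ip_source_guard(port, vlan, eth_src, src_ip, udp_dst=None, port_security=False,
                    bindings=BINDINGS) -> tuple:
    """Decide whether IP Source Guard forwards an IP packet on an untrusted access port."""
    if udp_dst in (67, 68):
        return True, "DHCP allowed so the host can obtain a lease (and a binding)"
    if port_security:   # 'ip verify source port-security': check source IP and MAC
        ok = has_binding(eth_src, src_ip, vlan, port, bindings)
    else:               # 'ip verify source': check source IP against this port's bindings
        ok = any(b.ip == src_ip and b.vlan == vlan and b.port == port for b in bindings)
    if ok:
        return True, "source matches a binding on this port"
    return False, f"no binding for {src_ip} on {port}: dropped"


if __name__ == "__main__":
    spoof = build_arp(2, "00de.adbe.ef00", "10.10.10.1", "0011.2233.4455", "10.10.10.20")
    print(dai_inspect("Fa0/7", 10, "00de.adbe.ef00", spoof))
    print(ip_source_guard("Fa0/5", 10, "0011.2233.4455", "10.10.10.99"))
```

The last assertion in the demo's companion checks is the one to remember: with an empty binding table every non-DHCP packet is dropped, which is exactly the lock-out the notes warn about when IP source guard is enabled before DHCP snooping has populated any bindings.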
SNMP Version 3 features
- encryption
- authentication (user names)
- message integrity
- requires IOS 12.0 or later
High Availability components
- Network level – backup switches, redundant links with STP
- System Level – redundant power supplies, Stack Wise technology
- Management and Monitoring