CCNP SWITCH Study Notes – Random Extras

switch# conf t

switch# (config) aaa new-model

switch(config)# tacacs-server host 10.10.10.150

switch(config)# tacacs-server key Str0ngK3y

switch(config)# aaa authentication login primary group tacacs+

switch(config)# line vty 0 4

switch(config)# login authentication primary

Control Phase –  establishes time, protocol and port numbers to be used during the probing phase.

• SLA source sends a control message on UDP port 1967 to the responder
• Responder opens agreed port and  sends acknowledgement back to the source

Probing Phase – the source device begins sending test packets to the responder for a specified period, and the source device stores the performance statistics in the MIB that can be accessed by SNMP

 

First Hop Redundancy Protocols

HSRP

• Cisco proprietary
• defined by RFC 2281
• supports authentication
• only one active router and one standby router, but can do load balancing by using different standby groups
• uses a virtual IP address that is not the same as one of the actual router IP’s
• hello packets sent are sent to multicast address 224.0.0.2 on UDP 1985
• active virtual MAC address is 0000.0c07.acxx – where xx is the group number
• default timers: Hello Time = 3 sec, Hold Time = 10 Sec
• by default a standby router will take over if a hello packet is not received for the duration of the Hold Time
• hello messages are only sent by routers in the Active, Standby or Speak states
• only routers in the Standby state monitor hello messages from the active router

VRRP

• standards based
• supports authentication
• only one active router, can do load balancing by using standby groups
• virtual IP address that can be the same as the actual master router’s IP
• one master and multiple back up routers
• virtual MAC address is 0000.5e00.01xx – where xx is the group number

GLBP

• Cisco proprietary
• supports authentication
• load balances using multiple routers
• uses a virtual IP address that is not the same as one of the actual router IP’s
• a GLBP group can only have one active virtual gateway (AVG’s) but can have multiple active virtual forwarders (AVF’s)
• AVG is the router with highest priority or if a tie then with highest IP address
• default load balancing method is per host, round-robin

 

Port Security

Config example – configure ports fa0/1 and fa0/2 to shut down if more than 2 mac addresses are learnt:

switch#(config) interface range fa0/1-2

switch#(config-if-range)#switchport port-security

switch#(config-if-range)#switchport port-security maximum 2

Violation Actions –

switch#(config-if-range)#switchport port-security violation {restrict | protect | shutdown}

Restrict – discards traffic from illegal host, increments Security Violation counter, send SNMP trap

Protect – discards traffic from illegal host

Shutdown – err-disables the port (default action), generates syslog message

 

 

Rapid Spanning Tree (802.1w) Port Roles

• alternate – failover port for non-designated devices (discarding)
• backup – redundant link that does not forward packets (discarding)
• designated – receives frames sent to root (forwarding)
• root – lowest path cost to root bridge (forwarding)

Default Spanning Tree Timers

• hello – 2s
• max age – 20s
• forward delay – 15s

Etherchannel

LACP – 

• standards based (802.3d)
• modes On, Active or PAssive

PAgP – 

• Cisco proprietary
• modes On, Auto, Desirable

QoS 802.1D Traffic Types

• Priority 7 – Network Control
• Priority 6 –  Interactive Voice
• Priority 5 – Interactive Video
• Priority 4 – Controlled Load (Streaming video and multimedia)
• Priority 3 – Excellent Effort  (loss sensitive, but not time sensitive)
• Priority 2 – Best effort (typical data traffic)
• Priority 0 – Background (bulk traffic)

 

 

 

VLAN Trunking Protocol Encapsulation Types

ISL:

• Cisco
• encapsulates the entire frame by adding a 30 byte ISL header and trailer
• max frame size = 1548 bytes (max ethernet frame 1518 + 30 bytes)

• IEEE standard
•  adds a 4 byte header to the orignal ethernet header
• max frame size = 1522

 

 

Voice VLANs

• disabled by default
• 802.1X can be configured on a voice VLAN port
• Spanning Tree Portfast is enabled by default when a port is configured for voice VLAN
• to properly support Cisco IP phones CDP should be enabled on ports connecting to phones (it is by default)
• use command switchport voice vlan dot1p to configure a switch port so that voice and data traffic are separated but do not require a unique voice VLAN to be created

 

 

Access Control Lists

• PACL’s – filter inbound traffic on layer 2 ports.  will filter all VLAN traffic on a trunk link if applied to a trunk port
• RACL’s – filter traffic on a layer 3 interface, cannot be applied to layer 2 traffic
• VACL’s – filter traffic across a whole VLAN, not individual interfaces

 

example VACL config – drops traffic matching ACL 10 and forwards all other traffic

create ACL to match interesting traffic:

Switch(config)#ip access-list standard 10

Switch(config-std-nacl)#permit 10.10.10.0 0.0.0.255

Switch(config-std-nacl)#exit

define an access map that uses the ACL above

Switch(config)# vlan access-map Drop10 10
Switch(config-access-map)# match ip address 10
Switch(config-access-map)# action drop
!
Switch(config-access-map)# vlan access-map Drop10 20
Switch(config-access-map)# action forward
!
Switch(config)# vlan filter Drop10 vlan-list 10

Private VLAN’s

Only significant on one switch, and not acknowledged by VTP, so each PVLAN must be configured on every switch that connects them.

• Primary – can communicate with any secondary VLAN
• Secondary – can communicate with primary only (Isolated) or with the primary and specific secondary VLANS (community)
• Promiscuous Port – can communicate with any interface in the PVLAN, connect a gateway device to this type of port
• Host Port – connect only hosts to these ports

802.1X

switch# conf t

switch# (config) aaa new-model

enable 802.1X authentication globally:

switch(config)# dot1x system-auth-control

restore original 802.1X parameters:

switch(config)# dot1x default

enable 802.1X authentication on a single interface:

switch(config)# authentication port-control {auto | force-authorized | force unauthorized}

configure a port to allow traffic from multiple hosts:

switch(config)# authentication host-mode multi-host

Dynamic ARP Inspection

• prevents man-in-the-middle attacks
• intercepts, logs and discards ARP packets that have invalid MAC/IP bindings
• legitimate MAC/IP bindings are stored in a trusted database
• when DAI is enabled on a switch ports are untrusted by default, and ARP replies sent from untrusted ports are dropped

manually configure trusted ports, such as ports connecting to another switch:

switch(config)# ip arp inspection trust

enable DAI for VLAN’s 10,11,12,13 and 14:

switch(config)# ip arp inspection vlan 10-14

Protecting Spanning Tree

• Loop Guard – places inconsistent ports in the blocking state.  prevents a switch port from transitioning to a forwarding state when it stops receiving BPDU’s.   A port protected by loop guard will be put in the “loop inconsistent” state if it stops receiving BPDU’s.
• Root Guard – prevents newly introduced switches being elected the root.  is applied on a per port basis.  ports transition to “root inconsistent” state if it receives a superior BPDU
• BPDU Guard – disables ports that receive BPDU’s when they shouldn’t.  applied to edge ports that have PortFast enabled

 

PPDIOO (example steps)

• Prepare – implementation requirements are determined
• Plan – current infrastructure is examined
• Design – detailed implementation plan is created
• Implement – a pre-defined test plan is implemented
• Operate – routine maintenance is performed

 

 

Cisco Hierarchical Design functions for VLAN’s

• Access Layer – protocol filtering, basic QoS
• Distribution Layer – VLAN routing, VLAN Security
• Core Layer – redundancy for HA, advanced QoS

 

 

IP Source Guard

• designed to prevent DHCP spoofing attacks
• prevents all IP traffic except for DHCP packets allowed by DHCP snooping or traffic that matches entries in the IP source binding table
• enable static IP bindings or DHCP snooping before IP source guard can be used, otherwise all traffic will be dropped

 

 

SNMP Version 3 features

• encryption
• authentication (user names)
• message integrity
• requires IOS 12.0 or later

 

 

High Availability components

• Network level – backup switches, redundant links with STP
• System Level – redundant power supplies, Stack Wise technology
• Management and Monitoring