CCNP SWITCH Study Notes – Random Extras

By | March 13, 2012

This post is a collection of other random information, config examples etc. that I’ve cobbled together in preparation for the SWITCH exam:

AAA TACACS+ config

enable AAA globally on the switch

switch# conf t
switch(config)# aaa new-model

configure the switch with the IP of the TACACS+ server

switch(config)# tacacs-server host 10.10.10.150

configure the shared key used to encrypt traffic between the switch and the TACACS+ server

switch(config)# tacacs-server key Str0ngK3y

create an authentication list named “primary” that uses the TACACS+ server for authentication

switch(config)# aaa authentication login primary group tacacs+

apply the authentication list to the vty connections

switch(config)# line vty 0 4
switch(config-line)# login authentication primary
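
The same setup with the additions a production switch needs, added here as an example and not from the original notes: a local fallback account so that an unreachable TACACS+ server cannot lock administrators out, the list applied to the console as well, and exec authorization and command accounting through the same server. The local username and password are assumptions; the server address and key are the ones used above.

```cisco
! Added example: local account is assumed; server and key as in the notes
username admin privilege 15 secret L0cal-Fallb4ck
aaa new-model
!
tacacs-server host 10.10.10.150
tacacs-server key Str0ngK3y
!
! "local" is consulted only when no TACACS+ server answers (error),
! not when the server rejects the credentials (fail)
aaa authentication login primary group tacacs+ local
aaa authorization exec default group tacacs+ local
! record every privilege-15 command on the TACACS+ server
aaa accounting commands 15 default start-stop group tacacs+
!
! apply the same list to console and vty so there is no unprotected path
line console 0
 login authentication primary
line vty 0 4
 login authentication primary
```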

Syslog Message types:

There are eight different logging levels.

  • 0—emergencies
  • 1—alerts
  • 2—critical
  • 3—errors
  • 4—warnings
  • 5—notification
  • 6—informational
  • 7—debugging
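
An added example (not from the original notes) of how the eight levels are used: each logging destination is given the highest level number it should keep, and every lower (more severe) level is included with it. The collector address and source interface are assumptions.

```cisco
! Added example: collector address and source interface are assumed
! timestamp every message so events can be correlated with the collector
service timestamps log datetime msec localtime show-timezone
! local buffer keeps warnings (4) and everything more severe (0-3)
logging buffered 65536 warnings
! collector receives informational (6) and below; debugging (7) is excluded
logging host 10.10.10.200
logging trap informational
! console only shows critical (2), alerts (1) and emergencies (0)
logging console critical
! stamp exported messages with the management SVI address, not the egress port
logging source-interface Vlan10
```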

IP SLA Phases

Control Phase – establishes the time, protocol and port numbers to be used during the probing phase.
  • SLA source sends a control message on UDP port 1967 to the responder
  • Responder opens the agreed port and sends an acknowledgement back to the source

Probing Phase – the source device sends test packets to the responder for a specified period and stores the resulting performance statistics in a MIB that can be read via SNMP
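
Both sides of the exchange above, as an added example that is not part of the original notes: the responder answers the control message on UDP 1967, and the source schedules a UDP jitter probe whose statistics populate the SLA MIB. Addresses, operation number, port and timers are assumptions.

```cisco
! Added example: addresses, operation number, port and timers assumed
!
! --- Responder (10.10.10.150) ---
! listens for control messages on UDP 1967 and opens the requested port
! for the duration of each probe
ip sla responder
!
! --- Source switch ---
! operation 1: 20 UDP packets to port 16384 on the responder every 60 s
ip sla 1
 udp-jitter 10.10.10.150 16384 source-ip 10.10.10.2 num-packets 20
 frequency 60
 tag Probe-to-core
! run it continuously from now
ip sla schedule 1 life forever start-time now
!
! Exec checks (not config):
!   show ip sla statistics 1
!   show ip sla responder
```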

First Hop Redundancy Protocols

HSRP

  • Cisco proprietary
  • defined by RFC 2281
  • supports authentication
  • only one active router and one standby router, but can do load balancing by using different standby groups
  • uses a virtual IP address that is not the same as one of the actual router IP’s
  • hello packets are sent to multicast address 224.0.0.2 on UDP port 1985
  • active virtual MAC address is 0000.0c07.acxx – where xx is the group number
  • default timers: Hello Time = 3 sec, Hold Time = 10 sec
  • by default a standby router will take over if a hello packet is not received for the duration of the Hold Time
  • hello messages are only sent by routers in the Active, Standby or Speak states
  • only routers in the Standby state monitor hello messages from the active router

VRRP

  • standards based
  • supports authentication
  • only one master router per group, but can do load balancing by using multiple groups
  • virtual IP address can be the same as the actual master router’s IP
  • one master and multiple backup routers
  • virtual MAC address is 0000.5e00.01xx – where xx is the group number

GLBP

  • Cisco proprietary
  • supports authentication
  • load balances using multiple routers
  • uses a virtual IP address that is not the same as one of the actual router IP’s
  • a GLBP group can only have one active virtual gateway (AVG) but can have multiple active virtual forwarders (AVFs)
  • the AVG is the router with the highest priority, or, if tied, the highest IP address
  • default load balancing method is round-robin (per host)
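
An HSRP pair with the authentication the notes mention, added as an example and not from the original notes: two switches share one virtual address, the preferred router carries a higher priority and tracks its uplink, and MD5 authentication keeps a device without the key from joining the group. Addresses and interfaces are assumptions; HSRP version 1 is assumed so that the multicast address and virtual MAC above apply.

```cisco
! Added example: addresses and interfaces assumed. HSRP version 1, as in the
! notes: hellos to 224.0.0.2/UDP 1985, virtual MAC 0000.0c07.ac01 for group 1
!
! --- Switch A: intended active router ---
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby 1 ip 10.10.10.1
! 110 beats the default 100 on Switch B
 standby 1 priority 110
! reclaim the active role after recovery, but wait 30 s for routing to settle
 standby 1 preempt delay minimum 30
! hello 1 s / hold 3 s instead of 3/10: faster failover, must match on both sides
 standby 1 timers 1 3
! MD5 authentication: a device without the key cannot join the group and
! take over by advertising a higher priority
 standby 1 authentication md5 key-string Hsrp-S3cret
! if the uplink fails, drop priority by 20 (to 90) so Switch B preempts
 standby 1 track GigabitEthernet0/1 20
!
! --- Switch B: standby router, default priority 100 ---
interface Vlan10
 ip address 10.10.10.3 255.255.255.0
 standby 1 ip 10.10.10.1
 standby 1 preempt
 standby 1 timers 1 3
 standby 1 authentication md5 key-string Hsrp-S3cret
!
! Exec check (not config): show standby brief
```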

Port Security

Config example – configure ports fa0/1 and fa0/2 to shut down if more than 2 MAC addresses are learnt (the ports must be static access ports; port security is rejected on dynamic ports):

switch(config)# interface range fa0/1 - 2
switch(config-if-range)# switchport mode access
switch(config-if-range)# switchport port-security
switch(config-if-range)# switchport port-security maximum 2

Violation Actions –

switch(config-if-range)# switchport port-security violation {restrict | protect | shutdown}

Restrict – discards traffic from the illegal host, increments the Security Violation counter and sends an SNMP trap

Protect – discards traffic from the illegal host without any notification

Shutdown – err-disables the port (default action) and generates a syslog message
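
An added example, not from the original notes, extending the port-security config above with sticky learning, the restrict action and automatic err-disable recovery; interfaces and VLAN are assumptions.

```cisco
! Added example: interfaces and VLAN assumed
interface range FastEthernet0/1 - 2
! port security is rejected on dynamic ports; make them static access ports
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
! sticky: the first two MACs learnt are written into the running config as
! static secure entries and survive a reload once the config is saved
 switchport port-security mac-address sticky
! restrict: a third MAC is dropped, counted and trapped, but the port stays up
 switchport port-security violation restrict
!
! For ports that keep the default shutdown action, recover err-disabled
! ports automatically after 5 minutes instead of a manual shut / no shut
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Exec checks (not config): show port-security interface FastEthernet0/1
!                           show port-security address
```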

Rapid Spanning Tree (802.1w) Port Roles

  • alternate – failover port for non-designated devices (discarding)
  • backup – redundant link that does not forward packets (discarding)
  • designated – receives frames sent to root (forwarding)
  • root – lowest path cost to root bridge (forwarding)

Default Spanning Tree Timers

  • hello – 2s
  • max age – 20s
  • forward delay – 15s

Etherchannel

LACP –

  • standards based (802.3ad)
  • modes: on, active, passive

PAgP –

  • Cisco proprietary
  • modes: on, auto, desirable

QoS 802.1D Traffic Types

  • Priority 7 – Network Control
  • Priority 6 – Interactive Voice
  • Priority 5 – Interactive Video
  • Priority 4 – Controlled Load (streaming video and multimedia)
  • Priority 3 – Excellent Effort (loss sensitive, but not time sensitive)
  • Priority 2 – Best Effort (typical data traffic)
  • Priority 0 – Background (bulk traffic)

VLAN Trunking Protocol Encapsulation Types

ISL:

  • Cisco proprietary
  • encapsulates the entire frame by adding a 30-byte ISL header and trailer
  • max frame size = 1548 bytes (max ethernet frame 1518 + 30 bytes)

802.1Q:

  • IEEE standard
  • inserts a 4-byte tag into the original ethernet header
  • max frame size = 1522 bytes

Voice VLANs

  • disabled by default
  • 802.1X can be configured on a voice VLAN port
  • Spanning Tree Portfast is enabled by default when a port is configured for voice VLAN
  • to properly support Cisco IP phones CDP should be enabled on ports connecting to phones (it is by default)
  • use the command switchport voice vlan dot1p to configure a switch port so that voice and data traffic are separated (voice frames carry an 802.1p priority but no separate VLAN ID) without requiring a unique voice VLAN to be created

Access Control Lists

  • PACLs – filter inbound traffic on layer 2 ports; applied to a trunk port, they filter the traffic of every VLAN on that trunk
  • RACLs – filter traffic on a layer 3 interface; cannot be applied to layer 2 traffic
  • VACLs – filter traffic across a whole VLAN rather than on individual interfaces

example VACL config – drops traffic matching ACL 10 and forwards all other traffic

create ACL to match interesting traffic:

Switch(config)# ip access-list standard 10
Switch(config-std-nacl)# permit 10.10.10.0 0.0.0.255
Switch(config-std-nacl)# exit

define an access map that uses the ACL above (sequence 10 drops matches, sequence 20 forwards everything else)

Switch(config)# vlan access-map Drop10 10
Switch(config-access-map)# match ip address 10
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map Drop10 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter Drop10 vlan-list 10


Private VLANs

PVLANs are only significant on one switch and are not propagated by VTP, so each PVLAN must be configured on every switch that connects to it.

  • Primary – can communicate with any secondary VLAN
  • Secondary – can communicate with the primary only (isolated) or with the primary and specific secondary VLANs (community)
  • Promiscuous Port – can communicate with any interface in the PVLAN; connect a gateway device to this type of port
  • Host Port – connect only hosts to these ports

802.1X

enable AAA globally on the switch

switch# conf t
switch(config)# aaa new-model

enable 802.1X authentication globally:

switch(config)# dot1x system-auth-control

restore the original 802.1X parameters:

switch(config)# dot1x default

enable 802.1X authentication on a single interface:

switch(config)# interface fa0/1
switch(config-if)# authentication port-control {auto | force-authorized | force-unauthorized}

configure the port to allow traffic from multiple hosts:

switch(config-if)# authentication host-mode multi-host
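
A complete port configuration that the commands above depend on, added as an example and not from the original notes: 802.1X needs a RADIUS server and a dot1x method list before authentication port-control auto does anything. The server address, key, VLAN and interface are assumptions.

```cisco
! Added example: RADIUS server, key, VLAN and interface are assumed
aaa new-model
radius-server host 10.10.10.151 auth-port 1812 acct-port 1813 key R4diusK3y
! without this method list the switch has no way to authenticate supplicants
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/3
! must be a static access port; 802.1X is not supported on dynamic or trunk ports
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
! auto: port starts unauthorized and passes only EAPOL until the supplicant succeeds
 authentication port-control auto
! one host per port; multi-host would let any device through once the first succeeds
 authentication host-mode single-host
!
! Exec check (not config): show dot1x interface FastEthernet0/3 details
```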

Dynamic ARP Inspection

  • helps prevent ARP-spoofing man-in-the-middle attacks
  • intercepts, logs and discards ARP packets that have invalid MAC/IP bindings
  • legitimate MAC/IP bindings are stored in a trusted database (the DHCP snooping binding table)
  • when DAI is enabled on a switch, ports are untrusted by default; ARP packets from untrusted ports are inspected and those with invalid bindings are dropped, while ARP packets from trusted ports are not inspected

manually configure trusted ports, such as ports connecting to another switch:

switch(config)# interface gi0/1
switch(config-if)# ip arp inspection trust

enable DAI for VLANs 10, 11, 12, 13 and 14:

switch(config)# ip arp inspection vlan 10-14


Protecting Spanning Tree

  • Loop Guard – prevents a non-designated port from transitioning to the forwarding state when it stops receiving BPDUs; a port protected by loop guard is put into the “loop inconsistent” (blocking) state if BPDUs stop arriving
  • Root Guard – prevents a newly introduced switch from being elected root; applied on a per-port basis, the port transitions to the “root inconsistent” state if it receives a superior BPDU
  • BPDU Guard – err-disables ports that receive BPDUs when they shouldn’t; applied to edge ports that have PortFast enabled
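
The three guards applied where each belongs, as an added example that is not from the original notes; interfaces are assumptions.

```cisco
! Added example: interfaces assumed
!
! Edge ports: PortFast on all access ports and BPDU Guard on every PortFast
! port, so a port that should never see a BPDU is err-disabled if one arrives
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Port toward a switch that must never become root: Root Guard, so a
! superior BPDU puts this port into root-inconsistent state instead
interface GigabitEthernet0/2
 spanning-tree guard root
!
! Loop Guard on all point-to-point links: a non-designated port that stops
! receiving BPDUs goes loop-inconsistent instead of forwarding.
! (Root Guard and Loop Guard cannot both be active on the same port.)
spanning-tree loopguard default
!
! Let ports err-disabled by BPDU Guard recover automatically after 5 minutes
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Exec check (not config): show spanning-tree inconsistentports
```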

PPDIOO (example steps)

  • Prepare – implementation requirements are determined
  • Plan – current infrastructure is examined
  • Design – detailed implementation plan is created
  • Implement – a pre-defined test plan is implemented
  • Operate – routine maintenance is performed

Cisco Hierarchical Design functions for VLAN’s

  • Access Layer – protocol filtering, basic QoS
  • Distribution Layer – VLAN routing, VLAN Security
  • Core Layer – redundancy for HA, advanced QoS

IP Source Guard

  • designed to prevent DHCP spoofing attacks
  • blocks all IP traffic on the port except DHCP packets permitted by DHCP snooping and traffic that matches entries in the IP source binding table
  • enable DHCP snooping or configure static IP source bindings before IP Source Guard is applied, otherwise all IP traffic on the port will be dropped
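
One configuration serving both the Dynamic ARP Inspection section and this one, added as an example and not from the original notes: both features validate against the DHCP snooping binding table, so snooping is enabled first, the uplink is trusted, and the access ports get DAI plus IP Source Guard. VLANs, interfaces and the static binding are assumptions.

```cisco
! Added example: VLANs, interfaces and the static binding are assumed
!
! DHCP snooping builds the binding table that DAI and IP Source Guard check
ip dhcp snooping
ip dhcp snooping vlan 10-14
! client requests are not relayed here, so do not insert option 82
no ip dhcp snooping information option
!
! Uplink toward the DHCP server / other switches: trusted for both features
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! DAI on the same VLANs; also check that sender/target MACs match the
! Ethernet header and that IPs are not 0.0.0.0, multicast or broadcast
ip arp inspection vlan 10-14
ip arp inspection validate src-mac dst-mac ip
!
! Access ports stay untrusted; IP Source Guard then drops IP traffic whose
! source address does not match a binding learnt on that port
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Host with a fixed address on Fa0/5: static binding so it is not dropped
ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface FastEthernet0/5
!
! Exec checks (not config): show ip dhcp snooping binding
!                           show ip arp inspection vlan 10
!                           show ip verify source
```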

SNMP Version 3 features

  • encryption
  • authentication (user names)
  • message integrity
  • requires IOS 12.0 or later

High Availability components

  • Network level – backup switches, redundant links with STP
  • System level – redundant power supplies, StackWise technology
  • Management and monitoring
