table of contents - atnedu.lk · 2019-06-29 · gm # interface fastethernet 0/1 # switchport trunk...




CCNP Switching (300-115)

1 | Page

Table of Contents

Implementing CISCO IP switched networks (300-115) ... 5
Structure and syllabus ... 5
Layer 2 technology ... 5
Switch Database Management (SDM) template ... 5
Configuration ... 5
Verification ... 5
Managing MAC Address Table ... 5
Troubleshooting Err-Disable Recovery ... 6
Third party software to log into CISCO devices ... 6
Configure and verify Layer 2 protocols ... 7
Cisco Discovery Protocol (CDP) ... 7
Global CDP information ... 7
CDP verifications ... 7
CDP lab ... 7
Link Layer Discovery Protocol (LLDP) – IEEE 802.1AB ... 8
Type-Length-Value (TLV) information ... 8
Global LLDP information ... 8
To enable LLDP ... 8
To disable LLDP ... 8
LLDP verifications ... 8
UniDirectional Link Detection (UDLD) ... 9
UDLD configuration ... 9
Verification ... 9
UDLD recover ... 9
Virtual Local Area Network (VLAN) ... 10
Without VLAN ... 10
With VLAN ... 10
VLAN configuration ... 10
VLAN numbers ... 11
Terminology ... 11
Access VLAN ... 11
Voice VLAN ... 11
Switched Virtual Interface (SVI) ... 11


Voice VLAN ... 11
Trunk port ... 12
InterVLAN communication with EIGRP using MLS (LAB) ... 13
Trunk ... 14
Trunk port ... 14
Without trunk ... 14
With trunk ... 14
Trunk types ... 14
Switchport mode and Description ... 15
Native VLAN ... 17
VLAN pruning ... 17
VLAN Trunking Protocol (VTP) ... 18
VTP Modes and descriptions ... 18
Revision number ... 18
Domain ... 20
Pruning ... 20
VTP practice lab ... 20
Spanning-Tree Protocol (STP) (IEEE 802.1D) ... 21
The issues before STP ... 21
Introduction to STP ... 22
STP port states ... 22
Bridge Protocol Data Unit (BPDU) ... 23
MSTP theory ... 26
Rapid PVST+ ... 27
Features that decrease the convergence time ... 28
BPDU filter ... 30
Root guard ... 30
Loop guard ... 30
StackWise ... 31
7-StackWise Advantages ... 31
StackWise and StackWise Plus ... 31
Switched Port Analyzer (SPAN) ... 31
Remote Switched Port Analyzer (RSPAN) ... 32


Infrastructure services ... 33
First Hop Redundancy Protocol (FHRP) ... 33
Hot Standby Router Protocol (HSRP) ... 34
Virtual Router Redundancy Protocol (VRRP) ... 35
Gateway Load Balancing Protocol (GLBP) ... 36
INFRASTRUCTURE SECURITY ... 37
(Securing Cisco Catalyst switch) ... 37
MAC flooding attack ... 37
Solution ... 37
Port security ... 37
Violation methods ... 37
Error disable port automatic recovery ... 37
Storm control ... 38
Private VLANs ... 39
Primary VLANs ... 39
Community VLAN ... 39
Isolated VLAN ... 39
Promiscuous port ... 39
Community port ... 39
Isolated port ... 39
DHCP Snooping ... 41
DHCP Spoofing Attack ... 41
Router ... 41
DHCP Spoofing ... 41
DHCP Snooping ... 41
DHCP Option 82 ... 41
IP Source Guard ... 42
IP Snooping ... 42
Unicast Reverse Path Forwarding (uRPF) ... 42
IP Source Guard ... 42
Dynamic ARP Inspection ... 43
Gratuitous ARP man-in-the-middle attack ... 43
Authentication, Authorization & Accounting (AAA) ... 44


Implementing CISCO IP switched networks (300-115)

Structure and syllabus

1. Layer 2 technology 65%
2. Infrastructure security 20%
3. Infrastructure services 15%

Layer 2 technology

Switch Database Management (SDM) template

• A collection of settings that allocates a switch's resources (e.g. TCAM resources) in different ways, depending on the role of the switch.

TCAM: Ternary Content Addressable Memory

Configuration

(Prompt notation used throughout: GM# = global configuration mode, PM# = privileged EXEC mode, IM# = interface configuration mode.)

GM# sdm prefer ?

Access –
The access template maximizes system resources for Access Control Lists (ACLs), to accommodate a large number of ACLs.

Default –
The default template balances resources across all functions.

Routing –
The routing template maximizes system resources for IPv4 unicast routing. Typically required for a router or aggregator in the center of a network.

VLANs –
The VLAN template disables routing and supports the maximum number of unicast MAC addresses (clients). It would typically be selected for a layer 2 switch.

Verification

PM# show sdm prefer
PM# show platform tcam utilization

Managing MAC Address Table

PM# show mac address-table
PM# show mac address-table dynamic
PM# show mac address-table static
PM# show mac address-table count
PM# show mac address-table aging-time

To clear the dynamic MAC address table:

PM# clear mac address-table dynamic

Configuring a MAC address statically:

GM# mac address-table static <mac-address> vlan <vlan-id> interface <interface>


Troubleshooting Err-Disable Recovery

Configuration

IM# switchport mode access
IM# switchport port-security
IM# switchport port-security maximum <count>
IM# switchport port-security mac-address <mac-address>
IM# switchport port-security violation <mode>
(protect / restrict / shutdown)

Verification

PM# show running-config
PM# show port-security
PM# show port-security address
PM# show port-security interface <interface>

Err-disable recovery

GM# errdisable recovery cause psecure-violation
GM# errdisable recovery interval <seconds>
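As an added example (not from the original notes), the Python model below simulates what the three violation modes and errdisable recovery do when a port that allows one secure MAC sees a second source address; the class, method and log-message text are this example's own, not IOS output.

```python
"""Added example (not part of the original notes): a model of Catalyst
port-security violation modes and errdisable recovery.

It simulates what 'switchport port-security maximum N',
'switchport port-security violation {protect|restrict|shutdown}' and
'errdisable recovery cause psecure-violation' / 'errdisable recovery interval'
do when more source MACs appear on a port than it may learn.
Class, method and message names are this example's own."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                     # switchport port-security maximum <count>
    violation: str = "shutdown"          # protect | restrict | shutdown (default)
    secure_macs: Set[str] = field(default_factory=set)   # static + learned secure MACs
    violations: int = 0                  # counter reported by 'show port-security'
    errdisabled: bool = False
    errdisabled_at: Optional[float] = None
    syslog: List[str] = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>: pre-populate the secure table."""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("more static MACs than 'maximum' allows")
        self.secure_macs.add(mac.lower())

    def ingress(self, src_mac: str, now: float) -> str:
        """Handle a frame from src_mac; returns 'forward', 'drop' or 'errdisable'."""
        mac = src_mac.lower()
        if self.errdisabled:
            return "drop"                 # an err-disabled port forwards nothing
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)     # dynamic learning up to 'maximum'
            return "forward"
        # Secure table is full and this MAC is not in it: a violation.
        if self.violation == "protect":
            return "drop"                 # silently dropped: no counter, no syslog
        self.violations += 1
        if self.violation == "restrict":
            self.syslog.append(f"port-security violation on {self.name} by {mac}")
            return "drop"                 # dropped, counted and logged; port stays up
        # shutdown: the whole port goes err-disabled (constructed log text)
        self.errdisabled, self.errdisabled_at = True, now
        self.syslog.append(f"{self.name} err-disabled, cause psecure-violation")
        return "errdisable"


class ErrdisableRecovery:
    """errdisable recovery cause <cause> / errdisable recovery interval <seconds>."""

    def __init__(self, interval: int = 300, causes: Optional[Set[str]] = None):
        self.interval = interval          # IOS default interval is 300 s
        self.causes = causes or set()

    def tick(self, port: SecurePort, now: float) -> bool:
        """Re-enable the port once the interval has elapsed; True if it recovered."""
        if "psecure-violation" not in self.causes or not port.errdisabled:
            return False
        if now - port.errdisabled_at >= self.interval:
            port.errdisabled, port.errdisabled_at = False, None
            return True
        return False


def demo() -> dict:
    """Constructed scenario: one allowed host, then a second source MAC, per mode."""
    results = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(name="Fa0/1", maximum=1, violation=mode)
        port.add_static("00:11:22:33:44:55")              # the one permitted host
        allowed = port.ingress("00:11:22:33:44:55", now=0)
        extra = port.ingress("de:ad:be:ef:00:01", now=1)  # constructed second MAC
        results[mode] = (allowed, extra, port.violations, port.errdisabled)
    # Recovery: 'errdisable recovery interval 30' brings the port back after 30 s.
    port = SecurePort(name="Fa0/2", maximum=1, violation="shutdown")
    port.ingress("00:11:22:33:44:55", now=0)
    port.ingress("de:ad:be:ef:00:02", now=1)
    recovery = ErrdisableRecovery(interval=30, causes={"psecure-violation"})
    results["recovered_early"] = recovery.tick(port, now=20)   # 19 s: still down
    results["recovered_late"] = recovery.tick(port, now=31)    # 30 s: port re-enabled
    results["after_recovery"] = port.ingress("00:11:22:33:44:55", now=32)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The tuple per mode reads (allowed host, second MAC, violation counter, err-disabled), which is the difference between the three modes that 'show port-security' exposes.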

Third party software to log into CISCO devices

• PuTTY
• SecureCRT
• HyperTerminal
• SuperPuTTY
• Tera Term


Configure and verify Layer 2 protocols

Cisco Discovery Protocol (CDP)

• A Cisco proprietary protocol that allows Cisco devices to dynamically discover other Cisco devices that are layer 2 adjacent.

Global CDP information

CDP packets are sent every 60 seconds
The advertised hold time value is 180 seconds

CDP verifications

PM# show cdp
PM# show cdp neighbors
PM# show cdp entry *
PM# show cdp neighbors detail

CDP lab

To enable CDP

GM# cdp run

To disable CDP

GM# no cdp run

CDP timers

GM# cdp timer 60
GM# cdp holdtime 180

CDP versions

GM# cdp advertise-v2


Link Layer Discovery Protocol (LLDP) – IEEE 802.1AB

• An industry standard protocol that allows network devices that support LLDP (and are layer 2 adjacent) to dynamically discover each other.

Type-Length-Value (TLV) information

• A piece of information about a specific characteristic of an LLDP-speaking device, which can be advertised to neighboring LLDP-speaking devices.

Global LLDP information

Status – Active
LLDP advertisements are sent every 30 seconds
LLDP hold time advertised: 102 seconds
LLDP interface re-initialization delay: 2 seconds

To enable LLDP

GM# lldp run

To disable LLDP (per interface)

IM# no lldp receive
IM# no lldp transmit

LLDP verifications

PM# show lldp
PM# show lldp neighbors
PM# show lldp neighbors detail


UniDirectional Link Detection (UDLD)

UDLD configuration

GM# udld ?
normal – generates syslog messages
aggressive – the port is put into the err-disabled state

• To enable UDLD on copper ports, it has to be configured under interface configuration mode.

GM# interface fastethernet 0/1
IM# udld port aggressive

Verification

PM# show running-config

UDLD recover

PM# udld reset


Virtual Local Area Network (VLAN)

Without VLAN

With VLAN

VLAN configuration

Creating a VLAN

GM# vlan 2
# name <name>

Verification

PM# show vlan
PM# show vlan id <vlan-id>
PM# show vlan brief


VLAN numbers

0 – Reserved
1 – Default
1002 – FDDI-Default
1003 – TR-Default
1004 – FDDI-net default
1005 – TR-net default
1006–4094 – Extended
4095 – Reserved

Terminology

Access VLAN

• The VLAN to which an access port is assigned.

Voice VLAN

• If configured, enables minimal trunking to support voice traffic in addition to data traffic on an access port.

Switched Virtual Interface (SVI)

• A virtual interface which provides a routed gateway in and out of a VLAN.
• Only a layer 3 switch can create an SVI.

Access port configuration

GM# interface fastethernet 0/1
# switchport mode access
# switchport access vlan 10

Verification

PM# show running-config
PM# show vlan

Voice VLAN

• A VLAN that can be configured on a Cisco Catalyst switch for the purpose of carrying voice packets to and from IP phones.

This port can be:

1. A single VLAN access port
2. A multi VLAN access port
3. A trunk port

(Figure: Voice VLAN 40, Data VLAN 30)


Configuration

GM# interface fastethernet 0/1
# switchport mode access
# switchport voice vlan <vlan-id>

Verification

PM# show vlan
PM# show running-config

Single VLAN access port

• Access port
• One VLAN
• Useful for software based or third party IP phones
• Allows the IP phone to mark frames with an IEEE 802.1p marking.

IEEE 802.1p

A layer 2 QoS marking similar to a CoS marking, sent over a non-trunking connection. 4 bytes are added to the layer 2 frame; 3 bits of those 4 bytes are used for the priority marking, and the 12 bits of the VLAN ID field are set to all zeros.

Class of Service (CoS)

A layer 2 Quality of Service (QoS) marking sent over a trunk, in the range 0 – 7 (where values 6 and 7 are reserved for network use). Cisco IP phones automatically send voice frames with a CoS in the range 0 – 5.

Multiple VLAN access port

• Access port
• Two VLANs
• The Cisco IP phone learns its VLAN via CDP messages
• Does not work with LLDP-MED
• Frames look like dot1q trunk frames

Link Layer Discovery Protocol – Media Endpoint Discovery (LLDP-MED)

An extension of LLDP designed to work between network endpoints (e.g. IP phones) and infrastructure devices (e.g. switches).

Trunk port

• Trunk port
• Multiple VLANs
• Compatible with both CDP and LLDP-MED
• Frames are dot1q trunk frames
• No need for VLAN pruning

SVI configuration

GM# interface vlan 20
# ip address 10.1.1.1 255.255.255.0
# no shutdown


InterVLAN communication with EIGRP using MLS (LAB)


Trunk

Trunk port

A switch port that can simultaneously carry traffic for multiple VLANs.

Without trunk

With trunk

Trunk types

                 802.1Q     ISL
Header size      4 bytes    26 bytes
Trailer size     N/A        4 bytes
Standard         IEEE       Cisco proprietary (ISL)
Maximum VLANs    4094       1000

(Figure: R1 with the Sales and IT VLANs, without and with a trunk.)


Inter Switch Link (ISL)

A Cisco proprietary Ethernet trunking type which adds 30 bytes to each trunk frame (a 26-byte header and a 4-byte checksum).

Untagged frame: Destination MAC | Source MAC | Type | ...
Tagged frame (ISL): ISL header | Destination MAC | Source MAC | Type | ... | FCS

IEEE 802.1Q

An industry standard Ethernet trunking type which adds a 4-byte tag to each trunk frame, except the frames belonging to the native VLAN.

Untagged frame: Destination MAC | Source MAC | Type | ...
Tagged frame (802.1Q): Destination MAC | Source MAC | 802.1Q tag | Type | ...

Dynamic Trunking Protocol (DTP)

A Cisco proprietary protocol that allows a switch port to dynamically negotiate the formation of a trunk between two switches.

(Figure: two switches exchanging DTP between their Fa0/1 ports.)

Switchport mode and Description

Access –
• Forces a port to operate as an access port

Trunk –
• Forces a port to operate as a trunk port

Dynamic desirable –
• Initiates the negotiation of a trunk

Dynamic auto –
• Passively waits for the remote switch to initiate the negotiation of a trunk.


Switch 1 mode        Switch 2 mode        Trunk formed
Access               Any                  ✗
Trunk                Dynamic desirable    ✓
Trunk                Dynamic auto         ✓
Trunk                Trunk                ✓
Dynamic desirable    Dynamic desirable    ✓
Dynamic desirable    Dynamic auto         ✓
Dynamic auto         Dynamic auto         ✗

Trunk port configuration

Option 1 (2950 and below)

GM# interface fastethernet 0/1
# switchport mode trunk

Option 2 (3560 and above)

GM# interface fastethernet 0/1
# switchport trunk encapsulation dot1q
(dot1q / isl)
# switchport mode trunk


Native VLAN

• By default, frames in this VLAN are sent untagged across a trunk link.

Configuration

GM # interface fastethernet 0/1

# switchport trunk native vlan 2

VLAN pruning

Option 1

GM # interface fastethernet 0/1

# switchport trunk allowed vlan 2

Option 2

GM # interface fastethernet 0/1

# switchport trunk allowed vlan except 3

[Figure: frames from VLAN 2 and VLAN 3 crossing two trunks; the access port removes the tag, the trunk writes the tag, and native VLAN frames cross untagged. A small table compares the trunk types ISL and 802.1Q on the native VLAN feature (values not recovered).]
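As an added example (not part of the original notes), the Python below builds and parses the 4-byte 802.1Q tag described above and models how a trunk handles the native VLAN and the allowed-VLAN list; the MAC addresses and VLAN numbers are constructed for the figure.

```python
# Added example (not from the original notes): build and parse 802.1Q tagged
# Ethernet frames, then model what a trunk does with the native VLAN.
import struct

TPID_8021Q = 0x8100        # EtherType that announces a 4-byte 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Return an Ethernet frame; insert the 4-byte 802.1Q tag when vlan is set."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)   # PCP (3 bits) | DEI (1) | VID (12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the header fields; vlan is None for an untagged frame."""
    dst, src = frame[:6].hex(), frame[6:12].hex()
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vlan = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def trunk_egress(frame, vlan, native_vlan, allowed):
    """An untagged frame received on an access port in `vlan` is sent out a
    trunk: VLANs not in the allowed list are dropped (None), the native VLAN
    goes untagged, every other VLAN gets a tag."""
    if vlan not in allowed:
        return None
    if vlan == native_vlan:
        return frame
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vlan=vlan)


def trunk_ingress(frame, native_vlan):
    """Classify a frame arriving on a trunk: the tag's VID, or the native VLAN
    when the frame is untagged. Any untagged frame, whoever sent it, lands in
    the native VLAN, which is why the native VLAN is usually an unused one."""
    f = parse_frame(frame)
    return native_vlan if f["vlan"] is None else f["vlan"]


if __name__ == "__main__":
    # Constructed sample: a broadcast from the MAC 0018-c985-1d04 in the figure.
    untagged = build_frame("ffffffffffff", "0018c9851d04", ETHERTYPE_IPV4, b"\x45")
    over_native = trunk_egress(untagged, 2, 2, {2, 3})
    print("VLAN 2 over a trunk with native VLAN 2 ->", parse_frame(over_native)["vlan"])
    tagged = trunk_egress(untagged, 3, 2, {2, 3})
    print("VLAN 3 over the same trunk ->", parse_frame(tagged)["vlan"])
    print("untagged frame received on the trunk -> VLAN", trunk_ingress(untagged, 2))
    print("VLAN 3 on a trunk allowing only VLAN 2 ->", trunk_egress(untagged, 3, 2, {2}))
```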


VLAN Trunking Protocol (VTP)

• VTP versions are Version 1, Version 2 and Version 3.

Conditions

• Same VTP domain

• Same trunk links

• Same passwords

VTP Modes and descriptions

Server

• Can be used to create, delete and modify VLANs.

• Updates its VLAN database based on received advertisements.

• Forwards received VTP messages.

• Can originate VTP advertisements.

Client

• Can’t be used to create, delete and modify VLANs.

• Updates its VLAN database based on received advertisements.

• Forwards received VTP messages.

• Can originate VTP advertisements.

Transparent

• Can be used to create, delete and modify VLANs.

• Doesn’t update its VLAN database based on received advertisements.

• Forwards received VTP messages.

• Doesn’t originate VTP advertisements.

Revision number

A value advertised via VTP that identifies the version of a switch’s VLAN database; it is incremented by one for every change made to that VLAN database.


VTP configuration

GM # vtp mode _______________________

(Server/Client/Transparent)

GM # vtp domain CCNP

(Name)

GM # vtp password CISCO123

(Password)

GM # vtp pruning

Show commands

PM # show vtp status

PM # show vtp password

Reset commands (clear the VLAN database and revision number of a switch)

GM # vtp mode transparent

PM # delete flash:vlan.dat

PM # erase startup-config

PM # reload

[Figure: one VTP server, several clients and one transparent switch in domain “CCNP” with password “CISCO123”; VLANs V2, V3 and V4 created on the server propagate to the clients]


Domain

Common to all switches which are participating in VTP.

Pruning

VLANs that have no access ports on a downstream switch are removed from the trunk to that switch, to reduce flooded traffic.

VTP practice lab

[Figure: one VTP server (Core A / Core B) and three clients, each carrying VLANs V2, V3 and V4; VTP has to be configured on the servers]
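An added example, not from the original notes: a small model of VTP server, client and transparent behaviour that shows why the revision number matters and what the reset procedure above protects against. Switch names are constructed; the domain and password are the ones used in the notes.

```python
# Added example (not from the original notes): a model of how VTP server, client
# and transparent switches treat a received advertisement, driven by the domain,
# password and configuration revision number described above.
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str                    # "server", "client" or "transparent"
    domain: str
    password: str
    revision: int = 0            # configuration revision number
    vlans: set = field(default_factory=set)

    def add_vlan(self, vlan_id):
        """Servers and transparent switches may edit the VLAN database; only a
        server's edit bumps the revision number that the others compare."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot create VLANs")
        self.vlans.add(vlan_id)
        if self.mode == "server":
            self.revision += 1

    def set_mode(self, mode):
        """Switching to transparent mode resets the revision number to 0; this
        is the first step of the reset procedure listed above."""
        self.mode = mode
        if mode == "transparent":
            self.revision = 0

    def advertisement(self):
        """Summary advertisement sent out the trunk links."""
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": set(self.vlans)}

    def receive(self, adv):
        """Return 'ignored', 'forwarded' or 'updated' for a received advertisement."""
        if adv["domain"] != self.domain or adv["password"] != self.password:
            return "ignored"                 # conditions: same domain, same password
        if self.mode == "transparent":
            return "forwarded"               # relays, never touches its own database
        if adv["revision"] > self.revision:  # higher revision wins, even on a server
            self.vlans = set(adv["vlans"])
            self.revision = adv["revision"]
            return "updated"
        return "forwarded"


def propagate(source, others):
    """Send one advertisement from `source` to every other switch."""
    adv = source.advertisement()
    return {sw.name: sw.receive(adv) for sw in others}


if __name__ == "__main__":
    # Constructed lab: domain CCNP / password CISCO123 as in the notes above.
    core = VtpSwitch("CoreA", "server", "CCNP", "CISCO123")
    for v in (2, 3, 4):
        core.add_vlan(v)
    clients = [VtpSwitch(f"Access{i}", "client", "CCNP", "CISCO123") for i in (1, 2)]
    print(propagate(core, clients), clients[0].vlans)
    # A switch brought in from another lab with a stale but higher revision
    # overwrites the whole domain, servers included: reset it first.
    stale = VtpSwitch("Lab", "server", "CCNP", "CISCO123", revision=10, vlans={99})
    print(propagate(stale, [core] + clients), core.vlans)
```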


Spanning-Tree Protocol (STP) (IEEE 802.1D)

The issues before STP

While implementing a network we always have a redundant link in order to avoid interruption of service. But engineers face the problems below when connecting switches with redundant links.

• MAC address table corruption

• Broadcast storm

When two or more switches are connected with an additional link for the purpose of redundancy, a broadcast frame circulates endlessly between those switches. It happens because the layer two frame has no TTL (Time To Live) field, unlike a layer three packet.

TTL (Time To Live)

It’s a value in an IP packet’s header that is decremented by one each time the packet enters a router interface. Since switches always work with MAC addresses, the layer two topology never has a TTL value.

Note – STP is the solution for the above problems.

[Figure: Sw1 and Sw2 connected by two links, forming a loop]


Introduction to STP

In the mid 80’s Radia Perlman, who worked at DEC (Digital Equipment Corporation), developed STP. In 1990 the standard was adopted by the IEEE (Institute of Electrical and Electronics Engineers), which named it IEEE 802.1D.

STP port states

Identifying STP port states

Root bridge

An STP topology has a single root bridge. The bridge (or switch) with the lowest bridge ID (BID) is selected as the root bridge.

Root port

The port on a non-root bridge which is closest to the root bridge in terms of cost.

Designated port

Each segment will have one designated port.

Non-designated port

Ports that block traffic in order to deliver a loop-free layer 2 topology.

Disabled port

A port that is administratively shut down.

Port speed    Port cost

10 Mbps       100

100 Mbps      19

1 Gbps        4

10 Gbps       2

[Figure: three switches connected Fa0/1 to Fa0/1, each with priority 32768 and MAC addresses 000d-2824-7c80, 0018-c985-1d04 and 0018-67ab-2d00]


Bridge Protocol Data Unit (BPDU)

A type of packet exchanged in an STP topology that is used to determine which switch is the root bridge.

BPDU packet - Bridge ID (64 bits)

Bridge priority (0 - 61440, default 32768) + MAC address

[Figure: the same three switches (priority 32768; MACs 000d-2824-7c80, 0018-c985-1d04 and 0018-67ab-2d00) exchanging BPDUs on Fa0/1]

STP convergence time

Blocking      20 sec

Listening     15 sec

Learning      15 sec

Forwarding


STP variants

• IEEE 802.1D – All VLANs use a common STP topology.

Common Spanning-Tree Protocol (CST) – All VLANs will use one instance of STP.

• Per VLAN Spanning-Tree (PVST) – used over ISL trunk.

• Per VLAN Spanning-Tree Plus (PVST+) – used over IEEE 802.1Q trunk.

• Multiple Instance Spanning-Tree Protocol (MISTP) – used over ISL trunk.

• Multiple Spanning-Tree (MSTP) – used over IEEE 802.1S trunk.

[Figure: switches A, B, C and D. With per-VLAN STP each of VLAN 100, VLAN 200 and VLAN 300 has its own root bridge; with multiple instances, VLANs 100, 200 and 300 are mapped onto instance 1 and instance 2]


• Rapid Per VLAN Spanning-Tree Plus (Rapid PVST+) – used over ISL trunk.

• Rapid Spanning-Tree Protocol (RSTP) – used over IEEE 802.1W trunk.

STP configuration

Enable STP

GM # spanning-tree mode pvst

Change the bridge priority

GM # spanning-tree vlan 10 priority _________

(0-61440; the priority value should be given in increments of 4096)

Timers in sec

GM # spanning-tree vlan 10 hello-time 2

GM # spanning-tree vlan 10 forward-time 15

GM # spanning-tree vlan 10 max-age 20

Verification commands

PM # show spanning-tree

PM # show spanning-tree detail

PM # show spanning-tree vlan _________

(VLAN ID)

PM # show spanning-tree summary

PM # show vlan

PM # show vlan id _________

(VLAN ID)

STP primary or secondary command

GM # spanning-tree vlan 10 root primary

GM # spanning-tree vlan 10 root secondary

[Figure: switches A, B, C and D with a different root bridge for VLAN 100, VLAN 200 and VLAN 300]

Note – The goal of RSTP is fast convergence.


MSTP theory

• Multiple Spanning-Tree Protocol (MSTP) used over IEEE 802.1W trunk.

• Also written as “Multiple Spanning-Tree (MST)”.

• An MSTP configuration consists of a name, a revision number and a mapping table.

MSTP instance (for a huge number of VLANs)

An STP process which defines the root bridge, root ports, designated ports and blocked ports for a group of switches; one instance can be shared by multiple VLANs.

MSTP region

A group of switches sharing the same configuration attributes: region name, revision number and VLAN mapping table.

Configuration

GM # spanning-tree mode mst

Region name and Revision number

GM # spanning-tree mst configuration

# name _______

(Name)

# revision ________

(Number)

[Figure: switches A, B, C and D running two MST instances]

Instance    VLANs       Root

1           1,2,3,4     Sw A

2           5,6,7,8     Sw B

Instance    VLAN        Primary root    Secondary root

1           100,300     Sw1             Sw3

2           200         Sw3             Sw1

[Figure: Sw1, Sw2 and Sw3 connected in a triangle]


VLAN mapping

GM # spanning-tree mst configuration

# instance ________ vlan _______

(Number) (ID)

MSTP primary and secondary

GM # spanning-tree mst ________________ root _________________

(Instance number) (Primary/Secondary)

Verification

PM # show spanning-tree summary

PM # show spanning-tree mst configuration

PM # show spanning-tree vlan __________

(ID)

Rapid PVST+

Root bridge

An STP topology has a single root bridge. The bridge (or switch) with the lowest bridge ID (BID) is selected as the root bridge.

Root port

The port on a non-root bridge which is closest to the root bridge in terms of cost.

Designated port

Each segment will have one designated port.

Non-designated port

Ports that block traffic in order to deliver a loop-free layer 2 topology.

Disabled port

A port that is administratively shut down.

Alternate port

A port on a switch that is currently discarding data frames, but could provide an alternate path to reach the root bridge (that is, an alternative to the root port).

Backup port

A port currently discarding data frames; although it could be an alternate path to the root bridge, it is also acting as a redundant link to a shared segment.

[Figure: Sw1 is the root bridge, joined to Sw2 and Sw3 by point-to-point links (RP/FWD, DP/FWD); the Sw2-Sw3 link gives an alternate port (AP/BLK); Sw3 has two links to a hub on a shared segment, one DP/FWD and one backup port; an edge port and a disabled port are also shown]


Port states

Discarding

Data is not being forwarded through the port (seen on alternate, backup and disabled ports).

Learning

The switch is learning the MAC addresses available on the port (seen when a port is transitioning into forwarding).

Forwarding

Data is being forwarded on the port (seen on the root and designated ports).

Link types

Point to Point

A link type where the connected port is running in full-duplex mode and where the link is typically connecting one switch with another switch.

Shared

A link type where the connected port is running in half-duplex mode and where the link is typically connecting a switch to a shared media hub.

Edge port

A link type where the connected port is not connected to another switch or shared media hub. Instead, it is connected to a network end point.

Features that decrease the convergence time

Uplink fast

Typically used on an access-layer switch to re-converge in the event of a direct link failure.

• GM # spanning-tree uplinkfast

• PM # show spanning-tree uplinkfast

Not needed if Rapid STP is enabled (it is mostly built in).

[Figure: the RSTP port role diagram again (root bridge Sw1, Sw2, Sw3, hub on a shared segment, edge port) and a three-tier design with core, distribution and access layers]


Backbone fast

Allows a switch to initiate re-convergence in the event of an indirect link failure. Configure on all switches.

Inferior BPDU

A BPDU from a switch claiming that the switch is the root bridge, when the switch topology contains another switch sending out BPDUs with a lower bridge ID.

GM # spanning-tree backbonefast

PM # show spanning-tree backbonefast

Port fast

Allows a switchport to transition to the forwarding state almost instantly when an end station connects to that port.

Configuration on end point ports

GM # interface fastethernet ___

# spanning-tree portfast

OR

Enabling it globally applies it to all non-trunking ports

GM # spanning-tree portfast default

[Figure: Sw1 (root bridge), Sw2 and Sw3 connected via Fa0/1; BackboneFast after an indirect link failure]

1. The switch that lost its path to the root (Sw2) will think it is the root bridge.

2. Then it sends inferior BPDUs, which arrive on the blocked port.

3. Sw3 sends an RLQ (Root Link Query) to Sw1, asking “Do I still have any path to the root bridge?”.

4. Sw1 replies with an RLQ reply.

5. Sw3 will tell Sw2 that “Sw1 is the root bridge”.


Verification

PM # show spanning-tree interface fastethernet ___

Features that increase STP stability

BPDU Guard

• STP feature that can help to preserve the stability of an STP topology by placing a port into the error-disabled state if a BPDU is received on that port. (Works along with portfast)

• Should be enabled on ports which are enabled with portfast.

• Can be enabled globally OR on a port-by-port basis.

Port-by-port

GM # interface fastethernet ___

# spanning-tree bpduguard enable

Globally

GM # spanning-tree portfast bpduguard default

Verification

PM # show spanning-tree summary

BPDU filter

• STP feature that can help to preserve the stability of an STP topology (although it also runs the risk of introducing loops) by suppressing the transmission of BPDUs from a specific switch port.

• Prevents the port from sending BPDUs.

• Should only be used when necessary.

• Most dangerous when enabled at the port level.

Port-by-port

GM # interface fastethernet ___

# spanning-tree bpdufilter enable

Globally

GM # spanning-tree portfast bpdufilter default

Verification

PM # show spanning-tree interface fastethernet ___

Root guard

• An STP feature that can help to preserve the stability of an STP topology by placing a port into the root-inconsistent state if a superior BPDU arrives on a port where the root bridge is not expected.

Loop guard

• An STP feature that can help to preserve the stability of an STP topology by placing a port into the loop-inconsistent state if a non-designated port stops receiving BPDUs.
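Added example (not part of the original notes) covering the root bridge election, root port selection with the port cost table, the priority picked by the root primary macro and the root guard decision described in this section; the bridge MACs come from the figure above, the link speeds are assumed.

```python
# Added example (not from the original notes): STP root election by bridge ID,
# root-port selection by root path cost, the 'root primary' priority choice and
# the root guard decision, using the switches and MACs from the figure above.
from dataclasses import dataclass

PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # port speed (Mbps) -> cost


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int     # 0-61440 in steps of 4096, default 32768
    mac: str          # lowest MAC wins when priorities tie

    @classmethod
    def parse(cls, priority, mac):
        return cls(priority, mac.replace("-", "").replace(".", "").lower())


def elect_root(bridges):
    """bridges: {name: BridgeId}. The lowest bridge ID becomes the root bridge."""
    return min(bridges, key=bridges.get)


def root_ports(bridges, links):
    """links: {(a, b): speed_mbps}, undirected. Return {switch: (root path cost,
    upstream neighbour)} for every non-root switch. The cost of a link is added
    on the port receiving the BPDU; ties are broken by the lower upstream bridge
    ID (the port-ID tie-break is omitted)."""
    root = elect_root(bridges)
    adj = {}
    for (a, b), speed in links.items():
        adj.setdefault(a, []).append((b, PORT_COST[speed]))
        adj.setdefault(b, []).append((a, PORT_COST[speed]))
    best = {root: (0, None)}
    todo = [root]
    while todo:
        node = todo.pop(0)
        cost = best[node][0]
        for nxt, c in adj.get(node, []):
            if nxt == root:
                continue
            cur = best.get(nxt)
            better = cur is None or cost + c < cur[0] or (
                cost + c == cur[0] and bridges[node] < bridges[cur[1]])
            if better:
                best[nxt] = (cost + c, node)
                todo.append(nxt)
    return {n: v for n, v in best.items() if n != root}


def root_primary_priority(bridges, name):
    """What 'spanning-tree vlan N root primary' picks on `name`: 24576 if that
    beats the current root, otherwise 4096 below the root's priority (None when
    the root already sits at 0 and cannot be undercut)."""
    current = bridges[elect_root(bridges)].priority
    if current > 24576:
        return 24576
    return current - 4096 if current >= 4096 else None


def root_guard(current_root, bpdu_bridge_id):
    """Root guard on a port where the root is not expected: a superior BPDU
    (a lower bridge ID than the known root) puts the port into the
    root-inconsistent state instead of letting the sender take over."""
    return "root-inconsistent" if bpdu_bridge_id < current_root else "forwarding"


if __name__ == "__main__":
    bridges = {"Sw1": BridgeId.parse(32768, "000d-2824-7c80"),
               "Sw2": BridgeId.parse(32768, "0018-c985-1d04"),
               "Sw3": BridgeId.parse(32768, "0018-67ab-2d00")}
    # Constructed links: the Sw1-Sw3 link is 10 Mbps, the other two 100 Mbps.
    links = {("Sw1", "Sw2"): 100, ("Sw1", "Sw3"): 10, ("Sw2", "Sw3"): 100}
    root = elect_root(bridges)
    print("root bridge:", root)                        # lowest MAC wins the tie
    print("root ports:", root_ports(bridges, links))   # Sw3 prefers 19+19 via Sw2
    print("root primary on Sw3 ->", root_primary_priority(bridges, "Sw3"))
    rogue = BridgeId.parse(32768, "0000-1111-2222")     # constructed lower MAC
    print("root guard:", root_guard(bridges[root], rogue))
```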


StackWise

StackWise advantages

• As many as 9 switches in a stack.

• Single management IP address.

• Redundant interconnect cable connection.

• Automatic election and re-election of the master switch.

StackWise and StackWise Plus

• Cisco Catalyst 3750-E, 3750-X

• Cisco Catalyst 3850

Verification

PM # show switch

PM # show switch stack-ports

PM # show platform stack-manager all

Switched Port Analyzer (SPAN)

Configuration

GM # monitor session _____1_____ source interface fastethernet _0/3_

(Session No) (Interface) (No)

GM # monitor session _____1_____ destination interface fastethernet _0/2_

(Session No) (Interface) (No)

Verification

PM # show monitor

[Figure: seven switches (Sw1 to Sw7) joined by interconnect cables into one stack]

[Figure: SPAN on one switch: server on Fa0/1, client on Fa0/3 (source port), sniffer on Fa0/2 (destination port)]


Remote Switched Port Analyzer (RSPAN)

Configuration (on the switch where the monitored port is)

GM # vlan __50__

# name RSPAN

# remote-span

# exit

GM # monitor session ____________ source interface _________ ____

(Session No) (Interface) (No)

GM # monitor session ____________ destination remote vlan _____

(Session No) (ID)

On the switch where the sniffer is connected

GM # monitor session ____________ source remote vlan _____

(Session No) (ID)

GM # monitor session ____________ destination interface _________ ____

(Session No) (Interface) (No)

Verification

PM # show monitor

[Figure: Sw2 and Sw1 joined by a trunk (Fa0/24 to Fa0/24) carrying the RSPAN VLAN; client, server and sniffer attached on Fa0/23, Fa0/5 and Fa0/4]


Infrastructure services

First Hop Redundancy Protocol (FHRP)

FHRP variants: HSRP, VRRP, GLBP

[Figure: two gateway routers with Fa0/0 addresses 10.1.1.2 and 10.1.1.3 sharing virtual IP 10.1.1.1, which the hosts use as their default gateway (D/G); Fa0/1 uplinks go to the Internet via Dialog and SLT]


Hot Standby Router Protocol (HSRP)

Configuration

IM # standby ______________ ip ____________

(Standby no) (Virtual IP)

IM # standby ______________ preempt

(Standby no)

IM # standby ______________ priority ____________

(Standby no) (Value)

IM # standby ______________ track ___________ _________ _____________

(Standby no) (INT Name) (INT No) (Priority decrement value)

Verification

PM # show standby

[Figure: two routers (Fa0/0 10.1.1.2 and 10.1.1.3) sharing virtual IP 10.1.1.1 as the hosts’ default gateway (D/G), with Fa0/1 uplinks to the Internet via Dialog and SLT]

Virtual MAC

0000.0C07.AC____

(OUI) (HSRP) (HSRP group number)

• Default priority 100

HSRP Timers                 Multicast Address

Hello 3 sec                 224.0.0.2 (version 1)

Dead 10 sec                 224.0.0.102 (version 2)

• Preempt is disabled by default
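An added example, not from the notes: an HSRP group model with the default priority 100, preempt off by default, interface tracking and the virtual MAC derived from the group number; router names, the tracked interface and the decrement value are constructed.

```python
# Added example (not from the original notes): an HSRP group model covering the
# active/standby election, priority, preempt (off by default), interface
# tracking and the virtual MAC built from the group number.
from dataclasses import dataclass, field


@dataclass
class HsrpRouter:
    name: str
    ip: str                                    # real interface address
    priority: int = 100                        # default priority 100
    preempt: bool = False                      # preempt is disabled by default
    track: dict = field(default_factory=dict)  # tracked interface -> decrement
    link_up: dict = field(default_factory=dict)

    def effective_priority(self):
        """Priority minus the decrement of every tracked interface that is down."""
        down = sum(dec for intf, dec in self.track.items()
                   if not self.link_up.get(intf, True))
        return max(0, self.priority - down)


def virtual_mac(group):
    """HSRP version 1 virtual MAC: OUI 0000.0c, HSRP code 07.ac, group number."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group number must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def _rank(router):
    # Highest priority wins; on a tie the highest interface IP address wins.
    return (router.effective_priority(), tuple(int(o) for o in router.ip.split(".")))


class HsrpGroup:
    def __init__(self, group, virtual_ip, routers):
        self.group, self.virtual_ip = group, virtual_ip
        self.routers = {r.name: r for r in routers}
        self.active = None
        self.standby = None
        self.recompute()

    def recompute(self):
        """Re-run the election. The active router keeps its role unless it is
        gone or a better router has preempt enabled (without preempt, a router
        coming back with a higher priority only becomes standby)."""
        if not self.routers:
            self.active = self.standby = None
            return
        best = max(self.routers.values(), key=_rank)
        current = self.routers.get(self.active)
        if current is None:
            self.active = best.name
        elif best.name != current.name and best.preempt and \
                _rank(best) > _rank(current):
            self.active = best.name
        others = [r for r in self.routers.values() if r.name != self.active]
        self.standby = max(others, key=_rank).name if others else None

    def link_change(self, name, interface, up):
        self.routers[name].link_up[interface] = up
        self.recompute()

    def dead_timer_expired(self, name):
        """No hellos for the dead time (10 s by default): drop the router."""
        del self.routers[name]
        self.recompute()


if __name__ == "__main__":
    # Constructed group 1 for the figure above: R1 10.1.1.2 (priority 110,
    # tracking its Fa0/1 uplink with decrement 20), R2 10.1.1.3 (defaults).
    r1 = HsrpRouter("R1", "10.1.1.2", priority=110, preempt=True, track={"Fa0/1": 20})
    r2 = HsrpRouter("R2", "10.1.1.3")
    g = HsrpGroup(1, "10.1.1.1", [r1, r2])
    print("virtual MAC", virtual_mac(1), "active", g.active, "standby", g.standby)
    g.link_change("R1", "Fa0/1", up=False)   # R1 drops to 90, but R2 has no preempt
    print("after uplink loss, active =", g.active)
    r2.preempt = True
    g.recompute()
    print("with preempt on R2, active =", g.active)
```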


Virtual Router Redundancy Protocol (VRRP)

Configuration

IM # vrrp _______________ ip ___________

(VRRP group no) (Virtual IP)

IM # vrrp _______________ preempt

(VRRP group no)

IM # vrrp _______________ priority ____________

(VRRP group no) (Value)

IM # vrrp ________________ track ___________ _________ _____________

(VRRP group no) (INT Name) (INT No) (Priority decrement value)

Verification

PM # show vrrp

[Figure: a Master and a Backup router (Fa0/0 10.1.1.2 and 10.1.1.3) sharing virtual IP 10.1.1.1 as the hosts’ default gateway (D/G), with Fa0/1 uplinks to the Internet via Dialog and SLT]

Virtual MAC

0000.0C07.AC____

(OUI) (VRRP) (VRRP group number)

• Default priority 100

VRRP Timers                 Multicast Address

Hello 3 sec                 224.0.0.18

Dead 3 sec

• Preempt is enabled by default


Gateway Load Balancing Protocol (GLBP)

Configuration

IM # glbp ____________ ip ____________

(Group no) (Virtual IP)

IM # glbp ______________ preempt

(Group no)

IM # glbp ______________ priority ____________

(Group no) (Value)

IM # glbp ____________ track ___________ _________ _____________

(Group no) (INT Name) (INT No) (Priority decrement value)

Verification

PM # show glbp

[Figure: routers R1, R2 and R3 (Fa0/0 addresses 10.1.1.2 and 10.1.1.3) sharing virtual IP 10.1.1.1 as the hosts’ default gateway (D/G), with Fa0/1 uplinks to the Internet via Dialog and SLT]

Virtual MAC

0000.0C07.AC____

(OUI) (GLBP) (GLBP group number)

• Default priority 100

GLBP Timers

Hello 3 sec

Dead 10 sec

• Preempt is enabled by default


INFRASTRUCTURE SECURITY

(Securing Cisco Catalyst switches)

MAC flooding attack

Occurs when an attacker overflows a switch’s CAM table by sending many frames into the switch, each claiming to be from a different MAC address.

(NOTE: This causes the switch to act much like a hub, meaning that the attacker can capture packets flowing through the switch.)

Solution

Port security

A Cisco Catalyst feature that makes sure we don’t have too many MAC addresses, or any disallowed MAC address, connected to a specific switch port.

Sticky – configures dynamically learned source addresses as sticky (they are kept in the running configuration).

Violation methods

• Protect

A port security violation action that allows permitted MAC addresses to flow through a port, while frames from disallowed MAC addresses are dropped.

• Restrict

A port security violation action that allows permitted MAC addresses to flow through a port, drops frames from disallowed MAC addresses and increments the switch’s security violation count.

• Shutdown

A port security violation action that places a port in the error-disabled state and sends an SNMP trap (if the switch is configured for SNMP).

Error disable port automatic recovery

A Cisco Catalyst switch feature that allows a port in an error-disabled state to attempt to come out of that state if the condition causing the port to be in the error-disabled state has been resolved.

[Figure: an attacker sending frames with many different MAC addresses to overflow the switch’s CAM table]
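Added example (not from the original notes): a port-security model with the three violation modes, sticky learning and error-disable recovery, fed a constructed stream of frames from many different source MACs to show what a flooded port does in each mode.

```python
# Added example (not from the original notes): a port-security model with a MAC
# limit, sticky learning and the protect / restrict / shutdown violation actions,
# exercised with a constructed stream of frames from many source MACs.


class SecurePort:
    def __init__(self, maximum=1, violation="shutdown", sticky=False, static=()):
        self.maximum = maximum
        self.violation = violation            # "protect", "restrict" or "shutdown"
        self.sticky = sticky
        self.secure = set(static)             # static + dynamically learned MACs
        self.saved = set(static)              # what ends up in the running-config
        self.violations = 0                   # security violation counter
        self.err_disabled = False
        self.traps = []                       # SNMP traps that would be sent

    def ingress(self, src_mac):
        """Return 'forward', 'drop' or 'err-disabled' for a frame from src_mac."""
        if self.err_disabled:
            return "err-disabled"
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:   # room left: learn the address
            self.secure.add(src_mac)
            if self.sticky:
                self.saved.add(src_mac)       # sticky keeps it across reloads
            return "forward"
        # Violation: the table for this port is full and src_mac is unknown.
        if self.violation == "protect":
            return "drop"                     # silently dropped, no counter
        self.violations += 1
        if self.violation == "restrict":
            self.traps.append(("violation", src_mac))
            return "drop"
        self.err_disabled = True              # shutdown: port goes error-disabled
        self.traps.append(("err-disabled", src_mac))
        return "err-disabled"

    def errdisable_recovery(self):
        """Automatic recovery: the port comes back; secure addresses are kept."""
        self.err_disabled = False


def many_sources(port, count):
    """Send `count` frames from distinct constructed MACs (the pattern a CAM
    overflow produces) and tally what the port did with each of them."""
    result = {"forward": 0, "drop": 0, "err-disabled": 0}
    for i in range(count):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"   # locally administered
        result[port.ingress(mac)] += 1
    return result


if __name__ == "__main__":
    # Constructed: an access port that should only ever see one host (sticky).
    port = SecurePort(maximum=1, violation="restrict", sticky=True)
    port.ingress("00:18:c9:85:1d:04")            # the legitimate host
    print(many_sources(port, 1000), "violations:", port.violations)
    print("legitimate host still forwarded:", port.ingress("00:18:c9:85:1d:04"))
    shut = SecurePort(maximum=2, violation="shutdown")
    print(many_sources(shut, 1000))               # 2 learned, then err-disabled
    shut.errdisable_recovery()
    print("after recovery:", shut.ingress("02:00:00:00:00:00"))
```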


Storm control

A Cisco Catalyst switch feature that can detect a multicast, broadcast or unicast traffic storm on a switch port and respond by putting the port into the error-disabled state and/or sending an SNMP trap.

Configuration

GM # interface fastethernet ____

# storm-control broadcast level ____________________ _____________________

(Rising threshold BW %) (Falling threshold BW %)

# storm-control multicast level bps ____________________ ____________________

(Rising threshold bps) (Falling threshold bps)

# storm-control multicast level bps ____________________

(Rising threshold bps only; the falling threshold then equals the rising threshold)

# storm-control action ____________

(shutdown/trap)

Verification

PM # show storm-control
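Added example, not from the notes: the rising/falling threshold logic of storm control evaluated once per monitoring interval, with the filter, trap and shutdown actions; the port bandwidth and the broadcast rates are constructed.

```python
# Added example (not from the original notes): storm-control decisions per
# one-second interval with a rising and a falling threshold (hysteresis) and
# the filter / trap / shutdown actions, over constructed broadcast rates.


class StormControl:
    def __init__(self, bandwidth_bps, rising_pct, falling_pct=None, action="filter"):
        self.bw = bandwidth_bps
        self.rising = rising_pct
        # Without an explicit falling threshold it equals the rising one.
        self.falling = rising_pct if falling_pct is None else falling_pct
        self.action = action          # "filter" (default), "trap" or "shutdown"
        self.suppressing = False
        self.err_disabled = False
        self.traps = []

    def interval(self, broadcast_bps):
        """Evaluate one monitoring interval; return the port's resulting state."""
        if self.err_disabled:
            return "err-disabled"
        pct = broadcast_bps * 100 / self.bw
        if not self.suppressing and pct >= self.rising:
            self.suppressing = True           # storm detected: excess is filtered
            if self.action == "shutdown":
                self.err_disabled = True
                return "err-disabled"
            if self.action == "trap":
                self.traps.append(("storm-start", pct))
        elif self.suppressing and pct < self.falling:
            self.suppressing = False          # storm over: rate fell below falling
            if self.action == "trap":
                self.traps.append(("storm-end", pct))
        return "suppressing" if self.suppressing else "normal"


def run(ctrl, rates_bps):
    """Feed a sequence of per-interval broadcast rates; return the states."""
    return [ctrl.interval(r) for r in rates_bps]


if __name__ == "__main__":
    # Constructed: 100 Mbps port, rising 20 %, falling 10 %; broadcast rate per second.
    rates = [5e6, 25e6, 15e6, 8e6, 30e6]
    print(run(StormControl(100e6, 20, 10), rates))                    # hysteresis
    print(run(StormControl(100e6, 20, 10, action="shutdown"), rates)) # err-disabled
```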


Private VLANs

VLANs inside another VLAN which are isolated from one another at layer 2, but can communicate with one another using layer 3 routing.

Primary VLAN

A VLAN that can contain a collection of private VLANs (i.e. subdomains). (NOTE: All ports belonging to the secondary private VLANs should also be configured to belong to the primary VLAN.)

Community VLAN

A type of private VLAN that can contain multiple ports connected to hosts that are able to communicate with one another at layer 2.

Isolated VLAN

A type of private VLAN containing host ports that cannot communicate at layer 2 with ports in any other private VLAN.

Promiscuous port

A port assigned to the primary VLAN that can communicate with all community and isolated ports.

Community port

A port belonging to a community VLAN that shares a broadcast domain with the other ports in the community VLAN.

Isolated port

A port belonging to an isolated VLAN that resides in its own broadcast domain.

[Figure: Primary VLAN 150 containing Community VLAN 151 and Isolated VLANs 152 and 153]


Configuration

GM # vtp mode transparent

GM # vlan 150

# private-vlan primary

# private-vlan association 151,152,153

GM # vlan 151

# private-vlan community

GM # vlan 152

# private-vlan isolated

GM # vlan 153

# private-vlan isolated

IM # switchport mode private-vlan ____________

(host/promiscuous)

IM # switchport private-vlan host-association 150 _____

(Secondary VLAN ID, on host ports)

IM # switchport private-vlan mapping 150 151,152,153

(On the promiscuous port)

[Figure: the private VLAN switch with the router attached on the promiscuous port]


DHCP Snooping

DHCP Spoofing Attack

Router

IM # ip helper-address ____________

• A command that allows a router to forward a DHCP broadcast (i.e. the DHCP discover message) to a DHCP server on a different subnet.

DHCP Spoofing

An attack where the attacker has a DHCP server which responds to the DHCP discover messages sent from a DHCP client. (NOTE: If the client uses the attacker’s DHCP server, it can be convinced that its default gateway is the IP address of one of the attacker’s devices.)

DHCP Snooping

Allows a Cisco Catalyst switch port to reject packets coming in from a DHCP server if that port is set to the untrusted state.

Configuration

GM # ip dhcp snooping

GM # ip dhcp snooping vlan _______

Trusted port configuration

IM # ip dhcp snooping trust

Verification

PM # show ip dhcp snooping

DHCP Option 82

Makes a DHCP request packet carry information indicating the switch port from which the DHCP request came.

[Figure: a snooping switch with the DHCP client and a rogue DHCP server on untrusted ports and the corporate DHCP server on a trusted port]

DHCP works with the DORA process.

D – Discover

O – Offer

R – Request

A – Acknowledgement


IP Source Guard

IP Spoofing

An attack where a malicious user falsifies (i.e. spoofs) their IP address to an IP address that is allowed to access a secured resource.

Unicast Reverse Path Forwarding (uRPF)

A router feature that can block a packet arriving on an interface if the router’s IP routing table indicates that a different interface should be used to reach the packet’s source IP address.

IP Source Guard

A switch feature that creates an IP address (and optionally MAC address) to port mapping table, and can drop a packet arriving on a specific port from a device claiming to have a source IP address (and optionally a source MAC address) that is not consistent with the mapping table.

Configuration

❖ Remember DHCP snooping is already enabled.

❖ Enable on untrusted ports.

GM # interface range fastethernet _____

# ip verify source

Verification

PM # show ip verify source

[Figure: an authorized client (10.1.1.100) and an attacker (10.1.1.1) on a switch running IP Source Guard; R1 has an ACL that only allows IP address 10.1.1.100 to reach the secured server]


Dynamic ARP Inspection

Gratuitous ARP man-in-the-middle attack

An attack where the attacker sends unsolicited ARP replies to the attack target, claiming that the attacker’s MAC address is the MAC address of the target’s default gateway.

NOTE: Dynamic ARP inspection statistics can be viewed using the show ip arp inspection command.

Configuration

❖ Remember DHCP snooping is already enabled.

GM # ip arp inspection vlan _1_

Fa1/0/1 (the port to be trusted)

IM # ip arp inspection trust

[Figure: R1 as the gateway toward the ISP on Fastethernet 0/0, network 10.1.1.0/24, MAC DDDD-DDDD-DDDD]
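One added example (not part of the original notes) serving the DHCP snooping, IP Source Guard and Dynamic ARP Inspection sections above: a switch model whose binding table is learned from the DORA exchange on trusted/untrusted ports and then enforced on IP packets and ARP replies. Port names, MACs and addresses are constructed.

```python
# Added example (not from the original notes): one switch model that builds the
# DHCP snooping binding table from the DORA exchange and then reuses it for
# IP Source Guard and Dynamic ARP Inspection, as the three sections above
# describe. Ports, MACs and addresses are constructed for the figures.
from dataclasses import dataclass


@dataclass
class Packet:
    port: str                 # ingress port
    src_mac: str              # Ethernet source address
    kind: str                 # dhcp-discover/offer/request/ack, ip, arp-reply
    client_mac: str = ""      # DHCP chaddr or ARP sender hardware address
    yiaddr: str = ""          # address handed out in offer/ack
    src_ip: str = ""          # IP source (ip) or ARP sender protocol address


class SnoopingSwitch:
    SERVER_MESSAGES = {"dhcp-offer", "dhcp-ack"}

    def __init__(self, trusted, ipsg_ports=(), dai_vlan=True):
        self.trusted = set(trusted)        # ip dhcp snooping trust / ip arp inspection trust
        self.ipsg_ports = set(ipsg_ports)  # ports with ip verify source
        self.dai = dai_vlan                # ip arp inspection vlan N
        self.pending = {}                  # client MAC -> port of its discover/request
        self.bindings = {}                 # IP -> (MAC, port): the snooping binding table
        self.log = []

    def process(self, p):
        """Return 'forward' or 'drop'."""
        if p.kind.startswith("dhcp-"):
            return self._dhcp(p)
        if p.kind == "arp-reply":
            return self._arp(p)
        return self._ip(p)

    def _dhcp(self, p):
        if p.port in self.trusted:
            if p.kind == "dhcp-ack" and p.client_mac in self.pending:
                # Ack from the real server: record who got which address, where.
                self.bindings[p.yiaddr] = (p.client_mac, self.pending[p.client_mac])
            return "forward"
        if p.kind in self.SERVER_MESSAGES:        # server message on an untrusted port
            self.log.append(("rogue-dhcp-server", p.port, p.src_mac))
            return "drop"
        if p.client_mac != p.src_mac:             # chaddr must match the frame source
            self.log.append(("chaddr-mismatch", p.port, p.src_mac))
            return "drop"
        self.pending[p.client_mac] = p.port
        return "forward"

    def _ip(self, p):
        if p.port not in self.ipsg_ports:
            return "forward"
        if self.bindings.get(p.src_ip) == (p.src_mac, p.port):
            return "forward"
        self.log.append(("ipsg-drop", p.port, p.src_ip))
        return "drop"

    def _arp(self, p):
        if not self.dai or p.port in self.trusted:
            return "forward"
        if self.bindings.get(p.src_ip) == (p.client_mac, p.port):
            return "forward"
        self.log.append(("dai-drop", p.port, p.src_ip))  # e.g. a reply claiming the gateway
        return "drop"


def dora(sw, client_port, client_mac, server_port, server_mac, address):
    """Run the Discover / Offer / Request / Ack exchange through the switch."""
    return [sw.process(Packet(client_port, client_mac, "dhcp-discover", client_mac)),
            sw.process(Packet(server_port, server_mac, "dhcp-offer", client_mac, address)),
            sw.process(Packet(client_port, client_mac, "dhcp-request", client_mac)),
            sw.process(Packet(server_port, server_mac, "dhcp-ack", client_mac, address))]


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted={"Fa0/24"}, ipsg_ports={"Fa0/1", "Fa0/2"})
    client, server = "0018.c985.1d04", "0000.bbbb.0001"
    print(dora(sw, "Fa0/1", client, "Fa0/24", server, "10.1.1.100"), sw.bindings)
    # Same exchange answered from an untrusted port: the offer and ack are dropped.
    print(dora(sw, "Fa0/2", "0000.cccc.0002", "Fa0/3", "0000.aaaa.0001", "10.1.1.50"))
    print("IPSG:", sw.process(Packet("Fa0/2", "0000.cccc.0002", "ip", src_ip="10.1.1.100")))
    print("DAI :", sw.process(Packet("Fa0/2", "0000.cccc.0002", "arp-reply",
                                     "0000.cccc.0002", src_ip="10.1.1.1")))
    print(sw.log)
```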


Authentication, Authorization & Accounting (AAA)

1. Authentication – Who are you? (User name and password)

2. Authorization – What are you allowed to do?

3. Accounting – What did you do?

TACACS+

• Cisco proprietary

• TCP

• Separate authentication, authorization and accounting functions

• Two-way challenge response; encrypts the entire packet

RADIUS

• Industry standard

• UDP

• Combines authentication, authorization and accounting functions

• One-way challenge response; only encrypts the password

Configuration

Enable AAA

GM # aaa new-model

Configure the servers

GM # radius-server host 10.10.10.10 key CISCO

GM # radius-server host 20.20.20.20 key CISCO

GM # aaa group server radius A-Group

# server 10.10.10.10

GM # username CISCO secret CISCO

GM # aaa authentication login default group A-Group local

Resources
