Study draft (borrador estudio)
Post on 13-Apr-2018
7/26/2019 borrador estudio
1/13
Three fundamental decisions must be made: one concerned with finding the egress switch port, and two concerned with forwarding policies. All these decisions are made simultaneously by independent portions of the switching hardware and can be described as follows:
L2 forwarding table
Security ACLs
QoS ACLs
In multilayer switching, the decision of where to forward the packet is based on two address tables, whereas the decision of how to forward the packet is still based on access list results. As in Layer 2 switching, all these multilayer decisions are performed simultaneously in hardware:
L2 forwarding table
L3 forwarding table
Security ACLs
QoS ACLs
By default, idle CAM table entries are kept for 300 seconds before they are deleted.
Switch(config)# mac address-table aging-time seconds
Switch(config)# mac address-table static mac-address vlan vlan-id interface type mod/num
Switch(config)# interface type module/number
Switch(config)# interface fastethernet 0/14
Switch(config)# interface range type module/number [, type module/number ...]
Switch(config)# interface range fastethernet 1/0/3 , fastethernet 1/0/7 , fastethernet 1/0/9 , fastethernet 1/0/48
Switch(config)# interface range type module/first-number - last-number
Switch(config)# interface range fastethernet 1/0/1 - 48
Switch(config)# define interface-range macro-name type module/number [, type module/number ...] [type module/first-number - last-number] [...]
Switch(config)# interface range macro macro-name
Switch(config)# define interface-range MyGroup gig 2/0/1 , gig 2/0/3 - 2/0/5 , gig 3/0/1 , gig 3/0/10 , gig 3/0/32 - 3/0/48
Switch(config)# interface range macro MyGroup
Switch(config-if)# description description-string
Switch(config-if)# speed {10 | 100 | 1000 | auto}
Switch(config-if)# duplex {auto | full | half}
STATIC VLANS
Switch(config)# vlan vlan-num
Switch(config-vlan)# name vlan-name
Switch(config)# interface type module/number
Switch(config-if)# switchport
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan vlan-num
VLAN Trunk Configuration
Use the following commands to create a VLAN trunk link:
Switch(config)# interface type mod/port
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}
Switch(config-if)# switchport trunk native vlan vlan-id
Switch(config-if)# switchport trunk allowed vlan {vlan-list | all | {add | except | remove} vlan-list}
Switch(config-if)# switchport mode {trunk | dynamic {desirable | auto}}
Switch(config-if)# switchport nonegotiate (disables DTP)
Switch# show interface type mod/port trunk
Switch# show interface type mod/num switchport
STP
STP uses the multicast destination address 01-80-c2-00-00-00.
Two types of BPDU exist:
Configuration BPDU, used for spanning-tree computation
Topology Change Notification (TCN) BPDU, used to announce changes in the network topology
The bridge ID is an 8-byte value consisting of the following fields:
Bridge Priority (2 bytes): The priority or weight of a switch in relation to all other switches. The Priority field can have a value of 0 to 65,535 and defaults to 32,768 (or 0x8000) on every Catalyst switch.
MAC Address (6 bytes): The MAC address used by a switch can come from the Supervisor module, the backplane, or a pool of 1,024 addresses that are assigned to every supervisor or backplane, depending on the switch model. In any event, this address is hard-coded and unique, and the user cannot change it.
If an entire instance of STP has been disabled, you can reenable it with the following global configuration command:
Switch(config)# spanning-tree vlan vlan-id
If STP has been disabled for a specific VLAN on a specific port, you can reenable it with the following interface configuration command:
Switch(config-if)# spanning-tree vlan vlan-id
Switch(config)# spanning-tree extend system-id
Switch(config)# spanning-tree vlan vlan-list priority bridge-priority
Switch(config)# spanning-tree vlan vlan-id root {primary | secondary} [diameter diameter]
The bridge-priority value defaults to 32,768, but you can also assign a value of 0 to 65,535. If the STP extended system ID is enabled, the default bridge priority is 32,768 plus the VLAN number. In that case, the configurable value can range from 0 to 61,440, but only as multiples of 4096. A lower bridge priority is preferable.
Switch(config-if)# spanning-tree [vlan vlan-id] cost cost
Switch# show spanning-tree interface type mod/num [cost]
Switch(config-if)# spanning-tree [vlan vlan-list] port-priority port-priority
Switch(config)# spanning-tree [vlan vlan-id] hello-time seconds
Switch(config)# spanning-tree [vlan vlan-id] forward-time seconds
Switch(config)# spanning-tree [vlan vlan-id] max-age seconds
Switch(config)# spanning-tree vlan vlan-list root {primary | secondary} [diameter diameter [hello-time hello-time]]
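As an added illustration (my own code, not part of the study notes), the following Python models the bridge priority arithmetic described above: the configured priority must be a multiple of 4096, the VLAN number is added to it to form the 16-bit Bridge Priority field, and the lowest resulting bridge ID (priority field first, then MAC) becomes the root. The Bridge type and the function names are my own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # value given to "spanning-tree vlan X priority"
    mac: str        # burned-in MAC address, e.g. "00:1a:2b:3c:4d:5e"


def priority_field(priority: int, vlan: int) -> int:
    """16-bit Bridge Priority field with extended system ID: priority + VLAN number.

    The configurable part must be a multiple of 4096 between 0 and 61,440;
    the low 12 bits carry the VLAN ID, so the default for VLAN 10 is 32,778.
    """
    if priority % 4096 != 0 or not 0 <= priority <= 61440:
        raise ValueError(f"priority {priority} must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} is out of range")
    return priority + vlan


def bridge_id(bridge: Bridge, vlan: int) -> int:
    """8-byte bridge ID as an integer: priority field in the top 2 bytes, MAC in the low 6."""
    mac_int = int(bridge.mac.replace(":", "").replace("-", ""), 16)
    return (priority_field(bridge.priority, vlan) << 48) | mac_int


def elect_root(bridges, vlan: int) -> Bridge:
    """The lowest bridge ID wins: lower priority first, then the lowest MAC as tie-breaker."""
    return min(bridges, key=lambda b: bridge_id(b, vlan))


if __name__ == "__main__":
    # Constructed sample: two switches at the default priority and one lowered to 24576.
    switches = [
        Bridge("Access-1", 32768, "00:00:00:00:00:02"),
        Bridge("Access-2", 32768, "00:00:00:00:00:01"),
        Bridge("Core", 24576, "ff:ff:ff:ff:ff:ff"),
    ]
    print("root for VLAN 10:", elect_root(switches, 10).name)   # Core
```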
PortFast: Enables fast connectivity to be established on access-layer switch ports to workstations that are booting.
UplinkFast: Enables fast-uplink failover on an access-layer switch when dual uplinks are connected into the distribution layer.
BackboneFast: Enables fast convergence in the network backbone or core layer switches after a spanning-tree topology change occurs.
Switch(config)# spanning-tree portfast default
Switch(config-if)# [no] spanning-tree portfast
Switch(config)# interface type mod/num
Switch(config-if)# switchport host
(switchport host sets switchport mode to access, enables spanning-tree portfast, and disables the channel group)
Switch# show spanning-tree interface type mod/num portfast
Switch(config)# spanning-tree uplinkfast [max-update-rate pkts-per-second]
Switch# show spanning-tree uplinkfast
Switch(config)# spanning-tree backbonefast
After an STP topology has converged and becomes loop free, switch ports are assigned the following roles:
Root port: The one port on a switch that is closest (with the lowest root path cost) to the root bridge.
Designated port: The port on a LAN segment that is closest to the root. This port relays, or transmits, BPDUs down the tree.
Blocking port: Ports that are neither root nor designated ports.
Alternate port: Ports that are candidate root ports (they are also close to the root bridge) but are in the Blocking state. These ports are identified for quick use by the STP UplinkFast feature.
Forwarding port: Ports where no other STP activity is detected or expected. These are ports with normal end-user connections.
Switch(config-if)# spanning-tree guard root
Switch(config)# spanning-tree portfast bpduguard default
Switch(config-if)# [no] spanning-tree bpduguard enable
Switch(config)# spanning-tree loopguard default
Switch(config-if)# [no] spanning-tree guard loop
Switch(config)# udld {enable | aggressive | message time seconds}
Switch(config-if)# udld {enable | aggressive | disable}
Switch(config)# spanning-tree portfast bpdufilter default
Switch(config-if)# spanning-tree bpdufilter {enable | disable}
Root guard: Apply to ports where the root is never expected.
BPDU guard: Apply to all user ports where PortFast is enabled.
Loop guard: Apply to nondesignated ports, but it is okay to apply it to all ports.
UDLD: Apply to all fiber-optic links between switches (must be enabled on both ends).
Permissible combinations on a switch port:
Loop guard and UDLD
Root guard and UDLD
Not permissible on a switch port:
Root guard and Loop guard
Root guard and BPDU guard
STP: 802.1D
RSTP: 802.1w
MST: 802.1s
802.1D
Port roles: Root port, Designated port, Blocking port (neither root nor designated)
Each switch port also is assigned one of five possible states:
Disabled
Blocking
Listening
Learning
Forwarding
802.1w
Root port: The one switch port on each switch that has the best root path cost to the root. This is identical to 802.1D.
Designated port: The switch port on a network segment that has the best root path cost to the root.
Alternate port: A port that has an alternative path to the root, different from the path the root port takes.
Backup port: A port that provides a redundant (but less desirable) connection to a segment where another switch port already connects.
Port states:
Discarding: Incoming frames simply are dropped; no MAC addresses are learned.
Learning: Incoming frames are dropped, but MAC addresses are learned.
Forwarding: Incoming frames are forwarded according to MAC addresses that have been (and are being) learned.
Port types:
Edge port: A port at the edge of the network, where only a single host connects. Traditionally, this has been identified by enabling the STP PortFast feature.
Root port: The port that has the best cost to the root of the STP instance.
Point-to-point port: Any port that connects to another switch and becomes a designated port.
Port Security
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum max-addr
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address mac-addr
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
Shutdown: The port immediately is put into the Errdisable state, which effectively shuts it down. It must be reenabled manually or through errdisable recovery to be used again.
Restrict: The port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.
Protect: The port is allowed to stay up, as in the restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept.
Switch# clear port-security dynamic [address mac-addr | interface type mod/num]
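Added example (my own code, not from the notes): a Python model of how the three violation modes above treat ingress frames once the secure address limit is reached, together with the effect of clear port-security dynamic and errdisable recovery. Attribute and method names are mine; the behaviour follows the mode descriptions given above.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    maximum: int = 1                     # switchport port-security maximum max-addr
    violation: str = "shutdown"          # violation {shutdown | restrict | protect}
    static: set = field(default_factory=set)    # switchport port-security mac-address entries
    dynamic: set = field(default_factory=set)   # addresses learned on the port
    errdisabled: bool = False
    violations: int = 0                  # running count, kept in restrict mode only
    alerts: list = field(default_factory=list)  # SNMP trap / syslog messages raised

    def secure_macs(self) -> set:
        return self.static | self.dynamic

    def ingress(self, src_mac: str) -> str:
        """Apply port security to one ingress frame; returns "forward" or "drop"."""
        if self.errdisabled:
            return "drop"                        # port is down until it is recovered
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.dynamic.add(src_mac)            # room left: learn the address and forward
            return "forward"
        # Secure address limit reached by an unknown source: a violation.
        if self.violation == "shutdown":
            self.errdisabled = True              # port goes to Errdisable immediately
            self.alerts.append(f"port errdisabled: violation from {src_mac}")
        elif self.violation == "restrict":
            self.violations += 1                 # drop, count, and alert
            self.alerts.append(f"violation #{self.violations} from {src_mac}")
        # protect: drop with no record of the violation
        return "drop"

    def clear_dynamic(self) -> None:
        """Equivalent of "clear port-security dynamic" for this port."""
        self.dynamic.clear()

    def errdisable_recovery(self) -> None:
        """Manual re-enable or errdisable recovery bringing the port back up."""
        self.errdisabled = False
```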
Port-Based Authentication
802.1x Configuration
Remote Authentication Dial-In User Service (RADIUS): only RADIUS is supported for 802.1x.
Step 1. Enable AAA on the switch:
Switch(config)# aaa new-model
Step 2. Define external RADIUS servers:
Switch(config)# radius-server host {hostname | ip-address} [key string]
Step 3. Define the authentication method for 802.1x:
Switch(config)# aaa authentication dot1x default group radius
Step 4. Enable 802.1x on the switch:
Switch(config)# dot1x system-auth-control
Step 5. Configure each switch port that will use 802.1x:
Switch(config)# interface type mod/num
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}
force-authorized: The port is forced to always authorize any connected client. No authentication is necessary. This is the default state for all switch ports when 802.1x is enabled.
force-unauthorized: The port is forced to never authorize any connected client. As a result, the port cannot move to the authorized state to pass traffic to a connected client.
auto: The port uses an 802.1x exchange to move from the unauthorized to the authorized state, if successful. This requires an 802.1x-capable application on the client PC.
Step 6. Allow multiple hosts on a switch port:
Switch(config-if)# dot1x host-mode multi-host
DHCP Snooping
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]
Switch(config)# interface type mod/num
Switch(config-if)# ip dhcp snooping trust
Switch(config)# interface type mod/num
Switch(config-if)# ip dhcp snooping limit rate rate
The rate can be 1 to 2048 DHCP packets per second.
Switch(config)# [no] ip dhcp snooping information option
Switch# show ip dhcp snooping [binding]
IP Source Guard
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type mod/num
Switch(config)# interface type mod/num
Switch(config-if)# ip verify source [port-security]
Switch# show ip verify source [interface type mod/num]
Switch# show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] [interface type mod/num] [vlan vlan-id]
Dynamic ARP Inspection
Switch(config)# ip arp inspection vlan vlan-range
Switch(config)# interface type mod/num
Switch(config-if)# ip arp inspection trust
Switch(config)# arp access-list acl-name
Switch(config-acl)# permit ip host sender-ip mac host sender-mac [log]
[Repeat the previous command as needed]
Switch(config-acl)# exit
Switch(config)# ip arp inspection filter arp-acl-name vlan vlan-range [static]
Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
src-mac: Check the source MAC address in the Ethernet header against the sender MAC address in the ARP reply.
dst-mac: Check the destination MAC address in the Ethernet header against the target MAC address in the ARP reply.
ip: Check the sender's IP address in all ARP requests; check the sender's IP address and the target IP address in all ARP replies.
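Added example, not from the notes: the three ip arp inspection validate checks applied in Python to constructed Ethernet/ARP frames, the kind of logic a defender would use to explain or reproduce a DAI drop. The frame layout is standard ARP over Ethernet II; which addresses the ip check treats as invalid (0.0.0.0, 255.255.255.255, and multicast) is an assumption, since the notes do not list them, and all function names are mine.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Construct an Ethernet II + ARP frame for testing (oper 1 = request, 2 = reply)."""
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                      IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)
    return eth + arp


def _suspect_ip(raw: bytes) -> bool:
    # Assumption: these are the addresses the "ip" validation treats as invalid.
    ip = IPv4Address(raw)
    return ip in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or ip.is_multicast


def dai_validate(frame: bytes, checks=("src-mac", "dst-mac", "ip")) -> list:
    """Return the names of the enabled checks the frame fails (an empty list means it passes)."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    failed = []
    if "src-mac" in checks and eth_src != sha:          # Ethernet source vs ARP sender MAC
        failed.append("src-mac")
    if "dst-mac" in checks and oper == 2 and eth_dst != tha:   # replies only: dest vs target MAC
        failed.append("dst-mac")
    if "ip" in checks and (_suspect_ip(spa) or (oper == 2 and _suspect_ip(tpa))):
        failed.append("ip")                              # sender IP always, target IP in replies
    return failed


# Constructed sample frames: a consistent reply, a reply whose Ethernet source
# disagrees with the ARP sender MAC, and a request with a 0.0.0.0 sender IP.
GOOD_REPLY = build_arp("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", 2,
                       "aa:bb:cc:dd:ee:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.50")
MISMATCHED_REPLY = build_arp("00:11:22:33:44:55", "aa:bb:cc:dd:ee:99", 2,
                             "aa:bb:cc:dd:ee:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.50")
ZERO_IP_REQUEST = build_arp("ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:02", 1,
                            "aa:bb:cc:dd:ee:02", "0.0.0.0", "00:00:00:00:00:00", "10.0.0.1")
```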
Best Practices for Securing Switches
Configure secure passwords
Use system banners
Secure the web interface
Secure the switch console
Secure virtual terminal Access
Use SSH whenever possible
Secure SNMP Access
Secure unused switch ports
Secure STP operation
Secure the use of CDP
Switch(config)# vlan access-map map-name [sequence-number]
Switch(config-access-map)# match ip address {acl-number | acl-name}
Switch(config-access-map)# match ipx address {acl-number | acl-name}
Switch(config-access-map)# match mac address acl-name
Switch(config-access-map)# action {drop | forward [capture] | redirect type mod/num}
Switch(config)# vlan filter map-name vlan-list vlan-list
Securing VLAN Trunks
Switch Spoofing
VLAN Hopping