
Dansk Data Sikkerhed · Web view 2017. 11. 8. · Port access control list (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel port. PACLs perform access control

CCNP “Guld” Switch 300-115 Commands

Table of Contents
CAM Table - (Chapter 2) ... 6
Verify CAM Table ... 7
Clear Mac Table ... 7
TCAM Table - (Chapter 2) ... 7
VLAN – (Chapter 3) ... 7
Vlan database file ... 7
Ranges ... 7
Configure Vlan ... 7
Verify VLANs ... 8
Locally Deactivate a VLAN ... 8
Globally Suspend/Activate a Vlan ... 8
Verify vlan state ... 8
Dynamic Trunking Protocol (DTP) - (Chapter 3) ... 8
DTP Modes ... 8
Trunk between a DTP device and a non-DTP device ... 9
Verify Trunks ... 9
Allow Vlans on a Trunk ... 9
Set native Vlan ... 9
VTP - (Chapter 3) ... 9
VTP database file ... 10
VTP Revision number ... 10
VTP Server configuration ... 10
VTP Client configuration ... 10
Verify VTP ... 10
VTP v3 configuration ... 11
VTP v3 password ... 11
Etherchannel – (Chapter 3) ... 11
L2 Link Aggregation With PAgP ... 11
L3 Link Aggregation With PAgP ... 11
Link Aggregation With LACP ... 12
EtherChannel Guard ... 12
Verify Etherchannel ... 12
STP – (Chapter 4) ... 13
STP Variants ... 13
STP Root Election Process ... 13
Set STP Cost ... 13
STP 802.1D States and Timers ... 13
Propagate new timers ... 14
STP Portfast ... 14
STP BPDU Guard ... 14
STP UplinkFast ... 14
STP BackboneFast ... 14
STP Root Guard ... 14
STP Loop Guard ... 14
STP BPDU Filter ... 15
STP Unidirectional Link Detection (UDLD) ... 15
Verify STP ... 15
Cisco Storm Control – (Chapter 4) ... 15
PVST (Per-VLAN Spanning Tree Protocol) – (Chapter 4) ... 16
PVST+ configuration ... 16
Verify PVST+ ... 16
RSTP (Rapid Spanning Tree Protocol) – (Chapter 4) ... 16
Port States ... 16
RSTP Port Roles ... 17
RSTP Port Types ... 17
MST (Multiple Spanning Tree) – (Chapter 4) ... 17
Enable MST ... 17
MST configuration ... 17
Verify MST ... 18
MST and VTP 3 ... 18
Inter-VLAN Routing – (Chapter 5) ... 18
Sub-interface configuration ... 18
SVI address configuration ... 19
Enable routing ... 19
Multilayer Switch Routed Port Configuration ... 19
Verify routing / SVI ... 19
L3 Etherchannel – (Chapter 5) ... 20
L3 Etherchannel configuration ... 20
CEF (Cisco Express Forwarding) ... 20
CEF Adjacencies ... 20
Verify CEF ... 21
DHCPv4 Configuration ... 21
Dynamic configuration ... 21
Manual Configuration ... 22
IPv4 Helper Addresses ... 22
Verify ... 22
IPv6 (fuck) – (Chapter 5) ... 22
Stateless DHCPv6 configuration ... 22
Stateful DHCPv6 configuration ... 23
DHCPv6 Relay Agent ... 23
Verify ... 23
HSRP (Hot Standby Routing Protocol) – (Chapter 6) ... 24
HSRP Summary ... 24
Ports ... 24
HSRP Group Members ... 24
HSRP Virtual Router MAC Address ... 24
HSRP Active configuration ... 25
HSRP Standby configuration ... 25
HSRP Load-sharing configuration ... 25
Verify HSRP ... 26
HSRP Authentication ... 27
MLS HSRP Configuration ... 27
HSRP Tracking Object ... 27
VRRP (Virtual Router Redundancy Protocol) – (Chapter 6) ... 28
VRRP Summary ... 28
VRRP Configuration – Virtual Interface ... 29
VRRP Configuration – Physical Interface ... 29
GLBP (Gateway Load Balancing Protocol) – (Chapter 6) ... 30
GLBP Summary ... 30
GLBP Virtual Router MAC Address ... 30
GLBP configuration ... 31
GLBP Authentication ... 31
GLBP Load Balancing ... 32
GLBP Weighting Configuration ... 32
GLBP and STP Optimisation ... 33
GLBP Verification ... 33
FHRP for IPv6 – (Chapter 6) ... 33
Summary ... 33
HSRP IPv6 configuration ... 33
Verify HSRP IPv6 ... 34
GLBP IPv6 configuration ... 35
Verify GLBP IPv6 ... 36
Syslog – (Chapter 7) ... 36
Summary ... 36
Syslog Default Configuration ... 36
Syslog Server Configuration ... 37
Set Timestamp ... 37
Verify ... 37
NTP (Network Time Protocol) – (Chapter 7) ... 37
Summary ... 37
NTP modes ... 38
Set Clock ... 38
NTP Configuration Example ... 39
NTP Broadcast Service ... 39
NTP Access-Control ... 39
Simple Network Time Protocol (SNTP) ... 40
Verify ... 40
NTPv4 for IPv6 ... 40
NTPv4 IPv6 Multicast Service ... 41
NTPv4 IPv6 Access Control ... 41
SNMP – (Chapter 7) ... 41
SNMP Security models ... 42
SNMPv2c Configuration ... 42
SNMPv3 configuration ... 42
AAA (Authentication, Authorisation, Accounting) – (Chapter 7) ... 43
Summary ... 43
AAA Authentication configuration ... 43
AAA Authorization commands ... 44
Local AAA Authentication/Authorisation configuration ... 44
AAA Accounting commands ... 45
AAA and 802.1x configuration ... 45
Verify ... 45
CDP – Cisco Discovery Protocol – (Chapter 8) ... 46
Verify ... 46
LLDP (Link Layer Discovery Protocol) – (Chapter 8) ... 46
Global LLDP activation & configuration ... 46
Interface LLDP activation ... 46
LLDP-MED for VoIP configuration ... 46
Verify ... 46
Power over Ethernet (PoE) – (Chapter 8) ... 47
Versions ... 47
802.3af (Power allocated) ... 47
PoE configuration ... 47
Verify ... 48
SDM (Switching Database Management) – (Chapter 8) ... 48
Template types ... 48
Change SDM Template ... 48
Verify ... 48
SPAN – (Chapter 8) ... 49
Local SPAN configuration ... 49
Configure RSPAN ... 49
IP SLA with Responder configuration ... 50
IP SLA Echo Test configuration ... 50
IP SLA Voice Quality Measurement configuration ... 50
Verify ... 51
NSF – (Nonstop Forwarding) – (Chapter 9) ... 51
NSF configuration ... 51
Switch device and protocol security – (Chapter 10) ... 52
Summary ... 52
Secure unused switch ports ... 52
Port Security ... 52
Port Security: Violation ... 52
Automatic Error Recovery ... 53
Verify ... 53
DHCP Snooping / Spoofing ... 53
DHCP Snooping configuration ... 53
Verify ... 54
IP Address Spoofing & IP Source Guard – (Chapter 10) ... 54
IP Source Guard configuration ... 54
Verify ... 54
ARP Spoofing – (Chapter 10) ... 55
Dynamic ARP Inspection configuration ... 55
Dynamic ARP Inspection Static configuration ... 55
Cisco Access Control Lists – (Chapter 10) ... 55
Different ACLs ... 55
ACL to block traffic ... 56
VLAN map to block and forward traffic ... 56
Apply Vlan map to VLAN ... 56
Protected Ports – (Chapter 10) ... 56
Protected ports configuration ... 56
Create Private VLANs ... 57
Populate Private VLANs ... 57
Verify ... 57

CAM Table - (Chapter 2)


Verify CAM Table

ALS1#show mac address-table

ALS1#sh mac address-table dynamic

ALS1#show mac address-table count

Clear MAC Table

ALS1#clear mac address-table dynamic

TCAM Table - (Chapter 2)

SW1#show platform tcam utilization

VLAN – (Chapter 3)

VLAN database file

The configuration for the VLAN database is stored in flash memory and is called vlan.dat

Ranges

1 – 1005, Normal Range

1002 – 1005, Token Ring / FDDI VLANs

1, 1002, 1005 are created automatically and cannot be deleted

1025 – 4094, Extended Range

Configure VLAN

S1# configure terminal

S1(config)# vlan <Value>

S1(config-vlan)# name <Word>

S1(config-vlan)# exit

S1(config)#int fa <number>

S1(config-if)#switchport mode access

S1(config-if)# switchport access vlan <value>


Verify VLANs

S1#show vlan

S1# show vlan id 20

S1# show vlan name Data

S1# show interfaces FastEthernet 0/18 switchport

Switch# show running-config interface Fa0/18

Locally Deactivate a VLAN

S1(config)#shutdown vlan 110

Globally Suspend/Activate a VLAN

DLS1(config)#vlan 110

DLS1(config-vlan)#state suspend <or active>

Verify VLAN state

DLS1# show vlan brief | include suspended <or active>

Dynamic Trunking Protocol (DTP) - (Chapter 3)

DTP Modes

S1(config-if)#switchport mode access

permanent non-trunking mode, regardless of neighbouring interface settings.

S1(config-if)#switchport mode trunk

permanent trunking mode, regardless of neighbouring interface settings.

S1(config-if)#switchport mode dynamic desirable

actively tries to convert the port to a trunk if the neighbouring interface is set to trunk, desirable or auto.

S1(config-if)#switchport mode dynamic auto

port is willing to convert to a trunk if neighbouring interface is set to trunk or desirable.

S1(config-if)#switchport nonegotiate


port does not generate DTP frames, and must be manually configured.

Trunk between a DTP device and a non-DTP device

S1(config-if)#switchport mode trunk

S1(config-if)#switchport nonegotiate

Verify Trunks

S1#show interface trunk

S1# show interfaces FastEthernet 0/1 switchport

S1# show interfaces FastEthernet 0/1 trunk

Allow VLANs on a Trunk

S1(config)#interface range fa0/1 - 2

S1(config-if-range)#switchport trunk allowed vlan 20

S1(config-if-range)#switchport trunk allowed vlan 1,20

Set native VLAN

S1(config-if)#switchport trunk native vlan 999

VTP - (Chapter 3)

VTP database file

The VTP configuration is stored in the vlan.dat file in flash memory.


VTP Revision number

A 32-bit number that indicates the revision level of a VTP frame

Default is 0

Each time a VLAN is added or removed, the revision number is incremented.

A VTP domain name change resets the revision number to 0

VTP Server configuration

DLS1(config)#vtp mode server

DLS1(config)#vtp domain cisco2

DLS1(config)#vtp password cisco123

DLS1(config)#vtp version 2

VTP Client configuration

ALS1(config)#vtp version 2

ALS1(config)#vtp mode client

ALS1(config)#vtp domain cisco2

ALS1(config)#vtp password cisco123

Verify VTP

DLS1#show vtp status

DLS1#show vtp password


VTP v3 configuration

DLS1(config)#vtp version 3

DLS1#vtp primary vlan

VTP v3 password

DLS1(config)#vtp password Cisco hidden

DLS1#show vtp password

Etherchannel – (Chapter 3)

PAgP (Cisco protocol)

LACP

L2 Link Aggregation With PAgP

S1(config)#interface range fa0/1 - 2

S1(config-if-range)#channel-protocol pagp

S1(config-if-range)#channel-group 1 mode on

S1(config)#int po1

S1(config-if)#switchport mode trunk

S1(config-if)#switchport trunk native vlan 999

S1(config-if)#switchport trunk allowed vlan 10,20,30

L3 Link Aggregation With PAgP

S1(config)#interface range fa0/1 - 2

S1(config-if-range)#no switchport

S1(config-if-range)#channel-group 1 mode desirable

S1(config-if-range)#interface port-channel 1

S1(config-if)#no switchport


S1(config-if)#ip address 10.0.0.1 255.255.255.0

Link Aggregation With LACP

**Based on 1-10 links between 2 switches, where all are placed in one pool and 9-10 are selected as active, so the others can take over if they fail**

S1(config)#lacp system-priority 100

S1(config)#interface range fa0/1 - 8

S1(config-if-range)#channel-protocol lacp

S1(config-if-range)#channel-group 1 mode active

S1(config-if-range)#lacp port-priority 100

S1(config-if-range)#interface range fa0/9 - 10

S1(config-if-range)#channel-protocol lacp

S1(config-if-range)#channel-group 1 mode active

EtherChannel Guard

EtherChannel guard is enabled by default and detects EtherChannel misconfiguration if the switches run PVST+ or MSTP.

Disable EtherChannel Guard

S1(config)#no spanning-tree etherchannel guard misconfig

Verify EtherChannel

S1#show etherchannel summary

STP – (Chapter 4)


STP Variants

• 802.1D-1998: legacy standard for bridging and STP. Uses Common Spanning Tree (CST) for the entire switched network, regardless of the number of VLANs.

• PVST+: Cisco enhancement of STP that provides a separate 802.1D STP instance for each configured VLAN.

• 802.1w (RSTP): improved convergence over 802.1D-1998, incorporating Cisco STP enhancements. Uses CST.

• 802.1D-2004: Updated version of STP incorporating 802.1w.

• Rapid PVST+: Cisco enhancement of RSTP using PVST+

• 802.1s (MSTP): Uses RSTP to map multiple VLANs into separate instances.

STP Root Election Process

1. Lowest root Bridge ID (BID)

2. Lowest path cost to root bridge

3. Lowest sender bridge ID

4. Lowest sender port ID

Set STP Cost

S3(config)#int fa0/1

S3(config-if)#spanning-tree cost 25

• The cost value can be between 1 and 200,000,000

STP 802.1D States and Timers

Blocking - (max age = 20 secs)

Listening - (forward delay = 15 secs)

Learning - (forward delay = 15 secs)

Forwarding


Propagate new timers

S1(config)#spanning-tree vlan 10 root primary diameter 4

STP Portfast

S3(config)#int fa0/8

S3(config-if)#spanning-tree portfast

or

S3(config)#spanning-tree portfast default

STP BPDU Guard

S3(config)#int fa0/8

S3(config-if)#spanning-tree bpduguard enable

or

S3(config)#spanning-tree portfast bpduguard default

STP UplinkFast

S3(config)#spanning-tree uplinkfast | max-update-rate

STP BackboneFast

S3(config)#spanning-tree backbonefast

STP Root Guard

S4(config-if)#spanning-tree guard root

Check with the command

S4#sh spanning-tree inconsistentports

STP Loop Guard

S4(config-if)#spanning-tree guard loop

Applies to the interface

S4(config)#spanning-tree loopguard default

Applies to all ports


STP BPDU Filter

S3(config-if)#spanning-tree bpdufilter enable | disable

Applies to the interface

S3(config)#spanning-tree portfast bpdufilter default

Applies to all ports

STP Unidirectional Link Detection (UDLD)

S3(config-if)# udld port aggressive

Applies to the interface

S3(config)#udld enable | aggressive | message time

Applies to all ports

Check with the command

ALS1#sh udld

Verify STP

DLS1#show spanning-tree

Cisco Storm Control – (Chapter 4)

S1(config)# int range fa0/1 - 4

S1(config-if-range)# storm-control broadcast level 50

S1(config-if-range)# storm-control action shutdown

PVST (Per-VLAN Spanning Tree Protocol) – (Chapter 4)


PVST+ configuration

S1(config)#spanning-tree vlan 10 root primary

S1(config)#spanning-tree vlan 20 root secondary

S1(config)#spanning-tree vlan 10 priority 4096

S1(config)#spanning-tree vlan 20 priority 8192

S2(config)#spanning-tree vlan 20 root primary

S2(config)#spanning-tree vlan 10 root secondary

S2(config)#spanning-tree vlan 20 priority 4096

S2(config)#spanning-tree vlan 10 priority 8192

Verify PVST+

S1#show spanning-tree vlan 10

RSTP (Rapid Spanning Tree Protocol) – (Chapter 4)

Port States

Operational Port State   802.1D STP Port State   802.1w RSTP Port State

Enabled                  Blocking                Discarding

Enabled                  Listening               Discarding

Enabled                  Learning                Learning

Enabled                  Forwarding              Forwarding

Disabled                 Disabled                Discarding


RSTP Port Roles

• Alternative port: switch port that offers an alternative path toward the root bridge.

• The alternative port assumes a discarding state in a stable, active topology.

• Backup port: additional switch port on the designated switch with a redundant link to the segment for which the switch is designated.

• A backup port has a higher port ID than the designated port on the designated switch.

• The backup port assumes the discarding state in a stable, active topology.

RSTP Port Types

• RSTP considers every switch port to be one of the following types:

1. Edge Port – a port at the ‘edge’ of the network, connecting to a single host, that transitions immediately to the forwarding state when activated.

2. Root Port – the port that has the best cost to the root of the STP instance.

3. Point-to-Point Port (P2P) – any port that connects to another switch and becomes a designated port (non-edge). A quick handshake with the neighbouring switch, rather than a timer expiration, decides the port state.

MST (Multiple Spanning Tree) – (Chapter 4)

Enable MST

S1(config)#spanning-tree mode mst

MST configuration

S1(config)#spanning-tree mst configuration

S1(config-mst)#show current

S1(config-mst)#instance 1 vlan 1-500

S1(config-mst)#instance 2 vlan 501-1001

S1(config-mst)#name REGION12

S1(config-mst)#revision 1

S1(config-mst)#show pending


S1(config-mst)#exit

S1(config)#spanning-tree mst 1 root secondary

S1(config)#spanning-tree mst 2 root primary

Verify MST

S1#sh spanning-tree mst config

S1# sh spanning-tree mst 1

S1# sh spanning-tree mst detail

MST and VTP 3

VTP must be version 3 to share the MST database between switches

S3(config)#spanning-tree mode mst

S3(config)#vtp version 3

S3(config)#vtp mode server mst

S3(config)#end

Inter – VLAN Routing – (Chapter 5)

Sub-interface configuration

R1(config)#int fa0/0.10

R1(config-subif)#encap dot1q 10

R1(config-subif)#ip address 172.17.10.1 255.255.255.0

R1(config-subif)# int fa0/0.30

R1(config-subif)#encap dot1q 30

R1(config-subif)#ip address 172.17.30.1 255.255.255.0

R1(config-subif)#int fa0/0

R1(config-if)#no shut


SVI address configuration

S1(config)#int vlan 10

S1(config-if)#ip add 172.17.10.1 255.255.255.0

S1(config-if)#int vlan 20

S1(config-if)#ip add 172.17.20.1 255.255.255.0

S1(config-if)#int vlan 30

S1(config-if)#ip add 172.17.30.1 255.255.255.0

Enable routing

S1(config)#ip routing

S1(config)#exit

Multilayer Switch Routed Port Configuration

S1(config)#int fa0/5

S1(config-if)#no switchport

S1(config-if)#ip add 172.17.40.2 255.255.255.0

S1(config-if)#no sh

S1(config-if)#exit

S1(config)#router eigrp 1

S1(config-router)#network 172.17.40.2 0.0.0.0

Verify routing / SVI

S1#show ip route

S1# show interfaces vlan 20

L3 Etherchannel – (Chapter 5)


L3 EtherChannel configuration

S1(config)#int range fa0/2 - 3

S1(config-if-range)#no switchport

S1(config-if-range)#channel-group 1 mode on

S1(config-if-range)#exit

S1(config)#int port-channel 1

S1(config-if)#no switchport

S1(config-if)#ip add 10.1.20.1 255.255.255.0

CEF (Cisco Express Forwarding)

CEF Adjacencies

• Null adjacency: Packets destined for a null0 interface are dropped. This can be used as an effective form of access filtering.

• Glean adjacency: When a router is connected directly to several hosts via a broadcast network, the FIB table on the router maintains a prefix for the subnet rather than for the individual host prefixes. The subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific host, the adjacency database is gleaned for the specific prefix.

• Punt adjacency: Features that require special handling, or features that are not yet supported in conjunction with CEF switching paths, are forwarded to the next switching layer for handling. For example, the packet may require CPU processing. Features that are not supported are forwarded to the next-higher switching level.

• Discard adjacency: Packets are discarded – usually due to ACLs.

• Drop adjacency: Packets are dropped, but the prefix is checked. Used to kill packets during ‘ARP Throttling’.

Verify CEF

S1#sh ip cef

S1#sh ip cef fa0/1 detail

S1#sh adjacency fa0/1 detail

S1#show ip cef summary

S1#show ip cef vlan 10


S1# show adjacency

DHCPv4 Konfiguration

Dynamic configuration

S1(config)#interface vlan 10

S1(config-if)#ip address 10.0.0.254 255.255.255.0

S1(config)#ip dhcp excluded-address 10.0.0.250 10.0.0.254

S1(config)#ip dhcp pool VLAN_10

S1(dhcp-config)#network 10.0.0.0 255.255.255.0

S1(dhcp-config)#default-router 10.0.0.254

S1(dhcp-config)#lease 0 8 0

S1(dhcp-config)#dns-server 10.10.10.10

**

S1(dhcp-config)#option 150 ip 10.1.0.253 (This command is not required, but the option number can be changed to one of the following as needed)

**

Option Number   Function

43              Location of WLAN controller

69              Location of SMTP server

70              Location of POP3 server

150             Location of TFTP server for Cisco IP phones

Manual configuration

S1(config)#ip dhcp pool MAN_POOL

S1(dhcp-config)#host 10.0.0.1 255.255.255.0

S1(dhcp-config)#client-identifier 0100.1cc0.7d4a.d8

S1(dhcp-config)#default-router 10.0.0.254


IPv4 Helper Addresses

S1(config)#interface vlan 10

S1(config-if)#ip helper-address 172.24.1.9

Verify

S1# debug ip dhcp server packet

S1#show ip dhcp binding

S1#show ip dhcp server statistics

S1#show ip dhcp pool

Clear conflicts in the DHCP statistics

S1# clear ip dhcp conflict *

IPv6 (fuck) – (Chapter 5)

Stateless DHCPv6 configuration

DLS1(config)#ipv6 unicast-routing

DLS1(config)#ipv6 dhcp pool DLS1_LAN

DLS1(config-dhcpv6)#dns-server 2001:db8:1:1::2

DLS1(config-dhcpv6)#domain-name cisco.com

DLS1(config)#int vlan 10

DLS1(config-if)#ipv6 address 2001:db8:1:1::1/64

DLS1(config-if)#ipv6 dhcp server DLS1_LAN

DLS1(config-if)#ipv6 nd other-config-flag


Stateful DHCPv6 configuration

DLS1(config)#ipv6 unicast-routing

DLS1(config)#ipv6 dhcp pool DLS1_LAN

DLS1(config-dhcpv6)#address prefix 2001:db8:1:1::/64 lifetime infinite

DLS1(config-dhcpv6)#dns-server 2001:db8:1:1::2

DLS1(config-dhcpv6)#domain-name cisco.com

DLS1(config)#int vlan 10

DLS1(config-if)#ipv6 address 2001:db8:1:1::1/64

DLS1(config-if)#ipv6 nd prefix 2001:db8:1:1::/64 no-autoconfig | no-advertise

DLS1(config-if)#ipv6 dhcp server DLS1_LAN

DLS1(config-if)#ipv6 nd managed-config-flag

DHCPv6 Relay Agent

DLS1(config)#int gi0/0

DLS1(config-if)#ipv6 dhcp relay destination 2001:db8:cafe:1::6

Or if SVIs are used:

DLS1(config)#int vlan 10

DLS1(config-if)#ipv6 dhcp relay destination 2001:db8:cafe:1::6

Verify

DLS1#show ipv6 interface vlan 10

DLS1#show ipv6 dhcp pool

DLS1#show ipv6 dhcp binding


HSRP (Hot Standby Routing Protocol) – (Chapter 6)

HSRP Summary

• The group number can be from 0 – 255 (v1), 0-4095 (v2); Default is 0. HSRP supports a maximum of 16 groups.

• The priority value can be from 0 – 255; Default is 100. If no priority, router with highest IP address on HSRP interface becomes active.

• The hellotime can be from 1 – 255 seconds (15 to 999 msec); default is 3 seconds

• The holdtime can be from 1 – 255 (50 to 3000 msec); default is 10 seconds.

• Both Active and Standby devices send hellos.

• The track command default decrement of the priority is 10

Ports

Uses UDP port 1985 (v1) or 2029 (v2), multicast address 224.0.0.2 (v1) or 224.0.0.102 (v2), TTL=1

HSRP Group Members

• Active router: Does the forwarding of data packets and transmits hello messages to other routers informing them of its status.

• Standby router: Monitors the status of the active router and quickly begins forwarding packets in the event of an active router failure. Also sends hello messages.

• Virtual router: Represents a consistently available router with an IP address and a MAC address to the hosts on a network.

• Other routers: Monitor HSRP hello messages but do not respond. They function as normal routers that forward packets sent to them but do not forward packets addressed to the virtual router.

HSRP Virtual Router MAC Address

• Vendor ID (Vendor Code): The first three bytes of the MAC address.

• HSRP Code (HSRP well-known virtual MAC address): The next two bytes of the MAC address (always 07.AC for v1, 9F.F for v2).

• Group ID (HSRP group number in hex): The last bits of the MAC address. Because v2 supports more VLAN IDs, it requires more bits for group IDs.


HSRP Active configuration

R1(conf)#int fa0/0

R1(conf-if)#standby version 2

R1(conf-if)#standby 1 ip 192.168.10.1

R1(conf-if)#standby 1 priority 150

R1(conf-if)#standby 1 preempt

R1(conf-if)# standby 1 preempt delay min 225

R1(conf-if)#standby 1 track s0/0 55

R1(conf-if)#standby 1 timers msec 100 msec 300

HSRP Standby configuration

R2(conf)#int fa0/0

R2(conf-if)#standby version 2

R2(conf-if)#standby 1 ip 192.168.10.1

R2(conf-if)#standby 1 priority 100

R2(conf-if)#standby 1 preempt

R2(conf-if)# standby 1 preempt delay min 225

R2(conf-if)#standby 1 track s0/0 55

R2(conf-if)#standby 1 timers msec 100 msec 300

HSRP Load-sharing configuration

R1(conf)#int fa0/0.10

R1(conf-if)#ip address 192.168.10.2 255.255.255.0

R1(conf-if)#standby 10 ip 192.168.10.1

R1(conf-if)#standby 10 priority 150

R1(conf-if)#standby 10 preempt

R1(conf-if)#standby 10 track s0/0 55


R1(conf)#int fa0/0.20

R1(conf-if)#ip address 192.168.20.2 255.255.255.0

R1(conf-if)#standby 20 ip 192.168.20.1

R1(conf-if)#standby 20 priority 100

R1(conf-if)#standby 20 preempt

R1(conf-if)#standby 20 track s0/0 55

R2(conf)#int fa0/0.10

R2(conf-if)#ip address 192.168.10.3 255.255.255.0

R2(conf-if)#standby 10 ip 192.168.10.1

R2(conf-if)#standby 10 priority 100

R2(conf-if)#standby 10 preempt

R2(conf-if)#standby 10 track s0/0 55

R2(conf)#int fa0/0.20

R2(conf-if)#ip address 192.168.20.3 255.255.255.0

R2(conf-if)#standby 20 ip 192.168.20.1

R2(conf-if)#standby 20 priority 150

R2(conf-if)#standby 20 preempt

R2(conf-if)#standby 20 track s0/0 55

Verify HSRP

R1#show standby

HSRP Authentication

Plain-Text (not recommended):

DLS1(config)#int vlan 10

DLS1(config-if)#standby 10 authentication text cisco123


MD5 (Interface):

DLS1(config)#int vlan 10

DLS1(config-if)#standby 10 authentication md5 key-string 0 cisco123

MD5 (key-chain):

DLS1(config)#key chain HSRP_CHAIN

DLS1(config-keychain)#key 1

DLS1(config-keychain-key)#key-string 0 cisco123

DLS1(config)#int vlan 10

DLS1(config-if)#standby 10 authentication md5 key-chain HSRP_CHAIN

MLS HSRP Configuration

DLS1(config)#interface vlan 10

DLS1(config-if)#ip address 10.1.1.2 255.255.255.0

DLS1(config-if)#standby 10 ip 10.1.1.1

DLS1(config-if)#standby 10 priority 125

DLS1(config-if)#standby 10 preempt

DLS1(config-if)#standby 10 track fa0/23 20

DLS1(config-if)#standby 10 track fa0/24

HSRP Tracking Object

DLS1(config)#ip sla 18

DLS1(config-sla)#icmp-echo 10.9.9.1

DLS1(config-sla-echo)# frequency 10

DLS1(config)#ip sla schedule 18 start-time now life forever

DLS1(config)#track 90 ip sla 18 reachability

DLS1(config)# interface vlan 10


DLS1(config-if)# ip address 10.1.1.2 255.255.255.0

DLS1(config-if)# standby 10 ip 10.1.1.1

DLS1(config-if)# standby 10 priority 110

DLS1(config-if)# standby 10 preempt

DLS1(config-if)# standby 10 track 90 decrement 20

VRRP (Virtual Router Redundancy Protocol) – (Chapter 6)

VRRP Summary

• Like HSRP, VRRP is a FHRP, providing a default gateway redundancy service.

• RFC 2338, Uses IP protocol 112, multicast address 224.0.0.18, TTL=1

• Similar in functionality to HSRP, supporting preemption (enabled by default), object tracking and authentication. However, interface tracking is not supported.

• Cisco switches and routers support VRRP on Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces, MPLS VPNs and VLAN SVIs.

• Not currently supported across all Cisco switch platforms.

• Virtual MAC address = 0000.5e00.0101

• The group number can be from 0 – 255; Default is 100.

• The priority value can be from 1 – 254; Default is 100. If no priority, router with highest IP address becomes master. 0 is reserved for graceful shutdown, 255 used by physical interface.

• Only the Master sends advertisements, every 1 second by default (max 255 seconds).

• The master down interval: number of seconds for the backup to declare the master down. Default is 3 x hello interval + skew time.

• Skew time (S) = (256 - priority) / 256, ensures that the backup router with the highest priority becomes the new master.
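The master-down timing from the two bullets above, worked through in Python as an added example (not part of the original cheat sheet): skew time = (256 - priority) / 256 and master down interval = 3 x advertisement interval + skew time, which is what makes the highest-priority backup time out first. Function names are my own.

```python
"""VRRP master-down timing from the cheat sheet's formulas.

Added example, not part of the original cheat sheet. It applies
skew time = (256 - priority) / 256 and
master down interval = 3 x advertisement interval + skew time
to show why the highest-priority backup always takes over first.
Function names are my own.
"""


def vrrp_skew_time(priority: int) -> float:
    """Skew time in seconds; 1-254 are the configurable backup priorities."""
    if not 1 <= priority <= 254:
        raise ValueError("VRRP priority must be 1-254")
    return (256 - priority) / 256


def vrrp_master_down_interval(priority: int, advertise_interval: float = 1.0) -> float:
    """Seconds a backup waits without advertisements before declaring the master down."""
    return 3 * advertise_interval + vrrp_skew_time(priority)


def next_master(backups: dict, advertise_interval: float = 1.0) -> str:
    """Return the backup whose master-down timer expires first (ties broken by name)."""
    return min(
        sorted(backups),
        key=lambda router: vrrp_master_down_interval(backups[router], advertise_interval),
    )


if __name__ == "__main__":
    # Constructed topology: R1 is master (priority 150 in the sheet); R2 and R3 are backups.
    backups = {"R2": 100, "R3": 120}
    for name, prio in backups.items():
        print(name, prio, vrrp_master_down_interval(prio))
    print("next master:", next_master(backups))
    # With 'vrrp 1 timers advertise msec 500' the base is 1.5 s instead of 3 s.
    print("next master at 500 ms advertisements:", next_master(backups, 0.5))
```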

VRRP Configuration – Virtual Interface

Master

R1(conf)#int fa0/0


R1(conf-if)#vrrp 1 ip 192.168.10.1

R1(conf-if)#vrrp 1 priority 150

R1(conf-if)# vrrp 1 timers advertise msec 500

Backup

R2(conf)#int fa0/0

R2(conf-if)#vrrp 1 ip 192.168.10.1

R2(conf-if)#vrrp 1 priority 100

R2(conf-if)# vrrp 1 timers learn

VRRP Configuration – Physical Interface

Master

R1(conf)#int fa0/0

R1(conf-if)#ip add 192.168.10.1 255.255.255.0

R1(conf-if)#vrrp 1 ip 192.168.10.1

Backup

R2(conf)#int fa0/0

R2(conf-if)#vrrp 1 ip 192.168.10.1

GLBP (Gateway Load Balancing Protocol) – (Chapter 6)

GLBP Summary

• Active virtual gateway (AVG): Members of a GLBP group elect one gateway to be the AVG for that group. Other group members provide backup for the AVG if the AVG becomes unavailable. The AVG assigns a virtual MAC address to each member of the group (max of 4 virtual MAC addresses per group).

• Active virtual forwarder (AVF): Each gateway assumes responsibility for forwarding packets sent to the virtual MAC address assigned to it by the AVG. These gateways are known as AVFs.

• A GLBP group can contain 1 x AVG and 4 x AVF (AVG also fulfils AVF role).


• Standby Virtual Gateway (SVG) is automatically designated based on priority.

• Communication: GLBP group members communicate with each other using hello messages (TTL=1) sent every 3 seconds to the multicast address 224.0.0.102, port 3222 using UDP.

• The group number can be from 0 – 1023.

• The priority value can be from 1 – 255; Default is 100. If no priority, router with highest IP address on GLBP interface becomes AVG.

• The hellotime can be from 1 – 60 seconds (50 to 6000 msec); default is 3 seconds.

• The holdtime can be from 1 – 180 (70 to 180000 msec); default is 10 seconds.

• Weighting value controlling AVF operation can be 1 – 254, default is 100.

• Both AVG and AVF devices send hellos.

• The track command default decrement of the priority is 10

GLBP Virtual Router MAC Address

• Vendor ID (Vendor Code): The first three bytes of the MAC address.

• GLBP group ID (xx.xx): 6 x ‘0’ bits followed by the 10-bit GLBP group ID.

• AVF ID (yy): Virtual forwarder value (1-4).
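The virtual MAC layouts described here and in the HSRP Virtual Router MAC Address section above, computed and recognised in Python as an added example (not part of the original cheat sheet). The vendor prefixes 0000.0c (HSRP) and 0007.b4 (GLBP) are the Cisco values, which the sheet does not spell out, and the function names are my own; the inverse lookup is what you want when auditing an ARP or CAM table for unexpected gateway MACs.

```python
"""Derive and recognise HSRP/GLBP virtual MAC addresses from group numbers.

Added example, not part of the original cheat sheet. Layout follows the
"HSRP Virtual Router MAC Address" and "GLBP Virtual Router MAC Address"
notes; vendor prefixes 0000.0c (HSRP) and 0007.b4 (GLBP) are the Cisco
values and are assumed here, since the sheet does not spell them out.
"""

HSRP_VENDOR = bytes([0x00, 0x00, 0x0C])
GLBP_VENDOR = bytes([0x00, 0x07, 0xB4])


def _dotted(mac: bytes) -> str:
    """Render six bytes in Cisco dotted-hex notation, e.g. 0000.0c07.ac0a."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def hsrp_vmac(group: int, version: int = 1) -> str:
    """Virtual MAC for an HSRP group: 0000.0c07.acXX (v1) or 0000.0c9f.fXXX (v2)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        # HSRP code 07.AC, then the 8-bit group id
        return _dotted(HSRP_VENDOR + bytes([0x07, 0xAC, group]))
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be 0-4095")
        # HSRP code 9F.F: the nibble F and the 12-bit group id share the last two bytes
        tail = (0xF << 12) | group
        return _dotted(HSRP_VENDOR + bytes([0x9F]) + tail.to_bytes(2, "big"))
    raise ValueError("version must be 1 or 2")


def glbp_vmac(group: int, avf: int) -> str:
    """Virtual MAC for a GLBP forwarder: 0007.b4xx.xxyy (6 zero bits + 10-bit group, then AVF id)."""
    if not 0 <= group <= 1023:
        raise ValueError("GLBP group must be 0-1023")
    if not 1 <= avf <= 4:
        raise ValueError("AVF id must be 1-4")
    # group fits in 10 bits, so the top 6 bits of the two group bytes are always zero
    return _dotted(GLBP_VENDOR + group.to_bytes(2, "big") + bytes([avf]))


def classify_vmac(mac: str):
    """Inverse: identify the FHRP type, group and AVF from a MAC seen on the wire.

    Returns (protocol, group, avf) or None for a non-FHRP address.
    """
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    if raw[:5] == HSRP_VENDOR + bytes([0x07, 0xAC]):
        return ("HSRPv1", raw[5], None)
    if raw[:4] == HSRP_VENDOR + bytes([0x9F]) and raw[4] >> 4 == 0xF:
        return ("HSRPv2", ((raw[4] & 0x0F) << 8) | raw[5], None)
    if raw[:3] == GLBP_VENDOR and raw[3] >> 2 == 0 and 1 <= raw[5] <= 4:
        return ("GLBP", (raw[3] << 8) | raw[4], raw[5])
    return None


if __name__ == "__main__":
    for g in (1, 10, 255):
        print(f"HSRPv1 group {g:>4}: {hsrp_vmac(g, 1)}")
    for g in (10, 4095):
        print(f"HSRPv2 group {g:>4}: {hsrp_vmac(g, 2)}")
    for g, f in ((1, 1), (10, 4), (1023, 2)):
        print(f"GLBP group {g:>4} AVF {f}: {glbp_vmac(g, f)}")
    print(classify_vmac("0000.0c9f.f00a"))
```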

GLBP configuration

AVG + AVF

R1(conf)#int fa0/0

R1(conf-if)#glbp 1 ip 192.168.10.1

R1(conf-if)#glbp 1 priority 150

R1(conf-if)#glbp 1 preempt

R1(config-if)#glbp 1 preempt delay minimum 300

R1(config-if)#glbp 1 timers msec 200 msec 700


SVG + AVF

R2(conf)#int fa0/0

R2(conf-if)#glbp 1 ip 192.168.10.1

R2(conf-if)#glbp 1 priority 100

R2(conf-if)#glbp 1 preempt

R2(config-if)#glbp 1 preempt delay minimum 300

R2(config-if)#glbp 1 timers msec 200 msec 700

GLBP Authentication

Plain-Text (not recommended):

R1(config)#int Fa0/0

R1(config-if)#glbp 1 authentication text cisco123

MD5 (Interface):

R1(config)#int Fa0/0

R1(config-if)#glbp 1 authentication md5 key-string 0 cisco123

MD5 (key-chain):

R1(config)#key chain GLBP_CHAIN

R1(config-keychain)#key 1

R1(config-keychain-key)#key-string 0 cisco123

R1(config)#int Fa0/0

R1(config-if)#glbp 1 authentication md5 key-chain GLBP_CHAIN

GLBP Load Balancing

R1(conf-if)#glbp 1 load-balancing round-robin | weighted | host-dependent


• Round-robin load-balancing algorithm: As clients send ARP requests to resolve the MAC address of the default gateway, the reply to each client contains the MAC address of the next possible router in round-robin fashion. All routers’ MAC addresses take turns being included in address resolution replies for the default gateway IP address.

• Weighted load-balancing algorithm: The amount of load directed to a router is dependent upon the interface weighting value advertised by that router (provided interface tracking is not configured).

• Host-dependent load-balancing algorithm: A host is guaranteed to use the same virtual MAC address as long as that virtual MAC address is participating in the GLBP group.

GLBP Weighting Configuration

DLS1(config)#track 90 int fa0/24 line-protocol

DLS1(config)# track 91 int fa0/23 line-protocol

DLS1(config)#interface vlan 10

DLS1(config-if)#ip address 10.1.1.2 255.255.255.0

DLS1(config-if)#glbp 10 ip 10.1.1.1

DLS1(conf-if)#glbp 10 preempt

DLS1(conf-if)#glbp 10 load-balancing weighted

DLS1(config-if)#glbp 10 weighting 110 lower 85 upper 105

DLS1(config-if)#glbp 10 weighting track 90 decrement 10

DLS1(config-if)#glbp 10 weighting track 91 decrement 20

GLBP and STP Optimisation

1. Use Rapid STP (RSTP).

2. Configure Po1 as a L3 link.

3. Configure the link between DLS1 and DLS2 as an STP blocking port:

DLS2(config)#int po1

DLS2(config-if)#spanning-tree cost 2000

GLBP Verification

R1#show glbp brief


FHRP for IPv6 – (Chapter 6)

Summary

• HSRP for IPv4 and IPv6 are mutually exclusive.

• IPv6 hosts learn of available IPv6 routers through IPv6 neighbour discovery Router Advertisements (RA) messages.

• RA are multicast periodically by HSRP Active devices, or may be solicited by hosts.

• An HSRP IPv6 group has a virtual MAC address that is derived from the HSRP group number (0005.73a0.0xxx), and a virtual IPv6 link-local address that is, by default, derived from the HSRP virtual MAC address.

• HSRPv2 must be used to support IPv6.

• Hello messages multicast (FF02::66) to UDP port 2029.

• Supports authentication.

HSRP IPv6 configuration

DLS1(config)#interface vlan 10

DLS1(config-if)#ipv6 address 2001:DB8:CAFE:10::1/64

DLS1(config-if)#ipv6 address FE80::D1 link-local

DLS1(config-if)#standby version 2

DLS1(config-if)#standby 10 ipv6 autoconfig

DLS1(config-if)#standby 10 priority 150

DLS1(config-if)# standby 10 preempt

DLS1(config)#interface vlan 20

DLS1(config-if)#ipv6 address 2001:DB8:CAFE:20::1/64

DLS1(config-if)#ipv6 address FE80::D1 link-local

DLS1(config-if)#standby version 2

DLS1(config-if)#standby 20 ipv6 autoconfig


DLS1(config-if)#standby 20 preempt

DLS2(config)#interface vlan 10

DLS2(config-if)#ipv6 address 2001:DB8:CAFE:10::2/64

DLS2(config-if)#ipv6 address FE80::D2 link-local

DLS2(config-if)#standby version 2

DLS2(config-if)#standby 10 ipv6 autoconfig

DLS2(config-if)#standby 10 preempt

DLS2(config)#interface vlan 20

DLS2(config-if)#ipv6 address 2001:DB8:CAFE:20::2/64

DLS2(config-if)#ipv6 address FE80::D2 link-local

DLS2(config-if)#standby version 2

DLS2(config-if)#standby 20 ipv6 autoconfig

DLS2(config-if)#standby 20 priority 150

DLS2(config-if)#standby 20 preempt

Verify HSRP IPv6

DLS1# show standby

DLS1# show standby brief

GLBP IPv6 configuration

R1(config)#int Gi0/0

R1(config-if)#ipv6 address 2001:db8:cafe:10::1/64

R1(config-if)#ipv6 address FE80::1 link-local

R1(config-if)#glbp 10 ipv6 autoconfig

R1(config-if)#glbp 10 priority 200

R1(config-if)#glbp 10 preempt

R1(config-if)#glbp 10 weighting 200

R1(config-if)#glbp 10 load-balancing weighted

R2(config)#int Gi0/0

R2(config-if)#ipv6 address 2001:db8:cafe:10::2/64

R2(config-if)#ipv6 address FE80::2 link-local

R2(config-if)#glbp 10 ipv6 autoconfig

R2(config-if)#glbp 10 priority 150

R2(config-if)#glbp 10 preempt

R2(config-if)#glbp 10 weighting 100

R2(config-if)#glbp 10 load-balancing weighted

R3(config)#int Gi0/0

R3(config-if)#ipv6 address 2001:db8:cafe:10::3/64

R3(config-if)#ipv6 address FE80::3 link-local

R3(config-if)#glbp 10 ipv6 autoconfig

R3(config-if)#glbp 10 priority 120

R3(config-if)#glbp 10 preempt

R3(config-if)#glbp 10 weighting 100

R3(config-if)#glbp 10 load-balancing weighted

Verify GLBP IPv6

R1#show glbp

R1#show glbp brief

Syslog – (Chapter 7)


Summary

Syslog uses UDP port 514 to send event notification messages across IP networks to event message collectors.

Syslog Messages Severity

Severity Name    Severity Level    Explanation
Emergency        Level 0           System unusable
Alert            Level 1           Immediate action needed
Critical         Level 2           Critical condition
Error            Level 3           Error condition
Warning          Level 4           Warning condition
Notification     Level 5           Normal, but significant condition
Informational    Level 6           Informational message
Debugging        Level 7           Debugging message

Syslog Default Configuration

Log to DLS1 memory:

DLS1(config)#logging buffered 16384

DLS1(config)#logging buffered debugging

DLS1(config)#logging console warnings

Monitor logging:

DLS1#show logging

DLS1#clear logging

Syslog Server Configuration

DLS1(config)#logging on

DLS1(config)#logging host 10.1.50.1

DLS1(config)#logging source-interface Gi0/0

DLS1(config)#logging trap warnings

(logging trap 4 is equivalent: the keyword and the number both select severity 4 and more severe.)

DLS1(config)#no logging event link-status

DLS1(config)#logging console informational

DLS1(config)#service timestamps log datetime msec

DLS1(config)#service sequence-numbers

DLS1#clock set 10:23:00 23 April 2014
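The severity table and the logging trap level decide which messages actually reach the collector at 10.1.50.1: a message is forwarded only when its severity number is at or below the configured level. The Python below is an added example (not part of the original page or any Cisco tool) that parses IOS-format log lines of the shape %FACILITY-SEVERITY-MNEMONIC: text, optionally prefixed by the sequence number and timestamp that service sequence-numbers and service timestamps log datetime msec add, and applies that filter. The sample log lines are constructed for the example, and the PRI decoding assumes the default IOS syslog facility of local7 (23).

```python
import re
from typing import List, Optional, Tuple

# Severity table from this chapter: number -> name.
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notification", 6: "Informational", 7: "Debugging",
}
# IOS keywords accepted by `logging trap`, `logging console` and `logging buffered`.
LEVEL_KEYWORDS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Optional "seq: " and "*Mon DD hh:mm:ss.mmm: " prefixes, then the message body.
IOS_MSG = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?(?:(?P<ts>\*?[A-Z][a-z]{2}\s+\d+\s+[\d:.]+):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = """\
000014: *Apr 23 10:23:01.012: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to down
000015: *Apr 23 10:23:02.530: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
000016: *Apr 23 10:24:10.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.50.1)
000017: *Apr 23 10:25:00.777: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0009 on port FastEthernet0/1.
000018: *Apr 23 10:25:30.404: %SYS-7-USERLOG_DEBUG: Logged from CLI by admin
"""


def parse_ios_log_line(line: str) -> Optional[dict]:
    """Split one IOS log line into its fields; None if it is not an IOS message."""
    m = IOS_MSG.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    fields["severity_name"] = SEVERITY_NAMES[fields["severity"]]
    return fields


def level_number(level) -> int:
    """Accept either the numeric level or the IOS keyword (warnings == 4)."""
    return level if isinstance(level, int) else LEVEL_KEYWORDS[level]


def forwarded_messages(log_text: str, trap_level) -> List[str]:
    """Which messages `logging trap <level>` would send to the syslog host:
    everything whose severity number is <= the level (i.e. at least that severe)."""
    limit = level_number(trap_level)
    forwarded = []
    for line in log_text.splitlines():
        msg = parse_ios_log_line(line)
        if msg and msg["severity"] <= limit:
            forwarded.append(f"%{msg['facility']}-{msg['severity']}-{msg['mnemonic']}")
    return forwarded


def decode_pri(pri: int) -> Tuple[int, str]:
    """Decode the <PRI> value of a syslog datagram: PRI = facility * 8 + severity.
    IOS uses facility local7 (23) unless `logging facility` changes it."""
    return pri // 8, SEVERITY_NAMES[pri % 8]


if __name__ == "__main__":
    print(forwarded_messages(SAMPLE_LOG, "warnings"))
```

With logging trap warnings only the LINK-3 and PORT_SECURITY-2 lines above reach the server; the CONFIG_I notification (level 5) stays in the local buffer. For security monitoring that is often the wrong trade-off, since configuration changes and most AAA and port-security events are logged at level 5 or 6, so the trap level on devices that feed a SIEM is usually set to informational.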

Set Timestamp

ALS1#clock set 10:23:00 23 April 2014

Or

R1(config)#ntp master 5

ALS1(config)#ntp server 192.168.1.254

Verify

DLS1#show logging

NTP (Network Time Protocol) – (Chapter 7)

Summary

• NTP is a protocol designed to time-synchronise a network of machines. NTP runs over UDP port 123, which in turn runs over IP.

• NTP is an Internet standard protocol currently at v4, specified in RFC 1305 (v3, IPv4 only) and RFC 5905 (v4, IPv4 and IPv6).

• An NTP network usually obtains the time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network.

• NTP is extremely efficient; no more than one packet per minute is necessary to synchronise two machines to within 1 ms of one another.

• NTP uses the concept of a stratum to describe how many NTP “hops” away a machine is from an authoritative time source.

• A stratum 1 time server typically has a radio or atomic clock directly attached; a stratum 2 time server receives the time via NTP from a stratum 1 time server, and so on.

• A machine that runs NTP automatically chooses the machine with the lowest stratum number to communicate with via NTP as its time source. This strategy effectively builds a self-organising tree of NTP speakers.

NTP modes

Server                Will sync with NTP devices in a lower or higher stratum, but will only act as a source to devices in a lower stratum.
Client                Synchronises with an NTP server.
Peer                  Exchanges time information with another peer (can act as a server or a client).
Broadcast/Multicast   Acts as an NTP server, but pushes time info to any listening device.

Set Clock

ALS1#clock set 10:23:00 20 Jan 2015

ALS1(config)#clock timezone GMT 0 0

DLS1(config)#clock summer-time GMT date 29 March 2015 01:00 25 Oct 2015 01:00

ALS1#show clock

ALS1#10:23:01.011 UTC Fri Jan 30 2015

NTP Configuration Example

R1(config)#ntp master 5

R1(config)#ntp authenticate

R1(config)#ntp trusted-key 1

R1(config)#ntp authentication-key 1 md5 cisco123

R1(config)#ntp source loopback 0

DLS1(config)#ntp authenticate

DLS1(config)#ntp trusted-key 1

DLS1(config)#ntp authentication-key 1 md5 cisco123

DLS1(config)#ntp server 172.16.0.1

DLS1(config)#ntp peer 172.16.20.1

DLS1(config)#ntp source loopback 0

DLS2(config)#ntp authenticate

DLS2(config)#ntp trusted-key 1

DLS2(config)#ntp authentication-key 1 md5 cisco123

DLS2(config)#ntp peer 172.16.10.1

DLS2(config)#ntp source loopback 0
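The three commands ntp authentication-key, ntp trusted-key and ntp authenticate together make a device accept time only from packets carrying a valid MAC under a trusted key. The Python below is an added example (not from this page, Cisco or any NTP implementation) of what that check looks like on the wire: the sender appends a key identifier and an MD5 digest over the key and the 48-byte NTP header, and the receiver recomputes it. It assumes the symmetric-key scheme of RFC 5905 (MAC = MD5(key || header)) with the key taken as the ASCII string from the configuration; all packet values are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Set

NTP_HEADER_LEN = 48          # fixed NTPv4 header (RFC 5905)
NTP_MD5_MAC_LEN = 4 + 16     # key identifier + MD5 digest


def build_client_packet(transmit_ts: int = 0) -> bytes:
    """Minimal NTPv4 client request: LI=0, VN=4, mode=3, all other fields zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack("!BBBbIIIQQQQ", li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts)


def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """Symmetric-key NTP authenticator: MD5 over key || first 48 bytes of the packet."""
    return hashlib.md5(key + header[:NTP_HEADER_LEN]).digest()


def sign_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key identifier and MAC, as a device with `ntp authentication-key` does."""
    return header[:NTP_HEADER_LEN] + struct.pack("!I", key_id) + ntp_md5_mac(key, header)


def verify_packet(packet: bytes, keys: Dict[int, bytes], trusted_keys: Set[int]) -> bool:
    """Receiver side with `ntp authenticate` on: the packet must carry a MAC made
    with a key that is both configured and listed under `ntp trusted-key`."""
    if len(packet) != NTP_HEADER_LEN + NTP_MD5_MAC_LEN:
        return False  # unauthenticated or malformed packet: rejected when authentication is on
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    if key_id not in trusted_keys or key_id not in keys:
        return False
    expected = ntp_md5_mac(keys[key_id], packet)
    return hmac.compare_digest(expected, packet[NTP_HEADER_LEN + 4:])


def demo() -> dict:
    """Mirror the page's configuration: key 1, MD5, password cisco123 (constructed values)."""
    keys = {1: b"cisco123"}
    trusted = {1}
    good = sign_packet(build_client_packet(transmit_ts=0x1234567800000000), 1, keys[1])
    tampered = bytearray(good)
    tampered[40] ^= 0x01                      # flip one bit inside the transmit timestamp
    wrong_key = sign_packet(build_client_packet(), 1, b"notthekey")
    return {
        "good": verify_packet(good, keys, trusted),
        "tampered": verify_packet(bytes(tampered), keys, trusted),
        "wrong_key": verify_packet(wrong_key, keys, trusted),
        "untrusted_key_id": verify_packet(good, keys, set()),   # key configured but not trusted
        "no_mac": verify_packet(build_client_packet(), keys, trusted),
    }


if __name__ == "__main__":
    print(demo())
```

Two points follow directly from the code: the key appears in the digest, never on the wire, so this authenticates the peer and protects integrity but does not hide the timestamps; and a key that is configured but not listed under ntp trusted-key is useless for accepting time, which is the usual reason an authenticated association stays unsynchronised in show ntp associations.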

NTP Broadcast Service

R1(config)#interface Gi0/0

R1(config-if)#ntp broadcast version 4

R2(config)#interface Gi0/0

R2(config-if)#ntp broadcast client

NTP Access-Control

R1(config)#access-list 1 permit 127.127.1.1

R1(config)#access-list 2 permit 172.16.0.0 0.0.255.255

R1(config)#ntp access-group peer 1

R1(config)#ntp access-group serve 2

R1(config)#ntp source loopback 0

Simple Network Time Protocol (SNTP)

ALS1(config)#sntp authenticate

ALS1(config)#sntp trusted-key 1

ALS1(config)#sntp authentication-key 1 md5 cisco123

ALS1(config)#sntp server 172.16.0.1

Verify

DLS1#show ntp status

DLS1#show ntp associations

ALS1#show sntp

R1#show ntp information

NTPv4 for IPv6

R1(config)#ntp master 5

R1(config)#ntp authenticate

R1(config)#ntp trusted-key 1

R1(config)#ntp authentication-key 1 md5 cisco123

R1(config)#ntp source loopback 0

DLS1(config)#ntp authenticate

DLS1(config)#ntp trusted-key 1

DLS1(config)#ntp authentication-key 1 md5 cisco123

DLS1(config)#ntp server 2001:db8:cafe:a1::1 version 4

DLS1(config)#ntp peer 2001:db8:cafe:a3:1::1

DLS1(config)#ntp source loopback 0

DLS2(config)#ntp authenticate

DLS2(config)#ntp trusted-key 1

DLS2(config)#ntp authentication-key 1 md5 cisco123

DLS2(config)#ntp peer 2001:db8:cafe:a2::1 version 4


DLS2(config)#ntp source loopback 0

NTPv4 IPv6 Multicast Service

DLS1(config)#interface range Fa0/1

DLS1(config-if-range)#ntp multicast FF02::1:FF0E:8C6C version 4

ALS1(config)#interface range Fa0/1

ALS1(config-if-range)#ntp multicast client FF02::1:FF0E:8C6C

NTPv4 IPv6 Access Control

R1(config)#ipv6 access-list NTP

R1(config-ipv6-acl)#permit udp 2001:DB8:CAFE::/48 2001:DB8:CAFE:A1::/64 eq ntp

R1(config)#ntp access-group ipv6 serve NTP kod

The optional kiss-of-death (kod) command allows the NTP server to inform clients blocked by the ACL that they have been denied access.

SNMP – (Chapter 7)

SNMP Security models

Security Model   Security Level   Authentication Strategy   Encryption Type
SNMPv1           noAuthNoPriv     Community string          None
SNMPv2c          noAuthNoPriv     Community string          None
SNMPv3           noAuthNoPriv     Username                  None
SNMPv3           authNoPriv       MD5 or SHA-1              None
SNMPv3           authPriv         MD5 or SHA-1              DES, 3DES, AES

• noAuthNoPriv (no authentication, no privacy): uses a username for authentication.


• authNoPriv (authentication, no privacy): authentication using MD5 or SHA Hashed Message Authentication Code (HMAC).

• authPriv (authentication, privacy): authentication using MD5 or SHA HMAC, privacy via encryption.

SNMPv2c Configuration

R1(config)#ip access-list standard SNMP_ACL

R1(config-std-nacl)#permit 10.1.50.1

R1(config)#snmp-server community cisco ro SNMP_ACL

R1(config)#snmp-server community cisco123 rw SNMP_ACL

R1(config)#snmp-server host 10.1.50.1 version 2c cisco

R1(config)#snmp-server host 10.1.50.1 informs version 2c cisco

R1(config)#snmp-server enable traps ?

R1(config)#snmp-server ifindex persist

R1(config)#snmp-server location NOC_SNMP_MANAGER

R1(config)#snmp-server contact [email protected]

SNMPv3 Configuration

R1(config)#ip access-list standard SNMP_ACL

R1(config-std-nacl)#permit 10.1.50.1

R1(config)#snmp-server group SNMP_1 v3 priv access SNMP_ACL

R1(config)#snmp-server user netadmin SNMP_1 v3 auth sha cisco123 priv aes 128 cisco123

R1(config)#snmp-server traps enable

R1(config)#snmp-server host 10.1.50.1 informs version 3 priv netadmin

Verify

R1#show snmp

R1#show snmp community

R1#show snmp group

R1#show snmp user

AAA (Authentication, Authorisation, Accounting) – (Chapter 7)

Summary

• Authentication - Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption. RADIUS combines authentication and authorisation, whereas TACACS+ decouples them.

• Authorisation - Provides the method for remote access control, including one-time authorisation or authorisation for each service. RADIUS does not allow specification (or enforcement) of which commands can and cannot be executed on a router, whereas TACACS+ does.

• Accounting - Provides the method for collecting and sending security server information used for billing, auditing, and reporting. RADIUS has extensive accounting capabilities, while TACACS+ has limited accounting capabilities.

AAA Authentication configuration

Configure TACACS+

S1(config)#aaa new-model

S1(config)#tacacs-server host 192.168.229.76 single-connection

S1(config)#tacacs-server key ciscosecret

Configure RADIUS

S1(config)#aaa new-model

S1(config)#radius-server host 192.168.229.76 auth-port 1812

S1(config)#radius-server key ciscosecret

The aaa authentication login command in global configuration mode enables the AAA authentication process. The methods listed after the list name are tried in order (here 1st: group radius, 2nd: local, 3rd: line):

S1(config)#aaa authentication login default group radius local line

S1(config)#aaa authentication login TELNET_LINES group radius

S1(config)#line console 0

S1(config-line)#login authentication default

S1(config-line)#line vty 0 15

S1(config-line)#login authentication TELNET_LINES

AAA Authorization commands

S1(config)#aaa authorization exec default group tacacs+ local none

S1(config)#enable secret class

S1(config)#aaa authorization commands 15 default if-authenticated group tacacs+

S1(config)#aaa authorization exec default group radius local

S1(config)#enable secret class

Local AAA Authentication/Authorisation configuration

S1(config)#aaa new-model

S1(config)#username admin privilege 15 secret cisco

S1(config)#enable secret class

S1(config)#aaa authentication login default local

S1(config)#aaa authorization exec default local

S1(config)#line console 0

S1(config-line)#login authentication default

S1(config-line)#authorization exec default

AAA Accounting commands

S1(config)#aaa accounting exec default start-stop group radius

S1(config)#aaa accounting exec default stop-only group tacacs+

AAA and 802.1x configuration

ALS1#configure terminal

ALS1(config)#aaa new-model

ALS1(config)#radius-server host 172.120.39.46 auth-port 1812 key rad123

ALS1(config)#aaa authentication dot1x default group radius none

ALS1(config)#dot1x system-auth-control

ALS1(config)#int fa0/1

ALS1(config-if)#authentication port-control {auto | force-authorized | force-unauthorized}

For switches running Cisco IOS version 12.2(50)SE or later:

ALS1(config-if)#dot1x pae authenticator

Verify

S1#debug aaa authentication

S1#debug aaa authorization

S1#debug radius

S1#debug tacacs+

S1#debug aaa accounting

CDP – Cisco Discovery Protocol – (chapter 8)

Verify

S1#show cdp neighbor detail

LLDP (Link Layer Discovery Protocol) – (Chapter 8)

Global LLDP activation & configuration

ALS1(config)#lldp run

ALS1(config)#lldp holdtime 120

ALS1(config)#lldp reinit 2

ALS1(config)#lldp timer 30

Interface LLDP activation

ALS1(config)#int gi0/1

ALS1(config-if)#lldp transmit

ALS1(config-if)#lldp receive

LLDP-MED for VoIP configuration

ALS1(config)#network-policy 1

ALS1(config-network-policy)#voice vlan 110 cos 5

ALS1(config)#int gi0/1

ALS1(config-if)#network-policy profile 1

ALS1(config-if)#lldp med-tlv-select network-policy

Verify

DLS1#show lldp

DLS1#show lldp neighbors

Power over Ethernet (PoE) – (Chapter 8)

Versions

• 802.3af - switch applies voltage to determine if a powered device is connected, and what power level it requires.

• Cisco ILP - sends out a 340kHz test tone on the TX pair to detect powered devices, and uses CDP to discover power requirement.

802.3af (Power allocated)

802.3af Power Class   Power Allocated   Actual Power Used
Class 0               15.4W             0.44 to 12.95W
Class 1               4.0W              0.44 to 3.84W
Class 2               7.0W              3.84 to 6.49W
Class 3               15.4W             6.49 to 12.95W

PoE configuration

DLS1(config)#power inline consumption default 15400

DLS1(config)#int fa0/1

DLS1(config-if)#power inline ?

  auto         Automatically detect and power inline devices
  consumption  Configure the inline device consumption
  never        Never apply inline power
  static       High priority inline power interface

Verify

DLS1#show power inline consumption default

DLS1#show power inline FastEthernet 0/1

SDM (Switching Database Management) – (Chapter 8)


Template types

• Access: The access template maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs.

• Default: The default template gives balance to all functions.

• Routing: The routing template maximizes system resources for IPv4/v6 unicast routing, typically required for a router or aggregator in the centre of a network.

• VLANs: The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

Change SDM Template

ALS1(config)#sdm prefer access

ALS1(config)#exit

ALS1#copy run start

ALS1#reload

Verify

ALS1#show sdm prefer

IPv4 SDM Templates and Memory Partitions

Memory Partition              Access   Default   Routing   VLAN
Unicast MAC address           4K       6K        3K        12K
IGMP Groups/Mcast Routes      1K       1K        1K        1K
Unicast Routes:               6K       8K        11K       0
 • Directly connected hosts   4K       6K        3K        0
 • Indirect routes            2K       2K        8K        0
Policy-based routing ACEs     0.5K     0         0         0.5K
QoS ACEs                      0.5K     0.5K      0.5K      0.5K
Security ACEs                 2K       1K        1K        1K
L2 VLANs                      1K       1K        1K        1K

SPAN – (Chapter 8)

Local SPAN configuration

SW1(config)#monitor session 1 source int fa0/1 {rx | tx}

SW1(config)#monitor session 1 destination int fa0/2

Capture VLAN tagging and management protocols

SW2(config)#monitor session 1 source int fa0/1

SW2(config)#monitor session 1 destination int fa0/2 encapsulation replicate

Configure RSPAN

SW1(config)#vlan 100

SW1(config-vlan)#remote-span

SW1(config)#monitor session 2 source int fa0/7

SW1(config)#monitor session 2 destination remote vlan 100

SW2(config)#vlan 100

SW2(config-vlan)#remote-span

SW2(config)#monitor session 3 source remote vlan 100

SW2(config)#monitor session 3 destination int fa0/8

IP SLA with Responder configuration

R3(config)#ip sla responder

R3(config)#ip sla responder udp-echo ipaddress 10.10.10.1 port 5000

R1(config)#ip sla monitor 1

R1(config-ip-sla)#udp-jitter 10.10.20.1 5000

R1(config-ip-sla-jitter)#frequency 120

R1(config)#ip sla monitor schedule 1 life forever start-time now

IP SLA Echo Test configuration

R1(config)#ip sla monitor 2

R1(config-ip-sla)#icmp-echo 10.10.30.10

R1(config-ip-sla)#frequency 120

R1(config)#ip sla monitor schedule 2 life forever start-time now

R1(config)#track 1 ip sla 2 reachability

IP SLA Voice Quality Measurement configuration

R1(config)#ip sla 3

R1(config-ip-sla)#udp-jitter 10.10.20.1 16384 codec g729a

R1(config-ip-sla-jitter)#frequency 10

R1(config)#ip sla schedule 3 life forever start-time now

R3(config)#ip sla responder

R3(config)#ip sla responder udp-echo ipaddress 10.10.10.1 port 16384

Verify

SW1#show monitor

S1(config)#monitor session 1 source cpu both

S1(config)#monitor session 1 destination int fa0/8

R1#show ip sla configuration 1

R3#show ip sla responder

R1#show ip sla statistics 1

NSF – (Nonstop Forwarding) – (Chapter 9)

NSF configuration

DLS1(config)#router eigrp 1

DLS1(config-router)#nsf

DLS1(config)#router ospf 1

DLS1(config-router)#nsf

DLS1(config)#router bgp 65501

DLS1(config-router)#bgp graceful-restart

Switch device and protocol security – (Chapter 10)

Summary

• Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.

• Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts.

• Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration.


Secure unused switch ports

S1(config)#interface range fa0/10 - 18

S1(config-if-range)#switchport host

S1(config-if-range)#shutdown

Port Security

S1(config)#interface fa0/1

S1(config-if)#switchport port-security ?

  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addrs
  violation    Security violation mode

Port Security: Violation

Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}

DLS1(config)#interface FastEthernet 0/1

DLS1(config-if)#switchport mode access

DLS1(config-if)#switchport port-security

DLS1(config-if)#switchport port-security mac-address 0000.0000.0008

DLS1(config-if)#switchport port-security maximum 1

DLS1(config-if)#switchport port-security violation shutdown

DLS1(config-if)#switchport block unicast

DLS1(config)#interface FastEthernet 0/2

DLS1(config-if)#switchport mode access

DLS1(config-if)#switchport port-security

DLS1(config-if)#switchport port-security mac-address sticky

DLS1(config-if)#switchport port-security maximum 3

DLS1(config-if)#switchport port-security violation restrict

Automatic Error Recovery

ALS1(config)#errdisable recovery cause psecure-violation

ALS1(config)#errdisable recovery interval 60

Verify

S1#show cdp neighbor detail

DLS1#show running-config fastethernet 0/2

DLS1#show port-security

ALS1#show interface status err-disabled

DHCP Snooping / Spoofing

DHCP Snooping configuration

ALS1(config)#ip dhcp snooping

ALS1(config)#ip dhcp snooping vlan 10

ALS1(config)#interface Fa0/1

ALS1(config-if)#ip dhcp snooping trust

ALS1(config)#interface range fa0/2-3

ALS1(config-if-range)#ip dhcp snooping limit rate 1

DLS1(config)#ip dhcp snooping

DLS1(config)#ip dhcp snooping vlan 10

DLS1(config)#interface range Fa0/1-2

DLS1(config-if-range)#ip dhcp snooping trust


Verify

ALS1#sh ip dhcp snooping

ALS1#show ip dhcp snooping binding

IP Address Spoofing & IP Source Guard – (Chapter 10)

IP Source Guard configuration

DLS1(config)#ip source binding cccc.cccc.cccc vlan 10 192.168.10.20 int fa0/3

Or

DLS1(config)#interface range Fa0/1-3

DLS1(config-if-range)#ip verify source port-security

Verify

DLS1#show ip source binding

ARP Spoofing – (Chapter 10)

Dynamic ARP Inspection configuration

ALS1(config)#ip arp inspection vlan 10

ALS1(config)#ip arp inspection validate {src-mac | dst-mac | ip}

ALS1(config)#int range fa0/2-3

ALS1(config-if-range)#ip arp inspection limit rate 2

ALS1(config)#interface Fa0/1

ALS1(config-if)#ip arp inspection trust

DLS1(config)#ip arp inspection vlan 10

DLS1(config)#interface range Fa0/1-2

DLS1(config-if-range)#ip arp inspection trust

Dynamic ARP Inspection Static configuration

DLS1(config)#ip arp inspection vlan 10

DLS1(config)#arp access-list DAI_ACL

DLS1(config-arp-nacl)#permit ip host 192.168.10.1 mac host aaaa.bbbb.cccc

DLS1(config)#ip arp inspection filter DAI_ACL vlan 10
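The two DAI configurations above combine four decisions: trusted ports are not inspected, the optional validate checks compare the ARP body against the Ethernet header, an ARP access-list covers statically addressed hosts, and everything else must match a DHCP snooping binding. The Python below is an added example (not from this page or from Cisco) that models that decision for ARP packets on untrusted access ports; the bindings, the port names and the ARP frames are constructed for the example, and the ordering of the validate checks relative to the ACL is the example's own simplification (Cisco documents only that the ARP ACL is consulted before the DHCP snooping database, and that without the static keyword a non-matching packet falls through to the bindings).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple


def norm_mac(mac: str) -> str:
    """Compare Cisco dotted, colon and dash notation on equal terms."""
    return mac.lower().replace(".", "").replace(":", "").replace("-", "")


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding (what `show ip dhcp snooping binding` lists)."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpFrame:
    """An ARP packet as received on a switch port (constructed for the example)."""
    in_port: str
    vlan: int
    eth_src: str
    eth_dst: str
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    is_reply: bool


class DaiPolicy:
    def __init__(self, bindings, trusted_ports, arp_acl=(), validate=()):
        self.bindings = {(b.vlan, norm_mac(b.mac), b.ip) for b in bindings}
        self.trusted = set(trusted_ports)
        # ARP ACL entries as (action, ip, mac), i.e. `permit ip host A mac host B`.
        self.arp_acl = [(a, ip, norm_mac(m)) for a, ip, m in arp_acl]
        self.validate = set(validate)   # subset of {"src-mac", "dst-mac", "ip"}

    @staticmethod
    def _bad_ip(ip: str) -> bool:
        return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast

    def inspect(self, f: ArpFrame) -> Tuple[str, str]:
        # 1. Trusted ports (uplinks, DHCP server port) are not inspected.
        if f.in_port in self.trusted:
            return "permit", "trusted port"
        # 2. Optional checks enabled with `ip arp inspection validate ...`.
        if "src-mac" in self.validate and norm_mac(f.eth_src) != norm_mac(f.sender_mac):
            return "deny", "src-mac: Ethernet source != ARP sender MAC"
        if "dst-mac" in self.validate and f.is_reply and norm_mac(f.eth_dst) != norm_mac(f.target_mac):
            return "deny", "dst-mac: Ethernet destination != ARP target MAC"
        if "ip" in self.validate and (self._bad_ip(f.sender_ip) or (f.is_reply and self._bad_ip(f.target_ip))):
            return "deny", "ip: invalid or unexpected address"
        # 3. ARP ACL (static hosts) is consulted before the DHCP snooping database.
        for action, ip, mac in self.arp_acl:
            if ip == f.sender_ip and mac == norm_mac(f.sender_mac):
                return action, "arp access-list match"
        # 4. Otherwise the sender MAC/IP must be a DHCP snooping binding in this VLAN.
        if (f.vlan, norm_mac(f.sender_mac), f.sender_ip) in self.bindings:
            return "permit", "dhcp snooping binding"
        return "deny", "no binding for sender MAC/IP in this VLAN"


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario in the spirit of the page: VLAN 10, Fa0/1 trusted,
    Fa0/2-3 untrusted access ports, and the DAI_ACL host from the static example."""
    policy = DaiPolicy(
        bindings=[Binding("0000.0000.0002", "192.168.10.20", 10, "fa0/2"),
                  Binding("0000.0000.0003", "192.168.10.30", 10, "fa0/3")],
        trusted_ports={"fa0/1"},
        arp_acl=[("permit", "192.168.10.1", "aaaa.bbbb.cccc")],
        validate={"src-mac", "ip"},
    )
    frames = [
        # legitimate reply from the host that leased 192.168.10.20 on fa0/2
        ArpFrame("fa0/2", 10, "0000.0000.0002", "0000.0000.0003", "0000.0000.0002", "192.168.10.20",
                 "0000.0000.0003", "192.168.10.30", True),
        # host on fa0/3 answers for an IP it never leased: stopped by the binding check
        ArpFrame("fa0/3", 10, "0000.0000.0003", "0000.0000.0002", "0000.0000.0003", "192.168.10.20",
                 "0000.0000.0002", "192.168.10.30", True),
        # Ethernet source and ARP sender MAC disagree: caught by `validate src-mac`
        ArpFrame("fa0/3", 10, "0000.0000.0003", "ffff.ffff.ffff", "0000.0000.0002", "192.168.10.20",
                 "0000.0000.0000", "192.168.10.30", False),
        # statically addressed host with no DHCP lease: allowed by the ARP ACL
        ArpFrame("fa0/3", 10, "aaaa.bbbb.cccc", "ffff.ffff.ffff", "aaaa.bbbb.cccc", "192.168.10.1",
                 "0000.0000.0000", "192.168.10.30", False),
        # anything arriving on the trusted uplink passes uninspected
        ArpFrame("fa0/1", 10, "0000.0000.0099", "ffff.ffff.ffff", "0000.0000.0099", "192.168.10.99",
                 "0000.0000.0000", "192.168.10.20", False),
    ]
    return [policy.inspect(f) for f in frames]
```

The model makes the operational dependency explicit: DAI is only as good as the binding table, so DHCP snooping must already be enabled on the VLAN and the trusted ports must be exactly the uplinks, and every statically addressed host needs an ARP ACL entry or its ARP traffic is dropped as "no binding".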

Cisco Access Control Lists – (Chapter 10)

Different ACLs

• Router access control list (RACL): Applied to Layer 3 interfaces such as SVIs or L3 routed ports. It controls the access of routed traffic between VLANs. RACLs are applied on interfaces for specific directions (inbound or outbound). You can apply one access list in each direction.

• Port access control list (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel port. PACLs perform access control on traffic entering a Layer 2 interface. With PACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. When you apply a PACL to a trunk port, it filters traffic on all VLANs present on the trunk port. PACLs only work inbound on an interface.

• VLAN access control list (VACL): Supported in software on Cisco multilayer switches. Filtering based on Layer 2 or Layer 3 parameters within a VLAN. Unlike RACLs, VACLs are not defined by direction (input or output).

ACL to block traffic

DLS1(config)#ip access-list extended DENY_SERVER

DLS1(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 host 192.168.10.10

VLAN map to block and forward traffic

DLS1(config)#vlan access-map DENY_MAP 10

DLS1(config-access-map)#match ip address DENY_SERVER

DLS1(config-access-map)#action drop

DLS1(config-access-map)#exit

DLS1(config)#vlan access-map DENY_MAP 20

DLS1(config-access-map)#action forward

Apply VLAN map to VLAN

DLS1(config)#vlan filter DENY_MAP vlan-list 10
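The VACL above reads backwards from a RACL: the permit entry in DENY_SERVER selects the traffic, sequence 10 drops what it selects, and sequence 20 with no match clause forwards everything else. Without sequence 20 the implicit deny at the end of the map would drop all traffic in VLAN 10. The Python below is an added example (not from this page or from Cisco) that evaluates DENY_SERVER and DENY_MAP over constructed sample packets, using Cisco wildcard-mask semantics for the ACL; the data-structure shapes are the example's own.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Sequence, Tuple

# One access control entry of an extended ACL:
# (action, protocol, source, source_wildcard, destination, destination_wildcard)
Ace = Tuple[str, str, str, str, str, str]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def acl_permits(acl: Sequence[Ace], pkt: Dict[str, str]) -> bool:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for action, proto, src, src_wc, dst, dst_wc in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if wildcard_match(pkt["src"], src, src_wc) and wildcard_match(pkt["dst"], dst, dst_wc):
            return action == "permit"
    return False


# A VLAN access-map is an ordered list of (sequence, match ACL or None, action).
# A `match ip address ACL` clause matches when that ACL *permits* the packet.
AccessMap = List[Tuple[int, Optional[Sequence[Ace]], str]]

# `ip access-list extended DENY_SERVER` from the page:
DENY_SERVER: List[Ace] = [
    ("permit", "ip", "192.168.20.0", "0.0.0.255", "192.168.10.10", "0.0.0.0"),
]
# `vlan access-map DENY_MAP 10/20` from the page:
DENY_MAP: AccessMap = [
    (10, DENY_SERVER, "drop"),
    (20, None, "forward"),     # no match clause: catches everything else
]
# The same map with sequence 20 left out, to show the implicit deny.
DENY_MAP_WITHOUT_SEQ_20: AccessMap = [(10, DENY_SERVER, "drop")]


def vacl_action(access_map: AccessMap, pkt: Dict[str, str]) -> str:
    """Evaluate a VLAN map the way `vlan filter` applies it to traffic in the VLAN."""
    for _seq, acl, action in access_map:
        if acl is None or acl_permits(acl, pkt):
            return action
    return "drop"   # implicit deny at the end of every VLAN map


def demo() -> Dict[str, str]:
    pkts = {  # constructed sample packets
        "vlan20_to_server": {"proto": "tcp", "src": "192.168.20.5", "dst": "192.168.10.10"},
        "vlan20_to_other":  {"proto": "tcp", "src": "192.168.20.5", "dst": "192.168.10.11"},
        "vlan30_to_server": {"proto": "icmp", "src": "192.168.30.5", "dst": "192.168.10.10"},
    }
    return {name: vacl_action(DENY_MAP, p) for name, p in pkts.items()}


if __name__ == "__main__":
    print(demo())
```

Because the map is applied to VLAN 10 and the source addresses are in 192.168.20.0/24, this VACL only takes effect once that traffic has been routed into VLAN 10; it is a filter on the destination VLAN, not on the source VLAN.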

Protected Ports – (Chapter 10)

Protected ports configuration

S1(config)#int range fa0/1-2

S1(config-if-range)#switchport protected

Create Private VLANs

DLS2(config)#vtp mode transparent

DLS2(config)#vlan 10

DLS2(config-vlan)#private-vlan community

DLS2(config)#vlan 20

DLS2(config-vlan)#private-vlan community

DLS2(config)#vlan 30

DLS2(config-vlan)#private-vlan isolated

DLS2(config-vlan)#exit

DLS2(config)#vlan 100

DLS2(config-vlan)#private-vlan primary

DLS2(config-vlan)#private-vlan association 10,20,30


Populate Private VLANs

DLS2(config)#int fa0/1

DLS2(config-if)#switchport mode private-vlan promiscuous

DLS2(config-if)#switchport private-vlan mapping 100 10,20,30

DLS2(config)#int fa0/2

DLS2(config-if)#switchport mode private-vlan host

DLS2(config-if)#switchport private-vlan host-association 100 10

Verify

DLS2#sh int fa0/2 switchport

DLS2#sh vlan private-vlan