dansk data sikkerhed · 2017-11-08
CCNP "Guld" Switch 300-115 Commands
Table of Contents
CAM Table - (Chapter 2)
  Verify CAM Table
  Clear MAC Table
TCAM Table - (Chapter 2)
VLAN - (Chapter 3)
  VLAN database file
  Ranges
  Configure VLAN
  Verify VLANs
  Locally Deactivate a VLAN
  Globally Suspend/Activate a VLAN
  Verify VLAN state
Dynamic Trunking Protocol (DTP) - (Chapter 3)
  DTP Modes
  Trunk between a DTP device and a non-DTP device
  Verify Trunks
  Allow VLANs on a Trunk
  Set native VLAN
VTP - (Chapter 3)
  VTP database file
  VTP Revision number
  VTP Server configuration
  VTP Client configuration
  Verify VTP
  VTP v3 configuration
  VTP v3 password
EtherChannel - (Chapter 3)
  L2 Link Aggregation With PAgP
  L3 Link Aggregation With PAgP
  Link Aggregation With LACP
  EtherChannel Guard
  Verify EtherChannel
STP - (Chapter 4)
  STP Variants
  STP Root Election Process
  Set STP Cost
  STP 802.1D States and Timers
  Propagate new timers
  STP PortFast
  STP BPDU Guard
  STP UplinkFast
  STP BackboneFast
  STP Root Guard
  STP Loop Guard
  STP BPDU Filter
  STP Unidirectional Link Detection (UDLD)
  Verify STP
Cisco Storm Control - (Chapter 4)
PVST (Per-VLAN Spanning Tree Protocol) - (Chapter 4)
  PVST+ configuration
  Verify PVST+
RSTP (Rapid Spanning Tree Protocol) - (Chapter 4)
  Port States
  RSTP Port Roles
  RSTP Port Types
MST (Multiple Spanning Tree) - (Chapter 4)
  Enable MST
  MST configuration
  Verify MST
  MST and VTP 3
Inter-VLAN Routing - (Chapter 5)
  Sub-interface configuration
  SVI address configuration
  Enable routing
  Multilayer Switch Routed Port Configuration
  Verify routing / SVI
L3 EtherChannel - (Chapter 5)
  L3 EtherChannel configuration
CEF (Cisco Express Forwarding)
  CEF Adjacencies
  Verify CEF
DHCPv4 Configuration
  Dynamic configuration
  Manual configuration
  IPv4 Helper Addresses
  Verify
IPv6 (fuck) - (Chapter 5)
  Stateless DHCPv6 configuration
  Stateful DHCPv6 configuration
  DHCPv6 Relay Agent
  Verify
HSRP (Hot Standby Routing Protocol) - (Chapter 6)
  HSRP Summary
  Ports
  HSRP Group Members
  HSRP Virtual Router MAC Address
  HSRP Active configuration
  HSRP Standby configuration
  HSRP Load-sharing configuration
  Verify HSRP
  HSRP Authentication
  MLS HSRP Configuration
  HSRP Tracking Object
VRRP (Virtual Router Redundancy Protocol) - (Chapter 6)
  VRRP Summary
  VRRP Configuration - Virtual Interface
  VRRP Configuration - Physical Interface
GLBP (Gateway Load Balancing Protocol) - (Chapter 6)
  GLBP Summary
  GLBP Virtual Router MAC Address
  GLBP configuration
  GLBP Authentication
  GLBP Load Balancing
  GLBP Weighting Configuration
  GLBP and STP Optimisation
  GLBP Verification
FHRP for IPv6 - (Chapter 6)
  Summary
  HSRP IPv6 configuration
  Verify HSRP IPv6
  GLBP IPv6 configuration
  Verify GLBP IPv6
Syslog - (Chapter 7)
  Summary
  Syslog Default Configuration
  Syslog Server Configuration
  Set Timestamp
  Verify
NTP (Network Time Protocol) - (Chapter 7)
  Summary
  NTP modes
  Set Clock
  NTP Configuration Example
  NTP Broadcast Service
  NTP Access-Control
  Simple Network Time Protocol (SNTP)
  Verify
  NTPv4 for IPv6
  NTPv4 IPv6 Multicast Service
  NTPv4 IPv6 Access Control
SNMP - (Chapter 7)
  SNMP Security models
  SNMPv2c Configuration
  SNMPv3 configuration
AAA (Authentication, Authorisation, Accounting) - (Chapter 7)
  Summary
  AAA Authentication configuration
  AAA Authorization commands
  Local AAA Authentication/Authorisation configuration
  AAA Accounting commands
  AAA and 802.1x configuration
  Verify
CDP - Cisco Discovery Protocol - (Chapter 8)
  Verify
LLDP (Link Layer Discovery Protocol) - (Chapter 8)
  Global LLDP activation & configuration
  Interface LLDP activation
  LLDP-MED for VoIP configuration
  Verify
Power over Ethernet (PoE) - (Chapter 8)
  Versions
  802.3af (Power allocated)
  PoE configuration
  Verify
SDM (Switching Database Management) - (Chapter 8)
  Template types
  Change SDM Template
  Verify
SPAN - (Chapter 8)
  Local SPAN configuration
  Configure RSPAN
  IP SLA with Responder configuration
  IP SLA Echo Test configuration
  IP SLA Voice Quality Measurement configuration
  Verify
NSF (Nonstop Forwarding) - (Chapter 9)
  NSF configuration
Switch device and protocol security - (Chapter 10)
  Summary
  Secure unused switch ports
  Port Security
  Port Security: Violation
  Automatic Error Recovery
  Verify
DHCP Snooping / Spoofing
  DHCP Snooping configuration
  Verify
IP Address Spoofing & IP Source Guard - (Chapter 10)
  IP Source Guard configuration
  Verify
ARP Spoofing - (Chapter 10)
  Dynamic ARP Inspection configuration
  Dynamic ARP Inspection Static configuration
Cisco Access Control Lists - (Chapter 10)
  Different ACLs
  ACL to block traffic
  VLAN map to block and forward traffic
  Apply VLAN map to VLAN
Protected Ports - (Chapter 10)
  Protected ports configuration
  Create Private VLANs
  Populate Private VLANs
  Verify
CAM Table - (Chapter 2)

Verify CAM Table
ALS1# show mac address-table
ALS1# show mac address-table dynamic
ALS1# show mac address-table count

Clear MAC Table
ALS1# clear mac address-table dynamic

TCAM Table - (Chapter 2)
SW1# show platform tcam utilization
VLAN - (Chapter 3)

VLAN database file
The VLAN database configuration is stored in flash memory and is called vlan.dat.

Ranges
1 - 1005: Normal Range
1002 - 1005: Token Ring / FDDI VLANs
1, 1002, 1005: created automatically and cannot be deleted
1025 - 4094: Extended Range

Configure VLAN
S1# configure terminal
S1(config)# vlan <value>
S1(config-vlan)# name <word>
S1(config-vlan)# exit
S1(config)# interface fa <number>
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan <value>

Verify VLANs
S1# show vlan
S1# show vlan id 20
S1# show vlan name Data
S1# show interfaces FastEthernet 0/18 switchport
S1# show running-config interface Fa0/18

Locally Deactivate a VLAN
S1(config)# shutdown vlan 110

Globally Suspend/Activate a VLAN
DLS1(config)# vlan 110
DLS1(config-vlan)# state suspend <or active>

Verify VLAN state
DLS1# show vlan brief | include suspended <or active>
Dynamic Trunking Protocol (DTP) - (Chapter 3)

DTP Modes
S1(config-if)# switchport mode access
Permanent non-trunking mode, regardless of the neighbouring interface's settings.
S1(config-if)# switchport mode trunk
Permanent trunking mode, regardless of the neighbouring interface's settings.
S1(config-if)# switchport mode dynamic desirable
Actively tries to convert the port to a trunk if the neighbouring interface is set to trunk, desirable or auto.
S1(config-if)# switchport mode dynamic auto
The port is willing to convert to a trunk if the neighbouring interface is set to trunk or desirable.
S1(config-if)# switchport nonegotiate
The port does not generate DTP frames and must be manually configured as a trunk or access port.

Trunk between a DTP device and a non-DTP device
S1(config-if)# switchport mode trunk
S1(config-if)# switchport nonegotiate

Verify Trunks
S1# show interfaces trunk
S1# show interfaces FastEthernet 0/1 switchport
S1# show interfaces FastEthernet 0/1 trunk

Allow VLANs on a Trunk
S1(config)# interface range fa0/1 - 2
S1(config-if-range)# switchport trunk allowed vlan 20
S1(config-if-range)# switchport trunk allowed vlan 1,20

Set native VLAN
S1(config-if)# switchport trunk native vlan 999
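As an added example that is not part of the original cheat sheet, a small Python audit that applies the DTP and trunk settings above (nonegotiate, a non-default native VLAN, an explicit allowed-VLAN list) as checks over a running-config excerpt; the config fragment, interface names and VLAN numbers are constructed for illustration.

```python
"""Audit DTP/trunk hygiene in a Cisco IOS running-config excerpt.

Added example, not from the original cheat sheet. The config below is
constructed: interface names and VLAN numbers are made up.
"""
import re

# Constructed sample running-config: one clean trunk, one bare trunk,
# one DTP-negotiating port, one access port and one port with no mode set.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/5
 description no switchport mode configured
!
"""


def parse_interfaces(config: str) -> dict:
    """Split a running-config into {interface name: [indented config lines]}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def audit_interface(lines: list) -> list:
    """Return the list of findings for one interface (empty list = clean)."""
    findings = []
    mode = None
    native_vlan = None
    allowed_list = False
    nonegotiate = False
    for line in lines:
        m = re.fullmatch(r"switchport mode (.+)", line)
        if m:
            mode = m.group(1)
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            native_vlan = int(m.group(1))
        if line.startswith("switchport trunk allowed vlan"):
            allowed_list = True
        if line == "switchport nonegotiate":
            nonegotiate = True

    if mode is None:
        # Assumption: with no explicit mode the platform DTP default applies
        # (dynamic auto or dynamic desirable on most Catalyst models), so the
        # port may negotiate a trunk with whatever is plugged in.
        findings.append("no switchport mode set: DTP default may negotiate a trunk")
    elif mode.startswith("dynamic"):
        findings.append(f"DTP negotiation enabled (mode {mode}): "
                        "use 'switchport mode access' or trunk + nonegotiate")
    elif mode == "trunk":
        if not nonegotiate:
            findings.append("trunk still sends DTP frames: add 'switchport nonegotiate'")
        if native_vlan is None or native_vlan == 1:
            findings.append("native VLAN is 1 (default): set an unused VLAN "
                            "with 'switchport trunk native vlan'")
        if not allowed_list:
            findings.append("all VLANs allowed on trunk: prune with "
                            "'switchport trunk allowed vlan'")
    # mode access: permanent non-trunking, nothing to flag here
    return findings


def audit_config(config: str) -> dict:
    """Audit every interface block; returns {interface: [findings]}."""
    return {name: audit_interface(lines)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```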
VTP - (Chapter 3)

VTP database file
The VTP configuration is stored in the vlan.dat file in flash memory.

VTP Revision number
A 32-bit number that indicates the revision level of a VTP frame.
Default is 0.
Each time a VLAN is added or removed, the revision number is incremented.
Changing the VTP domain name resets the revision number to 0.

VTP Server configuration
DLS1(config)# vtp mode server
DLS1(config)# vtp domain cisco2
DLS1(config)# vtp password cisco123
DLS1(config)# vtp version 2

VTP Client configuration
ALS1(config)# vtp version 2
ALS1(config)# vtp mode client
ALS1(config)# vtp domain cisco2
ALS1(config)# vtp password cisco123

Verify VTP
DLS1# show vtp status
DLS1# show vtp password

VTP v3 configuration
DLS1(config)# vtp version 3
DLS1# vtp primary vlan

VTP v3 password
DLS1(config)# vtp password Cisco hidden
DLS1# show vtp password
Etherchannel – (Chapter 3)
PAgP (Cisco protocol)
LACP
L2 Link Aggregation With PAgP
S1(config)#interface range fa0/1 - 2
S1(config-if-range)#channel-protocol pagp
S1(config-if-range)#channel-group 1 mode desirable
S1(config)#int po1
S1(config-if)#switchport mode trunk
S1(config-if)#switchport trunk native vlan 999
S1(config-if)#switchport trunk allowed vlan 10,20,30
L3 Link Aggregation With PAgP
S1(config)#interface range fa0/1 - 2
S1(config-if-range)#no switchport
S1(config-if-range)#channel-group 1 mode desirable
S1(config)#interface port-channel 1
S1(config-if)#no switchport
S1(config-if)#ip address 10.0.0.1 255.255.255.0
Link Aggregation With LACP
**Based on links 1-10 between 2 switches, where all of them are put into one pool and it selects 9-10 as active, so the others can take over if they fail**
S1(config)#lacp system-priority 100
S1(config)#interface range fa0/1 - 8
S1(config-if-range)#channel-protocol lacp
S1(config-if-range)#channel-group 1 mode active
S1(config-if-range)#lacp port-priority 100
S1(config-if-range)#interface range fa0/9 - 10
S1(config-if-range)#channel-protocol lacp
S1(config-if-range)#channel-group 1 mode active
EtherChannel Guard
EtherChannel guard is enabled by default and detects EtherChannel misconfiguration when the switches run PVST+ or MSTP.
Disable EtherChannel Guard
S1(config)#no spanning-tree etherchannel guard misconfig
Verify Etherchannel
S1#show etherchannel summary
STP – (Chapter 4)
STP Variants
• 802.1D-1998: legacy standard for bridging and STP. Uses Common Spanning Tree (CST) for the entire switched network, regardless of the number of VLANs.
• PVST+: Cisco enhancement of STP that provides a separate 802.1D STP instance for each configured VLAN.
• 802.1w (RSTP): improved convergence over 802.1D-1998, incorporating Cisco STP enhancements. Uses CST.
• 802.1D-2004: Updated version of STP incorporating 802.1w.
• Rapid PVST+: Cisco enhancement of RSTP using PVST+
• 802.1s (MSTP): Uses RSTP to map multiple VLANs into separate instances.
STP Root Election Process
1. Lowest root Bridge ID (BID)
2. Lowest path cost to root bridge
3. Lowest sender bridge ID
4. Lowest sender port ID
Set STP Cost
S3(config)#int fa0/1
S3(config-if)#spanning-tree cost 25
• The cost value can be between 1 and 200,000,000
STP 802.1D States and Timers
Blocking - (max age = 20 secs)
Listening - (forward delay = 15 secs)
Learning - (forward delay = 15 secs)
Forwarding
Propagate new timers
S1(config)#spanning-tree vlan 10 root primary diameter 4
STP PortFast
S3(config)#int fa0/8
S3(config-if)#spanning-tree portfast
or
S3(config)#spanning-tree portfast default
STP BPDU Guard
S3(config)#int fa0/8
S3(config-if)#spanning-tree bpduguard enable
or
S3(config)#spanning-tree portfast bpduguard default
STP UplinkFast
S3(config)#spanning-tree uplinkfast [max-update-rate <pps>]
STP BackboneFast
S3(config)#spanning-tree backbonefast
STP Root Guard
S4(config-if)#spanning-tree guard root
Check with the command
S4#sh spanning-tree inconsistentports
STP Loop Guard
S4(config-if)#spanning-tree guard loop
Applied to the interface
S4(config)#spanning-tree loopguard default
Applied to all ports
STP BPDU Filter
S3(config-if)#spanning-tree bpdufilter {enable | disable}
Applied to the interface
S3(config)#spanning-tree portfast bpdufilter default
Applied to all ports
STP Unidirectional Link Detection (UDLD)
S3(config-if)#udld port aggressive
Applied to the interface
S3(config)#udld {enable | aggressive | message time <seconds>}
Applied to all ports
Check with the command
ALS1#sh udld
Verify STP
DLS1#show spanning-tree
Cisco Storm Control – (Chapter 4)
S1(config)# int range fa0/1 - 4
S1(config-if-range)# storm-control broadcast level 50
S1(config-if-range)# storm-control action shutdown
PVST (Per-VLAN Spanning Tree Protocol) – (Chapter 4)
PVST+ configuration
S1(config)#spanning-tree vlan 10 root primary
S1(config)#spanning-tree vlan 20 root secondary
S1(config)#spanning-tree vlan 10 priority 4096
S1(config)#spanning-tree vlan 20 priority 8192
S2(config)#spanning-tree vlan 20 root primary
S2(config)#spanning-tree vlan 10 root secondary
S2(config)#spanning-tree vlan 20 priority 4096
S2(config)#spanning-tree vlan 10 priority 8192
Verify PVST+
S1#show spanning-tree vlan 10
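As an added example (not from this sheet or from Cisco), the following Python models step 1 of the root election above for the PVST+ priorities just configured, including the extended-system-ID arithmetic that makes priority 4096 on VLAN 10 show up as 4106. The switch MACs are constructed dummies.

```python
"""Added example (not from the sheet or Cisco): model step 1 of the root
election for the PVST+ priorities configured above. The Bridge ID compared is
the configured priority plus the VLAN number (the 12-bit extended system ID),
with the switch base MAC as tie-breaker; lowest wins. The MACs are constructed."""

DEFAULT_PRIORITY = 32768


def bridge_id(priority, vlan, base_mac):
    """Comparable Bridge ID for one VLAN: (priority + extended system ID, MAC as int).

    IOS accepts priorities only in steps of 4096 because the low 12 bits carry
    the VLAN number, which is why 'spanning-tree vlan 10 priority 4096' is shown
    as priority 4106 in 'show spanning-tree vlan 10'.
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1-4094")
    mac_int = int(base_mac.replace(".", "").replace(":", ""), 16)
    return (priority + vlan, mac_int)


def elect_root(switches, vlan):
    """switches: {name: (base_mac, {vlan: priority})}; unlisted VLANs use the default.

    Returns (winner name, winner's effective priority) for the given VLAN.
    """
    ranked = sorted(
        (bridge_id(per_vlan.get(vlan, DEFAULT_PRIORITY), vlan, mac), name)
        for name, (mac, per_vlan) in switches.items()
    )
    (eff_priority, _mac), name = ranked[0]
    return name, eff_priority


# Constructed topology with the priorities from the PVST+ configuration above;
# S3 is left at defaults. MACs are locally administered dummies.
SWITCHES = {
    "S1": ("0200.0000.0001", {10: 4096, 20: 8192}),
    "S2": ("0200.0000.0002", {20: 4096, 10: 8192}),
    "S3": ("0200.0000.0003", {}),
}

if __name__ == "__main__":
    for vlan in (10, 20, 30):
        name, prio = elect_root(SWITCHES, vlan)
        print(f"VLAN {vlan}: root bridge is {name} (effective priority {prio})")
```

For VLAN 30, which nobody configured, every switch sits at 32768 + 30 and the lowest base MAC decides, which is the situation root guard and a deliberate `root primary` are meant to avoid.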
RSTP (Rapid Spanning Tree Protocol) – (Chapter 4)
Port States
Operational Port State | 802.1D STP Port State | 802.1w RSTP Port State
Enabled                | Blocking              | Discarding
Enabled                | Listening             | Discarding
Enabled                | Learning              | Learning
Enabled                | Forwarding            | Forwarding
Disabled               | Disabled              | Discarding
RSTP Port Roles
• Alternative port: switch port that offers an alternative path toward the root bridge.
• The alternative port assumes a discarding state in a stable, active topology.
• Backup port: additional switch port on the designated switch with a redundant link to the segment for which the switch is designated.
• A backup port has a higher port ID than the designated port on the designated switch.
• The backup port assumes the discarding state in a stable, active topology.
RSTP Port Types
• RSTP considers every switch port to be one of the following types:
1. Edge Port – a port at the ‘edge’ of the network, connecting to a single host, that transitions immediately to the forwarding state when activated.
2. Root Port – the port that has the best cost to the root of the STP instance.
3. Point-to-Point Port (P2P) – any port that connects to another switch and becomes a designated port (non-edge). A quick handshake with the neighbouring switch, rather than a timer expiration, decides the port state.
MST (Multiple Spanning Tree) – (Chapter 4)
Enable MST
S1(config)#spanning-tree mode mst
MST configuration
S1(config)#spanning-tree mst config
S1(config-mst)#show current
S1(config-mst)#instance 1 vlan 1-500
S1(config-mst)#instance 2 vlan 501-1001
S1(config-mst)#name REGION12
S1(config-mst)#revision 1
S1(config-mst)#show pending
S1(config-mst)#exit
S1(config)#spanning-tree mst 1 root secondary
S1(config)#spanning-tree mst 2 root primary
Verify MST
S1#sh spanning-tree mst config
S1# sh spanning-tree mst 1
S1# sh spanning-tree mst detail
MST and VTP 3
VTP must be version 3 to share the MST database between switches.
S3(config)#spanning-tree mode mst
S3(config)#vtp version 3
S3(config)#vtp mode server mst
S3(config)#end
Inter-VLAN Routing – (Chapter 5)
Sub-interface configuration
R1(config)#int fa0/0.10
R1(config-subif)#encap dot1q 10
R1(config-subif)#ip address 172.17.10.1 255.255.255.0
R1(config-subif)#int fa0/0.30
R1(config-subif)#encap dot1q 30
R1(config-subif)#ip address 172.17.30.1 255.255.255.0
R1(config-subif)#int fa0/0
R1(config-if)#no shut
SVI address configuration
S1(config)#int vlan 10
S1(config-if)#ip add 172.17.10.1 255.255.255.0
S1(config-if)#int vlan 20
S1(config-if)#ip add 172.17.20.1 255.255.255.0
S1(config-if)#int vlan 30
S1(config-if)#ip add 172.17.30.1 255.255.255.0
Enable routing
S1(config)#ip routing
S1(config)#exit
Multilayer Switch Routed Port Configuration
S1(config)#int fa0/5
S1(config-if)#no switchport
S1(config-if)#ip add 172.17.40.2 255.255.255.0
S1(config-if)#no sh
S1(config-if)#exit
S1(config)#router eigrp 1
S1(config-router)#network 172.17.40.2 0.0.0.0
Verify routing / SVI
S1#show ip route
S1# show interfaces vlan 20
L3 Etherchannel – (Chapter 5)
L3 Etherchannel configuration
S1(config)#int range fa0/2 - 3
S1(config-if-range)#no switchport
S1(config-if-range)#channel-group 1 mode on
S1(config-if-range)#exit
S1(config)#int port-channel 1
S1(config-if)#no switchport
S1(config-if)#ip add 10.1.20.1 255.255.255.0
CEF (Cisco Express Forwarding)
CEF Adjacencies
• Null adjacency: Packets destined for a null0 interface are dropped. This can be used as an effective form of access filtering.
• Glean adjacency: When a router is connected directly to several hosts via a broadcast network, the FIB table on the router maintains a prefix for the subnet rather than for the individual host prefixes. The subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific host, the adjacency database is gleaned for the specific prefix.
• Punt adjacency: Features that require special handling, or features that are not yet supported in conjunction with CEF switching paths, are forwarded to the next switching layer for handling. For example, the packet may require CPU processing. Features that are not supported are forwarded to the next-higher switching level.
• Discard adjacency: Packets are discarded – usually due to ACLs.
• Drop adjacency: Packets are dropped, but the prefix is checked. Used to kill packets during ‘ARP Throttling’.
Verify CEF
S1#sh ip cef
S1#sh ip cef fa0/1 detail
S1#sh adjacency fa0/1 detail
S1#show ip cef summary
S1#show ip cef vlan 10
S1# show adjacency
DHCPv4 Konfiguration
Dynamic configuration
S1(config)#interface vlan 10
S1(config-if)#ip address 10.0.0.254 255.255.255.0
S1(config)#ip dhcp excluded-address 10.0.0.250 10.0.0.254
S1(config)#ip dhcp pool VLAN_10
S1(dhcp-config)#network 10.0.0.0 255.255.255.0
S1(dhcp-config)#default-router 10.0.0.254
S1(dhcp-config)#lease 0 8 0
S1(dhcp-config)#dns-server 10.10.10.10
S1(dhcp-config)#option 150 ip 10.1.0.253
(This command is not required; the option number can be changed to one of the following as needed)
Option Number | Function
43            | Location of WLAN controller
69            | Location of SMTP server
70            | Location of POP3 server
150           | Location of TFTP server for Cisco IP phones
Manual configuration
S1(config)#ip dhcp pool MAN_POOL
S1(dhcp-config)#host 10.0.0.1 255.255.255.0
S1(dhcp-config)#client-identifier 0100.1cc0.7d4a.d8
S1(dhcp-config)#default-router 10.0.0.254
IPv4 Helper Addresses
S1(config)#interface vlan 10
S1(config-if)#ip helper-address 172.24.1.9
Verify
S1# debug ip dhcp server packet
S1#show ip dhcp binding
S1#show ip dhcp server statistics
S1#show ip dhcp pool
Clear conflicts from the DHCP statistics
S1# clear ip dhcp conflict *
IPv6 – (Chapter 5)
Stateless DHCPv6 configuration
DLS1(config)#ipv6 unicast-routing
DLS1(config)#ipv6 dhcp pool DLS1_LAN
DLS1(config-dhcpv6)#dns-server 2001:db8:1:1::2
DLS1(config-dhcpv6)#domain-name cisco.com
DLS1(config)#int vlan 10
DLS1(config-if)#ipv6 address 2001:db8:1:1::1/64
DLS1(config-if)#ipv6 dhcp server DLS1_LAN
DLS1(config-if)#ipv6 nd other-config-flag
Stateful DHCPv6 configuration
DLS1(config)#ipv6 unicast-routing
DLS1(config)#ipv6 dhcp pool DLS1_LAN
DLS1(config-dhcpv6)#address prefix 2001:db8:1:1::/64 lifetime infinite
DLS1(config-dhcpv6)#dns-server 2001:db8:1:1::2
DLS1(config-dhcpv6)#domain-name cisco.com
DLS1(config)#int vlan 10
DLS1(config-if)#ipv6 address 2001:db8:1:1::1/64
DLS1(config-if)#ipv6 nd prefix 2001:db8:1:1::/64 {no-autoconfig | no-advertise}
DLS1(config-if)#ipv6 dhcp server DLS1_LAN
DLS1(config-if)#ipv6 nd managed-config-flag
DHCPv6 Relay Agent
DLS1(config)#int gi0/0
DLS1(config-if)#ipv6 dhcp relay destination 2001:db8:cafe:1::6
Or, if SVIs are used:
DLS1(config)#int vlan 10
DLS1(config-if)#ipv6 dhcp relay destination 2001:db8:cafe:1::6
Verify
DLS1#show ipv6 interface vlan 10
DLS1#show ipv6 dhcp pool
DLS1#show ipv6 dhcp binding
HSRP (Hot Standby Router Protocol) – (Chapter 6)
HSRP Summary
• The group number can be from 0 – 255 (v1), 0 – 4095 (v2); default is 0. HSRP supports a maximum of 16 groups.
• The priority value can be from 0 – 255; default is 100. If no priority is set, the router with the highest IP address on the HSRP interface becomes active.
• The hellotime can be from 1 – 255 seconds (15 to 999 msec); default is 3 seconds.
• The holdtime can be from 1 – 255 seconds (50 to 3000 msec); default is 10 seconds.
• Both Active and Standby devices send hellos.
• The track command's default decrement of the priority is 10.
Ports
Uses UDP port 1985 (v1) or 2029 (v2), multicast address 224.0.0.2 (v1) or 224.0.0.102 (v2), TTL=1.
HSRP Group Members
• Active router: Does the forwarding of data packets and transmits hello messages to other routers informing them of its status.
• Standby router: Monitors the status of the active router and quickly begins forwarding packets in the event of an active router failure. Also sends hello messages.
• Virtual router: Represents a consistently available router with an IP address and a MAC address to the hosts on a network.
• Other routers: Monitor HSRP hello messages but do not respond. They function as normal routers that forward packets sent to them but do not forward packets addressed to the virtual router.
HSRP Virtual Router MAC Address
• Vendor ID (Vendor Code): The first three bytes of the MAC address.
• HSRP Code (HSRP well-known virtual MAC address): The next two bytes of the MAC address (always 07.AC for v1, 9F.F for v2).
• Group ID (HSRP group number in hex): The last bits of the MAC address. Because v2 supports more VLAN IDs, it requires more bits for group IDs.
HSRP Active configuration
R1(config)#int fa0/0
R1(config-if)#standby version 2
R1(config-if)#standby 1 ip 192.168.10.1
R1(config-if)#standby 1 priority 150
R1(config-if)#standby 1 preempt
R1(config-if)#standby 1 preempt delay minimum 225
R1(config-if)#standby 1 track s0/0 55
R1(config-if)#standby 1 timers msec 100 msec 300
HSRP Standby configuration
R2(config)#int fa0/0
R2(config-if)#standby version 2
R2(config-if)#standby 1 ip 192.168.10.1
R2(config-if)#standby 1 priority 100
R2(config-if)#standby 1 preempt
R2(config-if)#standby 1 preempt delay minimum 225
R2(config-if)#standby 1 track s0/0 55
R2(config-if)#standby 1 timers msec 100 msec 300
HSRP Load-sharing configuration
R1(config)#int fa0/0.10
R1(config-subif)#ip address 192.168.10.2 255.255.255.0
R1(config-subif)#standby 10 ip 192.168.10.1
R1(config-subif)#standby 10 priority 150
R1(config-subif)#standby 10 preempt
R1(config-subif)#standby 10 track s0/0 55
R1(config)#int fa0/0.20
R1(config-subif)#ip address 192.168.20.2 255.255.255.0
R1(config-subif)#standby 20 ip 192.168.20.1
R1(config-subif)#standby 20 priority 100
R1(config-subif)#standby 20 preempt
R1(config-subif)#standby 20 track s0/0 55
R2(config)#int fa0/0.10
R2(config-subif)#ip address 192.168.10.3 255.255.255.0
R2(config-subif)#standby 10 ip 192.168.10.1
R2(config-subif)#standby 10 priority 100
R2(config-subif)#standby 10 preempt
R2(config-subif)#standby 10 track s0/0 55
R2(config)#int fa0/0.20
R2(config-subif)#ip address 192.168.20.3 255.255.255.0
R2(config-subif)#standby 20 ip 192.168.20.1
R2(config-subif)#standby 20 priority 150
R2(config-subif)#standby 20 preempt
R2(config-subif)#standby 20 track s0/0 55
Verify HSRP
R1#show standby
HSRP Authentication
Plain-Text (not recommended):
DLS1(config)#int vlan 10
DLS1(config-if)#standby 10 authentication text cisco123
MD5 (Interface):
DLS1(config)#int vlan 10
DLS1(config-if)#standby 10 authentication md5 key-string 0 cisco123
MD5 (key-chain):
DLS1(config)#key chain HSRP_CHAIN
DLS1(config-keychain)#key 1
DLS1(config-keychain-key)#key-string 0 cisco123
DLS1(config)#int vlan 10
DLS1(config-if)#standby 10 authentication md5 key-chain HSRP_CHAIN
MLS HSRP Configuration
DLS1(config)#interface vlan 10
DLS1(config-if)#ip address 10.1.1.2 255.255.255.0
DLS1(config-if)#standby 10 ip 10.1.1.1
DLS1(config-if)#standby 10 priority 125
DLS1(config-if)#standby 10 preempt
DLS1(config-if)#standby 10 track fa0/23 20
DLS1(config-if)#standby 10 track fa0/24
HSRP Tracking Object
DLS1(config)#ip sla 18
DLS1(config-ip-sla)#icmp-echo 10.9.9.1
DLS1(config-ip-sla-echo)#frequency 10
DLS1(config)#ip sla schedule 18 start-time now life forever
DLS1(config)#track 90 ip sla 18 reachability
DLS1(config)#interface vlan 10
DLS1(config-if)#ip address 10.1.1.2 255.255.255.0
DLS1(config-if)#standby 10 ip 10.1.1.1
DLS1(config-if)#standby 10 priority 110
DLS1(config-if)#standby 10 preempt
DLS1(config-if)#standby 10 track 90 decrement 20
VRRP (Virtual Router Redundancy Protocol) – (Chapter 6)
VRRP Summary
• Like HSRP, VRRP is a FHRP, providing a default gateway redundancy service.
• RFC 2338, Uses IP protocol 112, multicast address 224.0.0.18, TTL=1
• Similar in functionality to HSRP, supporting preemption (enabled by default), object tracking and authentication. However, interface tracking is not supported.
• Cisco switches and routers support VRRP on Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces, MPLS VPNs and VLAN SVIs.
• Not currently supported across all Cisco switch platforms.
• Virtual MAC address = 0000.5e00.0101
• The group number can be from 0 – 255; Default is 100.
• The priority value can be from 1 – 254; Default is 100. If no priority, router with highest IP address becomes master. 0 is reserved for graceful shutdown, 255 used by physical interface.
• Only the Master sends advertisements, every 1 second by default (max 255 seconds).
• The master down interval: number of seconds for the backup to declare the master down. Default is 3 x hello interval + skew time.
• Skew time (S) = (256 - priority) / 256, ensures that the backup router with the highest priority becomes the new master.
VRRP Configuration – Virtual Interface
Master
R1(config)#int fa0/0
R1(config-if)#vrrp 1 ip 192.168.10.1
R1(config-if)#vrrp 1 priority 150
R1(config-if)#vrrp 1 timers advertise msec 500
Backup
R2(config)#int fa0/0
R2(config-if)#vrrp 1 ip 192.168.10.1
R2(config-if)#vrrp 1 priority 100
R2(config-if)#vrrp 1 timers learn
VRRP Configuration – Physical Interface
Master
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#vrrp 1 ip 192.168.10.1
Backup
R2(config)#int fa0/0
R2(config-if)#vrrp 1 ip 192.168.10.1
GLBP (Gateway Load Balancing Protocol) – (Chapter 6)
GLBP Summary
• Active virtual gateway (AVG): Members of a GLBP group elect one gateway to be the AVG for that group. Other group members provide backup for the AVG if the AVG becomes unavailable. The AVG assigns a virtual MAC address to each member of the group (max of 4 virtual MAC addresses per group).
• Active virtual forwarder (AVF): Each gateway assumes responsibility for forwarding packets sent to the virtual MAC address assigned to it by the AVG. These gateways are known as AVFs.
• A GLBP group can contain 1 x AVG and 4 x AVF (AVG also fulfils AVF role).
• Standby Virtual Gateway (SVG) is automatically designated based on priority.
• Communication: GLBP group members communicate with each other using hello messages (TTL=1) sent every 3 seconds to the multicast address 224.0.0.102, port 3222 using UDP.
• The group number can be from 0 – 1023.
• The priority value can be from 1 – 255; Default is 100. If no priority, router with highest IP address on GLBP interface becomes AVG.
• The hellotime can be from 1 – 60 seconds (50 to 6000 msec); default is 3 seconds.
• The holdtime can be from 1 – 180 (70 to 180000 msec); default is 10 seconds.
• Weighting value controlling AVF operation can be 1 – 254, default is 100.
• Both AVG and AVF devices send hellos.
• The track command default decrement of the priority is 10
GLBP Virtual Router MAC Address
• Vendor ID (Vendor Code): The first three bytes of the MAC address.
• GLBP group ID (xx.xx): 6 x ‘0’ bits followed by the 10-bit GLBP group ID.
• AVF ID (yy): Virtual forwarder value (1-4).
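The MAC layouts given in the HSRP and GLBP sections (and the VRRP virtual MAC above) are enough to build the virtual MAC of any group and to recognise one in a CAM table, which is how you confirm that the gateway MAC is learned on the expected uplink and nowhere else. The Python below is an added example, not Cisco code; the vendor prefixes 0000.0c (HSRP) and 0007.b4 (GLBP) are Cisco's, 0000.5e00.01 is from RFC 3768, and the `show mac address-table` excerpt is constructed.

```python
"""Added example (not Cisco code): build the virtual MAC of an FHRP group from
the layouts in the HSRP, VRRP and GLBP MAC sections of this sheet, and do the
reverse for MACs seen in a CAM table. Vendor prefixes: 0000.0c (HSRP, Cisco),
0000.5e00.01 (VRRP, RFC 3768), 0007.b4 (GLBP, Cisco), 0005.73a0.0 (HSRP for
IPv6, from the FHRP-for-IPv6 section below). The CAM table is constructed."""

# protocol: (fixed prefix, mask of the group field, shift of the group field, max group)
LAYOUTS = {
    "hsrpv1":    (0x00000c07ac00, 0x0ff, 0, 255),    # 0000.0c07.acXX
    "hsrpv2":    (0x00000c9ff000, 0xfff, 0, 4095),   # 0000.0c9f.fXXX
    "hsrp-ipv6": (0x000573a00000, 0xfff, 0, 4095),   # 0005.73a0.0XXX
    "vrrp":      (0x00005e000100, 0x0ff, 0, 255),    # 0000.5e00.01XX
    "glbp":      (0x0007b4000000, 0x3ff, 8, 1023),   # 0007.b4XX.XXYY, YY = AVF 1-4
}


def fmt_mac(value):
    """48-bit int -> Cisco dotted form, e.g. 0000.0c07.ac01."""
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_mac(text):
    """Accept 0000.0c07.ac01, 00:00:0c:07:ac:01 or 00-00-0c-07-ac-01."""
    digits = text.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def fhrp_vmac(protocol, group, avf=None):
    """Virtual MAC for `group` of `protocol`; GLBP also needs the AVF number (1-4)."""
    prefix, mask, shift, max_group = LAYOUTS[protocol]
    if not 0 <= group <= max_group:
        raise ValueError(f"{protocol} group must be 0-{max_group}")
    value = prefix | (group << shift)
    if protocol == "glbp":
        if avf is None or not 1 <= avf <= 4:
            raise ValueError("GLBP needs an AVF number 1-4")
        value |= avf
    elif avf is not None:
        raise ValueError("only GLBP has an AVF field")
    return fmt_mac(value)


def identify_fhrp(mac):
    """Return (protocol, group, avf) if `mac` is an FHRP virtual MAC, else None."""
    value = parse_mac(mac)
    for protocol, (prefix, mask, shift, max_group) in LAYOUTS.items():
        field_mask = mask << shift
        avf_mask = 0xff if protocol == "glbp" else 0
        # Everything outside the group (and AVF) field must equal the fixed prefix;
        # for GLBP this also enforces the six zero bits above the 10-bit group.
        if value & ~(field_mask | avf_mask) & 0xffffffffffff != prefix:
            continue
        group = (value >> shift) & mask
        if group > max_group:
            continue
        if protocol == "glbp":
            avf = value & avf_mask
            if not 1 <= avf <= 4:
                continue
            return protocol, group, avf
        return protocol, group, None
    return None


def scan_cam_table(output):
    """Parse 'show mac address-table' text and return the FHRP virtual MACs found,
    with the VLAN and port they were learned on: [(vlan, mac, port, (proto, group, avf))]."""
    hits = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue                      # header, separator, blank or 'All' entries
        vlan, mac, port = int(parts[0]), parts[1], parts[-1]
        try:
            hit = identify_fhrp(mac)
        except ValueError:
            continue
        if hit:
            hits.append((vlan, mac, port, hit))
    return hits


# Constructed CAM table excerpt (not from a real device).
SAMPLE_CAM = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac0a    DYNAMIC     Fa0/24
  10    0200.aaaa.0001    DYNAMIC     Fa0/5
  20    0007.b400.0a02    DYNAMIC     Fa0/23
  20    0000.0c9f.f014    DYNAMIC     Fa0/5
"""

if __name__ == "__main__":
    print("HSRPv1 group 1 :", fhrp_vmac("hsrpv1", 1))
    print("GLBP group 1 AVF 1:", fhrp_vmac("glbp", 1, 1))
    for vlan, mac, port, (proto, group, avf) in scan_cam_table(SAMPLE_CAM):
        print(f"VLAN {vlan}: {mac} on {port} is {proto} group {group}" + (f" AVF {avf}" if avf else ""))
```

In the constructed table the HSRPv2 group 20 MAC is learned on Fa0/5, an access port, which is the kind of entry worth a second look when the real gateways sit behind Fa0/23-24.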
GLBP configuration
AVG + AVF
R1(config)#int fa0/0
R1(config-if)#glbp 1 ip 192.168.10.1
R1(config-if)#glbp 1 priority 150
R1(config-if)#glbp 1 preempt
R1(config-if)#glbp 1 preempt delay minimum 300
R1(config-if)#glbp 1 timers msec 200 msec 700
SVG + AVF
R2(config)#int fa0/0
R2(config-if)#glbp 1 ip 192.168.10.1
R2(config-if)#glbp 1 priority 100
R2(config-if)#glbp 1 preempt
R2(config-if)#glbp 1 preempt delay minimum 300
R2(config-if)#glbp 1 timers msec 200 msec 700
GLBP Authentication
Plain-Text (not recommended):
R1(config)#int Fa0/0
R1(config-if)#glbp 1 authentication text cisco123
MD5 (Interface):
R1(config)#int Fa0/0
R1(config-if)#glbp 1 authentication md5 key-string 0 cisco123
MD5 (key-chain):
R1(config)#key chain GLBP_CHAIN
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string 0 cisco123
R1(config)#int Fa0/0
R1(config-if)#glbp 1 authentication md5 key-chain GLBP_CHAIN
GLBP Load Balancing
R1(config-if)#glbp 1 load-balancing {round-robin | weighted | host-dependent}
• Round-robin load-balancing algorithm: As clients send ARP requests to resolve the MAC address of the default gateway, the reply to each client contains the MAC address of the next possible router in round-robin fashion. All routers’ MAC addresses take turns being included in address resolution replies for the default gateway IP address.
• Weighted load-balancing algorithm: The amount of load directed to a router is dependent upon the interface weighting value advertised by that router (provided interface tracking is not configured).
• Host-dependent load-balancing algorithm: A host is guaranteed to use the same virtual MAC address as long as that virtual MAC address is participating in the GLBP group.
GLBP Weighting Configuration
DLS1(config)#track 90 int fa0/24 line-protocol
DLS1(config)#track 91 int fa0/23 line-protocol
DLS1(config)#interface vlan 10
DLS1(config-if)#ip address 10.1.1.2 255.255.255.0
DLS1(config-if)#glbp 10 ip 10.1.1.1
DLS1(config-if)#glbp 10 preempt
DLS1(config-if)#glbp 10 load-balancing weighted
DLS1(config-if)#glbp 10 weighting 110 lower 85 upper 105
DLS1(config-if)#glbp 10 weighting track 90 decrement 10
DLS1(config-if)#glbp 10 weighting track 91 decrement 20
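The following Python is an added walk-through (not Cisco code) of the weighting thresholds just configured: weighting 110, lower 85, upper 105, with track 90 taking 10 and track 91 taking 20 off the weight. It replays a constructed sequence of uplink failures and recoveries to show when DLS1 stops and resumes acting as AVF.

```python
"""Added example (not Cisco code): walk through the GLBP weighting thresholds
configured above (weighting 110, lower 85, upper 105; track 90 decrement 10,
track 91 decrement 20). A gateway gives up its AVF role when its weight drops
below 'lower' and only takes it back once the weight climbs above 'upper'; the
gap between the two thresholds keeps one flapping uplink from flapping the
forwarder role. The threshold behaviour is modelled, not Cisco's implementation."""


class GlbpForwarder:
    """Weighting state of one GLBP gateway with tracked objects."""

    def __init__(self, weighting, lower, upper, tracks):
        # IOS requires 1 <= lower <= upper <= weighting <= 254.
        if not 1 <= lower <= upper <= weighting <= 254:
            raise ValueError("need 1 <= lower <= upper <= weighting <= 254")
        self.weighting = weighting
        self.lower = lower
        self.upper = upper
        self.tracks = dict(tracks)          # {track object id: decrement}
        self.down = set()                   # tracked objects currently down
        self.active_avf = True              # full weight at start, so forwarding

    @property
    def weight(self):
        """Current weight: configured weighting minus decrements of down objects."""
        return self.weighting - sum(self.tracks[t] for t in self.down)

    def track_event(self, track_id, is_up):
        """Apply an up/down event for a tracked object; return (weight, active_avf)."""
        if track_id not in self.tracks:
            raise KeyError(f"track {track_id} is not bound to this group")
        if is_up:
            self.down.discard(track_id)
        else:
            self.down.add(track_id)
        w = self.weight
        if self.active_avf and w < self.lower:
            self.active_avf = False         # fell below lower threshold: stop forwarding
        elif not self.active_avf and w > self.upper:
            self.active_avf = True          # climbed above upper threshold: resume
        return w, self.active_avf


def run_scenario(events, weighting=110, lower=85, upper=105, tracks=None):
    """Replay a list of (track_id, is_up) events on DLS1's configuration above
    and return the (weight, active_avf) pair after each event."""
    fwd = GlbpForwarder(weighting, lower, upper, tracks or {90: 10, 91: 20})
    return [fwd.track_event(tid, up) for tid, up in events]


# Constructed sequence: fa0/24 (track 90) down, then fa0/23 (track 91) down,
# then each link comes back in the same order.
SCENARIO = [(90, False), (91, False), (90, True), (91, True)]

if __name__ == "__main__":
    for (tid, up), (w, active) in zip(SCENARIO, run_scenario(SCENARIO)):
        state = "active AVF" if active else "not forwarding"
        print(f"track {tid} {'up' if up else 'down'}: weight={w} -> {state}")
```

Note the third step: with fa0/24 back the weight is 90, above the lower threshold but not above the upper one, so DLS1 stays out of the AVF role until both uplinks are up again.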
GLBP and STP Optimisation
1. Use Rapid STP (RSTP).
2. Configure Po1 as a L3 link.
3. Configure the link between DLS1 and DLS2 as an STP blocking port:
DLS2(config)#int po1
DLS2(config-if)#spanning-tree cost 2000
GLBP Verification
R1#show glbp brief
FHRP for IPv6 – (Chapter 6)
Summary
• HSRP for IPv4 and IPv6 are mutually exclusive.
• IPv6 hosts learn of available IPv6 routers through IPv6 neighbour discovery Router Advertisements (RA) messages.
• RA are multicast periodically by HSRP Active devices, or may be solicited by hosts.
• An HSRP IPv6 group has a virtual MAC address that is derived from the HSRP group number (0005.73a0.0xxx), and a virtual IPv6 link-local address that is, by default, derived from the HSRP virtual MAC address.
• HSRPv2 must be used to support IPv6.
• Hello messages multicast (FF02::66) to UDP port 2029.
• Supports authentication.
HSRP IPv6 configuration
DLS1(config)#interface vlan 10
DLS1(config-if)#ipv6 address 2001:DB8:CAFE:10::1/64
DLS1(config-if)#ipv6 address FE80::D1 link-local
DLS1(config-if)#standby version 2
DLS1(config-if)#standby 10 ipv6 autoconfig
DLS1(config-if)#standby 10 priority 150
DLS1(config-if)# standby 10 preempt
DLS1(config)#interface vlan 20
DLS1(config-if)#ipv6 address 2001:DB8:CAFE:20::1/64
DLS1(config-if)#ipv6 address FE80::D1 link-local
DLS1(config-if)#standby version 2
DLS1(config-if)#standby 20 ipv6 autoconfig
DLS1(config-if)#standby 20 preempt
DLS2(config)#interface vlan 10
DLS2(config-if)#ipv6 address 2001:DB8:CAFE:10::2/64
DLS2(config-if)#ipv6 address FE80::D2 link-local
DLS2(config-if)#standby version 2
DLS2(config-if)#standby 10 ipv6 autoconfig
DLS2(config-if)#standby 10 preempt
DLS2(config)#interface vlan 20
DLS2(config-if)#ipv6 address 2001:DB8:CAFE:20::2/64
DLS2(config-if)#ipv6 address FE80::D2 link-local
DLS2(config-if)#standby version 2
DLS2(config-if)#standby 20 ipv6 autoconfig
DLS2(config-if)#standby 20 priority 150
DLS2(config-if)#standby 20 preempt
Verify HSRP IPv6
DLS1# show standby
DLS1# show standby brief
GLBP IPv6 configuration
R1(config)#int Gi0/0
R1(config-if)#ipv6 address 2001:db8:cafe:10::1/64
R1(config-if)#ipv6 address FE80::1 link-local
R1(config-if)#glbp 10 ipv6 autoconfig
R1(config-if)#glbp 10 priority 200
R1(config-if)#glbp 10 preempt
R1(config-if)#glbp 10 weighting 200
R1(config-if)#glbp 10 load-balancing weighted
R2(config)#int Gi0/0
R2(config-if)#ipv6 address 2001:db8:cafe:10::2/64
R2(config-if)#ipv6 address FE80::2 link-local
R2(config-if)#glbp 10 ipv6 autoconfig
R2(config-if)#glbp 10 priority 150
R2(config-if)#glbp 10 preempt
R2(config-if)#glbp 10 weighting 100
R2(config-if)#glbp 10 load-balancing weighted
R3(config)#int Gi0/0
R3(config-if)#ipv6 address 2001:db8:cafe:10::3/64
R3(config-if)#ipv6 address FE80::3 link-local
R3(config-if)#glbp 10 ipv6 autoconfig
R3(config-if)#glbp 10 priority 120
R3(config-if)#glbp 10 preempt
R3(config-if)#glbp 10 weighting 100
R3(config-if)#glbp 10 load-balancing weighted
Verify GLBP IPv6
R1#show glbp
R1#show glbp brief
Syslog – (Chapter 7)
Summary
Syslog uses UDP port 514 to send event notification messages across IP networks to event message collectors.
Syslog Message Severity
Severity Name  | Severity Level | Explanation
Emergency      | Level 0        | System Unusable
Alert          | Level 1        | Immediate Action Needed
Critical       | Level 2        | Critical Condition
Error          | Level 3        | Error Condition
Warning        | Level 4        | Warning Condition
Notification   | Level 5        | Normal, But Significant Condition
Informational  | Level 6        | Informational Message
Debugging      | Level 7        | Debugging Message
Syslog Default Configuration
Log to DLS1 memory:
DLS1(config)#logging buffered 16384
DLS1(config)#logging buffered debugging
DLS1(config)#logging console warnings
Monitor Logging:
DLS1#show logging
DLS1#clear logging
Syslog Server Configuration
DLS1(config)#logging on
DLS1(config)#logging host 10.1.50.1
DLS1(config)#logging source-interface Gi0/0
DLS1(config)#logging trap warnings
(level 4; "logging trap 4" is equivalent)
DLS1(config)#no logging event link-status
DLS1(config)#logging console informational
DLS1(config)#service timestamps log datetime msec
DLS1(config)#service sequence-numbers
DLS1#clock set 10:23:00 23 April 2014
Set Timestamp
ALS1#clock set 10:23:00 23 April 2014
Or
R1(config)#ntp master 5
ALS1(config)#ntp server 192.168.1.254
Verify
DLS1#show logging
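As an added example (not Cisco code), the Python below parses IOS syslog lines in the format the configuration above produces (sequence numbers plus msec timestamps), maps the severity digit to the table above, and shows which messages reach a collector configured with `logging trap warnings` versus the local buffer at `debugging`. The log lines are constructed for the example.

```python
"""Added example (not Cisco code): parse IOS syslog lines of the form produced
with 'service sequence-numbers' and 'service timestamps log datetime msec',
map the severity digit to the table above, and show which lines a destination
set to 'logging trap warnings' (level 4) receives compared with a buffer kept
at 'debugging' (level 7). The log lines below are constructed for the example."""

import re

SEVERITIES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
              4: "Warning", 5: "Notification", 6: "Informational", 7: "Debugging"}

# Keywords accepted by 'logging trap' / 'logging console' / 'logging buffered'.
IOS_LEVEL_KEYWORDS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                      "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# "000045: *Apr 23 10:23:00.101: %LINK-3-UPDOWN: Interface ..."
#  ^seq     ^timestamp (leading * or . means the clock is not authoritative)
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<ts>[*.]?(?:[A-Z][a-z]{2}\s+\d{1,2}\s+)?\d{1,2}:\d{2}:\d{2}(?:\.\d{3})?"
    r"(?:\s+[A-Za-z]+)?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def parse_line(line):
    """Return the message fields as a dict, or None for a line that is not IOS syslog."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    return {
        "seq": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["ts"],
        "facility": m["facility"],
        "severity": sev,
        "severity_name": SEVERITIES[sev],
        "mnemonic": m["mnemonic"],
        "text": m["text"],
    }


def trap_level(setting):
    """Translate a 'logging trap' argument (digit 0-7 or IOS keyword) to a level."""
    s = str(setting).strip().lower()
    if s.isdigit() and 0 <= int(s) <= 7:
        return int(s)
    if s in IOS_LEVEL_KEYWORDS:
        return IOS_LEVEL_KEYWORDS[s]
    raise ValueError(f"not a valid logging level: {setting!r}")


def forwarded(lines, level):
    """Messages a destination at `level` receives: severity numerically <= level."""
    return [p for p in map(parse_line, lines) if p and p["severity"] <= level]


# Constructed log excerpt (sequence numbers and msec timestamps enabled).
SAMPLE_LOG = """\
000045: *Apr 23 10:23:00.101: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
000046: *Apr 23 10:23:01.205: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
000047: *Apr 23 10:23:07.330: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/8 on VLAN0010.
000048: *Apr 23 10:23:09.412: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.50.7)
000049: *Apr 23 10:23:12.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.50.99] [localport: 22] [Reason: Login Authentication Failed]
000050: *Apr 23 10:23:15.777: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test
""".splitlines()

if __name__ == "__main__":
    for level_name in ("warnings", "debugging"):
        level = trap_level(level_name)
        got = forwarded(SAMPLE_LOG, level)
        print(f"logging trap {level_name} (level {level}): {len(got)} of {len(SAMPLE_LOG)} messages")
        for p in got:
            print(f"  {p['seq']:06d} {p['severity_name']:<13} %{p['facility']}-{p['severity']}-{p['mnemonic']}")
```

With the trap level at warnings, the root guard block and the failed login reach the collector while the config-change notification (level 5) stays only in the local buffer, which is worth knowing before deciding what a SIEM will actually see.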
NTP (Network Time Protocol) – (Chapter 7)
Summary
• NTP is a protocol designed to time-synchronise a network of machines. NTP runs over UDP, port 123, which in turn runs over IP.
• NTP is an Internet standard protocol currently at v4 and specified in RFC 1305 (v3 supports IPv4)/5905 (v4 supports IPv4/IPv6).
• An NTP network usually obtains the time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network.
• NTP is extremely efficient; no more than one packet per minute is necessary to synchronise two machines to within 1 ms of one another.
• NTP uses the concept of a stratum to describe how many NTP "hops" away a machine is from an authoritative time source.
• A stratum 1 time server typically has a radio or atomic clock directly attached to the server; a stratum 2 time server receives the time via NTP from a stratum 1 time server, and so on.
• A machine that runs NTP automatically chooses the machine with the lowest stratum number to communicate with via NTP as the machine's time source. This strategy effectively builds a self-organising tree of NTP speakers.
NTP modes
Server              | Will sync with NTP devices in a lower or higher stratum, but will only act as a source to devices in a lower stratum.
Client              | Synchronises with an NTP server.
Peer                | Exchanges time information with another peer (can act as a server or a client).
Broadcast/Multicast | Acts as an NTP server, but pushes time info to any listening device.
Set Clock
ALS1#clock set 10:23:00 20 Jan 2015
ALS1(config)#clock timezone GMT 0 0
DLS1(config)#clock summer-time GMT date 29 March 2015 01:00 25 Oct 2015 01:00
ALS1#show clock
10:23:01.011 UTC Fri Jan 30 2015
NTP Configuration Example
R1(config)#ntp master 5
R1(config)#ntp authenticate
R1(config)#ntp trusted-key 1
R1(config)#ntp authentication-key 1 md5 cisco123
R1(config)#ntp source loopback 0
DLS1(config)#ntp authenticate
DLS1(config)#ntp trusted-key 1
DLS1(config)#ntp authentication-key 1 md5 cisco123
DLS1(config)#ntp server 172.16.0.1
DLS1(config)#ntp peer 172.16.20.1
DLS1(config)#ntp source loopback 0
DLS2(config)#ntp authenticate
DLS2(config)#ntp trusted-key 1
DLS2(config)#ntp authentication-key 1 md5 cisco123
DLS2(config)#ntp peer 172.16.10.1
DLS2(config)#ntp source loopback 0
NTP Broadcast Service
R1(config)#interface Gi0/0
R1(config-if)#ntp broadcast version 4
R2(config)#interface Gi0/0
R2(config-if)#ntp broadcast client
NTP Access-Control
R1(config)#access-list 1 permit 127.127.1.1
R1(config)#access-list 2 permit 172.16.0.0 0.0.255.255
R1(config)#ntp access-group peer 1
R1(config)#ntp access-group serve 2
R1(config)#ntp source loopback 0
Simple Network Time Protocol (SNTP)
ALS1(config)#sntp authenticate
ALS1(config)#sntp trusted-key 1
ALS1(config)#sntp authentication-key 1 md5 cisco123
ALS1(config)#sntp server 172.16.0.1
Verify
DLS1#show ntp status
DLS1#show ntp associations
ALS1#show sntp
R1#show ntp information
NTPv4 for IPv6
R1(config)#ntp master 5
R1(config)#ntp authenticate
R1(config)#ntp trusted-key 1
R1(config)#ntp authentication-key 1 md5 cisco123
R1(config)#ntp source loopback 0
DLS1(config)#ntp authenticate
DLS1(config)#ntp trusted-key 1
DLS1(config)#ntp authentication-key 1 md5 cisco123
DLS1(config)#ntp server 2001:db8:cafe:a1::1 version 4
DLS1(config)#ntp peer 2001:db8:cafe:a3:1::1
DLS1(config)#ntp source loopback 0
DLS2(config)#ntp authenticate
DLS2(config)#ntp trusted-key 1
DLS2(config)#ntp authentication-key 1 md5 cisco123
DLS2(config)#ntp peer 2001:db8:cafe:a2::1 version 4
DLS2(config)#ntp source loopback 0
NTPv4 IPv6 Multicast Service
DLS1(config)#interface range Fa0/1
DLS1(config-if-range)#ntp multicast FF02::1:FF0E:8C6C version 4
ALS1(config)#interface range Fa0/1
ALS1(config-if-range)#ntp multicast client FF02::1:FF0E:8C6C
NTPv4 IPv6 Access Control
R1(config)#ipv6 access-list NTP
R1(config-ipv6-acl)#permit udp 2001:DB8:CAFE::/48 2001:DB8:CAFE:A1::/64 eq ntp
R1(config)#ntp access-group ipv6 serve NTP kod
The optional kiss-of-death (kod) command allows the NTP server to inform clients blocked by the ACL that they have been denied access.
SNMP– (Chapter 7)
SNMP Security models
Security Model | Security Level | Authentication Strategy | Encryption Type
SNMPv1         | noAuthNoPriv   | Community string        | None
SNMPv2c        | noAuthNoPriv   | Community string        | None
SNMPv3         | noAuthNoPriv   | Username                | None
SNMPv3         | authNoPriv     | MD5 or SHA-1            | None
SNMPv3         | authPriv       | MD5 or SHA-1            | DES, 3DES, AES
• noAuthNoPriv (no authentication, no privacy): uses a username for authentication.
• authNoPriv (authentication, no privacy): authentication using MD5 or SHA Hashed Message Authentication Code (HMAC).
• authPriv (authentication, privacy): authentication using MD5 or SHA HMAC, privacy via encryption.
SNMPv2c Configuration
R1(config)#ip access-list standard SNMP_ACL
R1(config-std-nacl)#permit 10.1.50.1
R1(config)#snmp-server community cisco ro SNMP_ACL
R1(config)#snmp-server community cisco123 rw SNMP_ACL
R1(config)#snmp-server host 10.1.50.1 version 2c cisco
R1(config)#snmp-server host 10.1.50.1 informs version 2c cisco
R1(config)#snmp-server enable traps ?
R1(config)#snmp-server ifindex persist
R1(config)#snmp-server location NOC_SNMP_MANAGER
R1(config)#snmp-server contact [email protected]
SNMPv3 Configuration
R1(config)#ip access-list standard SNMP_ACL
R1(config-std-nacl)#permit 10.1.50.1
R1(config)#snmp-server group SNMP_1 v3 priv access SNMP_ACL
R1(config)#snmp-server user netadmin SNMP_1 v3 auth sha cisco123 priv aes 128 cisco123
R1(config)#snmp-server enable traps
R1(config)#snmp-server host 10.1.50.1 informs version 3 priv netadmin
Verify
R1#show snmp
R1#show snmp community
R1# show snmp group
R1#show snmp user
AAA (Authentication, Authorisation, Accounting) – (Chapter 7)
Summary • Authentication - Provides the method of identifying users, including login and password dialog,
challenge and response, messaging support, and, depending on the security protocol selected, encryption . RADIUS combines authentication and authorisation, whereas TACACS+ decouples them.
• Authorisation - Provides the method for remote access control, including one-time authorisation or authorisation for each service. RADIUS does not allow specification (or enforcement) of which commands can be and which commands cannot be executed on a router, whereas TACACS+ does.
• Accounting - Provides the method for collecting and sending security server information used for billing, auditing, and reporting. RADIUS has extensive accounting capabilities, while TACACS+ has limited accounting capabilities.
AAA Authentication konfigurationConfigure TACACS+
S1(config)#aaa new-model
S1(config)#tacacs-server host 192.168.229.76 single-connection
S1(config)#tacacs-server key ciscosecret
Configure RADIUS
S1(config)#aaa new-model
S1(config)#radius-server host 192.168.229.76 auth-port 1812
S1(config)#radius-server key ciscosecret
The aaa authentication login command in global configuration mode enables the AAA authentication process and defines a method list; the methods are tried in the order listed (here group radius 1st, local 2nd, line 3rd):
S1(config)#aaa authentication login default group radius local line
S1(config)#aaa authentication login TELNET_LINES group radius
S1(config)#line console 0
S1(config-line)#login authentication default
S1(config-line)#line vty 0 15
S1(config-line)#login authentication TELNET_LINES
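The method list `group radius local line` is walked in order, but a later method is consulted only when the earlier one could not answer (server unreachable), not when it rejected the credentials. The Python model below is an added example, not IOS code or anything from the original cheat-sheet: the three method functions, the user databases and the passwords are constructed, and the rule that the local method reports an error only when no username is configured at all is an assumption of the model. It shows why a correct local password does not rescue a login that the reachable RADIUS server has refused.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method reached a verdict and rejected the credentials
    ERROR = "error"  # the method could not be consulted (server unreachable, no database)


def radius_method(reachable, users):
    """Model of 'group radius': ERROR when no server answers, else PASS/FAIL on its database."""
    def method(username, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(username) == password else Result.FAIL
    return method


def local_method(users):
    """Model of 'local' (assumed: ERROR only when no username is configured at all)."""
    def method(username, password):
        if not users:
            return Result.ERROR
        return Result.PASS if users.get(username) == password else Result.FAIL
    return method


def line_method(line_password):
    """Model of 'line': checks the line password only; ERROR if the line has no password."""
    def method(username, password):
        if line_password is None:
            return Result.ERROR
        return Result.PASS if password == line_password else Result.FAIL
    return method


def authenticate(method_list, username, password):
    """Walk the method list in order. A later method is consulted only when the
    previous one returned ERROR; PASS and FAIL are final. Returns (result, method name)."""
    for name, method in method_list:
        result = method(username, password)
        if result is not Result.ERROR:
            return result, name
    return Result.ERROR, None  # every method errored: the login is refused


# Constructed scenario mirroring 'aaa authentication login default group radius local line'.
RADIUS_USERS = {"admin": "radius-secret"}
LOCAL_USERS = {"admin": "local-secret"}


def build_method_list(radius_reachable, local_users=LOCAL_USERS, line_password="line-secret"):
    return [
        ("group radius", radius_method(radius_reachable, RADIUS_USERS)),
        ("local", local_method(local_users)),
        ("line", line_method(line_password)),
    ]


if __name__ == "__main__":
    for reachable in (True, False):
        for pw in ("radius-secret", "local-secret"):
            print(f"radius reachable={reachable} password={pw!r} ->",
                  authenticate(build_method_list(reachable), "admin", pw))
```

The practical consequence for the configuration above: the local account is a fallback for a dead RADIUS server, not a second chance after a RADIUS rejection, so its password must still be strong, and `debug aaa authentication` is the place to see which method produced the verdict.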
AAA Authorization commands
S1(config)#aaa authorization exec default group tacacs+ local none
S1(config)#enable secret class
S1(config)#aaa authorization commands 15 default if-authenticated group tacacs+
S1(config)#aaa authorization exec default group radius local
S1(config)#enable secret class
Local AAA Authentication/Authorisation configuration
S1(config)#aaa new-model
S1(config)#username admin privilege 15 secret cisco
S1(config)#enable secret class
S1(config)#aaa authentication login default local
S1(config)#aaa authorization exec default local
S1(config)#line console 0
S1(config-line)#login authentication default
S1(config-line)#authorization exec default
AAA Accounting commands
S1(config)#aaa accounting exec default start-stop group radius
S1(config)#aaa accounting exec default stop-only group tacacs+
AAA and 802.1X configuration
ALS1#configure terminal
ALS1(config)#aaa new-model
ALS1(config)#radius-server host 172.120.39.46 auth-port 1812 key rad123
ALS1(config)#aaa authentication dot1x default group radius none
ALS1(config)#dot1x system-auth-control
ALS1(config)#int fa0/1
ALS1(config-if)#authentication port-control {auto | force-authorized | force-unauthorized}
For switches running Cisco IOS 12.2(50)SE or later:
ALS1(config-if)#dot1x pae authenticator
Verify
S1#debug aaa authentication
S1#debug aaa authorization
S1#debug radius
S1#debug tacacs+
S1#debug aaa accounting
CDP – Cisco Discovery Protocol – (Chapter 8)
Verify
S1#show cdp neighbors detail
LLDP (Link Layer Discovery Protocol) – (Chapter 8)
Global LLDP activation & configuration
ALS1(config)#lldp run
ALS1(config)#lldp holdtime 120
ALS1(config)#lldp reinit 2
ALS1(config)#lldp timer 30
Interface LLDP activation
ALS1(config)#int gi0/1
ALS1(config-if)#lldp transmit
ALS1(config-if)#lldp receive
LLDP-MED for VoIP configuration
ALS1(config)#network-policy profile 1
ALS1(config-network-policy)#voice vlan 110 cos 5
ALS1(config)#int gi0/1
ALS1(config-if)#network-policy 1
ALS1(config-if)#lldp med-tlv-select network-policy
Verify
DLS1#show lldp
DLS1#show lldp neighbors
Power over Ethernet (PoE) – (Chapter 8)
Versions
• 802.3af - switch applies voltage to determine if a powered device is connected, and what power level it requires.
• Cisco ILP - sends out a 340 kHz test tone on the TX pair to detect powered devices, and uses CDP to discover the power requirement.
802.3af power classes (power allocated)
Power class   Power allocated   Actual power used
Class 0       15.4 W            0.44 to 12.95 W
Class 1       4.0 W             0.44 to 3.84 W
Class 2       7.0 W             3.84 to 6.49 W
Class 3       15.4 W            6.49 to 12.95 W
PoE configuration
DLS1(config)#power inline consumption default 15400
DLS1(config)#int fa0/1
DLS1(config-if)#power inline ?
  auto         Automatically detect and power inline devices
  consumption  Configure the inline device consumption
  never        Never apply inline power
  static       High priority inline power interface
Verify
DLS1#show power inline consumption default
DLS1#show power inline FastEthernet 0/1
SDM (Switching Database Management) – (Chapter 8)
Template types
• Access: The access template maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs.
• Default: The default template gives balance to all functions.
• Routing: The routing template maximizes system resources for IPv4/v6 unicast routing, typically required for a router or aggregator in the centre of a network.
• VLANs: The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.
Change SDM Template
ALS1(config)#sdm prefer access
ALS1(config)#exit
ALS1#copy run start
ALS1#reload
Verify
ALS1#show sdm prefer
IPv4 SDM templates and memory partitions
Memory partition              Access   Default   Routing   VLAN
Unicast MAC addresses         4K       6K        3K        12K
IGMP groups/multicast routes  1K       1K        1K        1K
Unicast routes                6K       8K        11K       0
  Directly connected hosts    4K       6K        3K        0
  Indirect routes             2K       2K        8K        0
Policy-based routing ACEs     0.5K     0         0         0.5K
QoS ACEs                      0.5K     0.5K      0.5K      0.5K
Security ACEs                 2K       1K        1K        1K
L2 VLANs                      1K       1K        1K        1K
SPAN – (Chapter 8)
Local SPAN configuration
SW1(config)#monitor session 1 source int fa0/1 [rx | tx | both]
SW1(config)#monitor session 1 destination int fa0/2
Capture VLAN tagging and management protocols
SW2(config)#monitor session 1 source int fa0/1
SW2(config)#monitor session 1 destination int fa0/2 encapsulation replicate
Configure RSPAN
SW1(config)#vlan 100
SW1(config-vlan)#remote-span
SW1(config)#monitor session 2 source int fa0/7
SW1(config)#monitor session 2 destination remote vlan 100
SW2(config)#vlan 100
SW2(config-vlan)#remote-span
SW2(config)#monitor session 3 source remote vlan 100
SW2(config)#monitor session 3 destination int fa0/8
IP SLA with responder configuration
R3(config)#ip sla responder
R3(config)#ip sla responder udp-echo ipaddress 10.10.10.1 port 5000
R1(config)#ip sla monitor 1
R1(config-ip-sla)#udp-jitter 10.10.20.1 5000
R1(config-ip-sla-jitter)#frequency 120
R1(config)#ip sla monitor schedule 1 life forever start-time now
IP SLA Echo Test configuration
R1(config)#ip sla monitor 2
R1(config-ip-sla)#icmp-echo 10.10.30.10
R1(config-ip-sla)#frequency 120
R1(config)#ip sla monitor schedule 2 life forever start-time now
R1(config)#track 1 ip sla 2 reachability
IP SLA Voice Quality Measurement configuration
R1(config)#ip sla 3
R1(config-ip-sla)#udp-jitter 10.10.20.1 16384 codec g729a
R1(config-ip-sla-jitter)#frequency 10
R1(config)#ip sla schedule 3 life forever start-time now
R3(config)#ip sla responder
R3(config)#ip sla responder udp-echo ipaddress 10.10.10.1 port 16384
Verify
SW1#show monitor
Local SPAN of CPU-generated traffic
S1(config)#monitor session 1 source cpu both
S1(config)#monitor session 1 destination int fa0/8
R1#show ip sla configuration 1
R3#show ip sla responder
R1#show ip sla statistics 1
NSF – (Nonstop Forwarding) – (Chapter 9)
NSF configuration
DLS1(config)#router eigrp 1
DLS1(config-router)#nsf
DLS1(config)#router ospf 1
DLS1(config-router)#nsf
DLS1(config)#router bgp 65501
DLS1(config-router)#bgp graceful-restart
Switch device and protocol security – (Chapter 10)
Summary
• Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.
• Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts.
• Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration.
Secure unused switch ports
S1(config)#interface range fa0/10 - 18
S1(config-if-range)#switchport host
S1(config-if-range)#shutdown
Port Security
S1(config)#interface fa0/1
S1(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addrs
  violation    Security violation mode
Port Security: Violation
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}
DLS1(config)# interface FastEthernet 0/1
DLS1(config-if)# switchport mode access
DLS1(config-if)# switchport port-security
DLS1(config-if)# switchport port-security mac-address 0000.0000.0008
DLS1(config-if)# switchport port-security maximum 1
DLS1(config-if)# switchport port-security violation shutdown
DLS1(config-if)# switchport block unicast
DLS1(config)# interface FastEthernet 0/2
DLS1(config-if)# switchport mode access
DLS1(config-if)# switchport port-security
DLS1(config-if)# switchport port-security mac-address sticky
DLS1(config-if)# switchport port-security maximum 3
DLS1(config-if)# switchport port-security violation restrict
Automatic Error Recovery
ALS1(config)#errdisable recovery cause psecure-violation
ALS1(config)#errdisable recovery interval 60
Verify
S1#show cdp neighbors detail
DLS1#show running-config interface fastethernet 0/2
DLS1#show port-security
ALS1#show interfaces status err-disabled
DHCP Snooping / Spoofing
DHCP Snooping configuration
ALS1(config)#ip dhcp snooping
ALS1(config)#ip dhcp snooping vlan 10
ALS1(config)#interface Fa0/1
ALS1(config-if)#ip dhcp snooping trust
ALS1(config)#interface range fa0/2-3
ALS1(config-if-range)#ip dhcp snooping limit rate 1
DLS1(config)#ip dhcp snooping
DLS1(config)#ip dhcp snooping vlan 10
DLS1(config)#interface range Fa0/1-2
DLS1(config-if-range)#ip dhcp snooping trust
Verify
ALS1#show ip dhcp snooping
ALS1# show ip dhcp snooping binding
IP Address Spoofing & IP Source Guard – (Chapter 10)
IP Source Guard configuration
DLS1(config)#ip source binding cccc.cccc.cccc vlan 10 192.168.10.20 interface fa0/3
Or
DLS1(config)#interface range Fa0/1-3
DLS1(config-if-range)#ip verify source port-security
Verify
DLS1#show ip source binding
ARP Spoofing – (Chapter 10)
Dynamic ARP Inspection configuration
ALS1(config)#ip arp inspection vlan 10
ALS1(config)#ip arp inspection validate {src-mac | dst-mac | ip}
ALS1(config)#int range fa0/2-3
ALS1(config-if-range)#ip arp inspection limit rate 2
ALS1(config)#interface Fa0/1
ALS1(config-if)#ip arp inspection trust
DLS1(config)#ip arp inspection vlan 10
DLS1(config)#interface range Fa0/1-2
DLS1(config-if-range)#ip arp inspection trust
Dynamic ARP Inspection static configuration
DLS1(config)#ip arp inspection vlan 10
DLS1(config)#arp access-list DAI_ACL
DLS1(config-arp-nacl)#permit ip host 192.168.10.1 mac host aaaa.bbbb.cccc
DLS1(config)#ip arp inspection filter DAI_ACL vlan 10
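The port security, DHCP snooping and Dynamic ARP Inspection sections above share one trust model: uplinks are trusted, access ports are untrusted, rate-limited and port-secured, and DAI depends on the binding table that DHCP snooping builds for the same VLANs. The Python script below is an added example, not part of the original cheat-sheet or of any Cisco tool: it splits a running-config into interface stanzas and checks that model. The configuration excerpt, interface names and VLAN numbers are constructed for the example; shut-down ports are treated as secured unused ports and skipped.

```python
import re

# Constructed running-config excerpt (not taken from the page's devices).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10,20
!
interface FastEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip dhcp snooping limit rate 1
 ip arp inspection limit rate 2
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 20
 shutdown
!
"""


def expand_vlans(spec):
    """'10,20-22,30' -> {10, 20, 21, 22, 30}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(config):
    """Split a running-config into global lines and {interface: [lines]} stanzas."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any unindented line ends the stanza
            if raw.strip() and raw.strip() != "!":
                global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_l2_security(config):
    """Check port security, DHCP snooping and DAI settings against the model
    'uplinks trusted, access ports untrusted and port-secured'."""
    global_lines, interfaces = parse_config(config)
    findings = []

    snooping_on = "ip dhcp snooping" in global_lines
    snooping_vlans, dai_vlans = set(), set()
    for line in global_lines:
        m = re.match(r"ip dhcp snooping vlan (\S+)", line)
        if m:
            snooping_vlans |= expand_vlans(m.group(1))
        m = re.match(r"ip arp inspection vlan (\S+)", line)
        if m:
            dai_vlans |= expand_vlans(m.group(1))
    if snooping_vlans and not snooping_on:
        findings.append("DHCP snooping configured per VLAN but not enabled globally")
    # DAI validates ARP against the DHCP snooping binding table; without snooping on the
    # same VLAN only static ARP ACL entries can ever pass on untrusted ports.
    for vlan in sorted(dai_vlans - snooping_vlans):
        findings.append(f"VLAN {vlan}: DAI enabled without DHCP snooping, so no dynamic bindings exist")

    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue  # unused ports are shut down; nothing to check
        if "switchport mode access" in lines:
            if "switchport port-security" not in lines:
                findings.append(f"{name}: access port without port security")
            if "ip dhcp snooping trust" in lines:
                findings.append(f"{name}: access port trusted for DHCP snooping")
            if "ip arp inspection trust" in lines:
                findings.append(f"{name}: access port trusted for ARP inspection")
    return findings


if __name__ == "__main__":
    for finding in audit_l2_security(SAMPLE_CONFIG):
        print(finding)
```

Feed it the full output of `show running-config`; the per-VLAN check is the one that is easiest to miss by eye, because `show ip arp inspection` on the switch will happily report DAI as active on a VLAN whose binding table is empty.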
Cisco Access Control Lists – (Chapter 10)
Different ACL types
• Router access control list (RACL): Applied to Layer 3 interfaces such as SVIs or L3 routed ports. It controls the access of routed traffic between VLANs. RACLs are applied on interfaces for specific directions (inbound or outbound). You can apply one access list in each direction.
• Port access control list (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel port. PACLs perform access control on traffic entering a Layer 2 interface. With PACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. When you apply a PACL to a trunk port, it filters traffic on all VLANs present on the trunk port. PACLs only work inbound on an interface.
• VLAN access control list (VACL): Supported in software on Cisco multilayer switches. Filtering based on Layer 2 or Layer 3 parameters within a VLAN. Unlike RACLs, VACLs are not defined by direction (input or output).
ACL to block traffic
DLS1(config)#ip access-list extended DENY_SERVER
DLS1(conf-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 host 192.168.10.10
VLAN access map to drop the matched traffic and forward the rest
DLS1(config)#vlan access-map DENY_MAP 10
DLS1(config-access-map)#match ip address DENY_SERVER
DLS1(config-access-map)#action drop
DLS1(config-access-map)#exit
DLS1(config)#vlan access-map DENY_MAP 20
DLS1(config-access-map)#action forward
Apply VLAN map to VLAN
DLS1(config)#vlan filter DENY_MAP vlan-list 10
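Two things about the DENY_SERVER/DENY_MAP pair above are easy to get wrong: the ACL says permit even though the goal is to block, because inside a VLAN access map the ACL only selects which packets match the clause (permit = matches, deny = does not match), and a VLAN access map ends in an implicit deny, so without the sequence-20 forward clause every other packet in the VLAN is dropped. The Python evaluator below is an added example that models that logic; it is not IOS code and is not from the original cheat-sheet. The ACL and map are constructed to mirror the page's entries, and the test packets are made up.

```python
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 in the wildcard are 'don't care'."""
    mask = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(base)) & mask == 0


def acl_matches(acl, src, dst):
    """First matching ACE decides. Used as a VACL match clause, 'permit' means
    'this packet matches the clause' and 'deny' means 'it does not'; a packet that
    hits no ACE does not match the clause either."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False


def vacl_action(access_map, acls, src, dst):
    """Evaluate map clauses in sequence order. A clause without a match statement
    matches everything; a packet matching no clause hits the implicit deny (drop)."""
    for _seq, acl_name, action in sorted(access_map, key=lambda c: c[0]):
        if acl_name is None or acl_matches(acls[acl_name], src, dst):
            return action
    return "drop"


# Constructed equivalents of the page's DENY_SERVER ACL and DENY_MAP VLAN access map:
# (action, source, source wildcard, destination, destination wildcard)
ACLS = {
    "DENY_SERVER": [
        ("permit", "192.168.20.0", "0.0.0.255", "192.168.10.10", "0.0.0.0"),
    ],
}
# (sequence, match ACL or None, action)
DENY_MAP = [(10, "DENY_SERVER", "drop"), (20, None, "forward")]
# The same map with sequence 20 omitted: everything not matched by 10 is dropped.
DENY_MAP_NO_FORWARD = [(10, "DENY_SERVER", "drop")]


if __name__ == "__main__":
    for src, dst in (("192.168.20.5", "192.168.10.10"), ("192.168.20.5", "192.168.10.11")):
        print(src, "->", dst,
              "DENY_MAP:", vacl_action(DENY_MAP, ACLS, src, dst),
              "without seq 20:", vacl_action(DENY_MAP_NO_FORWARD, ACLS, src, dst))
```

Checking a map this way before `vlan filter` applies it is cheap insurance: unlike a RACL, a VACL with a missing forward clause cuts off every host in the VLAN, including the switch's own management traffic on that VLAN.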
Protected Ports – (Chapter 10)
Protected ports configuration
S1(config)#int range fa0/1-2
S1(config-if-range)#switchport protected
Create Private VLANs
DLS2(config)#vtp mode transparent
DLS2(config)#vlan 10
DLS2(config-vlan)#private-vlan community
DLS2(config)#vlan 20
DLS2(config-vlan)#private-vlan community
DLS2(config)#vlan 30
DLS2(config-vlan)#private-vlan isolated
DLS2(config-vlan)#exit
DLS2(config)#vlan 100
DLS2(config-vlan)#private-vlan primary
DLS2(config-vlan)#private-vlan association 10,20,30
Populate Private VLANs
DLS2(config)#int fa0/1
DLS2(config-if)#switchport mode private-vlan promiscuous
DLS2(config-if)#switchport private-vlan mapping 100 10,20,30
DLS2(config-if)#int fa0/2
DLS2(config-if)#switchport mode private-vlan host
DLS2(config-if)#switchport private-vlan host-association 100 10
Verify
DLS2#show interfaces fa0/2 switchport
DLS2#sh vlan private-vlan