[Figure: hierarchical campus model: Core Layer / Distribution Layer / Access Layer]
Switch operating systems:
• CatOS
• IOS
VLAN:
Facts:
1. Logical separation
2. Each VLAN is a separate subnet
3. Each VLAN is a separate broadcast domain
4. Each VLAN can have its own QoS and Access Control
5. VLANs are stored in flash in the ‘vlan.dat’ file, so erasing NVRAM won’t delete the VLANs. To remove them, delete ‘vlan.dat’.
6. Each VLAN runs its own STP, thus called PVST (Per-VLAN Spanning Tree)
7. One Root bridge is elected for each VLAN
Guidelines:
1. Restrict VLANs to switch blocks; otherwise we have to use trunks to carry the broadcast traffic of every VLAN. In other words, local VLANs shouldn’t extend beyond the Distribution layer. VLANs should be created around physical boundaries. For example, the Access Layer’s physical boundary is the Distribution Layer, and the Distribution Layer’s physical boundary is the Core Layer.
2. Implement Management VLAN.
3. Separate Voice traffic not only for QoS but also for security.
4. Implement multicast support.
5. Implement inter VLAN routing.
Configuration:
1. Create VLAN
• Old way (through ‘vlan database’). Disadvantage: if we press ^Z, the VLAN configuration is lost. We need to type EXIT instead of ^Z to save the configuration.
• New way (through global configuration mode; the name is set in VLAN configuration sub-mode)
SW(Config)#vlan 10
SW(Config-vlan)#name SALES
2. Change the mode of a port.
• Access – (for Access layer devices, e.g. PCs, printers etc.; no advertisement) SW(Config-if)#switchport mode access
• Trunk – (for trunking; advertises DTP [Dynamic Trunking Protocol] & VTP) SW(Config-if)#switchport mode trunk
• Dynamic Desirable – (dynamically negotiates and actively desires to become a Trunk; advertises DTP & VTP)
• Dynamic Auto – (dynamically negotiates but has no desire of its own; no advertisement)
• Non-negotiate – (does not advertise DTP & VTP, even if the port is a Trunk)
3. Assign that port to a VLAN SW(Config-if)#switchport access vlan 10
4. Verify VLAN with ‘show vlan’ command.
5. Verify the port mode with ‘show int f0/0 switchport’. Check the ‘Administrative Mode’ and ‘Operational Mode’ fields.
6. Make sure to turn all access layer ports to Access mode for security reasons.
SW(Config)#int range f0/0 - 15
SW(Config-if-range)#switchport mode access
Trunking:
1. Trunking protocols:
a. ISL (Inter-Switch Link) – Cisco proprietary; encapsulates the entire frame, thus adding a 26-byte header (of which the VLAN tag is only 2 bytes; the rest is reserved for future use) [not supported on the 2950]
b. 802.1q – Open standard; inserts a tag into the frame instead of encapsulating it. Only a 4-byte tag is inserted (including 3 bits for priority)
2. Configure Trunk protocol (either ISL or 802.1q)
SW(Config-if)#switchport trunk encapsulation dot1q
3. If using 802.1q, make sure the Native VLAN is configured properly, because if an 802.1q trunk port receives an untagged frame it won’t know what to do with it. Once we configure a Native VLAN, we must make sure it’s the same on the adjacent switch, otherwise we will receive a Native VLAN mismatch error. (The Native VLAN is practically required for VoIP, where we don’t want a separate Ethernet drop for the PC in the cubicle and would rather connect the PC to the Ethernet port on the VoIP phone. The VoIP phone can send VLAN-tagged frames, but the PC always sends untagged frames, which the switch would discard if no Native VLAN were configured.)
SW(Config-if)#switchport trunk native vlan 10
4. Configure the port mode to Trunk and use Non-negotiate.
SW(Config-if)#switchport mode trunk
SW(Config-if)#switchport nonnegotiate
5. If not using VTP pruning then manually configure the allowed VLANs to pass
through the trunk.
SW(Config-if)#switchport trunk allowed vlan 10,20,30
6. Verify using ‘sh int f0/0 trunk’ command
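The 802.1q tag layout and the native-VLAN rule above are easy to get wrong in a packet decoder, so the following Python is an added example (not part of these notes and not Cisco code) that classifies constructed Ethernet frames the way an 802.1q trunk port does: a tagged frame goes to the VLAN in its TCI, an untagged or priority-tagged (VID 0) frame goes to the native VLAN, and the result is checked against an allowed-VLAN list written in the same ‘10,20,30’ / ‘1-5’ syntax as the ‘switchport trunk allowed vlan’ command. The MAC addresses and payloads are made up; the native VLAN of 10 mirrors the command above.

```python
import struct
from typing import Optional, Set, Tuple

TPID_DOT1Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_IPV4 = 0x0800


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a constructed Ethernet frame, optionally with an 802.1Q tag.

    The tag is the 4 bytes described in the notes: TPID 0x8100 followed by
    the TCI (3-bit priority, 1-bit DEI, 12-bit VLAN ID).
    """
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_DOT1Q, (pcp << 13) | (vlan & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Classify a frame the way an 802.1Q trunk port does.

    Untagged frames, and priority-tagged frames (VID 0), land in the native
    VLAN; a tagged frame belongs to the VLAN named in its TCI.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "vlan": native_vlan, "pcp": 0, "ethertype": ethertype}
    if ethertype == TPID_DOT1Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        if vid == 0xFFF:
            raise ValueError("VID 4095 is reserved")
        info.update(tagged=True, pcp=tci >> 13, ethertype=inner_type,
                    vlan=vid if vid != 0 else native_vlan)
    return info


def parse_allowed_list(spec: str) -> Set[int]:
    """Expand the 'switchport trunk allowed vlan' syntax ('10,20,30' or '1-5,10')."""
    allowed: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed


def trunk_accepts(frame: bytes, allowed: Set[int], native_vlan: int = 1) -> Tuple[int, bool]:
    """Return (vlan, accepted): the VLAN the frame was placed in and whether
    the trunk's allowed list lets it through."""
    vlan = parse_frame(frame, native_vlan)["vlan"]
    return vlan, vlan in allowed


if __name__ == "__main__":
    allowed = parse_allowed_list("10,20,30")      # same list as the notes' command
    # Constructed traffic: a tagged frame from a phone and an untagged frame from a PC.
    phone = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETH_IPV4,
                        b"\x45" * 20, vlan=20, pcp=5)
    pc = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:66", ETH_IPV4, b"\x45" * 20)
    for name, frame in (("tagged", phone), ("untagged", pc)):
        print(name, parse_frame(frame, native_vlan=10), trunk_accepts(frame, allowed, native_vlan=10))
```

Running it shows the PC’s untagged frame being placed in VLAN 10 purely because that is the trunk’s native VLAN, which is why the native VLAN must match on both ends of the trunk.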
[Figure: STP topology with the Root bridge, Designated (D), Root (R) and Blocking (B) ports, and link costs of 19]
5. STATES:
Listening: 15 sec of listening for BPDUs
Learning: 15 sec of learning MAC addresses
Forwarding: no timer; the port is forwarding traffic
Blocking: the switch will wait up to 20 sec before moving a blocked port into the listening phase.
STATES:
• Learning
• Discarding
• Forwarding
PORT ROLES:
• Root
• Designated
• Alternate
• Edge
[Figure: RSTP topology with the Root bridge and Designated (D), Root (R), Alternate (A) and Edge (E) ports]
EtherChannel:
1. Combining multiple Ethernet links to get a high bandwidth single channel.
2. Negotiation Protocols:
a. PAGP (Port Aggregation Protocol): Cisco proprietary; port modes: Auto,
Desirable, On
b. LACP (Link Aggregation Control Protocol): Industry standard 802.3ad;
port modes: Passive , Active, On
3. Two flavors:
• Layer2 Etherchannel
SW(config)#int range f0/23 - 24
SW(config-if-range)#channel-protocol lacp
SW(config-if-range)#channel-group 1 mode on
• Layer3 Etherchannel
SW(config)#int port-channel 1
SW(config-if)#no switchport
SW(config-if)#ip add 10.1.1.1 255.255.255.0
SW(config-if)#int range f0/23 - 24
SW(config-if-range)#no switchport
SW(config-if-range)#channel-protocol lacp
SW(config-if-range)#channel-group 1 mode on
Inter-VLAN Routing:
Router-on-a-stick:
Advantage:
• Simple to setup
• Lower cost
Disadvantage:
• Congestion on link
• Single point of failure
• Delay of routing
Configuration:
• Configure Trunk connecting Router
SW(config-if)#switchport trunk encapsulation dot1q
SW(config-if)#switchport mode trunk
• Create sub interfaces on Router
Router(config)#int f0/0
Router(config-if)#no shut
Router(config-if)#speed 100
Router(config-if)#duplex full
Router(config-if)#int f0/0.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip add 10.1.10.1 255.255.255.0
Router(config-subif)#int f0/0.20
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip add 10.1.20.1 255.255.255.0
• Configure Default Gateway on PCs according to VLANs
Multilayer Switching:
Advantage:
• Routing at wire speed
• Backplane bandwidth
• Redundancy enabled
Disadvantage:
• Cost
Configuration:
• Create SVI
SW(config)#int vlan 10
SW(config-if)#ip add 10.1.10.1 255.255.255.0
SW(config-if)#no shut
SW(config)#int vlan 20
SW(config-if)#ip add 10.1.20.1 255.255.255.0
SW(config-if)#no shut
• Enable IP Routing
SW(config)#ip routing
• Create Routed Ports (optional)
SW(config)#int f0/0
SW(config-if)#no switchport
SW(config-if)#ip add 10.1.24.1 255.255.255.252
• Enable Routing protocols (optional)
SW(config)#router eigrp 1
SW(config-router)#no auto-summary
SW(config-router)#network 10.0.0.0
Some Facts:
• Router and L3 switch both have IOS software routing.
• Software routing is relatively slow compared to ASIC (Application-Specific Integrated Circuit) routing.
• L3 switches can play a little software/hardware trick.
[Figure: on the first packet, the L3 Engine computes the route and copies it to the FIB]
Managing Redundancy:
Configuration:
a) Add VRRP groups and the Virtual IP address on all switches.
SW(config)#int VLAN 70
SW(config-if)#vrrp 1 ip 172.30.70.1 [IP address of one of the physical interfaces]
b) Verify
sh vrrp
c) Optimize and Tune
SW(config-if)#vrrp 1 priority 150
SW(config-if)#vrrp 1 preempt delay reload 180
SW(config)#track 1 interface f0/0 line-protocol [tracking object; VRRP tracks the object, not the interface directly]
SW(config)#int VLAN 70
SW(config-if)#vrrp 1 track 1 decrement 60
SW(config-if)#vrrp 1 timers advertise msec 100 [configure it on the master]
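To make the tuning commands concrete, the following Python is an added example (not part of these notes and not Cisco code) that works out which switch becomes VRRP master from the rules those commands adjust: the highest effective priority wins, a router whose own interface address is the virtual IP runs at priority 255, a tracked object that is down subtracts its decrement, ties go to the highest interface IP, and a better candidate only takes over a running master when it has preempt enabled. The switch names, addresses and the priority/decrement values (150 and 60, as in the commands above) are constructed; clamping the advertised priority at 1 is an assumption made so the model never emits the reserved value 0.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional


def effective_priority(router: Dict) -> int:
    """Priority a router advertises once tracking is applied.

    The 'IP address owner' (virtual IP equals its own interface address)
    always runs at 255. Each tracked object that is down subtracts its
    decrement, as 'vrrp 1 track <object> decrement <n>' does.
    """
    if router.get("owner"):
        return 255
    pri = router["priority"]
    for obj in router.get("tracks", []):
        if not obj["up"]:
            pri -= obj["decrement"]
    return max(pri, 1)   # assumption: never advertise 0, which VRRP reserves for a master releasing the role


def elect_master(routers: List[Dict], current_master: Optional[str] = None) -> str:
    """Return the name of the router that should be master.

    Highest effective priority wins; ties break on the highest interface IP.
    If a master is already running, a better candidate replaces it only when
    that candidate has preempt enabled (the IOS default, so it defaults to True).
    """
    alive = [r for r in routers if r.get("up", True)]
    if not alive:
        raise RuntimeError("no VRRP router is up")
    best = max(alive, key=lambda r: (effective_priority(r), IPv4Address(r["ip"])))
    if current_master is not None:
        cur = next((r for r in alive if r["name"] == current_master), None)
        if cur is not None and best is not cur and not best.get("preempt", True):
            return cur["name"]
    return best["name"]


if __name__ == "__main__":
    # Constructed pair: SW1 is tuned like the notes (priority 150, track f0/0 decrement 60),
    # SW2 keeps the default priority of 100. The virtual IP is separate from both
    # interface addresses here so that tracking, not ownership, decides the election.
    sw1 = {"name": "SW1", "ip": "172.30.70.2", "priority": 150,
           "tracks": [{"up": True, "decrement": 60}]}
    sw2 = {"name": "SW2", "ip": "172.30.70.3", "priority": 100}
    print("uplink up:  ", elect_master([sw1, sw2]))
    sw1["tracks"][0]["up"] = False          # f0/0 line-protocol goes down on SW1
    print("SW1 priority after tracking:", effective_priority(sw1))
    print("uplink down:", elect_master([sw1, sw2], current_master="SW1"))
```

With the uplink up SW1 wins at 150; once the tracked interface fails its priority drops to 90, which is below SW2’s 100, so SW2 (preempt on by default) takes over. That is the whole point of tracking: a switch that has lost its upstream path should not stay master.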
WIRELESS LAN:
Facts:
• WAP (Wireless Access Point): Acts like a hub; i.e., shared signal & half
duplex.
o Autonomous AP: Standalone; IOS based; Can be centrally controlled
using Wireless Domain Services (WDS); Managed using Ciscoworks
WLAN Solution Engine (WLSE)
o Lightweight AP: Server dependent; Zero-configuration (Dumb); Can be
centrally controlled using Wireless LAN Controller that has all the
intelligence; Managed using Cisco Wireless Control System (WCS)
optional; Lightweight Access Point Protocol (LWAPP) is used between
controller and WAPs; MAC is associated with WLC instead of WAP.
o Indoor AP – 1130AG, 1240AG
o Outdoor AP – 1300 series, 1400 series (Autonomous only)
• Wireless LAN (802.11b, 802.11g, 802.11a) is a physical & data-link layer standard.
• Uses CSMA/CA instead of CSMA/CD.
• Faces connectivity issues because of interference.
• Uses the SSID (Service Set Identifier) to uniquely identify and separate wireless networks. When wireless is enabled, the client issues a probe and the WAP responds with a beacon. The client then associates itself with a chosen SSID, and the WAP adds the client’s MAC to its association table.
• RF service areas should have 10-15% overlap. Solid coverage provides better battery life. For seamless roaming, the WAP should support roaming features, because the client usually stays locked to its current WAP until connectivity is lost.
Two flavors of Roaming:
a) Layer 2 Roaming
Same SSID, VLAN & subnet.
b) Layer 3 Roaming
Same SSID; when the client is in another service area, its source IP address is encapsulated inside that service area’s subnet IP.
Topology:
[Figure: wireless topology with the WAP]
Layer 2 Attacks
1. A hacker can use a hacking tool to send MAC addresses continuously to a port until the CAM table of that switch fills up and it fails to learn any more MAC addresses. The switch then behaves like a hub and starts sending everything to everybody to make sure everybody gets the data they are looking for. The hacker then uses a packet sniffer to get easy access to any data passing through.
2. A hacker negotiates a trunk connection with a switch and moves between VLANs. This is called a VLAN Hopping attack. In this way the hacker can even sneak into the VoIP VLAN and record voice conversations to WAV files.
3. A hacker can act as a Man-in-the-Middle. When a host sends an ARP request for the MAC address of the authentication server, the hacker replies with its own. The host then starts sending packets to the hacker, who relays them to the authentication server pretending to be that host. In this way the authentication server also starts sending packets to the hacker.
Security Measures:
• Use secure MAC addresses
SW(config-if)#switchport mode access [access mode is necessary to enable port security]
SW(config-if)#switchport port-security [enables the feature on the port]
SW(config-if)#switchport port-security mac-address H.H.H [H.H.H is the host’s MAC address; make sure you type as many MAC addresses as you defined using the ‘maximum’ command, or the security purpose of manually typing MAC addresses will be defeated]
‘OR’
SW(config-if)#switchport port-security mac-address sticky [the switch learns the MAC address of whatever is plugged into the port and keeps it as a secure address, which saves manually typing MAC addresses]
Verify using ‘sh mac-add int f0/0’
Remember to save the running config.
• Limit the number of MAC addresses per port
SW(config-if)#switchport port-security maximum 1
• Configure the violation mode
SW(config-if)#switchport port-security violation [shutdown/restrict/protect] [shutdown is the default]
• Verify using ‘sh port-security int f0/0’ and ‘sh interface status’
• To re-enable a shutdown port, do ‘shut’ then ‘no shut’ on that interface
‘OR’
SW(config)#errdisable recovery cause security-violation
SW(config)#errdisable recovery interval 60
sh errdisable recovery
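The three violation modes behave quite differently under the CAM-table flood described above, and the difference is easiest to see by running traffic through a model of the port. The following Python is an added example (not part of these notes and not Cisco code) of one access port with ‘switchport port-security’: it honours a static or sticky secure address, a ‘maximum’ count, the protect/restrict/shutdown violation modes, and the err-disable recovery that ‘errdisable recovery cause security-violation’ (or a manual ‘shut’/‘no shut’) provides. The legitimate PC address and the burst of flood addresses are constructed; the action strings returned are this model’s own labels, not IOS output.

```python
from typing import Iterable, List


class SecurePort:
    """Model of 'switchport port-security' on one access port.

    Violation modes as in the notes:
      protect  - frames from unknown MACs are dropped silently
      restrict - dropped, and a violation counter / syslog entry is raised
      shutdown - the port goes err-disabled (the IOS default)
    """

    def __init__(self, maximum: int = 1, violation: str = "shutdown",
                 static_macs: Iterable[str] = (), sticky: bool = False) -> None:
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure: List[str] = [m.lower() for m in static_macs]   # secure address table
        if len(self.secure) > maximum:
            raise ValueError("more static MACs than 'maximum' allows")
        self.err_disabled = False
        self.violation_count = 0
        self.running_config: List[str] = []   # lines 'sticky' would add to the running config

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame and return the action taken."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.append(src_mac)                 # dynamically learned secure MAC
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # Secure address table is full and this source is not in it: a violation.
        if self.violation == "protect":
            return "drop"
        self.violation_count += 1
        if self.violation == "restrict":
            return "drop+log"
        self.err_disabled = True                        # shutdown mode
        return "err-disabled"

    def errdisable_recover(self) -> None:
        """Equivalent of the errdisable recovery timer firing, or of 'shut' then 'no shut'."""
        self.err_disabled = False


def run_sequence(port: SecurePort, macs: Iterable[str]) -> List[str]:
    """Feed a sequence of source MACs through the port and collect the actions."""
    return [port.receive(m) for m in macs]


# Constructed traffic: the legitimate PC, then a burst of made-up source MACs
# like the CAM-table flood described in the notes, then the PC again.
PC_MAC = "0000.0c12.3456"
FLOOD = [f"0200.0000.{i:04x}" for i in range(1, 6)]

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(maximum=1, violation=mode, sticky=True)
        actions = run_sequence(port, [PC_MAC] + FLOOD + [PC_MAC])
        print(f"{mode:9s} {actions}  violations={port.violation_count}")
        print("          running-config:", port.running_config)
```

The run shows the trade-off behind the ‘violation’ choice: protect and restrict keep the PC working while the flood is dropped (restrict also leaves a counter to alert on), whereas shutdown takes the PC down with the attacker until the port is recovered, which is why the recovery interval matters in practice.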
EAP doesn’t require the switch to look inside the EAP packet, but it still lets the switch participate in authentication. Because of this, we can use the same old switch with many forthcoming authentication technologies, whereas other authentication protocols, like MD5, are the total opposite.
Configuration:
SW(config)#aaa new-model
SW(config)#aaa authentication dot1x default group radius
SW(config)#dot1x system-auth-control
SW(config)#int f0/0
SW(config-if)#dot1x port-control auto
[Figure: private VLAN topology with a promiscuous port providing connectivity, Isolated VLAN 50 and Community VLAN 70]
Configuration:
• Verify:
sh vlan private-vlan type
• Associate ports
SW(config)#int f0/0
SW(config-if)#switchport mode private-vlan host
SW(config-if)#switchport private-vlan host-association 100 30
SW(config-if)#int f0/1
SW(config-if)#switchport mode private-vlan host
SW(config-if)#switchport private-vlan host-association 100 30
SW(config-if)#int f0/2
SW(config-if)#switchport mode private-vlan host
SW(config-if)#switchport private-vlan host-association 100 50
SW(config-if)#int f0/3
SW(config-if)#switchport mode private-vlan host
SW(config-if)#switchport private-vlan host-association 200 70
SW(config-if)#int f0/4
SW(config-if)#switchport mode private-vlan promiscuous
• Mapping on the Promiscuous port
SW(config-if)#switchport private-vlan mapping 100 30,50
• Verify:
sh vlan private-vlan
‘OR’