Advance Switching

CCNP - CCIP www.id-networkers.com



Page 2: Advance Switching

Course Breakup

Frame-Relay, Basic Switching & RIPv2
EIGRP, OSPF, Route Filtering & Redistribution
OSPF & BGP
Advanced Switching & Security
IOS Services & QOS
Multicasting & IPv6
MPLS & MPLS - VPN
100 Point Super Lab


Page 3: Advance Switching

ADVANCE SWITCHING
Section 1


Page 4: Advance Switching


Task 1: Configure Cat-1 using the following policy:

The ports that routers R1-R6 are connected to should be configured such that they only allow one MAC address to be learned. If any MAC address other than that of the attached router is detected on one of these ports, the switch should automatically shut down that port. You should use a regular (interface-range) macro and a smartport macro to accomplish this task.

On Cat-1


define interface-range router-ports f0/1 - 6
macro name port-secure
Enter macro commands one per line. End with the character ‘@’.
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1
@

Page 5: Advance Switching


Task 1 (cont’d): A smartport macro can be applied to an interface, an interface range, or a regular (interface-range) macro. Here the smartport macro is applied to the regular macro defined above, as follows:

On Cat-2 port f0/14, configure the bandwidth utilisation allowed for broadcast traffic to 50%.


interface range macro router-ports
macro apply port-secure

interface f0/14
storm-control broadcast level 50.00

Page 6: Advance Switching


Storm Control: storm-control can be applied to broadcast, unicast and multicast traffic. The command specifies the suppression level for a given type of traffic on a particular interface.

The level can be from 0 to 100, and an optional fraction of a level (two decimal places, 00 to 99) can also be configured, e.g. 50.00.

A threshold value of 100 percent means that no limit is placed on the specified type of traffic; a value of 0.0 means that the particular type of traffic is blocked altogether.

When the rate of multicast traffic exceeds the configured threshold, all incoming traffic (broadcast, multicast and unicast) is dropped until the multicast rate falls back below the threshold. While the traffic is being dropped, only spanning-tree packets are forwarded.

When a broadcast or unicast threshold is exceeded, only the type of traffic that exceeded its threshold is blocked.
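To make the asymmetry between the multicast rule and the broadcast/unicast rule concrete, here is an added Python model of the storm-control decisions exactly as the slides state them. It is not code from the slides or from Cisco; the function names and the sample rates are my own. It validates a level string such as 50.00 (whole number 0-100 with an optional two-digit fraction) and returns which traffic types a port drops for a given set of observed utilisation figures:

```python
import re
from decimal import Decimal
from typing import Dict, Set

TRAFFIC_TYPES = ("broadcast", "multicast", "unicast")


def parse_level(text: str) -> Decimal:
    """Validate a storm-control level string as the slides describe it:
    a whole number from 0 to 100 with an optional two-digit fraction (.00-.99).
    Returns a Decimal so that a level such as 50.00 compares exactly."""
    if not re.fullmatch(r"\d{1,3}(?:\.\d{1,2})?", text):
        raise ValueError(f"level must look like 50 or 50.00, got {text!r}")
    level = Decimal(text)
    if level > 100:
        raise ValueError(f"level must be between 0 and 100, got {text!r}")
    return level


def suppressed_types(levels: Dict[str, Decimal], observed: Dict[str, Decimal]) -> Set[str]:
    """Return the traffic types the port drops, given the configured levels and
    the observed utilisation (both in percent of interface bandwidth, per type).

    Rules encoded from the slides:
      * a level of 100 (or no level at all) means no limit for that type
      * a level of 0.0 blocks that type altogether
      * broadcast or unicast above its level drops only that type
      * multicast above its level drops broadcast, multicast and unicast
        (only spanning-tree packets still pass while suppression is active)
    """
    exceeded = set()
    for ttype in TRAFFIC_TYPES:
        level = levels.get(ttype, Decimal(100))
        rate = observed.get(ttype, Decimal(0))
        if level >= 100:
            continue                      # no limit configured for this type
        if level == 0 or rate > level:
            exceeded.add(ttype)
    if "multicast" in exceeded:
        return set(TRAFFIC_TYPES)         # a multicast storm blocks everything
    return exceeded


if __name__ == "__main__":
    # Constructed scenario: the Cat-2 f0/14 policy (broadcast 50.00) plus a
    # hypothetical multicast limit, to show the two behaviours side by side.
    cfg = {"broadcast": parse_level("50.00"), "multicast": parse_level("20")}
    print(suppressed_types(cfg, {"broadcast": Decimal(60), "multicast": Decimal(5)}))
    print(suppressed_types(cfg, {"broadcast": Decimal(5), "multicast": Decimal(30)}))
```

The first call reports only broadcast being dropped; the second reports all three types, which is the behaviour to keep in mind before putting a multicast level on a port that also carries the routers' unicast traffic.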


Page 7: Advance Switching


Task 2: Cat-2’s ports f0/15 and f0/16 are connected to the company’s web and email servers. These ports should be configured in VLAN 88. Ensure that these ports cannot communicate with each other.

On Cat-2


Cat-2(config)#interface range f0/15 - 16
Cat-2(config-if-range)#switchport protected

Cat-2#show interface f0/15 switchport
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: None

The port is now in protected mode. Note that unknown unicast and multicast traffic is still not blocked.

Page 8: Advance Switching


Task 2 (cont’d): Port blocking is typically implemented together with protected ports. By default the switch floods packets with unknown destination MAC addresses out of all ports except the one on which the packet was received.

If unknown unicast or multicast traffic is flooded to a protected port, there could be security issues. To prevent this behaviour, unknown unicast and multicast packets should be blocked as follows:


interface range f0/15 - 16
switchport block unicast
switchport block multicast

Page 9: Advance Switching


Task 3: Configure Cat-1 such that the ports the routers are connected to bypass the listening and learning states. If any of these ports receives a BPDU, that port should lose its configured portfast state.

On Cat-1

Interface: portfast on the router-facing ports

interface range f0/1 - 6
spanning-tree portfast

Globally: configuring this command in global config mode affects all ports that are configured with portfast

spanning-tree portfast bpdufilter default

The above command stops ports that are in the portfast state from sending BPDUs; the ports send a few BPDUs at link-up before the switch starts to filter outbound BPDUs. If a BPDU is received on a portfast-enabled port, the port loses its portfast status.

Interface: BPDU filtering can also be enabled on the individual port

spanning-tree bpdufilter enable

Caveat: the per-interface form filters BPDUs in both directions unconditionally, so the port does not leave portfast when a BPDU arrives; to meet this task’s requirement use the global ‘default’ form or BPDU guard.

Page 10: Advance Switching


Task 3 (cont’d)

Once the portfast command is entered you should see the following warning message:

%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc… to this interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast will be configured in 6 interfaces due to the range command but will have effect when the interfaces are in a non-trunking mode

The ‘spanning-tree portfast bpduguard default’ command in global config mode puts a port into the err-disabled state (shut down) if that portfast-enabled port receives BPDU packets.


Cat-1(config)#spanning-tree portfast bpduguard default
Cat-1(config)#interface range f0/1 - 6
Cat-1(config-if-range)#spanning-tree portfast
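The two pieces of Cat-1 configuration that target the router-facing ports, the port-security macro from Task 1 and the portfast plus BPDU guard settings from Task 3, are easy to apply unevenly across a range and hard to verify by eye in a long running-config. The following Python audit is an added example, not part of the slides or of any Cisco tool. It parses a constructed running-config excerpt (labelled as such in the code), tolerates the defaults IOS leaves out of the config (port-security maximum 1 and violation mode shutdown), and reports every router-facing port that deviates from the policy. The interface names, the sample config and the helper names are assumptions of this example:

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of a Cat-1 running-config (not captured from a real switch).
# f0/1 and f0/2 follow the Task 1 / Task 3 policy; IOS omits the default
# 'switchport port-security maximum 1' on f0/2, which the audit must tolerate.
# f0/3 was never put into access mode and has no port-security at all.
SAMPLE_RUNNING_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode dynamic desirable
 spanning-tree portfast
!
interface FastEthernet0/14
 storm-control broadcast level 50.00
!
"""

# Ports the routers R1-R6 hang off, as they are named in the running-config.
ROUTER_PORTS = [f"FastEthernet0/{n}" for n in range(1, 7)]


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' section to the list of commands indented under it."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the section
    return sections


def port_security_maximum(cmds: List[str]) -> int:
    """Configured MAC limit; IOS leaves the default of 1 out of the config."""
    for cmd in cmds:
        m = re.fullmatch(r"switchport port-security maximum (\d+)", cmd)
        if m:
            return int(m.group(1))
    return 1


def audit_router_port(name: str, cmds: List[str]) -> List[str]:
    """Findings for one router-facing port against the Task 1 / Task 3 policy."""
    findings = []
    if "switchport mode access" not in cmds:
        findings.append(f"{name}: not a static access port (port-security needs one)")
    if "switchport port-security" not in cmds:
        findings.append(f"{name}: port-security not enabled")
    else:
        limit = port_security_maximum(cmds)
        if limit != 1:
            findings.append(f"{name}: port-security maximum is {limit}, policy wants 1")
        # The default violation action is shutdown; protect/restrict would keep
        # the port up instead of err-disabling it as the task requires.
        for cmd in cmds:
            if re.fullmatch(r"switchport port-security violation (protect|restrict)", cmd):
                findings.append(f"{name}: violation mode '{cmd.split()[-1]}' does not shut the port")
    if "switchport port-security mac-address sticky" not in cmds:
        findings.append(f"{name}: sticky MAC learning not configured")
    if "spanning-tree portfast" not in cmds:
        findings.append(f"{name}: portfast missing, port will go through listening/learning")
    return findings


def audit_config(config: str, ports: List[str] = ROUTER_PORTS) -> List[str]:
    """Audit the global BPDU guard setting plus every router-facing port."""
    findings = []
    if "spanning-tree portfast bpduguard default" not in config.splitlines():
        findings.append("global: 'spanning-tree portfast bpduguard default' missing")
    sections = parse_interfaces(config)
    for port in ports:
        if port not in sections:
            findings.append(f"{port}: no interface section in the running-config")
            continue
        findings.extend(audit_router_port(port, sections[port]))
    return findings


if __name__ == "__main__":
    # The sample only carries f0/1-3, so audit those; a real run would use all six.
    for finding in audit_config(SAMPLE_RUNNING_CONFIG, ROUTER_PORTS[:3]):
        print(finding)
```

Run against the sample, the audit is silent for f0/1 and f0/2 and prints three findings for f0/3 (not an access port, no port-security, no sticky learning). Feeding it the output of ‘show running-config’ from the real switch is a quick way to confirm that a macro applied through an interface-range macro actually reached every member port.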

Page 11: Advance Switching


Task 4: You received a request from the IT department to monitor and analyze all the packets sent and received by the host connected to port f0/14 on Cat-1. You have connected the packet analyzer to port f0/15 on the same switch. Configure the switch to accommodate this request.

On Cat-1

Note the following:
There can only be two monitor sessions configured on a given switch.
The direction to monitor can be configured as Rx, Tx or both. Rx is received traffic, Tx is transmitted traffic, and both covers both directions.
VLANs can only be configured as sources in the Rx direction.
To verify, enter the ‘show monitor session 1’ command.


monitor session 1 source interface f0/14 both
monitor session 1 destination interface f0/15

Page 12: Advance Switching


Task 5: The PCs that are connected, or will be connected, to Cat-1 port f0/16 should be authenticated before they are allowed access to the network. This authentication should use the CSACS server located at 192.168.1.2, using ‘cisco’ as the key.

On Cat-1

Note: By default Dot1x is disabled. Enter the following command to enable Dot1x globally on the switch:

dot1x system-auth-control


Cat-1#show dot1x
Sysauthcontrol = disabled
Dot1x protocol version = 2
Critical Recovery Delay 100
Critical EAPOL Disabled

Page 13: Advance Switching


Task 5 (cont’d)

On Cat-1

aaa new-model
Enter the above command to enable AAA services.

aaa authentication dot1x default group radius
Enter the above command to specify the authentication method list, which describes the sequence of authentication methods to be queried in order to authenticate a given user.

radius-server host 192.168.1.2 key cisco
The above command specifies the RADIUS server and the shared key.


Cat-1#show dot1x
Sysauthcontrol = enabled
Dot1x protocol version = 2
Critical Recovery Delay 100
Critical EAPOL Disabled

Page 14: Advance Switching


Task 5 (cont’d)

interface f0/16
dot1x port-control auto
                       ^
% Invalid input detected at ‘^’ marker

Note that the error message tells us that Dot1x is not available on this port. The reason is that the port is in dynamic mode, and dot1x is not available on ports that are in dynamic mode.

In order to fix this problem and satisfy the requirements of the Dot1x configuration, port f0/16 must be configured in access mode as follows:

interface f0/16
switchport mode access
dot1x port-control auto

Page 15: Advance Switching


The port authentication state can be controlled as follows:

Force-authorized: bypasses the authentication process and allows all traffic.
Force-unauthorized: the port remains in the unauthorized state regardless of any client’s attempt to get authorized.
Auto: enables 802.1x authentication; the switch identifies the client by its MAC address.

To verify that it is enabled on a given port


Cat-1#show dot1x interface f0/16
Dot1x info for fastethernet0/16
-------------------------------
PAE = Authenticator
Portcontrol = AUTO
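Both Task 2 and Task 5 end with a show command whose output has to be read carefully: ‘Protected: true’ on its own does not stop flooded unknown traffic, and a port with Portcontrol = AUTO authenticates nobody while Sysauthcontrol is still disabled globally. The Python below is an added example, not from the slides or from Cisco, that parses ‘show interface ... switchport’ and ‘show dot1x’ output in the one-field-per-line layout shown on these pages and applies those two checks. The sample outputs are constructed to match the slides and the function names are mine:

```python
import re
from typing import Dict, List

# Constructed command output in the layout the slides show (one 'Field: value'
# or 'Field = value' per line); not captured from a real switch.
SWITCHPORT_BEFORE_BLOCKING = """\
Name: Fa0/15
Switchport: Enabled
Administrative Mode: static access
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: None
"""

# Same port after 'switchport block unicast' / 'switchport block multicast'.
SWITCHPORT_AFTER_BLOCKING = SWITCHPORT_BEFORE_BLOCKING.replace("blocked: disabled", "blocked: enabled")

DOT1X_GLOBAL_DISABLED = """\
Sysauthcontrol = disabled
Dot1x protocol version = 2
Critical Recovery Delay 100
Critical EAPOL Disabled
"""

# Same output after 'dot1x system-auth-control'.
DOT1X_GLOBAL_ENABLED = DOT1X_GLOBAL_DISABLED.replace("= disabled", "= enabled")

DOT1X_INTERFACE = """\
Dot1x info for fastethernet0/16
-------------------------------
PAE = Authenticator
Portcontrol = AUTO
"""

FIELD_RE = re.compile(r"^\s*([^:=]+?)\s*[:=]\s*(\S.*?)\s*$")


def parse_fields(output: str) -> Dict[str, str]:
    """Turn 'Key: value' / 'Key = value' lines into a lower-cased dict.
    Lines without a separator (banners, dashes, 'Critical Recovery Delay 100')
    are skipped rather than guessed at."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2).lower()
    return fields


def check_protected_port(switchport_output: str) -> List[str]:
    """Task 2: the port must be protected AND must not receive flooded unknown traffic."""
    f = parse_fields(switchport_output)
    problems = []
    if f.get("protected") != "true":
        problems.append("port is not protected; it can still talk to the other server port")
    for kind in ("unicast", "multicast"):
        if f.get(f"unknown {kind} blocked") != "enabled":
            problems.append(f"unknown {kind} flooding still reaches this port")
    return problems


def check_dot1x(global_output: str, interface_output: str) -> List[str]:
    """Task 5: dot1x must be on globally and the port must actually authenticate."""
    g = parse_fields(global_output)
    i = parse_fields(interface_output)
    problems = []
    if g.get("sysauthcontrol") != "enabled":
        problems.append("dot1x system-auth-control is not enabled globally")
    if i.get("pae") != "authenticator":
        problems.append("port is not acting as the 802.1X authenticator")
    if i.get("portcontrol") != "auto":
        problems.append(f"port-control is {i.get('portcontrol', 'unset')}, expected auto")
    return problems


if __name__ == "__main__":
    print(check_protected_port(SWITCHPORT_BEFORE_BLOCKING))
    print(check_protected_port(SWITCHPORT_AFTER_BLOCKING))
    print(check_dot1x(DOT1X_GLOBAL_DISABLED, DOT1X_INTERFACE))
    print(check_dot1x(DOT1X_GLOBAL_ENABLED, DOT1X_INTERFACE))
```

On the output as the slides first show it, the protected-port check reports that unknown unicast and multicast flooding still reach f0/15, and the dot1x check on the page 12 output reports the missing global enable; after the block and system-auth-control commands both checks come back empty.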

Page 16: Advance Switching

THANK YOU
