CCNP - CCIP
www.id-networkers.com
Course Breakup
Frame-Relay, Basic Switching & RIPv2
EIGRP, OSPF, Route Filtering & Redistribution
OSPF & BGP
Advanced Switching & Security
IOS Services & QOS
Multicasting & IPv6
MPLS & MPLS-VPN
100 Point Super Lab
Section 1
ADVANCE SWITCHING
Advance Switching
Task 1
Configure Cat-1 using the following policy:
The ports to which routers R1-R6 are connected should allow only one MAC address to be learned. If any MAC address other than that of the attached router is detected on any of these ports, the switch should automatically shut that port down. You should use a regular (interface-range) macro and a smartport macro to accomplish this task.
On Cat-1
define interface-range router-ports f0/1 - 6
macro name port-secure
Enter macro commands one per line. Ending with the character '@'
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1
@
The violation mode is not set explicitly: the port-security default, shutdown, already matches the policy.
Advance Switching
Task 1 (cont'd)
A smartport macro can be applied to an interface, an interface range, or a regular (interface-range) macro. Lastly, the smartport macro is applied to the regular macro, as follows:
On Cat-2 port f0/14, limit broadcast traffic to 50% of the port's bandwidth utilization.
interface range macro router-ports
macro apply port-secure

interface f0/14
storm-control broadcast level 50.00
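The port-security behaviour Task 1 relies on (sticky learning, a maximum of one secure address, shutdown on violation) is easy to misjudge, in particular that a violation err-disables the port for the legitimate router as well until an administrator recovers it. The following model is an added example, not code from the workbook or from Cisco; the class, its method names and the MAC addresses fed to it are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One switch port configured with port-security as in Task 1 (hypothetical model)."""
    name: str
    maximum: int = 1                    # switchport port-security maximum 1
    sticky: bool = True                 # switchport port-security mac-address sticky
    violation: str = "shutdown"         # IOS default violation mode
    secure_macs: list = field(default_factory=list)
    err_disabled: bool = False
    violations: int = 0

    def receive(self, src_mac: str) -> str:
        """Decide what the port does with a frame whose source address is src_mac."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)      # learned as a secure (sticky) address
            return "forwarded (learned)"
        self.violations += 1                  # a second source MAC on a max-1 port
        if self.violation == "shutdown":
            self.err_disabled = True
            return "dropped (violation: port shut down)"
        return "dropped (violation)"

    def recover(self) -> None:
        """Administrative shut/no shut or errdisable recovery: sticky bindings remain."""
        self.err_disabled = False

    def sticky_config(self) -> list:
        """Lines a sticky port writes into the running-config for its learned MACs."""
        if not self.sticky:
            return []
        return [f"switchport port-security mac-address sticky {m}" for m in self.secure_macs]


def simulate(port: SecurePort, frames: list) -> list:
    """Feed constructed source MACs through the port and return (mac, action) pairs."""
    return [(mac, port.receive(mac)) for mac in frames]


if __name__ == "__main__":
    # Constructed traffic: the router's MAC, then an unexpected second device.
    p = SecurePort("FastEthernet0/1")
    for mac, action in simulate(p, ["0011.2233.4455", "AABB.CCDD.EEFF", "0011.2233.4455"]):
        print(f"{p.name} {mac}: {action}")
    print("\n".join(p.sticky_config()))
```

The model deliberately keeps the sticky binding across recovery: after the port is re-enabled the original router is forwarded again and the intruding address trips the violation a second time, which is the behaviour to expect on the real switch.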
Advance Switching
Storm Control
Storm-control can be used for broadcast, unicast and multicast traffic; the command specifies the suppression level for a given type of traffic on a particular interface.
The level can be from 0 to 100, and an optional fraction of a level can also be configured from 0 to 99.
A threshold value of 100 percent means that no limit is placed on the specified type of traffic; a value of 0.0 means that the particular type of traffic is blocked altogether.
When the rate of multicast traffic exceeds the configured threshold, all incoming traffic (broadcast, multicast and unicast) is dropped until the multicast rate falls back below the threshold; while this is in effect, only spanning-tree packets are forwarded.
When the broadcast or unicast threshold is exceeded, only the type of traffic that exceeded the threshold is blocked.
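The three rules above (100 means unlimited, 0.0 means always blocked, a multicast storm suppresses every data traffic type while a broadcast or unicast storm suppresses only its own type) can be written down as a small decision function. This is an added example, not code from the workbook; the function names and the sample rates are constructed, and rates are expressed the same way as levels, as a percentage of port bandwidth over one measurement interval.

```python
TRAFFIC_TYPES = ("broadcast", "multicast", "unicast")


def parse_level(level: str) -> float:
    """Parse the <level>[.<fraction>] argument of 'storm-control <type> level'.
    Whole part 0-100, optional fraction 0-99 (hundredths); 100 means no limit."""
    whole, _, frac = level.partition(".")
    w = int(whole)
    f = int(frac.ljust(2, "0")) if frac else 0      # "50.5" is 50.50
    if not 0 <= w <= 100 or not 0 <= f <= 99 or (w == 100 and f):
        raise ValueError(f"invalid storm-control level {level!r}")
    return w + f / 100


def exceeded(level: float, rate: float) -> bool:
    """True when an observed rate trips the configured level:
    level 100 never trips, level 0.0 always trips."""
    if level >= 100:
        return False
    return level == 0 or rate > level


def storm_control_decision(levels: dict, rates: dict) -> dict:
    """Apply the suppression rules for one interval on one port.
    levels: traffic type -> configured level (unconfigured types are unlimited)
    rates:  traffic type -> observed rate
    Returns traffic type -> whether it is forwarded."""
    tripped = {t for t in TRAFFIC_TYPES
               if exceeded(levels.get(t, 100.0), rates.get(t, 0.0))}
    if "multicast" in tripped:
        # a multicast storm drops broadcast, multicast and unicast alike
        forwarded = {t: False for t in TRAFFIC_TYPES}
    else:
        forwarded = {t: t not in tripped for t in TRAFFIC_TYPES}
    forwarded["spanning-tree"] = True           # BPDUs keep flowing in every case
    return forwarded


if __name__ == "__main__":
    # Constructed interval: Task 1's 'storm-control broadcast level 50.00' on f0/14
    # while broadcast traffic is running at 60% of the port's bandwidth.
    levels = {"broadcast": parse_level("50.00")}
    print(storm_control_decision(levels, {"broadcast": 60.0, "multicast": 2.0, "unicast": 30.0}))
```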
Advance Switching
Task 2
Cat-2's ports f0/15 and f0/16 are connected to the company's web and email servers. These ports should be configured in VLAN 88. Ensure that these ports cannot communicate with each other.
On Cat-2
Cat-2(config)#interface range f0/15 - 16
Cat-2(config-if-range)#switchport mode access
Cat-2(config-if-range)#switchport access vlan 88
Cat-2(config-if-range)#switchport protected

Cat-2#show interface f0/15 switchport
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: None
The port is now in protected mode. Note that unknown unicast and multicast traffic is not blocked.
Advance Switching
Task 2 (cont'd)
Typically port blocking is implemented when protected ports are configured. By default the switch floods packets with unknown destination MAC addresses out of all ports except the one on which the packet was received.
If unknown unicast or multicast traffic is forwarded to a protected port, this can create security issues. To prevent this behavior, unknown unicast and multicast packets should be blocked as follows:
interface range f0/15 - 16
switchport block unicast
switchport block multicast
Advance Switching
Task 3
Configure Cat-1 such that the ports to which the routers are connected bypass the listening and learning states. If any of these ports receives a BPDU, that port should lose its configured portfast state.
On Cat-1
interface range f0/1 - 6
spanning-tree portfast

Globally: configuring the following command in global config mode affects all ports that are configured with portfast:
spanning-tree portfast bpdufilter default
The above command stops ports in the portfast state from sending BPDUs; the ports send a few BPDUs at link-up before the switch starts filtering outbound BPDUs. If a BPDU is received on a portfast-enabled port, the port loses its portfast status.

Interface: the feature can also be enabled on an individual port. Unlike the global default form, the interface-level form filters BPDUs unconditionally in both directions and does not remove portfast when a BPDU is received, which effectively disables spanning tree on that port:
spanning-tree bpdufilter enable
Advance Switching
Task 3 (cont'd)
Once the portfast command is entered you should see the following warning message:
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION
%Portfast will be configured in 6 interfaces due to the range command but will have effect when the interfaces are in a non-trunking mode
The 'spanning-tree portfast bpduguard default' command in global config mode shuts a portfast-enabled port down into the err-disable state if it receives a BPDU.
Cat-1(config)#spanning-tree portfast bpduguard default
Cat-1(config)#interface range f0/1 - 6
Cat-1(config-if-range)#spanning-tree portfast
Advance Switching
Task 4
You received a request from the IT department to monitor and analyze all packets sent and received by the host connected to port f0/14 on Cat-1. You have connected the packet analyzer to port f0/15 on the same switch. Configure the switch to accommodate this request.
On Cat-1
Note the following:
Only two monitor sessions can be configured on a given switch.
The direction to monitor can be configured as rx, tx or both: rx is for received traffic, tx is for transmitted traffic, and both monitors both directions.
VLAN sources can only be configured in the rx direction.
To verify, enter the 'show monitor session 1' command.
monitor session 1 source interface f0/14 both
monitor session 1 destination interface f0/15
Advance Switching
Task 5
The PCs that are connected or will be connected to Cat-1 port f0/16 should be authenticated before they are allowed access to the network. This authentication should use the CSACS server located at 192.168.1.2, using 'cisco' as the key.
On Cat-1
Note: by default Dot1x is disabled. Enter the following command to enable Dot1x globally on the switch:
dot1x system-auth-control
Cat-1#show dot1x
Sysauthcontrol = disabled
Dot1x protocol version = 2
Critical Recovery Delay 100
Critical EAPOL Disabled
Advance Switching
Task 5 (cont'd)
On Cat-1
aaa new-model
Enter the above command to enable AAA services.
aaa authentication dot1x default group radius
Enter the above command to specify the authentication method list, which describes the sequence of authentication methods to be queried in order to authenticate a given user.
radius-server host 192.168.1.2 key cisco
The above command specifies the RADIUS server and the shared key.
Cat-1#show dot1x
Sysauthcontrol = enabled
Dot1x protocol version = 2
Critical Recovery Delay 100
Critical EAPOL Disabled
Advance Switching
Task 5 (cont’d)
Note that the error message tells us that Dot1x is not available on this port. The reason is that the port is in dynamic mode, and dot1x is not available on ports that are in dynamic mode.
In order to fix this problem and satisfy the requirements of the Dot1x configuration, port f0/16 must be configured in access mode as follows:
Cat-1(config)#interface f0/16
Cat-1(config-if)#dot1x port-control auto
                 ^
% Invalid input detected at '^' marker.

Cat-1(config)#interface f0/16
Cat-1(config-if)#switchport mode access
Cat-1(config-if)#dot1x port-control auto
Advance Switching
The port authentication state can be controlled as follows:
force-authorized: bypasses the authentication state; all traffic is allowed
force-unauthorized: the port remains in the unauthorized state regardless of the client's attempts to get authorized
auto: enables 802.1x authentication; the switch identifies the client by its MAC address
To verify that it is enabled on a given port:
Cat-1#show dot1x interface f0/16
Dot1x info for fastethernet0/16
-------------------------------
PAE = Authenticator
Portcontrol = AUTO
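Tasks 1, 2, 3 and 5 each leave a handful of lines in the running-config that are easy to lose on one port out of a range (the dot1x command being rejected on a dynamic-mode port is the example this section just showed). The following audit is an added example, not code from the workbook or a Cisco tool: it parses a constructed running-config for a hypothetical switch that combines the tasks' port roles (f0/1-2 as router ports, with f0/3-6 omitted for brevity; f0/15 as a server port; f0/16 as the 802.1X host port) and reports every required setting that is missing. The policy table, the sample config and all function names are assumptions made for this example.

```python
import re

# Constructed running-config (not from any real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
spanning-tree portfast bpduguard default
radius-server host 192.168.1.2 key cisco
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport access vlan 88
 switchport protected
 switchport block unicast
!
interface FastEthernet0/16
 dot1x port-control auto
!
"""

GLOBAL_REQUIRED = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
    "spanning-tree portfast bpduguard default",
]
ROUTER_PORT = [          # Task 1 plus Task 3 portfast
    "switchport mode access",
    "switchport port-security",
    "switchport port-security maximum 1",
    "switchport port-security mac-address sticky",
    "spanning-tree portfast",
]
SERVER_PORT = [          # Task 2
    "switchport access vlan 88",
    "switchport protected",
    "switchport block unicast",
    "switchport block multicast",
]
DOT1X_PORT = ["switchport mode access", "dot1x port-control auto"]   # Task 5
POLICY = {
    "FastEthernet0/1": ROUTER_PORT,
    "FastEthernet0/2": ROUTER_PORT,
    "FastEthernet0/15": SERVER_PORT,
    "FastEthernet0/16": DOT1X_PORT,
}


def parse_config(text: str):
    """Split an IOS running-config into global commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                  # '!' ends a section
            continue
        match = re.match(r"^interface (\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit(text: str) -> list:
    """Return one finding per missing or inconsistent hardening setting."""
    global_cmds, interfaces = parse_config(text)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in global_cmds]
    if not any(re.match(r"radius-server host \S+.*\bkey \S+", c) for c in global_cmds):
        findings.append("global: no RADIUS server with a shared key configured")
    for ifname, required in POLICY.items():
        cmds = interfaces.get(ifname)
        if cmds is None:
            findings.append(f"{ifname}: no configuration section")
            continue
        findings += [f"{ifname}: missing '{c}'" for c in required if c not in cmds]
    # Task 5 showed dot1x port-control being rejected on a dynamic-mode port,
    # so flag it on any interface that is not explicitly an access port.
    for ifname, cmds in interfaces.items():
        if any(c.startswith("dot1x port-control") for c in cmds) and "switchport mode access" not in cmds:
            findings.append(f"{ifname}: dot1x port-control requires 'switchport mode access'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Against the constructed config the audit reports the two port-security lines missing from f0/2, the missing multicast block on f0/15 and the access-mode problem on f0/16; feeding it the output of 'show running-config' from a lab switch is the intended use.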
THANK YOU