Router Switch Commands

  • April 2020
  • PDF



Router Commands

Router# terminal history size 256
Router# show history
Router# show processes cpu

line con 0
 logging synchronous --- keeps console messages from breaking up the command line you are typing

no ip domain lookup --- keeps the router from automatically trying to resolve mistyped commands as host names

ip subnet-zero --- use on the router to allow the use of subnet zero

Switch# show running-config interface fastethernet 5/6

RouterP(config)# service password-encryption --- encrypts all passwords in the written config

You can also search the running config: sh run | begin line vty

alias exec --- not quite sure, check

Create a VLAN:

DLS2(config)# vlan 10
DLS2(config-vlan)# no shut
%VLAN 10 is not shutdown.
DLS2(config-vlan)# vlan 20
DLS2(config-vlan)# no shut
%VLAN 20 is not shutdown.
DLS2(config-vlan)# vlan 30
DLS2(config-vlan)# no shut
%VLAN 30 is not shutdown.
DLS2(config-vlan)# ^Z

Then it can be made an SVI with ip routing, and an address added to each VLAN under the interface command:

int vlan 10
 Network …

SSH setup on a switch/router:

Switch(config)# username cisco password cisco
Switch(config)# ip domain-name cisco
Switch(config)# crypto key generate rsa
Switch(config)# line vty 0 15
Switch(config-line)# login local
Switch(config-line)# transport input ssh

ssh -l cisco 172.16.254.241 --- to connect to a remote host with ssh

To control the protocols that will be accepted on the vty, use transport input <protocol>.

Remember that the command to create a standard access list for a single host is access-list <number> permit host <address>.
b. Use this access list to define the access-class for the vty connections. Set the access-class on the vty lines (0 – 4) for inbound connections.

Setting up local accounts on the router and what level to authenticate them as:
---- Only use login local when you have a user account set up first ****
http://www.petri.co.il/csc_how_to_configure_local_username_database_cisco_ios.htm

conf t
key chain ^_^
key 1
key-string cisco

conf t
banner motd ~
[ASCII-art banner reading "Authorized Access ONLY" omitted]
~
exit

conf t
no ip domain-lookup
ip domain-name cisco.com
crypto key generate rsa
ip ssh time-out 15
ip ssh authentication-retries 3
username cisco priv 15 password cisco
service password-encryption
enable secret class
line con 0
 login local
 password class
 login
 logging synchronous
line vty 0 4
 transport input ssh
 password cisco
 login local
int s0/0
 ip authentication key-chain eigrp 1 ^_^
 ip authentication mode eigrp 1 md5

R1# conf t
R1(config)# interface serial 0/0/0
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS

Now, apply the key chain to the interface with the ip authentication mode eigrp as_number md5 command:

R1(config-if)# ip authentication mode eigrp 1 md5

Apply these commands on all active EIGRP interfaces:

R1# conf t
R1(config)# interface serial 0/0/0
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R1(config-if)# ip authentication mode eigrp 1 md5
R1(config-if)# interface serial 0/0/1
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R1(config-if)# ip authentication mode eigrp 1 md5
R1(config-if)# interface fastethernet 0/0
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R1(config-if)# ip authentication mode eigrp 1 md5

Run this Tcl script from each router to ping every address in the list:

tclsh
foreach address {
  192.168.1.1 192.168.1.129 192.168.1.130 192.168.1.161
  192.168.1.162 192.168.1.133 192.168.1.134 10.1.1.3
  10.1.1.4 10.4.4.4 192.168.1.5 192.168.100.1
  192.168.1.101 192.168.1.105 192.168.1.109 192.168.1.113
} {
  ping $address
}

  • show controllers - indicates the state of the interface channels and whether a cable is attached to the interface
  • debug serial interface - verifies whether HDLC keepalive packets are incrementing. If they are not, a possible timing problem exists on the interface card or in the network.
  • debug arp - indicates whether the router is sending information about or learning about routers (with ARP packets) on the other side of the WAN cloud. Use this command when some nodes on a TCP/IP network are responding, but others are not.
  • debug frame-relay lmi - obtains Local Management Interface (LMI) information, which is useful for determining whether a Frame Relay switch and a router are sending and receiving LMI packets.
  • debug frame-relay events - determines whether exchanges are occurring between a router and a Frame Relay switch.
  • debug ppp negotiation - shows Point-to-Point Protocol (PPP) packets transmitted during PPP startup, where PPP options are negotiated.
  • debug ppp packet - shows PPP packets being sent and received. This command displays low-level packet dumps.
  • debug ppp - shows PPP errors, such as illegal or malformed frames, associated with PPP connection negotiation and operation.
  • debug ppp authentication - shows PPP Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP) packet exchanges.

router# show ip route --- shows the routing table
router# show ip route static --- shows static routes
router# show ip int brief
router# show int
router(config)# ip route 0.0.0.0 0.0.0.0 --- default route
router(config)# logging on
router(config)# logging console

SSH Configuration: refer to CCSP Module 2

Step 7 Setting Privilege Levels

By default, the Cisco IOS software has two modes of password security: user mode (EXEC) and privilege mode (enable). There are 16 hierarchical levels of commands that can be defined for each mode. By configuring multiple passwords, different sets of users are allowed access to specified commands. The command to assign allowed commands to a privilege mode is privilege exec level level. In this task, assign an enable secret password for privilege level 10 for system operators, and make specific debug commands available to anyone with that privilege level enabled.

a. Begin by entering the global configuration mode, RouterP(config)#, and complete the following steps:
   i. Assign privilege level passwords.
   ii. It is recommended to assign a password to each privilege level that is defined. To set a privilege level password, use the enable secret level level password command.
   iii. Define an enable secret of pswd10 for level 10 by entering the following command:
        RouterP(config)# enable secret level 10 pswd10
   What are the available arguments for the enable secret level 10 command?

d. Displaying the current privilege level. To verify the current privilege level, enter the show privilege command. What privilege level is shown?

e. Log in to privilege level 10.
   i. To enter a specific privilege level, use the enable level command. Exit out of the router and then reconnect. Enter the following commands to enter privilege level 10:
        RouterP> enable 10
        Password: pswd10
        RouterP#
   How can the current privilege level be displayed? What is the current privilege level? Using the debug ? command, what debug options are available at level 10?

d. Exit out of privilege level 10 and return to level 15.

Next, assign specific commands to be used in privilege level 10. To configure a new privilege level for users and associate commands with that privilege level, use the privilege command. The syntax for the privilege command is privilege mode {level level | reset} command-string. Enter the following commands to assign specific commands to privilege level 10:
   RouterP(config)# privilege exec level 10 debug ppp auth
   RouterP(config)# privilege exec level 10 debug ppp error
   RouterP(config)# privilege exec level 10 debug ppp negotiation
In the above commands, specific debug commands were allowed for anyone logging in with privilege level 10.

f. Verify privilege level commands.
   i. Exit the router and return to privilege level 10. After the current privilege level of 10 is confirmed, verify the previously configured privilege level 10 commands by entering the following commands:
        RouterP# debug ?
        RouterP# debug ppp ?
   What are the available parameters for the debug ? command?

--------------------------------------------------------OSPF

ip ospf cost – can be used to manually set link costs for the calculation.
show ip ospf database – shows the link-state age and sequence numbers kept in the database.
debug ip ospf packet – used in troubleshooting and to verify that OSPF packets are flowing properly between two routers.

Using the router-id command is the preferred procedure to set the router ID and is always used in preference to the other two procedures. If it is not set, the router uses the highest loopback IP address, then the highest physical interface address. After the router-id command is configured, use the clear ip ospf process command. This command restarts the OSPF routing process so that it will reselect the new IP address as its router ID. Highest ID wins the battle.

show ip ospf – verifies the OSPF router ID; also displays OSPF timer settings and other statistics, including the number of times the SPF algorithm has been run.



  • show ip protocols — displays IP routing protocol parameters about timers, filters, metrics, networks, and other information for the entire router.
  • show ip route ospf — displays the OSPF routes known to the router. This command is one of the most useful in determining connectivity between the local router and the rest of the internetwork. Optional parameters allow you to further specify the information to be displayed, including the OSPF process ID.
  • show ip ospf interface — verifies that interfaces are configured in the intended areas. In addition, this command displays the timer intervals (including the hello interval) and shows the neighbor adjacencies.
  • show ip ospf — displays the OSPF router ID, OSPF timers, the number of times the SPF algorithm has been executed, and LSA information.
  • show ip ospf neighbor — displays a list of neighbors, including their OSPF router ID, their OSPF priority, their neighbor adjacency state (for example, init, exstart, or full), and the dead timer.

Use the show ip route ospf command to verify the OSPF routes in the IP routing table. In Figure , the O code represents OSPF routes, and IA is “interarea.” The 10.2.1.0 subnet is recognized on FastEthernet 0/0 via neighbor 10.64.0.2. The entry [110/782] represents the administrative distance assigned to OSPF (110), and the total cost of the route to subnet 10.2.1.0 (782).

The show ip ospf interface [type number] [brief] command displays OSPF-related interface information. The command output in Figure is from router A from the previous configuration example and details the OSPF status of the FastEthernet 0/0 interface. This command verifies that OSPF is running on this particular interface and lists the OSPF area that it is in. This command also displays other OSPF information, such as the process ID, router ID, network type, DR and BDR, timers, and neighbor adjacency.




show ip ospf neighbor command. OSPF does not send or receive updates without having full adjacencies established between neighbors. Syntax: show ip ospf neighbor [type number] [neighbor-id] [detail]

show ip ospf database nssa-external – displays specific details of each LSA type 7 update in the database.

To clear all routes from the IP routing table, use the following command:
Router# clear ip route *

To clear a specific route from the IP routing table, use the following command:
Router# clear ip route A.B.C.D

To debug OSPF operations, use the debug ip ospf command with an option listed in Figure . Useful options when troubleshooting include:
Router# debug ip ospf events
Router# debug ip packet

To configure an area as a stub, use the following steps: *** must be a different area than the area 0 backbone network

Step 1

Configure OSPF.

Step 2

Define the area as a stub by issuing the area area-id stub command to all routers within the area. Figure lists the parameters of this command.

To configure an area as totally stubby, use the following steps:

Step 1

Configure OSPF.

Step 2

Define the area as a stub area by issuing the area area-id stub command to all routers within the area.

Step 3

At the ABR only, add the no-summary keyword to the area area-id stub command.

Example on 3.7.6; Example 3.7.8

To configure an area as an NSSA, use the following steps:

Step 1

Configure OSPF.

Step 2

Define the area as an NSSA by issuing the area area-id nssa command to all routers within the area. All routers in the NSSA must have this command configured. Routers cannot form an adjacency unless both are configured as NSSA. Figure lists the parameters of this command. To cause router 2 (the NSSA ABR) to generate an O *N2 default route (O *N2 0.0.0.0/0) into the NSSA, use the default-information-originate option of the area area-id nssa command on router 2.

In a multiaccess broadcast environment, each network segment has its own DR and BDR. A router connected to multiple multiaccess broadcast networks can be a DR on one segment and a regular router on another segment.

Use the ip ospf priority interface command to designate which router interfaces on a multiaccess link are the DR and the BDR. The default priority is 1, and the range is from 0 to 255. The interface with the highest priority becomes the DR, and the interface with the second-highest priority becomes the BDR. Interfaces set to zero priority cannot be involved in the DR or BDR election process. Here is a configuration example:

interface FastEthernet 0/0
 ip ospf priority 10

--- add encapsulation frame-relay if that type is needed. Also, in NBMA networks you can use the neighbor command in config mode to statically assign a neighbor.

To configure basic single-area and multiarea OSPF, complete the following steps:

Step 1

Enable OSPF on the router using the router ospf process-id command as shown in Figure . Note Unlike the process ID in EIGRP, the OSPF process ID is not an autonomous system number. The process-id can be any positive integer and only has significance to the local router.

Step 2

Identify which interfaces on the router are part of the OSPF process, using the network area command, as shown in Figure . This command also identifies the OSPF area to which the network belongs. Figure describes the parameters of this command. It uses wildcard masks.

OSPF can be enabled directly on the interface using the ip ospf area command, which simplifies the configuration of unnumbered interfaces. Since the command is configured explicitly on the interface, it takes precedence over the network area command.

Router A uses a general network 10.0.0.0 0.255.255.255 statement. This technique assigns all interfaces defined in the 10.0.0.0 network to OSPF process 1. Router B uses a specific host address technique. The wildcard mask of 0.0.0.0 requires a match on all four octets of the address. This technique allows the operator to define which specific interfaces will run OSPF:

network 10.1.1.1 0.0.0.0 area 0

Figure shows an example of a multiarea OSPF configuration. Router A is in area 0, router C is in area 1, and router B is the ABR between the two areas. The configuration for router A is the same as in the previous example. Router B has a network statement for area 0. The configuration for area 1 in this example uses the ip ospf 50 area 1 command. Alternatively, a separate network router configuration command could have been used.

Virtual links Use the area area-id virtual-link router-id router configuration command, along with any necessary optional parameters, to define an OSPF virtual link. To remove a virtual link, use the no form of this command. The area virtual-link command includes the router ID of the far-end router. To find the router ID in the far-end router, use the show ip ospf, show ip ospf interface, or show ip protocol commands on that remote router, as illustrated in Figure .

Use the show ip ospf virtual-links command to verify that the configured virtual link works properly. Also useful: show ip ospf neighbor, show ip ospf database, and debug ip ospf adj.

Interarea Route Summarization on an ABR

To configure manual interarea route summarization on an ABR, use the following steps:

Step 1

Configure OSPF.

Step 2

Use the area range command to instruct the ABR to summarize routes for a specific area before injecting them into a different area via the backbone as type 3 summary LSAs. Figure describes the command parameters.

Cisco IOS software creates a summary route to interface null0 when manual summarization is configured, to prevent routing loops.

  • area 0 range 172.16.96.0 255.255.224.0: Identifies area 0 as the area containing the range of networks to be summarized into area 1. ABR router R1 summarizes the range of subnets from 172.16.96.0 to 172.16.127.0 into one range: 172.16.96.0 255.255.224.0.
  • area 1 range 172.16.32.0 255.255.224.0: Identifies area 1 as the area containing the range of networks to be summarized into area 0. ABR router R1 summarizes the range of subnets from 172.16.32.0 to 172.16.63.0 into one range: 172.16.32.0 255.255.224.0.

For OSPF to generate a default route, you must use the default-information originate command.

To configure OSPF simple password authentication, use the following steps:

Step 1

Assign a password to be used with neighboring routers using the ip ospf authentication-key command, as shown in Figure .

Note In Cisco IOS Software Release 12.4, the router gives a warning message if you try to configure a password longer than eight characters, and only the first eight characters will be used. Some earlier Cisco IOS releases did not provide this warning. The password created by this command is used as a key that is inserted directly into the OSPF header when Cisco IOS software originates routing protocol packets. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.

Note If the service password-encryption command is not used when configuring OSPF authentication, the key is stored as plain text in the router configuration. If you configure the service password-encryption command, the key is stored and displayed in an encrypted form. When it is displayed, an encryption type of 7 is specified before the encrypted key.

Step 2

Specify the authentication type using the ip ospf authentication command, as shown in Figure .

For simple password authentication, use the ip ospf authentication command with no parameters. Before using this command, configure a password for the interface using the ip ospf authentication-key command.

To configure OSPF MD5 authentication, a key and key ID must be configured on each router. To configure MD5 authentication, use the following steps:

Step 1

Assign a key ID and key to be used with neighboring routers that are using the OSPF MD5 authentication, using the ip ospf message-digest-key command, as shown in Figure .

Note In Cisco IOS Software Release 12.4, the router gives a warning message if you try to configure a password longer than 16 characters, and only the first 16 characters are used. Some earlier Cisco IOS releases did not provide this warning.

The key and the key ID specified in the ip ospf message-digest-key command are used to generate a message digest (also called a hash) of each OSPF packet. The message digest is appended to the packet. A separate password can be assigned to each network on a per-interface basis. Usually, one key per interface is used to generate authentication information when sending packets and to authenticate incoming packets. All neighboring routers on the same network must have the same password to be able to exchange OSPF information. Therefore, the same key ID on the neighbor router must have the same key value.

The key ID allows for uninterrupted transitions between keys, which is helpful for administrators who wish to change the OSPF password without disrupting communication. If an interface is configured with a new key, the router sends multiple copies of the same packet, each authenticated by different keys. The router stops sending duplicate packets when it detects that all of its neighbors have adopted the new key. For example, if this is the current configuration:

interface FastEthernet 0/0
 ip ospf message-digest-key 100 md5 OLD

You change the configuration to the following:

interface FastEthernet 0/0
 ip ospf message-digest-key 101 md5 NEW

The system assumes that its neighbors do not have the new key yet, so it begins a rollover process. It sends multiple copies of the same packet, each authenticated by different keys. In this example, the system sends out two copies of the same packet, the first one authenticated by key 100 and the second one authenticated by key 101. Rollover allows neighboring routers to continue communication while the network administrator is updating them with the new key. Rollover stops when the local system finds that all its neighbors know the new key. The system detects that a neighbor has the new key when it receives packets from the neighbor authenticated by the new key. After all neighbors have been updated with the new key, the old key should be removed. In this example, you would enter the following:

interface FastEthernet 0/0
 no ip ospf message-digest-key 100

Then only key 101 is used for authentication on Fast Ethernet interface 0/0. It is recommended that you do not keep more than one key per interface. Every time you add a new key, you should remove the old key to prevent the local system from continuing to communicate with a hostile system that knows the old key.

Note If the service password-encryption command is not used when configuring OSPF authentication, the key is stored as plain text in the router configuration. If you configure the service password-encryption command, the key is stored and displayed in an encrypted form. When it is displayed, an encryption type of 7 is specified before the encrypted key.

Step 2

Specify the authentication type using the ip ospf authentication command, as shown in Figure . For MD5 authentication, use the ip ospf authentication command with the message-digest parameter. Before using this command, configure the message digest key for the interface with the ip ospf message-digest-key command.

The ip ospf authentication command was introduced in Cisco IOS Software Release 12.0. For backward compatibility, the MD5 authentication type for an area is still supported using the area area-id authentication message-digest router configuration command.
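The key rollover described above, worked as an added example (not code from the page or from Cisco): the receiver reads the key ID out of the OSPF header and looks that key up in its own table, so a neighbor that already has key 101 verifies the second copy while a neighbor that only has key 100 rejects it. Packet layout and the zero-padding of the key to 16 bytes follow RFC 2328 Appendix D; the router ID, area, Hello body, sequence numbers and key strings are constructed sample values.

```python
"""OSPF cryptographic (MD5) authentication, modelled on RFC 2328 Appendix D.

Added example: the receiver selects the key by the key ID carried in the OSPF
header, which is what lets key 100 and key 101 coexist during a rollover.
Router ID, area, Hello body and key strings are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
HELLO_TYPE = 1
AUTH_CRYPTO = 2          # AuType 2 = cryptographic authentication
HEADER_LEN = 24
DIGEST_LEN = 16


def pad_key(key: bytes) -> bytes:
    """Use the first 16 bytes of the key, zero-padded (RFC 2328 D.4.3)."""
    return key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def build_header(pkt_type: int, router_id: bytes, area_id: bytes,
                 body: bytes, key_id: int, seq: int) -> bytes:
    """24-byte OSPFv2 header with the cryptographic authentication field.

    Length excludes the trailing digest; checksum is 0 for AuType 2; the
    authentication field carries (reserved, key ID, auth data length, seq)."""
    length = HEADER_LEN + len(body)
    fixed = struct.pack("!BBH4s4sHH", OSPF_VERSION, pkt_type, length,
                        router_id, area_id, 0, AUTH_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return fixed + auth


def sign_packet(pkt_type: int, router_id: bytes, area_id: bytes, body: bytes,
                key_id: int, key: bytes, seq: int) -> bytes:
    """Sender side: MD5 over (packet || padded key), digest appended."""
    pkt = build_header(pkt_type, router_id, area_id, body, key_id, seq) + body
    digest = hashlib.md5(pkt + pad_key(key)).digest()
    return pkt + digest


def verify_packet(data: bytes, keys: dict, last_seq: int = -1):
    """Receiver side. `keys` maps key ID -> key bytes, like the interface's
    `ip ospf message-digest-key <id> md5 <key>` entries.

    Returns (accepted, key_id, seq). Rejects unknown key IDs, bad digests and
    sequence numbers that do not advance past `last_seq` (replay protection)."""
    if len(data) < HEADER_LEN + DIGEST_LEN:
        return False, None, None
    version, _pkt_type, length, _rid, _area, _csum, auth_type = \
        struct.unpack("!BBH4s4sHH", data[:16])
    if version != OSPF_VERSION or auth_type != AUTH_CRYPTO:
        return False, None, None
    _res, key_id, auth_len, seq = struct.unpack("!HBBI", data[16:24])
    if auth_len != DIGEST_LEN or length + DIGEST_LEN != len(data):
        return False, key_id, seq
    key = keys.get(key_id)
    if key is None:                       # this neighbor has not learned the key
        return False, key_id, seq
    expected = hashlib.md5(data[:length] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, data[length:]):
        return False, key_id, seq
    if seq <= last_seq:                   # replayed or stale packet
        return False, key_id, seq
    return True, key_id, seq


def rollover_demo() -> dict:
    """Replays the key 100 -> 101 rollover from the text with sample data."""
    rid = ipaddress.IPv4Address("10.64.0.1").packed      # constructed router ID
    area = ipaddress.IPv4Address("0.0.0.0").packed
    body = ipaddress.IPv4Address("255.255.255.0").packed + b"\x00" * 16  # stand-in Hello body
    neighbor_old = {100: b"OLD"}                # not updated yet
    neighbor_new = {100: b"OLD", 101: b"NEW"}   # has both keys
    copy_old = sign_packet(HELLO_TYPE, rid, area, body, 100, b"OLD", seq=7)
    copy_new = sign_packet(HELLO_TYPE, rid, area, body, 101, b"NEW", seq=7)
    tampered = bytearray(copy_new)
    tampered[HEADER_LEN] ^= 0x01                # flip one bit of the body
    return {
        "old_neighbor_accepts_key100": verify_packet(copy_old, neighbor_old)[0],
        "old_neighbor_rejects_key101": verify_packet(copy_new, neighbor_old)[0],
        "updated_neighbor_accepts_key101": verify_packet(copy_new, neighbor_new)[0],
        "tampered_copy_rejected": verify_packet(bytes(tampered), neighbor_new)[0],
        "replayed_copy_rejected": verify_packet(copy_new, neighbor_new, last_seq=7)[0],
    }


if __name__ == "__main__":
    for check, result in rollover_demo().items():
        print(f"{check}: {result}")
```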

The debug ip ospf adj command displays OSPF adjacency-related events and is very useful when troubleshooting authentication.

--------------------------------------------------------EIGRP

Perform the following steps to configure EIGRP for IP:

Step 1

Enable EIGRP and define the autonomous system using the router eigrp autonomous-system-number command. The autonomous system number value must match on all routers within the autonomous system.

Step 2

Indicate which networks are part of the EIGRP autonomous system using the network command. This command determines which interfaces of the router are participating in EIGRP and which networks the router advertises. Figure lists the parameters for the network command. Use a wildcard mask with this command.

Step 3

When using serial links, define the bandwidth of the link for the purpose of sending routing update traffic, using the bandwidth kilobits command. In this command, the parameter kilobits indicates the intended bandwidth in kilobits per second. For example, for a 64-kbps link, use the following command:

router(config-if)# bandwidth 64

If you do not change the bandwidth for serial interfaces, EIGRP assumes that the bandwidth on the link is the default T1 speed. If the link is actually slower, the router might not be able to converge, or routing updates might be lost. For generic serial interfaces such as PPP or High-Level Data Link Control (HDLC), set the bandwidth to the line speed. For Frame Relay on point-to-point interfaces, set the bandwidth to the committed information rate (CIR). For Frame Relay multipoint connections, set the bandwidth to the sum of all CIRs, or if the permanent virtual circuits (PVCs) have different CIRs, set the bandwidth to the lowest CIR multiplied by the number of PVCs on the multipoint connection.

You can create an EIGRP default route with the ip default-network network-number global configuration command. The configured router advertises the specified network listed as the gateway of last resort. Other routers use their next-hop address to the advertised network as their default route.

Static Default Routes

EIGRP and IGRP behave differently than RIP when you are using the ip route 0.0.0.0 0.0.0.0 command. For example, EIGRP does not redistribute the 0.0.0.0 0.0.0.0 default route by default. The configuration in Figure results in the 0.0.0.0 route being passed to the EIGRP neighbors of the router.

show ip eigrp neighbors
show ip eigrp topology

Use the show ip eigrp neighbors command to verify that the router recognizes its neighbors. Use the show ip route eigrp command to verify that the router recognizes routes from its neighbors. The show ip protocols command gives information about all dynamic routing protocols running on the router and shows the current K value settings; the routers must have identical K values for EIGRP to establish an adjacency. The internal distance (administrative distance 90) applies to networks from other routers inside the autonomous system. The external distance (administrative distance 170) applies to networks introduced to EIGRP from outside this autonomous system through redistribution. The show ip eigrp interfaces command displays information about interfaces configured for EIGRP.

show ip eigrp topology – route states:

  • P (Passive): Network is available, and installation can occur in the routing table. Passive is the correct state for a stable network.
  • A (Active): Network is currently unavailable, and installation cannot occur in the routing table. Active means that there are outstanding queries for this network.
  • U (Update): Network is being updated (placed in an update packet). This code also applies if the router is waiting for an acknowledgment for this update packet.
  • Q (Query): Outstanding query packet for this network. This code also applies if the router is waiting for an acknowledgment for a query packet. Basically, this code indicates that the router has sent a query packet to a neighbor router.
  • R (Reply status): Router is generating a reply for this network or is waiting for an acknowledgment for the reply packet.
  • S (Stuck-in-active status): EIGRP convergence problem for the network with which it is associated.

show ip eigrp traffic command – displays the number of various EIGRP packets sent and received.

no auto-summary – use when you have discontiguous networks between your access layers; create your own summarization.

EIGRP can also balance traffic across multiple routes that have different metrics, which is called unequal-cost load balancing. The degree to which EIGRP performs load balancing is controlled with the variance command.

ip bandwidth-percent eigrp as-number percent command – specifies the maximum percentage of the bandwidth of an interface that EIGRP will use. Use it when a link is shared in a WAN topology, so that the bandwidth is divided equally between the links.

To configure MD5 authentication for EIGRP, complete the following steps:

Step 1

Enter configuration mode for the interface on which you want to enable authentication.

Step 2

Specify MD5 authentication for EIGRP packets using the ip authentication mode eigrp md5 command, as shown in Figure .

Step 3

Enable the authentication of EIGRP packets with a key specified in a key chain by using the ip authentication key-chain eigrp command, as shown in Figure .

Step 4

Enter the configuration mode for the key chain using the key chain command, as shown in Figure .

Step 5

Identify a key ID to use, and enter configuration mode for that key using the key command, as shown in Figure .

Step 6

Identify the key string (password) for this key using the key-string command, as shown in Figure .

Step 7

Optionally, specify the time period during which this key is accepted for use on received packets using the accept-lifetime command, as shown in Figure . Figure displays the parameters for this command.

Step 8

Optionally, specify the time period during which this key can be used for sending packets using the send-lifetime command, as shown in the Figure . Figure displays the parameters for this command.

Note If the service password-encryption command is not used when implementing EIGRP authentication, the key string is stored as plain text in the router configuration. If you configure the service password-encryption command, the key string is stored and displayed in an encrypted form. When it is displayed, an encryption type of 7 is specified before the encrypted key string.
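Steps 4 to 8 above define a key chain with accept and send lifetimes; the example below (added here, not code from the page or from Cisco) models those lifetimes and checks whether two neighbors' chains always share a usable key, which is the usual way a mistyped lifetime takes an EIGRP adjacency down. It assumes that a router sends with the lowest-numbered key whose send-lifetime is active and that a key is accepted only if the neighbor's entry with the same key ID has the same key string; the key chains and times are constructed sample values.

```python
"""Key-chain lifetime checks for EIGRP MD5 authentication.

Added example modelling `key chain` / `key` / `key-string` / `accept-lifetime`
/ `send-lifetime` as data. Assumption: the sender uses the lowest-numbered key
whose send-lifetime is active. All chains and times are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Instant = Optional[datetime]   # None stands for the "infinite" keyword


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    accept_start: datetime
    accept_end: Instant
    send_start: datetime
    send_end: Instant


def is_active(start: datetime, end: Instant, now: datetime) -> bool:
    """Lifetime is [start, end); an end of None never expires."""
    return start <= now and (end is None or now < end)


def accept_keys(chain: List[Key], now: datetime) -> Dict[int, Key]:
    """Keys this router accepts on received packets at `now`, by key ID."""
    return {k.key_id: k for k in chain
            if is_active(k.accept_start, k.accept_end, now)}


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """Key used for sending: lowest key ID whose send-lifetime is active."""
    valid = [k for k in chain if is_active(k.send_start, k.send_end, now)]
    return min(valid, key=lambda k: k.key_id) if valid else None


def neighbor_accepts(sender: List[Key], receiver: List[Key], now: datetime) -> bool:
    """True if the receiver accepts the key ID the sender uses at `now`
    and both sides hold the same key string for that ID."""
    k = send_key(sender, now)
    if k is None:
        return False
    r = accept_keys(receiver, now).get(k.key_id)
    return r is not None and r.key_string == k.key_string


def outage_windows(sender: List[Key], receiver: List[Key], start: datetime,
                   end: datetime, step: timedelta) -> List[Tuple[datetime, datetime]]:
    """Sample [start, end) every `step` and return the [from, to) windows in
    which the receiver would drop the sender's packets."""
    windows: List[Tuple[datetime, datetime]] = []
    open_at: Instant = None
    now = start
    while now < end:
        ok = neighbor_accepts(sender, receiver, now)
        if not ok and open_at is None:
            open_at = now
        elif ok and open_at is not None:
            windows.append((open_at, now))
            open_at = None
        now += step
    if open_at is not None:
        windows.append((open_at, end))
    return windows


def demo() -> dict:
    """Planned cut-over from key 1 ("OLD") to key 2 ("NEW") at t0."""
    t0 = datetime(2024, 3, 1, 0, 0)    # constructed cut-over time
    h = timedelta(hours=1)
    # R1: key 1 is sent until t0 and accepted for one more hour;
    # key 2 is accepted from t0-1h and sent from t0 (overlap on both sides).
    r1 = [
        Key(1, "OLD", t0 - 24 * h, t0 + h, t0 - 24 * h, t0),
        Key(2, "NEW", t0 - h, None, t0, None),
    ]
    good_r2 = list(r1)                  # neighbor configured identically
    # Misconfigured neighbor: accept-lifetime for key 2 starts an hour late.
    bad_r2 = [r1[0], Key(2, "NEW", t0 + h, None, t0 + h, None)]
    window = (t0 - 2 * h, t0 + 3 * h, timedelta(minutes=15))
    return {
        "send_key_before_cutover": send_key(r1, t0 - h).key_id,
        "send_key_after_cutover": send_key(r1, t0).key_id,
        "matched_chains": outage_windows(r1, good_r2, *window),
        "late_accept_window": outage_windows(r1, bad_r2, *window),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```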

Eigrp default network

-----------------------------------------------------------------------------Passwords

conf t
enable secret <password>
line con 0
 password <enter password here>
 login
line vty 0 4
 password <enter password here>
 login
exit

conf t
enable secret cisco
line con 0
 password class
 login
line vty 0 4
 password class
 login
exit

Example:

Router# configure terminal
Router(config)# hostname ISP
ISP(config)# enable password cisco
ISP(config)# enable secret class
ISP(config)# line console 0
ISP(config-line)# password cisco
ISP(config-line)# login
ISP(config-line)# exit
ISP(config)# line vty 0 4
ISP(config-line)# password cisco
ISP(config-line)# login
ISP(config-line)# exit
ISP(config)# interface loopback 0
ISP(config-if)# ip add 172.16.1.1 255.255.255.255
ISP(config-if)# no shutdown
ISP(config-if)# exit
ISP(config)# interface serial 0
ISP(config-if)# ip add 200.2.2.17 255.255.255.252
ISP(config-if)# clock rate 64000

no shut – apply to interfaces

PPP

The following example enables PPP encapsulation on serial interface 0/0:

Router# configure terminal
Router(config)# interface serial 0/0
Router(config-if)# encapsulation ppp

Point-to-point software compression can be configured on serial interfaces that use PPP encapsulation. Compression is performed in software and might significantly affect system performance. Compression is not recommended if most of the traffic consists of compressed files. To configure compression over PPP, enter the following commands:

Router(config)# interface serial 0/0
Router(config-if)# encapsulation ppp
Router(config-if)# compress [predictor | stac]

Enter the following to monitor the data dropped on the link, and avoid frame looping:

Router(config)# interface serial 0/0
Router(config-if)# encapsulation ppp
Router(config-if)# ppp quality percentage

The following commands perform load balancing across multiple links:

Router(config)# interface serial 0/0
Router(config-if)# encapsulation ppp
Router(config-if)# ppp multilink

Use the show interfaces serial command to verify proper configuration of HDLC or PPP encapsulation. When PPP is configured, its Link Control Protocol (LCP) and Network Control Protocol (NCP) states can be checked using the show interfaces serial command.

ISDN BRI

SPIDs are specified in interface configuration mode. To enter interface configuration mode, use the interface bri command in global configuration mode:
Router(config)#interface bri slot/port
Router(config)#interface bri0/0
Router(config-if)#isdn spid1 51055540000001 5554000
Router(config-if)#isdn spid2 51055540010001 5554001

ISDN PRI

Defining static routes for DDR (Dial on Demand Routing)
clear int bri 0 --> to erase the SPID id

show dialer
show isdn stat

To configure a static route for IP, use the following command:
Router(config)#ip route net-prefix mask {address | interface} [distance] [permanent]

DDR calls are triggered by interesting traffic. This traffic can be defined as any of the following:
• IP traffic of a particular protocol type
• Packets with a particular source or destination address
• Other criteria as defined by the network administrator

Use the dialer-list command to identify interesting traffic. The command syntax is as follows:
Router(config)#dialer-list dialer-group-num protocol protocol-name {permit | deny | list access-list-number}
The dialer-group-num is an integer between 1 and 10 that identifies the dialer list to the router. The command dialer-list 1 protocol ip permit will allow all IP traffic to trigger a call. Instead of permitting all IP traffic, a dialer list can point to an access list in order to specify exactly what types of traffic should bring up the link. The reference to access list 101 in dialer list 2 prevents FTP and Telnet traffic from activating the DDR link. Any other IP packet is considered interesting, and will therefore initiate the DDR link. The dialer-group command is given on the interface and uses the same number as the dialer list.

Configure routing protocols as uninteresting so the line doesn't keep coming up. Also use no cdp to keep the line from going up (MAKE THE INTERFACE PASSIVE SO IT DOES NOT SEND OUT UPDATE TRAFFIC).

A dialer list specifying the interesting traffic for this DDR interface needs to be associated with the DDR interface. This is done using the dialer-group group-number command:
Home(config-if)#dialer-group 1
In the command, group-number specifies the number of the dialer group to which the interface belongs. The group number can be an integer from 1 to 10. This number must match the dialer-list group-number. Each interface can have only one dialer group. However, the same dialer list can be assigned to multiple interfaces with the dialer-group command.

The correct dialing information for the remote DDR interface needs to be specified. This is done using the dialer map command. The dialer map command maps the remote protocol address to a telephone number. This command is necessary to dial multiple sites.
Router(config-if)#dialer map protocol next-hop-address [name hostname] [speed 56 | 64] [broadcast] dial-string
If dialing only one site, use an unconditional dialer string command that always dials the one phone number regardless of the traffic destination. This step is unique to legacy DDR. Although the information is always required, the steps to configure destination information are different when using dialer profiles instead of legacy DDR.

To configure PPP on the DDR interface, use the following commands:
Home(config)#username Central password cisco
Home(config)#interface bri0/0
Home(config-if)#encapsulation ppp
Home(config-if)#ppp authentication chap
Home(config-if)#ip address 10.1.0.1 255.255.255.0
The dialer idle-timeout seconds command may be used to specify the number of idle seconds before a call is disconnected. The seconds value is the number of seconds until a call is disconnected after the last interesting packet is sent. The default is 120.

Multiple dialer interfaces may be configured on a router. Each dialer interface is the complete configuration for a destination. The interface dialer command creates a dialer interface and enters interface configuration mode. To configure the dialer interface, perform the following tasks:
1. Configure one or more dialer interfaces with all the basic DDR commands:
   • IP address
   • Encapsulation type and authentication
   • Idle-timer
   • Dialer-group for interesting traffic
2. Configure a dialer string and dialer remote-name to specify the remote router name and phone number to dial it. The dialer pool associates this logical interface with a pool of physical interfaces.
3. Configure the physical interfaces and assign them to a dialer pool using the dialer pool-member command. An interface can be assigned to multiple dialer pools by using multiple dialer pool-member commands. If more than one physical interface exists in the pool, use the priority option of the dialer pool-member command to set the priority of the interface within a dialer pool. If multiple calls need to be placed and only one interface is available, then the dialer pool with the highest priority is the one that dials out. A combination of any of these interfaces may be used with dialer pools:
   • Synchronous Serial
   • Asynchronous Serial
   • BRI
   • PRI

**clear int bri --> To get the clear out of
REFER TO LAB FOR EXACT SETUP

FRAME RELAY

encapsulation frame-relay [cisco | ietf] command.
cisco - Uses the Cisco proprietary Frame Relay encapsulation. Use this option if connecting to another Cisco router. Many non-Cisco devices also support this encapsulation type. This is the default.
ietf - Sets the encapsulation method to comply with the Internet Engineering Task Force (IETF) standard RFC 1490. Select this if connecting to a non-Cisco router.

Set an IP address on the interface using the ip address command. Set the bandwidth of the serial interface using the bandwidth command. Bandwidth is specified in kilobits per second (kbps). This command is used to notify the routing protocol that bandwidth is statically configured on the link. The bandwidth value is used by Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF) to determine the metric of the link.

The local DLCI must be statically mapped to the network layer address of the remote router when the remote router does not support Inverse ARP. This is also true when broadcast traffic and multicast traffic over the PVC must be controlled. These static Frame Relay map entries are referred to as static maps. Use the frame-relay map protocol protocol-address dlci [broadcast] command to statically map the remote network layer address to the local DLCI ---Used on HQ Router

Split-horizon updates reduce routing loops by not allowing a routing update received on one interface to be forwarded out the same interface. One way to solve the split-horizon problem is to use a fully meshed topology. However, this will increase the cost because more PVCs are required. The preferred solution is to use subinterfaces. Create a subinterface with:
int s0.301 point-to-point

To enable the forwarding of broadcast routing updates in a hub-and-spoke Frame Relay topology, configure the hub router with logically assigned interfaces. These interfaces are called subinterfaces. Subinterfaces are logical subdivisions of a physical interface. In split-horizon routing environments, routing updates received on one subinterface can be sent out another subinterface. In a subinterface configuration, each virtual circuit can be configured as a point-to-point connection. This allows each subinterface to act similarly to a leased line. Using a Frame Relay point-to-point subinterface, each pair of the point-to-point routers is on its own subnet. Frame Relay subinterfaces can be configured in either point-to-point or multipoint mode:
• Point-to-point - A single point-to-point subinterface is used to establish one PVC connection to another physical interface or subinterface on a remote router. In this case, each pair of the point-to-point routers is on its own subnet and each point-to-point subinterface would have a single DLCI. In a point-to-point environment, each subinterface is acting like a point-to-point interface. Therefore, routing update traffic is not subject to the split-horizon rule.
• Multipoint - A single multipoint subinterface is used to establish multiple PVC connections to multiple physical interfaces or subinterfaces on remote routers. All the participating interfaces would be in the same subnet. The subinterface acts like an NBMA Frame Relay interface so routing update traffic is subject to the split-horizon rule.

The encapsulation frame-relay command is assigned to the physical interface. All other configuration items, such as the network layer address and DLCIs, are assigned to the subinterface. Multipoint configurations can be used to conserve addresses, which can be especially helpful if Variable Length Subnet Masking (VLSM) is not being used. However, multipoint configurations may not work properly given the broadcast traffic and split-horizon considerations. The point-to-point subinterface option was created to avoid these issues. In the figure, Router A has two point-to-point subinterfaces. The s0/0.110 subinterface connects to router B and the s0/0.120 subinterface connects to router C. Each subinterface is on a different subnet. To configure subinterfaces on a physical interface, the following steps are required:
• Configure Frame Relay encapsulation on the physical interface using the encapsulation frame-relay command
• For each of the defined PVCs, create a logical subinterface

router(config-if)#interface serial number.subinterface-number [multipoint | point-to-point]
To create a subinterface, use the interface serial command. Specify the port number, followed by a period (.), and then by the subinterface number. Usually, the subinterface number is chosen to be that of the DLCI. This makes troubleshooting easier. The final required parameter is stating whether the subinterface is a point-to-point or point-to-multipoint interface. Either the multipoint or point-to-point keyword is required. There is no default. The following commands create the subinterface for the PVC to router B:
routerA(config-if)#interface serial 0/0.110 point-to-point
If the subinterface is configured as point-to-point, then the local DLCI for the subinterface must also be configured in order to distinguish it from the physical interface. The DLCI is also required for multipoint subinterfaces for which Inverse ARP is enabled. It is not required for multipoint subinterfaces configured with static route maps. The frame-relay interface-dlci command is used to configure the local DLCI on the subinterface:
router(config-subif)#frame-relay interface-dlci dlci-number
The show interfaces command displays information regarding the encapsulation and Layer 1 and Layer 2 status. It also displays information about the following:
• The LMI type
• The LMI DLCI
• The Frame Relay data terminal equipment/data circuit-terminating equipment (DTE/DCE) type

Use the show frame-relay lmi command to display LMI traffic statistics.
Use the show frame-relay pvc [interface interface] [dlci] command to display the status of each configured PVC as well as traffic statistics. This command is also useful for viewing the number of BECN and FECN packets received by the router. The PVC status can be active, inactive, or deleted.
The show frame-relay pvc command displays the status of all the PVCs configured on the router.
Use the show frame-relay map command to display the current map entries and information about the connections.

Use the debug frame-relay lmi command to determine whether the router and the Frame Relay switch are sending and receiving LMI packets properly. The "out" is an LMI status message sent by the router. The "in" is a message received from the Frame Relay switch. A full LMI status message is a "type 0". An LMI exchange is a "type 1". The "dlci 100, status 0x2" means that the status of DLCI 100 is active. The possible values of the status field are as follows:
• 0x0 - Added/inactive means that the switch has this DLCI programmed but for some reason it is not usable. The reason could possibly be the other end of the PVC is down.
• 0x2 - Added/active means the Frame Relay switch has the DLCI and everything is operational.
• 0x4 - Deleted means that the Frame Relay switch does not have this DLCI programmed for the router, but that it was programmed at some point in the past. This could also be caused by the DLCIs being reversed on the router, or by the PVC being deleted by the service provider in the Frame Relay cloud.

-------------------------------------------------------------------------------
Switch Commands

switch(config)#ip default-gateway --> sets the default gateway for the switch (to be set under conf t)

**More detailed spanning tree info
spanning-tree portfast --> to be used with conf t and maybe on the interface itself to make the interface instantly up and connected
(Use the spanning-tree portfast global configuration command to globally enable BPDU filtering on Port Fast-enabled ports, the BPDU guard feature on Port Fast-enabled ports, or the Port Fast feature on all nontrunking ports. The BPDU filtering feature prevents the switch port from sending or receiving BPDUs. The BPDU guard feature puts Port Fast-enabled ports that receive BPDUs in an error-disabled state.)
show trunk
show interface vlan 1 --> used in priv exec mode, shows mac, ip, and port info
show spanning-tree or show spanning-tree brief --> used in priv exec mode, shows port status (forwarding/blocking), root router, priority and mac address; use only on non-trunking ports
show mac-address-table
clear mac-address-table dynamic --> clears mac addresses

#password configs and hostname are set up the same way (except for line vty 0 15)
***Add trunking commands to the tutorial guide (DTP) stuff
switchport mode trunk 802.1q (or

How to set up a VLAN -- and what not to forget to set up
switch(config)#int vlan 1
switch(config)#ip add
vlan dat
 101 name Voice101
 102 name Voice102
 103 name Voice103
 104 name Voice104
 105 name Voice105
 106 name Voice106
 107 name Voice107
 108 name Voice108
 109 name Voice109
 110 name Voice110

To set up VTP (designated switch to duplicate VLAN configurations to other switches that are connected together) - VLAN Trunking Protocol
vlan dat
 vtp client
 vtp domain Cisco

vlan dat ---old way – try new commands on the next pict
 vtp server
 vtp domain Cisco

2.5.6 Best Practice for VTP Configuration

Following is a list of general best practices with regard to configuring VTP in the enterprise composite network model:
• Plan boundaries for the VTP domain. Not all switches in the network need information on all VLANs in the network. In the enterprise composite model, the VTP domain should be restricted to redundant distribution switches and the access switches that they serve.
• Have only one or two switches specifically configured as VTP servers and the remainder as clients.
• Configure a password so that no switch can join the VTP domain with a domain name only (which can be derived dynamically).
• Manually configure the VTP domain name on all switches that are installed in the network so that the mode can be specified and the default server mode on all switches can be overwritten.
• When you are setting up a new domain, configure VTP client switches first so that they participate passively. Then configure servers to update client devices.
• In an existing domain, if you are performing VTP cleanup, configure passwords on servers first. Clients may need to maintain current VLAN information until the server contains a complete VLAN database. After the VLAN database on the server is verified as complete, client passwords can be configured to be the same as the servers. Clients will then accept updates from the server.

WHEN ADDING A DIFFERENT SWITCH TO A NETWORK (MOVING CABLES) TAKE IT OUT OF THE VTP DOMAIN, CHANGE, THEN RE-ADD SO THE REVISION NUMBER IS RESET TO ONE SO IT DOESN'T OVERRIDE THE OTHER ONE

What VLAN you belong to and the mode for each interface:
interface FastEthernet0/1
 switchport access vlan 101
 switchport mode access
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 101
 switchport mode access
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 102
 switchport mode access
 no ip address
 spanning-tree portfast

int range fa 0/2 – 5
delete vlan.dat or delete flash:vlan.dat

2.5.2 Resolving Issues with 802.1Q Native VLANs

Consider the following issues when you are configuring a native VLAN on an 802.1Q trunk link:
• The native VLAN interface configurations must match at both ends of the link or the trunk may not form.
• By default, the native VLAN is VLAN1. For the purpose of security, the native VLAN on a trunk should be set to a specific VID that is not used for normal operations elsewhere on the network.
  Switch(config-if)#switchport trunk native vlan vlan-id
  OR switchport trunk
• If there is a native VLAN mismatch on an 802.1Q link, CDP (if used and functioning) issues a "native VLAN mismatch" error.
• On select versions of Cisco IOS software, CDP may not be transmitted or automatically turns off if VLAN1 is disabled on the trunk.
• If there is a native VLAN mismatch on either side of an 802.1Q link, Layer 2 loops may occur because VLAN 1 STP BPDUs are sent to the IEEE STP MAC address (0180.c200.0000) untagged.
• When troubleshooting VLANs, note that a link can have one native VLAN association when in access mode, and another native VLAN association when in trunk mode.

When implementing VLANs, you should consider a few measures to secure the VLAN and the switch itself. The security policy of the organization will likely have more detailed recommendations, but these can provide a foundation.
• Create a "parking-lot" VLAN with a VLAN ID (VID) other than VLAN1, and place all unused switch ports in this VLAN. This VLAN may provide the user with some minimal network connectivity. (Check on the security policy of your organization before implementing.)
• Disable unused switch ports, depending on the security policy of the organization.
• Trunk links should be configured statically whenever possible. However, Cisco Catalyst switch ports run Dynamic Trunking Protocol (DTP), which can automatically negotiate a trunk link. This Cisco proprietary protocol can determine an operational trunking mode and protocol on a switch port when it is connected to another device that is also capable of dynamic trunk negotiation. (show dtp interface)
• To enable trunking to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration commands to cause the interface to become a trunk but to not generate DTP frames.
• Use the switchport trunk encapsulation isl or switchport trunk encapsulation dot1q interface command to select the encapsulation type on the trunk port. Regardless of whether a device supports DTP, general best practice is to configure trunks statically by configuring the interface to trunk and nonegotiate.

2.3.7 Configuring Trunking ---has pictures for more examples
Switch ports are configured for trunking using Cisco IOS commands. To configure a switch port as an 802.1Q or an ISL trunking port, follow these steps on each trunk interface.
Step 1 Enter interface configuration mode.
Step 2 Shut down the interface to prevent the possibility of premature autoconfiguration.
Step 3 Select the trunking encapsulation. Note that some switches support only ISL or 802.1Q. In particular, the Catalyst 2950 and 2960 support only 802.1Q.
Step 4 Configure the interface as a Layer 2 trunk.
Step 5 Configure the trunking native VLAN number for 802.1Q links. This number must match at both ends of an 802.1Q trunk.
Step 6 Configure the allowable VLANs for this trunk. This is necessary if VLANs are restricted to certain trunk links. This is best practice with the Enterprise Composite Network Model and leads to the correct operation of VLAN interfaces.
Step 7 Use the no shutdown command on the interface to activate the trunking process.
Step 8 Verify the trunk configuration using show commands.
Figure shows how to configure interface Fast Ethernet 5/8 as an 802.1Q trunk. Frames from VLANs 1, 5, 11, and 1002 to 1005 will be allowed to traverse the trunk link. The switchport mode for the interface is trunk (on), and no DTP messages will be sent on the interface. Note: For security reasons, the native VLAN has been configured to be an "unused" VLAN. This will be discussed in more detail later.
Figure 3.1 describes the commands used to configure a switch port as an 802.1Q trunk link.

Describing STP

Describing the Root Bridge
STP uses a root bridge, root ports, and designated ports to establish a loop free path through the network. The first step in creating a loop free spanning tree is to select a root bridge to be the reference point that all switches use to establish forwarding paths. The STP topology is converged after a root bridge has been selected, and each bridge has selected its root port, designated bridge, and the participating ports. STP uses BPDUs as it transitions port states to achieve convergence.

3.1.5

Spanning tree elects a root bridge in each broadcast domain on the LAN. Path calculation through the network is based on the root bridge. The bridge is selected using the bridge ID (BID), which consists of a 2-byte Priority field plus a 6-byte MAC address. In spanning tree, lower BID values are preferred. The Priority field value helps determine which bridge is going to be the root and can be manually altered. In a default configuration, the Priority field is set at 32768. When the default Priority field is the same for all bridges, selecting the root bridge is based on the lowest MAC address.

The root bridge maintains the stability of the forwarding paths between all switches for a single STP instance. A spanning tree instance is when all switches exchanging BPDUs and participating in spanning tree negotiation are associated with a single root. If this is done for all VLANs, it is called a Common Spanning Tree (CST) instance. There is also a Per VLAN Spanning Tree (PVST) implementation that provides one instance, and therefore one root bridge, for each VLAN.

The BID and root ID are each 8-byte fields carried in a BPDU. These values are used to complete the root bridge election process. A switch identifies the root bridge by evaluating the root ID field in the BPDUs that it receives. The unique BID is carried in the Root ID field of the BPDUs sent by each switch in the tree. When a switch first boots and begins sending BPDUs, it has no knowledge of a root ID, so it populates the Root ID field of outbound BPDUs with its own BID. The switch with the lowest numerical BID assumes the role of root bridge for that spanning tree instance. If a switch receives BPDUs with a lower BID than its own, it places the lowest value into the Root ID field of its outbound BPDUs. Spanning tree operation requires that each switch have a unique BID.

In the original 802.1D standard, the BID was composed of the Priority Field and the MAC address of the switch, and all VLANs were represented by a CST. Because PVST requires that a separate instance of spanning tree run for each VLAN, the BID field is required to carry VLAN ID (VID) information, which is accomplished by reusing a portion of the Priority field as the extended system ID.

To accommodate the extended system ID, the original 802.1D 16-bit Bridge Priority field is split into two fields, resulting in these components in the BID:
• Bridge Priority: A 4-bit field that carries the bridge priority. Because of the limited bit count, priority is conveyed in discrete values in increments of 4096 rather than discrete values in increments of 1, as they would be in a full 16-bit field. The default priority, in accordance with IEEE 802.1D, is 32,768, which is the mid-range value.
• Extended System ID: A 12-bit field that carries the VID for PVST.
• MAC address: A 6-byte field with the MAC address of a single switch.

By virtue of the MAC address, a BID is always unique. When the priority and extended system ID are appended to the switch MAC address, each VLAN on the switch can be represented by a unique BID. If no priority has been configured, every switch has the same default priority and the election of the root for each VLAN is based on the MAC address. This is a fairly random means of selecting the ideal root bridge and, for this reason, it is advisable to assign a lower priority to the switch that should serve as root bridge. Only four bits are used to set the bridge priority. Because of the limited bit count, priority is configurable only in increments of 4096. A switch responds with the possible priority values if an incorrect value is entered:
Switch(config)#spanning-tree vlan 1 priority 1234
% Bridge Priority must be in increments of 4096.
% Allowed values are:
0 4096 8192 12288 16384 20480 24576 28672
32768 36864 40960 45056 49152 53248 57344 61440

If no priority has been configured, every switch will have the same default priority of 32768. Assuming all other switches are at default priority, the spanning-tree vlan vlan-id root primary command sets a value of 24576. Also, assuming all other switches are at default priority, the spanning-tree vlan vlan-id root secondary command sets a value of 28672.

The switch with the lowest BID becomes the root bridge for a VLAN. Specific configuration commands are used to determine which switch will become the root bridge. A Cisco Catalyst switch running PVST maintains an instance of spanning tree for each active VLAN that is configured on the switch. A unique BID is associated with each instance. For each VLAN, the switch with the lowest BID becomes the root bridge for that VLAN. Whenever the bridge priority changes, the BID also changes. This results in the recomputation of the root bridge for the VLAN. To configure a switch to become the root bridge for a specified VLAN, use the spanning-tree vlan vlan-ID root primary command.

CAUTION: Spanning tree commands take effect immediately, so network traffic is disrupted while the reconfiguration occurs.

A secondary root is a switch that may become the root bridge for a VLAN if the primary root bridge fails. To configure a switch as the secondary root bridge for the VLAN, use the command spanning-tree vlan vlan-ID root secondary. Assuming that the other bridges in the VLAN retain their default STP priority, this switch will become the root bridge in the event that the primary root bridge fails. This command can be executed on more than one switch to configure multiple backup root bridges.

BPDUs are exchanged between switches, and the analysis of the BID and root ID information from those BPDUs determines which bridge is selected as the root bridge. In the example shown, both switches have the same priority for the same VLAN. The switch with the lowest MAC address is elected as the root bridge. In the example, switch X is the root bridge for VLAN 1, with a BID of 0x8001:0c0011111111.
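The BID arithmetic above, as an added Python example that is not part of the original notes: it builds the 8-byte BID from the 4-bit priority, the 12-bit extended system ID and the MAC, reproduces the increments-of-4096 check, and runs the per-VLAN election. Switch X's MAC 0c00.1111.1111 comes from the notes; switch Y and its MAC 0c00.2222.2222 are constructed.

```python
"""Bridge ID (BID) construction and root-bridge election for PVST.

Added example, not from the original notes.  Shows how the 16-bit priority
field is split into a 4-bit priority plus a 12-bit extended system ID
(the VLAN ID), how the switch validates priorities in steps of 4096, and
why the lowest BID wins the election for each VLAN.
"""

PRIORITY_STEP = 4096              # only 4 bits of the 16-bit field carry priority
DEFAULT_PRIORITY = 32768          # IEEE 802.1D default (0x8000)
ROOT_PRIMARY_PRIORITY = 24576     # set by "spanning-tree vlan <id> root primary"
ROOT_SECONDARY_PRIORITY = 28672   # set by "spanning-tree vlan <id> root secondary"


def allowed_priorities():
    """The 16 values the CLI accepts: 0, 4096, ... 61440."""
    return [i * PRIORITY_STEP for i in range(16)]


def validate_priority(priority):
    """Mimic the IOS check that rejects a priority such as 1234."""
    if priority not in allowed_priorities():
        raise ValueError(
            "Bridge Priority must be in increments of 4096. Allowed values are: "
            + " ".join(str(p) for p in allowed_priorities())
        )
    return priority


def mac_to_int(mac):
    """Accept Cisco 'aaaa.bbbb.cccc', colon or dash notation, or bare hex."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError("MAC address must be 48 bits: %r" % mac)
    return int(digits, 16)


def build_bid(priority, vlan_id, mac):
    """Return the 8-byte BID as an int: priority | ext-sys-id, then the MAC.

    The priority occupies bits 15..12 of the upper 16 bits and the VLAN ID
    (extended system ID) bits 11..0, so the default priority on VLAN 1
    yields the upper half 0x8001 seen in the notes.
    """
    validate_priority(priority)
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range: %d" % vlan_id)
    upper16 = priority | vlan_id
    return (upper16 << 48) | mac_to_int(mac)


def format_bid(bid):
    """Render like the notes: 0x8001:0c0011111111."""
    return "0x%04x:%012x" % (bid >> 48, bid & 0xFFFFFFFFFFFF)


def split_bid(bid):
    """Recover (priority, vlan_id, mac) from a BID int."""
    upper16 = bid >> 48
    return upper16 & 0xF000, upper16 & 0x0FFF, bid & 0xFFFFFFFFFFFF


def elect_root(switches, vlan_id):
    """Return (name, bid) of the switch with the numerically lowest BID.

    `switches` maps a switch name to (priority, mac).  A per-VLAN priority
    may be given as a dict {vlan_id: priority, "default": priority}.
    """
    candidates = []
    for name, (priority, mac) in switches.items():
        if isinstance(priority, dict):
            priority = priority.get(vlan_id, priority.get("default", DEFAULT_PRIORITY))
        candidates.append((build_bid(priority, vlan_id, mac), name))
    bid, name = min(candidates)       # lowest BID wins; the MAC breaks priority ties
    return name, bid


if __name__ == "__main__":
    # Constructed sample: switch X from the notes plus a second switch Y.
    lan = {"X": (DEFAULT_PRIORITY, "0c00.1111.1111"),
           "Y": (DEFAULT_PRIORITY, "0c00.2222.2222")}
    name, bid = elect_root(lan, 1)
    print("VLAN 1 root with defaults:", name, format_bid(bid))   # X 0x8001:0c0011111111
    # Deliberately make Y the root for VLAN 1 ("root primary" = 24576).
    lan["Y"] = ({1: ROOT_PRIMARY_PRIORITY, "default": DEFAULT_PRIORITY}, "0c00.2222.2222")
    name, bid = elect_root(lan, 1)
    print("VLAN 1 root after root primary on Y:", name, format_bid(bid))
    try:
        validate_priority(1234)
    except ValueError as err:
        print(err)
```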

BETTER TO USE RAPID SPANNING TREE PROTOCOL

The SVI for the VLAN provides Layer 3 processing for packets from all switch ports associated with that VLAN. Only one SVI can be associated with a VLAN. You configure an SVI for a VLAN for the following reasons:
• To provide a default gateway for a VLAN so that traffic can be routed between VLANs
• To provide fallback bridging if it is required for non-routable protocols
• To provide Layer 3 IP connectivity to the switch
• To support routing protocol and bridging configurations

By default, an SVI is created for the default VLAN (VLAN1) to permit remote switch administration. Additional SVIs must be explicitly created. SVIs are created the first time a VLAN interface configuration mode is entered for a particular VLAN SVI. The VLAN corresponds to the VLAN tag associated with data frames on an Ethernet trunk or to the VLAN ID (VID) configured for an access port. An IP address is assigned in interface configuration mode to each VLAN SVI that is to route traffic off of and on to the local VLAN.

Inter-VLAN Routing

Routed Switch Ports
A routed port has the following characteristics and functions:
• Physical switch port with Layer 3 capability
• Not associated with any VLAN
• Serves as the default gateway for devices out that switch port
• Layer 2 port functionality must be removed before it can be configured

conf t
int range fa0/1 – 6
 switchport port-security mac-address <specific mac address> --> sets the specific mac address to that interface
 switchport port-security maximum <1-132> --> how many mac addresses the port is to remember
 switchport port-security violation {shutdown | restrict | protect}
 port security max-mac-count <1-132> --> enables port security and sets the max mac count
 port security action shutdown --> if more than the specified mac address is hit the port is shut down
arp timeout <seconds> --> set to a smaller time to mitigate mac address spoofing
To verify, do a show port-security or show port-security interface

To access this mode, the vlan database command is executed from privileged EXEC mode. From this mode, you can add, delete, and modify configurations for VLANs in the range 1 to 1005. Note: This mode has been deprecated and will be removed in some future release. The move to the global VLAN configuration mode is consistent with a more traditional Cisco router IOS-type approach.

---Configuring Multiple Spanning Tree Protocol (MSTP) - refer to 3.3.5-3.3.6 cpt176
Switch#show spanning-tree mst
Switch#show spanning-tree mst <mst instance #>
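A small model of the port-security commands above, as an added Python example (not from the notes; the class and method names are mine). It shows what the three violation modes leave behind for an operator to detect: shutdown err-disables the port, restrict drops and increments the counter that show port-security reports, protect drops silently. The MAC addresses are constructed samples.

```python
"""Port security on one access port (added example, not from the original
notes).  Models a maximum number of secure MAC addresses, an optional
static address, and the shutdown / restrict / protect violation modes.
"""
from collections import OrderedDict

MAX_SECURE = 132   # upper bound of "switchport port-security maximum"


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown"):
        if not 1 <= maximum <= MAX_SECURE:
            raise ValueError("maximum must be 1-%d" % MAX_SECURE)
        if violation not in ("shutdown", "restrict", "protect"):
            raise ValueError("unknown violation mode %r" % violation)
        self.name, self.maximum, self.violation = name, maximum, violation
        self.secure = OrderedDict()     # mac -> "static" | "dynamic"
        self.errdisabled = False
        self.violations = 0             # the SecurityViolation count

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("static entries exceed maximum")
        self.secure[mac] = "static"

    def receive(self, src_mac):
        """Decision for one ingress frame: forward | drop | errdisable."""
        if self.errdisabled:
            return "errdisable"
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = "dynamic"    # learned; counts toward the maximum
            return "forward"
        # table full and the source is unknown: a security violation
        if self.violation == "shutdown":
            self.errdisabled = True             # operator must shut / no shut to recover
            self.violations += 1
            return "errdisable"
        if self.violation == "restrict":
            self.violations += 1                # counter feeds syslog / SNMP trap
        return "drop"                           # protect: dropped with no record

    def status(self):
        """Rough equivalent of show port-security interface."""
        return {"port": self.name,
                "status": "err-disabled" if self.errdisabled else "secure-up",
                "violation_mode": self.violation,
                "maximum": self.maximum,
                "total_macs": len(self.secure),
                "violations": self.violations}


def run_frames(port, sources):
    """Feed a list of source MACs and return the per-frame decisions."""
    return [port.receive(mac) for mac in sources]


if __name__ == "__main__":
    # Constructed sample: one host, then a second MAC appears on the same port.
    fa1 = SecurePort("Fa0/1", maximum=1, violation="shutdown")
    print(run_frames(fa1, ["0000.1111.aaaa", "0000.1111.aaaa", "0000.1111.bbbb"]))
    print(fa1.status())
```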

However, the switch does not automatically revert to Rapid PVST+ or MSTP mode if it no longer receives IEEE 802.1D BPDUs, because it cannot determine whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Use the following command in this situation:
Switch#clear spanning-tree detected-protocols
Switch#show spanning-tree mst interface fastethernet 4/4
Switch#show spanning-tree mst 1 interface fastethernet 4/4
This example displays detailed MSTP information for a specific instance.
Switch#show spanning-tree mst 1 detail

----EtherChannel Configuration 3.4.3 ---more on part 2 of same page 3.4.4

Load balancing is applied globally for all EtherChannel bundles in the switch. To configure EtherChannel load balancing, use the port-channel load-balance command. Load balancing can be based on the following variables:
• src-mac: Source MAC address
• dst-mac: Destination MAC address
• src-dst-mac: Source and destination MAC addresses
• src-ip: Source IP address
• dst-ip: Destination IP address
• src-dst-ip: Source and destination IP addresses (default)
• src-port: Source TCP/User Datagram Protocol (UDP) port
• dst-port: Destination TCP/UDP port
• src-dst-port: Source and destination TCP/UDP ports

This example shows how to configure and verify EtherChannel load balancing.
Switch(config)# port-channel load-balance src-dst-ip
Switch(config)# exit
Switch# show etherchannel load-balance
Source XOR Destination IP address

Switch DHCP spoofing

DHCP Snooping Configuration Guidelines
These are the configuration guidelines for DHCP snooping.
• DHCP snooping must be enabled globally on the switch.
• DHCP snooping is not active until DHCP snooping is enabled on a VLAN.
• Before configuring the DHCP information option on the switch, make sure to configure the device that is acting as the DHCP server. For example, the IP addresses that the DHCP server can assign or exclude must be specified, or DHCP options for devices must be configured.

conf t
ip dhcp snooping --> must be specified to a vlan to take effect
ip dhcp snooping vlan vlan_id {,vlan_ID}
interface <interface>
 ip dhcp snooping trust --> make that port a trusted DHCP port (snooping)
 ip dhcp snooping limit rate 100 --> set the rate to limit DHCP on that interface (DHCP packets per second; usually don't do more than 100 packets) – do both commands on the same interface

The show ip dhcp snooping binding command displays the DHCP snooping binding entries for a switch, as shown in Figure.

VLAN hardening
One of the more important elements is to use dedicated VLAN IDs for all trunk ports (the trunk's native VLAN should not be a user VLAN). Also, disable all unused switch ports and place them in an unused VLAN. Set all user ports to non-trunking mode by explicitly turning off DTP on those ports; on IOS switches this is done by setting the switch port mode to access with the switchport mode access interface configuration command. ACLs can be configured on the router port to mitigate private VLAN attacks, and VLAN ACLs (VACLs) can also be used to help mitigate them. As an example of using ACLs on the router port: if a server farm segment were 172.16.34.0/24, configuring the ACLs shown in Figure on the default gateway would mitigate the private VLAN proxy attack.

conf t
interface <interface-id>
spanning-tree guard {root | loop}

Use the spanning-tree guard interface configuration command to enable root guard or loop guard on all the VLANs associated with the selected interface. Root guard restricts which interface is allowed to be the spanning-tree root port or the path to the root for the switch. Loop guard prevents alternate or root ports from becoming designated ports when a failure creates a unidirectional link. **Put loop guard on the trunks.

Globally enable BPDU guard on every PortFast port with spanning-tree portfast bpduguard default. **Don't put PortFast on trunks or on links to other switches/routers: BPDU guard err-disables the port as soon as a BPDU is received on it, which is exactly what you want on a user port and exactly what you don't want on an uplink.
---------------------------------------------------------------------------------NAT

Dynamic

To define the pool of public addresses, use the ip nat pool command:
Gateway(config)#ip nat pool public-access 199.99.9.40 199.99.9.62 netmask 255.255.255.224

Step 8 Define an access list that will match the inside private IP addresses. To define the access list, use the access-list command:
Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255

Step 9 Define the NAT translation from inside list to outside pool. To define the NAT translation, use the ip nat inside source command:
Gateway(config)#ip nat inside source list 1 pool public-access

Mark the interfaces:
router(config-if)#ip nat inside        --an interface is defined as inside or outside
--translations occur between inside and outside, so the router must have one interface marked inside and one marked outside:
int fa0/0
 ip address <address> <mask>
 ip nat inside

To map a private IP (e.g. a server) that needs internet/WAN access to a fixed public IP, use a static translation:
ip nat inside source static <inside-local-ip> <inside-global-ip>

Display active translations:
router#show ip nat translations [verbose]
router#show ip nat statistics

Debugging:
router#debug ip nat
router#debug ip nat detailed

Overloading
Overloading (PAT) is configured in two ways depending on how public IP addresses have been allocated. An ISP can allocate a network only one public IP address, which is typically assigned to the outside interface that connects to the ISP; in that case the translation is overloaded onto the interface address (the ip nat inside source list ... interface ... overload form). Figure shows how to configure overloading in this situation. The other way of configuring overload is when the ISP has given one or more public IP addresses for use as a NAT pool. This pool can be overloaded as shown in the configuration in Figure. Figure shows an example configuration of PAT.

-----------------------------------------------------------------------------------DHCP
router(config)#ip dhcp pool <name>              --> creates/selects the DHCP pool
router(dhcp-config)#network <network> <mask>    --> specifies the range
*multiple DHCP pools can be created on a server

---------Configure DHCP excluded addresses
router(config)#ip dhcp excluded-address ip-add [end-ip-address]
router(config)#ip dhcp excluded-address 172.16.1.1 172.16.1.10    (a range)
router(config)#ip dhcp excluded-address 172.16.1.254              (a single address)

*the address is reserved for the router interface, so it needs to be blocked out of the list; the same goes for any statically addressed host in the pool's network, otherwise the server may lease it and create a duplicate

Create the DHCP address pool. To configure the campus LAN pool, use the following commands:
campus(config)#ip dhcp pool campus
campus(dhcp-config)#network 172.16.12.0 255.255.255.0
campus(dhcp-config)#default-router 172.16.12.1
campus(dhcp-config)#dns-server 172.16.1.2
campus(dhcp-config)#domain-name foo.com
campus(dhcp-config)#netbios-name-server 172.16.1.10

----------------------------Verifying DHCP
Router#show ip dhcp binding          ---> shows leases and expiration
router#show ip dhcp server events

------------------------------To get a DHCP lease from a server that is on a different network (e.g. server on 172.17.1.0, clients on 172.16.1.0) --look at last slide for ip helpers in module 1
Use the ip helper-address command on the client-facing interface to relay broadcast requests for these key UDP services (DHCP among them). Routers do not forward broadcasts; the helper address turns the client's DHCP broadcast into a unicast to the server, so the request is not dropped at the router.

6.2.7 Configuring SNMP

In order to have the NMS communicate with networked devices, the devices must have SNMP enabled and the SNMP community strings configured. These devices are configured using the command line syntax described in the following paragraphs. More than one read-only string is supported. The default on most systems for this community string is public. It is not advisable to use the default value in an enterprise network. To set the read-only community string used by the agent, use the following command:
Router(config)#snmp-server community string ro
• string – Community string that acts like a password and permits access to the SNMP protocol
• ro – (Optional) Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.

More than one read-write string is supported. All SNMP objects are available for write access. The default on most systems for this community string is private. It is not advisable to use this value in an enterprise network. To set the read-write community string used by the agent, use the following command:
Router(config)#snmp-server community string rw
• rw – (Optional) Specifies read-write access. Authorized management stations are able to both retrieve and modify MIB objects.

SNMPv1/v2c community strings travel in cleartext and grant whatever the string allows, so bind each one to the management stations with the optional access-list argument (snmp-server community string ro <acl-number>) and only configure an rw string where writes are actually needed.

There are several strings that can be used to specify the location of the managed device and the main system contact for the device:
Router(config)#snmp-server location text
Router(config)#snmp-server contact text
• text – String that describes the system location (or contact) information
These values are stored in the MIB objects sysLocation and sysContact.

Network management in an internetworked environment typically requires one monitor per subnetwork.

SNMP Configuration (string values are private or public)  other apps to monitor
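The DHCP snooping, port hardening and STP guard notes above and the SNMP community-string notes here are all checks you can run against a running-config rather than eyeball. The following is an added example, not code from these notes or from Cisco: a small Python auditor that parses a constructed IOS config (hostname, interface names, VLAN numbers and ACL number are invented) and reports the weak settings described in those sections.

```python
"""Added example (not from these notes): audit an IOS running-config for the
switch-hardening and SNMP items above. Checks: DHCP snooping on globally and per
VLAN with a trusted uplink; user ports pinned to access mode, BPDU-guarded and
not trusted; loop guard on trunks; SNMP communities not default and ACL-bound.
The config below is constructed; names, VLANs and ACL numbers are invented."""
import re

# Gi0/1: correct uplink. Fa0/5: correct user port. Fa0/6: user port done wrong.
SAMPLE_CONFIG = """\
hostname DLS2
ip dhcp snooping
ip dhcp snooping vlan 10,20
snmp-server community public RO
snmp-server community s3cr3t-rw RW 10
access-list 10 permit 172.16.1.5
!
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
 spanning-tree guard loop
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 100
!
interface FastEthernet0/6
 switchport access vlan 30
 ip dhcp snooping trust
!
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def parse_config(text):
    """Split a running-config into global lines and per-interface sub-lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def vlan_set(spec):
    """Expand a '10,20-22' style VLAN list into a set of integers."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit(text):
    """Return a list of (severity, finding) tuples for the config text."""
    g, ifaces = parse_config(text)
    findings = []

    snoop_vlans = set()
    for line in g:
        m = re.match(r"ip dhcp snooping vlan (.+)", line)
        if m:
            snoop_vlans |= vlan_set(m.group(1))
    if "ip dhcp snooping" not in g:
        findings.append(("high", "DHCP snooping is not enabled globally"))
    elif not snoop_vlans:
        findings.append(("high", "DHCP snooping is enabled globally but on no VLAN"))

    for line in g:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line, re.I)
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"SNMP {mode} uses default community '{community}'"))
        if acl is None:
            findings.append(("medium", f"SNMP {mode} community '{community}' has no ACL"))

    guard_default = "spanning-tree portfast bpduguard default" in g
    trusted = {n for n, cfg in ifaces.items() if "ip dhcp snooping trust" in cfg}
    for name, cfg in ifaces.items():
        if "switchport mode trunk" in cfg:
            if "spanning-tree guard loop" not in cfg:
                findings.append(("low", f"{name}: loop guard not enabled on trunk"))
            continue
        # Anything not explicitly a trunk is treated as a user-facing port.
        if "switchport mode access" not in cfg:
            findings.append(("medium", f"{name}: not pinned to access mode, DTP can negotiate a trunk"))
        if name in trusted:
            findings.append(("high", f"{name}: DHCP snooping trust on a user port"))
        if "spanning-tree bpduguard enable" not in cfg and not (
                guard_default and "spanning-tree portfast" in cfg):
            findings.append(("medium", f"{name}: BPDU guard not in effect"))
        vlan = next((c.split()[-1] for c in cfg if c.startswith("switchport access vlan ")), None)
        if vlan and int(vlan) not in snoop_vlans:
            findings.append(("medium", f"{name}: access VLAN {vlan} has no DHCP snooping"))
    if not trusted:
        findings.append(("high", "no port is trusted for DHCP snooping; every server offer is dropped"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```

Run it against `show running-config` output saved to a file and the six findings it raises on the sample (the public community and its missing ACL, plus four on FastEthernet0/6) are the ones the notes above tell you to fix; the uplink and the correctly built user port produce nothing. The trunk test is deliberately strict: a port that is neither explicitly access nor explicitly trunk is reported, because DTP will happily negotiate it into a trunk.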

Host commands
C:\host1>arp -a                 (displays the host's ARP cache)
Route commands: netstat, route print, and other route commands

Ping Sweep
Another method for collecting MAC addresses is to employ a ping sweep across a range of IP addresses. A ping sweep is a scanning method that can be executed at the command line or by using network administration tools. These tools provide a way to specify a range of hosts to ping with one command. Using the ping sweep, network data can be generated in two ways. First, many of the ping sweep tools construct a table of responding hosts. These tables often list the hosts by IP address and MAC address. This provides a map of active hosts at the time of the sweep. Second, as each ping is attempted, an ARP request is made to put the target's MAC address into the ARP cache (for targets on the local segment; off-subnet targets only populate the gateway's entry). This touches each host and ensures that the ARP table is current. The arp command can then return the table of MAC addresses, as discussed above, but now there is reasonable confidence that the ARP table is up-to-date.

SDM Configuration

Use the following process to access SDM for the first time. This procedure assumes that an out-of-box router with SDM installed is being used, or that a default SDM configuration was loaded into flash.
Step 1 Connect a PC to the lowest-numbered LAN Ethernet port of the router using a cross-over cable.
Step 2 Assign a static IP address to the PC. It is recommended to use 10.10.10.2 with a 255.255.255.0 subnet mask.
Step 3 Launch a supported web browser.
Step 4 Use the URL https://10.10.10.1. A login prompt will appear.
Step 5 Log in using the default user account: Username: sdm  Password: sdm
The SDM startup wizard opens, requiring a basic network configuration to be entered. Change the default sdm/sdm account as part of that first configuration; the credentials are published and will be the first thing tried against any router reachable on HTTP(S). To access SDM after the initial startup wizard is completed, use either http: or https:, followed by the router IP address. Entering https: specifies that the Secure Sockets Layer (SSL) protocol be used for a secure connection. If SSL is not available, use http: to access the router, keeping in mind that the login then crosses the network in the clear. Once the WAN interface is configured, SDM is accessible through a LAN or WAN interface.
NOTE: The startup wizard information needs to be entered only once and will only appear when a default configuration is detected.

Troubleshooting SDM Access
Use the following tips to troubleshoot SDM access problems:
• First determine if there is a web browser problem by checking the following:
  ○ Are Java and JavaScript enabled on the browser? Enable them.
  ○ Are popup windows being blocked? Disable popup blockers on the PC, since SDM requires popup windows.
  ○ Are there any unsupported Java plug-ins installed and running? Disable them using the Windows Control Panel.
• Is the router preventing access? Remember that certain configuration settings are required for SDM to work. Check the following:
  ○ Is one of the default configurations being used, or is an existing router configuration being used? Sometimes new configurations disable SDM access.
  ○ Is the HTTP server enabled on the router? If it is not, enable it and check that the other SDM prerequisite parameters are configured as well. Refer to the "Downloading and Installing Cisco SDM" document for the required settings. This document can be found at the weblink below.
  ○ Did SDM access work before, but not now? Ensure that the PC is not being blocked by a new ACL. Remember that SDM requires HTTP, SSH, and Telnet access to the router, which could have been inadvertently disabled in a security lockdown.
• Is SDM installed?
  ○ The quickest way to determine this is to access it using the appropriate HTTP or HTTPS method: https://<router-address>/flash/sdm.shtml
  ○ Use the show flash command to view the flash file system and make sure that the required SDM files are present.

Refer to NS1 labs

PIX

The primary rule for security levels is that an interface with a higher security level can access an interface with a lower security level. Conversely, an interface with a lower security level cannot access an interface with a higher security level without an access control list (ACL). Security levels range from 0 to 100.
• Higher security level interface to a lower security level interface – For traffic originating from the inside interface of the PIX with a security level of 100 to the outside interface of the PIX with a security level of 0, all IP-based traffic is allowed unless it is restricted by ACLs, authentication, or authorization.
• Lower security level interface to a higher security level interface – For traffic originating from the outside interface of the PIX with a security level of 0 to the inside interface of the PIX with a security level of 100, all packets are dropped unless specifically allowed by an access-list command. The traffic can be restricted further if authentication and authorization are used.
• Same security level interface to a same security level interface – No traffic flows between two interfaces with the same security level (unless the same-security-traffic command is configured; see the interface notes below).

Basic interface commands:



• hostname – Assigns a hostname to the PIX.
• interface – Configures the type and capability of each perimeter interface.
• nameif – Assigns a name to each perimeter interface.
• ip address – Assigns an IP address to each interface.
• security-level – Assigns the security level for the perimeter interface.
• speed – Assigns the connection speed.
• duplex – Assigns the duplex setting.

In the interface configuration sub-commands, hardware speed and duplex, interface name, security level, IP address, and many other settings can be configured. For an interface to pass traffic, the nameif, ip address, security-level, and no shutdown interface configuration sub-commands are necessary. nameif assigns a name to each interface on the PIX Security Appliance; the first two interfaces have the default names inside and outside. ip address dhcp – have the interface acquire its IP information from DHCP. If it is necessary that interfaces with the same security level are able to communicate, use the same-security-traffic command. Two interfaces can be assigned the same level to allow them to communicate without using NAT.

NAT-related commands:

• nat-control – Enables or disables the NAT configuration requirement.
• nat – Shields IP addresses on the inside network from the outside network.
• global – Creates a pool of one or more IP addresses for use in NAT and PAT.
• route – Defines a static or default route for an interface.



The nat Command
The first step in enabling NAT on a PIX Security Appliance is entering the nat command. The nat command can specify translation for a single host or a range of hosts. The nat command has two major components: the nat_id and an IP address or range of IP addresses. A nat_id is a number from 1 to 2147483647 which specifies the hosts for dynamic address translation. The dynamic addresses are chosen from a global address pool created with the global command. The nat_id in the nat command must match the nat_id in the global command if you want to use that specific global pool of IP addresses for the dynamic address translation.

For example, the nat (inside) 1 10.0.0.0 255.255.255.0 command means that all outbound connections from a host within the specified network, 10.0.0.0/24, can pass through the PIX Security Appliance with address translation. The nat (inside) 1 10.0.0.11 255.255.255.255 command means that only outbound connections originating from the inside host 10.0.0.11 are translated as the packet passes through the PIX. Administrators can use 0.0.0.0 0.0.0.0 to allow all hosts to be translated; 0.0.0.0 can be abbreviated as 0. As shown in the Figure, all inside hosts making outbound connections with the nat (inside) 1 0.0.0.0 0.0.0.0 command are translated. The nat_id identifies the global address pool the PIX will use for the dynamic address translation. The syntax for the nat command is shown in Figure.

The global Command
In order for a local address to be translated using NAT, a global pool of addresses must be defined. In a PIX Security Appliance configuration, there may be more than one global pool configured. Each outbound network address translation is associated with a nat_id, and each global pool has a corresponding nat_id. The PIX uses the nat_id of the outbound IP packet to identify which global pool of addresses to select a translation IP address from; the nat_id of the outbound packet must match the nat_id of the global pool. The PIX assigns addresses from the designated global pool starting from the low end to the high end of the range specified in the global command. The pool of global IP addresses is configured with the global command.








In Figure , host 10.0.0.11 starts an outbound connection. The nat_id of the outbound packet is 1. In this instance, a global IP address pool of 192.168.0.20-254 is also identified with a nat_id of 1. The PIX assigns an IP address of 192.168.0.20. It is the lowest available IP address of the range specified in the global command. Packets from host 10.0.0.11 are seen on the outside as having a source address of 192.168.0.20. The syntax for the global command is shown in Figure . If the nat command is used, the companion command, global, must be configured to define the pool of translated IP addresses. Use the no global command to delete a global entry.

NOTE: The PIX Security Appliance uses the global addresses to assign a virtual IP address to an internal NAT address. After adding, changing, or removing a global statement, use the clear xlate command to make the IP addresses available in the translation table.

Use the route command to enter a static route for an interface. Static routes can be created to access specific networks beyond the locally connected networks. For example, in Figure, the PIX Security Appliance sends all packets destined to the 10.0.1.0 255.255.255.0 network out the inside interface to the router at IP address 10.0.0.102. This static route was created by using the command route inside 10.0.1.0 255.255.255.0 10.0.0.102 1. The router knows how to route the packet to the destination network of 10.0.1.0.

Commonly Used show Commands
The show memory command displays a summary of the maximum physical memory, current used memory, and current free memory available to the PIX Security Appliance operating system. The show cpu usage command displays CPU use. Use the show version command to display the PIX Security Appliance software version, operating time since the last reboot, processor type, Flash memory type, interface boards, serial number, BIOS identification, and activation key value. The show ip address command is used to view the IP addresses that are assigned to the network interfaces. The show interface command is used to view network interface information; this is one of the first commands that should be used when trying to establish connectivity.

Use the show nameif command to view the named interfaces. In Figure, the first two interfaces have the default names inside and outside. The inside interface has a default security level of 100, and the outside interface has a default security level of 0. Ethernet2 is assigned a name of dmz with a security level of 50.

If it is necessary to allow internal hosts to ping external hosts, an ACL permitting the ICMP echo reply back in is necessary. If pings through the PIX Security Appliance between hosts or routers are not successful, use the debug icmp trace command to monitor the progress of the ping.

The show run nat command displays the single host or range of hosts to be translated. In Figure, all hosts on the 10.0.0.0 network will be translated when traversing the PIX Security Appliance; the nat_id is 1. The show run global command displays the global pools of addresses configured in the PIX Security Appliance. In Figure there is currently one pool configured, on the outside interface, with an IP address range of 192.168.0.20 to 192.168.0.254 and nat_id 1. The show xlate command displays the contents of the translation slots. In Figure, the number of currently used translations is 1 with a maximum count of 1. The current translation is a local IP address of 10.0.0.11 to a global IP address of 192.168.0.20.

NTP
The ntp server command synchronizes the PIX Security Appliance with a specified network timeserver. The PIX can be configured to require authentication before synchronizing with the NTP server, which keeps a spoofed time source from skewing the timestamps in the logs. To enable and support authentication, there are several forms of the ntp command that work with the ntp server command. Additional information about the ntp command forms and their uses is available in the Command Reference. The show run ntp command can be used to display the current NTP configuration. The show ntp status

Logging severity levels:
• 0 – emergencies – System unusable messages
• 1 – alerts – Take immediate action
• 2 – critical – Critical condition
• 3 – errors – Error message
• 4 – warnings – Warning message
• 5 – notifications – Normal but significant condition
• 6 – informational – Information message
• 7 – debugging – Debug messages and log FTP commands and WWW URLs

The show logging Command Use the show logging command to see the logging configuration and any internally buffered messages. Use the clear logging
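The severity table above is what a logging trap level selects against (a level admits its own number and every lower one), and the messages it forwards are where ACL denies show up. The following is an added example, not PIX code or anything from these notes: a Python parser for %PIX-level-id: syslog lines that applies a threshold the way logging trap does, counts messages per severity, and pulls the source addresses out of deny messages. The log lines are constructed for the example; the addresses, connection numbers and user name in them are invented, and the message ids are used only to pick out denies.

```python
"""Added example, not PIX code: parse PIX syslog lines, apply a severity
threshold the way 'logging trap <level>' does (a level admits its own number
and every lower one), and run a simple detection over the result. The log
lines below are constructed in the %PIX-<level>-<id>: format; addresses,
connection numbers and the user name are invented."""
import re
from collections import Counter

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
LEVEL_BY_NAME = {name: level for level, name in SEVERITY.items()}

SYSLOG_RE = re.compile(r"%(?:PIX|ASA|FWSM)-(\d)-(\d{6}): (.*)$")
# Source address in an ACL deny (106023: "src if:A/p") or inbound deny (106001: "from A/p").
DENY_SRC_RE = re.compile(r"(?:src \w+:|from )(\d+\.\d+\.\d+\.\d+)/\d+")

SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 12 for outside:192.168.10.11/80 (192.168.10.11/80) to inside:10.0.0.11/1025 (192.168.0.20/1025)
%PIX-6-305011: Built dynamic TCP translation from inside:10.0.0.11/1025 to outside:192.168.0.20/1025
%PIX-4-106023: Deny tcp src outside:203.0.113.7/4433 dst inside:10.0.0.11/445 by access-group "outside_in"
%PIX-5-111008: User 'enable_15' executed the 'clear xlate' command.
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/4433 to 192.168.0.20/23 flags SYN on interface outside
%PIX-1-101001: (Primary) Failover cable OK.
""".splitlines()


def parse(line):
    """Return (level, message id, text) for a PIX syslog line, else None."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def at_or_below(lines, level):
    """Lines a 'logging trap <level>' setting would forward; level is a number or name."""
    if isinstance(level, str):
        level = LEVEL_BY_NAME[level]
    kept = []
    for ln in lines:
        p = parse(ln)
        if p and p[0] <= level:
            kept.append(ln)
    return kept


def summarize(lines):
    """Count messages per severity name."""
    counts = Counter()
    for ln in lines:
        p = parse(ln)
        if p:
            counts[SEVERITY[p[0]]] += 1
    return counts


def denies_by_source(lines):
    """Source addresses behind ACL denies (106023) and inbound denies (106001)."""
    hits = Counter()
    for ln in lines:
        p = parse(ln)
        if p and p[1] in ("106023", "106001"):
            m = DENY_SRC_RE.search(p[2])
            if m:
                hits[m.group(1)] += 1
    return hits


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    print(len(at_or_below(SAMPLE_LOG, "warnings")), "messages at warnings or worse")
    print(dict(denies_by_source(SAMPLE_LOG)))
```

With the threshold at warnings the two informational lines and the notification are dropped, which is the usual trade-off: the connection-built and translation-built messages are the ones you need when reconstructing a session after the fact, so keep the buffered or syslog-server level at informational if the collector can take the volume.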


Two Interfaces with NAT
In Figure, the first nat command statement permits all hosts on the 10.0.0.0 network to start outbound connections using the IP addresses from a global pool. The second nat command statement permits all hosts on the 10.2.0.0 network to do the same. The nat_id in the first nat command statement tells the PIX Security Appliance to translate the 10.0.0.0 addresses to those in the global pool containing the same nat_id. Likewise, the nat_id in the second nat command statement tells the PIX to translate addresses for hosts on network 10.2.0.0 to the addresses in the global pool containing nat_id 2.

Three Interfaces with NAT
In Figure, the first nat command statement enables hosts on the inside interface, which has a security level of 100, to start connections to hosts on interfaces with lower security levels. In this case, that includes hosts on the outside interface and hosts on the demilitarized zone (DMZ). The second nat command statement enables hosts on the DMZ, which has a security level of 50, to start connections to hosts on interfaces with lower security levels. In this case, that includes only the outside interface. Because both global pools and the nat (inside) command statement use a nat_id of 1, addresses for hosts on the 10.0.0.0 network can be translated to those in either global pool. Therefore, when users on the inside interface access hosts on the DMZ, their source addresses will be translated to addresses in the 172.16.0.20−172.16.0.254 range from the global (dmz) command statement. When they access hosts on the outside, their source addresses will be translated to addresses in the 192.168.0.20−192.168.0.254 range from the global (outside) command statement.

When users on the DMZ access hosts on the outside, their source addresses will always be translated to addresses in the 192.168.0.20−192.168.0.254 range from the global (outside) command statement.
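The nat/global description earlier (nat_id matching, lowest free address first, clear xlate) and the three-interface layout just described are easier to reason about as a model you can poke at. The following is an added example, not PIX code: a small Python class that applies the security-level rule first and then picks the translation the way the notes describe. The interface names, the 10.0.0.0/24 inside network and the two global pools come from the notes' figures; the 172.16.0.0/24 DMZ subnet, the nat 0 entry for 192.168.0.9 (borrowed from the nat 0 note further down) and every class and method name are assumptions made for this example.

```python
"""Added example, not PIX code: model of the nat/global lookup in the notes.
A nat statement matching the packet's source on its ingress interface yields a
nat_id; the global pool on the egress interface with the same nat_id hands out
its lowest free address; nat 0 leaves the source untouched; clear xlate returns
every address to its pool. Security levels are checked first: high-to-low
passes, low-to-high needs an ACL, equal levels need same-security-traffic.
The DMZ subnet 172.16.0.0/24 and all class/method names are assumptions."""
import ipaddress


class Pix:
    def __init__(self):
        self.levels = {}          # interface -> security level
        self.nat = []             # (ingress interface, nat_id, network)
        self.pools = {}           # (egress interface, nat_id) -> free addresses, ascending
        self.xlate = {}           # (local ip, egress) -> (global ip, pool key)
        self.same_security = False

    def nameif(self, name, level):
        self.levels[name] = level

    def add_nat(self, ifname, nat_id, net, mask):
        self.nat.append((ifname, nat_id, ipaddress.ip_network(f"{net}/{mask}")))

    def add_global(self, ifname, nat_id, first, last):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.pools[(ifname, nat_id)] = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]

    def permitted(self, ingress, egress, acl_permit=False):
        """Security-level rule: high->low passes, low->high only with an ACL,
        equal levels only when same-security-traffic is configured."""
        src, dst = self.levels[ingress], self.levels[egress]
        if src > dst:
            return True
        if src < dst:
            return acl_permit
        return self.same_security

    def translate(self, ingress, egress, src_ip, acl_permit=False):
        """Global address the packet leaves with, or None if the flow is dropped."""
        if not self.permitted(ingress, egress, acl_permit):
            return None
        ip = ipaddress.ip_address(src_ip)
        # Most specific matching nat statement on the ingress interface wins
        # (a simplification of the real lookup order, enough for this model).
        matches = [(net.prefixlen, nid) for ifn, nid, net in self.nat
                   if ifn == ingress and ip in net]
        if not matches:
            raise LookupError(f"no nat statement matches {src_ip} on {ingress}")
        nat_id = max(matches)[1]
        if nat_id == 0:
            return src_ip                          # nat 0: identity, not translated
        key = (src_ip, egress)
        if key in self.xlate:
            return self.xlate[key][0]              # reuse the existing translation slot
        pool_key = (egress, nat_id)
        pool = self.pools.get(pool_key)
        if not pool:
            raise LookupError(f"no free address in global pool nat_id {nat_id} on {egress}")
        chosen = pool.pop(0)                       # lowest available address first
        self.xlate[key] = (chosen, pool_key)
        return chosen

    def clear_xlate(self):
        """Equivalent of 'clear xlate': free every translation slot."""
        for chosen, pool_key in self.xlate.values():
            self.pools[pool_key].append(chosen)
            self.pools[pool_key].sort(key=lambda a: int(ipaddress.ip_address(a)))
        self.xlate.clear()


def three_interface_pix():
    """inside(100), dmz(50), outside(0); one nat_id shared by both global pools."""
    pix = Pix()
    pix.nameif("inside", 100)
    pix.nameif("dmz", 50)
    pix.nameif("outside", 0)
    pix.add_nat("inside", 1, "10.0.0.0", "255.255.255.0")
    pix.add_nat("dmz", 1, "172.16.0.0", "255.255.255.0")        # assumed DMZ subnet
    pix.add_nat("dmz", 0, "192.168.0.9", "255.255.255.255")     # nat 0: Internet server
    pix.add_global("dmz", 1, "172.16.0.20", "172.16.0.254")
    pix.add_global("outside", 1, "192.168.0.20", "192.168.0.254")
    return pix


if __name__ == "__main__":
    pix = three_interface_pix()
    print(pix.translate("inside", "dmz", "10.0.0.11"))        # 172.16.0.20
    print(pix.translate("inside", "outside", "10.0.0.11"))    # 192.168.0.20
    print(pix.translate("outside", "inside", "203.0.113.5"))  # None: no ACL
```

Two things the model makes visible that a config listing does not: the same inside host gets a different global address per egress interface because each interface has its own pool, and because the DMZ shares nat_id 1, DMZ hosts and inside hosts draw from the same outside pool, so pool exhaustion on the outside interface affects both.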

Use the static command for outbound connections that must be mapped to the same global IP address. nat 0 exempts an address from translation: here the address 192.168.0.9 is not translated. When the command nat (DMZ) 0 192.168.0.9 255.255.255.255 is entered, the PIX Security Appliance displays the following message: NAT 0 enables the Internet server address to be visible on the outside interface. The administrator also needs to add a static in combination with an access-list to allow users on the outside to connect with the Internet server. The show conn command displays information about the active TCP connections.

The show conn detail Command
When the show conn detail option is used, the system displays information about the translation type, interface information, IP address/port number, and connection flags. In Figure, the two connections display a flag value of UIO. According to the flag definitions, the connections are up and are passing inbound and outbound data.

The show local-host Command
The show local-host command displays the network states of local hosts. A local-host entry is created for any host that forwards traffic to, or through, the PIX Security Appliance. This command shows the translation and connection slots for the local hosts. In Figure, the inside host 10.0.0.11 establishes a web connection with server 192.168.10.11. The output of the show local-host command is displayed in Figure.

To configure OSPF on the PIX Security Appliance, the administrator must do the following:
• Enable OSPF
• Define the PIX Security Appliance interfaces on which OSPF runs
• Define OSPF areas

Enable OSPF
To enable OSPF routing, use the router ospf command. The syntax for the router ospf command is shown in Figure. The PIX Security Appliance can be configured for one or two processes, or OSPF routing domains. If the PIX is functioning as an ABR and it is configured for one process, the PIX will pass type 3 LSAs between defined OSPF areas. In the example in Figure, the PIX is configured for one OSPF process, OSPF 1.

Define Network Interfaces
To define the interfaces on which OSPF runs and the area ID for those interfaces, use the network area subcommand. The syntax for the network area command is shown in Figure.

FWSM
To bring up the FWSM, the following tasks must be completed:
• Initialize the FWSM.
• Configure the switch VLANs.
• Associate VLANs with the FWSM.

The switch CLI is accessible through a Telnet connection to the switch or through the switch console interface.

Verify FWSM Installation
Before the FWSM can be used, it must be verified that the card is installed and recognized by the switch. Enter the show module command to verify that the system acknowledges the new module and has brought it online. The syntax for the show module command is shown in Figure.

Configure the Switch VLANs
The FWSM does not include any external physical interfaces. Instead, it uses VLAN interfaces. Hosts are connected to physical switch ports, and VLANs are assigned to those ports. To prevent mismatched VLANs, the administrator should first configure a VLAN on the MSFC, and then configure the VLANs on the FWSM. VLAN IDs must be the same for the switch and the FWSM. After the MSFC VLAN is configured, specific VLANs can be associated with a FWSM. The first step was to add VLANs to the MSFC. The next step is to associate the VLANs to be inspected by the FWSM. A VLAN can be linked with a specific FWSM by using the firewall command. The firewall vlan-group command creates a group of firewall VLANs named by the vlan-group parameter. The syntax for the firewall vlan-group command is shown in Figure.

Once a set of VLANs is assigned to a group, the firewall module command associates a VLAN group with a specific FWSM. The syntax for the firewall module command is shown in Figure. In the example in Figure, VLANs 100, 200, and 300 have been placed into firewall VLAN-group 1. The FWSM in slot 4 is associated with VLAN-group 1, i.e. VLANs 100, 200, and 300.

Verify the MSFC Configuration
The administrator can verify that the MSFC is properly configured for interaction with the FWSM. The show firewall vlan-group command verifies which VLANs are assigned to each firewall VLAN-group. The show firewall module command verifies that the VLAN-groups are assigned to the slot where the FWSM resides.

Configure the FWSM Interfaces
The FWSM is now installed, the MSFC VLANs are configured, and the FWSM VLANs are associated with a specific FWSM. The next step is to configure the security policy on the FWSM. The FWSM can be accessed by using the session command. Use the default password cisco for the FWSM when prompted. A prompt for an enable mode password is then displayed. By default, there is no password, and the Enter key can be pressed to access the enable mode. Change both the login password and the enable password to real values before the module carries traffic, and use those for future access to this mode. Once on the FWSM, standard security appliance commands are used to configure interface names, add security levels, and specify IP addresses. The example in Figure shows the use of the nameif command: it associates VLAN 100 as the outside interface and sets the interface with a security level of 0, defines VLAN 200 as the inside interface, and specifies VLAN 300 as the dmz interface. In all cases, the ip address command is used to add an IP address to each interface.

Configure A Default Route
A default route may also need to be added. In the example in Figure, a default route is created, pointing to the VLAN 100 interface of the MSFC.

It may also be necessary to create static routes. Multiple context mode does not support dynamic routing, so static routes must be used to reach any networks to which the FWSM is not directly connected, such as when a router is between the destination network and the FWSM. Static routes might be appropriate in single context mode if:
• The network uses a routing protocol other than RIP or OSPF.
• The network is small and static routes can be easily managed.
• The traffic or CPU overhead associated with routing protocols is to be avoided.

Configure the FWSM access-lists
The administrator needs to create ACLs to allow outbound as well as inbound traffic, because the FWSM, unlike the PIX security appliances, denies all inbound and outbound connections that are not explicitly permitted by ACLs. Explicit access rules need to be configured using the access-list command and attached to the appropriate interface using the access-group command to allow traffic to pass through that interface. Traffic that has been permitted into an interface can exit through any other interface. Return traffic matching the session information is permitted without an explicit ACL.

Firewall Services Module Operation

3.8 Using PDM with the FWSM

PDM v. 4.0 can be used to configure and monitor FWSM v. 2.2. Figure shows the steps needed to prepare the FWSM to use PDM. Be sure to initialize the FWSM before attempting to install PDM.
• Use the copy tftp flash command to copy the PDM image into FWSM flash:
  copy tftp://10.1.1.1/pdm-XXX.bin flash:pdm   (where XXX = pdm image version number)
• Enable the HTTP server on the FWSM. Without it, PDM will not start:
  http server enable
• Identify the specific hosts/networks that can access the FWSM using HTTP:
  http 10.1.1.0 255.255.255.0 inside
  Hosts from network 10.1.1.0 (on the inside interface) are permitted HTTP access. Keep this statement as narrow as the management network allows; it is the only thing between the PDM login page and every host that can reach the inside interface.
• Launch the browser and enter the following address:
  https://10.1.1.1 (FWSM inside interface)

Resetting and Rebooting the FWSM
If the module cannot be reached through the CLI or an external Telnet session, enter the hw-module module module_number reset command to reset and reboot the module. The reset process requires several minutes. The syntax for the command is shown in Figure. The example in Figure shows how to reset the module, installed in slot 4, from the CLI.

When the FWSM initially boots, by default it runs a partial memory test. To perform a full memory test, use the hw-module module module_number mem-test-full command. The syntax of the command is shown in Figure. A full memory test takes more time to complete than a partial memory test, depending on the memory size. The table in Figure lists the memory and approximate boot time for a long memory test.

PIX ACLs

The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search. The clear access-list command is used to clear an access list counter. If no ACL is specified, all of the access list counters are cleared. If the counters option is specified, it clears the hit count for the specified ACL. The no access-list command removes an access-list command from the configuration. If all of the access-list command statements in an ACL group are removed, the no access-list command also removes the corresponding access-group command from the configuration. The access-list mode command allows the administrator to specify whether the defined ACL should be active imm

ediately or when specified. The access-list commit command activates the previously created ACL. Use the access-list id line line-num command to insert an access-list command statement, and the no access-list id line line-num command to delete an access-list command statement. Line numbers are maintained internally in increasing order, starting from 1. A user can insert a new entry between two consecutive ACEs by choosing the line number of the ACE with the higher line

In Figure the users in the corporate office wish to communicate with the branch site over a VPN tunnel. To accomplish this, the administrator employs nat 0 access-list. The IP source network, 10.0.0.0/24, and IP destination network, 10.200.0.0/24, are defined in the ACL. The ACL is applied to the nat 0 command. Any VPN traffic originating at 10.0.0.0/24 and destined for 10.200.0.0/24 is not translated by the PIX.

ActiveX Filtering Another application that can be filtered by the PIX Security Appliance in order protect against malicious applets is ActiveX. ActiveX controls are applets that can be inserted in Web pages or other applications. They were formerly known as Object Linking and Embedding (OLE) or Object Linking and Embedding Control (OCX). ActiveX controls create a potential security problem because they provide a way for someone to attack servers. Due to this security threat, administrators have the option of using the PIX to block all ActiveX controls. The filter {activex | java} command filters out ActiveX or Java usage from outbound packets. In the example in Figure , the command specifies that ActiveX is being filtered on port 80 from any internal host and for connection to any external host. The Command Reference provides more information about the commands and syntax for blocking ActiveX or Java.

Use the url-server command to designate the server on which the URL filtering application runs, and then enable the URL filtering service with the filter url command. PIX Security Appliance Software Versions 6.1 and earlier do not support the filtering of URLs longer than 1159 bytes. PIX version 6.2 supports the filtering of URLs up to 6 KB for the Websense filtering server. The maximum allowable length of a single URL can be increased by entering the url-block url-size command. This option is available with Websense URL filtering only.
HTTPS and FTP Filtering
This feature extends Web-based URL filtering to HTTPS and FTP. The filter ftp and filter https commands were added to the filter command in PIX Security Appliance Software Version 6.3. The filter ftp command enables FTP filtering. The filter https command enables HTTPS filtering. The filter ftp and filter https commands are available with Websense URL filtering only. The example command in the figure instructs the PIX Security Appliance to send all URL requests to the URL filtering server to be filtered. The allow option in the filter command is crucial to the use of the PIX URL filtering feature. If the allow option is used and the URL filtering server goes offline, the PIX lets all FTP and HTTPS URL requests continue without filtering. If the allow option is not specified, all FTP and HTTPS URL requests are stopped until the server is back online.
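The ActiveX, Java and URL filtering commands described above, combined into one PIX 6.3 configuration as an added example that is not taken from the course figures; the Websense server 192.168.0.20 on the dmz interface and the inside network 10.0.0.0/24 are constructed values.

```text
! PIX 6.3 content filtering (constructed example)
!
! Block ActiveX and Java applets in outbound HTTP from any inside host to any
! outside host. The four zeros are local_ip local_mask foreign_ip foreign_mask,
! i.e. "any source, any destination".
filter activex 80 0 0 0 0
filter java 80 0 0 0 0
!
! Designate the Websense server the PIX queries for URL decisions. The
! interface name in parentheses is the interface the server is reached through.
url-server (dmz) vendor websense host 192.168.0.20 timeout 30 protocol TCP version 4
!
! Raise the longest URL the PIX forwards to Websense to 4 KB
! (Websense only; accepted values are 2 to 6 KB).
url-block url-size 4
!
! Send outbound HTTP URL requests from 10.0.0.0/24 to the filtering server.
! "allow" means fail open: if the Websense server is unreachable the PIX
! lets these requests through unfiltered.
filter url http 10.0.0.0 255.255.255.0 0 0 allow
!
! FTP and HTTPS filtering (6.3 and later, Websense only). Without "allow"
! these requests are blocked for as long as the server is offline (fail closed).
filter ftp 21 10.0.0.0 255.255.255.0 0 0
filter https 443 10.0.0.0 255.255.255.0 0 0
```

Choosing allow on the HTTP line and omitting it on the FTP and HTTPS lines is deliberate: it shows the two failure behaviours side by side so the operator can decide per protocol whether availability or policy enforcement wins when the filtering server is down.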

PIX object group types:
• Network – Used to group client hosts, server hosts, or subnets.
• Protocol – Used to group protocols. It can contain one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. Use the keyword ip to match any Internet protocol, including ICMP, TCP, and UDP.
• Service – Used to group TCP or UDP port numbers assigned to different services.
• ICMP-type – Used to group ICMP message types which are permitted or denied access.

Applying a PIX Security Appliance object group to a command is the equivalent of applying every element of the object group to the command. In the example shown in the figure, the group DMZ_Servers contains the servers 192.168.0.10, 192.168.0.11, and 192.168.0.12. The group DMZ_Services supports the HTTP, HTTPS, and FTP protocols. Applying the groups DMZ_Servers and DMZ_Services to an ACE is the same as applying all of the hosts and protocols individually.

9.2.2 Getting started with object groups

Complete the following steps to configure an object group and to use it in the configuration of ACLs:

Step 1 Use the object-group command to enter the appropriate subcommand mode for the type of group to be configured. All subcommands entered from the subcommand prompt apply to the object group identified by the object-group command.
Step 2 In subcommand mode, define the members of the object group. In subcommand mode, object grouping subcommands as well as all other PIX Security Appliance commands can be entered, including show commands and clear commands. Enter a question mark (?) in the subcommand mode to view the permitted subcommands.
Step 3 (Optional) Use the description subcommand to describe the object group.
Step 4 Return to configuration mode by entering the exit command or the quit command. When any valid configuration command other than one designed for object grouping is entered, the subcommand mode is terminated.
Step 5 (Optional) Use the show object-group command to verify that the object group has been configured successfully. This command displays a list of the currently configured object groups of the specified type. Without a parameter, the command displays all object groups.
Step 6 Apply the object group to the access-list command. Replace the parameters of the access-list command with the corresponding object group, as summarized in the figure.
Step 7 (Optional) Use the show access-list command to display the expanded ACEs.

The group-object command is used to construct hierarchical, or nested, object groups. The group-object command, which is not to be confused with the object-group command, places one object group into another. The difference between object groups and group objects is as follows:
• An object group is a group consisting of objects.
• A group object is an object in a nested group and is itself a group.

Nested Object Group Examples
In the figure, the access-list named ALL enables all hosts in HOSTGROUP1 and HOSTGROUP2 to make outbound FTP connections. Without nesting, all the IP addresses in HOSTGROUP1 and HOSTGROUP2 would have to be redefined in the ALLHOSTS group. With nesting, however, the duplicated definitions of the hosts are eliminated. The next figure illustrates multiple nested object groups configured so that one ACL entry enables the remote hosts 172.26.26.50 and 172.26.26.51 to initiate FTP and SMTP connections to all local hosts in the ALLHOSTS group. Note that with object grouping configured, only one ACL entry is required.
Related object group commands:
• show object-group
• no object-group
• clear object-group
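The DMZ_Servers/DMZ_Services example from 9.2.1 and the nested HOSTGROUP1/HOSTGROUP2/ALLHOSTS example above written out as one PIX configuration, together with the show access-list hit-count and clear access-list counters commands from the ACL section; this is an added example, not the course figure, and the 10.x member addresses and the ACL names ACLIN and ALL are constructed.

```text
! PIX object groups (constructed example built from the values in this section)
!
! 9.2.1: three DMZ servers and the TCP services they offer
object-group network DMZ_Servers
  description Public servers on the DMZ
  network-object host 192.168.0.10
  network-object host 192.168.0.11
  network-object host 192.168.0.12
object-group service DMZ_Services tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
!
! One ACE; the PIX expands it to 3 hosts x 3 ports = 9 individual ACEs
access-list ACLIN extended permit tcp any object-group DMZ_Servers object-group DMZ_Services
access-group ACLIN in interface outside
!
! Nested groups: ALLHOSTS contains HOSTGROUP1 and HOSTGROUP2 by reference,
! so the member addresses are typed only once and changed in one place.
object-group network HOSTGROUP1
  network-object host 10.0.0.10
  network-object host 10.0.0.11
object-group network HOSTGROUP2
  network-object 10.0.1.0 255.255.255.0
object-group network ALLHOSTS
  group-object HOSTGROUP1
  group-object HOSTGROUP2
!
! ACL "ALL": every host in ALLHOSTS may open outbound FTP connections
access-list ALL extended permit tcp object-group ALLHOSTS any eq ftp
access-group ALL in interface inside
!
! Two remote hosts may reach every ALLHOSTS member on FTP and SMTP;
! still a single ACE thanks to the three groups.
object-group network REMOTE_HOSTS
  network-object host 172.26.26.50
  network-object host 172.26.26.51
object-group service FTP_SMTP tcp
  port-object eq ftp
  port-object eq smtp
access-list ACLIN extended permit tcp object-group REMOTE_HOSTS object-group ALLHOSTS object-group FTP_SMTP
!
! Verification and clean-up:
!   show object-group network             - the configured network groups
!   show access-list ACLIN                - every expanded ACE with its hitcnt
!   clear access-list ACLIN counters      - zero the hit counts of ACLIN only
!   no object-group network REMOTE_HOSTS  - refused while an ACL still uses the group
```

Reading show access-list after a test connection is the quickest way to confirm which expanded ACE a flow actually matched, since the hit count increments on that line rather than on the group-level entry you typed.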

9.3.2 Configure a class map

The class-map command is used to classify a set of traffic with which security actions may be associated. Configuring a class map is a two-step process: name a class of traffic, then define the attributes of the traffic. A name is assigned to each individual class of traffic. For example, in the figure there are four named traffic classes. The class-map se command identifies the remote VPN traffic from the system engineers. The class-map s2s command identifies the remote VPN traffic from the system engineers. The syntax of the class-map command is as follows:
class-map class_map_name
After a class of traffic is named, the characteristics of the traffic flow are identified. To be considered part of a named class, a traffic flow must match a defined set of attributes. There are various types of match criteria in a class map. One example of match criteria is an access list that defines all traffic from the Internet to the DMZ. Another match is the VPN tunnel-group, which here includes all members of the SE and EXEC tunnel-groups. Another such match is a TCP or UDP port number, which could be used to define all HTTP or FTP traffic. The class matching criteria are as follows:
• match access-list – This keyword specifies to match an entry in an access-list.
• match any – This keyword specifies that all traffic is to be matched. Match any is used in the class-default class map.
• match dscp – This keyword specifies to match the IETF-defined Differentiated Services Code Point (DSCP) value in the IP header. This allows the administrator to define classes based on the DSCP values defined within the TOS byte in the IP header.
• match flow – This keyword specifies to match each IP flow within a tunnel-group. This match command must be used in conjunction with the match tunnel-group command.
• match port – This keyword specifies to match traffic using a TCP or UDP destination port.
• match precedence – This keyword specifies to match the precedence value represented by the TOS byte in the IP header. This allows the administrator to define classes based on the precedence defined within the TOS byte in the IP header.
• match rtp – This keyword specifies to match the Real-Time Transport Protocol (RTP) destination port. This allows the administrator to match on a UDP port number within the specified range. The allowed range is targeted at capturing applications likely to be using RTP.
• match tunnel-group – This keyword specifies to match tunnel traffic.

A traffic class is a set of traffic that is identifiable by its packet content. For example, TCP traffic with a port value of 21 or 80 may be classified as an Internet traffic class.

9.3.3 Configure a policy map

The policy-map command is used to configure various policies. A policy consists of a class command and its associated actions. The PIX Security Appliance supports one policy per interface and one global policy. Each policy map may support multiple classes and policy actions. In the example in the figure, there are two policy maps, the outside policy map and the global policy map. The outside policy map supports four class maps: the Internet, SE, EXEC, and S2S class maps. IDS, inspect, police, and priority actions are associated with these classes. The global policy map supports default inspection criteria for all traffic. The following steps are used to define a policy map:
Step 1 Name the policy.
Step 2 Identify a class of traffic covered by this policy.
Step 3 Associate an action or actions with each traffic flow.
The first step is to define the policy maps. In the example in the figure, there are two policy maps, outside and global.

The next step is to identify which traffic flows, or classes, are specified in a policy map. Each traffic flow is identified by a class map name. In the example in the figure, the outside policy map is identified and the Internet class traffic flow is assigned to it. The syntax of the policy-map commands is as follows:
policy-map policymap_name
description text
class classmap_name
The last step is to associate actions with specific traffic flows within a policy map. In the example in the figure, the policy map name, outside, is defined and the Internet class of traffic is defined. The administrator must next associate actions with this traffic flow. The policy action options are to forward traffic to IDS, perform specified protocol inspections, police the bandwidth used by the specified flow, direct the flow to the low latency queue, or set connection parameters on these flows. To display all of the policy map configurations or the default policy map configuration, use the show running-config policy-map command. More information about the syntax of the policy-map command is available in the Command Reference.

9.3.4 Configure a service policy

To activate a policy map globally on all interfaces or on a single interface, use the service-policy command in privileged EXEC mode. The interface can be a VLAN interface or a physical interface. In general, a service-policy command can be applied to any interface that can be defined by the nameif command. To disable, use the no form of this command.

To display all currently running service policy configurations, use the show running-config service-policy command in global configuration mode. To display the configured service policies, use the show service-policy command in global configuration mode. The syntax for these commands is available in the Command Reference.
Advanced protocol inspection: how to add an inspection and set a policy

Use the ftp-map command to define which FTP commands should be blocked. After the administrator enters the ftp-map command and a map name, the system enters the FTP map configuration mode. The deny-request-cmd command enables the administrator to list which FTP request commands should be blocked. In the example in the figure, the inbound_ftp ftp-map was defined. The inbound_ftp ftp-map identifies the commands to be filtered; in the example it identifies six FTP request commands to filter. The class map inbound_ftp_traffic matches traffic defined by access-list 101, FTP traffic between any host and host 192.168.1.11, the FTP server. In the inbound policy map, the FTP command request restrictions defined in the ftp-map inbound_ftp are associated with the inbound_ftp_traffic class of traffic. Lastly, the inbound policy is enabled on the outside interface.

To enable enhanced HTTP inspection, use the inspect http http-map command. The enhanced rules that apply to HTTP traffic are defined by the http-map command.
9.4.5 Enhanced HTTP Inspection Configuration
Configuring enhanced HTTP inspection is a four-step process. The four steps in the process are as follows:
Step 1 Configure the http-map command to define the enhanced HTTP inspection parameters and the action taken when a parameter in the configured category is detected.
Step 2 Identify the flow of traffic using the class-map command. The administrator can use the default class map, inspection_default. The administrator can also define a new traffic flow, for example any hosts trying to access the corporate web server from the Internet.
Step 3 Associate the HTTP map with a class of traffic with the policy-map command. The administrator can use the default policy map, asa_global_fw_policy. The administrator can also define a new policy, such as an inbound traffic policy for any hosts trying to access the corporate web server from the Internet.
Step 4 Apply the policy to an interface, or globally, using the service-policy command. The administrator can use the default service-policy, asa_global_fw_policy. The administrator can also define a new service policy, such as a policy for all inbound Internet-sourced traffic, and apply the service policy to the outside interface.
In the example in the figure, the administrator created a new modular policy for HTTP traffic from the Internet to the corporate web server with an IP address of 192.168.1.11, rather than modify the existing default global modular policy. To accomplish this, the administrator configured a new HTTP map, class map, policy map and service policy. The administrator created an HTTP map, inbound_http. In the HTTP map, they restricted RPC request methods, defined message criteria, and restricted HTTP applications. In the class map, they identified the traffic flow with a matching ACL, access-list 102. In a new policy map, the administrator associated the actions in the new HTTP map with traffic identified in the ACL. Lastly, the new service policy is enabled on the outside interface.
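The class map, policy map, service policy, ftp-map and http-map steps of sections 9.3 and 9.4 assembled into one PIX 7.0 configuration for inbound traffic to the 192.168.1.11 server, as an added example that is not the course figure. The specific FTP commands denied and the HTTP limits are constructed, and the ftp-map subcommand is written as request-command deny, the spelling used in the 7.x command reference for the command the text above calls deny-request-cmd.

```text
! PIX 7.0 modular policy framework: inbound FTP and HTTP to 192.168.1.11
! (constructed example)
!
! Step 1: protocol maps define what the inspection engines enforce.
ftp-map inbound_ftp
  request-command deny appe dele rmd rnfr rnto stou
!
http-map inbound_http
  ! Reset anything that is not GET or POST (default = all methods not listed)
  request-method rfc default action reset log
  request-method rfc get action allow
  request-method rfc post action allow
  ! Cap the declared body size of a request or response
  content-length max 65536 action reset log
  ! Drop IM, P2P and tunnelling applications riding on port 80
  port-misuse default action reset log
!
! Step 2: class maps select the flows, one ACL per service.
access-list 101 extended permit tcp any host 192.168.1.11 eq ftp
access-list 102 extended permit tcp any host 192.168.1.11 eq www
class-map inbound_ftp_traffic
  match access-list 101
class-map inbound_http_traffic
  match access-list 102
!
! Step 3: the policy map binds an action to each class.
! "strict" is required before an ftp-map can be attached to inspect ftp.
policy-map inbound
  description Inspection policy for Internet-sourced traffic
  class inbound_ftp_traffic
    inspect ftp strict inbound_ftp
  class inbound_http_traffic
    inspect http inbound_http
!
! Step 4: activate on the outside interface. Flows matched here use this
! policy; everything else on the interface still falls to the global policy.
service-policy inbound interface outside
!
! Verify with:
!   show running-config policy-map
!   show service-policy interface outside
```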
Passive interface on Redistributing Routes
However, sending updates out E0 is a waste of resources, since no other routers on the 10.4.4.0 subnetwork can receive the updates. Meanwhile, sending updates creates a slight overhead and may cause a potential security risk: a malicious user could use a packet sniffer to capture routing updates and glean key network information. A passive interface essentially makes a router a silent host on a network. Identifying an interface as passive prevents routing updates for a routing protocol from being sent through a router interface. You can use the passive-interface command with most IP interior gateway protocols, including RIP, EIGRP, OSPF, and IS-IS. To configure a passive interface, use the following procedure:
Step 1 Select the router and routing protocol that requires the passive interface.
Step 2 Determine the interfaces through which you do not want routing update traffic (or hellos for link-state routing protocols and EIGRP) to be sent.
Step 3 Configure the router using the passive-interface command. The figure displays the command parameters.
(5.3.3) To solve this configuration scalability problem, the passive-interface default command can be used to set all interfaces to passive. You can then enable routing on individual interfaces where you require adjacencies using the no passive-interface command.
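The E0 case above and the passive-interface default form, written out as before/after IOS configuration; this is an added example, not from the page, and the router's interface names (Ethernet0 on the 10.4.4.0 stub LAN, Serial0 toward the next router) and the OSPF process are constructed.

```text
! Before: RIP sends full updates out every interface covered by the network
! statement, including Ethernet0, where only end hosts can hear them.
router rip
 version 2
 network 10.0.0.0
!
! After: stop sending updates on the stub LAN only. 10.4.4.0 is still
! advertised out Serial0. Note that RIP still accepts updates that arrive on
! a passive interface; only transmission is suppressed.
router rip
 version 2
 network 10.0.0.0
 passive-interface Ethernet0
!
! Scalable form (5.3.3): passive by default, then open only the links where a
! neighbor really exists. For OSPF and EIGRP a passive interface also sends no
! hellos, so a missing "no passive-interface" quietly prevents an adjacency.
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 passive-interface default
 no passive-interface Serial0
!
! Verify:
!   show ip protocols            - lists "Passive Interface(s)" per process
!   show ip ospf neighbor        - Serial0 neighbor present, none on Ethernet0
```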

Block propagation of distributed lists with Distribute Lists (5.3.5)

Multicast
show ip igmp groups
When there are two IGMP routers on the same Ethernet segment (broadcast domain), the router with the highest IP address is the designated querier. In IGMPv3, reports are sent to 224.0.0.22 rather than 224.0.0.2. Use the show ip igmp interface command to determine which version of IGMP is currently active on an interface. The solution is to implement IGMP snooping on high-end switches with special application-specific integrated circuits (ASICs) that can perform the IGMP checks in hardware. CGMP is a better option for low-end switches without special hardware. There are basically two types of multicast routing protocols, dense mode and sparse mode:
• Dense mode protocols flood multicast traffic to all parts of the network and prune the flows where there are no receivers, using a periodic flood-and-prune mechanism.
• Sparse mode protocols use an explicit join mechanism where distribution trees are built on demand by explicit tree join messages sent by routers that have directly connected receivers.

• The global command ip multicast-routing enables support for IP multicast on a router.
• The interface command ip pim sparse-mode enables PIM-SM operation on the selected interface. The ip pim sparse-dense-mode command enables the interface on the router to operate in PIM-SM for sparse-mode groups (those with known RPs) and in dense mode for other groups.
• The global command ip pim send-rp-announce {interface type} scope {ttl} group-list {acl} is issued on the router that you want to be an RP. This router sends an auto-RP message to 224.0.1.39, announcing the router as a candidate RP for the groups in the range described by the access list.
• The global command ip pim send-rp-discovery {interface type} scope {ttl} configures the router as an RP mapping agent. It listens to the 224.0.1.39 address and sends an RP-to-group mapping message to 224.0.1.40. Other PIM routers listen to 224.0.1.40 to automatically discover the RP.
• The ip pim spt-threshold {rate | infinity} command controls the switchover from the shared distribution tree to the SPT in sparse mode. The keyword infinity means the switchover will never occur.

Note: The recommended method for configuring an interface for PIM-SM operation is to use the ip pim sparse-dense-mode interface command. This method permits auto-RP, bootstrap router (BSR), or statically defined RPs to be used with the least configuration effort. The show ip mroute command is the most useful command for determining the state of multicast sources and groups from the perspective of the selected router. When PIM-SM is configured, the first step in verifying proper operation is to check PIM-enabled interfaces and to determine whether the PIM neighbors are correct. You can use the following commands to accomplish this:
• show ip pim interface: Displays the information about interfaces configured for PIM.
• show ip pim neighbor: Displays the discovered PIM neighbors.
• mrinfo: Displays information on multicast routers that are peering with the local router (no address) or with the addressed router.

The RP for a certain multicast group operating in PIM-SM has to be reachable and known to the router. In addition to using a unicast ping, you can use the following commands when troubleshooting RP reachability:
• show ip pim rp: Displays, without arguments, RP information on active groups. If the group address or name is provided, only the RP information for the selected group is shown (assuming that it is an active group).
• show ip pim rp mapping: Displays the contents of the important group-to-RP mapping cache that contains the information about which RP is active for which group range. This cache is populated by the auto-RP or BSR mechanisms and by static RP assignments. It is very important to check this information to verify that the router possesses the RP mapping information consistent with proper network operation.
• show ip rpf: Displays RPF information for the RP or for the source.

The show ip pim rp command just lists all active groups and their associated RPs. This form of the command is becoming obsolete, because it offers limited information. In most cases, you should use show ip pim rp mapping instead, because it provides details on the actual contents of the group-to-RP mapping cache. The show ip rpf command displays RPF information associated with the specified source address.



• ip igmp join-group: The router accepts the multicast packets in addition to forwarding them. Accepting the multicast packets prevents the router from fast switching.
• ip igmp static-group: The router does not accept the packets but forwards them. Hence, this method allows fast switching. The outgoing interface appears in the IGMP cache, but the router itself is not a member, as evidenced by the lack of an L (local) flag in the multicast route entry.

Use the show ip igmp snooping command to display the snooping configuration information for all VLANs on the switch or for a specified VLAN. Use the show mac-address-table multicast command to display the entries in the MAC address table for a VLAN that has IGMP snooping enabled.
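The PIM sparse-dense and auto-RP commands listed above assembled into one IOS router configuration, followed by the verification commands in the order the text recommends; this is an added example, not from the page, and the addresses, interface names and the 239.0.0.0/8 group range are constructed.

```text
! IOS router acting as both auto-RP candidate RP and mapping agent
! (constructed example)
ip multicast-routing
!
! Every interface that carries multicast runs PIM. sparse-dense mode uses
! sparse mode for groups with a known RP and dense mode for the rest, which
! is what lets the auto-RP groups 224.0.1.39 and 224.0.1.40 be flooded before
! any RP is known.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
 ip pim sparse-dense-mode
interface FastEthernet0/0
 ip address 10.4.4.1 255.255.255.0
 ip pim sparse-dense-mode
!
! Candidate RP: announce Loopback0 to 224.0.1.39 as RP for 239.0.0.0/8 only,
! with a TTL scope of 16 hops. The group-list keeps the announcement from
! claiming every group.
access-list 10 permit 239.0.0.0 0.255.255.255
ip pim send-rp-announce Loopback0 scope 16 group-list 10
!
! Mapping agent: listen on 224.0.1.39, choose the RP per group range and
! distribute the result to 224.0.1.40 for the other PIM routers.
ip pim send-rp-discovery Loopback0 scope 16
!
! Never switch from the shared tree to the shortest-path tree.
ip pim spt-threshold infinity
!
! Verification, in the order used in the text:
!   show ip pim interface       - PIM mode and neighbor count per interface
!   show ip pim neighbor        - adjacent PIM routers
!   show ip pim rp mapping      - group range -> RP, learned via auto-RP here
!   show ip mroute              - (*,G) and (S,G) entries, flags, outgoing list
!   show ip rpf 10.4.4.50       - RPF interface and neighbor toward a source
!
! On a Catalyst switch in the receiver VLAN:
!   show ip igmp snooping vlan 10
!   show mac-address-table multicast vlan 10
```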

7.2 Configuring 802.1x Port-Based Authentication
7.2.2 Enabling 802.1x authentication

To enable 802.1x port-based authentication, AAA must be enabled and an authentication method list must be specified. A method list describes the sequence and authentication methods to be queried to authenticate a user. The software uses the first method listed to authenticate users. If that method fails to respond, the software selects the next authentication method in the list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other authentication methods are attempted. Beginning in privileged EXEC mode, the following steps are used to configure 802.1x port-based authentication. The associated commands are shown in the figure.
Step 1 Enter global configuration mode.
Step 2 Enable AAA.
Step 3 Create an authentication method list with the aaa authentication dot1x {default} method1 [method2...] command. To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces. At least one of the following keywords must be entered:
• group radius – Use the list of all RADIUS servers for authentication.
• none – Use no authentication. The client is automatically authenticated by the switch without using the information supplied by the client.

Step 4 Enter interface configuration mode, and specify the interface connected to the client that is to be enabled for 802.1x authentication.
Step 5 Enable 802.1x authentication on the interface. The port authorization state is controlled by using the dot1x port-control interface configuration command and the following keywords:
• force-authorized – disables 802.1x and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1x-based authentication of the client. This is the default setting.
• force-unauthorized – causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.
• auto – enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up, or when an EAPOL-start frame is received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by using the client's MAC address.

Step 6 Return to privileged EXEC mode.
Step 7 Verify the configuration.
To disable 802.1x AAA authentication, use the no aaa authentication dot1x {default | list-name} method1 [method2...] global configuration command. To disable 802.1x authentication, use the dot1x port-control force-authorized or the no dot1x port-control interface configuration command. The example in the figure shows how to enable AAA and 802.1x on Fast Ethernet port 0/12.

7.2.3 Configuring the switch-to-RADIUS-server communication

RADIUS security servers are identified by host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service, such as authentication, the second host entry configured acts as the fail-over backup to the first one. The RADIUS host entries are tried in the order that they are configured. Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch.
Step 1 Enter global configuration mode.
Step 2 Configure the RADIUS server parameters on the switch with the radius-server host {hostname | ip-address} auth-port port-number key string command. For hostname | ip-address, specify the host name or IP address of the remote RADIUS server. For auth-port port-number, specify the UDP destination port for authentication requests. The default is 1812. For key string, specify the authentication and encryption key used between the switch and the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server. NOTE: Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If spaces are used in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. If multiple RADIUS servers are to be used, re-enter this command.
Step 3 Return to privileged EXEC mode.
Step 4 Verify the configuration.
To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
The example in the figure shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the RADIUS server. The timeout, retransmission, and encryption key values for all RADIUS servers can be globally configured by using the radius-server host global configuration command. To configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands. Some settings on the RADIUS server need to be configured as well. These settings include the IP address of the switch and the key string to be shared by both the server and the switch.

Periodic 802.1x client re-authentication, as well as how often it occurs, can be configured. If a time period before enabling re-authentication is not specified, the number of seconds between re-authentication attempts is 3600. Automatic 802.1x client re-authentication is a global setting and cannot be set for clients connected to individual ports. Beginning in privileged EXEC mode, the following steps are used to enable periodic re-authentication of the client and to configure the number of seconds between re-authentication attempts:
Step 1 Enter global configuration mode.
Step 2 Enable periodic re-authentication of the client, which is disabled by default, with the dot1x re-authentication command.
Step 3 Set the number of seconds between re-authentication attempts with the dot1x timeout re-authperiod seconds command. The range is 1 to 4294967295 and the default is 3600 seconds. This command affects the behavior of the switch only if periodic re-authentication is enabled.
Step 4 Return to privileged EXEC mode.
Step 5 Verify the configuration.
To disable periodic re-authentication, use the no dot1x re-authentication global configuration command. To return to the default number of seconds between re-authentication attempts, use the no dot1x timeout re-authperiod global configuration command. The example in the figure shows how to enable periodic re-authentication and set the number of seconds between re-authentication attempts to 4000. The client connected to a specific port can be manually re-authenticated at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command.

7.2.6 Enabling multiple hosts

Multiple hosts can be attached to a single 802.1x-enabled port. In this mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized, such as in the case that re-authentication fails or an EAPOL-logoff message is received, all attached clients are denied access to the network.

Beginning in privileged EXEC mode, follow these steps to allow multiple hosts on an 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. The commands used in this process are shown in the figure.
Step 1 Enter global configuration mode.
Step 2 Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached.
Step 3 Allow multiple hosts on an 802.1x-authorized port with the dot1x multiple-hosts command. Make sure that the dot1x port-control interface configuration command is set to auto for the specified interface.
Step 4 Return to privileged EXEC mode.
Step 5 Verify the configuration with the show dot1x interface interface-id command.
To disable multiple hosts on the port, use the no dot1x multiple-hosts interface configuration command. The example in the figure shows how to enable 802.1x on FastEthernet interface 0/1 and to allow multiple hosts.

7.2.7 Resetting the 802.1x configuration to the default values

Beginning in privileged EXEC mode, follow these steps to reset the 802.1x configuration to the default values:
Step 1 Enter global configuration mode.
Step 2 Reset the configurable 802.1x parameters to the default values with the dot1x default command.
Step 3 Return to privileged EXEC mode.
Step 4 Verify the configuration with the show dot1x command.

To display 802.1x statistics for all interfaces, use the show dot1x statistics privileged EXEC command. To display 802.1x statistics for a specific interface, use the show dot1x statistics interface interface-id privileged EXEC command. To display the 802.1x administrative and operational status for the switch, use the show dot1x privileged EXEC command. To display the 802.1x administrative and operational status for a specific interface, use the show dot1x interface interface-id privileged EXEC command.
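The 802.1x procedures of 7.2.2 through 7.2.7 combined into one Catalyst switch configuration using the values quoted in this section (RADIUS server 172.20.39.46, port 1612, key rad123, 4000-second re-authentication, ports Fa0/12 and Fa0/1); this is an added example, not the course figure, and the dot1x system-auth-control and switchport mode access lines are assumptions about later IOS images that the text above does not mention.

```text
! Catalyst switch 802.1x port-based authentication (constructed example)
!
! 7.2.2 Steps 1-3: enable AAA and a default dot1x method list. With
! "group radius" and no fallback method, an unreachable RADIUS server means
! no port authorizes, which is the fail-closed behaviour you usually want.
aaa new-model
aaa authentication dot1x default group radius
! Assumption: required globally on 12.1(14)EA1 and later images
dot1x system-auth-control
!
! 7.2.3: RADIUS server, authentication on UDP 1612, shared key rad123.
! The key must be the last item on the line; trailing spaces become part of it.
radius-server host 172.20.39.46 auth-port 1612 key rad123
!
! 7.2.5: re-authenticate clients every 4000 seconds (default 3600, and off
! unless enabled). Global on the image this page describes; assumption:
! later images take both commands under the interface instead.
dot1x re-authentication
dot1x timeout re-authperiod 4000
!
! 7.2.2 Steps 4-5: one supplicant on Fa0/12. With "auto" the port starts
! unauthorized and passes only EAPOL until RADIUS accepts the client.
! Assumption: dot1x requires a static access port on later images.
interface FastEthernet0/12
 switchport mode access
 dot1x port-control auto
!
! 7.2.6: Fa0/1 has several hosts behind a hub. Once any one of them
! authenticates all are admitted, and all lose access on re-authentication
! failure or EAPOL-logoff, so use this only where that trade-off is accepted.
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x multiple-hosts
!
! Verify and operate (privileged EXEC):
!   show dot1x                                        - switch-wide status
!   show dot1x interface FastEthernet0/12             - per-port state
!   show dot1x statistics interface FastEthernet0/12  - EAPOL counters
!   dot1x re-authenticate interface FastEthernet0/12  - force a re-auth now
!   (global config) dot1x default                     - 7.2.7 reset to defaults
```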

QoS

VoIP 2.5.6

Cisco IOS Configurations for VoIP

Cisco IOS routers can be used as VoIP gateways. For a basic VoIP configuration, two gateways are needed. Both need a connection to a traditional telephony device, such as an analog telephone. The gateways themselves must have IP connectivity. In the figure, the first router has these configuration settings:
• Name: R1
• IP address: 10.1.1.1/24
• IP interface: FastEthernet 0/0
• Voice port: 1/0/0
• Extension of the telephone connected to the voice port: 1111

The second router is configured with similar settings:
• Name: R2
• IP address: 10.2.2.2/24
• IP interface: FastEthernet 0/0
• Voice port: 1/0/0
• Extension of the telephone connected to the voice port: 2222

Based on this information, this configuration is applied to the first router:
hostname R1
interface FastEthernet 0/0
 ip address 10.1.1.1 255.255.255.0
!
dial-peer voice 1 pots
 destination-pattern 1111
 port 1/0/0
!
dial-peer voice 2 voip
 destination-pattern 2222
 session target ipv4:10.2.2.2
!
The second router has these configuration commands:
hostname R2
interface FastEthernet 0/0
 ip address 10.2.2.2 255.255.255.0
!
dial-peer voice 1 pots
 destination-pattern 2222
 port 1/0/0
!
dial-peer voice 2 voip
 destination-pattern 1111
 session target ipv4:10.1.1.1
!
The voice-specific commands in the configurations are the two dial peers in each configuration. A dial peer describes where to find a telephone number, and the collection of all dial peers makes up the call routing table of a voice gateway. Two types of dial peers are shown in this example: POTS dial peers and VoIP dial peers. POTS dial peers indicate that the telephone number that is specified in the dial peer is found at a physical port. A VoIP dial peer refers to the IP address of a VoIP device. The figures list the commands used for dial peers. The Voice-Specific Commands table provides details.

Voice-Specific Commands (command, followed by its description):

dial-peer voice tag type

Use the dial-peer voice command to enter the dial peer subconfiguration mode. The tag value is a number that must be unique for all dial peers within the same gateway. The type value indicates the type of the dial peer (for example, POTS or VoIP).

destination-pattern telephone_number

The destination-pattern command, entered in dial peer subconfiguration mode, defines the telephone number that applies to the dial peer. A call that is placed to this number is routed according to the configuration type and port (in the case of a POTS type dial peer) or session target (in the case of a VoIP type dial peer) of the dial peer.

port port-number

The port command, entered in POTS dial peer subconfiguration mode, defines the port number that applies to the dial peer. Calls that are routed using this dial peer are sent to the specified port. The port command can be configured only on a POTS dial peer.

session target ipv4:ip-address

The session target command, entered in VoIP dial peer subconfiguration mode, defines the IP address of the target VoIP device that applies to the dial peer. Calls that are routed using this dial peer are sent to the specified IP address. The session target command can be configured only on a VoIP dial peer.

--more pictures and examples in the section--

=======================================
HSRP (Hot Standby Router Protocol), Cisco proprietary

Switch#show running-config
Building configuration...
Current configuration:
!
interface Vlan11
 ip address 172.16.11.113 255.255.255.0
 no ip redirects
 standby 11 ip 172.16.11.115

Another way to verify the HSRP configuration is with the show standby brief command, which displays abbreviated information about the current state of all HSRP operations on the device.

To set the priority value of a router (the default is 100), enter this command in interface configuration mode:

Switch(config-if)#standby group-number priority priority-value

The figure describes the variables for the standby command.

During the election process, the router with the highest priority in an HSRP group becomes the active router. In the case of a tie, the router with the highest configured IP address is chosen.

------A former active router can be configured to take the forwarding role back from a router with a lower priority by using the following command in interface configuration mode:

Switch(config-if)#standby [group-number] preempt [delay {minimum seconds | reload seconds | sync seconds}]

If the routers do not have preempt configured, a router that boots up significantly faster than the others in the standby group becomes the active router, regardless of the configured priority.

-----The default hello and hold times are 3 and 10 seconds, respectively, which means failover could take as long as 10 seconds before clients start communicating with the new default gateway. In some cases this interval is excessive for application support. You can change the timers to millisecond values to accommodate subsecond failover. Lowering the hello timer increases hello traffic and should be done cautiously. The hold time should be at least three times the hello time. To change the timers, enter this command in interface configuration mode:

Switch(config-if)#standby group-number timers [msec] hellotime [msec] holdtime

Note: Hello and hold timer intervals must be identical for all devices within an HSRP group.

------Interface tracking enables the priority of a standby group router to be automatically adjusted based on the availability of that router’s interfaces. When a tracked interface becomes unavailable, the HSRP priority of the router is decreased. When properly configured, the HSRP tracking feature ensures that a router with an unavailable key interface relinquishes the active router role.
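Added example, not from the original notes: the HSRP pieces above (priority, preempt, millisecond timers, interface tracking) combined into one two-switch configuration for VLAN 11. The second switch's address, the tracked uplink GigabitEthernet0/1 and the key string are assumed. MD5 authentication is not covered in the notes above; it is included because without it any host on the VLAN can join the group.

```cisco
! Added example, not from the original notes. DLS2's address, the tracked
! uplink Gi0/1 and the key string are assumed for illustration.
!
! object 1 goes down when the uplink's line protocol drops
track 1 interface GigabitEthernet0/1 line-protocol
!
! DLS1: intended active router for VLAN 11
interface Vlan11
 ip address 172.16.11.113 255.255.255.0
 no ip redirects
 standby version 2
 standby 11 ip 172.16.11.115
 standby 11 priority 110
 ! take the active role back after a reload instead of leaving the
 ! lower-priority router active; wait 60 s so routing has converged first
 standby 11 preempt delay minimum 60
 ! sub-second failover: 200 ms hello, 750 ms hold (hold >= 3 x hello)
 standby 11 timers msec 200 msec 750
 ! lose 20 priority (110 -> 90, below DLS2's 100) when the uplink is down,
 ! so DLS2 preempts and traffic follows the working uplink
 standby 11 track 1 decrement 20
 ! only routers holding the key can join the group
 standby 11 authentication md5 key-string H5rpS3cret
!
! DLS2: standby router; same group, virtual IP, timers and key
interface Vlan11
 ip address 172.16.11.114 255.255.255.0
 no ip redirects
 standby version 2
 standby 11 ip 172.16.11.115
 standby 11 priority 100
 standby 11 preempt
 standby 11 timers msec 200 msec 750
 standby 11 authentication md5 key-string H5rpS3cret
!
! verify: state, priority, the P (preempt) flag and the virtual IP per group
DLS1#show standby brief
DLS1#show standby vlan 11
```

With the uplink up, DLS1 (110) is active; when track object 1 fails, DLS1 drops to 90 and DLS2 (100, preempt enabled) takes over within one hold time. Timers and the authentication string must match on every member, or the routers form separate groups and both claim the virtual IP.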

VRRP (Virtual Router Redundancy Protocol) is an open IETF standard (RFC 3768), not Cisco proprietary. A VRRP group has one master router and one or more backup routers. The LAN workstations are configured with the address of the virtual router as their default gateway. VRRP is supported on Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces, and with Multiprotocol Label Switching (MPLS), virtual private networks (VPNs), and VLANs. **The master virtual router may have the same IP address as the virtual router group (the virtual IP can be the master's own interface address). With VRRP, only the master sends advertisements (the equivalent of HSRP hellos). Advertisements are sent to multicast 224.0.0.18 using IP protocol number 112 at a default interval of 1 second.

GLBP (Gateway Load Balancing Protocol, also Cisco proprietary) lets resources be fully utilized without the administrative burden of configuring multiple groups and managing multiple default gateway configurations, as is required with HSRP and VRRP. GLBP is supported on select Cisco Catalyst platforms. The following example configures GLBP on two multilayer switches:

SwitchA(config)#interface vlan7
SwitchA(config-if)#ip address 10.1.7.5 255.255.255.0
SwitchA(config-if)#glbp 7 ip 10.1.7.1
SwitchA(config-if)#glbp 7 priority 150
SwitchA(config-if)#glbp 7 timers msec 250 msec 750

SwitchB(config)#interface vlan7
SwitchB(config-if)#ip address 10.1.7.6 255.255.255.0
SwitchB(config-if)#glbp 7 ip 10.1.7.1
SwitchB(config-if)#glbp 7 priority 100
SwitchB(config-if)#glbp 7 timers msec 250 msec 750

SwitchA#show glbp 7

++++++++++++++++++++++++++++++++++++++++
PoE (Power over Ethernet)

Switch port configuration for PoE enables and disables PoE on the port:
  • Auto (default): power detection enabled; power is supplied if required by the device
  • Never: power disabled
  • A port shutdown turns power off

The show power inline command displays the configuration and statistics about the power drawn by connected powered devices (PDs) and the capacity of the power supply.

Wiring options for delivering power:
  • Over the data pairs, Ethernet pairs 1,2 and 3,6
  • Over the spare pairs, Ethernet pairs 4,5 and 7,8

Using the spare pairs 4,5 and 7,8 requires 8-wire cabling. This technique does not extend the 100-meter Fast Ethernet cable limit. You cannot use this approach for 1000BASE-T Gigabit Ethernet, which uses all eight wires, so no spare wires are available.

Changing the IOS on a lightweight AP / WLAN controller

Need to use the controller to upload the IOS images.
- Go through the GUI prompt to download and upload the IOS images and the logs under the Management tab.
- Must go into ROMMON and upgrade the IOS for the lightweights (Ctrl+R during reload).
- The controller pushes the IOS images to the lightweights.
- In ROMMON: set IP address
- set server IP address
- IMAGE="image name from tftp"
- Then do a tftp download (or transfer command).
- Type set to see what needs to be configured.
- Set the gateway to the server address.
- That didn't work for us, so we are using the GUI under Commands > Download File to Controller:
  - file type is code
  - file path is ./ (root of the tftp server share)
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn4119124M.html#wp1086312

Converting Indoor Access Points to Mesh Access Points (1130AG, 1240AG)

Before you can install a 1130AG or 1240AG indoor access point into an indoor mesh deployment you must do the following.

1. Convert the autonomous access point (k9w7 image) to a lightweight access point. A detailed explanation of this process is located at: http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html

2. Convert the lightweight access point to either a mesh access point (MAP) or root access point (RAP). Indoor mesh access points (1130 and 1240) can function as either a root access point (RAP) or a mesh access point (MAP). By default, all are configured as MAPs. At least one access point within a mesh network must be configured to function as a RAP.

Note The access point reboots after entry of the conversion commands (CLI, GUI, and WCS noted below), and initially reloads its existing non-mesh image (k9w8) and then rejoins the controller. After successfully rejoining, the access point receives a download of the mesh image (k9w9) from the controller. The mesh image then reloads and replaces the non-mesh image on the access point. Afterwards, the access point rejoins the controller as a mesh access point operating in the bridging mode as either a MAP or RAP as configured.

Note The indoor mesh access point image (k9w9) is a different image than the autonomous (k9w7) and lightweight access point images (k9w8).

• To convert the access point to a mesh access point using the CLI, enter the commands noted in either Step a or b below.

  a. To convert from a lightweight access point to a MAP, enter the following CLI command:

     config ap mode bridge AP_name

     The mesh access point image (k9w9) is downloaded.

  b. To convert from a lightweight access point to a RAP, enter the following CLI commands:

     config ap mode bridge AP_name
     config ap role rootAP AP_name

     The mesh access point image (k9w9) is downloaded and the mesh access point is configured to operate as a RAP.

• To convert the access point to a mesh access point using the GUI, do the following.

  a. Choose Wireless and click on the AP Name link for the 1130 or 1240 indoor access point you want to convert.
  b. At the General Properties panel, select Bridge from the AP Mode drop-down menu. The access point loads the new image (k9w9) and reboots.
  c. At the Mesh panel, select either RootAP or MeshAP from the AP Role drop-down menu.
  d. Click Apply and Save Configuration.

• To convert the access point to a mesh access point using Cisco WCS, do the following.

  a. Choose Configure > Access Points and click on the AP Name link for the 1130 or 1240 indoor access point you want to convert.
  b. At the General Properties panel, select Bridge as the AP Mode (left-side) and either RAP or MAP as the AP Role (right-side).
  c. Click Save.

Changing MAP and RAP Roles for Indoor Mesh Access Points (1130AG, 1240AG)

Indoor mesh access points can function as either root access points (RAPs) or mesh access points (MAPs). To change from one role to another, follow the appropriate step below.

1. To change the role of an indoor access point from MAP to RAP or RAP to MAP using the CLI, enter the following command, choosing the appropriate option:

   config ap role {rootAP | meshAP} AP_name

2. To change the role of an indoor access point using the GUI, do the following.
   a. Choose Wireless and click on the AP Name link for the 1130 or 1240 indoor access point you want to change.
   b. At the Mesh panel, select MeshAP or RootAP from the AP Role drop-down menu.
   c. Click Apply and Save Configuration.

3. To change the role of an indoor access point using Cisco WCS, do the following.
   a. Choose Configure > Access Points and click on the AP Name link for the 1130 or 1240 indoor access point you want to change.
   b. At the General Properties panel, select either RAP or MAP as the AP Role (right-side).
   c. Click Save.

Note The access point reboots after the role is changed.

Note When changing from a MAP to RAP, a Fast Ethernet connection between the MAP and controller is recommended.

Note After a RAP to MAP conversion, the MAP's connection to the controller is a wireless backhaul rather than a Fast Ethernet connection. It is the responsibility of the user to ensure that the Fast Ethernet connection of the RAP being converted is disconnected before the MAP comes up so that the MAP can join over air.

Note The recommended power source for MAPs is either a power supply or power injector. PoE is not a recommended power source for MAPs.

Converting Indoor Mesh Access Points to Non-Mesh Lightweight Access Points (1130AG, 1240AG) The access point reboots after entry of the conversion commands (noted below), and initially reloads its existing mesh image (k9w9) and then rejoins the controller. After successfully rejoining, the access point receives a download of the non-mesh image (k9w8) from the controller. The non-mesh image reloads and replaces the mesh image on the access point. Afterwards, the access point rejoins the controller as a non-mesh lightweight access point operating in the local mode.

Note A Fast Ethernet connection to the controller for the conversion from a mesh (bridge) to non-mesh (local) access point is recommended. If the backhaul is a radio, after the conversion you must enable Ethernet and then reload the access image. After the reload and reboot the backhaul is Fast Ethernet.

Note When a root access point is converted back to a lightweight access point, all of its subordinate mesh access points lose connectivity to the controller. Consequently, a mesh access point is unable to service its clients until the mesh access point is able to establish connectivity to a different root access point in the vicinity. Likewise, clients might connect to a different mesh access point in the vicinity to maintain connectivity to the network.

1. To convert an indoor mesh access point (MAP or RAP) to a non-mesh lightweight access point using the CLI, enter the following command. The access point loads the non-mesh image (k9w8).

   config ap mode local AP_name

2. To convert an indoor mesh access point (MAP or RAP) to a non-mesh lightweight access point using the GUI, do the following.
   a. Choose Wireless and click on the AP Name link for the 1130 or 1240 indoor access point you want to convert.
   b. At the General Properties panel, select Local from the AP Mode drop-down menu.
   c. Click Apply and Save Configuration.

3. To convert an indoor mesh access point (MAP or RAP) to a non-mesh lightweight access point using Cisco WCS, do the following.
   a. Choose Configure > Access Points and click on the AP Name link for the 1130 or 1240 indoor access point you want to convert.
   b. At the General Properties panel, select Local as the AP Mode (left-side).
   c. Click Save.

Configuring QoS for an IP phone connected to a switch, with the PC connected to the phone

Switch port security (Module 8, Cisco 176)

MAC address flooding fills the switch's CAM table so that the switch floods traffic out all of its ports (a DoS attack, or information gathering by sniffing the flooded frames). This can be stopped by configuring port security (secure MAC addresses) on the switch to restrict which hosts can use a port. An AAA method such as 802.1x can also be used (like crown and firewall user permissions).




Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.

You control the port authorization state by using the dot1x port-control interface configuration command and these keywords:

• force-authorized: Disables 802.1x port-based authentication and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1x-based authentication of the client. This is the default setting.

• force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.

• auto: Enables 802.1x port-based authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up (authenticator initiation) or when an EAPOL-start frame is received (supplicant initiation). The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. The switch uniquely identifies each client attempting to access the network by the client MAC address.
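Added example, not from the original notes: the switch-side configuration that makes dot1x port-control auto actually enforce 802.1x, together with the show dot1x verification commands from earlier in these notes. The RADIUS server address, shared secret, VLAN and interface are assumed.

```cisco
! Added example, not from the original notes. The RADIUS server address,
! shared secret, VLAN and interface numbers are assumed for illustration.
aaa new-model
! 802.1X decisions come from RADIUS; console/vty login methods are left
! alone here so a dead RADIUS server cannot lock out local access
aaa authentication dot1x default group radius
radius-server host 10.1.1.50 auth-port 1812 acct-port 1813 key Rad1usS3cret
! turn on the 802.1X authenticator globally; without this the per-port
! port-control setting is accepted but has no effect
dot1x system-auth-control
!
interface FastEthernet0/1
 description user access port
 switchport mode access
 switchport access vlan 10
 ! port starts UNAUTHORIZED and passes only EAPOL until the supplicant
 ! authenticates; this is the keyword that enforces 802.1X
 dot1x port-control auto
 dot1x pae authenticator
!
! verify: Port Status shows AUTHORIZED / UNAUTHORIZED and the client MAC
Switch#show dot1x
Switch#show dot1x interface FastEthernet0/1
Switch#show dot1x statistics interface FastEthernet0/1
```

Ports left at the default force-authorized (uplinks, trunks) are not listed above; IOS rejects dot1x port-control on trunk ports, so 802.1x is an access-port control only.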


"Sticky learning," which is available on some switch platforms, combines the features of dynamically learned and statically configured addresses. When this feature is configured on an interface, the interface converts dynamically learned addresses to "sticky secure" addresses. The addresses are added to the running configuration as if they were configured using the switchport port-security mac-address command. The following command converts all dynamic port security-learned MAC addresses to sticky secure MAC addresses:

switchport port-security mac-address sticky

This command cannot be used on ports where voice VLANs are configured.

Step 1 Port security is enabled on a port-by-port basis.

Step 2 By default, only one MAC address is allowed access through a given switch port when port security is enabled. The maximum parameter increases that number. It places no restriction on specific MAC addresses, just on the total number of addresses that can be learned by the port. Learned addresses are not aged out by default, but can be configured to age after a specified time using the switchport port-security aging command. The value parameter can be any number from 1 to 1024, with some restrictions regarding the number of ports on a given switch with port security enabled. Note: Be sure to set the value parameter to 2 when you are configuring a port to support VoIP, where both a phone and a computer must be reachable on the port. If the default value is used, a port security violation occurs.

Step 3 Access to the switch port can be restricted to one or more specific MAC addresses. If the number of MAC addresses assigned is lower than the value parameter set in Step 2, the remaining allowed addresses can be learned dynamically. If you specify a set of MAC addresses equal to the maximum number allowed, access is limited to that set of MAC addresses.

Step 4 By default, if the maximum number of addresses has been reached and a new MAC address attempts to access the port, the switch takes one of the following actions:

• Protect: Frames from the non-allowed address are dropped, but there is no log of the violation. Note: The protect argument is platform or version dependent.

• Restrict: Frames from the non-allowed address are dropped, a log message is created, and a Simple Network Management Protocol (SNMP) trap is sent.

• Shut down: If any frames are seen from a non-allowed address, the interface is err-disabled, a log entry is made, an SNMP trap is sent, and manual intervention or errdisable recovery must be used to make the interface usable again.

Use show commands to verify the port security configuration. The show port-security command lists the ports on which port security has been enabled, along with the address counts and the security action to be taken per interface. The full command syntax is:

Switch#show port-security [interface interface_id] [address]

You can view port security status by interface, or the addresses associated with port security on all interfaces. The first figure shows output from show port-security when you do not enter an interface; use the interface keyword to get output for a specific interface, as in the second figure.

Use the address keyword to display MAC address table security information. The figure shows output from the show port-security address privileged EXEC command. The Remaining Age column is populated only if aging is specifically configured for a given interface.
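Added example, not from the original notes: Steps 1 through 4 above applied to three kinds of access port (data-only with sticky learning, phone plus PC, and a printer pinned to one address), with errdisable recovery and the show port-security checks. Interface numbers, VLANs and the sample MAC address are assumed.

```cisco
! Added example, not from the original notes. Interface numbers, VLANs and
! the printer MAC address are assumed for illustration.
!
! Data-only port: one host, learned once and written to the running
! config as a sticky secure address so it survives a reload
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! restrict: drop offending frames, log and send a trap, but keep the port
 ! up; shutdown (the default) would err-disable it instead
 switchport port-security violation restrict
!
! Phone + PC port: two addresses, so maximum must be 2. No sticky here,
! since the notes above say sticky is not allowed with a voice VLAN
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
 ! age learned entries after 10 min of silence so a moved desk does not
 ! leave a stale address holding one of the two slots
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 switchport port-security violation shutdown
!
! Printer port: one static address, maximum left at the default of 1, so
! nothing else can ever be learned on it
interface FastEthernet0/7
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
!
! bring shutdown-violation ports back after 5 min instead of requiring a
! manual shut / no shut
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! verify: per-port max/current count, violation mode, last offending MAC
Switch#show port-security
Switch#show port-security interface FastEthernet0/6
Switch#show port-security address
```

After a sticky address is learned on Fa0/5, show running-config interface FastEthernet0/5 shows it as a switchport port-security mac-address sticky line; save the configuration or the binding is lost at the next reload.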

VLAN hopping

One method of VLAN hopping is switch spoofing: the attacker's port negotiates a trunk (DTP) and then carries every VLAN. Another method is double tagging: a workstation generates frames with two 802.1Q headers to get the switch to forward the frames onto a VLAN that would be inaccessible to the attacker through legitimate means. To stop this:

• Configure all unused ports as access ports so that trunking cannot be negotiated across those links.

• Place all unused ports in the shutdown state and associate them with a VLAN designated only for unused ports, carrying no user data traffic.

• When establishing a trunk link, configure the following:
  ○ Make the native VLAN different from any data VLANs
  ○ Set trunking as "on," rather than negotiated
  ○ Specify the VLAN range to be carried on the trunk
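Added example, not from the original notes: the three mitigations above as access-switch configuration, with an unused "parking" VLAN and a hardened trunk. VLAN numbers, interface ranges and the uplink are assumed.

```cisco
! Added example, not from the original notes. VLAN numbers and interface
! ranges are assumed; VLAN 999 is a parking VLAN with no SVI and no hosts.
!
vlan 999
 name UNUSED-PARKING
!
! Unused ports: access mode with DTP off (so no trunk can be negotiated),
! parked in a dead VLAN and shut down
interface range FastEthernet0/10 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! Uplink trunk: trunking forced on, DTP suppressed, native VLAN moved off
! VLAN 1 to a VLAN that carries no user data, and only the needed data
! VLANs allowed. The native VLAN must not be one of the allowed data VLANs,
! otherwise a double-tagged frame's outer tag is stripped on the way out.
interface GigabitEthernet0/1
 description trunk to DLS1
 ! needed on platforms that also support ISL (e.g. 3560); a 2960 is
 ! dot1q-only and rejects this line
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Optional, platform dependent (3560/3750/4500/6500): tag native-VLAN
! frames too, so there is no untagged path for a double-tagged frame
vlan dot1q tag native
!
! verify: Administrative Mode: trunk, Negotiation of Trunking: Off,
! Trunking Native Mode VLAN: 999, and the allowed list
Switch#show interfaces GigabitEthernet0/1 switchport
Switch#show interfaces trunk
Switch#show dtp interface GigabitEthernet0/1
```

Note that the native VLAN 999 is deliberately left out of the allowed list; that is what keeps a frame whose outer tag is 999 from ever being carried untagged across this trunk.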

If you apply a policy on the vty lines, then you won't be able to port scan or see the Telnet option as available. Other ACL types available on a switch:

• Router access control list (RACL): Applied to Layer 3 interfaces such as SVIs or L3 routed ports. It controls the access of routed traffic between VLANs. RACLs are applied on interfaces for specific directions (inbound or outbound). You can apply one access list in each direction. To improve performance in Cisco Catalyst multilayer switches, RACLs are supported in ternary content addressable memory (TCAM).

• Port access control list (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel port. PACLs perform access control on traffic entering a Layer 2 interface. With PACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. When you apply a PACL to a trunk port, it filters traffic on all VLANs present on the trunk port.

• VLAN access control list (VACL): Supported in software on Cisco multilayer switches. Filtering is based on Layer 2 or Layer 3 parameters within a VLAN. Unlike RACLs, VACLs are not defined by direction (input or output).

VACLs are only supported on certain equipment (8.2.4 has examples). Private VLANs are another option.

8.2.6 Configuring PVLANs

To configure a PVLAN on an IOS-based Catalyst 3560, 3750, 4500, or 6500, follow these steps:

Step 1 Set VTP mode to transparent.
Step 2 Create the secondary VLANs. Note: Isolated and community VLANs are secondary VLANs.
Step 3 Create the primary VLAN.
Step 4 Associate the secondary VLAN with the primary VLAN. Only one isolated VLAN can be mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary VLAN.
Step 5 Configure an interface as an isolated or community port.
Step 6 Associate the isolated port or community port with the primary-secondary VLAN pair.
Step 7 Configure an interface as a promiscuous port.
Step 8 Map the promiscuous port to the primary-secondary VLAN pair.

Use these commands to configure a VLAN as a PVLAN:

Switch(config)#vlan vlan_ID

Switch(config-vlan)#[no] private-vlan {community | isolated | primary}

The following example shows how to configure VLAN 202 as a primary VLAN and verify the configuration:

Switch#configure terminal
Switch(config)#vlan 202
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#end
Switch#show vlan private-vlan type
Primary Secondary Type              Interfaces
------- --------- ----------------- -----------
202               primary

This example shows how to configure VLAN 200 as an isolated VLAN and verify the configuration:

Switch#configure terminal
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#end
Switch#show vlan private-vlan type
Primary Secondary Type              Interfaces
------- --------- ----------------- -----------
202               primary
        200       isolated

To associate secondary VLANs with a primary VLAN, perform this procedure:

Switch(config)#vlan primary_vlan_ID
Switch(config-vlan)#[no] private-vlan association {secondary_vlan_list | add secondary_vlan_list | remove secondary_vlan_list}

When you associate secondary VLANs with a primary VLAN, note the following:

• The secondary_vlan_list parameter contains only one isolated VLAN ID.

• Use the remove keyword with the secondary_vlan_list parameter to clear the association between the secondary and primary VLANs. The list can contain only one VLAN.

• Use the no keyword to clear all associations with the primary VLAN.

• The command does not take effect until you exit VLAN configuration mode.

To configure a Layer 2 interface as a PVLAN promiscuous port, perform this procedure:

Switch(config)#interface {fastethernet | gigabitethernet} slot/port
Switch(config-if)#switchport mode private-vlan {host | promiscuous}
Switch(config-if)#[no] switchport private-vlan mapping primary_vlan_ID {secondary_vlan_list | add secondary_vlan_list | remove secondary_vlan_list}

When you configure a Layer 2 interface as a PVLAN promiscuous port, note the following:

• The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single PVLAN ID or a hyphenated range of PVLAN IDs.

• Enter a secondary_vlan_list or use the add keyword with a secondary_vlan_list to map the secondary VLANs to the PVLAN promiscuous port.

• Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the PVLAN promiscuous port.

• Use the no keyword to clear all mappings with the PVLAN promiscuous port.

This example shows how to configure interface FastEthernet 5/2 as a PVLAN promiscuous port, map it to a PVLAN, and verify the configuration:

Switch#configure terminal
Switch(config)#interface fastethernet 5/2
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 202 440
Switch(config-if)#end
Switch#show interfaces fastethernet 5/2 switchport
Name: Fa5/2
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host-association: none ((Inactive))
Administrative private-vlan mapping: 202 (VLAN0202) 440 (VLAN0440)
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled

To configure a Layer 2 interface as a PVLAN host port, perform this procedure:

Switch(config)#interface {fastethernet | gigabitethernet} slot/port
Switch(config-if)#switchport mode private-vlan {host | promiscuous}
Switch(config-if)#[no] switchport private-vlan host-association primary_vlan_ID secondary_vlan_ID

This example shows how to configure interface FastEthernet 5/1 as a PVLAN host port and verify the configuration:

Switch#configure terminal
Switch(config)#interface fastethernet 5/1
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 202 440
Switch(config-if)#end
Switch#show interfaces fastethernet 5/1 switchport
Name: Fa5/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host-association: 202 (VLAN0202) 440 (VLAN0440)
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled

To permit routing of secondary VLAN ingress traffic, perform this procedure on the primary VLAN's SVI:

Switch(config)#interface vlan primary_vlan_ID
Switch(config-if)#[no] private-vlan mapping {secondary_vlan_list | add secondary_vlan_list | remove secondary_vlan_list}

When you permit routing of secondary VLAN ingress traffic, note the following:

• Enter a value for the secondary_vlan_list parameter or use the add keyword with the secondary_vlan_list parameter to map the secondary VLANs to the primary VLAN.

• Use the remove keyword with the secondary_vlan_list parameter to clear the mapping between secondary VLANs and the primary VLAN.

• Use the no keyword to clear all mappings from the primary VLAN SVI.

This example shows how to permit routing of secondary VLAN ingress traffic from PVLAN 440 and verify the configuration:

Switch#configure terminal
Switch(config)#interface vlan 202
Switch(config-if)#private-vlan mapping add 440
Switch(config-if)#end
Switch#show interfaces private-vlan mapping
Interface Secondary VLAN Type
--------- -------------- -----------------
vlan202   440            isolated
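Added example, not from the original notes: Steps 1 through 8 above as one end-to-end PVLAN configuration, with both an isolated and a community secondary VLAN so the difference in reachability is visible, plus the SVI mapping for routing. VLAN and interface numbers and the gateway address are assumed.

```cisco
! Added example, not from the original notes. VLAN and interface numbers and
! the SVI address are assumed; 3560/3750/4500/6500-style syntax as above.
!
! Step 1: PVLANs require VTP transparent mode
vtp mode transparent
!
! Step 2: secondary VLANs, one isolated and one community
vlan 200
 private-vlan isolated
vlan 201
 private-vlan community
!
! Steps 3 and 4: primary VLAN and its association to both secondaries
! (only one isolated VLAN per primary; community VLANs may be several)
vlan 202
 private-vlan primary
 private-vlan association 200,201
!
! Steps 5 and 6: host ports. Isolated hosts (Fa0/1-2) can talk only to the
! promiscuous port; community hosts (Fa0/3-4) can also talk to each other,
! but neither group can reach the other
interface range FastEthernet0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 202 200
interface range FastEthernet0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 202 201
!
! Steps 7 and 8: promiscuous port toward the gateway / firewall, mapped to
! every secondary VLAN it must serve
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 202 200,201
!
! Only when this switch routes for the primary VLAN: let the SVI answer
! for hosts in both secondaries (they use 202's address as their gateway)
interface Vlan202
 ip address 10.2.2.1 255.255.255.0
 private-vlan mapping 200,201
!
! verify: each primary/secondary pair, its type, and the ports bound to it
Switch#show vlan private-vlan
Switch#show interfaces private-vlan mapping
Switch#show interfaces FastEthernet0/1 switchport
```

The isolation is Layer 2 only: two isolated hosts can still reach each other through the gateway on Gi0/1 if it routes between them, so the promiscuous device still needs its own ACL or firewall policy.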

DHCP snooping stops rogue DHCP server messages from being injected into the network from untrusted ports and builds a binding table of the IP-to-MAC addresses assigned through legitimate DHCP (8.3.3 has configs and examples).

ARP poisoning and redirection: Dynamic ARP Inspection (DAI) determines the validity of an ARP packet based on the MAC address-to-IP address bindings stored in the DHCP snooping database. Additionally, DAI can validate ARP packets based on user-configurable ACLs for hosts that use statically configured IP addresses. To prevent ARP spoofing or "poisoning," a switch must ensure that only valid ARP requests and responses are relayed. To do so, DAI takes the following actions:

• Forwards ARP packets received on a trusted interface without any checks

• Intercepts all ARP packets on untrusted ports

• Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache

• Drops, logs, or drops and logs ARP packets with invalid IP-to-MAC address bindings

Generally, all access switch ports should be configured as untrusted and all switch ports connected to other switches as trusted. All ARP packets traversing the network from an upstream distribution or core switch

The following example shows how to configure DAI for hosts on VLAN 1, where the client devices are located, on switch S2. All client ports are untrusted by default. Only port 3/3 is trusted, because this is the only port where DHCP replies would be expected.

S2(config)#ip arp inspection vlan 1
S2(config)#interface fastethernet 3/3
S2(config-if)#ip arp inspection trust
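Added example, not from the original notes: the S2 example above completed with the DHCP snooping that DAI depends on, an ARP ACL for a statically addressed host, rate limiting on the untrusted ports, and the show commands to check the result. VLAN 1 and the trusted uplink 3/3 are taken from the example above; the client port range, addresses, MAC and rate limits are assumed.

```cisco
! Added example, not from the original notes. The client port range,
! addresses, the static host's MAC and the rate limits are assumed.
!
! DHCP snooping builds the IP-to-MAC binding table that DAI checks against.
! Server messages (OFFER/ACK/NAK) arriving on any untrusted port are dropped.
ip dhcp snooping
ip dhcp snooping vlan 1
! do not insert option 82 unless the relay/server is expecting it
no ip dhcp snooping information option
!
! DAI on the same VLAN; additionally check that the ARP body's sender MAC
! matches the Ethernet source, that the target MAC matches the Ethernet
! destination in replies, and that the IPs are not bogus (0.0.0.0, multicast)
ip arp inspection vlan 1
ip arp inspection validate src-mac dst-mac ip
!
! A host with a static address is never in the snooping table, so allow it
! explicitly; ARP from VLAN 1 matching neither this list nor a binding is
! dropped and logged
arp access-list STATIC-HOSTS
 permit ip host 10.1.1.20 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 1
!
interface FastEthernet3/3
 description uplink toward the DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet3/1 - 2
 description client access ports, untrusted by default
 switchport mode access
 switchport access vlan 1
 ! cap DHCP and ARP packet rates so a flood err-disables the port rather
 ! than saturating the CPU doing inspection
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! recover err-disabled ports automatically once the flood stops
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
!
! verify: trusted ports and rate limits, learned bindings, drop counters
Switch#show ip dhcp snooping
Switch#show ip dhcp snooping binding
Switch#show ip arp inspection vlan 1
Switch#show ip arp inspection interfaces
Switch#show ip arp inspection statistics vlan 1
```

Enable DHCP snooping first and let the binding table fill (or leases renew) before turning on DAI; otherwise every host that obtained its lease earlier has no binding and its ARP traffic is dropped until it renews.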

***Ports default to untrusted; you must explicitly specify which ports are trusted to exempt them from inspection.

BPDU guard err-disables a PortFast (edge) port as soon as a BPDU is received on it, which keeps an unexpected switch on an access port from creating a loop; root guard (below) is what stops another switch from becoming the spanning-tree root. To enable BPDU guard globally on the switch, use this command:

Switch(config)#spanning-tree portfast bpduguard default

This enables BPDU guard by default on all PortFast ports. The no form of the command disables the feature on the switch. To enable PortFast BPDU guard on a specific switch port, use this command:

Switch(config-if)#spanning-tree bpduguard enable

Not quite sure what this does.

BPDU filtering suppresses BPDUs on PortFast ports. Applied globally, a PortFast port that does receive a BPDU loses its PortFast and filter status and behaves as a normal STP port. Applied per interface, the port neither sends nor receives BPDUs at all, so a switch plugged into it can form a loop that STP never sees; prefer BPDU guard on access ports. To enable PortFast BPDU filtering globally on the switch, use this command:

Switch(config)#spanning-tree portfast bpdufilter default

To enable PortFast BPDU filtering on a specific switch port, use this command:

Switch(config-if)#spanning-tree bpdufilter enable

Protecting the root bridge with STP security

To enable root guard on a Layer 2 access port (to force it to become a designated port), use the following command. To disable root guard, use the no form of the command.

Switch(config-if)#spanning-tree guard root

The figure demonstrates how to verify the root guard configuration. To display the interface configuration, use the following command:

Switch#show running-config interface fastethernet 5/8

To determine whether any ports are in a root-inconsistent state, use the following command:

Switch#show spanning-tree inconsistentports

More STP stuff: unidirectional links

The function of UDLD is to prevent one-way communication between adjacent devices. When UDLD detects a one-way conversation, it can do one of two things, depending on whether UDLD is configured in normal or aggressive mode. In normal mode, UDLD changes the UDLD-enabled port to an undetermined state when it stops receiving UDLD messages from its directly connected neighbor. Aggressive mode makes eight attempts to re-establish the UDLD neighbor relationship before error-disabling the port. Aggressive mode is the preferred method of configuring UDLD and is the only mode that can detect a UDLD condition on twisted-pair cable.

UDLD is used when a link should be shut down because of a hardware failure that is causing unidirectional communication. In an EtherChannel bundle, UDLD shuts down only the physical link that has failed. UDLD can be enabled globally for all fiber interfaces or on a per-interface basis.

To enable UDLD on an interface, use the following command:

Switch(config-if)#udld port

To enable UDLD globally on all fiber-optic interfaces, use the following command:

Switch(config)#udld enable

UDLD shuts down interfaces. To reset all interfaces that have been shut down, use the following command:

Switch#udld reset

To verify the UDLD configuration for an interface, use this command:

Switch#show udld interface

CDP is necessary for management applications and cannot be disabled without impairing some network-management applications. However, CDP can be selectively disabled on interfaces where management is not being performed. The interface command no cdp enable disables CDP on an individual interface.

Figure describes how CDP can be used maliciously.
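The UDLD and per-interface CDP commands above, as one worked configuration for an access switch. This is an added example, not from the original notes; the interface names, the message timer and the recovery interval are assumed.

```cisco
! Added example (not from the original notes); interface names assumed.
!
! Global: UDLD aggressive mode on every fiber-optic port.
udld aggressive
! Optional: probe every 7 seconds instead of the default 15 so a
! one-way link is caught sooner (range 7-90).
udld message time 7
!
! Copper (twisted-pair) uplinks are not covered by the global command;
! enable aggressive mode per interface.
interface GigabitEthernet1/0/25
 description uplink to DIST1 (copper)
 udld port aggressive
!
! Let a UDLD err-disabled port come back on its own after 5 minutes so a
! transient fault does not need a manual "udld reset".
errdisable recovery cause udld
errdisable recovery interval 300
!
! Untrusted user port: CDP off so the port advertises nothing about the
! switch (platform, IOS version, addresses). UDLD is simply not enabled
! here; it only belongs on links between trusted switches.
interface GigabitEthernet1/0/5
 description untrusted user port
 no cdp enable
!
! Verification (exec mode):
!   show udld neighbors
!   show udld GigabitEthernet1/0/25
!   show interfaces status err-disabled
!   udld reset
```

Both ends of a link must run UDLD for a neighbor relationship to form; enabling aggressive mode on only one side of a copper link leaves that side in the undetermined state, which is the condition you should look for in show udld neighbors after rollout.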

8.6. vty ACLs

Cisco provides ACLs to permit or deny Telnet (and SSH) access to the vty ports of a switch. Cisco devices vary in the number of vty ports that are available by default. When configuring vty ACLs, make sure every default vty line is either removed or has a vty ACL applied; a single unfiltered line is enough for an attacker to get a session. Telnet filtering is normally considered an extended IP ACL function because it is filtering a higher-level protocol. However, because the access-class command filters incoming sessions by source address and applies the filtering to the vty lines themselves, you can use standard IP ACL statements to control vty access. The access-class command (with the out keyword) also applies standard IP ACL filtering to outgoing Telnet sessions originating from the switch. You can apply vty ACLs to any combination of vty lines: the same ACL to all vty lines, or a different one on each line. The most common practice is to apply the same ACL to all vty lines.

To configure vty ACLs on a Cisco switch, create a standard IP ACL and apply it to the vty lines. Unlike an ACL on a data interface, it is applied to a vty line or range of lines with the access-class command. Consider this example. Permission is granted to any device on network 192.168.1.0/24 to establish a virtual terminal (Telnet) session with the switch. Of course, the user must still know the appropriate passwords to enter user mode and privileged mode. Identical restrictions are set on every vty line, because the line on which a given user lands cannot be controlled. The implicit deny any statement at the end of the access list still applies when the ACL is used as an access-class entry, so every other source address is refused. Note that 0.0.0.255 is a wildcard mask, not a subnet mask: 0 bits must match, 1 bits are ignored.

Switch(config)# access-list 12 permit 192.168.1.0 0.0.0.255
Switch(config)# line vty 0 15

Switch(config-line)# access-class 12 in

8.6. Best Practices for Switch Security

Network security vulnerabilities include loss of privacy, data theft, impersonation, and loss of integrity. Basic security measures should be taken on every network to mitigate the adverse effects of user negligence or acts of malicious intent. The following steps are required whenever placing new equipment in service:

Step 1 Consider or establish organizational security policies.
Step 2 Secure switch devices.
Step 3 Secure switch protocols.
Step 4 Mitigate compromises launched through a switch.

You should consider the policies of an organization when determining which level and type of security to implement. You must balance the goal of reasonable network security against the administrative overhead of extremely restrictive security measures. A well-established security policy has these characteristics:

• Provides a process for auditing existing network security
• Provides a general security framework for implementing network security
• Defines disallowed behaviors toward electronic data
• Determines which tools and procedures are needed for the organization
• Communicates consensus among a group of key decision-makers and defines the responsibilities of users and administrators
• Defines a process for handling network security incidents
• Enables an enterprise-wide, all-site security implementation and enforcement plan

Follow these best practices for secure switch access:

• Set system passwords: Use the enable secret command to set the password that grants privileged (enable) access to the Cisco IOS system. Because enable secret stores only a salted MD5 hash (type 5) of the configured password, anyone who obtains the configuration can still run an offline dictionary attack against it. Newer IOS releases can store the secret as a type 8 (PBKDF2-SHA-256) or type 9 (scrypt) hash instead (enable algorithm-type scrypt secret ...), which is far more expensive to crack; use that where the platform supports it. Either way, apply standard practice in choosing a strong password. The usual advice is to mix letters, numbers and special characters, for example "$pecia1$" instead of "specials," where the "s" has been replaced by "$" and the "l" by "1" (one); be aware that such substitutions are in every cracking wordlist, so length matters more than symbol swaps. Never rely on enable password, which is stored in clear text or as the reversible type 7 encoding.



• Secure access to the console: Console access requires a minimum level of security both physically and logically. An individual who gains console access to a system can perform password recovery (reset the enable password from ROMMON), bypassing all other security implemented on that system. Consequently, it is imperative to secure physical access to the console, and to require a login on line con 0 as well.

• Secure access to vty lines: The minimum recommended steps for securing Telnet access are:
  ○ Apply the basic ACL for in-band access to all vty lines (access-class ... in).
  ○ Configure a line password (or, better, login local with a local user account) for all configured vty lines.

• Use SSH: The SSH protocol and application provide a secure remote connection to a switch. It encrypts all traffic, including passwords, between a remote console and a switch. Because SSH sends no traffic in clear text, network administrators can conduct remote access sessions that casual observers cannot read. The SSH server in Cisco IOS software works with publicly and commercially available SSH clients. Restrict the vty lines with transport input ssh so that Telnet is not left open alongside SSH.

• Configure system-warning banners: For both legal and administrative purposes, displaying a system-warning banner prior to login is a convenient and effective way of reinforcing security and general usage policies. By clearly stating the ownership, usage, access, and protection policies before a login, you provide more solid backing for potential future prosecution. Keep the hostname, model and other identifying details out of the banner.

• Disable unneeded services: By default, Cisco devices implement multiple TCP and User Datagram Protocol (UDP) servers to facilitate management and integration into existing environments. For most installations these services are not required, and disabling them reduces the overall exposure. These commands disable services not typically used:

no service tcp-small-servers
no service udp-small-servers
no service finger
no service config

• Disable the integrated HTTP daemon if not in use: Although Cisco IOS software provides an integrated HTTP server for management, it is highly recommended that it be disabled (no ip http server, and no ip http secure-server for HTTPS) to minimize overall exposure. If HTTP access to the switch is absolutely required, use basic ACLs to permit access from only trusted subnets (ip http access-class).

• Configure basic logging: To assist and simplify problem troubleshooting and security investigations, monitor the switch subsystem information received from the logging facility. View the output in the on-system logging buffer memory (show logging). To make the on-system log useful, increase the default buffer size (logging buffered), and send a copy to a syslog collector so that events survive a reload or a deliberate wipe.

Follow these best practices for switch security:

• Use CDP only as needed: CDP does not reveal security-specific information, but what it does advertise (device ID, platform, IOS version, IP addresses, native VLAN) is exactly what an attacker wants for a reconnaissance attack, learning device and address information for the purpose of launching other attacks. Two practical guidelines should be followed for CDP:
  ○ If CDP is not required, or the device is located in an unsecure environment, disable CDP globally on the device (no cdp run).
  ○ If CDP is required, disable CDP on a per-interface basis (no cdp enable) on ports connected to untrusted networks. Because CDP is a link-level protocol, it does not cross a network boundary (unless a Layer 2 tunneling mechanism is in place). Limit it to run only between trusted devices and disable it everywhere else. However, CDP is required on any access port where a Cisco IP phone is attached, to establish the trust relationship (voice VLAN and QoS trust).

• Secure the spanning tree topology: It is important to protect the STP process of the switches that compose the infrastructure. Inadvertent or malicious introduction of STP BPDUs could overwhelm a device or pose a DoS attack. The first step in stabilizing a spanning tree installation is to positively identify the intended root bridge in the design and to hard-set the STP bridge priority of that bridge to an acceptable root value. Do the same for the designated backup root bridge. These actions protect against inadvertent shifts in STP due to an uncontrolled introduction of a new switch. Add root guard on the ports facing switches that must never become root.

On some platforms, the BPDU guard feature may be available. If so, enable it on access ports in conjunction with the PortFast feature to protect the network from unwanted BPDU injection. Upon receipt of a BPDU, the feature automatically disables (err-disables) the port.

Follow these best practices to mitigate compromises through a switch:

• Proactively configure unused router and switch ports:
  ○ Execute the shutdown command on all unused ports and interfaces.
  ○ Place all unused ports in a "parking-lot" VLAN used specifically to group unused ports until they are proactively placed into service.
  ○ Configure all unused ports as access ports, disallowing automatic trunk negotiation (switchport mode access, switchport nonegotiate).

• Disable automatic trunk negotiation: By default, Cisco Catalyst switches running Cisco IOS software are configured to automatically negotiate trunking capabilities (DTP, in dynamic auto or dynamic desirable mode). This poses a serious hazard to the infrastructure because an unsecured third-party device can be introduced to the network as a valid infrastructure component: a host that speaks DTP can bring up a trunk and reach every VLAN. Potential attacks include interception of traffic, redirection of traffic, and DoS. To avoid this risk, disable automatic negotiation of trunking (switchport nonegotiate) and manually enable trunking only on links that require it. Ensure that trunks use a native VLAN that is dedicated exclusively to trunk links, so that untagged frames from an access port cannot be used for VLAN hopping.

• Monitor physical device access: Avoid rogue device placement in wiring closets with direct access to switch ports.

• Establish port-based security: Specific measures should be taken on every access port of any switch placed into service. Ensure that a policy is in place outlining the configuration of both used and unused switch ports. For ports enabled for end-device access, the macro switchport host takes the following actions when executed on a specific switch port:
  ○ Sets the switch port mode to access
  ○ Enables spanning tree PortFast
  ○ Disables channel grouping
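The access, service, vty, logging and port best practices above, applied to one access switch as a single configuration. This is an added example, not from the original notes; the hostname, domain name, management subnet, syslog host, VLAN numbers, interface names and the placeholder password are all assumed.

```cisco
! Added example (not from the original notes). Hostname, domain, subnet,
! VLAN numbers, interface names and the placeholder password are assumed.
hostname SW1
ip domain-name example.net
!
! Passwords: scrypt (type 9) where the IOS release supports it; plain
! "enable secret" would store a salted MD5 (type 5) hash instead.
enable algorithm-type scrypt secret Str0ng-Placeh0lder!
username admin privilege 15 algorithm-type scrypt secret Str0ng-Placeh0lder!
service password-encryption
!
! Services not needed on a switch
no service tcp-small-servers
no service udp-small-servers
no service finger
no service config
no service pad
no ip http server
no ip http secure-server
! CDP off globally; if IP phones need it, leave it on and use
! "no cdp enable" on each untrusted interface instead.
no cdp run
!
! Management access: SSH version 2 only, from the management subnet only
crypto key generate rsa modulus 2048
ip ssh version 2
access-list 12 remark management subnet (assumed 192.168.1.0/24)
access-list 12 permit 192.168.1.0 0.0.0.255
! implicit deny any follows
line vty 0 15
 access-class 12 in
 login local
 transport input ssh
 exec-timeout 10 0
line con 0
 login local
 exec-timeout 10 0
!
banner motd #
Authorized access only. Activity is monitored and logged.
#
!
! Logging: larger local buffer plus a remote collector
logging buffered 64000 informational
logging host 192.168.1.50
logging trap informational
service timestamps log datetime msec localtime show-timezone
!
! Parking-lot VLAN for unused ports; dedicated native VLAN for trunks
vlan 999
 name PARKING_LOT
vlan 998
 name NATIVE_TRUNK
!
! Unused ports: access mode, no DTP, parked, shut down
interface range GigabitEthernet1/0/20 - 24
 description UNUSED
 switchport mode access
 switchport nonegotiate
 switchport access vlan 999
 shutdown
!
! Uplink trunk: explicit, no DTP, unused native VLAN, pruned allowed list.
! "switchport trunk encapsulation dot1q" is required first on platforms
! that also support ISL (3560/3750) and rejected on those that do not.
interface GigabitEthernet1/0/48
 description uplink to DIST1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30
!
! Host ports: the switchport host macro (access mode, PortFast, no
! channel grouping) plus port security limiting MACs per port
interface range GigabitEthernet1/0/1 - 19
 switchport host
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
```

After applying it, check show ip ssh, show access-lists 12, show interfaces trunk (only Gi1/0/48 should appear, native VLAN 998) and show port-security. The access-class ACL is the only thing between the vty lines and the rest of the network, so verify it from a host outside 192.168.1.0/24 and confirm the connection is refused rather than assuming it.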
