borrador estudio (study draft)


7/26/2019 borrador estudio

SWITCHING DECISIONS

Layer 2 switching: Three fundamental decisions must be made, one concerned with finding the egress switch port and two concerned with forwarding policies. All these decisions are made simultaneously by independent portions of the switching hardware and can be described as follows:

L2 forwarding table
Security ACLs
QoS ACLs

Multilayer switching: Now the decision of where to forward the packet is based on two address tables, whereas the decision of how to forward the packet is still based on access list results. As in Layer 2 switching, all these multilayer decisions are performed simultaneously in hardware:

L2 forwarding table
L3 forwarding table
Security ACLs
QoS ACLs

CAM TABLE

By default, idle CAM table entries are kept for 300 seconds before they are deleted.

Switch(config)# mac address-table aging-time seconds

Switch(config)# mac address-table static mac-address vlan vlan-id interface type mod/num

    Switch(config)# interface type module/number

    Switch(config)# interface fastethernet 0/14

    Switch(config)# interface range type module/number [, type module/number ...]

    Switch(config)# interface range fastethernet 1/0/3 , fastethernet 1/0/7 ,fastethernet 1/0/9 , fastethernet 1/0/48

Switch(config)# interface range type module/first-number - last-number

Switch(config)# interface range fastethernet 1/0/1 - 48

Switch(config)# define interface-range macro-name type module/number [, type module/number ...] [type module/first-number - last-number] [...]

Switch(config)# interface range macro macro-name

Switch(config)# define interface-range MyGroup gig 2/0/1 , gig 2/0/3 - 2/0/5 , gig 3/0/1 , gig 3/0/10 , gig 3/0/32 - 3/0/48

    Switch(config)# interface range macro MyGroup

    Switch(config-if)# description description-string

    Switch(config-if)# speed {10 | 100 | 1000 | auto}

    Switch(config-if)# duplex {auto | full | half}

    STATIC VLANS

    Switch(config)# vlan vlan-num

    Switch(config-vlan)# name vlan-name

    Switch(config)# interface type module/number

    Switch(config-if)# switchport

    Switch(config-if)# switchport mode access

    Switch(config-if)# switchport access vlan vlan-num

    VLAN Trunk Configuration

Use the following commands to create a VLAN trunk link:

Switch(config)# interface type mod/port

Switch(config-if)# switchport

Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}

Switch(config-if)# switchport trunk native vlan vlan-id

Switch(config-if)# switchport trunk allowed vlan {vlan-list | all | {add | except | remove} vlan-list}

Switch(config-if)# switchport mode {trunk | dynamic {desirable | auto}}

Switch(config-if)# switchport nonegotiate (disables DTP)

Switch# show interface type mod/port trunk

Switch# show interface type mod/num switchport
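A worked trunk configuration, added here as an example and not part of the original notes. The first interface shows the weak default that the trunk commands above are meant to replace: a port left in a dynamic DTP mode will happily form a trunk with anything that talks DTP, which is the switch-spoofing form of VLAN hopping. The hardened version pins the mode, turns DTP off, moves the native VLAN to an otherwise unused VLAN (so a double-tagged frame from an access port in VLAN 10 is not stripped onto the trunk), and prunes the allowed list. The interface numbers, VLAN numbers and the VLAN name are assumptions chosen for the example.

```cisco
! WEAK: DTP enabled. Any DTP speaker on the far end (a rogue switch, or a
! host running a DTP tool) can negotiate this port into a trunk and then
! reach every VLAN the switch carries.
interface GigabitEthernet1/0/49
 switchport
 switchport mode dynamic desirable

! HARDENED: assumed uplink Gi1/0/49; VLAN 999 is assumed to carry no hosts
! and exists only to serve as the native VLAN.
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet1/0/49
 description Uplink to distribution
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Access ports (assumed Gi1/0/1-48): fixed access mode plus nonegotiate so
! DTP frames from a host are never answered.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Verify: mode should read "on", native VLAN 999, allowed VLANs 10,20,30.
Switch# show interface gigabitethernet 1/0/49 trunk
Switch# show interface gigabitethernet 1/0/49 switchport
```

Two caveats: the `switchport trunk encapsulation dot1q` line only exists on platforms that also support ISL; on 802.1Q-only switches it is rejected and should simply be omitted. And the allowed-VLAN list must be kept in sync on both ends of the trunk, otherwise the mismatch shows up as VLANs silently missing rather than as an error.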

STP

BPDUs are sent to the STP multicast address 01-80-c2-00-00-00.

Two types of BPDU exist:
Configuration BPDU, used for spanning-tree computation
Topology Change Notification (TCN) BPDU, used to announce changes in the network topology

The bridge ID is an 8-byte value consisting of the following fields:
Bridge Priority (2 bytes): The priority or weight of a switch in relation to all other switches. The Priority field can have a value of 0 to 65,535 and defaults to 32,768 (or 0x8000) on every Catalyst switch.
MAC Address (6 bytes): The MAC address used by a switch can come from the Supervisor module, the backplane, or a pool of 1,024 addresses that are assigned to every supervisor or backplane, depending on the switch model. In any event, this address is hard-coded and unique, and the user cannot change it.

If an entire instance of STP has been disabled, you can reenable it with the following global configuration command:

Switch(config)# spanning-tree vlan vlan-id

If STP has been disabled for a specific VLAN on a specific port, you can reenable it with the following interface configuration command:

Switch(config-if)# spanning-tree vlan vlan-id

    Switch(config)# spanning-tree extend system-id

    Switch(config)# spanning-tree vlan vlan-list priority bridge-priority


    Switch(config)# spanning-tree vlan vlan-id root {primary | secondary}[diameter diameter]

The bridge-priority value defaults to 32,768, but you can also assign a value of 0 to 65,535. If the STP extended system ID is enabled, the default bridge priority is 32,768 plus the VLAN number. In that case, the value can range from 0 to 61,440, but only as multiples of 4096. A lower bridge priority is preferable.

Switch(config-if)# spanning-tree [vlan vlan-id] cost cost

    Switch# show spanning-tree interface type mod/num [cost]

Switch(config-if)# spanning-tree [vlan vlan-list] port-priority port-priority

Switch(config)# spanning-tree [vlan vlan-id] hello-time seconds

Switch(config)# spanning-tree [vlan vlan-id] forward-time seconds

Switch(config)# spanning-tree [vlan vlan-id] max-age seconds

    Switch(config)# spanning-tree vlan vlan-list root {primary | secondary} [diameter diameter [hello-time hello-time]]
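The priority and root-macro commands above, worked into a deterministic root placement for a pair of distribution switches. This is an added example, not from the original notes; the switch names Dist1 and Dist2, the VLAN numbers and the diameter value are assumptions. With the extended system ID enabled, the 16-bit priority field is split into a 4-bit priority (multiples of 4096) and a 12-bit system ID holding the VLAN number, which is why the priority you configure is shown with the VLAN number added.

```cisco
! Dist1 (assumed): root for VLANs 10 and 20, backup root for VLAN 30.
! Priority must be a multiple of 4096 once extend system-id is on.
spanning-tree extend system-id
spanning-tree vlan 10,20 priority 4096
spanning-tree vlan 30 priority 8192

! Dist2 (assumed): the mirror image, so each VLAN has a deterministic
! primary and secondary root.
spanning-tree extend system-id
spanning-tree vlan 30 priority 4096
spanning-tree vlan 10,20 priority 8192

! Equivalent macro form (use either the explicit priorities above or the
! macros, not both). "root primary" sets 24576, or 4096 below the current
! root if that root already has a priority under 24576; "root secondary"
! sets 28672. diameter tunes hello/forward-delay/max-age for a 4-switch
! wide tree instead of the default 7.
spanning-tree vlan 10,20 root primary diameter 4
spanning-tree vlan 30 root secondary diameter 4

! Verify. With priority 4096 on VLAN 10 the output reads
! "Priority 4106 (priority 4096 sys-id-ext 10)".
Switch# show spanning-tree vlan 10
```

Setting a low priority makes the intended switch win against every switch that keeps the default 32768, but it does not make the choice secure: a device that injects a BPDU with priority 0 (or the same priority and a lower MAC) still takes over. The priorities decide the normal topology; root guard on the ports where a root should never appear (below) is what enforces it.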

PortFast: Enables fast connectivity to be established on access-layer switch ports to workstations that are booting.
UplinkFast: Enables fast-uplink failover on an access-layer switch when dual uplinks are connected into the distribution layer.
BackboneFast: Enables fast convergence in the network backbone or core layer switches after a spanning-tree topology change occurs.

    Switch(config)# spanning-tree portfast default

    Switch(config-if)# [no] spanning-tree portfast

    Switch(config)# interface type mod/num

    Switch(config-if)# switchport host

    switchport mode will be set to access

    spanning-tree portfast will be enabled

    channel group will be disabled

    Switch# show spanning-tree interface type mod/num portfast

Switch(config)# spanning-tree uplinkfast [max-update-rate pkts-per-second]

    Switch# show spanning-tree uplinkfast

    Switch(config)# spanning-tree backbonefast


After an STP topology has converged and becomes loop free, switch ports are assigned the following roles:

Root port: The one port on a switch that is closest (with the lowest root path cost) to the root bridge.
Designated port: The port on a LAN segment that is closest to the root. This port relays, or transmits, BPDUs down the tree.
Blocking port: Ports that are neither root nor designated ports.
Alternate port: Ports that are candidate root ports (they are also close to the root bridge) but are in the Blocking state. These ports are identified for quick use by the STP UplinkFast feature.
Forwarding port: Ports where no other STP activity is detected or expected. These are ports with normal end-user connections.

    Switch(config-if)# spanning-tree guard root


    Switch(config)# spanning-tree portfast bpduguard default

    Switch(config-if)# [no] spanning-tree bpduguard enable

    Switch(config)# spanning-tree loopguard default

    Switch(config-if)# [no] spanning-tree guard loop

Switch(config)# udld {enable | aggressive | message time seconds}

    Switch(config-if)# udld {enable | aggressive | disable}

    Switch(config)# spanning-tree portfast bpdufilter default

    Switch(config-if)# spanning-tree bpdufilter {enable | disable}

Root guard: Apply to ports where the root is never expected.
BPDU guard: Apply to all user ports where PortFast is enabled.
Loop guard: Apply to nondesignated ports, but it is okay to apply it to all ports.
UDLD: Apply to all fiber-optic links between switches (must be enabled on both ends).

Permissible combinations on a switch port:
Loop guard and UDLD
Root guard and UDLD

Not permissible on a switch port:
Root guard and Loop guard
Root guard and BPDU guard
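The guard placement rules above, applied to an access switch and to the distribution switch it hangs off. This is an added example and not part of the original notes; the interface ranges (Gi1/0/1-48 user ports, Gi1/0/49-50 fiber uplinks on the access switch, Gi1/0/1-24 access-facing ports on the distribution switch) and the recovery interval are assumptions. Note the two non-permissible combinations are respected: root guard sits only on the distribution side, loop guard and BPDU guard only on the access side.

```cisco
! ---- Access switch ----
! PortFast plus BPDU guard on every user port: a host that sends a BPDU
! (rogue switch, or a tool trying to become root) gets its port err-disabled.
spanning-tree portfast default
spanning-tree portfast bpduguard default
! Loop guard everywhere; it only ever acts on non-designated ports, so it
! is harmless on user ports and catches unidirectional uplinks.
spanning-tree loopguard default
! UDLD aggressive globally affects fiber ports; enable it per port on
! the assumed fiber uplinks as well (must be on at both ends).
udld aggressive
!
interface range GigabitEthernet1/0/1 - 48
 switchport host
!
interface range GigabitEthernet1/0/49 - 50
 udld port aggressive
!
! Ports shut by BPDU guard come back automatically after 5 minutes;
! without this an attacker (or a careless user) turns BPDU guard into a
! denial of service that needs a manual "shutdown / no shutdown".
errdisable recovery cause bpduguard
errdisable recovery interval 300

! ---- Distribution switch ----
! Root guard on every port facing an access switch: a superior BPDU from
! below puts the port in root-inconsistent state instead of re-rooting
! the tree. Do NOT also put loop guard on these ports.
interface range GigabitEthernet1/0/1 - 24
 spanning-tree guard root
!
! Verify
Switch# show spanning-tree inconsistentports
Switch# show spanning-tree summary
Switch# show udld neighbors
```

The interface-level UDLD command is written here as `udld port aggressive`, which is the form Catalyst IOS accepts; the notes list the `udld {enable | aggressive | disable}` keyword form, which some platforms use instead. `switchport host` already enables PortFast on the user ports, so the global `portfast default` mainly covers ports added later without the macro.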

STP: 802.1D
RSTP: 802.1w
MST: 802.1s

802.1D

Port roles:
Root port
Designated port
Blocking port (neither root nor designated)

Each switch port also is assigned one of five possible states:
Disabled
Blocking
Listening
Learning
Forwarding

802.1w

Port roles:
Root port: The one switch port on each switch that has the best root path cost to the root. This is identical to 802.1D.
Designated port: The switch port on a network segment that has the best root path cost to the root.
Alternate port: A port that has an alternative path to the root, different from the path the root port takes.
Backup port: A port that provides a redundant (but less desirable) connection to a segment where another switch port already connects.

Port states:
Discarding: Incoming frames simply are dropped; no MAC addresses are learned.
Learning: Incoming frames are dropped, but MAC addresses are learned.
Forwarding: Incoming frames are forwarded according to MAC addresses that have been (and are being) learned.

Port types:
Edge port: A port at the edge of the network, where only a single host connects. Traditionally, this has been identified by enabling the STP PortFast feature.
Root port: The port that has the best cost to the root of the STP instance.
Point-to-point port: Any port that connects to another switch and becomes a designated port.


Port Security

Switch(config-if)# switchport port-security

Switch(config-if)# switchport port-security maximum max-addr

Switch(config-if)# switchport port-security maximum 2

Switch(config-if)# switchport port-security mac-address mac-addr

Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

Shutdown: The port immediately is put into the Errdisable state, which effectively shuts it down. It must be reenabled manually or through errdisable recovery to be used again.
Restrict: The port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.
Protect: The port is allowed to stay up, as in the restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept.

    Switch# clear port-security dynamic [address mac-addr | interface type mod/num]


Port-Based Authentication (802.1x Configuration)

802.1x hands the client's credentials to an external Remote Authentication Dial-In User Service (RADIUS) server; only RADIUS is supported for 802.1x.

Step 1. Enable AAA on the switch:
Switch(config)# aaa new-model

Step 2. Define external RADIUS servers:
Switch(config)# radius-server host {hostname | ip-address} [key string]

Step 3. Define the authentication method for 802.1x:
Switch(config)# aaa authentication dot1x default group radius

Step 4. Enable 802.1x on the switch:
Switch(config)# dot1x system-auth-control

Step 5. Configure each switch port that will use 802.1x:
Switch(config)# interface type mod/num
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}

force-authorized: The port is forced to always authorize any connected client. No authentication is necessary. This is the default state for all switch ports when 802.1x is enabled.
force-unauthorized: The port is forced to never authorize any connected client. As a result, the port cannot move to the authorized state to pass traffic to a connected client.
auto: The port uses an 802.1x exchange to move from the unauthorized to the authorized state, if successful. This requires an 802.1x-capable application (a supplicant) on the client PC.

Step 6. Allow multiple hosts on a switch port:
Switch(config-if)# dot1x host-mode multi-host
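Steps 1 through 6 assembled into one complete configuration. This is an added example, not from the original notes; the RADIUS server addresses, the shared secret, the interface numbers and the VLAN numbers are all assumptions. It also shows the one thing the step list does not make obvious: since force-authorized is the default, enabling 802.1x globally changes nothing until each port is explicitly set to auto.

```cisco
! Steps 1-4: AAA, two RADIUS servers (assumed addresses; the key is a
! constructed placeholder, keep the real one out of plaintext configs).
aaa new-model
radius-server host 10.1.1.10 key R4d1usS3cr3t
radius-server host 10.1.1.11 key R4d1usS3cr3t
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! Step 5, ordinary user port (assumed Gi1/0/5): single host, must
! authenticate before any traffic other than EAPOL passes.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
!
! Step 6 (assumed Gi1/0/6, a port with a hub or several devices behind it):
! multi-host authenticates the FIRST client only; afterwards every MAC on
! the port is allowed through. Use it only where that trade-off is accepted.
interface GigabitEthernet1/0/6
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x host-mode multi-host
!
! A device with no supplicant (assumed printer on Gi1/0/7 in VLAN 30) stays
! force-authorized, which is the default; writing it explicitly documents
! the exception, and port security limits what can be plugged in there.
interface GigabitEthernet1/0/7
 switchport mode access
 switchport access vlan 30
 dot1x port-control force-authorized
 switchport port-security
 switchport port-security maximum 1
!
! Verify
Switch# show dot1x all
Switch# show dot1x interface gigabitethernet 1/0/5
```

On current IOS releases the same settings are entered as `radius server NAME` / `address ipv4 ...` / `key ...`, and on the interface as `authentication port-control auto` and `authentication host-mode multi-host`; the `dot1x` forms shown in the notes still work on the platforms they were written for.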


DHCP Snooping

Switch(config)# ip dhcp snooping

    Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]

    Switch(config)# interface type mod/num

    Switch(config-if)# ip dhcp snooping trust

    Switch(config)# interface type mod/num

    Switch(config-if)# ip dhcp snooping limit rate rate

    The rate can be 1 to 2048 DHCP packets per second.

    Switch(config)# [no] ip dhcp snooping information option

    Switch# show ip dhcp snooping [binding]

    IP Source Guard

    Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type mod/num

    Switch(config)# interface type mod/num

    Switch(config-if)# ip verify source [port-security]

    Switch# show ip verify source [interface type mod/num]

Switch# show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] [interface type mod/num] [vlan vlan-id]

Dynamic ARP Inspection

Switch(config)# ip arp inspection vlan vlan-range

Switch(config)# interface type mod/num
Switch(config-if)# ip arp inspection trust

Switch(config)# arp access-list acl-name

Switch(config-acl)# permit ip host sender-ip mac host sender-mac [log]

    [Repeat the previous command as needed]

    Switch(config-acl)# exit

    Switch(config)# ip arp inspection filter arp-acl-name vlan vlan-range [static]

    Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}

src-mac: Check the source MAC address in the Ethernet header against the sender MAC address in the ARP reply.
dst-mac: Check the destination MAC address in the Ethernet header against the target MAC address in the ARP reply.
ip: Check the sender IP address in all ARP requests and replies, and the target IP address in ARP replies, for invalid or unexpected addresses.
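The port security, DHCP snooping, IP Source Guard and DAI commands above combined into one access-switch configuration, added here as an example and not part of the original notes. VLAN numbers, interface numbers, the printer's address and MAC, and the rate-limit value are assumptions. The point the separate command lists hide is how the three features chain: DHCP snooping builds the binding table, IP Source Guard and DAI both consult it, and a statically addressed host (no DHCP lease, hence no binding) has to be added by hand to both or it gets cut off.

```cisco
! --- DHCP snooping: build the binding table for the user VLANs ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion stays on (default). Caveat: a relay or DHCP server
! that rejects option 82 from a zero-giaddr client breaks DHCP entirely;
! "no ip dhcp snooping information option" is the fix if that happens.
ip dhcp snooping information option
!
! --- DAI: validate ARP against the bindings, plus header sanity checks ---
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Static host (assumed printer 10.1.10.50 / 0011.2233.4455 on Gi1/0/47):
! no lease, so no binding. An ARP ACL covers DAI; a static source binding
! covers IP Source Guard. The filter is applied WITHOUT "static" so the ACL
! is checked first and DHCP bindings are still consulted afterwards.
arp access-list PRINTERS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
ip arp inspection filter PRINTERS vlan 10
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet1/0/47
!
! --- Uplink (assumed Gi1/0/49): the only place DHCP offers and unchecked ARP may come from ---
interface GigabitEthernet1/0/49
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- User ports: untrusted by default for both features ---
interface range GigabitEthernet1/0/1 - 48
 switchport host
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! Cap DHCP client traffic; 15 pps is far above a real client's rate and
 ! starves a DHCP-starvation tool. Exceeding it err-disables the port.
 ip dhcp snooping limit rate 15
 ! Drop IP packets whose source is not in the binding table
 ip verify source
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verify
Switch# show ip dhcp snooping binding
Switch# show ip arp inspection vlan 10
Switch# show ip verify source
Switch# show port-security interface gigabitethernet 1/0/1
```

`ip verify source port-security` would additionally filter on source MAC, but that variant requires port security on the port and a DHCP server that accepts option 82, so it is left as plain `ip verify source` here. The violation mode is restrict rather than shutdown so a spoofing attempt is logged and counted without letting the attacker knock the port offline.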

    Best Practices for Securing Switches

    Configure secure passwords

    Use system banners

    Secure the web interface

    Secure the switch console

Secure virtual terminal access

    Use SSH whenever possible

    Secure SNMP Access

    Secure unused switch ports

    Secure STP operation

    Secure the use of CDP

VLAN access control lists (VACLs):

Switch(config)# vlan access-map map-name [sequence-number]

Switch(config-access-map)# match ip address {acl-number | acl-name}

Switch(config-access-map)# match ipx address {acl-number | acl-name}

Switch(config-access-map)# match mac address acl-name

Switch(config-access-map)# action {drop | forward [capture] | redirect type mod/num}

    Switch(config)# vlan filter map-name vlan-list vlan-list
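A VACL that keeps user VLAN hosts away from a management subnet, added as an example and not from the original notes; the VLAN number, the subnet and the map and ACL names are assumptions. Two behaviours matter here and are easy to get wrong: the ACL's `permit` means "this packet matches the clause" (a `deny` line simply does not match), and a packet that matches none of the map's clauses is dropped, so the catch-all forward entry at the end is required.

```cisco
! Assumed: hosts in VLAN 10 must not reach management subnet 10.1.100.0/24.
! "permit" in the ACL selects the packets the map acts on.
ip access-list extended TO-MGMT
 permit ip any 10.1.100.0 0.0.0.255
!
! Sequence 10: matched packets are dropped.
vlan access-map USER-VLAN-FILTER 10
 match ip address TO-MGMT
 action drop
! Sequence 20: no match clause matches everything; without it the
! implicit deny at the end of the map would drop all other VLAN 10 traffic.
vlan access-map USER-VLAN-FILTER 20
 action forward
!
! Apply to the VLAN. A VACL is checked for frames bridged within the VLAN
! and for packets routed into or out of it on this switch, in both directions.
vlan filter USER-VLAN-FILTER vlan-list 10
!
! Verify
Switch# show vlan access-map USER-VLAN-FILTER
Switch# show vlan filter
```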

Securing VLAN Trunks

Switch Spoofing

    VLAN Hopping
