CCNP Switch: Scenarios for Final Exam Preparation
Scenario 1: Trunking and DTP
This scenario is built around a network of switches connected by trunking links. You need to think about how DTP operates and how trunks are negotiated (or not) between switches. Consider the network shown in Figure 19-1 and answer the questions that follow. Assume that all switches shown support DTP.
Figure 19-1 Diagram for Scenario 1
- What is the mode of the link between Catalyst A and Catalyst B?
- Suppose that the network administrator types these commands for interface GigabitEthernet 0/1 on Catalyst B:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
What will the link mode be now?
- Catalyst B has been given the command no switchport nonegotiate for interface GigabitEthernet 0/1. What is the link mode now?
- What is the mode of the link between Catalyst A and Catalyst C?
- Assume that all links between Catalyst switches are in trunking mode, transporting VLANs 1 through 1005. Can PC-2 ping PC-4?
- Suppose that PC-1 begins to generate a broadcast storm. Where would the effects of this storm be experienced in this network? Consider both devices and links. Will PC-4 receive the broadcasts?
Scenario 1 Answers
- The link is still an access link, with no trunking established, because both switches are set to auto mode. The switches are passively waiting for the other to initiate trunking.
- Trunking is still not established. Catalyst A is waiting to be asked to trunk, and Catalyst B is set to nonegotiate. Catalyst B will never try to negotiate trunking because its DTP packets have been silenced.
- Trunking finally has been established. Both switches A and B will use DTP, and B will effectively ask A to bring up a trunk link.
- Trunking. Catalyst A expects trunking on the link, while Catalyst C actively tries to negotiate trunking.
- No. The two PC devices are connected to different VLANs. Without a router or Layer 3 device connecting the VLANs, no traffic will cross between them.
- All hosts on VLAN 1 (PC-1, PC-2, and PC-3) will experience the broadcast storm. All trunk links between switches will transport the broadcast frames. In addition, all switch supervisor CPUs will receive and process the broadcasts because each switch has an IP address for management assigned to VLAN 1. (For this reason, it is recommended to reserve VLAN 1 for control protocol traffic only. User-generated broadcasts can overload the switch supervisor to the extent that it no longer can keep track of its control or “overhead” protocols, such as VTP, CDP, and so forth. Instead, all user traffic should be kept off VLAN 1.)
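The DTP outcomes behind the Scenario 1 answers, as an added Python model that is not from the book: each end's operational state is derived from its own mode, the peer's mode, and whether the peer still sends DTP frames. The result "mismatch" is what the answers describe as trunking "not established" (one end trunking while the other stays an access port); the Port class and the rule wording are this example's own summary of DTP behaviour.

```python
"""DTP trunk negotiation model for the Scenario 1 questions (added example).

Port modes follow the chapter: "auto" waits to be asked, "desirable" asks,
"trunk" and "access" are unconditional, and 'switchport nonegotiate' silences
DTP frames on a trunk or access port. Switch names are the chapter's.
"""
from dataclasses import dataclass

DYNAMIC = ("auto", "desirable")


@dataclass(frozen=True)
class Port:
    mode: str                  # "access", "trunk", "auto", or "desirable"
    nonegotiate: bool = False  # only accepted on trunk/access ports

    def sends_dtp(self) -> bool:
        # Dynamic ports always speak DTP; trunk/access ports stop once
        # 'switchport nonegotiate' is configured.
        return self.mode in DYNAMIC or not self.nonegotiate


def operational_mode(me: Port, peer: Port) -> str:
    """Operational state of one end of the link: 'trunk' or 'access'."""
    if me.mode in ("trunk", "access"):
        return me.mode               # unconditional, whatever the peer does
    if not peer.sends_dtp():
        return "access"              # nothing heard, so a dynamic port stays access
    if peer.mode in ("trunk", "desirable"):
        return "trunk"               # the peer announces or asks for a trunk
    if me.mode == "desirable" and peer.mode == "auto":
        return "trunk"               # we ask, the auto peer agrees
    return "access"                  # auto+auto, or the peer is an access port


def link_mode(a: Port, b: Port) -> str:
    """'trunk' or 'access' when both ends agree, else 'mismatch'."""
    ma, mb = operational_mode(a, b), operational_mode(b, a)
    return ma if ma == mb else "mismatch"


def scenario_1_answers() -> list:
    """Questions 1 to 4 of Scenario 1, in order (A is in auto mode throughout)."""
    a_auto = Port("auto")
    return [
        link_mode(a_auto, Port("auto")),                     # Q1: B also auto
        link_mode(a_auto, Port("trunk", nonegotiate=True)),  # Q2: B trunk + nonegotiate
        link_mode(a_auto, Port("trunk")),                    # Q3: nonegotiate removed
        link_mode(Port("trunk"), Port("desirable")),         # Q4: A trunk, C desirable
    ]


if __name__ == "__main__":
    for q, result in enumerate(scenario_1_answers(), start=1):
        print(f"Question {q}: {result}")
```

The same model shows why a user port left at the default dynamic auto mode is a risk: a peer in desirable mode brings it up as a trunk, while a port set to access mode stays an access port.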
Scenario 2: VLANs, Trunking, and VTP
This scenario is designed to stir your thinking about VLAN and trunking connectivity. You also need to examine switch configurations and apply them to a network diagram. See the diagram shown in Figure 19-2 and answer the questions that follow. Portions of the configurations of the three Catalyst switches are shown above them.
Figure 19-2 Diagram for Scenario 2
- PC-1 and PC-2 both are configured with IP addresses on the same subnet. Notice that each PC connects to a different VLAN number. Given the switch configurations shown, can PC-1 ping PC-2?
- PC-2 and PC-3 are assigned to the same IP subnet (using subnet mask 255.0.0.0) and the same VLAN. Can PC-2 and PC-3 ping each other?
- Will the trunk link between Catalyst B and Catalyst C come up successfully?
- Suppose that the trunk between Catalyst B and Catalyst C is configured properly. Where will VLAN 1 be pruned? Why?
- Suppose that Catalyst A is a VTP server, Catalyst C is a VTP client, and Catalyst B is configured for VTP transparent mode. All switches are in the Bermuda management domain. If VLAN 14 is created on Catalyst A, which switches also will create VLAN 14 using VTP?
- If VLAN 15 is created on Catalyst B, what other switches also will create VLAN 15 through VTP?
- If VLAN 16 is created on Catalyst C, what will happen?
Scenario 2 Answers
- Yes. PC-1 and PC-2 are connected to access VLAN switch ports, VLAN 2 and VLAN 10, respectively. Normally, if these were assigned to different VLANs, they could not ping each other unless a Layer 3 device were present to route between the Layer 2 VLANs. In this case, however, the link between Catalyst A and B is the key. On one switch, the link is an access VLAN port on VLAN 2; on the other end, it is an access VLAN port on VLAN 10. These are physically connected, and each switch has no knowledge of what VLAN the other has assigned to the link. Therefore, data can pass across the link freely, connecting the two VLANs.
- No. Again, the key is the link between Catalyst B and C. Catalyst B has the link configured as an ISL trunk, whereas Catalyst C has it configured as an 802.1Q trunk. Because the trunk encapsulations are different, no data will pass between them.
- Yes, the trunk link on each switch will come up successfully, even though the trunk will not work end to end because of the encapsulation mismatch. This is because DTP packets will be exchanged, but both ends of the link are configured to trunk unconditionally.
As a side note, DTP and CDP packets will be exchanged between the switches. Both of these protocols are sent over VLAN 1 in ISL encapsulation and over the native VLAN (VLAN 1, by default) in dot1Q encapsulation. Because the trunk encapsulation is different on each end of the link, each switch will tag VLAN 1 differently. Therefore, VLAN 1 will not be contiguous across the link, and these protocols will not pass successfully.
- VLAN 1 will not be pruned. Although VLAN 1 is present on all switches, it is not pruned because VLAN 1 is ineligible for pruning by definition.
- Only Catalyst C creates VLAN 14 in response to VTP advertisements. Catalyst B in transparent mode relays only the VTP information, without interpreting the information.
- Only Catalyst B creates VLAN 15. Because it is in transparent mode, no VLAN activity will be advertised to other neighboring switches. However, Catalyst B is allowed to create, delete, and rename VLANs freely. These VLANs are significant only to the local switch.
- Catalyst C will not allow any VLANs to be created unless they are learned from a VTP server in the Bermuda domain. Because it is in VTP client mode, no VLAN changes can be performed from the console.
Scenario 3: EtherChannels
This scenario focuses on EtherChannel links between switches. See the diagram shown in Figure 19-3 and answer the questions that follow.
Figure 19-3 Diagram for Scenario 3
- Four GigabitEthernet interfaces on Catalyst A are to be bundled into a Gigabit EtherChannel with Catalyst B. If each of these interfaces also is configured as a trunk, what must be similar about them on both switches?
- Catalyst A should actively initiate an EtherChannel with Catalyst B. PAgP negotiation should be used. What commands should be used on each of Catalyst A’s ports to configure negotiation of EtherChannel 1?
- What is the default load-distribution algorithm, assuming that the switches are Catalyst 6500s?
- Suppose that the EtherChannel is a Layer 3 interface on both switches so that each switch uses one MAC and one IP address. Should you choose the src-dst-mac or src-dst-ip algorithm to maximize the load distribution across all the links?
Scenario 3 Answers
- All bundled ports must have the same set of allowed VLANs, the same native VLAN, the same trunk encapsulation, and the same trunk mode. (In addition, the switch ports all must have identical speed and duplex settings.)
- You can use the following configuration commands:
CatalystA(config)# interface range gigabitethernet 3/1 - 4
CatalystA(config-if)# channel-protocol pagp
CatalystA(config-if)# channel-group 1 mode desirable
- The Catalyst 6500 default algorithm is the XOR of the source and destination IP addresses, using the port-channel load-balance src-dst-ip command.
- Most of the traffic crossing the EtherChannel will have the same two MAC addresses as source or destination—that of the two Layer 3 interfaces. Therefore, the src-dst-mac algorithm always will use only one of the four links within the EtherChannel. The source and destination IP addresses, however, probably will be varied and will yield the best distribution.
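To see why the answer to question 4 prefers src-dst-ip, here is an added simulation (Python, not from the book) of how a four-link bundle distributes constructed routed traffic under each method. It simplifies the Catalyst 6500 hash to an XOR of the two selected addresses with the low two bits choosing the link; the MAC and IP addresses are sample values.

```python
"""Load distribution on a four-link EtherChannel: src-dst-mac vs src-dst-ip.

Added example. The hash is a simplification of the Catalyst 6500 behaviour:
XOR the selected source and destination fields and use the low-order bits
to pick a member link, so with four links the low two bits decide.
"""
import ipaddress
import random
from collections import Counter

NUM_LINKS = 4   # four GigabitEthernet members, as in Scenario 3


def _mac_int(mac: str) -> int:
    # accepts Cisco dotted form (0000.0c11.aaaa) or colon-separated form
    return int(mac.replace(":", "").replace(".", ""), 16)


def link_for_flow(src_mac, dst_mac, src_ip, dst_ip, algorithm):
    """Pick the member link for one flow under the named load-balance method."""
    if algorithm == "src-dst-mac":
        h = _mac_int(src_mac) ^ _mac_int(dst_mac)
    elif algorithm == "src-dst-ip":
        h = int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    else:
        raise ValueError(f"unknown load-balance algorithm: {algorithm}")
    return h % NUM_LINKS          # keeps the low-order bits of the XOR


def distribution(flows, algorithm):
    """Flows per member link, {link_index: count}, for a list of flow tuples."""
    counts = Counter(link_for_flow(*flow, algorithm) for flow in flows)
    return {link: counts.get(link, 0) for link in range(NUM_LINKS)}


def links_used(flows, algorithm):
    """How many of the member links carry at least one flow."""
    return sum(1 for n in distribution(flows, algorithm).values() if n)


def routed_flows(n=1000, seed=1):
    """Constructed traffic crossing a Layer 3 EtherChannel: every frame carries
    the same two interface MACs, while the host IP pairs vary."""
    rng = random.Random(seed)
    a_mac, b_mac = "0000.0c11.aaaa", "0000.0c22.bbbb"   # the two L3 interfaces
    return [
        (a_mac, b_mac,
         f"10.1.{rng.randrange(256)}.{rng.randrange(1, 255)}",
         f"10.2.{rng.randrange(256)}.{rng.randrange(1, 255)}")
        for _ in range(n)
    ]


if __name__ == "__main__":
    flows = routed_flows()
    for algo in ("src-dst-mac", "src-dst-ip"):
        print(algo, distribution(flows, algo))
```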
Scenario 4: Traditional STP
This scenario exercises your ability to think through the Spanning Tree Protocol operation. You are presented with a simple network of two switches. This keeps the STP complexity to a minimum while forcing you to think through the STP convergence process on a live network. Given the network diagram shown in Figure 19-4, complete the following exercises.
Figure 19-4 Network Diagram for Scenario 4
- Manually compute the spanning-tree topology. Note which switch is the root bridge, which ports are root ports and designated ports, and which ports are in the Blocking state.
- If the 100-Mbps link (port FastEthernet 1/2) is disconnected, what happens with the STP?
- If the 1000-Mbps link (port GigabitEthernet 2/1) is disconnected, how much time will elapse before the two switches can communicate again? (Assume that both switches use the default STP timer values and no additional features for faster convergence.)
- Assume that the physical 1000-Mbps link (port GigabitEthernet 2/1) stays up and active, but BPDUs are not allowed to pass (that is, an access list filter is blocking BPDUs). What happens and when?
Scenario 4 Answers
- The spanning-tree topology should look like the diagram in Figure 19-9. Catalyst A is the root bridge, and only the 1000-Mbps link is forwarding. The root ports (RP) and designated ports (DP) are labeled on the diagram.
Figure 19-9 Resulting Spanning-Tree Topology for Scenario 4
- Because the 100-Mbps link is in the Blocking state on Catalyst B, no major change in the topology occurs. Effectively, this link already was “disconnected.” However, after the physical link status goes down, both Catalyst A and Catalyst B sense the change and begin sending TCN BPDUs to notify each other of the topology change. Because Catalyst A is the root bridge, it acknowledges the TCN to Catalyst B. Both switches age out their MAC address tables in Forward Delay seconds.
- Disconnecting the 1000-Mbps link causes Catalyst B to immediately find another root port. Ports 1/1 and 1/2 go into the Listening state, waiting to receive BPDUs. Port 1/2, with a cost of 19, becomes the next root port as soon as Catalyst B computes the root path cost (0+19) for it. Port 1/2 stays in the Listening state for Forward Delay (15 seconds), and then in the Learning state for Forward Delay (15 seconds). Port 1/2 moves into the Forwarding state, restoring connectivity in 30 seconds. (If PAgP is operating on the port, an additional delay of 20 seconds occurs.)
- Because the 1000-Mbps link’s status stays up, neither Catalyst detects a link failure. Therefore, no immediate attempt to find another root port occurs. Instead, Catalyst B will not receive BPDUs from Catalyst A over link GigabitEthernet 2/1 because they are being filtered out. After the MaxAge Timer expires (20 seconds), Catalyst B ages out the stored BPDU for Catalyst A on port GigabitEthernet 2/1. Catalyst B moves ports FastEthernet 1/1 and 1/2 into the Listening state to determine a new root port. As in step 3, port FastEthernet 1/2 becomes the root port with a lower root path cost than port FastEthernet 1/1. The port moves through the Listening (15 seconds) and Learning (15 seconds) states and into the Forwarding state. The total time that has elapsed before connectivity restores is 20 + 15 + 15 = 50 seconds. (Again, if PAgP is active on the port, an additional 20 seconds can be added to the delay.)
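The root-port election and the 30-second and 50-second reconvergence figures in the answers above, worked as an added Python model that is not from the book. The speeds of Catalyst B's uplinks are assumptions, because the figure is not reproduced on this page; they are stated in the docstring.

```python
"""Root-port election and reconvergence timing for Scenario 4 (added example).

Catalyst A is the root bridge and Catalyst B has three uplinks to it. Assumed
speeds: Gi2/1 at 1000 Mbps and Fa1/2 at 100 Mbps (the chapter's costs 4 and
19), and Fa1/1 at 10 Mbps so that its cost exceeds Fa1/2's, as the chapter's
answer requires. Timers are the 802.1D defaults the chapter assumes.
"""
import re

FORWARD_DELAY = 15   # seconds spent in each of Listening and Learning
MAX_AGE = 20         # seconds before a stored BPDU ages out
PAGP_DELAY = 20      # extra delay the chapter cites when PAgP runs on the port
PORT_COST = {1000: 4, 100: 19, 10: 100}   # classic 802.1D short-method costs

# constructed: Catalyst B's uplinks toward the root, {port: speed in Mbps}
SCENARIO_4_UPLINKS = {"Gi2/1": 1000, "Fa1/1": 10, "Fa1/2": 100}


def port_id(port: str) -> tuple:
    """Tie-breaker standing in for the 802.1D port ID: lower slot/port wins."""
    return tuple(int(n) for n in re.findall(r"\d+", port))


def root_port(uplinks: dict, advertised_cost: int = 0) -> tuple:
    """Elect the root port. Root path cost is the cost advertised by the
    upstream bridge (0 from the root itself) plus the receiving port's cost;
    ties go to the lowest port ID because every BPDU here comes from the
    same sender, Catalyst A. Returns (port, root_path_cost)."""
    def cost(port):
        return advertised_cost + PORT_COST[uplinks[port]]
    best = min(uplinks, key=lambda p: (cost(p), port_id(p)))
    return best, cost(best)


def failover(uplinks: dict, failed_port: str, bpdus_filtered=False, pagp=False):
    """Outcome when failed_port stops delivering BPDUs: (new root port, its
    root path cost, seconds until it forwards). A failed port that was not the
    root port changes nothing but TCN traffic, so the delay is 0. With
    bpdus_filtered=True the link stays physically up, so the stored BPDU must
    first age out (MaxAge) before B looks for a new root port."""
    current_rp, current_cost = root_port(uplinks)
    if failed_port != current_rp:
        return current_rp, current_cost, 0
    remaining = {p: s for p, s in uplinks.items() if p != failed_port}
    new_rp, new_cost = root_port(remaining)
    delay = (MAX_AGE if bpdus_filtered else 0) + 2 * FORWARD_DELAY  # Listening + Learning
    if pagp:
        delay += PAGP_DELAY
    return new_rp, new_cost, delay


if __name__ == "__main__":
    print("steady state:", root_port(SCENARIO_4_UPLINKS))
    print("Fa1/2 down:", failover(SCENARIO_4_UPLINKS, "Fa1/2"))
    print("Gi2/1 down:", failover(SCENARIO_4_UPLINKS, "Gi2/1"))
    print("Gi2/1 up, BPDUs filtered:",
          failover(SCENARIO_4_UPLINKS, "Gi2/1", bpdus_filtered=True))
```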
Scenario 5: Advanced STP
A small network consists of two core switches, Catalyst C1 and C2, and an access switch, A1, as shown in Figure 19-5. Advanced Spanning Tree Protocol features will improve the convergence times and reduce the number of STP instances. Answer these questions.
Figure 19-5 Network Diagram for Scenario 5
- To prevent the possibility of a unidirectional link occurring on switch A1’s uplinks, what switch feature can be used? What commands are necessary to enable this feature? Assume that the links should be disabled if a unidirectional condition is found. Which switches need to be configured this way?
- On Catalyst A1, what feature and command should be used to prevent unexpected STP BPDUs from being received on the ports connected to end users?
- For the links between switch A1 and the user PCs, what command is needed to configure these as RSTP edge ports?
- By default, the traditional PVST+ mode is enabled on a switch. What command can be used to enable RSTP to be used with PVST+?
- Suppose that MST is to be configured to reduce the number of STP instances because 12 unique VLANs are being used across the network. How many MST instances are needed for the three switches shown in Figure 21-4, assuming that traffic should be load-balanced across the two uplinks of switch A1?
- What commands are needed to configure switch C1 for MST?
- Now make sure that C1 is configured as the root bridge for one MST instance. What commands are needed?
Scenario 5 Answers
- The Unidirectional Link Detection (UDLD) feature can be used. You can use the udld aggressive global-configuration command to enable UDLD on all fiber-optic ports. UDLD must be enabled on both ends of a link, so it should be enabled on switches A1 and also C1 and C2.
- The BPDU Guard feature can be used to detect and stop unexpected BPDUs from being received on access layer ports. You can use the following interface-configuration command to enable this feature:
Switch(config-if)# spanning-tree bpduguard enable
- The spanning-tree portfast interface-configuration command defines an edge port.
- You can use the following global configuration command to enable rapid PVST+:
Switch(config)# spanning-tree mode rapid-pvst
- A minimum of two MST instances are needed so that traffic can be load-balanced. One instance can support VLANs 100 through 104; the other can support VLANs 200 through 204. To load-balance, traffic from one instance must be carried over one uplink while the other instance is carried over the second uplink.
- You can use these configuration commands:
Switch(config)# spanning-tree mode mst
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# name NorthWestDivision
Switch(config-mst)# revision 1
Switch(config-mst)# instance 1 vlan 100, 101, 102, 103, 104, 99
Switch(config-mst)# instance 2 vlan 200, 201, 202, 203, 204
Switch(config-mst)# exit
Notice that VLAN 99, used for switch-management traffic, also is mapped to an MST instance. It is sometimes easy to forget about nonuser or nonaccess VLANs.
- This command makes C1 become the MST root bridge for instance 1:
Switch(config)# spanning-tree mst 1 root primary
This causes the uplink from C1 to A1 to be used for instance 1 by keeping it in the Forwarding state. Switch C2 also should be configured as the root for MST instance 2 so that the other uplink can be used for those VLANs.
Scenario 6: Router Redundancy with HSRP and GLBP
This scenario covers two methods by which you can configure multilayer switches to provide redundant router or gateway functionality: HSRP and GLBP.
A network consists of two VLANs: 101 and 102. Suppose that the PCs in VLAN 101 (192.168.101.0/24) use address 192.168.101.1 as their default gateway. The PCs in VLAN 102 (192.168.102.0/24) use 192.168.102.1.
- What commands are necessary to configure HSRP on a Catalyst switch so that it becomes the active router for VLAN 101 and the standby router for VLAN 102? If a failed router interface is restored, control should be passed back to it from the HSRP standby router. (You can use IP addresses 192.168.101.2 and 192.168.102.2, if needed.)
- What commands can you use to configure VRRP for the network described in question 1?
- GLBP is to be used in the network shown in Figure 19-6. Answer the following questions about this network.
Figure 19-6 Network Diagram for Scenario 6
a. What command should you use to make Catalyst B become the active virtual gateway (AVG) for GLBP group 10?
b. The virtual gateway address is 192.168.10.1. Which switches should be configured for this, and with what command?
c. Give the command needed on the AVG to implement round-robin load balancing, evenly distributing the virtual gateway MAC addresses across the set of AVFs.
d. Each of the AVF switches must be configured to become members of GLBP group 10. How can this be accomplished?
Scenario 6 Answers
- You can configure HSRP load balancing with the following Catalyst configuration commands:
Switch(config)# interface vlan 101
Switch(config-if)# ip address 192.168.101.2 255.255.255.0
Switch(config-if)# standby 101 priority 110
Switch(config-if)# standby 101 preempt
Switch(config-if)# standby 101 ip 192.168.101.1
Switch(config-if)# interface vlan 102
Switch(config-if)# ip address 192.168.102.2 255.255.255.0
Switch(config-if)# standby 102 priority 100
Switch(config-if)# standby 102 preempt
Switch(config-if)# standby 102 ip 192.168.102.1
The default gateway address that is shared between the switches is configured as 192.168.101.1 for VLAN 101 and 192.168.102.1 for VLAN 102. In VLAN 101, the virtual interface has an IP address of 192.168.101.2. Two HSRP groups are defined, one for each VLAN. Interface VLAN 101 will be the active router for VLAN 101 because of its higher priority of 110 (over a default of 100 on the other Catalyst). If control is passed to the standby router, this router can assume control again through the use of the preempt command. For VLAN 102, the roles are reversed. This router becomes the standby router in Group 102, with its lower priority of 100. (The other switch will be configured with priority 110 for VLAN 102 to take the active router role.)
- Functionally, VRRP is very similar to HSRP. The following commands can be used to configure VRRP. No commands are necessary to enable the router to pre-empt for VRRP; preemption is the default.
Switch(config)# interface vlan 101
Switch(config-if)# ip address 192.168.101.2 255.255.255.0
Switch(config-if)# vrrp 101 priority 110
Switch(config-if)# vrrp 101 ip 192.168.101.1
Switch(config-if)# interface vlan 102
Switch(config-if)# ip address 192.168.102.2 255.255.255.0
Switch(config-if)# vrrp 102 priority 100
Switch(config-if)# vrrp 102 ip 192.168.102.1
- The four-part answers to question 2 are as follows:
a. By default, all switches have a GLBP priority of 100. Catalyst B’s priority can be raised with the glbp 10 priority 200 command.
b. Only the AVG switch, Catalyst B, needs to be configured with the gateway address. It will inform all other members of the group. You should use the glbp 10 ip 192.168.10.1 command.
c. glbp 10 load-balancing round-robin
d. Each AVF switch should receive the glbp 10 ip interface-configuration command. No IP address is needed here because the virtual gateway address is learned from the group’s AVG.
Scenario 7: Multicast
This scenario tests your knowledge of various multicast switching features. Think about how multicast traffic traverses a network and how switches can be configured to participate in building multicast topologies. Then consider how you can configure the switches to limit the forwarding of unnecessary multicast traffic.
- Under what conditions is IGMP snooping more suitable than CGMP for handling multicast traffic?
- Figure 19-7 shows a network diagram. Assume that all switches use the default multicast configurations. Where in the network will multicast traffic originating from PC-1 on Catalyst A (VLAN 101) be seen?
Figure 19-7 Network Diagram for Scenario 7
- What configuration is needed on Catalysts C and D to limit multicast traffic to only those ports that explicitly join multicast groups, using CGMP with PIM dense mode? Assume that this is needed on both VLANs 101 and 102. What configuration is needed on Catalysts A and B, which are not capable of IGMP snooping?
Scenario 7 Answers
- With IGMP snooping, a switch can listen to IGMP activity for itself. Although this burdens the switch supervisor with examining IGMP reports from multicast group members, the learning process does not require a router or multilayer switch. However, if a switch does not have hardware capable of IGMP snooping natively, CGMP and help from an external router are required.
- By default, a switch must forward broadcast and multicast frames out all available ports on a VLAN. The multicast traffic will be seen on all VLAN 101 ports on Catalyst A. In addition, Catalyst C and Catalyst D bridge the multicast traffic over the trunk links between them. Finally, all VLAN 101 ports on Catalyst B also forward the multicasts.
- In this network, CGMP configuration is needed on both types of switches, whether or not IGMP snooping can be used. You can use the following commands on one of the multilayer switches:
Switch(config)# ip multicast-routing
Switch(config)# interface vlan 101
Switch(config-if)# ip pim dense-mode
Switch(config-if)# ip cgmp
Switch(config-if)# interface vlan 102
Switch(config-if)# ip pim dense-mode
Switch(config-if)# ip cgmp
On Catalysts A and B, only the cgmp global-configuration command is needed.
Scenario 8: IP Telephony in a Switched Network
This scenario uses a simple two-switch network to reinforce the concepts needed to properly implement IP telephony. Think about supplying power to the Cisco IP Phone, as well as how to implement QoS trust within this network. Use Figure 19-8 as a reference for the following questions.
Figure 19-8 Network Diagram for Scenario 8
- Assume that Catalyst B supports Power over Ethernet. If interface Fa1/0/1 has its default configuration, will power be supplied to the IP Phone? Now suppose that someone has entered the power inline never command for that interface. What command could you use to begin supplying power to the phone dynamically?
- Where should a QoS trust boundary be implemented? In other words, which switches should trust incoming QoS information and which ones should not?
- On Catalyst B, configure interface FastEthernet 3/1 to inform the IP Phone to use VLAN 17 for voice traffic. Also add a configuration command to ensure that no QoS trust is extended to the IP Phone’s PC data port.
- What configuration commands would be necessary to enable QoS trust on Catalyst B’s Gig 1/0/1 uplink and to disable trust on port Fa1/0/2 where the user PC is connected?
Scenario 8 Answers
- In the default configuration, PoE will automatically be supplied if a powered device is detected. If someone has disabled PoE on that interface, you can re-enable it by using the power inline auto interface-configuration command.
- The QoS domain should consist of the two Catalyst switches, A and B. QoS trust should be extended to the IP Phone connected to Catalyst B. QoS information should be trusted on the ports connecting switches A and B.
QoS information should not be trusted on Catalyst A port Gig1/0/1 (the public network), Catalyst B port Fa1/0/2 (PC), or the IP Phone’s PC data port. At these locations, incoming QoS information should be overwritten to known and trusted values, such as COS 0 or DSCP 0.
- The following commands define VLAN 17 as the voice VLAN (VVID) and the IP Phone’s data port as untrusted:
Switch(config)# interface fastethernet 3/1
Switch(config-if)# switchport voice vlan 17
Switch(config-if)# switchport priority extend cos 0
- To enable trust on the uplink, you can use the following commands:
CatalystB(config)# interface gigabitethernet 1/0/1
CatalystB(config-if)# mls qos trust cos
Then to disable trust on Fa 1/0/2, you can use these commands:
CatalystB(config)# interface fastethernet 1/0/2
CatalystB(config-if)# no mls qos trust
Scenario 9: Securing Access and Managing Traffic in a Switched Network
This scenario is designed to stir your thinking about how to control access to switched networks, how to control traffic within a VLAN, and how to monitor traffic.
- Network administrators want to have tight control over hosts moving around within their network. A Catalyst 3750 needs to have port-level security enabled on all 48 of its FastEthernet access-layer ports. Only one host should be connected per port, so the default behavior of shutting down the port is acceptable. What commands are necessary to do this?
- Port-level security is desired on a Catalyst 3750 interface FastEthernet 1/0/18, where 24 users are connected through an Ethernet hub. Rather than have the switch port shut down upon a security violation, network administrators want only the hosts in violation to be rejected. What command can accomplish this?
- Configure a VLAN access control list that can perform packet filtering within a VLAN. Users in the 192.168.191.0 255.255.255.0 network should be allowed to use only HTTP (www) traffic to the web server 192.168.191.199/24, on VLAN 180. How can you configure the VACL to accomplish this?
- An access-layer switch has ports FastEthernet 1/0/1 through 1/0/48 connected to end-user PCs. Is it possible for a user to make one of these ports come up in trunking mode? If so, what commands should you enter to prevent unexpected trunk negotiation?
- Suppose that a switch has a trunk link GigabitEthernet 1/0/1 configured with the following commands:
Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 100
Switch(config-if)# switchport trunk allowed vlan 100-300
Switch(config-if)# switchport mode trunk
VLANs 100, 200, and 300 all are used for user traffic. What, if anything, should be done to the trunk configuration to prevent a VLAN hopping attack from occurring?
- A Catalyst switch has users connected to ports FastEthernet 1/0/1 through 1/0/30. These users are associated with VLAN 50. Two production DHCP servers are connected to ports FastEthernet 1/0/40 and 1/0/41. What commands should be entered to enable DHCP snooping so that DHCP spoofing attacks can be detected and prevented?
- Assume that a server is connected to interface GigabitEthernet 3/3 on a Catalyst 6500. What command can be used to monitor traffic transmitted and received on the server port with a network analyzer connected to interface GigabitEthernet 5/8 on the same switch?
- Suppose that the only network analyzer available has a 10/100 Ethernet NIC. It is connected to Catalyst 6500 interface FastEthernet 2/1, to monitor the server on GigabitEthernet 3/3. Explain any problems you might encounter with this setup.
Scenario 9 Answers
- On a Catalyst 3750, you can use the following commands:
Switch(config)# interface range fastethernet 1/0/1 - 48
Switch(config-if)# switchport port-security
- On a Catalyst 3750, you can use the following commands:
Switch(config)# interface fastethernet 1/0/18
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 24
Switch(config-if)# switchport port-security violation restrict
The first command line enables port-level security on the switch port. The second line configures port security to learn up to 24 MAC addresses dynamically on that port. The last line configures the switch to restrict any MAC addresses found to be in violation (any additional addresses learned beyond the 24). The port stays up, allowing the other users to communicate.
- You can use the following commands:
Switch(config)# access-list 101 permit tcp 192.168.191.0 0.0.0.255 host 192.168.191.199 eq www
Switch(config)# vlan access-map myfilter
Switch(config-access-map)# match ip address 101
Switch(config-access-map)# action forward
Switch(config-access-map)# match
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan filter myfilter vlan-list 180
The first line configures an access list that will be used only to match against traffic being forwarded on a VLAN. The permit keyword causes matching traffic only to be eligible for an action by the VACL; it does not cause the matching traffic to be forwarded or not. The VACL is configured to first match traffic with access list 101; this traffic is forwarded as normal. Then a simple match statement is given so that all other traffic is matched; this remaining traffic is dropped so that it does not reach its destination. The VACL then is applied to VLAN 180.
- In the default configuration, a switch port uses the switchport mode dynamic auto command. Therefore, it passively waits for a switch on the far end to initiate DTP negotiation to enter trunking mode. A malicious user could spoof the DTP exchange, causing the switch to bring the port into trunking mode. You can use the following commands to prevent unexpected trunk negotiation:
Switch(config)# interface range fastethernet 1/0/1 - 48
Switch(config-if)# switchport mode access
In addition, you should disable any unused access ports and set the access VLAN to an unused or isolated VLAN ID.
- The trunk configuration does have a weakness that could allow attackers to inject packets that essentially “hop” from one VLAN to another. The trunk has VLAN 100 as its native VLAN, a VLAN that also is used for user traffic elsewhere in the network. The solution is to configure the trunk to have an unused VLAN ID for its native VLAN. Then the native VLAN should be manually pruned or disallowed from entering the trunk. By changing the native VLAN command (the fourth line) in the following interface configuration, the native VLAN becomes VLAN 9, which is not allowed on the trunk:
Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 9
Switch(config-if)# switchport trunk allowed vlan 100-300
Switch(config-if)# switchport mode trunk
- You can use the following commands to enable DHCP snooping on the switch:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 50
Switch(config)# interface range fastethernet 1/0/40 - 41
Switch(config-if)# ip dhcp snooping trust
Only the two ports where legitimate DHCP servers are connected are configured as trusted ports. All other ports are considered to be untrusted, by default. If the switch has an uplink to other switches, you also should use the ip dhcp snooping trust command to configure the uplink as trusted. This assumes that the upstream switches have DHCP snooping configured also; it’s wise to extend trust to an uplink only if the trusted domain also extends to the neighboring switches.
- The following commands can configure a local SPAN session on the Catalyst 6500:
Switch(config)# monitor session 1 source interface gigabitethernet 3/3 both
Switch(config)# monitor session 1 destination interface gigabitethernet 5/8
- The only potential problem is with the mismatch in connection speeds. The server has a Gigabit Ethernet connection, while the analyzer is limited by its Fast Ethernet connection. If the server has a low utilization on its connection, the network analysis might turn out fine. Otherwise, if the server’s connection is using most of the available 1000 Mbps of bandwidth, the analyzer misses a large portion of the mirrored packets.
The server and its connection will not suffer from the speed mismatch. The Catalyst switch continues to forward packets to and from the server as if no port mirroring was occurring. Only when the packets are being copied to the monitor port queue can they potentially be dropped.
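A small configuration audit for the weaknesses in Scenario 9 answers 4 and 5 (user ports left in dynamic auto mode, and a user VLAN serving as a trunk's native VLAN), as an added Python example that is not from the book. The parser, the rule wording and the USER_VLANS set are this example's own; the two trunk configurations are the chapter's, before and after the fix, embedded as constructed input.

```python
"""Audit switchport configuration for the two Scenario 9 weaknesses:
access ports left at the IOS default 'dynamic auto' (a DTP exchange can turn
them into trunks) and 802.1Q trunks whose native VLAN is a user VLAN or is
still allowed on the trunk (VLAN hopping). Added example, not from the book.
"""
import re

USER_VLANS = {100, 200, 300}   # constructed: VLANs carrying user traffic in Scenario 9
PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")   # strips 'Switch(config-if)# '


def expand_vlan_list(spec: str) -> set:
    """'100-300' or '100, 101, 99' -> set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config_text: str) -> dict:
    """{interface: attributes} from IOS-style lines, with or without prompts."""
    interfaces, attrs = {}, None
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.match(r"interface(?: range)? (.+)", line):
            # IOS default for a switchport with no 'switchport mode' line
            attrs = interfaces.setdefault(m.group(1).strip(), {"mode": "dynamic auto"})
        elif attrs is None or not line:
            continue
        elif m := re.match(r"switchport mode (.+)", line):
            attrs["mode"] = m.group(1).strip()
        elif m := re.match(r"switchport trunk native vlan (\d+)", line):
            attrs["native"] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (.+)", line):
            attrs["allowed"] = expand_vlan_list(m.group(1))
    return interfaces


def audit(config_text: str, user_vlans=USER_VLANS) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for name, a in parse_interfaces(config_text).items():
        if a["mode"].startswith("dynamic"):
            findings.append(f"{name}: mode '{a['mode']}' negotiates trunks via DTP; "
                            "use 'switchport mode access' on user ports")
        elif a["mode"] == "trunk":
            native = a.get("native", 1)      # IOS default native VLAN is 1
            allowed = a.get("allowed")       # None means every VLAN is allowed
            if native in user_vlans:
                findings.append(f"{name}: native VLAN {native} also carries user traffic")
            if allowed is None or native in allowed:
                findings.append(f"{name}: native VLAN {native} is allowed on the trunk; "
                                "prune it from the allowed list")
    return findings


# constructed input: the chapter's trunk before the fix ...
WEAK_TRUNK = """\
Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 100
Switch(config-if)# switchport trunk allowed vlan 100-300
Switch(config-if)# switchport mode trunk
"""
# ... and after it: unused native VLAN 9, kept off the allowed list
FIXED_TRUNK = WEAK_TRUNK.replace("native vlan 100", "native vlan 9")
# user ports with port security but no 'switchport mode' line (IOS default applies)
DEFAULT_USER_PORTS = "interface range fastethernet 1/0/1 - 48\nswitchport port-security\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_TRUNK), ("fixed", FIXED_TRUNK),
                       ("default ports", DEFAULT_USER_PORTS)):
        print(label, audit(cfg) or ["ok"])
```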