
Three fundamental decisions must be made: one concerned with finding the egress switch port, and two concerned with forwarding policies. All these decisions are made simultaneously by independent portions of switching hardware and can be described as follows:
L2 forwarding table
Security ACLs
QoS ACLs

In multilayer switching, the decision of where to forward the packet is based on two address tables, whereas the decision of how to forward the packet is still based on access list results. As in Layer 2 switching, all these multilayer decisions are performed simultaneously in hardware:
L2 forwarding table
L3 forwarding table
Security ACLs
QoS ACLs
By default, idle CAM table entries are kept for 300 seconds before they are deleted.

Switch(config)# mac address-table aging-time seconds


Switch(config)# mac address-table static mac-address vlan vlan-id interface type mod/num

Switch(config)# interface type module/number


Switch(config)# interface fastethernet 0/14
Switch(config)# interface range type module/number [, type module/number ...]
Switch(config)# interface range fastethernet 1/0/3 , fastethernet 1/0/7 , fastethernet 1/0/9 , fastethernet 1/0/48
Switch(config)# interface range type module/first-number - last-number

Switch(config)# interface range fastethernet 1/0/1 - 48

Switch(config)# define interface-range macro-name type module/number [, type module/number ...] [type module/first-number - last-number] [...]
Switch(config)# interface range macro macro-name
Switch(config)# define interface-range MyGroup gig 2/0/1 , gig 2/0/3 - 2/0/5 , gig 3/0/1 , gig 3/0/10 , gig 3/0/32 - 3/0/48
Switch(config)# interface range macro MyGroup
Switch(config-if)# description description-string
Switch(config-if)# speed {10 | 100 | 1000 | auto}
Switch(config-if)# duplex {auto | full | half}
STATIC VLANS
Switch(config)# vlan vlan-num
Switch(config-vlan)# name vlan-name
Switch(config)# interface type module/number
Switch(config-if)# switchport
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan vlan-num

VLAN Trunk Configuration


Use the following commands to create a VLAN trunk link:
Switch(config)# interface type mod/port
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}
Switch(config-if)# switchport trunk native vlan vlan-id
Switch(config-if)# switchport trunk allowed vlan {vlan-list | all | {add | except | remove} vlan-list}
Switch(config-if)# switchport mode {trunk | dynamic {desirable | auto}}

Switch(config-if)# switchport nonegotiate (disables DTP)

Switch# show interface type mod/port trunk
Switch# show interface type mod/num switchport
STP
BPDUs are sent to the STP multicast address 01-80-c2-00-00-00.
Two types of BPDU exist:
Configuration BPDU, used for spanning-tree computation
Topology Change Notification (TCN) BPDU, used to announce changes in the network topology
The bridge ID is an 8-byte value consisting of the following fields:
Bridge Priority (2 bytes): The priority or weight of a switch in relation to all other switches. The Priority field can have a value of 0 to 65,535 and defaults to 32,768 (or 0x8000) on every Catalyst switch.
MAC Address (6 bytes): The MAC address used by a switch can come from the Supervisor module, the backplane, or a pool of 1,024 addresses that are assigned to every supervisor or backplane, depending on the switch model. In any event, this address is hard-coded and unique, and the user cannot change it.

If an entire instance of STP has been disabled, you can reenable it with the following global
configuration command:
Switch(config)# spanning-tree vlan vlan-id

If STP has been disabled for a specific VLAN on a specific port, you can reenable it with
the following interface configuration command:
Switch(config-if)# spanning-tree vlan vlan-id
Switch(config)# spanning-tree extend system-id
Switch(config)# spanning-tree vlan vlan-list priority bridge-priority

Switch(config)# spanning-tree vlan vlan-id root {primary | secondary}[diameter diameter]

The bridge-priority value defaults to 32,768, but you can also assign a value of 0 to
65,535. If STP extended system ID is enabled, the default bridge-priority is 32,768
plus the VLAN number. In that case, the value can range from 0 to 61,440, but only
as multiples of 4096. A lower bridge priority is preferable.
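An added example, not from the original notes, showing how the extended system ID turns the 2-byte priority field into "priority + VLAN number" and how the resulting 8-byte bridge IDs are compared during root election; the switches, priorities and MAC addresses below are constructed values.

```python
# Added example, not from the original notes: builds the 8-byte bridge ID
# (2-byte priority field + 6-byte MAC) with extended system ID enabled and
# elects the root by lowest bridge ID. All switches below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    priority: int   # configured bridge-priority: 0..61440 in multiples of 4096
    vlan: int       # system ID extension = VLAN number (1..4094)
    mac: str        # hard-coded switch MAC, e.g. "00:11:22:33:44:55"

    def priority_field(self) -> int:
        """16-bit priority field: 4-bit priority (x4096) + 12-bit VLAN number."""
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be 0..61440 in steps of 4096")
        if not 1 <= self.vlan <= 4094:
            raise ValueError("VLAN number out of range")
        return self.priority + self.vlan

    def as_int(self) -> int:
        """Whole 8-byte bridge ID as one integer; the lowest value wins root election."""
        mac = int(self.mac.replace(":", "").replace("-", ""), 16)
        return (self.priority_field() << 48) | mac

    def as_bytes(self) -> bytes:
        return self.as_int().to_bytes(8, "big")


def elect_root(bridges):
    """Return the bridge that becomes root: lowest priority field, then lowest MAC."""
    return min(bridges, key=BridgeId.as_int)


# Constructed VLAN 10 topology: two switches at the default priority (32768)
# and one configured with "spanning-tree vlan 10 priority 24576".
DEFAULT_A = BridgeId(32768, 10, "00:11:22:33:44:55")
DEFAULT_B = BridgeId(32768, 10, "00:00:0c:12:34:56")   # lower MAC than DEFAULT_A
LOWERED_C = BridgeId(24576, 10, "00:de:ad:be:ef:00")

if __name__ == "__main__":
    print(hex(DEFAULT_A.priority_field()))                    # 0x800a = 32768 + 10
    print(elect_root([DEFAULT_A, DEFAULT_B]).mac)             # tie on priority: lowest MAC
    print(elect_root([DEFAULT_A, DEFAULT_B, LOWERED_C]).mac)  # lower priority wins
```

Because the VLAN number occupies the low 12 bits, the default priority field differs per VLAN, which is why the configurable part must stay a multiple of 4096.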
Switch(config-if)# spanning-tree [vlan vlan-id] cost cost
Switch# show spanning-tree interface type mod/num [cost]
Switch(config-if)# spanning-tree [vlan vlan-list] port-priority port-priority
Switch(config)# spanning-tree [vlan vlan-id] hello-time seconds
Switch(config)# spanning-tree [vlan vlan-id] forward-time seconds
Switch(config)# spanning-tree [vlan vlan-id] max-age seconds

Switch(config)# spanning-tree vlan vlan-list root {primary | secondary} [diameter diameter [hello-time hello-time]]

PortFast: Enables fast connectivity to be established on access-layer switch ports to workstations that are booting
UplinkFast: Enables fast-uplink failover on an access-layer switch when dual uplinks are connected into the distribution layer
BackboneFast: Enables fast convergence in the network backbone or core layer switches after a spanning-tree topology change occurs
Switch(config)# spanning-tree portfast default
Switch(config-if)# [no] spanning-tree portfast

Switch(config)# interface type mod/num
Switch(config-if)# switchport host
The switchport host macro has three effects:
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Switch# show spanning-tree interface type mod/num portfast

Switch(config)# spanning-tree uplinkfast [max-update-rate pkts-per-second]


Switch# show spanning-tree uplinkfast
Switch(config)# spanning-tree backbonefast

After an STP topology has converged and becomes loop free, switch ports are assigned the following roles:
Root port: The one port on a switch that is closest (with the lowest root path cost) to the root bridge.
Designated port: The port on a LAN segment that is closest to the root. This port relays, or transmits, BPDUs down the tree.
Blocking port: Ports that are neither root nor designated ports.
Alternate port: Ports that are candidate root ports (they are also close to the root bridge) but are in the Blocking state. These ports are identified for quick use by the STP UplinkFast feature.
Forwarding port: Ports where no other STP activity is detected or expected. These are ports with normal end-user connections.

Switch(config-if)# spanning-tree guard root

Switch(config)# spanning-tree portfast bpduguard default


Switch(config-if)# [no] spanning-tree bpduguard enable
Switch(config)# spanning-tree loopguard default
Switch(config-if)# [no] spanning-tree guard loop
Switch(config)# udld {enable | aggressive | message time seconds}
Switch(config-if)# udld {enable | aggressive | disable}
Switch(config)# spanning-tree portfast bpdufilter default
Switch(config-if)# spanning-tree bpdufilter {enable | disable}

Root guard: Apply to ports where root is never expected.


BPDU guard: Apply to all user ports where PortFast is enabled.
Loop guard: Apply to nondesignated ports but okay to apply to all ports.
UDLD: Apply to all fiber-optic links between switches (must be enabled on both ends).
Permissible combinations on a switch port:
Loop guard and UDLD
Root guard and UDLD
Not permissible on a switch port:
Root guard and Loop guard
Root guard and BPDU guard

STP 802.1D
RSTP 802.1w
MST 802.1s

802.1D
Port roles:
Root port
Designated port
Blocking port (neither root nor designated)
Each switch port is also assigned one of five possible states:
Disabled
Blocking
Listening
Learning
Forwarding
802.1w
Port roles:
Root port: The one switch port on each switch that has the best root path cost to the root. This is identical to 802.1D.
Designated port: The switch port on a network segment that has the best root path cost to the root.
Alternate port: A port that has an alternative path to the root, different from the path the root port takes.
Backup port: A port that provides a redundant (but less desirable) connection to a segment where another switch port already connects.
Port states:
Discarding: Incoming frames simply are dropped; no MAC addresses are learned.
Learning: Incoming frames are dropped, but MAC addresses are learned.
Forwarding: Incoming frames are forwarded according to MAC addresses that have been (and are being) learned.
Port types:
Edge port: A port at the edge of the network, where only a single host connects. Traditionally, this has been identified by enabling the STP PortFast feature.
Root port: The port that has the best cost to the root of the STP instance.
Point-to-point port: Any port that connects to another switch and becomes a designated port.

Port Security
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum max-addr
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address mac-addr
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

Shutdown: The port is immediately put into the Errdisable state, which effectively shuts it down. It must be reenabled manually or through errdisable recovery to be used again.
Restrict: The port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.
Protect: The port is allowed to stay up, as in the restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept.

Switch# clear port-security dynamic [address mac-addr | interface type mod/num]
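A small model of the three violation modes, as an added example that is not part of the original notes: a port with a maximum of 2 secure addresses receives frames from a third MAC, and the three modes differ only in whether the port stays up and what the switch records. The port object, MAC addresses and log format are constructed for illustration.

```python
# Added example, not from the original notes: models what each
# "switchport port-security violation" mode does when a frame arrives from a
# MAC address that is not among the allowed secure addresses on the port.
from dataclasses import dataclass, field

MODES = ("shutdown", "restrict", "protect")


@dataclass
class SecurePort:
    maximum: int                                 # switchport port-security maximum max-addr
    violation: str                               # shutdown | restrict | protect
    static: set = field(default_factory=set)     # switchport port-security mac-address ...
    learned: set = field(default_factory=set)    # dynamically learned secure MACs
    errdisabled: bool = False
    violation_count: int = 0                     # running count (restrict mode only)
    log: list = field(default_factory=list)      # constructed syslog/SNMP alerts (restrict only)

    def __post_init__(self):
        if self.violation not in MODES:
            raise ValueError("violation must be shutdown, restrict or protect")

    def ingress(self, src_mac: str) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        src_mac = src_mac.lower()
        if self.errdisabled:
            return False                         # errdisabled: nothing passes until re-enabled
        secure = self.static | self.learned      # static entries count toward the maximum
        if src_mac in secure:
            return True
        if len(secure) < self.maximum:           # room left: learn it as a secure address
            self.learned.add(src_mac)
            return True
        # Violation: one more address than the port allows.
        if self.violation == "shutdown":
            self.errdisabled = True              # port goes to Errdisable immediately
        elif self.violation == "restrict":
            self.violation_count += 1
            self.log.append(f"PSECURE_VIOLATION on port from {src_mac}")
        # protect: drop silently, no count and no alert
        return False


def violation_demo(mode: str) -> dict:
    """Push frames from three constructed MACs through a max-2 port; report the outcome."""
    port = SecurePort(maximum=2, violation=mode)
    macs = ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03")
    forwarded = [port.ingress(m) for m in macs]
    forwarded.append(port.ingress(macs[0]))      # a previously secure MAC after the violation
    return {"forwarded": forwarded, "errdisabled": port.errdisabled,
            "violations": port.violation_count, "alerts": len(port.log)}
```

The fourth result shows the operational difference: in shutdown mode even the legitimate first host loses connectivity until the port is recovered, whereas restrict and protect keep serving it.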

Port-Based Authentication
802.1x Configuration
Remote Authentication Dial-In User Service (RADIUS): only RADIUS is supported as the authentication server for 802.1x.

Step 1. Enable AAA on the switch:
Switch(config)# aaa new-model

Step 2. Define external RADIUS servers:
Switch(config)# radius-server host {hostname | ip-address} [key string]

Step 3. Define the authentication method for 802.1x:
Switch(config)# aaa authentication dot1x default group radius

Step 4. Enable 802.1x on the switch:
Switch(config)# dot1x system-auth-control

Step 5. Configure each switch port that will use 802.1x:
Switch(config)# interface type mod/num
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}

force-authorized: The port is forced to always authorize any connected client. No authentication is necessary. This is the default state for all switch ports when 802.1x is enabled.
force-unauthorized: The port is forced to never authorize any connected client. As a result, the port cannot move to the authorized state to pass traffic to a connected client.
auto: The port uses an 802.1x exchange to move from the unauthorized to the authorized state, if successful. This requires an 802.1x-capable application on the client PC.
Step 6. Allow multiple hosts on a switch port.
Switch(config-if)# dot1x host-mode multi-host

DHCP Snooping
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]
Switch(config)# interface type mod/num
Switch(config-if)# ip dhcp snooping trust
Switch(config)# interface type mod/num
Switch(config-if)# ip dhcp snooping limit rate rate

The rate can be 1 to 2048 DHCP packets per second.


Switch(config)# [no] ip dhcp snooping information option
Switch# show ip dhcp snooping [binding]

IP Source Guard
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type mod/num
Switch(config)# interface type mod/num
Switch(config-if)# ip verify source [port-security]
Switch# show ip verify source [interface type mod/num]
Switch# show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] [interface type mod/num] [vlan vlan-id]

Dynamic ARP Inspection


Switch(config)# ip arp inspection vlan vlan-range
Switch(config)# interface type mod/num
Switch(config-if)# ip arp inspection trust
Switch(config)# arp access-list acl-name
Switch(config-acl)# permit ip host sender-ip mac host sender-mac [log]
[Repeat the previous command as needed]
Switch(config-acl)# exit
Switch(config)# ip arp inspection filter arp-acl-name vlan vlan-range [static]
Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
src-mac: Check the source MAC address in the Ethernet header against the sender MAC address in the ARP reply.
dst-mac: Check the destination MAC address in the Ethernet header against the target MAC address in the ARP reply.
ip: Check the sender's IP address in all ARP requests; check the sender's IP address against the target IP address in all ARP replies.
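The validation options above as executable checks, an added example that is not part of the original notes: an Ethernet II/ARP frame is parsed, compared against a (constructed) binding table as DAI always does, and then subjected to whichever of src-mac, dst-mac and ip were enabled. The frame builder, MAC addresses and bindings are constructed; the set of addresses the ip check rejects (0.0.0.0, 255.255.255.255 and multicast) is the one IOS documents for DAI.

```python
# Added example, not from the original notes: the checks that
# "ip arp inspection validate {src-mac dst-mac ip}" adds on top of the
# binding-table lookup, run over a constructed Ethernet II / ARP frame.
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def parse_arp(frame: bytes) -> dict:
    """Split a raw Ethernet II + ARP frame into the fields DAI inspects."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    # skip htype/ptype/hlen/plen (6 bytes), then opcode, sha, spa, tha, tpa
    op, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op, "sha": sha,
            "spa": str(ipaddress.IPv4Address(spa)), "tha": tha,
            "tpa": str(ipaddress.IPv4Address(tpa))}


def invalid_ip(addr: str) -> bool:
    """Addresses the 'ip' validation rejects: 0.0.0.0, 255.255.255.255, multicast."""
    return addr in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(addr).is_multicast


def inspect(frame: bytes, bindings: dict, validate=()) -> list:
    """Return the reasons DAI drops the frame; an empty list means forward."""
    a = parse_arp(frame)
    reasons = []
    # Always: sender IP/MAC must match a DHCP snooping or static (arp access-list) binding.
    if bindings.get(a["spa"]) != a["sha"]:
        reasons.append("sender ip/mac not in binding table")
    if "src-mac" in validate and a["eth_src"] != a["sha"]:
        reasons.append("src-mac: ethernet source != arp sender mac")
    if "dst-mac" in validate and a["op"] == ARP_REPLY and a["eth_dst"] != a["tha"]:
        reasons.append("dst-mac: ethernet destination != arp target mac")
    if "ip" in validate:
        if invalid_ip(a["spa"]):
            reasons.append("ip: invalid sender ip")
        if a["op"] == ARP_REPLY and invalid_ip(a["tpa"]):
            reasons.append("ip: invalid target ip in reply")
    return reasons


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Build a constructed Ethernet II + 28-byte ARP frame for testing."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + ipaddress.IPv4Address(spa).packed
            + tha + ipaddress.IPv4Address(tpa).packed)
```

Note that the binding lookup alone already rejects a sender MAC that does not belong to the claimed IP; the validate options catch the additional case where the ARP body is internally inconsistent with the Ethernet header or carries an address that no real host would use.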

Best Practices for Securing Switches

Configure secure passwords
Use system banners
Secure the web interface
Secure the switch console
Secure virtual terminal access
Use SSH whenever possible
Secure SNMP access
Secure unused switch ports
Secure STP operation
Secure the use of CDP

VLAN Access Lists (VACLs)
Switch(config)# vlan access-map map-name [sequence-number]
Switch(config-access-map)# match ip address {acl-number | acl-name}
Switch(config-access-map)# match ipx address {acl-number | acl-name}
Switch(config-access-map)# match mac address acl-name
Switch(config-access-map)# action {drop | forward [capture] | redirect type mod/num}
Switch(config)# vlan filter map-name vlan-list vlan-list

Securing VLAN Trunks


Switch Spoofing

VLAN Hopping
