Multilayer Switches Lab

1. The document provides configuration instructions for multilayer switching on access and distribution switches. It covers topics such as general switch settings, port configuration, unused ports, management plane protection, VLANs, STP, port security, DHCP snooping, ARP inspection, 802.1X authentication, and QoS.
2. Sections include configurations for interfaces, VLANs, protocols like VTP, MSTP, STP security, DHCP snooping, ARP inspection, 802.1X authentication, and basic QoS settings. Show and debug commands are also provided for verification and troubleshooting.
3. The goal is to harden switch security, optimize layer 2 protocols, and apply basic Q

Uploaded by tare890
Copyright: Attribution Non-Commercial (BY-NC)

Multilayer Switching Final Lab

v 0.2

1. General switch configuration. ACCESS and DISTRIBUTION layer switches.

- configure a distinct hostname
- disable DNS name resolution
- configure AAA authentication against the local database (admin/cisco/privilege 15, junior/class/privilege 1)
- configure the IP address on the management interface
- configure the default gateway to match the HSRP virtual address

GLOBAL:
  Switch(config)# no ip domain-lookup
  Switch(config)# aaa new-model
  Switch(config)# aaa authentication login default local
  Switch(config)# username admin privilege 15 secret cisco
  Switch(config)# username junior secret class
  Switch(config)# ip default-gateway <IP>
SHOWs:
  Switch# show hosts
  Switch# show aaa servers
  Switch# show aaa sessions
  Switch# show ip redirects

2. Common configuration for all interfaces. ACCESS layer switches.

- configure each port explicitly as trunk or access
- disable DTP negotiation
- configure storm control: broadcast max 10%, multicast max 30%, unicast max 60%
- configure port blocking for (unknown) unicast and multicast flooding

INTERFACE:
  Switch(config-if)# switchport nonegotiate
  Switch(config-if)# storm-control {unicast | multicast | broadcast} {action {shutdown | trap} | level {<percent_up> [<percent_down>]}}
  Switch(config-if)# switchport block {unicast | multicast}
SHOWs:
  Switch# show interface <intf> switchport
  Switch# show dtp [interface <intf>]
  Switch# show storm-control [<intf> [broadcast | unicast | multicast] | broadcast | unicast | multicast]
DEBUGs:
  Switch# debug dtp {events | states | packets | decisions | all}
  Switch# debug storm-control {statistics | detection}

3. Common configuration for unused physical interfaces. ACCESS and DISTRIBUTION layer switches.

- configure as access ports
- assign to an unused (parking) VLAN
- the parking VLAN is configured as shutdown
- the interface is configured as shutdown
- CDP is disabled on the interface

GLOBAL:
  Switch(config)# vlan <VID>
  Switch(config-vlan)# name Parking
  Switch(config-vlan)# shutdown

4. Management plane protection (VTY and HTTP ACLs). ACCESS and DISTRIBUTION layer switches.

- access is allowed only over HTTPS and SSH
- SSH and HTTPS access is restricted to IP addresses in the Management VLAN

GLOBAL:
  Switch(config)# access-list 99 permit <ID> <WM>
  Switch(config)# access-list 99 deny any
  Switch(config)# ip http secure-server
  Switch(config)# no ip http server
  Switch(config)# ip http access-class 99
  Switch(config)# line vty 0 15
  Switch(config-line)# access-class 99 in
  Switch(config-line)# transport input ssh
  Switch(config-line)# login authentication VTY
  Switch(config)# hostname Sw
  Switch(config)# ip domain-name CCNP.RO
  Switch(config)# crypto key generate rsa general-keys modulus 1024
  Switch(config)# ip ssh version 2
  Note: the method list VTY is not defined anywhere on this page; section 1 defines only the default list, which the VTY lines use if the `login authentication VTY` line is omitted.
SHOWs:
  Switch# show ip ssh
  Switch# show ssh
  Switch# show ip http server {status | connection | history | all}
  Switch# show tcp brief all
  Switch# show users
  Switch# show line [<vty>]
  Switch# show access-list
DEBUGs:
  Switch# debug ip ssh [client]
  Switch# debug ip http {authentication | ssl | transactions | url | all}

5: VLAN Trunking Protocol (VTP)

- all switches use the VTP domain: CCNP
- all switches use VTP version 2
- all switches run in transparent mode
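The checklist in sections 1 and 4 is easy to verify by hand on one switch and easy to miss on forty. The following audit script is an added example, not part of the lab and not a Cisco tool: it parses an IOS-style running-config (top-level lines plus the indented sub-lines of each `line ...` / `interface ...` block) and reports every gap against the checklist (no DNS lookups, local AAA, `ip ssh version 2`, HTTPS on with plain HTTP off and restricted by an access-class, every VTY range SSH-only behind an inbound access-class). The two configs below are constructed; the first one misses the second VTY range, which is exactly the kind of slip `line vty 0 15` in the lab is meant to prevent. One caveat the audit cannot see: the RSA key is not shown in `show running-config`, and the lab's `modulus 1024` is below current guidance (2048 bits or more).

```python
"""Audit an IOS running-config against the management-plane checklist of
sections 1 and 4: no DNS lookups, local AAA, SSH-only VTYs behind an
access-class, HTTPS on and plain HTTP off. Added example, not part of the
lab; the sample configs below are constructed."""
import re

# Constructed, partially hardened config (the second VTY range was missed).
SAMPLE_CONFIG = """\
hostname Sw
no ip domain-lookup
aaa new-model
aaa authentication login default local
username admin privilege 15 secret 5 $1$PLACEHOLDER
ip domain-name CCNP.RO
ip ssh version 2
access-list 99 permit 10.99.0.0 0.0.0.255
access-list 99 deny any
ip http server
ip http secure-server
ip http access-class 99
line vty 0 4
 access-class 99 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

# The same config with both gaps fixed, for comparison.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "ip http server\nip http secure-server",
    "no ip http server\nip http secure-server",
).replace(
    " transport input telnet ssh",
    " access-class 99 in\n transport input ssh",
)

REQUIRED_GLOBAL = [
    "no ip domain-lookup",
    "aaa new-model",
    "aaa authentication login default local",
    "ip ssh version 2",
    "no ip http server",
    "ip http secure-server",
]


def parse_ios(text):
    """Split a running-config into top-level lines and the indented
    sub-lines of each `line ...` / `interface ...` block."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                 # continuation of the open block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("line ", "interface ")):
            current = line
            blocks[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks


def audit_management_plane(text):
    """Return a list of findings; an empty list means the checklist is met."""
    global_lines, blocks = parse_ios(text)
    findings = [f"missing global: {cmd}" for cmd in REQUIRED_GLOBAL
                if cmd not in global_lines]
    if not any(l.startswith("ip http access-class ") for l in global_lines):
        findings.append("HTTPS server is not restricted by an access-class")
    for header, lines in blocks.items():
        if not header.startswith("line vty"):
            continue
        if "transport input ssh" not in lines:
            findings.append(f"{header}: transport input is not SSH-only")
        if not any(re.fullmatch(r"access-class \d+ in", l) for l in lines):
            findings.append(f"{header}: no inbound access-class")
    return findings


if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_CONFIG):
        print("FAIL", finding)
    print("hardened:", audit_management_plane(HARDENED_CONFIG) or "clean")
```

Feed it the output of `show running-config` saved to a file; each VTY range is checked separately, so a `line vty 5 15` block that falls back to the default transport is reported on its own line.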

5. Multiple Spanning Tree Protocol (MSTP). ACCESS and DISTRIBUTION layer switches.

- use a single region, named CCNP3
- start from revision number 1
- create 2 new instances, numbered 2 and 3
- map half of the VLANs to instance 2 and the other half to instance 3
- configure one switch as root for instances 1 and 2
- configure a DIFFERENT switch as root for instance 3
- configure the end-user access interfaces with portfast

GLOBAL:
  Switch(config)# spanning-tree mode mst
  Switch(config)# spanning-tree mst configuration
  Switch(config-mst)# name CCNP3
  Switch(config-mst)# revision 1
  Switch(config-mst)# instance 2 vlan <VID-VID>
  Switch(config-mst)# instance 3 vlan <VID-VID>
  Switch(config-mst)# exit
  Switch(config)# spanning-tree mst <instance> root {primary | secondary}
INTERFACE:
  Switch(config-if)# spanning-tree portfast
SHOWs:
  Switch# show spanning-tree mst [configuration [digest] | detail | service instance | interface <intf> [detail]]
DEBUGs & CLEARs:
  Switch# debug spanning-tree mst {all | bpdu | proposals | roles | state | sync | tc | timers ...}
  Switch# clear spanning-tree {counters [interface <intf>] | detected-protocols [interface <intf>]}

6. Securing the STP process (Spanning Tree Protocol). ACCESS layer switches.

- configure root guard on the interfaces toward end users
- configure BPDU guard on the interfaces toward end users
- configure loop guard on the interfaces toward switches
- configure UDLD aggressive on the interfaces toward switches

INTERFACE:
  Switch(config-if)# spanning-tree guard {root | loop | none}
  Switch(config-if)# spanning-tree bpduguard {enable | disable}
  Switch(config-if)# udld port aggressive
SHOWs:
  Switch# show udld [<intf> | neighbors]
  Switch# show spanning-tree interface <intf> [detail]
DEBUGs:
  Switch# debug udld {events | packets}

7. Port security. ACCESS layer switches.

- configured on all end-user access ports
- allow at most two MAC addresses per port
- enable sticky learning

GLOBAL:
  Switch(config)# errdisable recovery cause psecure-violation
  Switch(config)# errdisable recovery interval <sec>
INTERFACE:
  Switch(config-if)# switchport port-security maximum 2
  Switch(config-if)# switchport port-security mac-address sticky
  Switch(config-if)# switchport port-security
SHOWs:
  Switch# show port-security [interface <intf> [address [vlan <VID>]] | [vlan]] | [address [vlan <VID>]]
DEBUGs & CLEARs:
  Switch# debug port-security
  Switch# clear port-security {{all | configured | dynamic | sticky} [address <H.H.H> [vlan [<VID>]]] | [interface <intf> [vlan access]]}
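What the three interface commands plus errdisable recovery actually do together is worth seeing as a state machine, because the combination has a non-obvious property: once two sticky addresses are learned, a third host trips the port, recovery brings the port back after the interval, and the same third host trips it again, forever, until an operator clears the sticky entries. The model below is an added example (not from the lab and not Cisco code); MAC addresses, timestamps and the 30-second recovery interval are constructed, and the violation mode is the default `shutdown`.

```python
"""Model of port security with `maximum 2`, sticky learning and errdisable
recovery (section 7). Added example, not from the lab page; MAC addresses
and timestamps are constructed."""


class PortSecurity:
    def __init__(self, maximum=2, recovery_interval=30):
        self.maximum = maximum                       # switchport port-security maximum 2
        self.recovery_interval = recovery_interval   # errdisable recovery interval <sec>
        self.sticky = []                             # secure MACs, kept in running-config
        self.err_disabled_at = None
        self.violations = 0

    def clear_sticky(self):
        """clear port-security sticky: forget the learned addresses."""
        self.sticky.clear()

    def frame(self, src_mac, now):
        """Process one ingress frame at time `now` (seconds); return the action."""
        if self.err_disabled_at is not None:
            if now - self.err_disabled_at < self.recovery_interval:
                return "dropped (err-disabled)"
            self.err_disabled_at = None            # errdisable recovery cause psecure-violation
        if src_mac in self.sticky:
            return "forwarded"
        if len(self.sticky) < self.maximum:
            self.sticky.append(src_mac)            # learned as a sticky secure address
            return "learned"
        self.violations += 1
        self.err_disabled_at = now                 # default violation mode: shutdown
        return "violation: port err-disabled"


def run_scenario():
    """Two hosts fill the port, a third trips it; recovery alone does not
    admit the third host because the sticky entries survive."""
    ps = PortSecurity(maximum=2, recovery_interval=30)
    events = [("aaaa.aaaa.0001", 0), ("aaaa.aaaa.0002", 1), ("aaaa.aaaa.0001", 2),
              ("bbbb.bbbb.0003", 3), ("aaaa.aaaa.0001", 10), ("aaaa.aaaa.0001", 33),
              ("bbbb.bbbb.0003", 34)]
    results = [ps.frame(mac, t) for mac, t in events]
    ps.clear_sticky()                # operator action; only now can a new host be learned
    results.append(ps.frame("bbbb.bbbb.0003", 70))
    return results, ps.violations


if __name__ == "__main__":
    for step in run_scenario()[0]:
        print(step)
```

The practical consequence: a port that keeps flapping between err-disabled and recovered with `psecure-violation` as the cause is either a legitimate replaced host (clear the sticky entry for that port) or something to look at, and `show port-security interface <intf>` with its last-source-address field tells you which.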

8. IP DHCP Snooping. ACCESS layer switches.

- trusted ports toward the DHCP server
- untrusted and rate-limited ports toward clients
- enabled in all VLANs
- MAC address verification enabled
- option 82 insertion disabled

GLOBAL:
  Switch(config)# ip dhcp snooping database flash:snoop.dat
  Switch(config)# ip dhcp snooping database write-delay <sec>
  Switch(config)# ip dhcp snooping database timeout <sec>
  Switch(config)# no ip dhcp snooping information option
  Switch(config)# ip dhcp snooping verify no-relay-agent-address
  Switch(config)# ip dhcp snooping verify mac-address
  Switch(config)# ip dhcp snooping vlan VID1 VID2
  Switch(config)# ip dhcp snooping
  Switch(config)# errdisable recovery cause dhcp-rate-limit
  Switch(config)# errdisable recovery interval <sec>
INTERFACE & STATIC CONFIGURATION:
  Switch(config-if)# [no] ip dhcp snooping trust
  Switch(config-if)# ip dhcp snooping limit rate 15
  Switch# ip dhcp snooping binding <H.H.H> vlan <VID> <IP> interface <intf> expiry <sec>
SHOWs:
  Switch# show ip dhcp snooping binding
  Switch# show ip dhcp snooping database [detail]
  Switch# show ip dhcp snooping statistics [detail]
DEBUGs & CLEARs:
  Switch# debug ip dhcp snooping {event | packet | <H.H.H> | acl}
  Switch# clear ip dhcp snooping binding {* | interface <intf> | vlan <VID> | <IP>}
  Switch# clear ip dhcp snooping database statistics
  Switch# clear ip dhcp snooping statistics

9. IP Source Guard (IPSG). ACCESS layer switches.

- configure IPSG on the end-user access interfaces to check ONLY the source IP address (without the `port-security` keyword, which would add source-MAC filtering)

GLOBAL:
  Switch(config)# ip source binding <H.H.H> vlan <VID> <IP> interface <intf>
INTERFACE:
  Switch(config-if)# ip verify source [port-security]
SHOWs:
  Switch# show ip source binding [dhcp-snooping | interface <intf> | static]
  Switch# show ip verify source [interface <intf>]
DEBUGs:
  Switch# debug ip verify source packet

10. Dynamic ARP Inspection (DAI). ACCESS layer switches.

- configure all ports toward end users as untrusted
- configure the ports toward switches/routers as trusted
- limit ARP messages to 10 per second on the untrusted interfaces; a burst above that rate is tolerated for 2 seconds
- configure validation of the source/destination MAC addresses and of the IP address; the address 0.0.0.0 is permitted

GLOBAL:
  Switch(config)# ip arp inspection vlan <VID>
  Switch(config)# errdisable recovery cause arp-inspection
  Switch(config)# errdisable recovery interval <sec>
INTERFACE:
  Switch(config-if)# [no] ip arp inspection trust
  Switch(config-if)# ip arp inspection limit {rate <pps> [burst interval <sec>] | none}
SHOWs:
  Switch# show ip arp inspection [interfaces <intf> | log | statistics | vlan <VID>]
  Switch# show arp access-list
DEBUGs & CLEARs:
  Switch# debug arp snooping
  Switch# clear ip arp inspection log
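Sections 8, 9 and 10 are one mechanism seen from three sides: DHCP snooping builds the binding table (MAC, VLAN, IP, interface) and polices DHCP itself on untrusted ports, IP Source Guard checks IP source addresses against that table, and DAI checks ARP sender MAC/IP pairs against it under a rate limit. The model below is an added example, not from the lab and not Cisco code, that runs all three checks over a constructed binding table and constructed traffic. The rate limiter is a simplified sliding window (more than rate x burst ARPs within `burst` seconds err-disables the port); the MAC/IP validation corresponds to the page's requirement, which on IOS is enabled with `ip arp inspection validate src-mac dst-mac ip allow-zeros` (a command the page lists as a requirement but not in its command block).

```python
"""Model of what DHCP snooping, IP Source Guard and Dynamic ARP Inspection
(sections 8 to 10) do with the snooping binding table on an untrusted port.
Added example, not from the lab page; bindings, ports and timings are
constructed and the rate limiter is a simplified sliding window."""
from collections import deque, namedtuple

Binding = namedtuple("Binding", "mac vlan ip interface")

# Constructed binding table, as `show ip dhcp snooping binding` would list it.
BINDINGS = [
    Binding("0011.2233.4455", 10, "10.10.10.21", "Fa0/1"),
    Binding("0011.2233.4466", 10, "10.10.10.22", "Fa0/2"),
]
TRUSTED = {"Gi0/1"}   # uplink toward the DHCP server / other switches


class L2Guard:
    """Untrusted-port checks keyed on the DHCP snooping binding table."""

    def __init__(self, bindings, trusted, rate=10, burst=2):
        self.bindings = set(bindings)
        self.trusted = set(trusted)
        self.rate, self.burst = rate, burst   # ip arp inspection limit rate 10 burst interval 2
        self.windows = {}                      # interface -> deque of ARP arrival times
        self.err_disabled = set()

    def dhcp(self, intf, src_mac, chaddr, from_server):
        """DHCP snooping: server replies and chaddr/source-MAC mismatches
        are dropped on untrusted ports (ip dhcp snooping verify mac-address)."""
        if intf in self.trusted:
            return "forwarded (trusted)"
        if from_server:
            return "dropped (server message on untrusted port)"
        if src_mac != chaddr:
            return "dropped (chaddr does not match source MAC)"
        return "forwarded"

    def ipsg(self, intf, vlan, src_ip):
        """IP Source Guard, IP-only mode (ip verify source): the source IP
        must be bound to this interface and VLAN."""
        if intf in self.trusted:
            return True
        return any(b.ip == src_ip and b.vlan == vlan and b.interface == intf
                   for b in self.bindings)

    def _over_rate(self, intf, t):
        """True once more than rate*burst ARPs arrived within `burst` seconds."""
        q = self.windows.setdefault(intf, deque())
        q.append(t)
        while q and t - q[0] > self.burst:
            q.popleft()
        return len(q) > self.rate * self.burst

    def arp(self, intf, vlan, src_mac, sender_mac, sender_ip, t):
        """DAI on an untrusted port: rate limit, then validate the Ethernet
        source against the ARP sender MAC, then the sender MAC/IP pair
        against the bindings (0.0.0.0 permitted, as `allow-zeros` does)."""
        if intf in self.trusted:
            return "forwarded (trusted)"
        if intf in self.err_disabled:
            return "dropped (err-disabled)"
        if self._over_rate(intf, t):
            self.err_disabled.add(intf)   # errdisable recovery cause arp-inspection re-enables it later
            return "err-disabled (ARP rate limit exceeded)"
        if src_mac != sender_mac:
            return "dropped (source MAC != sender MAC)"
        if sender_ip == "0.0.0.0":
            return "forwarded (zero sender IP allowed)"
        if Binding(sender_mac, vlan, sender_ip, intf) not in self.bindings:
            return "dropped (no binding for %s/%s in vlan %d)" % (sender_mac, sender_ip, vlan)
        return "forwarded"


def run_scenario():
    """Constructed traffic: one legitimate host, one gateway-address claim
    with no binding, an ARP probe, a rogue DHCP offer, and an ARP flood."""
    g = L2Guard(BINDINGS, TRUSTED)
    out = {
        "valid_arp": g.arp("Fa0/1", 10, "0011.2233.4455", "0011.2233.4455", "10.10.10.21", 0.0),
        "spoofed_gateway": g.arp("Fa0/2", 10, "0011.2233.4466", "0011.2233.4466", "10.10.10.1", 0.1),
        "arp_probe": g.arp("Fa0/2", 10, "0011.2233.4466", "0011.2233.4466", "0.0.0.0", 0.2),
        "mac_mismatch": g.arp("Fa0/2", 10, "0011.2233.4466", "dead.beef.0001", "10.10.10.22", 0.3),
        "uplink": g.arp("Gi0/1", 10, "0000.0c07.ac01", "0000.0c07.ac01", "10.10.10.1", 0.4),
        "rogue_offer": g.dhcp("Fa0/2", "0011.2233.4466", "0011.2233.4466", from_server=True),
        "ipsg_ok": g.ipsg("Fa0/1", 10, "10.10.10.21"),
        "ipsg_spoof": g.ipsg("Fa0/1", 10, "10.10.10.22"),
    }
    # 25 ARP probes in a quarter second: 10 pps * 2 s burst = 20 tolerated, then err-disable.
    out["flood"] = [g.arp("Fa0/3", 10, "aaaa.bbbb.cccc", "aaaa.bbbb.cccc", "0.0.0.0", 5.0 + i * 0.01)
                    for i in range(25)]
    return out
```

Two things the model makes visible that the command list does not: a host with a valid lease still cannot claim the gateway's IP in ARP, because the binding ties its MAC to its own leased address; and zero-sender-IP probes bypass the binding check (that is what `allow-zeros` permits), so the rate limit is the only thing standing between a probe storm and the port, which is why the page pairs the limit with `errdisable recovery cause arp-inspection`.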

11. IEEE 802.1X Port-based Authentication (minimal). ACCESS layer switches.

- all access ports toward end users are authenticated in auto mode (if a RADIUS server exists in the topology); otherwise they are configured force-authorized
- all ports toward switches and routers are configured force-authorized
- the shared secret used with the RADIUS server is: CCNP

GLOBAL:
  Switch(config)# aaa new-model
  Switch(config)# aaa authentication dot1x default group radius
  Switch(config)# radius-server host <IP> auth-port 1812 key <password>
  Switch(config)# dot1x system-auth-control
INTERFACE:
  Switch(config-if)# dot1x port-control {auto | force-authorized | force-unauthorized}
SHOWs:
  Switch# show dot1x all [count | statistics | detail | summary] | [interface <intf> [detail] [statistics]]
DEBUGs & CLEARs:
  Switch# debug dot1x {events | errors | packets | all | registry}
  Switch# clear dot1x {all | interface <intf>}

12. Quality of Service (QoS) (minimal). ACCESS and DISTRIBUTION layer switches.

- configure auto qos voip trust on the interfaces toward switches/routers
- configure auto qos voip cisco-phone on the access interfaces toward hosts
- assign the end-user access interfaces to the auxiliary (voice) VLAN

INTERFACE:
  Switch(config-if)# switchport voice vlan <VID>
  Switch(config-if)# auto qos voip {trust | cisco-softphone | cisco-phone}
SHOWs:
  Switch# show mls qos interface [<intf> | statistics | queuing | buffers]
  Switch# show auto qos [interface <intf>]
DEBUGs:
  Switch# debug auto qos

13. Layer 2 EtherChannel. ACCESS and DISTRIBUTION layer switches.

- configure load balancing of type src-dst-mac (src XOR dst)
- configure PAgP
- use active negotiation between neighbours (mode desirable)

GLOBAL:
  Switch(config)# port-channel load-balance {dst-ip | src-ip | dst-mac | src-mac | src-dst-ip | src-dst-mac}
INTERFACE:
  Switch(config)# interface range <intf>-<intf>
  Switch(config-if-range)# shutdown
  Switch(config-if-range)# channel-protocol {lacp | pagp}
  Switch(config-if-range)# channel-group <nr> mode {desirable | auto | on | active | passive}
  Switch(config-if-range)# no shutdown
SHOWs:
  Switch# show etherchannel [summary | load-balance | <nr> | detail | protocol | port | port-channel]
DEBUGs:
  Switch# debug etherchannel [all | detail | event | error]
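Why the lab asks for src-dst-mac rather than dst-mac is easiest to see with numbers. The snippet below is an added example, not from the lab and not Cisco's hashing code: it models the member-link choice as (hash mod number of members), where the hash is the source MAC XOR the destination MAC for src-dst-mac and the destination MAC alone for dst-mac. This is a simplification (the classic Catalyst implementation hashes into a fixed number of buckets, which matters when the member count is not a power of two), but the two properties it shows hold on real hardware: XOR is symmetric, so both directions of a host pair use the same link, and with dst-mac every access host talking to the same gateway MAC lands on one link. The MACs, the two-link channel and the HSRP group 1 virtual MAC as the gateway are constructed.

```python
"""Which member link an EtherChannel hashes a frame onto under
`port-channel load-balance src-dst-mac` versus `dst-mac` (section 13).
Added example with constructed MACs; simplified model (index = hash mod
member count; real Catalyst hardware uses a fixed number of hash buckets)."""
from collections import Counter


def mac_to_int(mac):
    """'0011.2233.4455' -> 0x001122334455"""
    return int(mac.replace(".", ""), 16)


def member_link(src_mac, dst_mac, members, policy="src-dst-mac"):
    """Return the member interface chosen for a frame under the given policy."""
    if policy == "src-dst-mac":
        h = mac_to_int(src_mac) ^ mac_to_int(dst_mac)   # src XOR dst, as the lab says
    elif policy == "dst-mac":
        h = mac_to_int(dst_mac)
    elif policy == "src-mac":
        h = mac_to_int(src_mac)
    else:
        raise ValueError("unsupported policy: " + policy)
    return members[h % len(members)]


MEMBERS = ["Gi0/1", "Gi0/2"]             # constructed two-link channel-group
GATEWAY = "0000.0c07.ac01"               # HSRP group 1 virtual MAC, used as the gateway
HOSTS = ["0011.2233.4455", "0011.2233.4466",
         "0011.2233.4477", "0011.2233.4488"]   # constructed access hosts


def distribution(policy):
    """Count how the host -> gateway flows spread over the member links."""
    return dict(Counter(member_link(h, GATEWAY, MEMBERS, policy) for h in HOSTS))


if __name__ == "__main__":
    for policy in ("src-dst-mac", "dst-mac"):
        print(policy, distribution(policy))
```

`show etherchannel load-balance` reports which policy is active; `show etherchannel <nr> port-channel` shows the members the index selects from. Note that a single host pair never uses more than one link under any MAC-based policy, so one large flow cannot exceed one member's bandwidth.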

14. Hot Standby Router Protocol (HSRP). Configured on the routers.

- MD5 authentication with the password: CCNP3
- configure object tracking; decrement the priority by 30
- configure hello time 500 msec, hold time 1.5 sec
- configure preemption
- configure a group name identical to the VLAN name

INTERFACE:
  Switch(config-if)# standby 1 ip <IP>
  Switch(config-if)# standby 1 authentication md5 key-string <password>
  Switch(config-if)# standby 1 preempt
  Switch(config-if)# standby 1 timers msec 500 msec 1500
  Switch(config-if)# standby 1 track <intf> [<decrement>]
  Switch(config-if)# standby 1 name <name>
SHOWs:
  Switch# show standby [brief | <intf> | delay | capability | redirect | all]
DEBUGs:
  Switch# debug standby [errors | events | packets | terse]
