Things to know… (lab)

Routing info:

(The infrastructure provided by CEF or process switching performs the recursion to the next-hop IP address.) The configuration sequence, which affects routing, is as follows:

  1. Next-hop
  2. Next-hop recursive
  3. Interface
  4. Default next-hop
  5. Default interface

Switching info:

Difference between bpduguard & bpdufilter

BPDU Guard : error-disables port if a portfast port receives a bpdu

(config)# spanning-tree portfast bpduguard default
(config-if)# spanning-tree bpduguard [enable | disable]

BPDU Filtering : When enabled globally prevents portfast ports from sending bpdus. If bpdu is received, port becomes non-portfast and filtering is disabled.

When configured on an interface it disables STP on the port: very dangerous! Global configuration is recommended.

(config)# spanning-tree portfast bpdufilter default
(config-if)# spanning-tree bpdufilter [enable | disable]

Spanning-tree on non-default point-to-point links

spanning-tree link-type point-to-point : 802.1w defines the link as pt-pt for rapid convergence.

Backbone fast

  • To detect indirect link failures & to start spanning-tree reconfiguration sooner
  • Must be enabled on all switches in the VTP domain

spanning-tree backbonefast

Would the port still listen for DTP frames in trunk mode?

DTP : Dynamic Trunking Protocol. Interfaces need to be set to either trunk mode or access mode -AND THEN- you need to use the switchport nonegotiate command.

switchport nonegotiate – Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk. You must manually configure the neighbouring interface as a trunk interface to establish a trunk link.

Smartport Macro (3550/4500 unsupported on older switches/software)

Macros are fairly simple. All they are is a collection of interface-level commands grouped together and applied with a single named macro. It’s just something to save typing effort; there is no fancy programming or technology behind it.

This example shows how to define the desktop-config macro for an access switch interface, apply the macro to Fast Ethernet interface 0/9, add a description to the interface, and verify the configuration. You can substitute any interface level command you want for the ones I’ve listed here to get the desired effect. The key parts are the global config of macro name xxx to create the macro and macro apply to put those commands on the interface.

Switch(config)# macro name desktop-config
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
switchport port-security maximum 1
switchport access vlan 1
@

Switch(config)# interface fastethernet0/9
Switch(config-if)# macro apply desktop-config
Switch(config-if)# macro description desktop-config
Switch(config-if)# end

show parser is the root of the show commands for this.

show parser macro name desktop-config
show parser macro description

This can also be applied to an interface range as follows, where “unused” is the interface range macro name.

SW-61(config)# define interface-range unused fa0/17 - 20
SW-61(config)# interface range macro unused
SW-61(config-if-range)# macro apply desktop-config

Catalyst COS (link) [have a look in the directory this linked document is in, you'll find lots of great snippets. It's been one of my sources for this page and maybe more, I'm not finished going through it yet so who knows]

Etherchannel

Etherchannel Layer 3

interface port-channel 1
_no switchport
_ip address 172.10.20.10 255.255.255.0

  • Assigns an IP address to the etherchannel instead of the single interface
  • All ports must be: no switchport /depends on version
  • Then assign the physical interfaces with: channel-group 1 mode DESIRABLE (the channel-group number must match the port-channel interface number, here 1)
  • Only one VLAN can be associated with the L3 EtherChannel
  • Allow routing on the etherchannel
  • Layer 3 and Layer 2 etherchannel both aggregate bandwidth. However, the layer 3 one can only be associated with 1 VLAN, while the layer 2 one can also become a trunk link. So, if the network is a flat network, using layer 3 etherchannel is better because it avoids spanning tree problems.

Etherchannel Layer 2

  • For port aggregation, the configuration must be identical on both sides
  • Make sure that port fa0/13 and fa0/14 are not in blocking state for any vLAN
  • More than 1 single interface bundled/aggregated and acting as 1 single port
  • Best practice: mode DESIRABLE on both sides
  • Set trunking mode to ACCESS unconditionally

interface Port-channel1
_switchport trunk encapsulation {dot1q | isl}
_switchport mode trunk
_no ip address
!
interface range gigabitethernet0/1-2
_switchport trunk encapsulation {dot1q | isl}
_switchport mode trunk
_channel-group 1 mode desirable

Etherchannel layer 2 load balance

port-channel load-balance src-mac
or
port-channel load-balance dst-mac

  • Load distribution is based on the source-MAC address of the incoming packet. Packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel.
  • When src-mac is used, load distribution based on the source and destination IP address is also enabled. For all IP traffic being routed, the switch chooses a port for transmission based on the source and destination IP address. Packets between two IP hosts always use the same port for packet transmission, but packets between any other pair of hosts might use a different transmission port.

Private VLAN (PVLAN)

Rules:

  • PVLANs cannot include VLANs 1 or 1002–1005.
  • VTP mode must be transparent.
  • A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it.
  • An isolated or community VLAN can have only one primary VLAN associated with it.
  • You can only designate a VLAN as a PVLAN if that VLAN has no current access port assignments. Remove any ports in that VLAN before you make the VLAN a PVLAN.
  • Do not configure PVLAN ports as EtherChannels.
  • Due to hardware limitations, the Catalyst 6500/6000 Fast Ethernet switch modules restrict the configuration of an isolated or community VLAN port when one port within the same COIL application-specific integrated circuit (ASIC) is one of these:
  1. A trunk
  2. A Switched Port Analyzer (SPAN) destination
  3. A promiscuous PVLAN port
  • If you delete a VLAN that you use in the PVLAN configuration, the ports that associate with the VLAN become inactive.
  • Configure Layer 3 (L3) VLAN interfaces only for the primary VLANs. VLAN interfaces for isolated and community VLANs are inactive while the VLAN has an isolated or community VLAN configuration. For more information, refer to Configuring Private VLANs.
  • You can extend PVLANs across switches with the use of trunks.
  • Note: You must manually enter the same PVLAN configuration on every switch involved, because VTP in transparent mode does not propagate this information.
  • Destination SPAN configuration supersedes private VLAN configuration. While a port is a destination SPAN port, any private VLAN configuration for it is inactive. Private VLANs support the following SPAN features:
  1. You can configure a private VLAN port as a SPAN source port.
  2. You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs, or use SPAN on only one VLAN to separately monitor egress or ingress traffic.
  • Enable PortFast and BPDU guard on isolated and community ports to prevent STP loops due to misconfigurations and to speed up STP convergence. When enabled, STP applies the BPDU guard feature to all PortFast-configured Layer 2 LAN ports.

Private VLAN ports are associated with a set of supporting VLANs that are used to create the private VLAN structure. A private VLAN uses VLANs three ways:

  • Primary VLAN – Carries traffic from promiscuous ports to isolated, community, and other promiscuous ports.
  • Isolated VLAN – Carries traffic from isolated ports to promiscuous ports.
  • Community VLAN – Carries traffic between community ports and to promiscuous ports. You can configure multiple community VLANs in a private VLAN.

Note: Isolated and community VLANs are both called secondary VLANs.

Private VLAN ports can be configured as either one of the following types:

  • Host – The isolated host port
  • Promiscuous – This optional configuration allows a device on this interface to connect to all devices in the isolated VLAN. (Think management, external routers, backup etc…)
  • Trunk – When you want to nail down PVLAN trunking (when you can’t use auto or desirable)
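The three VLAN types and three port types above are easiest to check against a small model. The following is an added example (not from the original page) that encodes the rules as stated: the primary VLAN carries promiscuous-to-anything traffic, a secondary VLAN carries host-to-promiscuous traffic, and only ports in the same community VLAN see each other. The topology is constructed from the configuration that follows (router on Gi3/26, isolated host on Fa5/1, primary 100, isolated 101); the second isolated host and community VLAN 102 are assumptions added for the demonstration.

```python
"""Added example (not from the page): which VLAN carries a frame between two
private-VLAN ports, following the primary/isolated/community rules above."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    kind: str                        # "promiscuous", "isolated" or "community"
    primary: int                     # primary VLAN (100 in the configuration below)
    secondary: Optional[int] = None  # isolated/community VLAN; None on a promiscuous port


def carrying_vlan(src: PvlanPort, dst: PvlanPort) -> Optional[int]:
    """Return the VLAN that carries a frame from src to dst, or None when the
    private VLAN keeps the two ports apart."""
    if src.primary != dst.primary:
        return None                  # different private VLANs: no direct path
    if src.kind == "promiscuous":
        return src.primary           # primary VLAN: promiscuous -> any port
    if dst.kind == "promiscuous":
        return src.secondary         # secondary VLAN: host port -> promiscuous
    if (src.kind == "community" and dst.kind == "community"
            and src.secondary == dst.secondary):
        return src.secondary         # same community VLAN: members see each other
    return None                      # isolated<->isolated, isolated<->community, different communities


def reachable(src: PvlanPort, ports: List[PvlanPort]) -> List[str]:
    """Names of the ports src can send to (what a host plugged into src can see)."""
    return [p.name for p in ports if p is not src and carrying_vlan(src, p) is not None]


# Constructed topology: the promiscuous router port and isolated host port from
# the configuration below, plus a second isolated host and a community VLAN 102
# (102, Fa5/2, Fa5/3 and Fa5/4 are assumed here; the page only defines 100 and 101).
ROUTER = PvlanPort("Gi3/26", "promiscuous", 100)
HOST_A = PvlanPort("Fa5/1", "isolated", 100, 101)
HOST_B = PvlanPort("Fa5/2", "isolated", 100, 101)
SRV_1 = PvlanPort("Fa5/3", "community", 100, 102)
SRV_2 = PvlanPort("Fa5/4", "community", 100, 102)
PORTS = [ROUTER, HOST_A, HOST_B, SRV_1, SRV_2]

if __name__ == "__main__":
    for p in PORTS:
        print(f"{p.name:7} ({p.kind:11}) can reach: {reachable(p, PORTS)}")
```

Running it prints, per port, the set of ports a host behind it can talk to: the isolated hosts reach only the router, the community servers reach the router and each other, and the router reaches everything. That table is exactly what you expect to see confirmed with the show interfaces ... switchport verification mentioned below.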

# — VTP mode is transparent, as PVLANs require.
vtp mode transparent
!
vlan 100
_name primary_for_101
_private-vlan primary
_private-vlan association 101
!
vlan 101
_name isolated_under_100
_private-vlan isolated

# — This is a port channel for int Gi3/1 & Gi3/2.
interface Port-channel1
_switchport
_switchport trunk encapsulation dot1q
_switchport mode dynamic desirable

# — This is a trunk to the Access_Layer switch.
interface GigabitEthernet3/1
_switchport trunk encapsulation dot1q
_switchport mode dynamic desirable
_channel-group 1 mode desirable

# — This is the trunk to the Access_Layer switch.
interface GigabitEthernet3/2
_switchport trunk encapsulation dot1q
_switchport mode dynamic desirable
_channel-group 1 mode desirable

# — Designate the port as a host port.
interface fastethernet 5/1
_switchport private-vlan host-association 100 101
_switchport mode private-vlan host

# — Designate the port as promiscuous for PVLAN 101.
interface GigabitEthernet3/26
_switchport private-vlan mapping 100 101
_switchport mode private-vlan promiscuous

# — This is the L3 interface for the primary VLAN.
interface Vlan100
_ip address 10.1.1.1 255.255.255.0
_private-vlan mapping 101

This maps VLAN 101 to the VLAN interface of the primary VLAN (100). Ingress traffic for devices in isolated VLAN 101 routes via interface VLAN 100.

Verify with: show interfaces {fastethernet | gigabitethernet} slot/port switchport

Trunk config:
_switchport mode private-vlan trunk
_switchport private-vlan association trunk 100 101

VLAN security

VLAN Maps have three components.

  1. VLAN filter
  2. VLAN map entries
  3. IP ACL and/or MAC extended ACL

A VLAN filter inspects packets entering and leaving VLANs X, Y and Z for the type of match clause configured in the vlan access-map statement (either an IP or a MAC address clause).

Allow only http on a VLAN

A few remarks which I picked up on the ccielab@groupstudy.com mailing list:

  • A VLAN access-map has no implicit deny like there is with an ACL. This is to safeguard ARP, routing etc.
  • To explicitly block all other traffic than HTTP one would have to add the deny any any. One would have to ask the proctor what to do with DHCP, ARP, DNS etc for the HTTP clients. Thanks go to Derek Pocoroba.
  • One would have to allow the return traffic, as it will traverse the same VACL (hence the second line in ACL ‘http’: permit tcp any eq www any)

vlan access-map only-http 10
_action forward
_match ip address http
!
vlan access-map only-http 20
_action drop
_match ip address ALL
!
ip access-list extended http
_permit tcp any any eq www
_permit tcp any eq www any
!
ip access-list standard ALL
_permit any
!
vlan filter only-http vlan-list 11

Example output; note that the ‘all’ option is only for removing filters:

3750(config)#vlan filter only-http vlan-list ?
__<1-4094>__VLAN id
__all_______Remove this filter from all VLANs
C3750(config)#vlan filter only-http vlan-list 2 ?
__,__comma
__-__hyphen
__<cr>

Drop by MAC address

How to prevent any host whose MAC address starts with 0101 (first 2 bytes) from sending frames to any host on VLAN 55.

mac access-list extended FILTER-0101
_permit 0101.0000.0000 0000.FFFF.FFFF any
!
VLAN access-map FILTERS 10
_match mac address FILTER-0101
_action drop
VLAN access-map FILTERS 20
_action forward
!
VLAN filter FILTERS VLAN-list 55
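Both the only-http map and the FILTERS map above are small enough to trace by hand, but the order of evaluation (sequence number, first matching ACL entry, implicit deny at the end of an ACL but not of the map) is where mistakes hide. The following is an added example, not code from the page, that models that evaluation in Python and transcribes both maps into it: Cisco wildcard masks for IPv4 and MAC addresses, the ‘host’/‘any’ address syntax, ‘eq’ port matches, and the VLAN-map sequence walk. The sample packets are constructed. The no-match default (forward) follows the remark above that a VLAN map has no implicit deny.

```python
"""Added example (not from the page): simulate how a Cisco VLAN access-map
evaluates a frame, using the only-http and FILTERS maps shown above."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, List, Optional, Tuple


def _ip(s: str) -> int:
    return int(IPv4Address(s))


def _mac(s: str) -> int:
    return int(s.replace(".", "").replace(":", ""), 16)


def wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    return (value & ~wildcard) == (pattern & ~wildcard)


def parse_spec(spec: str, conv: Callable[[str], int]) -> Tuple[int, int]:
    """Parse IOS address syntax: 'any', 'host X' or 'X WILDCARD'."""
    if spec == "any":
        return 0, ((1 << 48) - 1 if conv is _mac else 0xFFFFFFFF)
    parts = spec.split()
    if parts[0] == "host":
        return conv(parts[1]), 0
    return conv(parts[0]), conv(parts[1])


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    proto: Optional[str] = None     # "tcp", "udp", ...; None = non-IP frame (e.g. ARP)
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    permit: bool
    kind: str                       # "ip" (ip access-list) or "mac" (mac access-list)
    proto: str = "ip"               # ip ACEs only; "ip" matches any IP protocol
    src: str = "any"
    dst: str = "any"
    src_eq: Optional[int] = None    # 'eq' port on the source side
    dst_eq: Optional[int] = None    # 'eq' port on the destination side

    def matches(self, pkt: Packet) -> bool:
        if self.kind == "mac":      # MAC ACE: compare addresses under the wildcard
            s, sw = parse_spec(self.src, _mac)
            d, dw = parse_spec(self.dst, _mac)
            return (wildcard_match(_mac(pkt.src_mac), s, sw)
                    and wildcard_match(_mac(pkt.dst_mac), d, dw))
        if pkt.proto is None:       # an IP ACE never matches a non-IP frame
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        s, sw = parse_spec(self.src, _ip)
        d, dw = parse_spec(self.dst, _ip)
        if not (wildcard_match(_ip(pkt.src_ip), s, sw)
                and wildcard_match(_ip(pkt.dst_ip), d, dw)):
            return False
        if self.src_eq is not None and pkt.src_port != self.src_eq:
            return False
        if self.dst_eq is not None and pkt.dst_port != self.dst_eq:
            return False
        return True


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; an access list ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.permit
    return False


# A VLAN map entry: (sequence, match ACL or None for 'no match clause', action).
MapEntry = Tuple[int, Optional[List[Ace]], str]


def vlan_map_action(entries: List[MapEntry], pkt: Packet) -> str:
    for _seq, acl, action in sorted(entries, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, pkt):
            return action
    # No entry matched (e.g. an ARP frame against only-http, whose clauses are
    # all IP): forwarded, per the "no implicit deny" remark above.
    return "forward"


# The page's configuration, transcribed into the model.
HTTP = [Ace(True, "ip", "tcp", "any", "any", dst_eq=80),   # permit tcp any any eq www
        Ace(True, "ip", "tcp", "any", "any", src_eq=80)]   # permit tcp any eq www any
ALL = [Ace(True, "ip")]                                    # standard ACL ALL: permit any
ONLY_HTTP = [(10, HTTP, "forward"), (20, ALL, "drop")]

FILTER_0101 = [Ace(True, "mac", src="0101.0000.0000 0000.FFFF.FFFF", dst="any")]
FILTERS = [(10, FILTER_0101, "drop"), (20, None, "forward")]

VLAN_FILTER = {11: ONLY_HTTP, 55: FILTERS}                 # vlan filter ... vlan-list


def filter_frame(vlan: int, pkt: Packet) -> str:
    """Apply the VLAN map bound to this VLAN, if any, and return its action."""
    entries = VLAN_FILTER.get(vlan)
    return "forward" if entries is None else vlan_map_action(entries, pkt)
```

Feeding it a client-to-server HTTP packet and its reply shows why the second line of ACL ‘http’ is needed; a DNS query on VLAN 11 falls through to entry 20 and is dropped, which is the DHCP/ARP/DNS question raised above; and an ARP frame on VLAN 11 matches no IP clause and is forwarded. On VLAN 55, a frame from 0101.xxxx.xxxx hits entry 10 and is dropped while every other source reaches entry 20 and is forwarded.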

Allow a specific IP & MAC address w/o ACL

arp 192.168.1.1 1111.2222.3333 arpa vlan1   <<<
!
int fa0/1
_switchport mode access
_switchport access VLAN 1
_switchport port-security mac-address 1111.2222.3333   <<<
_switchport port-security violation restrict
_spanning-tree portfast

  • Port security can only be configured on static access ports.
  • A secure port cannot be a dynamic access port or a trunk port.
  • A secure port cannot be a private-vlan (PVLAN: what used to be a protected port).
  • A secure port cannot be a destination port for Switch Port Analyzer (SPAN).

Deny Ethernet type 6000 or 8042 (old?)

interface FastEthernet0/1
_mac access-group ACL-ETYPE in
!
mac access-list extended ACL-ETYPE
_deny any any etype-6000
_deny any any etype-8042
_permit any any

4506-QoS.AS(config-ext-macl)# deny any any protocol-family ?

appletalk
arp-non-ipv4
decnet
ipx
ipv6
rarp-ipv4
rarp-non-ipv4
vines
xns

Current software -on a 4500 sup4- does not permit this granularity, but does present the above list. (Ethernet type codes)

Conserve bandwidth

vtp pruning
!
interface gigabitethernet0/1
_switchport block multicast

  • VTP pruning increases network available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices
  • Block unnecessary multicast/broadcast traffic on the switch port