%Trunk% Archives %%page%%

« Older Entries

Tag Archive for 'Trunk'

BCMSN VLAN-ACL Lab 8

Published

Deon Botha

on June 23, 2008

in ACL, BCMSN, Certification, Cisco Systems, VACL and VLAN

. 0 Comments

LAB_2

Virtual Local Area Network (VLAN) Access Control Lists (ACL) (VACL or VLAN-ACL)

The CCNA taught ACLs standard, extended and named (standard and extended) the VACL is a standard or extended access list (no surprise) that is supported on Cisco IOS Software on Multilayer Switches (this is important) that can be mapped as the name suggests to a specific VLAN (take note).

This means that instead of an ACL filtering all traffic ingressing or egressing a particular port the ACL will filter all traffic ingressing and egressing a particular VLAN (cool huh).

The below config uses a named ACL in conjunction with the other particulars to make the VACL work. If you are rusty on the Access Lists the previous lab used an extended access list you can then also go on to try your hand at standard access lists on your own.

The aim of this lab is to block telnet, ftp, www and allow all other traffic to PC1 and PC2.

PC1 is in VLAN 10 with IP address 192.168.10.200 255.255.255.0 Default Gateway (DG) 192.168.10.1

PC2 is in VLAN 20 with IP Address 192.168.20.250 255.255.255.0 DG 192.168.10.50

Enter Privelaged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname DSW1 Enable secret and password DSW1(config)#enable password cisco DSW1(config)#enable secret cisco Setup the console port password DSW1(config)#line con 0 DSW1(config-line)#password cisco DSW1(config-line)#login DSW1(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password DSW1(config)#line vty 0 4 DSW1(config-line)#password cisco DSW1(config-line)#login DSW1(config-line)#exit Setup the default VLAN DSW1(config)#interface vlan 1 DSW1(config-if)#ip address 192.168.1.1 255.255.255.0 DSW1(config-if)#no shut DSW1(config-if)#exit Setup VLAN 10 DSW1(config)#interface vlan 10 DSW1(config-if)#ip address 192.168.10.1 255.255.255.0 DSW1(config-if)#no shut DSW1(config-if)#exit Setup VLAN 20 DSW1(config)#interface vlan 20 DSW1(config-if)#ip address 192.168.20.1 255.255.255.0 DSW1(config-if)#no shut DSW1(config-if)#exit Setup Fastethernet Interfaces DSW1(config)#interface fastethernet 0/1 DSW1(config-if)#description DSW1 - ASW1 DSW1(config-if)#no shut DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/2 DSW1(config-if)#description DSW1 - ASW1 DSW1(config-if)#no shut DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/3 DSW1(config-if)#description DSW1 - ASW2 DSW1(config-if)#no shut DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/4 DSW1(config-if)#description DSW1 - ASW2 DSW1(config-if)#no shut DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/11 DSW1(config-if)#description DSW1 - DSW2 DSW1(config-if)#no shut DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/12 DSW1(config-if)#description DSW1 - DSW2 DSW1(config-if)#no shut DSW1(config-if)#exit Enable QoS Globally DSW1(config)#mls qos Create Access Lists DSW1(config)#access-list 150 permit udp any any eq tftp DSW1(config)#access-list 150 permit tcp any any eq ftp DSW1(config)#access-list 150 permit tcp any any eq ftp-data DSW1(config)#access-list 151 permit udp any any eq echo DSW1(config)#access-list 151 permit udp any any eq echo-reply DSW1(config)#access-list 151 permit udp any any eq echo Create a class map DSW1(config)#class-map File-Transfer DSW1(config-cmap)#match access-group 150 DSW1(config-cmap)#exit DSW1(config)#class-map Echo DSW1(config-cmap)#match access-group 151 DSW1(config-cmap)#exit Create a policy map DSW1(config)#policy-map Precedence DSW1(config-pmap)#class file-transfer DSW1(config-pmap-c)#set ip precedence 5 DSW1(config-pmap-c)#exit DSW1(config-pmap)#class echo DSW1(config-pmap-c)#set ip precedence 1 DSW1(config-pmap-c)#exit DSW1(config-pmap)#exit Create a VLAN access map DSW1(config)#vlan access-map vlan_map_10 10 DSW1(config-access-map)#match ip address blocked_protocols DSW1(config-access-map)#action drop DSW1(config-access-map)#exit DSW1(config)#vlan access-map vlan_map_10 20 DSW1(config-access-map)#match ip address allowed_protocols DSW1(config-access-map)#action forward DSW1(config-access-map)#exit Create an Named Extended Access List DSW1(config)#ip access-list extended blocked_protocols DSW1(config-ext-ipacl)#permit tcp any any eq telnet DSW1(config-ext-ipacl)#permit tcp any any eq ftp DSW1(config-ext-ipacl)#permit tcp any any eq ftp-data DSW1(config-ext-ipacl)#permit tcp any any eq www DSW1(config-ext-ipacl)#exit DSW1(config)#ip access-list extended allowed_protocols DSW1(config-ext-ipacl)#permit ip any any DSW1(config-ext-ipacl)#exit Apply the VLAN ACL to Filter a VLAN DSW1(config)#vlan filter vlan_map_10 vlan-list 10 Associate VLANs with Fe 1 to 4 DSW1(config)#interface range fastethernet 0/1 - 4 DSW1(config-if-range)#speed 100 DSW1(config-if-range)#duplex auto DSW1(config-if-range)#switchport DSW1(config-if-range)#switchport trunk encapsulation dot1q DSW1(config-if-range)#switchport trunk native vlan 1 DSW1(config-if-range)#switchport trunk allowed vlan 1,20,10 DSW1(config-if-range)#switchport mode trunk Apply QoS Policy DSW1(config-if-range)#service-policy input precedence DSW1(config-if-range)#exit Associate VLANs with Fe 11 and 12 DSW1(config)#interface range fastethernet 0/11 - 12 DSW1(config-if-range)#speed 100 DSW1(config-if-range)#duplex auto DSW1(config-if-range)#switchport DSW1(config-if-range)#switchport trunk encapsulation dot1q DSW1(config-if-range)#switchport trunk native vlan 1 DSW1(config-if-range)#switchport trunk allowed vlan 1,20,10 DSW1(config-if-range)#switchport mode trunk DSW1(config-if-range)#exit Aministratively shutdown all ports not connected DSW1(config)#interface range fastethernet 0/5 - 10 DSW1(config-if-range)#shut DSW1(config-if-range)#exit Enable Spanning Tree Protocol on VLANs DSW1(config)#spanning-tree vlan 1 root primary DSW1(config)#spanning-tree vlan 10 root primary DSW1(config)#spanning-tree vlan 20 root secondary Enable Routing and a Protocol DSW1(config)#ip routing DSW1(config)#router eigrp 100 DSW1(config-router)#network 192.168.0.0 DSW1(config-router)#exit Exit Global Configuration Mode DSW1(config)#exit Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct DSW1#show interfaces status Check that you configured STP DSW1#show spanning-tree Check routing is correct DSW1#show ip route Check QoS is enabled DSW1#show mls qos Check Access Lists DSW1#show access-lists Check class maps DSW1#show class-map Check policy map DSW1#show policy-map Check that QoS is applied to the interfaces DSW1#show run | begin interface FastEthernet 0/1 Check VLAN Access-Map DSW1#show vlan access-map Confirm Named Access lists DSW1#show access-lists blocked_protocols DSW1#show access-lists allowed_protocols DSW1#show access-lists Confirm VLAN filter DSW1#show vlan filter Copy the running configuration to the startup configuration. I got in the bad habbit to do this the other way around for a while (did it in an exam)… oops copy start run DSW1#copy run start

Enter Privelaged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname DSW2 Enable secret and password DSW2(config)#enable password cisco DSW2(config)#enable secret cisco Setup the console port password DSW2(config)#line con 0 DSW2(config-line)#password cisco DSW2(config-line)#login DSW2(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password DSW2(config)#line vty 0 4 DSW2(config-line)#password cisco DSW2(config-line)#login DSW2(config-line)#exit Setup the default VLAN DSW2(config)#interface vlan 1 DSW2(config-if)#ip address 192.168.1.50 255.255.255.0 DSW2(config-if)#no shut DSW2(config-if)#exit Setup VLAN 10 DSW2(config)#interface vlan 10 DSW2(config-if)#ip address 192.168.10.50 255.255.255.0 DSW2(config-if)#no shut DSW2(config-if)#exit Setup VLAN 20 DSW2(config)#interface vlan 20 DSW2(config-if)#ip address 192.168.20.50 255.255.255.0 DSW2(config-if)#no shut DSW2(config-if)#exit Setup Fastethernet Interfaces DSW2(config)#interface fastethernet 0/1 DSW2(config-if)#description DSW2 - ASW2 DSW2(config-if)#no shut DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/2 DSW2(config-if)#description DSW2 - ASW2 DSW2(config-if)#no shut DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/3 DSW2(config-if)#description DSW2 - ASW1 DSW2(config-if)#no shut DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/4 DSW2(config-if)#description DSW2 - ASW1 DSW2(config-if)#no shut DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/11 DSW2(config-if)#description DSW2 - DSW1 DSW2(config-if)#no shut DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/12 DSW2(config-if)#description DSW2 - DSW1 DSW2(config-if)#no shut DSW2(config-if)#exit Enable QoS Globally DSW2(config)#mls qos Create Access Lists DSW2(config)#access-list 150 permit udp any any eq tftp DSW2(config)#access-list 150 permit tcp any any eq ftp DSW2(config)#access-list 150 permit tcp any any eq ftp-data DSW2(config)#access-list 151 permit udp any any eq echo DSW2(config)#access-list 151 permit udp any any eq echo-reply DSW2(config)#access-list 151 permit udp any any eq echo Create a class map DSW2(config)#class-map File-Transfer DSW2(config-cmap)#match access-group 150 DSW2(config-cmap)#exit DSW2(config)#class-map Echo DSW2(config-cmap)#match access-group 151 DSW2(config-cmap)#exit Create a policy map DSW2(config)#policy-map Precedence DSW2(config-pmap)#class file-transfer DSW2(config-pmap-c)#set ip precedence 5 DSW2(config-pmap-c)#exit DSW2(config-pmap)#class echo DSW2(config-pmap-c)#set ip precedence 1 DSW2(config-pmap-c)#exit DSW2(config-pmap)#exit Create a VLAN access map DSW2(config)#vlan access-map vlan_map_20 10 DSW2(config-access-map)#match ip address blocked_protocols DSW2(config-access-map)#action drop DSW2(config-access-map)#exit DSW2(config)#vlan access-map vlan_map_20 20 DSW2(config-access-map)#match ip address allowed_protocols DSW2(config-access-map)#action forward DSW2(config-access-map)#exit Create an Named Extended Access List DSW2(config)#ip access-list extended blocked_protocols DSW2(config-ext-ipacl)#permit tcp any any eq telnet DSW2(config-ext-ipacl)#permit tcp any any eq ftp DSW2(config-ext-ipacl)#permit tcp any any eq ftp-data DSW2(config-ext-ipacl)#permit tcp any any eq www DSW2(config-ext-ipacl)#exit DSW2(config)#ip access-list extended allowed_protocols DSW2(config-ext-ipacl)#permit ip any any DSW2(config-ext-ipacl)#exit Apply the VLAN ACL to Filter a VLAN DSW2(config)#vlan filter vlan_map_20 vlan-list 20 Associate VLANs with Fe 1 to 4 DSW2(config)#interface range fastethernet 0/1 - 4 DSW2(config-if-range)#speed 100 DSW2(config-if-range)#duplex auto DSW2(config-if-range)#switchport DSW2(config-if-range)#switchport trunk encapsulation dot1q DSW2(config-if-range)#switchport trunk native vlan 1 DSW2(config-if-range)#switchport trunk allowed vlan 1,20,10 DSW2(config-if-range)#switchport mode trunk Apply QoS Policy DSW2(config-if-range)#service-policy input precedence DSW2(config-if-range)#exit Associate VLANs with Fe 11 and 12 DSW2(config)#interface range fastethernet 0/11 - 12 DSW2(config-if-range)#speed 100 DSW2(config-if-range)#duplex auto DSW2(config-if-range)#switchport DSW2(config-if-range)#switchport trunk encapsulation dot1q DSW2(config-if-range)#switchport trunk native vlan 1 DSW2(config-if-range)#switchport trunk allowed vlan 1,20,10 DSW2(config-if-range)#switchport mode trunk DSW2(config-if-range)#exit Aministratively shutdown all ports not connected DSW2(config)#interface range fastethernet 0/5 - 10 DSW2(config-if-range)#shut DSW2(config-if-range)#exit Enable Spanning Tree Protocol on VLANs DSW2(config)#spanning-tree vlan 1 root secondary DSW2(config)#spanning-tree vlan 10 root secondary DSW2(config)#spanning-tree vlan 20 root primary Enable Routing and a Protocol DSW2(config)#ip routing DSW2(config)#router eigrp 100 DSW2(config-router)#network 192.168.0.0 DSW2(config-router)#exit Exit Global Configuration Mode DSW2(config)#exit Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct DSW2#show interfaces status Check that you configured STP DSW2#show spanning-tree Check routing is correct DSW2#show ip route Check QoS is enabled DSW2#show mls qos Check Access Lists DSW2#show access-lists Check class maps DSW2#show class-map Check policy map DSW2#show policy-map Check that QoS is applied to the interfaces DSW2#show run | begin interface FastEthernet 0/1 Check VLAN Access-Map DSW2#show vlan access-map Confirm Named Access lists DSW2#show access-lists blocked_protocols DSW2#show access-lists allowed_protocols DSW2#show access-lists Confirm VLAN filter DSW2#show vlan filter Copy the running configuration to the startup configuration. I got in the bad habbit to do this the other way around for a while (did it in an exam)… oops copy start run DSW2#copy run start

Enter Privelaged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname ASW1 Enable secret and password ASW1(config)#enable password cisco ASW1(config)#enable secret cisco Setup the console port password ASW1(config)#line con 0 ASW1(config-line)#password cisco ASW1(config-line)#login ASW1(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password ASW1(config)#line vty 0 4 ASW1(config-line)#password cisco ASW1(config-line)#login ASW1(config-line)#exit Default Gateway ASW1(config-line)#ip default-gateway 192.168.1.1 Setup the default VLAN ASW1(config)#interface vlan 1 ASW1(config-if)#ip address 192.168.1.100 255.255.255.0 ASW1(config-if)#no shut ASW1(config-if)#exit Setup VLAN 10 ASW1(config)#interface vlan 10 ASW1(config-if)#ip address 192.168.10.100 255.255.255.0 ASW1(config-if)#no shut ASW1(config-if)#exit Setup VLAN 20 ASW1(config)#interface vlan 20 ASW1(config-if)#ip address 192.168.20.100 255.255.255.0 ASW1(config-if)#no shut ASW1(config-if)#exit Setup Fastethernet Interfaces ASW1(config)#interface fastethernet 0/1 ASW1(config-if)#description ASW1 - DSW1 ASW1(config-if)#no shut ASW1(config-if)#exit ASW1(config)#interface fastethernet 0/2 ASW1(config-if)#description ASW1 - DSW1 ASW1(config-if)#no shut ASW1(config-if)#exit ASW1(config)#interface fastethernet 0/3 ASW1(config-if)#description ASW1 - DSW2 ASW1(config-if)#no shut ASW1(config-if)#exit ASW1(config)#interface fastethernet 0/4 ASW1(config-if)#description ASW1 - DSW2 ASW1(config-if)#no shut ASW1(config-if)#exit Setup Fastethernet 0/12 for 10mbs half duplex as an access level end-point interface ASW1(config)#interface fastethernet 0/12 ASW1(config-if)#description ASW1 - PC1 ASW1(config-if)#speed 10 ASW1(config-if)#duplex half ASW1(config-if)#switchport Make the port as an access port ASW1(config-if)#switchport mode access Make the port an access port for VLAN 10 ASW1(config-if)#switchport access vlan 10 Enable PortFast on end-points ASW1(config-if)#spanning-tree portfast ASW1(config-if)#no shut ASW1(config-if)#exit Associate VLANs with Fe 1 to 4 ASW1(config)#interface range fastethernet 0/1 - 4 ASW1(config-if-range)#speed 100 ASW1(config-if-range)#duplex auto ASW1(config-if-range)#switchport ASW1(config-if-range)#switchport trunk encapsulation dot1q ASW1(config-if-range)#switchport trunk native vlan 1 ASW1(config-if-range)#switchport trunk allowed vlan 1,20,10 ASW1(config-if-range)#switchport mode trunk Configure UplinkFast ASW1(config-if-range)#spanning-tree uplinkfast ASW1(config-if-range)#exit Aministratively shutdown all ports not connected ASW1(config)#interface range fastethernet 0/5 - 11 ASW1(config-if-range)#shut ASW1(config-if-range)#exit Enable Spanning Tree Protocol on VLANs ASW1(config)#spanning-tree vlan 1 ASW1(config)#spanning-tree vlan 10 ASW1(config)#spanning-tree vlan 20 Exit Global Configuration Mode ASW1(config)#exit Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct ASW1#show interfaces status Check that you configured STP DSW1#show spanning-tree Copy the running configuration to the startup configuration. I got in the bad habbit to do this the other way around for a while (did it in an exam)… oops copy start run ASW1#copy run start

Enter Privelaged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname ASW2 Enable secret and password ASW2(config)#enable password cisco ASW2(config)#enable secret cisco Setup the console port password ASW2(config)#line con 0 ASW2(config-line)#password cisco ASW2(config-line)#login ASW2(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password ASW2(config)#line vty 0 4 ASW2(config-line)#password cisco ASW2(config-line)#login ASW2(config-line)#exit Default Gateway ASW2(config-line)#ip default-gateway 192.168.1.50 Setup the default VLAN ASW2(config)#interface vlan 1 ASW2(config-if)#ip address 192.168.1.150 255.255.255.0 ASW2(config-if)#no shut ASW2(config-if)#exit Setup VLAN 10 ASW2(config)#interface vlan 10 ASW2(config-if)#ip address 192.168.10.150 255.255.255.0 ASW2(config-if)#no shut ASW2(config-if)#exit Setup VLAN 20 ASW2(config)#interface vlan 20 ASW2(config-if)#ip address 192.168.20.150 255.255.255.0 ASW2(config-if)#no shut ASW2(config-if)#exit Setup Fastethernet Interfaces ASW2(config)#interface fastethernet 0/1 ASW2(config-if)#description ASW2 - DSW2 ASW2(config-if)#no shut ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/2 ASW2(config-if)#description ASW2 - DSW2 ASW2(config-if)#no shut ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/3 ASW2(config-if)#description ASW2 - DSW1 ASW2(config-if)#no shut ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/4 ASW2(config-if)#description ASW2 - DSW1 ASW2(config-if)#no shut ASW2(config-if)#exit Setup Fastethernet 0/12 for 10mbs half duplex as an access level end-point interface ASW2(config)#interface fastethernet 0/12 ASW2(config-if)#description ASW2 - PC2 ASW2(config-if)#speed 10 ASW2(config-if)#duplex half ASW2(config-if)#switchport Make the port as an access port ASW2(config-if)#switchport mode access Make the port an access port for VLAN 20 ASW2(config-if)#switchport access vlan 20 Enable PortFast on end-points ASW2(config-if)#spanning-tree portfast ASW2(config-if)#no shut ASW2(config-if)#exit Associate VLANs with Fe 1 to 4 ASW2(config)#interface range fastethernet 0/1 - 4 ASW2(config-if-range)#speed 100 ASW2(config-if-range)#duplex auto ASW2(config-if-range)#switchport ASW2(config-if-range)#switchport trunk encapsulation dot1q ASW2(config-if-range)#switchport trunk native vlan 1 ASW2(config-if-range)#switchport trunk allowed vlan 1,20,10 ASW2(config-if-range)#switchport mode trunk Configure UplinkFast ASW2(config-if-range)#spanning-tree uplinkfast ASW2(config-if-range)#exit Aministratively shutdown all ports not connected ASW2(config)#interface range fastethernet 0/5 - 10 ASW2(config-if-range)#shut ASW2(config-if-range)#exit Enable Spanning Tree Protocol on VLANs ASW2(config)#spanning-tree vlan 1 ASW2(config)#spanning-tree vlan 10 ASW2(config)#spanning-tree vlan 20 Exit Global Configuration Mode ASW2(config)#exit Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct ASW2#show interfaces status Check that you configured STP ASW2#show spanning-tree Copy the running configuration to the startup configuration. I got in the bad habbit to do this the other way around for a while (did it in an exam)… oops copy start run ASW2#copy run start

The end result of this will be if you attempt to for example telnet from one of the ASW switches to the PCs (1 or 2) you should get the following:

ASW1#telnet 192.168.10.200 Trying 192.168.10.200 ... % Connection timed out; remote host not responding

Still trying to sort out LAB time so will test this out and update as needed.

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

BCMSN QoS Routing Lab 7

Published

Deon Botha

on June 19, 2008

in BCMSN, Certification, Cisco Systems, Concepts and Constructs and QoS

. 0 Comments

LAB_2

QoS

The idea behind this config is to enable Quality of Service (QoS) create access-lists that apply to certain traffic/data (TFTP, FTP and icmp (echo) in this case), define a class, create a policy define precedence and apply those settings to downstream switches. If you remember from previous QoS posts the higher the precedence (voice) the more important and delay sensitive the lower the precedence (www) the less delay sensitive and easier it can handle dropped packets without end-user issues.

PC1 is in VLAN 10 with IP address 192.168.10.200 255.255.255.0 Default Gateway (DG) 192.168.10.1

PC2 is in VLAN 20 with IP Address 192.168.20.250 255.255.255.0 DG 192.168.10.50

Enter Privelaged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname DSW1 Enable secret and password DSW1(config)#enable password cisco DSW1(config)#enable secret cisco Setup the console port password DSW1(config)#line con 0 DSW1(config-line)#password cisco DSW1(config-line)#login DSW1(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password DSW1(config)#line vty 0 4 DSW1(config-line)#password cisco DSW1(config-line)#login DSW1(config-line)#exit Setup the default VLAN DSW1(config)#interface vlan 1 DSW1(config-if)#ip address 192.168.1.1 255.255.255.0 DSW1(config-if)#no shut DSW1(config-if)#exit Setup VLAN 10 DSW1(config)#interface vlan 10 DSW1(config-if)#ip address 192.168.10.1 255.255.255.0 DSW1(config-if)#no shut DSW1(config-if)#exit Setup VLAN 20 DSW1(config)#interface vlan 20 DSW1(config-if)#ip address 192.168.20.1 255.255.255.0 DSW1(config-if)#no shut DSW1(config-if)#exit Setup Fastethernet Interfaces DSW1(config)#interface fastethernet 0/1 DSW1(config-if)#description DSW1 - ASW1 DSW1(config-if)#no shut DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/2 DSW1(config-if)#description DSW1 - ASW1 DSW1(config-if)#no shut DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/3 DSW1(config-if)#description DSW1 - ASW2 DSW1(config-if)#no shut DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/4 DSW1(config-if)#description DSW1 - ASW2 DSW1(config-if)#no shut DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/11 DSW1(config-if)#description DSW1 - DSW2 DSW1(config-if)#no shut DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/12 DSW1(config-if)#description DSW1 - DSW2 DSW1(config-if)#no shut DSW1(config-if)#exit Enable QoS Globally DSW1(config)#mls qos Create Access Lists DSW1(config)#access-list 150 permit udp any any eq tftp DSW1(config)#access-list 150 permit tcp any any eq ftp DSW1(config)#access-list 150 permit tcp any any eq ftp-data DSW1(config)#access-list 151 permit udp any any eq echo DSW1(config)#access-list 151 permit udp any any eq echo-reply DSW1(config)#access-list 151 permit udp any any eq echo Create a class map DSW1(config)#class-map File-Transfer DSW1(config-cmap)#match access-group 150 DSW1(config-cmap)#exit DSW1(config)#class-map Echo DSW1(config-cmap)#match access-group 151 DSW1(config-cmap)#exit Create a policy map DSW1(config)#policy-map Precedence DSW1(config-pmap)#class file-transfer DSW1(config-pmap-c)#set ip precedence 5 DSW1(config-pmap-c)#exit DSW1(config-pmap)#class echo DSW1(config-pmap-c)#set ip precedence 1 DSW1(config-pmap-c)#exit DSW1(config-pmap)#exit Associate VLANs with Fe 1 to 4 DSW1(config)#interface range fastethernet 0/1 - 4 DSW1(config-if-range)#speed 100 DSW1(config-if-range)#duplex auto DSW1(config-if-range)#switchport DSW1(config-if-range)#switchport trunk encapsulation dot1q DSW1(config-if-range)#switchport trunk native vlan 1 DSW1(config-if-range)#switchport trunk allowed vlan 1,20,10 DSW1(config-if-range)#switchport mode trunk Apply QoS Policy DSW1(config-if-range)#service-policy input precedence DSW1(config-if-range)#exit Associate VLANs with Fe 11 and 12 DSW1(config)#interface range fastethernet 0/11 - 12 DSW1(config-if-range)#speed 100 DSW1(config-if-range)#duplex auto DSW1(config-if-range)#switchport DSW1(config-if-range)#switchport trunk encapsulation dot1q DSW1(config-if-range)#switchport trunk native vlan 1 DSW1(config-if-range)#switchport trunk allowed vlan 1,20,10 DSW1(config-if-range)#switchport mode trunk DSW1(config-if-range)#exit Aministratively shutdown all ports not connected DSW1(config)#interface range fastethernet 0/5 - 10 DSW1(config-if-range)#shut DSW1(config-if-range)#exit Enable Spanning Tree Protocol on VLANs DSW1(config)#spanning-tree vlan 1 root primary DSW1(config)#spanning-tree vlan 10 root primary DSW1(config)#spanning-tree vlan 20 root secondary Enable Routing and a Protocol DSW1(config)#ip routing DSW1(config)#router eigrp 100 DSW1(config-router)#network 192.168.0.0 DSW1(config-router)#exit Exit Global Configuration Mode DSW1(config)#exit Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct DSW1#show interfaces status Check that you configured STP DSW1#show spanning-tree Check routing is correct DSW1#show ip route Check QoS is enabled DSW1#show mls qos Check Access Lists DSW1#show access-lists Check class maps DSW1#show class-map Check policy map DSW1#show policy-map Check that QoS is applied to the interfaces DSW1#show run | begin interface FastEthernet 0/1 Copy the running configuration to the startup configuration. I got in the bad habbit to do this the other way around for a while (did it in an exam)… oops copy start run DSW1#copy run start

Enter Privelaged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname DSW2 Enable secret and password DSW2(config)#enable password cisco DSW2(config)#enable secret cisco Setup the console port password DSW2(config)#line con 0 DSW2(config-line)#password cisco DSW2(config-line)#login DSW2(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password DSW2(config)#line vty 0 4 DSW2(config-line)#password cisco DSW2(config-line)#login DSW2(config-line)#exit Setup the default VLAN DSW2(config)#interface vlan 1 DSW2(config-if)#ip address 192.168.1.50 255.255.255.0 DSW2(config-if)#no shut DSW2(config-if)#exit Setup VLAN 10 DSW2(config)#interface vlan 10 DSW2(config-if)#ip address 192.168.10.50 255.255.255.0 DSW2(config-if)#no shut DSW2(config-if)#exit Setup VLAN 20 DSW2(config)#interface vlan 20 DSW2(config-if)#ip address 192.168.20.50 255.255.255.0 DSW2(config-if)#no shut DSW2(config-if)#exit Setup Fastethernet Interfaces DSW2(config)#interface fastethernet 0/1 DSW2(config-if)#description DSW2 - ASW2 DSW2(config-if)#no shut DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/2 DSW2(config-if)#description DSW2 - ASW2 DSW2(config-if)#no shut DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/3 DSW2(config-if)#description DSW2 - ASW1 DSW2(config-if)#no shut DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/4 DSW2(config-if)#description DSW2 - ASW1 DSW2(config-if)#no shut DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/11 DSW2(config-if)#description DSW2 - DSW1 DSW2(config-if)#no shut DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/12 DSW2(config-if)#description DSW2 - DSW1 DSW2(config-if)#no shut DSW2(config-if)#exit Enable QoS Globally DSW2(config)#mls qos Create Access Lists DSW2(config)#access-list 150 permit udp any any eq tftp DSW2(config)#access-list 150 permit tcp any any eq ftp DSW2(config)#access-list 150 permit tcp any any eq ftp-data DSW2(config)#access-list 151 permit udp any any eq echo DSW2(config)#access-list 151 permit udp any any eq echo-reply DSW2(config)#access-list 151 permit udp any any eq echo Create a class map DSW2(config)#class-map File-Transfer DSW2(config-cmap)#match access-group 150 DSW2(config-cmap)#exit DSW2(config)#class-map Echo DSW2(config-cmap)#match access-group 151 DSW2(config-cmap)#exit Create a policy map DSW2(config)#policy-map Precedence DSW2(config-pmap)#class file-transfer DSW2(config-pmap-c)#set ip precedence 5 DSW2(config-pmap-c)#exit DSW2(config-pmap)#class echo DSW2(config-pmap-c)#set ip precedence 1 DSW2(config-pmap-c)#exit DSW2(config-pmap)#exit Associate VLANs with Fe 1 to 4 DSW2(config)#interface range fastethernet 0/1 - 4 DSW2(config-if-range)#speed 100 DSW2(config-if-range)#duplex auto DSW2(config-if-range)#switchport DSW2(config-if-range)#switchport trunk encapsulation dot1q DSW2(config-if-range)#switchport trunk native vlan 1 DSW2(config-if-range)#switchport trunk allowed vlan 1,20,10 DSW2(config-if-range)#switchport mode trunk Apply QoS Policy DSW2(config-if-range)#service-policy input precedence DSW2(config-if-range)#exit Associate VLANs with Fe 11 and 12 DSW2(config)#interface range fastethernet 0/11 - 12 DSW2(config-if-range)#speed 100 DSW2(config-if-range)#duplex auto DSW2(config-if-range)#switchport DSW2(config-if-range)#switchport trunk encapsulation dot1q DSW2(config-if-range)#switchport trunk native vlan 1 DSW2(config-if-range)#switchport trunk allowed vlan 1,20,10 DSW2(config-if-range)#switchport mode trunk DSW2(config-if-range)#exit Aministratively shutdown all ports not connected DSW2(config)#interface range fastethernet 0/5 - 10 DSW2(config-if-range)#shut DSW2(config-if-range)#exit Enable Spanning Tree Protocol on VLANs DSW2(config)#spanning-tree vlan 1 root secondary DSW2(config)#spanning-tree vlan 10 root secondary DSW2(config)#spanning-tree vlan 20 root primary Enable Routing and a Protocol DSW2(config)#ip routing DSW2(config)#router eigrp 100 DSW2(config-router)#network 192.168.0.0 DSW2(config-router)#exit Exit Global Configuration Mode DSW2(config)#exit Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct DSW2#show interfaces status Check that you configured STP DSW2#show spanning-tree Check routing is correct DSW2#show ip route Check QoS is enabled DSW2#show mls qos Check Access Lists DSW2#show access-lists Check class maps DSW2#show class-map Check policy map DSW2#show policy-map Check that QoS is applied to the interfaces DSW2#show run | begin interface FastEthernet 0/1 Copy the running configuration to the startup configuration. I got in the bad habbit to do this the other way around for a while (did it in an exam)… oops copy start run DSW2#copy run start

Enter Privelaged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname ASW2 Enable secret and password ASW2(config)#enable password cisco ASW2(config)#enable secret cisco Setup the console port password ASW2(config)#line con 0 ASW2(config-line)#password cisco ASW2(config-line)#login ASW2(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password ASW2(config)#line vty 0 4 ASW2(config-line)#password cisco ASW2(config-line)#login ASW2(config-line)#exit Default Gateway ASW2(config-line)#ip default-gateway 192.168.1.50 Setup the default VLAN ASW2(config)#interface vlan 1 ASW2(config-if)#ip address 192.168.1.150 255.255.255.0 ASW2(config-if)#no shut ASW2(config-if)#exit Setup VLAN 10 ASW2(config)#interface vlan 10 ASW2(config-if)#ip address 192.168.10.150 255.255.255.0 ASW2(config-if)#no shut ASW2(config-if)#exit Setup VLAN 20 ASW2(config)#interface vlan 20 ASW2(config-if)#ip address 192.168.20.150 255.255.255.0 ASW2(config-if)#no shut ASW2(config-if)#exit Setup Fastethernet Interfaces ASW2(config)#interface fastethernet 0/1 ASW2(config-if)#description ASW2 - DSW2 ASW2(config-if)#no shut ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/2 ASW2(config-if)#description ASW2 - DSW2 ASW2(config-if)#no shut ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/3 ASW2(config-if)#description ASW2 - DSW1 ASW2(config-if)#no shut ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/4 ASW2(config-if)#description ASW2 - DSW1 ASW2(config-if)#no shut ASW2(config-if)#exit Setup Fastethernet 0/12 for 10mbs half duplex as an access level end-point interface ASW2(config)#interface fastethernet 0/12 ASW2(config-if)#description ASW2 - PC2 ASW2(config-if)#speed 10 ASW2(config-if)#duplex half ASW1(config-if)#switchport Make the port as an access port ASW2(config-if)#switchport mode access Make the port an access port for VLAN 20 ASW2(config-if)#switchport access vlan 20 Enable PortFast on end-points ASW2(config-if)#spanning-tree portfast ASW2(config-if)#no shut ASW2(config-if)#exit Associate VLANs with Fe 1 to 4 ASW2(config)#interface range fastethernet 0/1 - 4 ASW2(config-if-range)#speed 100 ASW2(config-if-range)#duplex auto ASW2(config-if-range)#switchport ASW2(config-if-range)#switchport trunk encapsulation dot1q ASW2(config-if-range)#switchport trunk native vlan 1 ASW2(config-if-range)#switchport trunk allowed vlan 1,20,10 ASW2(config-if-range)#switchport mode trunk Configure UplinkFast ASW2(config-if-range)#spanning-tree uplinkfast ASW2(config-if-range)#exit Aministratively shutdown all ports not connected ASW2(config)#interface range fastethernet 0/5 - 10 ASW2(config-if-range)#shut ASW2(config-if-range)#exit Enable Spanning Tree Protocol on VLANs ASW2(config)#spanning-tree vlan 1 ASW2(config)#spanning-tree vlan 10 ASW2(config)#spanning-tree vlan 20 Exit Global Configuration Mode ASW2(config)#exit Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct ASW2#show interfaces status Check that you configured STP DSW1#show spanning-tree Copy the running configuration to the startup configuration. I got in the bad habbit to do this the other way around for a while (did it in an exam)… oops copy start run ASW2#copy run start

Notes and Notices:

BCMSN Layer 3 Routing Lab 6

Published

Deon Botha

on June 19, 2008

in BCMSN, Certification and Cisco Systems

. 0 Comments

LAB_2

Layer 3 Switching

PC1 is in VLAN 10 with IP address 192.168.10.200 255.255.255.0 Default Gateway (DG) 192.168.10.1

PC2 is in VLAN 20 with IP Address 192.168.20.250 255.255.255.0 DG 192.168.10.50

Enter Privelaged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname ASW2 Enable secret and password ASW2(config)#enable password cisco ASW2(config)#enable secret cisco Setup the console port password ASW2(config)#line con 0 ASW2(config-line)#password cisco ASW2(config-line)#login ASW2(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password ASW2(config)#line vty 0 4 ASW2(config-line)#password cisco ASW2(config-line)#login ASW2(config-line)#exit Default Gateway ASW2(config-line)#ip default-gateway 192.168.1.50 Setup the default VLAN ASW2(config)#interface vlan 1 ASW2(config-if)#ip address 192.168.1.150 255.255.255.0 ASW2(config-if)#no shut ASW2(config-if)#exit Setup VLAN 10 ASW2(config)#interface vlan 10 ASW2(config-if)#ip address 192.168.10.150 255.255.255.0 ASW2(config-if)#no shut ASW2(config-if)#exit Setup VLAN 20 ASW2(config)#interface vlan 20 ASW2(config-if)#ip address 192.168.20.150 255.255.255.0 ASW2(config-if)#no shut ASW2(config-if)#exit Setup Fastethernet Interfaces ASW2(config)#interface fastethernet 0/1 ASW2(config-if)#description ASW2 - DSW2 ASW2(config-if)#no shut ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/2 ASW2(config-if)#description ASW2 - DSW2 ASW2(config-if)#no shut ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/3 ASW2(config-if)#description ASW2 - DSW1 ASW2(config-if)#no shut ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/4 ASW2(config-if)#description ASW2 - DSW1 ASW2(config-if)#no shut ASW2(config-if)#exit Setup Fastethernet 0/12 for 10mbs half duplex as an access level end-point interface ASW2(config)#interface fastethernet 0/12 ASW2(config-if)#description ASW2 - PC2 ASW2(config-if)#speed 10 ASW2(config-if)#duplex half ASW1(config-if)#switchport Make the port as an access port ASW2(config-if)#switchport mode access Make the port an access port for VLAN 20 ASW2(config-if)#switchport access vlan 20 Enable PortFast on end-points ASW2(config-if)#spanning-tree portfast ASW2(config-if)#no shut ASW2(config-if)#exit Associate VLANs with Fe 1 to 4 ASW2(config)#interface range fastethernet 0/1 - 4 ASW2(config-if-range)#speed 100 ASW2(config-if-range)#duplex auto ASW2(config-if-range)#switchport ASW2(config-if-range)#switchport trunk encapsulation dot1q ASW2(config-if-range)#switchport trunk native vlan 1 ASW2(config-if-range)#switchport trunk allowed vlan 1,20,10 ASW2(config-if-range)#switchport mode trunk Configure UplinkFast ASW2(config-if-range)#spanning-tree uplinkfast ASW2(config-if-range)#exit Aministratively shutdown all ports not connected ASW2(config)#interface range fastethernet 0/5 - 10 ASW2(config-if-range)#shut ASW2(config-if-range)#exit Enable Spanning Tree Protocol on VLANs ASW2(config)#spanning-tree vlan 1 ASW2(config)#spanning-tree vlan 10 ASW2(config)#spanning-tree vlan 20 Exit Global Configuration Mode ASW2(config)#exit Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct ASW2#show interfaces status Check that you configured STP DSW1#show spanning-tree Copy the running configuration to the startup configuration. I got in the bad habbit to do this the other way around for a while (did it in an exam)… oops copy start run ASW2#copy run start

The point of this exercise is is to get a dynamic routing protocol in this case EIGRP working.

Notes and Notices:

BCMSN STP Lab 5

Published

Deon Botha

on June 10, 2008

in BCMSN, Certification, Cisco Systems, Concepts and Constructs and STP

. 0 Comments

LAB_2

Spanning Tree Protocol
As a base config use the config of LAB 3 because this enables trunking between all the switches. The reason for this is because you want VLAN 1, 10, and 20 are going to be passed between ASW and DSW switches.

For reference look at this document it contains STP, PortFast and UplinkFast information and configuration information.

Enter Privelaged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname ASW1 Enable secret and password ASW1(config)#enable password cisco ASW1(config)#enable secret cisco Setup the console port password ASW1(config)#line con 0 ASW1(config-line)#password cisco ASW1(config-line)#login ASW1(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password ASW1(config)#line vty 0 4 ASW1(config-line)#password cisco ASW1(config-line)#login ASW1(config-line)#exit Setup the default VLAN ASW1(config)#interface vlan 1 ASW1(config-if)#ip address 192.168.1.100 255.255.255.0 ASW1(config-if)#no shut ASW1(config-if)#exit Setup VLAN 10 ASW1(config)#interface vlan 10 ASW1(config-if)#ip address 192.168.10.100 255.255.255.0 ASW1(config-if)#no shut ASW1(config-if)#exit Setup VLAN 20 ASW1(config)#interface vlan 20 ASW1(config-if)#ip address 192.168.20.100 255.255.255.0 ASW1(config-if)#no shut ASW1(config-if)#exit Setup Fastethernet Interfaces ASW1(config)#interface fastethernet 0/1 ASW1(config-if)#description ASW1 - DSW1 ASW1(config-if)#no shut ASW1(config-if)#exit ASW1(config)#interface fastethernet 0/2 ASW1(config-if)#description ASW1 - DSW1 ASW1(config-if)#no shut ASW1(config-if)#exit ASW1(config)#interface fastethernet 0/3 ASW1(config-if)#description ASW1 - DSW2 ASW1(config-if)#no shut ASW1(config-if)#exit ASW1(config)#interface fastethernet 0/4 ASW1(config-if)#description ASW1 - DSW2 ASW1(config-if)#no shut ASW1(config-if)#exit Setup Fastethernet 0/12 for 10mbs half duplex as an access level end-point interface ASW1(config)#interface fastethernet 0/12 ASW1(config-if)#description ASW1 - PC1 ASW1(config-if)#speed 10 ASW1(config-if)#duplex half ASW1(config-if)#switchport Make the port as an access port ASW1(config-if)#switchport mode access Make the port an access port for VLAN 10 ASW1(config-if)#switchport access vlan 10 Enable PortFast on end-points ASW1(config-if)#spanning-tree portfast ASW1(config-if)#no shut ASW1(config-if)#exit Associate VLANs with Fe 1 to 4 ASW1(config)#interface range fastethernet 0/1 - 4 ASW1(config-if-range)#speed 100 ASW1(config-if-range)#duplex auto ASW1(config-if-range)#switchport ASW1(config-if-range)#switchport trunk encapsulation dot1q ASW1(config-if-range)#switchport trunk native vlan 1 ASW1(config-if-range)#switchport trunk allowed vlan 1,20,10 ASW1(config-if-range)#switchport mode trunk Configure UplinkFast ASW1(config-if-range)#spanning-tree uplinkfast ASW1(config-if-range)#exit Aministratively shutdown all ports not connected ASW1(config)#interface range fastethernet 0/5 - 11 ASW1(config-if-range)#shut ASW1(config-if-range)#exit Enable Spanning Tree Protocol on VLANs ASW1(config)#spanning-tree vlan 1 ASW1(config)#spanning-tree vlan 10 ASW1(config)#spanning-tree vlan 20 Exit Global Configuration Mode ASW1(config)#exit Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct ASW1#show interfaces status Check that you configured STP DSW1#show spanning-tree Copy the running configuration to the startup configuration. I got in the bad habbit to do this the other way around for a while (did it in an exam)… oops copy start run ASW1#copy run start

Enter Privelaged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname ASW2 Enable secret and password ASW2(config)#enable password cisco ASW2(config)#enable secret cisco Setup the console port password ASW2(config)#line con 0 ASW2(config-line)#password cisco ASW2(config-line)#login ASW2(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password ASW2(config)#line vty 0 4 ASW2(config-line)#password cisco ASW2(config-line)#login ASW2(config-line)#exit Setup the default VLAN ASW2(config)#interface vlan 1 ASW2(config-if)#ip address 192.168.1.150 255.255.255.0 ASW2(config-if)#no shut ASW2(config-if)#exit Setup VLAN 10 ASW2(config)#interface vlan 10 ASW2(config-if)#ip address 192.168.10.150 255.255.255.0 ASW2(config-if)#no shut ASW2(config-if)#exit Setup VLAN 20 ASW2(config)#interface vlan 20 ASW2(config-if)#ip address 192.168.20.150 255.255.255.0 ASW2(config-if)#no shut ASW2(config-if)#exit Setup Fastethernet Interfaces ASW2(config)#interface fastethernet 0/1 ASW2(config-if)#description ASW2 - DSW2 ASW2(config-if)#no shut ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/2 ASW2(config-if)#description ASW2 - DSW2 ASW2(config-if)#no shut ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/3 ASW2(config-if)#description ASW2 - DSW1 ASW2(config-if)#no shut ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/4 ASW2(config-if)#description ASW2 - DSW1 ASW2(config-if)#no shut ASW2(config-if)#exit Setup Fastethernet 0/12 for 10mbs half duplex as an access level end-point interface ASW2(config)#interface fastethernet 0/12 ASW2(config-if)#description ASW2 - PC2 ASW2(config-if)#speed 10 ASW2(config-if)#duplex half ASW1(config-if)#switchport Make the port as an access port ASW2(config-if)#switchport mode access Make the port an access port for VLAN 20 ASW2(config-if)#switchport access vlan 20 Enable PortFast on end-points ASW2(config-if)#spanning-tree portfast ASW2(config-if)#no shut ASW2(config-if)#exit Associate VLANs with Fe 1 to 4 ASW2(config)#interface range fastethernet 0/1 - 4 ASW2(config-if-range)#speed 100 ASW2(config-if-range)#duplex auto ASW2(config-if-range)#switchport ASW2(config-if-range)#switchport trunk encapsulation dot1q ASW2(config-if-range)#switchport trunk native vlan 1 ASW2(config-if-range)#switchport trunk allowed vlan 1,20,10 ASW2(config-if-range)#switchport mode trunk Configure UplinkFast ASW2(config-if-range)#spanning-tree uplinkfast ASW2(config-if-range)#exit Aministratively shutdown all ports not connected ASW2(config)#interface range fastethernet 0/5 - 10 ASW2(config-if-range)#shut ASW2(config-if-range)#exit Enable Spanning Tree Protocol on VLANs ASW2(config)#spanning-tree vlan 1 ASW2(config)#spanning-tree vlan 10 ASW2(config)#spanning-tree vlan 20 Exit Global Configuration Mode ASW2(config)#exit Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct ASW2#show interfaces status Check that you configured STP DSW1#show spanning-tree Copy the running configuration to the startup configuration. I got in the bad habbit to do this the other way around for a while (did it in an exam)… oops copy start run ASW2#copy run start

PC1 is in VLAN 10 with IP address 192.168.10.200 255.255.255.0
PC2 is in VLAN 20 with IP Address 192.168.20.250 255.255.255.0

Notes and Notices:

BCMSN VTP Lab 4

Published

Deon Botha

on June 10, 2008

in BCMSN, Certification, Cisco Systems and VTP

. 0 Comments

VTP

This post I am going to deviate from how I have done things. In the previous posts I wrote out the entire configurations, in this post all I need is a working configuration. Use the initial config and work from here that has trunk links and setup VTP.

Run the following config on the DSW switches (both of them)

DSW1(config)#interface range fastethernet 0/1 - 4 DSW1(config-if-range)#no switchport trunk allowed vlan 1,100 DSW1(config)#interface range fastethernet 0/11 - 12 DSW1(config-if-range)#no switchport trunk allowed vlan 1,100

And this config on the ASW switches (both of them)

ASW1(config)#interface range fastethernet 0/1 - 4 ASW1(config-if-range)#no switchport trunk allowed vlan 1,100

This is because the top commands restrict the vlans to only allow vlan 1 and vlan 100 on the trunk. By default a trunk link will allow all vlans but one can restrict what vlans are allowed over a trunk through the use of the above commands (slipped it in there didn’t I).

Some comment on VTP is that it is a very funny animal to work with (even if it is dead useful. If you do it wrong you lose all VLANs in the VLAN database because of how an update happens from server to client. This makes VTP a very dangerous beast because in large networks there may be 100s of VLANs (you can double that number if you run voice and use separate vlans for each voice end-point) and if you add a new switch to VTP that’s configured wrong…. POOF…..like magic all VLANs gone

To begin a VTP configuration see below and notice how I start with the mode command, this is just something I do because I like knowing it starts in the right mode, its paranoia more than anything and getting it wrong enough that makes me do this. You may do it in another way (at your own risk).

Its an idea to go over the table I have on this page regarding the VTP Modes so that you understand why you use a certain mode at a certain times. If you need to for example add a switch to a network where the switch must NEVER participate in VTP for example you use transparent

Step 1.1: Configure VTP

Enter Global Configuration Mode ASW1#configure terminal Set the VTP Mode ASW1(config)#vtp mode transparent Set the VTP Version 1/2 and 3 (higher level switch platforms) ASW1(config)#vtp version 2 Set the password and domain to prevent unauthorized joining to the VTP domain ASW1(config)#vtp password cisco ASW1(config)#vtp domain ciscolabnet Exit Global Configuration Mode ASW1(config)#exit

Step 1.2: Add VLANs

Enter VLAN Database Mode ASW1#vlan database Create a VLAN and assign it a name ASW1(vlan)#vlan 100 name Marketing VLAN 100 added: Name: Marketing Create another VLAN and assign it a name ASW1(vlan)#vlan 150 name Sales VLAN 150 added: Name: Sales APPLY your config (it will do this anyway on the next step but just make sure it applies changes) ASW1(vlan)#apply Exit VLAN Database Mode ASW1(vlan)#exit APPLY completed. Exiting.......

Repeat the above steps exactly on ASW2. The VTP process is now running on both ASW switches. To check that this is the case:

ASW2#show vtp status

The DSWs I am going to make clients to the ASWs (bottom-up)

Step 2: Configure VTP on the DSW switches

Enter Global Configuration Mode DSW1#configure terminal Set the VTP Mode DSW1(config)#vtp mode client Set the VTP Version 1/2 and 3 (higher level switch platforms) DSW1(config)#vtp version 2 Set the password and domain to prevent unauthorized joining to the VTP domain DSW1(config)#vtp password cisco DSW1(config)#vtp domain cisco Exit Global Configuration Mode DSW1(config)#exit

Step 3: Change the VTP Mode on the ASW switches

Do the same config on DSW2 making sure you configure the mode as client. After this is done go back to the ASWs and change them to servers:

ASW1#configure terminal ASW1(config)#vtp mode server

ASW2#configure terminal ASW2(config)#vtp mode server

After you have done this go to all the switches and try the following command

ASW2#show vlan

You should see the Sales and Marketing VLANS propogated on all the switches.

Notes and Notices:

BCMSN Trunking Lab 3

Published

Deon Botha

on June 10, 2008

in BCMSN, Certification, Cisco Systems and Trunk

. 2 Comments

Im grafting so quantity over quality… I will go over this sometime this coming weekend for mistakes

Trunking

This lab builds directly onto the previous lab where the default VLAN was shut and a new VLAN was created (basically to give practice for creating a vlan). This lab will now create trunk links between switches to allow more than a single VLANs information to traverse a link. If you are wondering why I am explicitly declaring trunks instead of allowing DTP to do its thing read this, and this.

Distribution Switch 1

Step 1: Setup the basics all of the following is CCNA level stuff and should easy if not second nature. This is to get the security and host name down before going onto the interface configuration.

Enter Privileged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname DSW1 Enable secret and password DSW1(config)#enable secret ciscosystems DSW1(config)#enable password cisco Setup a local user database DSW1(config)#username admin@mydomain.com privilege 15 password cisco Setup the console port password DSW1(config)#line con 0 DSW1(config-line)#login local DSW1(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password DSW1(config)#line vty 0 4 DSW1(config-line)#password cisco DSW1(config-line)#login DSW1(config-line)#exit Setup the Auxiliary Password DSW1(config)#line aux 0 DSW1(config-line)#no exec DSW1(config-line)#exit

Step 2: Setup the management interface

Setup the default VLAN ip address from remote ip admin if there was a GUI and to Telnet to the switch DSW1(config)#interface vlan 1 DSW1(config-if)#ip address 192.168.1.1 255.255.255.0 NB I am shutting the interface DSW1(config-if)#shut DSW1(config-if)#exit

Step 3: Assign an ip address to the new VLAN to ping

Setup VLAN 100 ip address from remote ip admin if there was a GUI and to Telnet to the switch DSW1(config)#interface vlan 100 DSW1(config-if)#ip address 192.168.100.1 255.255.255.0 DSW1(config-if)#no shut DSW1(config-if)#exit

Step 4: Setup other interfaces

Setup Fastethernet Interfaces DSW1(config)#interface fastethernet 0/1 DSW1(config-if)#description DSW1 - ASW1 DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/2 DSW1(config-if)#description DSW1 - ASW1 DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/3 DSW1(config-if)#description DSW1 - ASW2 DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/4 DSW1(config-if)#description DSW1 - ASW2 DSW1(config-if)#exit Create and Associate VLAN 100 with Fe 1 to 4 DSW1(config)#interface range fastethernet 0/1 - 4 DSW1(config-if-range)#speed 100 DSW1(config-if-range)#duplex auto DSW1(config-if-range)#switchport DSW1(config-if-range)#switchport trunk encapsulation dot1q DSW1(config-if-range)#switchport trunk native vlan 1 DSW1(config-if-range)#switchport trunk allowed vlan 1,100 DSW1(config-if-range)#switchport mode trunk DSW1(config-if-range)#exit DSW1(config)#interface fastethernet 0/11 DSW1(config-if)#description DSW1 - DSW2 DSW1(config-if)#exit DSW1(config)#interface fastethernet 0/12 DSW1(config-if)#description DSW1 - DSW2 DSW1(config-if)#exit Associate VLAN 100 with Fe 11 and 12 DSW1(config)#interface range fastethernet 0/11 - 12 DSW1(config-if-range)#speed 100 DSW1(config-if-range)#duplex auto DSW1(config-if-range)#switchport DSW1(config-if-range)#switchport trunk encapsulation dot1q DSW1(config-if-range)#switchport trunk native vlan 1 DSW1(config-if-range)#switchport trunk allowed vlan 1,100 DSW1(config-if-range)#switchport mode trunk DSW1(config-if-range)#exit

Step 5: Shut down non-used interfaces

Administratively shut down all ports not connected DSW1(config)#interface range fastethernet 0/5 - 10 DSW1(config-if-range)#shut DSW1(config-if-range)#exit Exit Global Configuration Mode DSW1(config)#exit

Step 6: Check your work

Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct DSW1#show interfaces status show the vlans that are configured DSW1#show vlan show switchport you can change the fastethernet 0/4 for any active port for information DSW1#show interface fasthethernet 0/4 switchport show which interfaces are trunking DSW1#show interfaces trunk show run the running configuration DSW1#show run

Step 7: Save your work

Copy the running configuration to the startup configuration. I got in the bad habbit to do this the other way around for a while (did it in an exam)... oops copy start run DSW1#copy run start

Distribution Switch 2

Enter Privileged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname DSW2 Enable secret and password DSW2(config)#enable secret cisco DSW2(config)#enable password cisco Setup a local user database DSW2(config)#username admin@mydomain.com privilege 15 password cisco Setup the console port password DSW2(config)#line con 0 DSW2(config-line)#login local DSW2(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password DSW2(config)#line vty 0 4 DSW2(config-line)#password cisco DSW2(config-line)#login DSW2(config-line)#exit Setup the Auxiliary Password DSW2(config)#line aux 0 DSW2(config-line)#no exec DSW2(config-line)#exit

Step 2: Setup the management interface

Setup the default VLAN ip address from remote ip admin if there was a GUI and to Telnet to the switch DSW2(config)#interface vlan 1 DSW2(config-if)#ip address 192.168.1.50 255.255.255.0 NB I am shutting the interface DSW2(config-if)#shut DSW2(config-if)#exit

Step 3: Assign an ip address to the new VLAN to ping

Setup the VLAN ip address DSW2(config)#interface vlan 100 DSW2(config-if)#ip address 192.168.100.50 255.255.255.0 DSW2(config-if)#no shut DSW2(config-if)#exit

Step 4: Setup other interfaces

Setup Fastethernet Interfaces DSW2(config)#interface fastethernet 0/1 DSW2(config-if)#description DSW1 - ASW1 DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/2 DSW2(config-if)#description DSW1 - ASW1 DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/3 DSW2(config-if)#description DSW1 - ASW2 DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/4 DSW2(config-if)#description DSW1 - ASW2 DSW2(config-if)#exit Create and Associate VLAN 100 with Fe 1 to 4 DSW2(config)#interface range fastethernet 0/1 - 4 DSW2(config-if-range)#speed 100 DSW2(config-if-range)#duplex full DSW2(config-if-range)#switchport DSW2(config-if-range)#switchport trunk encapsulation dot1q DSW2(config-if-range)#switchport trunk native vlan 1 DSW2(config-if-range)#switchport trunk allowed vlan 1,100 DSW2(config-if-range)#switchport mode trunk DSW2(config-if-range)#exit DSW2(config)#interface fastethernet 0/11 DSW2(config-if)#description DSW1 - DSW2 DSW2(config-if)#exit DSW2(config)#interface fastethernet 0/12 DSW2(config-if)#description DSW1 - DSW2 DSW2(config-if)#exit Associate VLAN 100 with Fe 11 and 12 DSW2(config)#interface range fastethernet 0/11 - 12 DSW2(config-if-range)#speed 100 DSW2(config-if-range)#duplex full DSW2(config-if-range)#switchport DSW2(config-if-range)#switchport trunk encapsulation dot1q DSW2(config-if-range)#switchport trunk native vlan 1 DSW2(config-if-range)#switchport trunk allowed vlan 1,100 DSW2(config-if-range)#switchport mode trunk DSW2(config-if-range)#exit

Step 5: Shut down non-used interfaces

Aministratively shutdown all ports not connected DSW2(config)#interface range fastethernet 0/5 - 10 DSW2(config-if-range)#shut DSW2(config-if-range)#exit Exit Global Configuration Mode DSW2(config)#exit

Step 6: Check your work

Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct DSW2#show interfaces status show the vlans that are configured DSW2#show vlan show switchport you can change the fastethernet 0/4 for any active port for information DSW2#show interface fasthethernet 0/4 switchport show which interfaces are trunking DSW2#show interfaces trunk show run the running configuration DSW2#show run

Step 7: Save your work

Copy the running configuration to the startup configuration. I got in the bad habbit to do this the other way around for a while (did it in an exam)... oops copy start run DSW2#copy run start

Access Switch 1

Enter Privileged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname ASW1 Enable secret and password ASW1(config)#enable secret cisco ASW1(config)#enable password cisco Setup a local user database ASW1(config)#username admin@mydomain.com privilege 15 password cisco Setup the console port password ASW1(config)#line con 0 ASW1(config-line)#login local ASW1(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password ASW1(config)#line vty 0 4 ASW1(config-line)#password cisco ASW1(config-line)#login ASW1(config-line)#exit Setup the Auxiliary Password ASW1(config)#line aux 0 ASW1(config-line)#no exec ASW1(config-line)#exit

Step 2: Setup the management interface

Setup the default VLAN ip address from remote ip admin if there was a GUI and to Telnet to the switch ASW1(config)#interface vlan 1 ASW1(config-if)#ip address 192.168.1.100 255.255.255.0 NB I am shutting the interface ASW1(config-if)#shut ASW1(config-if)#exit

Step 3: Assign an ip address to the new VLAN to ping

Create VLAN 100 and Configure Interface ASW1(config)#vlan 100 name Marketing ASW1(config)#interface vlan 100 ASW1(config-if)#ip address 192.168.100.100 255.255.255.0 ASW1(config-if)#no shut ASW1(config-if)#exit

Step 4: Setup other interfaces

Setup Fastethernet Interfaces ASW1(config)#interface fastethernet 0/1 ASW1(config-if)#description DSW1 - ASW1 ASW1(config-if)#exit ASW1(config)#interface fastethernet 0/2 ASW1(config-if)#description DSW1 - ASW1 ASW1(config-if)#exit ASW1(config)#interface fastethernet 0/3 ASW1(config-if)#description DSW1 - ASW2 ASW1(config-if)#exit ASW1(config)#interface fastethernet 0/4 ASW1(config-if)#description DSW1 - ASW2 ASW1(config-if)#exit Associate VLAN 100 with Fe 1 to 4 ASW1(config)#interface range fastethernet 0/1 - 4 ASW1(config-if-range)#speed 100 ASW1(config-if-range)#duplex full ASW1(config-if-range)#switchport ASW1(config-if-range)#switchport trunk encapsulation dot1q ASW1(config-if-range)#switchport trunk native vlan 1 ASW1(config-if-range)#switchport trunk allowed vlan 1,100 ASW1(config-if-range)#switchport mode trunk ASW1(config-if-range)#exit

Step 5: This is where the ASW and the DSW switches differ. This connects to the Workstation end-point where the DSW switches use port 11/12 to provide failover for the distribution

Setup Fastethernet 0/12 for 10mbs half duplex as an access level end-point interface ASW1(config)#interface fastethernet 0/12 ASW1(config-if)#description ASW1 - PC1 ASW1(config-if)#speed 10 ASW1(config-if)#duplex half ASW1(config-if)#switchport Make the port as an access port ASW1(config-if)#switchport mode access Make the port an access port for VLAN 100 ASW1(config-if)#switchport access vlan 100 ASW1(config-if)#no shut ASW1(config-if)#exit

Step 6: Shut down non-used interfaces

Administratively shut down all ports not connected ASW1(config)#interface range fastethernet 0/5 - 11 ASW1(config-if-range)#shut ASW1(config-if-range)#exit Exit Global Configuration Mode ASW1(config)#exit

Step 7: Check your work

Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct ASW1#show interfaces status show the vlans that are configured ASW1#show vlan show switchport you can change the fastethernet 0/4 for any active port for information ASW1#show interface fasthethernet 0/4 switchport show which interfaces are trunking ASW1#show interfaces trunk show run the running configuration ASW1#show run

Step 8: Save your work

Copy the running configuration to the startup configuration. I got in the bad habit to do this the other way around for a while (did it in an exam)... oops copy start run ASW1#copy run start

Access Switch 2

Enter Privileged Mode switch>enable Enter Global Configuration Mode switch#configure terminal Change the hostname of the switch switch(config)#hostname ASW2 Enable secret and password ASW2(config)#enable secret cisco ASW2(config)#enable password cisco Setup a local user database ASW2(config)#username admin@mydomain.com privilege 15 password cisco Setup the console port password Setup the console port password ASW2(config)#line con 0 ASW2(config-line)#login local ASW2(config-line)#exit Setup the Auxiliary Password ASW2(config)#line aux 0 ASW2(config-line)#no exec ASW2(config-line)#exit Setup the Virtual Teletype Terminal (VTY) Password ASW2(config)#line vty 0 4 ASW2(config-line)#password cisco ASW2(config-line)#login ASW2(config-line)#exit

Step 2: Setup the management interface

Setup the default VLAN ip address from remote ip admin if there was a GUI and to Telnet to the switch ASW2(config)#interface vlan 1 ASW2(config-if)#ip address 192.168.1.200 255.255.255.0 NB I am shutting the interface ASW2(config-if)#shut ASW2(config-if)#exit

Step 3: Assign an ip address to the new VLAN to ping

Create VLAN 100 and Configure Interface ASW2(config)#vlan 100 name Marketing ASW2(config)#interface vlan 100 ASW2(config-if)#ip address 192.168.100.200 255.255.255.0 ASW2(config-if)#no shut ASW2(config-if)#exit

Step 4: Setup other interfaces

Setup Fastethernet Interfaces ASW2(config)#interface fastethernet 0/1 ASW2(config-if)#description DSW1 - ASW1 ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/2 ASW2(config-if)#description DSW1 - ASW1 ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/3 ASW2(config-if)#description DSW1 - ASW2 ASW2(config-if)#exit ASW2(config)#interface fastethernet 0/4 ASW2(config-if)#description DSW1 - ASW2 ASW2(config-if)#exit Associate VLAN 100 with Fe 1 to 4 ASW2(config)#interface range fastethernet 0/1 - 4 ASW2(config-if-range)#speed 100 ASW2(config-if-range)#duplex full ASW2(config-if-range)#switchport ASW2(config-if-range)#switchport trunk encapsulation dot1q ASW2(config-if-range)#switchport trunk native vlan 1 ASW2(config-if-range)#switchport trunk allowed vlan 1,100 ASW2(config-if-range)#switchport mode trunk ASW2(config-if-range)#exit

Step 5: This is where the ASW and the DSW switches differ. This connects to the Workstation end-point where the DSW switches use port 11/12 to provide failover for the distribution

Setup Fastethernet 0/12 for 10mbs half duplex as an access level end-point interface ASW2(config)#interface fastethernet 0/12 ASW2(config-if)#description ASW2 - PC2 ASW2(config-if)#speed 10 ASW2(config-if)#duplex half ASW1(config-if)#switchport Make the port as an access port ASW2(config-if)#switchport mode access Make the port an access port for VLAN 100 ASW2(config-if)#switchport access vlan 100 ASW2(config-if)#no shut ASW2(config-if)#exit

Step 6: Shut down non-used interfaces

Administratively shut down all ports not connected ASW2(config)#interface range fastethernet 0/5 - 11 ASW2(config-if-range)#shut ASW2(config-if-range)#exit Exit Global Configuration Mode ASW2(config)#exit

Step 7: Check your work

Check that you named the interfaces correctly, havent missed out on a connected interface and that the duplex and speed setting are correct ASW2#show interfaces status show the vlans that are configured ASW2#show vlan show switchport you can change the fastethernet 0/4 for any active port for information ASW2#show interface fasthethernet 0/4 switchport show which interfaces are trunking ASW2#show interfaces trunk show run the running configuration ASW2#show run

Step 8: Save your work

Copy the running configuration to the startup configuration. I got in the bad habit to do this the other way around for a while (did it in an exam)... oops copy start run ASW2#copy run start

Notes and Notices:

Switch Security Layer-2 Attacks – Three

Published

Deon Botha

on May 28, 2008

in BCMSN, BPDU Filtering, BPDU Guard, BPDU Root Guard, Certification, Cisco Systems, Concepts and Constructs, DAI, DHCP Snooping, DHCP Spoofing, Dynamic ARP Inspection, IP Source Guard, Loop Guard and Unidirectional Link Detection

. 0 Comments

If the feature talks about trusted/untrusted ports then access ports (facing end-devices or downstream) are untrusted and trunk/other ports (facing distribution/core or upstream) are trusted

DHCP Spoofing and Starvation

DHCP is a protocol that allows end-devices to get network configurations from a central server (router, switch, MS Server). A DHCP server can be spoofed by an attacker whereby end-devices receive network configuration from the attacker DHCP and not the legitimate DHCP server.

The reason why one would want to spoof a DHCP server is because the intruder can configure end-devices with IP Address, Domain Name Service (DNS) and Default Gateway (DG) of their choosing and not the legitimate information; the attacker will then play man in the middle.

Mitigating DHCP Snooping

DHCP Snooping is a Cisco Catalyst feature allowing for configuration of switch ports as either trusted or untrusted so that the ports can respond to DHCP requests. Trusted ports can source all DHCP messages and can host or be an uplink to a DHCP server. Untrusted ports can source requests only. If a rogue device on an untrusted port attempts to send a DHCP response packet, the port is shut down (errdisabled).

Configuration

Step 1:Configure DHCP snooping globally.

switch#configure terminal switch(config)#ip dhcp snooping

Step 2: Configure Trusted and Untrusted ports.

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#ip dhcp snooping trust By default all ports are untrusted

Step 3:Configure DHCP Option 82 Insertion.

switch#configure terminal switch(config)#ip dhcp snooping information option This is optional and is to let the forwarded DHCP request packet contain information on the switch port where it originated

Step 4:Configure rate limiting on untrusted ports.

switch#configure terminal switch(config)#interface gigabitethernet 0/2 switch(config-if)#ip dhcp snooping limit rate packets per second rate

Step 5:Configure DHCP snooping for selected VLANs.

switch#configure terminal switch(config)#ip dhcp snooping vlan number 1,3-6

Step 6:Confirm the configuration

switch#show ip dhcp snooping

STP Comprimises – STP Operation Protection

STP has two protection methods on ports where PortFast has been enabled. In proper configs PortFast will only be enabled on downstream ports (outward facing) that connect to end-devices. As was discussed in previous posts it is an understood theory that Broadcast Packet Data Unit (BPDU) will not come from these interfaces, if this should happen BPDU guard and BPDU filtering provide protection (this could either signal config error or an attack).

BPDU Guard is used to protect the switched network from problems that may arise from the receipt of BPDUs from ports that they shouldn’t be coming from. This could be from honest mistake or someone trying to add a switch.
BPDU Filtering affects how the switch acknowledges BPDUs seen on PortFast configured ports. The functionality differs depending on whether it is configured globally or per-port.
BPDU Root Guard protects against a switch outside the designated network attempting to become the root bridge by blocking it access until the receipt of its BPDUs ceases.

STP Operation Protection – Configuration of BPDU Guard

Step 1:Enable BPDU Guard Globally

switch#configure terminal switch(config)#spanning-tree portfast bpduguard

Step 2 isplay BPDU Configuration information

switch#show spanning-tree summary totals

STP Operation Protection – Configuration of BPDU Filtering

As mentioned earlier there are two methods of configuring BPDU Filtering, below are the two methods and the differences in how these implementations will affect configuration

STP Operation Protection – Configuration of BPDU Filtering – Global

switch#configure terminal switch(config)#spanning-tree portfast bpduguard default

In a valid config, PortFast ports do not receive BPDUs. If a PortFast enabled port receives a BPDU then it signals an invalid config, BPDU Guard puts the port in errdisabled state.

BPDU Filtering has these affects:

Affects all operational PortFast ports on switches that do not have BPDU filtering configured on the individual ports (i.e. you can have Global and port-based active at the same time)
If BPDUs are seen, port loses PortFast status, BPDU filtering is disabled, and STP sends and receives BPDUs on the port as it should with other STP ports on a switch.
Upon startup, the port transmits 10 BPDUs. If this port receives any BPDUs during that time, PortFast and BPDU filtering is disabled.

STP Operation Protection – Configuration of BPDU Filtering – Port

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#spanning-tree bpduguard enable

At the interface level (port-level) you can enable BPDU guard without also enabling PortFast. When the port receives a BPDU it is put into a errdisabled state.

BPDU Filtering has these affects:

It ignores all BPDUs received.
It sends no BPDUs.

Config this on ports that connect to known end-points that would/should/will never ever see a BPDU.

AND EXPLICIT configuration of PortFast BPDU filtering on a port that is not connected to an end-device can create bridging loops. The port ignores BPDUs and changes to a forwarding state. This does not happen when PortFast BPDU Filtering is enabled globally. This means that if you config this on a port that may be/is connected to another switch and needs to participate in STP in some way/form then it is always in the forward state.

STP Operation Protection – Configuration of BPDU Filtering – Confirmation
switch#spanning-tree summary totals

Confirming Configuration on a specific port
switch#spanning-tree interface gigabitethernet 0/0 detail

STP Operation Protection – Root Guard

Root Guard is a feature that limits on which switch ports the root bridge can be negotiated on. If a root guard-enabled port receives BPDUs that are better that those of the current root bridge, then the port will transition into a root-inconsistent state (STP listenning state).

Root Guard is configured on a per-port basis, recovery requires no intervention. A root guard port is in an STP-designated port state. When root guard is enabled on a port, the switch does not allow that port to become an STP root port. The port remains an STP-designated port.

Root guard should be enabled on all ports that the root bridge is not anticipated on and never will be.

%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 01. Moved to root-inconsistent state

Configuration

Step 1:Enable Root Guard on an interface

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#spanning-tree guard root

Step 2:Verify Root Guard on an interface

switch#show running-config interface gigabitethernet 0/1

Step 3:Verify if any port is in the Root Guard inconsistent state

switch#show spanning-tree inconsistentports

STP Forwarding Loops – Unidirectional Link Detection (UDLD)

A unidirectional link occurs when traffic is transmitted between neighbours in only one direction; this can cause spanning tree loops. UDLD allows detection when this occurs and shuts down the affected interface when it is detected.

UDLD is a layer-2 protocol that works with Layer-1 mechanisms to determine the status of a link. The switch periodically transmits UDLD packets on a UDLD enabled interface; if the packets are not echoed back in a specific time frame, the link is flagged as unidirectional and shut down (for this to work devices on both ends must support UDLD).

UDLD falls outside STP but has benifits to STP in detecting unidirectional links which can cause loops. UDLD can do one of two things depending on whether it is configured as “Normal” or “Aggressive”.

Normal Mode UDLD changed the port to undetermined when UDLD messages/echoes stop coming back
Aggressive Mode UDLD errdisables the port after UDLD messages/echoes stop coming back and it makes 8 re-establishing attempts.

UDLD uses MAC 0100.0CCC.CCCC (01-00-0c-cc-cc-cc) with sub-network Access Protocol (SNAP) High Level Data Link Control (HDLC) protocol type 0×0111.

Configuration

Step 1: Enable UDLD

Step 1.1:On fiber and non-fiber (copper) interfaces

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#udld enable

Step 1.2:Globally on Fiber switch interfaces

switch#configure terminal switch(config)#udld enable

Step 2: Disable UDLD

Step 2.1:On nonfiber interfaces individually

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#no udld enable

Step 2.2:On Fiber interfaces

switch#configure terminal switch(config)#udld disable

Step 3:Reset all interfaces that have been errdisabled by UDLD

switch#udld reset

Step 4:Verify UDLD

switch#show idld interface gigabitethernet 0/1

STP Forwarding Loops – Loop Guard

Similar to UDLD, Loop Guard grants protection for STP when a link is unidirectional and BPDUs are being sent and not received. Without loop guard a unidirectional link will transition to forwarding when it stops receiving BPDUs. When loop guard is enabled and a link stops receiving BPDUs, the interface will move into a STP loop-inconsistent blocking state.

SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 0/1 in vlan 2. Moved to loop inconsistent state.

When a BPDU is received again on the port, the port will transition to the appropriate state without intervention.

Configuration

Step 5:Enable Loop Guard

Step 5.1:Globally configure Loop Guard

switch#configure terminal switch(config)#spantree global-default loopguard enable/disable

Step 5.1 er-Port Loop Guard

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#spanning-tree guard loop

Step 6:Verify Loop Guard

switch#show spantree guard 0/1

E-2-LOOPGUARDBLOCK: port 0/1 restored in vlan 2

Loop guard is enabled on ports that are participating in spanning tree and are redundant at Layer-2. When a switch stops receiving BPDUs on its root or blocking ports, it will transition the ports to loop-inconsistent, which does not pass traffic. Loop Guard is configured per port on, Loop Guard does not work with Root Guard, and should not be enabled on PortFast ports.

With Loopguard and EtherChannel. the first operational port is used for BPDUs; if the link is unidirectional, loop guard transitions ALL links of the channel to loop-inconsistent. This is not desirable because the inherit redundancy gained through channeling is lost.

MAC Spoofing – IP Source Guard

Similar to DHCP snooping, IP Source Guard this feature can be enabled on a untrusted port to prevent IP address Spoofing.

When started all IP traffic on the port is blocked, except DHCP packets that are caputred by the DHCP snooping feature. When a end-device then receives a valid IP Address from the DHCP server, or when a static IP Address is configured by the user, a per-port and VLAN Access Control List (PVACL) is instaled on the port.

This restricts the end-device to those source IP Addresses configured in the binding; any IP traffic with a different source IP address will be dropped.

Step 1:Configure DHCP snooping globally.

switch#configure terminal switch(config)#ip dhcp snooping

Step 2:Configure DHCP snooping for selected VLANs.

switch#configure terminal switch(config)#ip dhcp snooping vlan number 1,3-6

Step 3: Configure Trusted and Untrusted ports.

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#ip dhcp snooping trust

By default all ports are untrusted

Step 4:Configure IP Source Guard, Source IP, and Source MAC Address filtering on the Port.

switch#configure terminal switch(config)#interface gigabitethernet 0/2 switch(config-if)#ip verify source vlan dhcp-snooping port-security

Step 5:Configure rate limiting on untrusted ports.

switch#configure terminal switch(config)#interface gigabitethernet 0/2 switch(config-if)#ip dhcp snooping limit rate packets per second rate

Step 6 Optional if not a DHCP End-Device) Configure a static IP Binding on the port.
switch#configure terminal Switch(config)#ip source binding mac-address vlan vlan-id ip-address interface interface-name

ARP Spoofing

Address Resolution Protocol (ARP) Operation is that a end-device (A) sends a broadcast to determine the MAC Address of a end-device (B) with a particular IP Address. The end-device (B) at that IP Address replies with a MAC Address. The originating end-device (A) caches the ARP response, uses it to populate the destination Layer-2 header and then goes on to send a packet.

By spoofing ARP operation an attacking system then plays man in the middle and appears to be the destination sought by senders. All packets sent to the attacker will be forwarded to the correct end-device after being relayed through the attacking system.

Dynamic ARP Inspection (DIA)

DIA determines the validity of an ARP packet based on a valid MAC address-to-IP Address binding stored in a DHCP snooping database. To ensure validity these actions are taken:

Forwards ARP packets received on trusted interfaces without any checks.
Intercepts all ARP packets on untrusted ports.
Verifies that each intercepted packet has a valid binding before forwarding the packet that can update a local ARP Cahce.
Drops, logs or drops and logs ARP packets with invalid bindings.

Configuration

Step 0:Enable DHCP Snooping

Step 1:Configure DIA on a VLAN or VLAN Range

switch#configure terminal switch(config)#ip arp inspection vlan 1,2,3,4,5

Step 2:Enable DIA trust on an interface (sets the interface as trusted)

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#ip arp inspection trust

Step 3:Configures DIA to drop ARP Packets when the IP Addresses are invalid, or when MAC Addresses in the body of the ARP packet do not match the addresses specified in the Ethernet header.

switch#configure terminal switch(config)#ip arp inspection validate src-mac dst-mac ip

A post to do with DIA can be found at Richard Bannisters CCIE Blog

Notes and Notices:

Switch Security Layer-2 Attacks – Two

Published

Deon Botha

on May 27, 2008

in ACL, BCMSN, Certification, Cisco Systems, Concepts and Constructs, Switch Spoofing, Trunk, VACL, VLAN and VLAN Hopping

. 2 Comments

VLAN Hopping

VLAN Hopping is a network attack whereby an end-device sends packets to/or collects packets from a VLAN that should not be accessible to that end-device. This is done by tagging the invasive traffic with a specific VLAN ID (VID) or by negotiating a trunk link to send or receive traffic on penetrated VLANs. VLAN hopping can be done by switch spoofing or double tagging.

In a Switch spoofing attack the attacker configures an end-device to spoof itself as a switch (this can be a linux pc). The attack emulates Inter-Switch Link (ISL) or 802.1Q signaling along with Dynamic Trunk Protocol (DTP). This is signaling to attempt to establishing a trunk connection with the company switch.

Any switch port configured with DTP auto, upon receipt of a DTP packet generated by the attacking device, will become a trunk port and then accept traffic destined for any VLAN supported on any trunk on that link. The attacker can then send/collect packets from/to any VLAN.

Double Tagging is another method of VLAN Hopping, this is when a workstation generates frames for two 802.1Q headers, this causes the switch to forward the frames onto a VLAN that would normally be inaccessible to the attacker through legitimate means.

The first switch to encounter the double tagged 802.1Q frame strips the first header frame (native VLAN), and forwards the frame out a trunk link, the second switch then forwards the frame according to the other 802.1Q frame header. Should the tag not match the native VLAN of the attacker, the frame will go untagged and flooded to only the original frame.

Best Practices to Mitigate VLAN Hopping

Configure all unused ports as access ports so that trunking cannot be negotiated across those links.
Place all unused ports in the shutdown state and associate them with a VLAN designed for only unused ports, carrying no user data traffic (that means not the Native VLAN either).
When establishing a trunk link, purposefully configure arguments so that:
- The native VLAN will be different form any data VLANs
- Trunking is set up as “on” rather than as negotiated.
- The specific VLAN range will be carried on the trunk

Configuration
To Mitigate against VLAN hopping attacks the following is the config. First select a range of interfaces:
switch#configure terminal switch(config)#interface range gigabitethernet 0/1-48

Now configure the ports as access ports this in turn will turn off DTP

switch(config-if)#switchport mode access

Assign the ports to an unused VLAN (not the Native VLAN)

switch(config-if)#switchport access vlan vlan-id

NB the above commands will not work in VoIP (voice) networks. Cisco IP Phones use trunks (DTP).

VLAN Access Control Lists

There are three kinds of ACLs:

Router Access Control Lists (RACLs)supported in the TCAM hardware on Cisco Multi-layer switches (MLS). Can be applied to any router interface, such as a switch virtual interface (SVI) or Layer 3 routed port.
Port Access Control List (PACL)filters traffic at the port level. PACLs can be applied on a Layer-2 switch port, trunk port, or EtherChannel port.
Vlan Access Control Lists (VACLs)(a.k.a VLAN Access Maps) supported on software on Cisco MLS.

Cisco Catalyst switches support four ACL lookups per packet*:

ingress (1) and egress (2) security lookup
ingress (3) and egress (4) Quality of Service (QoS) look-up

This following section all went over my head or just about and I have no idea whether this works or not or is correct or not for more information.

There are cases where certain Access Control Entries (ACEs) must be combined in each ACLs due to limitations of TCAM hardware. The merge process is also responsible for other functions like expanding ACEs due to a lack of Layer 4 Operations Pointers (L4Op Pointers) or Logical Operational Units (LOUs).

Cisco catalyst Switches use two features to perform a merge

order independent algorithm merge
order dependant algorithm merge

Order Independent Merge (OIM) is based on Binary Decision Diagrams(BDD), ACLs are merged from a series of oder-dependant actions to a set of order-independent masks and patterns. The resulting ACE can be very large, and processor and memory intensive.

Order Dependant Merge (ODM) is not bit-based. The computation is much faster and is less processor intensive.

RACLs are supported in hardware through IP standard and IP extended ACSs, with permit and deny actions. ACL processing is an intrinsic part of the packet forwarding process. ACL entries are programmed in hardware. Lookups occur in the pipeline, whether ACLs are configured or not. With RACLs access list statistics and logging are not supported.

*You can get some switches with two security lookups and 1 QoS lookup in each direction (6 total).

Configuring VACLs

VACLs apply to all traffic on a VLAN. VACLs use standard and extended Cisco IOS IP and IPX ACLs, and MAC Layer-named ACLs and VLAN access-maps.

VACLs follow route-map conventions, in which map sequences are check in order (top-down).

Each VLAN access map can consist of one or more map sequence, each sequence with a match clause and an action clause. The match clause specifices IP, IPX, or MAC ACLs for traffic filtering and the action clause specifies the action to be taked when a match occurs. When a flow matches a permit ACL entry, the assciated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence. If aflow does not match any ACL entry and at least on ACL is configured for that packet, the packet is denied.

Three VACL actions are permitted:

Permit (with capture, Catalyst 6500 only)
Redirect (Catalyst 6500 only)
Deny (with logging, Catalyst 6500 only)

Two features are supported on Catalyst 6500 only:

VACL Capturewhere Forwarded packets are captured on the capture port. The capture option is only permit ACEs. The capture port can be an IDS port or an Ethernet port. The capture port must be an egress VLAN for layer-3 switched traffic.

VACL Redirect where matching packets are redirected to specific ports. You can configure up to five redirect ports. Redirect ports must be in a VLAN where a VACL is applied.

Define a VLAN Access MAP

switch#configure terminal switch(config)#vlan access-map map-name seq# insert to/delete from

Configure the match clause in a VLAN access map sequence

switch(config-access-map)#match options

Configure actions

switch(config-access-map)#action options

Apply the VACL to VLANs

switch(config)#vlan filter map-name vlan-list list

Verify configuration

switch(config)#show vlan access-map map-name

Source for this Config document Section

Private VLANs

Internet Service Providers (ISP) often have devices from multiple clients, in addition to their own servers resident on a single demilitarized zone(DMZ) segment of VLAN. Cisco Catalyst 6500/4500 switches Private Virtual Local Area Networks (PVLAN) to keep some switch ports shared and some switch ports isolated, even if the ports exist in the same VLAN. The 2950 and 3550 support “protected ports”, which are functionally the same on a per-switch basis.

Traditionally ISPs used one VLAN per customer, with each VLAN having its own subnet. A layer 3 device the provides interconnectivity between VLANs and Internet destinations. Problems with this method:

Supporting a VLAN per customer may require a high number of interfaces on ISP network devices.
Spanning Tree becomes more complicated with many VLAN iterations.
Network address space must be divided into many subnets, which wastes space and increases management complexity.
Multiple ACL applications are required to maintain security on multiple VLANs, resulting in increased management complexity.

PVLANs provide Layer-2 isolation between ports within the same VLAN, thereby eliminating the need for VLAN and IP subnet per customer.

A Port in a PVLAN can be one of three types:

Isolated: port has complete Layer-2 separation from other ports within the same PVLAN, except for promiscuous ports; blocks all traffic to isolated ports except from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
Promiscuous: ports can communicate with all ports within the PVLAN. The default Gateway (DG) is probably be hosted as a promiscuous port.
Community: ports communicate among themselves and their promiscuous ports. These interfaces are isolated at Layer-2 from all other interfaces in other communities, or in isolated ports within their PVLAN.

Trunks carry all VLAN traffic so isolated, promiscuous and community PVLAN traffic may enter and leave a switch through trunks

PVLAN ports are associated with a set of supporting VLANs that are used to create the PVLAN structure.

As a Primary VLAN: carrying traffic from promiscuous ports to isolated, community and other promiscuous ports in the same primary VLAN.
As an Isolated VLAN: carrying traffic from isolated ports to a promiscuous port.
As a Community VLAN: carrying traffic between secondary VLANs. You can extend PVLANs across multiple devices by trunking primary, isolated, and community VLANs to other devices that support PVLANs.

A promiscuous port can service only one primary VLAN. A promiscuous port can service one isolated VLAN or many community VLANs.

Configuring

Step 1: Set VTP Mode to Transparent

switch#configure terminal switch(config)#vtp mode transparent

You may also want to check VTP version, password and domain while you are at VTP configuration

Step 2: Create the secondary VLANs (Isolated and community VLANs are secondary VLANs)

switch#configure terminal switch(config)#vlan 102 switch(config-vlan)#private-vlan isolated switch(config-vlan)#end switch#show vlan private-vlan type

Step 3: Create the primary VLAN

switch#configure terminal switch(config)#vlan 100 switch(config-vlan)#private-vlan primary switch(config-vlan)#end switch#show vlan private-vlan type

Step 4: Associate the secondary VLAN with the primary VLAN. Only one isolated VLAN can be mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary VLAN

switch#configure terminal switch(config)#vlan 100 switch(config-vlan)#private-vlan association add 102 switch(config-vlan)#end switch#show vlan private-vlan type

When associating secondary VLANs with primary VLANs use these best practices:

Make sure that the VLAN IDs contain only one isolated VLAN ID (VID)
Use the remove keyword with the secondary VID to clear association; there can only be one association.
Use the no keyword to clear all association from the primary VLAN.
Do not allow the command to take effect until you exit VLAN configuration submode.

Step 5: Configure an interface as an isolated or community port.

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport mode private-vlan host switch(config-if)#end switch#show interfaces gigabitethernet 0/1 switchport

Step 6: Associate the isolated port or community port with the primary/secondary VLAN pair

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport private-vlan mapping 100 102 switch(config-if)#end switch#show interfaces gigabitethernet 0/1 switchport

Step 7: Configure an interface as a promiscuous port

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport mode private-vlan promiscuous switch(config-if)#end switch#show interfaces gigabitethernet 0/1 switchport

Step 8: Map the promiscuous port to the primary/secondary VLAN pair

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport private-vlan host-association mapping 100 102 switch(config-if)#end switch#show interfaces gigabitethernet 0/1 switchport

Step 9: Permit Routing of Secondary VLAN Ingress Traffic

switch#configure terminal switch(config)#interface vlan 100 switch(config-if)#private-vlan mapping add 102 switch(config-if)#end switch#show interfaces private-vlan mapping

The sources for this config section include this Cisco 4500 document and this document. Finally CCIE Blog gave me a some insight and hint as to WTF the difference between the host and promiscious ports on the interface config was.

Definition

Logical Operation Unit (LOU) are hardware registers used to store {operator, operand} tuplesfor Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers specified in an IP extended ACL, VACL, or QoS ACL. These tuples are called Layer 4 Operations (L4Op).

Source

Notes and Notices:

References I want to rememeber:

Hucaby, D. (2007). CCNP Self-Study: CCNP BCMSN Official Exam Certification Guide, Fourth Ed, VLAN Access Lists (page. 413-414). Indianapolis: Cisco Press.

QoS and Voice Traffic

Published

Deon Botha

on May 22, 2008

in AutoQoS, BCMSN, Certification, Cisco Systems, CoS, Concepts and Constructs, NBAR, QoS and Trunk

. 1 Comment

Definitions

ingress: arrives/come in/enter

egress: leaving/exit/to go

Its the new words of the day so its going to be used alot

Introduction

Regardless of the speed of individual switches (slower/older vs. faster/newer switches) or links (10/100), speed mismatches (ingress 1000/egress 100), many-to-one switching fabrics(multiple access layer switches into a distribution layer switch), and aggregation (multiple devices communicating through a single connection or to a single device or server) may cause a device to experience congestion, which can result in latency that result in dropped packets.

If and inevitably when congestion occurs (I have heard of enterprise pay-rolls that cause certain amounts of congestion on a network at the end of each month) and congestion management features are not in place (QoS, load balancing on servers, etc) then some packets will be dropped, causing retransmission (TCP) that inevitably increase overall network load and if voice and video are on the network (UDP) the inevitable will be angry employees. QoS can to an extent mitigate latency caused by congestion.

QoS is implemented by classifying and marking traffic at one device while allowing other devices to prioritize or to queue the traffic according to those marks applied to individual frames or packets.

LAN-Based Classification and Marking of Traffic

Classification and marking of traffic is the process of identifying traffic for prioritization as that traffic moves across the network. Traffic is classified by examining information at various layers of the Open Systems Interconnection (OSI) model. IP traffic can be classified according to any values configurable in an access control list (ACL) or any of these layers:

Layer-2 parameters: MAC Address, Multiprotocol Label Switching (MPLS), ATM Cell Loss Priority (CLP) bit, Frame Relay discard eligible (DE) bit, ingress interface
Layer-3 parameters: IP precedence, DiffServ Code Point (DSCP), QoS group, IP Address, ingress interface
Layer-4 parameters: TCP or User Datagram Protocol (UDP) ports, ingress interface
Layer-7 parameters: Application signature, ingress interface

QoS marks (values) establish priority levels (priority classes of service) for network traffic as it is processed by each switch (Access, Distribution, or Core). Once traffic is marked with a QoS value, then QoS policies on switches and interfaces will handle traffic accordingly at the frame and packet level. As a result of classification and marking, traffic will be prioritized accordingly at each switch to ensure that delay-sensitive traffic receives priority processing (voice, video) while non-delay sensitive data traffic waits it’s turn as each switch manages congestion, delay, and bandwidth allocation.

Layer-2 Qos

QoS layer-2 classification occurs by examining information in the Ethernet or 802.1Q header (trunking), like destination MAC Address, Virtual Local Area Network (VLAN) ID. QoS layer-2 markings occur in the priority field of the 802.1q header (LAN layer-2 headers have no place for this so 802.1Q encapsulation must occur). The priority field is 3 bits long (a.k.a 802.1p User Priority or class of Service (CoS) value).

The 3-bit Priority field can carry a value of 1 to 7; 1 is associated with delay tolerant traffic like TCP/IP traffic. Voice traffic receiving a higher priority for Call Signalling receiving a 3 value and Voice bearer traffic 5 value.

As a result of Layer-2 Classifications and marking, these QoS operations can occur:

Input queue scheduling: when a frame enters a port, it can be assigned to one of a number of port-based queues before being scheduled for switching to an egress port. Typically, multiple queues are used where traffic requires different levels of service.
Policing: is the process of inspecting a frame to see if it has exceeded a predefined rate of traffic within a certain time frame that is typically a fixed number internal to a switch. If a frame is determined to be in excess of the predefined rate limit, it can either be dropped, or the CoS value be marked down.
Output Queue Scheduling: is where the switch will place the frame into an appropriate egress queue for switching. The switch will perform buffer management on this queue by ensuring that the buffer does not overflow.

Layer-3 QoS

QoS layer-3 classification occurs by examining information of the header values such as destination IP address or protocol. Qos Layer-3 markings occurs in the Type of Service (ToS) byte in the IP header. The first three bits of the ToS byte are occupied by IP precedence, which correlates to three CoS bits carried in the Layer-2 header.

The ToS byte can also be used for DSCP marking that allows prioritization hop by hop as packets are processed on each switch and interface.

Trust Boundaries

In QoS campus implementations, trust boundaries are defined/created where existing QoS values that are attached to frames and packets are to be accepted or altered. These “trusts” are established by configuring trust levels on the ports of key peripheral network devices where QoS policies will be enforced (trusted) as traffic makes its way into/onto the network. At this entry point traffic will be allowed or not allowed to retain its original QoS markings or will be ascribed new markings (best practice is to mark traffic as close to the source as possible).

In practice this means that if you have a network with a Desktop/Notebook attached to a Cisco IP Phone attached to a Catalyst Switch attached to a Cisco Router the trust boundary can be set at the Cisco IP Phone. Where the IP Phone attaches priority values which are then trusted.

Otherwise if there is a Desktop/Notebook with Softphone attached to a Catalyst Switch attached to a Router the trust boundary can be set to the Desktop/Notebook. Where the softphone attaches priority values which are then trusted.

Configuration IP Phone Attachment

This goes hand in hand with how to configure VLANs first off we create a VLAN

switch#configure terminal switch(config)#vlan 10 name 001-WORK-STATION switch(config)#vlan 100 name 001-IP-PHONE

Now we need to assign the Data and Voice VLAN to a interface

switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport voice vlan 100 switch(config-if)#switchport access vlan 10

Now we need to setup trust as they arrive at the switch port

switch(config-if)#mls qos trust cos

Finally set the trust conditional to a Cisco IP Phone being attached

switch(config-if)#mls qos trust device cisco-phone

Auto QoS

Cisco AutoQoS gives the ability to deploy QoS features for converged IP Telephony and allow for telephony networks to be deployed quicker and efficiently than if it had to be done manually. Cisco AutoQoS generates traffic classes and policy map command-line (CLI) templates across platforms that are the same where doing things manually might not have the same congruence. Cisco AutoQoS simplifies and automates the QoS CLI (MQC) definition of traffic classes and the creation and configuration of traffic policies.

AutoQos can be beneficial in these scenarios:

SMB that deploy IP Telephony quickly but lack experience and staffing to deploy IP QoS Services.
Large enterprises that need to deploy Cisco Systems Telephony solutions on a large scale, while reducing costs, complexity, and time frame for deployment, and ensuring that the appropriate QoS for voice applications is being set in a consistent fashion.
International enterprises or service providers requiring QoS for VoIP where little expertise exists in different regions of the world and where provisioning QoS remotely and across different time-zones is difficult.
Service providers requiring a template-driven approach to deliver managed services and QoS for voice traffic of customer premises devices.

Cisco AutoQoS simplifies and shortens the deployment cycle in the following ways:

Application classification: By leveraging intelligent classification on routers Cisco network-based application recognition (NBAR) provides stateful and deep packet inspection. Cisco AutoQos uses Cisco Discovery Protocol (CDP) for voice packets to ensure that end-device attached to the Local Area Network (LAN) is really an Cisco IP Phones (keep in mind that CDP is Cisco Proprietary).
Policy Generation: Cisco AutoQos evaluates the network environment and generates the initial policy. This feature automatically generates interface configurations, policy maps, class maps, and Access Control Lists (ACL).
Configurations: Using one command, Cisco AutoQoS configures the port to prioritize voice traffic without affecting other network traffic, while still offering the flexibility to adjust QoS settings for unique network requirements. Cisco AutoQoS will automatically detect Cisco IP Phones and enable QoS settings, in turn it will also disable QoS settings to prevent malicious activity when a Cisco IP Phone is relocated or moved.
Monitoring and reporting: Cisco AutoQoS provides visibility into the Class of Service (CoS) deployed via system logging and Simple Network Management Protocol (SNMP) traps, with notification of abnormal events(VoIP packet drops).
Consistency: Cisco AutoQoS configurations are consistent among router and switch platforms. This level of consistency ensures seamless QoS operation and interoperability within the network.

Cisco Catalyst Switch Configuration – Cat OS

To configure the global QoS settings

Console> (enable) set qos autoqos ......... All ingress and egress QoS scheduling parameters configured on all ports. CoS to DSCP, DSCP to CoS. Precedence to DSCP and policed dscp maps configured. Global QoS configured, port specific autoqos recommended: set port qos <mod/port> autoqos trust <cos/dscp> set port qos <mod/port> autoqos voip <ciscoipphone/ciscosoftphone>

To configure Cisco AutoQoS settings and the trusted boundary features on/for Cisco IP Phones, CDP V.2 or later needs to be enabled on a port. If the trusted boundary feature is enabled. You will receive a syslog warning message if CDP is not running or CDP V.1 is running.

CDP need not be enabled if you do not use the ciscoipphone QoS configuraiton.
Console> (enable) set port qos 4/1 autoqos voip ciscoipphone Warning: CDP is disabled or CDP version 1 is in use. Ensure that CDP version 2 is enabled globally, and also ensure that CDP is enabled on the port(s) you wish to configure autoqos on. Port 4/1 ingress QoS configures for ciscoipphone. It is recommended to execute the "set qos autoquos" gloval command if not executed previously. Console> (enable)

To configure the port-specific QoS macro that handles all inbound QoS configurations that are specific to a particular port. This should only be used when the port connects to other known switches or servers because the port tursts all inbound traffic marked.
Console> (enable) set port qos 4/1 autoqos voip code/dscp

Cisco Catalyst Switch Configuration – Cisco IOS

When Cisco AutoQos in enabled on the first interface, QoS is globally enabled. This would be like configuring this command

switch#configure terminal switch(config)msl qos

To in turn enable QoS on an interface use this command that tells the switch that the interface is connected to a trusted router/switch and that the VoIP classifications in the ingress packet should be trusted:

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#auto qos voip trust

OR that the interface is connected to a Cisco IP Phone, the QoS labels of incoming packets are trusted only when the IP Phone is detected; this enabled CDP to detect the IP Phones absence or presence.

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#auto qos voip cisco-phone
To check config use the following command
switch#show auto qos interface-id

Cisco AutoQoS Automation

Cisco AutoQoS automates several things when configured. It enforces trust boundaries on Cisco Catalyst switches access ports, uplinks and downlinks. Enables Catalyst strict priority queuing (PQ) (a.k.a expedited queuing) with weighted round-robin (WRR) scheduling for voice and data traffic. It configures queue admission criteria and finally modifies queue sizes and weights as needed.

Notes and Notices:

Planning Voice on a Data Network

Published

Deon Botha

on May 21, 2008

in BCMSN, Certification, Cisco Systems and VoIP

. 0 Comments

There are numerous benefits to packet switched telephony:

More efficient use of bandwidth and kit: Traditional telephony networks use a 64-kbps (For argument lets say 1B Channel on a ISDN line) channel for every voice call. Packet telephony shares bandwidth among multiple logical connections and offloads traffic volumes from existing voice switches.
Lower costs for telephony network transmissions: A substantial amount of equipment is needed to combine 64-kbps (ISDN) channels into a high-speed link for transport across a network (Lets say an ISDN PRI). Packet telephony statistically multiplexes voice traffic alongside data traffic. This consolidation represents substantial savings on CAPEX and OPEX.
Consolidated voice and data network expenses: Data networks functioning separately from voice networks become major traffic carriers. The underlying voice networks can be converted to utilize the packet-switched architecture to create a single integrated communications network with a common switching and transmission system. The benefit is CAPEX and OPEX savings.
Increased revenues from new services: Packet telephony enables new integrated services, such as broadcast-quality audio, unified messaging, and real-time voice and data collaboration. These services increase employees productivity and profit margins well above those of basic voice services. In addition, these services enable companies and service providers to differentiate themselves and improve their market position.
Greater innovation in services: Unified communications use the IP infrastructure to consolidate communications methods that were previously independent (Fax, voicemail, email, wireline telephone, cellular phone, and the web). The IP Infrastructure provides users with a common method to access messages and initiate real-time communications – independent of time, location, or device.
Adding to new communications devices acket technology can reach devices that are largely inaccessible to the time-division multiplexing (TDM) infrastructures of today (pcs, wireless devices, household appliances, PDAs). Access to these devices enable companies and service providers to increase the volume of communications they deliver, the breadth of service they offer, and the number of subscribers they serve. Packet technology, therefore, enables companies to market new devices, including videophones, multimedia terminals, and advanced IP Phones.
Flexible new pricing structures: Companies and services providers with packet-switched networks can transform their service and pricing models. Because network bandwidth can be dynamically allocated, network usage no longer needs to be measured in minutes or distance. Dynamic allocation gives service providers the flexibility to meet the needs of their customers in ways that bring them the greatest benefits.

The basic components for voice on a IP network are as follows:

IP Phones: The end-device on desks
Gatekeeper: Provides Connection Admission Control (CAC), bandwidth control and management and address translation.
Gateway: Provides translation between voice over Internet Protocol (VoIP) and non-VoIP networks, such as the public switched telephone network (PSTN). It provides physical access for local analog and digital devices (telephones, fax machines, and PBXs)
Multipoint Control Unit: Provides real-time connectivity for participants in multiple locations to attend the same videoconference or meeting.
Call Agent: Provides call control for IP Phones, CAC, bandwidth control and management, and address translation.
Application Server: Provides services such as voicemail, unified messaging, and Cisco CallManager Attendant Console.
Videoconference Station: Provides access for end-users participation in videoconferencing. This station has a video camera and a microphone. The user can view video streams and hear the audio that originates from the remote user station.

There are other components not listed here like voice applications, interactive voice response (IVR) systems, and softphones that meet the specific needs of enterprise.

Voice and Data Traffic Characteristics

Voice traffic has extremely stringent QoS requirements (because it is extremely delay sensitive). Voice traffic generates a smooth demand on bandwidth and has minimal impact on other traffic (60 – 120 bytes), as long as voice traffic is managed. Because of the resulting time sensitive nature User Datagram Protocol (UDP) is used to package voice packets; TCP retransmit capabilities have no value (because if it needs to be retransmitted then there is delay in the actual conversation occuring NOW).

For voice quality, delay should be no more than 150ms (one-way) and less than 1% packet loss. A typical voice call requires 17 – 106 kbps of guaranteed priority bandwidth, plus additional 150bps per call for voice-control traffic. Multiplying this out for the maximum calls expected during busiest times the overall bandwidth requirements for voice traffic can be calculated.

Because Data traffic is not as delay sensitive and can tolearate high drop rates the restransmit capabilities of TCP has become important, as a result many applications use by default TCP.

In networks, important business critical applications are ussually easy to identify. Most applications can be identified based on TCP or UDP port numbers (HTTP, HTTPS, FTP, TELNET, SQL, ETC). Some application use dynamic port numbers that, to some extent, make classification more difficult. Cisco IOS software supports network-based application recognition (NBAR), which can be used to recognize dynamic port applications.

VoIP Call Flow

As I mentioned in a previous post (see HSRP Accross Trunk Links) and some other places its best practice to setup voice and data on separate VLANs (I did in my own network). This is done so that QoS can be applied to prioritize the VoIP traffic as it traverses the network. If this is not done then voice and data traffic contend for available traffic without consideration for other devices (one or the other is going to suffer).

A major component of designing a successful IP Telephony network is bandwidth provisioning. The bandwidth requirement is calculated by adding the total required bandwidth for voice, video and data together; the sum should not be more than 75% of the link total.

For a traffic perspective IP Telephony consists of two types of traffic:

Voice Carrier Stream consists of Real-Time Transport Protocol (RTP) packets that contain actual voice samples.
Call Control Signaling that contains packets belonging to one of several protocols used to set up, maintain, tear down, or redirect calls. Depending on the end-point this could be H.323 or Media Gateway Control Protocol (MGCP)

Auxiliary VLANs

Some Cisco Catalyst switches offer a unique feature called “Auxiliary VLAN“. This feature allows one to overlay a voice topology over an existing data network. One can segment phones into a separate logical network, even though the data and voice network are physically the same.

The auxiliary VLAN feature places the phones into their own VLANs without any end-user configuration. Additionally VLAN assignment can be maintained even if the phone is moved.

How this works is that when a phone is plugged into the switch (whichever port), the phone will request a DHCP address, and the phone is placed in a VLAN automatically. With phones in their own VLANs administrators can troubleshoot and identify problems easily. This also makes enforcement of QoS and security policies easier.

QoS

QoS is the application of features and functionality required to actively manage and satisfy the networking requirements of applications that are sensitive to loss, delay and delay variations (jitter). QoS allows preference to be given to critical application flows for the available bandwidth.

Cisco IOS implementations allows for QoS to provid these features:

Priority access to resources: QoS allows administrators to control which traffic it allows to access specific network resources such as bandwidth, kit, and WAN links.
Efficient management of network resources: If network management and accounting tools indicate that specific traffic is experiencing latency, jitter, and packet loss, then QoS tools can be used to adjust how traffic is handled.
Tailored service: The control provided by QoS enables Internet Service Providers to offer carefully tailored grades of service to their customers.
Coexistance of mission-citical applications: QoS technologies ensure that mission-critical applications receive priority access to network resources while providing adequate processing for applications that are not delay sensitive.

High Availability

Traditional Telephony networks strive to provide 99.999 (5.25 minutes) of downtime a year. This is less downtime than most data networks. To provide the same experience this means choosing hardware and software with a low mean time between failure (MTBF) or installing redundant links and hardware.

Availability is when a user wants to make a call the network is able to respond to that need. Efforts to ensure availability would include proactive management to predict failure and taking steps to correct problems in design of the network as it grows. When the converged network goes down things downtime can be minutes, hours or days. This is unacceptable in a converged network where downtime means no phone calls. Providing for uninterpretable power supplies (UPS), lighting arrestors and other means to ensure availability at all costs.

High Availability encompases many areas of a network. In a fully redundant network these components need to be duplicated:

Servers and call managers,
Acces layer devices (layer-2 switches)
Distribution layer devices (routers or Layer-3 switches)
Core layer devices (layer-3 switches)
Interconnections (WAN links, PSTN Gateways, ISP links)
Power supplies and UPSs

Notes and Notices:

Network Ninja

Tag Archive for 'Trunk'

BCMSN VLAN-ACL Lab 8

BCMSN QoS Routing Lab 7

BCMSN Layer 3 Routing Lab 6

BCMSN STP Lab 5

BCMSN VTP Lab 4

BCMSN Trunking Lab 3

Switch Security Layer-2 Attacks – Three

Switch Security Layer-2 Attacks – Two

QoS and Voice Traffic

Planning Voice on a Data Network

Search

About

Latest

Archives

Categories