- A switch port's trunking mode is either static (`switchport mode access` or `switchport mode trunk`) or dynamic (`switchport mode dynamic auto` or `dynamic desirable`, negotiated with DTP). Whatever the mode, the port ends up operating as either a trunk or an access port.
- On switches that support both ISL and 802.1Q the default trunk encapsulation is `negotiate`, and DTP prefers ISL when both ends support it; most current switches support only 802.1Q.
- The native VLAN of an 802.1Q trunk is sent untagged, and untagged frames received on the trunk are assigned to the native VLAN. ISL has no native VLAN; it encapsulates every frame.
- To disable DTP on a port use `switchport nonegotiate`. It only applies to a statically configured access or trunk port, so the peer must also be configured statically for the trunk to come up.
- `channel-group 1 mode on` bundles the port without any EtherChannel protocol (PAgP or LACP). Both ends must be `on`; nothing checks the other side, so a mismatch is not detected and can black-hole traffic.
- `mode desirable` or `mode auto` negotiates the bundle with PAgP (auto/auto never forms a channel).
- `mode active` or `mode passive` negotiates with LACP (passive/passive never forms a channel).
- DTP frames carry the VTP domain name. If the two ends are in different VTP domains, DTP does not bring the trunk up and the switch logs a domain mismatch; a trunk configured statically on both ends (with `nonegotiate`) still comes up regardless of VTP domain.
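As an added configuration example (not part of the original notes), the trunk and EtherChannel points above applied to a pair of uplinks: the interface names GigabitEthernet0/1-2, the neighbour name, VLANs 10, 20 and 30 and native VLAN 999 are assumed for illustration.

```cisco
! Assumed: Catalyst IOS, Gi0/1-2 are uplinks to a neighbouring switch DIST-1.
! The trunk is static (no DTP), the bundle is negotiated with LACP.
interface range GigabitEthernet0/1 - 2
 description Uplink to DIST-1 (LACP bundle)
 ! omit the encapsulation line on platforms that only support 802.1Q
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! no DTP frames are sent; the peer must also be a static trunk
 switchport nonegotiate
 ! unused VLAN as native so no user VLAN travels untagged
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 ! LACP: peer must be "active" or "passive"; "on" on one side only does not bundle
 channel-group 1 mode active
!
! The port-channel interface is created automatically; keep its settings identical
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Verification
show interfaces trunk
show dtp interface GigabitEthernet0/1
show etherchannel summary
```

`show dtp interface` should report the port as `ACCESS/TRUNK` with `NONEGOTIATE` set; `show etherchannel summary` shows the members flagged `P` (bundled) once the peer's LACP side is active or passive. For a `mode on` bundle, replace the `channel-group` line with `channel-group 1 mode on` on both switches.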
- VLAN load balancing across redundant trunks can be achieved in the following ways:
  - VLAN allowed list: `switchport trunk allowed vlan` restricts each trunk to a subset of VLANs, so one set of VLANs travels over one trunk and another set over the other.
  - MST VLAN load balancing: with VLANs mapped to different MST instances, each instance can have a different root and therefore forward over a different trunk.
  - STP port priority (PVST+): `spanning-tree vlan <id> port-priority` on the upstream switch makes different VLANs prefer different trunks.
  - STP port cost (PVST+): `spanning-tree vlan <id> cost` makes different VLANs elect different trunks as their root port.
- The minimum STP forward delay is 4 seconds (`spanning-tree vlan <id> forward-time 4`; the default is 15).
- PortFast lets a port skip the listening and learning states and go straight to forwarding; use it only on ports that connect to end hosts.
- UplinkFast (global, `spanning-tree uplinkfast`) lets an access switch move immediately to an alternate root port when its current uplink fails.
- BackboneFast (global, `spanning-tree backbonefast`) lets a switch detect an indirect failure of its path to the root (signalled by inferior BPDUs from a neighbour) and converge without waiting out max-age. Rapid PVST+ and MST build both behaviours in.
- BPDU Guard error-disables a port as soon as it receives a BPDU. It belongs on PortFast-enabled access ports, globally with `spanning-tree portfast bpduguard default` or per port with `spanning-tree bpduguard enable`; the port stays errdisabled until `shutdown`/`no shutdown` or errdisable recovery brings it back.
- Root Guard on the root switch's designated ports (and on any designated port facing a switch that must never become root) puts the port into root-inconsistent (blocking) state if a superior BPDU arrives, so the switch cannot lose the root role; the port recovers on its own once the superior BPDUs stop.
- BPDU Filter is not an extension of BPDU Guard; it suppresses BPDUs. Enabled globally (`spanning-tree portfast bpdufilter default`) a PortFast port stops sending BPDUs and, if it receives one, loses PortFast and filtering and behaves as a normal STP port. Enabled per interface it neither sends nor processes BPDUs at all, which can create a loop if a switch is plugged into that port.
- Loop Guard protects against a port that suddenly stops receiving BPDUs (typically a unidirectional link): instead of transitioning to forwarding, a root or alternate port goes loop-inconsistent, which prevents a spanning-tree loop.
- MST (802.1s) maps VLANs to instances; each instance runs one spanning tree for a single VLAN or a group of VLANs. Switches must share the same region name, revision number and VLAN-to-instance mapping to belong to the same region.
- Configuration (the region name and revision below are illustrative; `spanning-tree mode mst` is needed to activate the mapping):

```cisco
spanning-tree mode mst
spanning-tree mst configuration
 name CAMPUS
 revision 1
 instance 1 vlan 1-3
 instance 2 vlan 4-6
 instance 4 vlan 7-9
```
- Layer 3 Switching:
Switch Security:
Port security: restricts which MAC addresses a port may learn, with a violation action (protect, restrict or shutdown).
Maximum MAC address learn limits: `switchport port-security maximum` caps how many addresses a port may learn, which also stops CAM-table flooding.
Port authentication: 802.1X, where the switch acts as authenticator and only opens the port after the host has authenticated against a RADIUS server.
VLAN Hopping:
- An attacker whose host speaks DTP can negotiate a trunk with the switch and then send and receive traffic in every VLAN allowed on that trunk.
- This works because Catalyst ports ship in a dynamic mode (dynamic desirable on older platforms, dynamic auto on newer ones); either mode answers DTP from a peer that is desirable, so the port becomes a trunk. The fix is `switchport mode access` plus `switchport nonegotiate` on every host-facing port.
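As an added example (not part of the original notes), port security with a MAC learn limit and 802.1X on the same access port. The interface FastEthernet0/10, VLAN 10, the RADIUS server 10.0.0.5 and its shared key are assumed for illustration.

```cisco
! Assumed: Catalyst IOS, Fa0/10 is a user port in VLAN 10, RADIUS at 10.0.0.5.
! Port security only works on a statically configured access (or trunk) port.
interface FastEthernet0/10
 description User access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 ! two addresses: room for a phone plus the PC behind it
 switchport port-security maximum 2
 ! restrict: drop offending frames, count them and send a trap; shutdown would errdisable the port
 switchport port-security violation restrict
 ! learn the first addresses seen and write them to the running config
 switchport port-security mac-address sticky
 switchport port-security aging time 10
 spanning-tree portfast
!
! 802.1X: the switch is the authenticator, the host runs the supplicant
aaa new-model
aaa authentication dot1x default group radius
! placeholder shared secret
radius-server host 10.0.0.5 key RadiusSharedKey
dot1x system-auth-control
interface FastEthernet0/10
 ! older IOS uses "dot1x port-control auto" instead of the authentication keyword
 authentication port-control auto
 dot1x pae authenticator
!
! Verification
show port-security interface FastEthernet0/10
show port-security address
show dot1x interface FastEthernet0/10
```

With `violation restrict` the port keeps forwarding for the learned addresses and the `SecurityViolation` counter in `show port-security interface` increments for anything else; choose `shutdown` where an errdisabled port is acceptable, since it is the only mode that makes the event hard to miss.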
Private VLANs:
The common concept is VLANs within VLANs.
- A private VLAN has a primary VLAN and one or more secondary VLANs associated with it.
- Private VLANs need VTP transparent mode on VTP versions 1 and 2, which do not propagate them; VTP version 3 can carry them.
- Each primary VLAN can have only one isolated VLAN, but any number of community VLANs.
- Private VLANs provide isolation and grouping inside a single VLAN and IP subnet, without consuming extra subnets.
There are two types of secondary VLAN (isolated and community) and three types of port:
- Promiscuous: a port in the primary VLAN (typically the gateway router or a shared server) that can talk to every isolated and community port.
- Isolated: a host port in an isolated secondary VLAN; it can reach only promiscuous ports, not other isolated ports and not any community port.
- Community: a host port in a community secondary VLAN; ports in the same community can talk to each other and to promiscuous ports, but not to other communities or to isolated ports.
Configuration:

```cisco
! Private VLANs are not propagated by VTP v1/v2, so the switch must be VTP transparent
vtp mode transparent
!
vlan 100
 private-vlan primary
vlan 110
 private-vlan isolated
vlan 120
 private-vlan community
vlan 100
 private-vlan association 110,120
!
interface FastEthernet1/1
 description Isolated host port (primary 100, isolated 110)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 110
interface FastEthernet1/2
 description Community host port (primary 100, community 120)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 120
interface FastEthernet1/3
 description Promiscuous port (gateway) for primary 100
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 110,120
```

Verification:

```cisco
show vlan private-vlan
```
Spoofing Attacks:

| Command | What it does |
|---|---|
| `ip dhcp snooping` and `ip dhcp snooping vlan <id>` (global) | Enables DHCP snooping: the switch inspects DHCP traffic on the VLAN, drops server messages that arrive on untrusted ports and builds the IP-to-MAC-to-port binding table. DHCP snooping does not inspect ARP; Dynamic ARP Inspection (`ip arp inspection vlan <id>`) validates ARP against the same table. |
| `ip dhcp snooping trust` (interface) | Marks the port as trusted, so DHCP server replies are accepted on it; use it on the uplink towards the DHCP server, never on host ports. |
| `ip verify source vlan dhcp-snooping port-security` (interface; `ip verify source port-security` on 2960/3560-class switches) | Enables IP Source Guard: frames whose source IP (and, with the `port-security` keyword, source MAC) do not match a snooping binding are dropped. |
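As an added example (not part of the original notes), the three features above combined on one access switch: DHCP snooping builds the binding table, Dynamic ARP Inspection and IP Source Guard enforce it. VLAN 10, the uplink GigabitEthernet0/1, host ports FastEthernet0/1-24 and the static server binding are assumed for illustration.

```cisco
! Assumed: Catalyst 2960/3560-class IOS, VLAN 10 is the user VLAN, the DHCP server
! is reached through Gi0/1, Fa0/1-24 are host ports (untrusted by default).
ip dhcp snooping
ip dhcp snooping vlan 10
! leave option 82 off unless the DHCP server or relay expects it
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 description Uplink towards DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ! IP Source Guard with MAC check needs port security on the port
 switchport port-security
 ip verify source port-security
 ! cap DHCP and ARP rates so a host cannot exhaust the switch CPU
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! Dynamic ARP Inspection validates ARP packets against the snooping bindings
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! A host with a static address has no DHCP binding and needs a manual one
! (constructed MAC/IP for a server on Fa0/24)
ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface FastEthernet0/24
!
! Verification
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip verify source
```

Order matters when you roll this out: enable snooping first and let the binding table fill as leases renew, then turn on DAI and IP Source Guard; enabling the enforcement features on a switch with an empty table cuts off every existing host until it renews its lease.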
Spanning Tree Attacks:

| Command | What it does |
|---|---|
| `spanning-tree bpduguard enable` (interface) or `spanning-tree portfast bpduguard default` (global, all PortFast ports) | BPDU Guard: error-disables a host port that should never receive BPDUs as soon as one arrives, so a rogue switch or an attack tool cannot join the topology. |
| `spanning-tree guard root` (interface) | Root Guard: if a superior BPDU arrives on the port it goes root-inconsistent (blocking) until the superior BPDUs stop. Apply it on the designated ports of the root and secondary root switches that face other switches, so no other switch can take over the root role. |
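As an added example (not part of the original notes) covering both the STP protection features described earlier and the two commands in the table, a complete spanning-tree lockdown for an access switch that is also meant to be the root: Rapid PVST+, VLANs 1-100, host ports FastEthernet0/1-24 and uplinks GigabitEthernet0/1-2 are assumed for illustration.

```cisco
! Assumed: Catalyst IOS running Rapid PVST+; this switch is the intended root
! for VLANs 1-100, Fa0/1-24 face hosts, Gi0/1-2 face other switches.
spanning-tree mode rapid-pvst
! pin the root role instead of leaving it to the default priority 32768
spanning-tree vlan 1-100 root primary
!
! Edge ports: PortFast on all access ports, BPDU Guard on every PortFast port
spanning-tree portfast default
spanning-tree portfast bpduguard default
! Loop Guard on every root/alternate port, protects against unidirectional links
spanning-tree loopguard default
! Recover a BPDU-Guard errdisabled port after 5 minutes instead of a manual shut/no shut
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Legacy PVST+ (not rapid) would add: spanning-tree uplinkfast on access switches
! and spanning-tree backbonefast on all switches; Rapid PVST+ has both built in.
!
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Designated ports towards non-root switches: Root Guard drops any superior BPDU.
! Root Guard and Loop Guard cannot both be active on one port; guard root wins here.
interface range GigabitEthernet0/1 - 2
 spanning-tree guard root
!
! Verification
show spanning-tree summary
show spanning-tree inconsistentports
show errdisable recovery
```

`show spanning-tree inconsistentports` is the place to look after a rogue switch is plugged in: a Root Guard port shows up as `Root Inconsistent`, a Loop Guard port as `Loop Inconsistent`, while a BPDU Guard hit appears under `show interfaces status err-disabled` instead.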
Best Practices:
- Disable CDP on ports where it is not needed (`no cdp enable` per port, or `no cdp run` globally); it advertises platform, IOS version and management addresses to whatever is plugged in.
- Lock down the spanning tree: fixed root bridge, BPDU Guard on access ports, Root Guard on designated ports.
- Disable trunk negotiation (`switchport nonegotiate`) and configure trunks statically on both ends.
- Place unused ports in a black-hole VLAN that is routed nowhere, and shut them down.
- Use the `switchport host` macro on host ports (sets access mode, enables PortFast and disables EtherChannel).
- Use SSH rather than Telnet for switch configuration.
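As an added example (not part of the original notes) tying the best practices above to the VLAN hopping problem described earlier: the negotiable default that lets an attacker form a trunk, beside the hardened host port, black-holed unused ports and SSH-only management. Host ports FastEthernet0/1-20, unused ports FastEthernet0/21-24, VLAN 999 as the black-hole VLAN, the hostname, domain name and credentials are assumed for illustration.

```cisco
! Assumed: Catalyst 2960/3560-class IOS; Fa0/1-20 are host ports, Fa0/21-24 are unused.
!
! The state VLAN hopping relies on: a port left in a dynamic mode answers DTP and
! becomes a trunk when the attacker's host sends "desirable" DTP frames.
!   interface FastEthernet0/1
!    switchport mode dynamic desirable
!
! Hardened host port: access mode, PortFast, no EtherChannel (switchport host macro),
! no DTP, no CDP
interface range FastEthernet0/1 - 20
 switchport host
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
!
! Unused ports: parked in a VLAN that exists nowhere else and shut down
vlan 999
 name BLACKHOLE
interface range FastEthernet0/21 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! Management over SSH only (RSA key generation needs hostname and domain name first)
hostname ACC-SW1
ip domain-name corp.example
crypto key generate rsa modulus 2048
ip ssh version 2
! placeholder credentials
username admin privilege 15 secret REPLACE_ME
line vty 0 15
 login local
 transport input ssh
!
! Verification
show interfaces switchport
show dtp interface FastEthernet0/1
show ip ssh
```

After this `show interfaces switchport` reports `Administrative Mode: static access` and `Negotiation of Trunking: Off` for the host ports; any port still showing `dynamic auto` or `dynamic desirable` is one an attacker can turn into a trunk. Keep CDP (or LLDP-MED) on ports that carry IP phones, since the phone learns its voice VLAN from it.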
1 comment:
good notes farhan, appreciate if you could post some more on creating vlans, 6509, content switching.