-----------------------
-----------------------
Private VLANs
-------------
R1(config)# vlan 201
R1(config-vlan)# name pvlan201
R1(config-vlan)# private-vlan community
R1(config)# vlan 202
R1(config-vlan)# name pvlan202
R1(config-vlan)# private-vlan isolated
R1(config)# vlan 2
R1(config-vlan)# private-vlan primary
R1(config-vlan)# private-vlan association 201,202
-------------------
-------------------
STP
---
SW1(config)# spanning-tree vlan 1,2,3 root
or
SW1(config)# spanning-tree vlan 1,2,10 priority 0 <-- better
PVST+
-----
SW1(config)# int fa0/1
SW1(config-if)# spanning-tree portfast
SW1(config)# spanning-tree uplinkfast
SW1(config)# spanning-tree backbonefast (skips the 20-second max-age wait; must be enabled on every switch)
RPVST+
------
SW1(config)# spanning-tree mode rapid-pvst
MST
----
SW1(config)# spanning-tree mode mst
SW1(config)# spanning-tree mst configuration
SW1(config-mst)# name Region 1
SW1(config-mst)# revision 1 --> incrementar en cada cambio
SW1(config-mst)# instance 1 vlan 2
SW1# show pending --> see changes
SW1(config)# spanning-tree mst 0 priority 0
SW1(config)# spanning-tree mst 1 priority 4096
STP PROTECTION
---------------
ROOT GUARD
----------
SW1(config)# int fa0/1 --> donde no esta el root
SW1(config-if)# spanning-tree guard root
BPDU GUARD
----------
SW1(config)# spanning-tree portfast bpduguard default
or
SW1(config)# int fa0/1 --> donde no se recibe bpdu
SW1(config-if)# spanning-tree bpduguard enable
LOOP GUARD
----------
SW1(config)# spanning-tree loopguard default
or
SW1(config)# int fa0/1
SW1(config-if)# spanning-tree guard loop
UDLD
----
Sw1# show udld neighbors
SW1(config)# udld enable
or
SW1(config)# int Gi1/1
SW1(config-if)# udld enable/aggressive
SW1(config-if)# udld message time 5 ("seconds")
ETHERCHANNEL
------------
SW1# show etherchannel load-balance
SW1# show etherchannel summary
PAGP
----
SW1(config)# int range fa0/2 -5
SW1(config-if)# switchport mode trunk
SW1(config-if)# channel-protocol pagp --> Cisco proprietary
SW1(config-if)# channel-group 1 mode auto/desirable
LACP
----
SW1(config)# lacp system-priority 100 --> lowest priority wins (default 32768)
SW1(config)# int range fa0/2 -5
SW1(config-if)# switchport mode trunk
SW1(config-if)# channel-protocol lacp --> IEEE standard
SW1(config-if)# channel-group 1 mode passive/active
SW1(config-if)# lacp port-priority 100
LAYER 3 (SVI)
-------------
SW1(config)# ip routing
LAYER 3 (ETHERCHANNEL)
----------------------
SW1(config)# int port-channel 1
SW1(config-if)# no switchport
SW1(config-if)# ip address 192.168.3.1 255.255.255.0
SW1(config-if)# no shut
SW1(config)# int range fa0/4-10
SW1(config-if)# no switchport
SW1(config-if)# ip address 192.168.3.1 255.255.255.0
SW1(config-if)# channel-protocol lacp
SW1(config-if)# channel-group 1 mode passive/active
CEF
---
SW1# show ip cef (192.168.100.0 255.255.255.0)
SW1# show adjacency
SW1(config)# ip routing
HSRP
----
SW1# show standby
SW1(config)# int vlan 2
SW1(config-if)# ip address 192.168.3.10 255.255.255.0
SW1(config-if)# no shut
SW1(config-if)# standby 1 name vlan2-luis
SW1(config-if)# standby 1 ip 192.168.3.1
SW1(config-if)# standby 1 priority 110
SW1(config-if)# standby 1 preempt delay minimum 60 reload 200
SW1(config-if)# standby 1 authentication md5 key-string secreto
SW1(config-if)# standby 1 track fa0/1 20
SW1(config-if)# standby 1 timers msec 500 msec 1500
(hello) (holdtime)
GLBP
----
SW1# show glbp (brief)
SW1(config)# int vlan 2
SW1(config-if)# ip address 192.168.3.10 255.255.255.0
SW1(config-if)# no shut
SW1(config-if)# glbp 1 ip 192.168.3.1
SW1(config-if)# glbp 1 priority 200
SW1(config-if)# glbp 1 preempt
SW1(config-if)# glbp 1 timers msec 500 msec 1500
SW1(config-if)# glbp 1 authentication md5 key-string secreto
SW1(config-if)# glbp 1 load-balancing round-robin/weighted/host-dependent
RACLs
----
SW1(config)# ip access-list extended borde-salida
SW1(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 any
SW1(config-ext-nacl)# permit ip 192.168.3.0 0.0.0.255 any
SW1(config)# int f0/2
SW1(config-if)# ip access-group borde-salida out
VACLs
-----
SW1# show vlan filter
SW1# show vlan access-map
SW1(config)# ip access-list extended vacl-test
SW1(config-ext-nacl)# permit tcp any any eq ftp
SW1(config-ext-nacl)# permit tcp any any eq telnet
SW1(config)# vlan access-map vacl-test 10
SW1(config-access-map)# match ip address vacl-test
SW1(config-access-map)# action drop
SW1(config)# vlan access-map vacl-test 20
SW1(config-access-map)# action forward
SW1(config)# vlan filter vacl-test vlan-list 2
SW1# show platform tcam utilization --> TCAM-STATUS(3750)
PORT SECURITY
-------------
SW1# show port-security (address)
SW1(config)# int f0/1
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security violation restrict/protect/shutdown
SW1(config-if)# switchport port-security maximum 2
SW1(config-if)# switchport port-security mac-address sticky
SW1(config-if)# switchport port-security aging type inactivity/absolute
SW1(config-if)# switchport port-security aging time 120
SPOOFING
--------
DHCP SNOOPING
--------------
SW1# show ip dhcp snooping (binding/statistics)
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 2
SW1(config)# ip dhcp snooping verify mac-address
SW1(config)# int fa0/8
SW1(config-if)# ip dhcp snooping trust
IP SOURCE GUARD
---------------
SW1# show ip verify source
SW1# show ip source binding
SW1(config)# int fa0/8
SW1(config-if)# ip verify source
SW1(config)# ip source binding 0015.c557cf954 vlan 2 192.168.2.30 int fa0/8
ARP ACL
-------
SW1# show ip arp inspection interfaces/statistics
SW1(config)# arp access-list pa-vlan2
SW1(config-arp-nacl)# permit ip host 192.168.1.10 mac host 0015.c557.f9bd
SW1(config)# ip arp inspection filter pa-vlan2 vlan 2
LOCAL SPAN
----------
SW1(config)# monitor session 1 source int fa0/2 both/rx/tx
SW1(config)# monitor session 1 destination int fa0/10
REMOTE SPAN
-----------
SW1(config)# vlan 30
SW1(config-vlan)# remote-span
SW1(config)# int fa0/2
SW1(config-if)# switchport trunk allowed vlan add 30
SW1(config)# monitor session 1 source int fa0/2 both/rx/tx
SW1(config)# monitor session 1 destination remote vlan 30
SW2(config)# vlan 30
SW2(config-vlan)# remote-span
SW2(config)# int fa0/5
SW2(config-if)# switchport trunk allowed vlan add 30
SW2(config)# monitor session 1 type rspan-destination
SW2(config-mon-rspan-dst)# source remote vlan 30
SW2(config-mon-rspan-dst)# destination interface fa0/10
SW2(config-mon-rspan-dst)# no shut
ENCAPSULATED RSPAN
------------------
SW1(config)# monitor session 1 type erspan-source
SW1(config-mon-erspan-src)# source int fa0/8 both
SW1(config-mon-erspan-src)# filter vlan 2
SW1(config-mon-erspan-src)# destination
SW1(config-mon-erspan-src-dst)# ip address 192.168.3.1
SW1(config-mon-erspan-src-dst)# erspan-id 1
SW1(config-mon-erspan-src-dst)# origin ip address 192.168.2.1
SW1(config-mon-erspan-src-dst)# no shut
SW2(config)# monitor session 1 type erspan-destination
SW2(config-mon-erspan-dst)# destination int fa0/10
SW2(config-mon-erspan-dst)# source
SW2(config-mon-erspan-dst-src)# ip add 192.168.3.1
SW2(config-mon-erspan-dst-src)# erspan-id 1
SW2(config-mon-erspan-dst-src)# no shut
QoS
---
SW1(config)# mls qos
SW1(config)# int fa0/2
SW1(config-if)# mls qos trust dscp/cos