cisco:switch [2008/01/18 20:46] a created
cisco:switch [2010/04/16 23:56] a

<note warning>
**GOOD TO KNOW!** \\
(//http://puck.nether.net/pipermail/cisco-nsp/2004-November/014090.html//) \\
\\
Normally, through a switch port, there are 3 kinds of traffic that are forwarded (I didn't take into account the VLAN separation in the switch):\\
[...]
packets is enough to make the MAC address of the host be added to the table on the switch, and the probability of a "normal" host to not send packets for 5 minutes (especially if it is Windows :) ) is very very small.
</note>

===== PoE (Cisco that's not using 802.3af by default) =====
   interface fa x/y
   power inline delay shutdown 5 initial 100

Repeat for each PoE interface.

===== Make Catalyst switch silent (The Invisible Catalyst Switch) =====

<note tip>
If you've ever looked at a packet capture from a Cisco Catalyst switch with a default configuration, you know they produce a good amount of ambient noise out of the box. CDP, STP, DTP, keepalives - these are all turned on by default and, combined, generate a significant amount of traffic. \\

**Original notes: http://packetlife.net/blog/2010/apr/15/invisible-catalyst-switch/ (thanks, Jeremy Stretch)**
</note>

**Turning off CDP**
   S1(config)# no cdp run

**Turning off DTP**
   S1(config)# interface range f0/1 -24
   S1(config-if-range)# switchport mode access
   S1(config-if-range)# switchport nonegotiate

**Turning off STP**
   S1(config)# no spanning-tree vlan 1

**Turning off Ethernet Keepalives**
   S1(config)# interface range f0/1 -24
   S1(config-if-range)# no keepalive
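
As an added example (not from this page or from Jeremy Stretch's post), the Python below audits an IOS running-config for the four noise sources listed above, so the recipe can be verified after it is applied. ''SAMPLE_CONFIG'' is a constructed config and the function names are this example's own.

```python
# Added example (not from the page): audit an IOS running-config for the four
# noise sources above. SAMPLE_CONFIG is constructed; only Fa0/1 is fully quiet.
SAMPLE_CONFIG = """\
no cdp run
!
interface FastEthernet0/1
 switchport mode access
 switchport nonegotiate
 no keepalive
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode trunk
 no keepalive
!
spanning-tree mode pvst
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every 'interface' stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def audit_noise(config, vlan=1):
    """List the protocols from the recipe that this config still leaves on.
    CDP and per-VLAN STP are global; DTP (switchport nonegotiate) and
    Ethernet keepalives are checked on every interface stanza."""
    lines = {line.strip() for line in config.splitlines()}
    findings = []
    if "no cdp run" not in lines:
        findings.append("global: CDP still running")
    if f"no spanning-tree vlan {vlan}" not in lines:
        findings.append(f"global: STP still running on VLAN {vlan}")
    for name, commands in parse_interfaces(config).items():
        if "switchport nonegotiate" not in commands:
            findings.append(f"{name}: DTP negotiation still enabled")
        if "no keepalive" not in commands:
            findings.append(f"{name}: Ethernet keepalives still enabled")
    return findings
```

The STP check reports the page's recipe literally; disabling spanning tree on a VLAN removes loop protection, so treat that finding as expected wherever a loop is still possible.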

===== Security on L2 based equipment =====

See [[http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=4|Security Features on Switches]] on access lists.

==== VLAN ACL (VACL) ====

**VACL on a Bridged Port** \\
{{cisco:ns080402.gif|VACL on a Bridged Port}} \\
**VACL on a Routed Port** \\
{{cisco:thns080403.gif|VACL on a Routed Port}}

=== Configuring VACL ===
  - Define the standard or extended access list to be used in the VACL.
  - Define a VLAN access map.
  - Configure a match clause in a VLAN access map sequence.
  - Configure an action clause in a VLAN access map sequence.
  - Apply the VLAN access map to the specified VLANs.
  - Display VLAN access map information.

<code>
Switch(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)# access-list 2 permit any
Switch(config)# vlan access-map mymap 10
Switch(config-access-map)# match ip address 1
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map mymap 20
Switch(config-access-map)# match ip address 2
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter mymap vlan-list 5-10
Switch(config)# end

Switch# show vlan access-map
Vlan access-map "mymap"  10
  Match clauses:
    ip address: 1
  Action:
    drop
Vlan access-map "mymap"  20
  Match clauses:
    ip address: 2
  Action:
    Forward

Switch# show vlan filter
VLAN Map mymap is filtering VLANs:
  5-10
</code>
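
The six steps and the ''mymap'' configuration above, as an added example that is not part of the page: a Python model of how this VACL evaluates a packet (wildcard-mask matching in the standard ACLs, sequences walked in numeric order, implicit drop when nothing matches). It goes a little beyond the page by letting you pass a different access map or ACL table, which shows why sequence order matters and that a ''deny'' inside an ACL means "no match for this sequence" rather than "drop". Function and table names are this example's own.

```python
# Added example (not from the page): model the VACL above to show how a packet
# is evaluated. Function and table names are this example's own.
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must equal the network, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


# Standard ACLs from the page: number -> [(action, network, wildcard)].
# 'permit any' is the same as 'permit 0.0.0.0 255.255.255.255'.
ACCESS_LISTS = {
    1: [("permit", "192.168.1.0", "0.0.0.255")],
    2: [("permit", "0.0.0.0", "255.255.255.255")],
}

# vlan access-map mymap from the page: [(sequence, acl number, action)].
MYMAP = [(10, 1, "drop"), (20, 2, "forward")]


def acl_permits(acl_number, src, acls=ACCESS_LISTS):
    """Standard ACL lookup: first matching entry wins, implicit deny at the end."""
    for action, network, wildcard in acls[acl_number]:
        if wildcard_match(src, network, wildcard):
            return action == "permit"
    return False


def vacl_action(src, access_map=MYMAP, acls=ACCESS_LISTS):
    """Walk the access-map sequences in numeric order. A 'match ip address N'
    clause matches when ACL N permits the packet; the first matching sequence
    decides. A packet matched by no sequence is dropped (implicit deny)."""
    for _seq, acl_number, action in sorted(access_map):
        if acl_permits(acl_number, src, acls):
            return action
    return "drop"
```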

==== MAC ACL ====

A MAC ACL, also known as an Ethernet ACL, filters non-IP traffic on a VLAN or on a physical Layer 2 interface by matching MAC addresses in a named MAC extended ACL. The steps to configure a MAC ACL are similar to those for extended named ACLs. MAC ACLs support inbound traffic filtering only.

<code>
Switch(config)# mac access-list extended my-mac-acl
Switch(config-ext-macl)# deny any any aarp
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
Switch(config)# interface Fastethernet0/10
Switch(config-if)# mac access-group my-mac-acl in
Switch(config-if)# end
Switch#
</code>
cisco/switch.txt · Last modified: 2011/11/24 13:34 by greebo
CC Attribution-Share Alike 4.0 International