[[cisco:switch]]
Trace:
Show page
AdminRecent ChangesSitemap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
cisco:switch [2009/03/11 18:03]
a Page name changed from cisco:catalyst to cisco:switch 		cisco:switch [2011/11/24 13:34] (current)
greebo
Line 8: Line 8:
   * **traffic with dest. mac addresses unknown to the switch, which is flooded to all ports but the one where the packets entered.** \\   * **traffic with dest. mac addresses unknown to the switch, which is flooded to all ports but the one where the packets entered.** \\
  
-When one uses "''**switchport block unicast**''", the third type on the list, the so called "''unknown unicast''" traffic is noe forwarded to the specific port, so the only traffic exiting the port will be the broadcast (ff...) or the packets that have as destination mac, one of the mac-addresses learned on the port. \\+When one uses "''**switchport block unicast**''", the third type on the list, the so called "''unknown unicast''" traffic is not forwarded to the specific port, so the only traffic exiting the port will be the broadcast (ff...) or the packets that have as destination mac, one of the mac-addresses learned on the port. \\
 \\ \\
 A problem arises when a host connected somehow to that port does not send any traffic for more than ''$mac_address_aging_time'' (usually 5 min): the mac will be erased from the mac address table, and the traffic will  A problem arises when a host connected somehow to that port does not send any traffic for more than ''$mac_address_aging_time'' (usually 5 min): the mac will be erased from the mac address table, and the traffic will 
Line 20: Line 20:
  
 for each interface for each interface
 +
 +===== Make Catalyst switch silent (The Invisible Catalyst Switch) =====
 +
 +<note tip>
 +If you've ever looked at a packet capture from a Cisco Catalyst switch with a default configuration, you know they produce a good amount of ambient noise out of the box. CDP, STP, DTP, keepalives - these are all turned on by default and, combined, generate a significant amount of traffic. \\
 +
 +
 +
 +**Original notes: http://packetlife.net/blog/2010/apr/15/invisible-catalyst-switch/ (10x Jeremy Stretch)**
 +</note>
 +
 +**Turning off CDP**
 +   S1(config)# no cdp run
 +**Turning off DTP**
 +   S1(config)# interface range f0/1 -24
 +   S1(config-if-range)# switchport mode access
 +   S1(config-if-range)# switchport nonegotiate
 +**Turning off STP**
 +   S1(config)# no spanning-tree vlan 1
 +**Turning off Ethernet Keepalives**
 +   S1(config)# interface range f0/1 -24
 +   S1(config-if-range)# no keepalive
 +
 +
 +
 +
 +
 +
 +===== Security on L2 based equipment =====
 +
 +see [[http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=4|Security Features on Switches]] on Access Lists
 +
 +==== VLAN ACL (VACL) ====
 +
 +**VACL on a Bridged Port**
 +{{cisco:ns080402.gif|VACL on a Bridged Port}} \\
 +**VACL on a Routed Port** 
 +{{cisco:thns080403.gif|VACL on a Routed Port}}
 +
 +=== Configuring VACL ===
 +  - Define the standard or extended access list to be used in VACL.
 +  - Define a VLAN access map.
 +  - Configure a match clause in a VLAN access map sequence.
 +  - Configure an action clause in a VLAN access map sequence.
 +  - Apply the VLAN access map to the specified VLANs.
 +  - Display VLAN access map information.
 +
 +<code>
 +Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.255
 +Switch(config)#access-list 2 permit any
 +Switch(config)#vlan access-map mymap 10
 +Switch(config-access-map)#match ip address 1
 +Switch(config-access-map)#action drop
 +Switch(config-access-map)#exit
 +Switch(config)#vlan access-map mymap 20
 +Switch(config-access-map)#match ip address 2
 +Switch(config-access-map)#action forward
 +Switch(config-access-map)#exit
 +Switch(config)# vlan filter mymap vlan-list 5-10
 +Switch(config-access-map)#end
 +
 +Switch# show vlan access-map
 +Vlan access-map "mymap"  10                              
 +  Match clauses:                                         
 +    ip address: 1                                        
 +  Action:                                                
 +    drop                                                 
 +Vlan access-map "mymap"  20                              
 +  Match clauses:                                         
 +    ip address: 2                                        
 +  Action:                                                
 +    Forward                                              
 +
 +Switch# show vlan filter
 +VLAN Map mymap is filtering VLANs:                       
 +  5-10                              
 +</code>
 +
 +==== MAC ACL ====
 +
 +MAC ACL, also known as Ethernet ACL, can filter non-IP traffic on a VLAN and on a physical Layer 2 interface by using MAC addresses in a named MAC extended ACL. The steps to configure a MAC ACL are similar to those of extended named ACLs. MAC ACL supports only inbound traffic filtering.
 +
 +<code>
 +Switch(config)# mac access-list extended my-mac-acl
 +Switch(config-ext-macl)# deny any any aarp
 +Switch(config-ext-macl)# permit any any
 +Switch(config-ext-macl)# exit
 +Switch(config)# interface Fastethernet0/10
 +Switch(config-if)# mac access-group my-mac-acl in
 +Switch(config-if)# end
 +Switch#
 +</code>
 +
 +
 +
 +
  
cisco/switch.1236791038.txt.gz ยท Last modified: 2009/05/25 00:34 (external edit)
Show pageOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready