
CCNP - CCIP

www.id-networkers.com

Course Breakup

Frame-Relay, Basic Switching & RIPv2


EIGRP, OSPF, Route Filtering & Redistribution
OSPF & BGP
Advanced Switching & Security
IOS Services & QOS
Multicasting & IPv6
MPLS & MPLS - VPN
100 Point Super Lab


Section 1

ADVANCED SWITCHING


Advanced Switching
Task 1
Configure Cat-1 using the following policy:
The ports to which routers R1-R6 are connected should allow only one
MAC address to be learned. If any MAC address other than that of the
attached router is detected on one of these ports, the switch must
automatically shut that port down. Use a regular macro and a smartport
macro to accomplish this task.

On Cat-1:
define interface-range router-ports f0/1 - 6
macro name port-secure
Enter macro commands one per line. End with the character '@'.
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1
@

Notes on the macro body: port-security is only accepted on an access (or
statically trunking) port, which is why switchport mode access comes first.
The default violation mode is shutdown, so a second MAC address puts the
port into the err-disabled state, which is exactly what the task asks for.
With mac-address sticky the first address learned is written into the
running configuration, so the router's MAC survives a link flap without
being typed in by hand.


Advanced Switching
Task 1 (contd)
A smartport macro can be applied to a single interface, to an interface
range, or to a named range created with define interface-range. Here it is
applied to the router-ports range defined above:
interface range macro router-ports
macro apply port-secure

Verify with show port-security interface f0/1: Port Security should read
Enabled, Violation Mode Shutdown and Maximum MAC Addresses 1.

On Cat-2 port f0/14, limit broadcast traffic to 50% of the interface
bandwidth:
interface f0/14
storm-control broadcast level 50.00


Advanced Switching
Storm Control
storm-control can be applied to broadcast, unicast or multicast traffic;
the command sets the suppression level for one traffic type on a
particular interface.
The level is a percentage of the interface bandwidth from 0 to 100, with
an optional fractional part of 0-99 hundredths (for example 50.25).
A level of 100 percent means no limit is placed on that traffic type; a
level of 0.0 means that traffic type is blocked altogether.
What happens when a threshold is exceeded depends on the platform. On
older Catalyst switches (the behaviour documented for the 3550), exceeding
the multicast threshold causes all incoming traffic on the port (broadcast,
multicast and unicast) to be dropped, with only spanning-tree packets
forwarded, until the multicast rate falls back below the threshold. When
the broadcast or unicast threshold is exceeded, only the traffic type that
exceeded its threshold is blocked.
By default the excess traffic is simply filtered and the port stays up;
storm-control action shutdown err-disables the port instead and
storm-control action trap sends an SNMP trap. Verify with show storm-control.


Advanced Switching
Task 2
Cat-2's ports f0/15 and f0/16 are connected to the company's web and
e-mail servers. These ports should be configured in VLAN 88.
Ensure that these ports can't communicate with each other.
On Cat-2:
Cat-2(config)#interface range f0/15 - 16
Cat-2(config-if-range)#switchport access vlan 88
Cat-2(config-if-range)#switchport protected
Cat-2#show interfaces f0/15 switchport
...
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

The port is now in protected mode. Note that unknown unicast and
multicast traffic is still not blocked.
Protected ports are only isolated from other protected ports on the
same switch; traffic between the servers and any non-protected port,
including uplinks to other switches, is not affected.

Advanced Switching
Task 2 (contd)
Port blocking is usually configured together with protected ports. By
default the switch floods a frame with an unknown destination MAC
address out of every port in the VLAN except the one on which the frame
was received, so such frames from any non-protected port still reach the
protected server ports.
If unknown unicast or multicast traffic is flooded to a protected port,
the servers receive traffic they should never see, and a host on any
other port gains a way to reach them. To prevent this, block unknown
unicast and multicast frames on the protected ports as follows:
interface range f0/15 - 16
switchport block unicast
switchport block multicast

show interfaces f0/15 switchport should now report Unknown unicast
blocked: enabled and Unknown multicast blocked: enabled.
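To make the flooding behaviour described above concrete, the following Python model of a Catalyst forwarding decision is added here; it is not part of the original course material. It models three ports of Cat-2 (f0/1 as an ordinary user port, f0/15 and f0/16 as the protected server ports) with constructed MAC addresses, and shows that unknown-unicast and unknown-multicast floods from a non-protected port reach the servers until switchport block is applied, while protected-to-protected traffic and broadcast handling are unaffected by the block commands.

```python
"""Toy model of Catalyst Layer-2 forwarding with protected ports and
'switchport block'.  Added example, not from the original slides; port names
and MAC addresses are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    protected: bool = False        # switchport protected
    block_unicast: bool = False    # switchport block unicast
    block_multicast: bool = False  # switchport block multicast


def is_multicast(mac: str) -> bool:
    """Group bit (LSB of the first octet) set, broadcast excluded."""
    return mac.lower() != BROADCAST and bool(int(mac.split(":")[0], 16) & 1)


@dataclass
class Switch:
    ports: Dict[str, Port] = field(default_factory=dict)
    mac_table: Dict[str, str] = field(default_factory=dict)  # dst MAC -> port

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def learn(self, mac: str, port_name: str) -> None:
        self.mac_table[mac.lower()] = port_name

    def egress_ports(self, ingress: str, dst_mac: str) -> List[str]:
        """Ports a frame received on `ingress` is forwarded out of."""
        dst_mac = dst_mac.lower()
        src = self.ports[ingress]
        broadcast = dst_mac == BROADCAST
        multicast = is_multicast(dst_mac)
        known = None if (broadcast or multicast) else self.mac_table.get(dst_mac)
        if known is not None:                       # known unicast: single egress
            candidates, flooded = ([known] if known != ingress else []), False
        else:                                       # flood to the VLAN minus ingress
            candidates, flooded = [p for p in self.ports if p != ingress], True
        out = []
        for name in candidates:
            dst = self.ports[name]
            if src.protected and dst.protected:
                continue  # protected ports never forward to each other, any type
            if flooded and not broadcast:
                # unknown unicast / unknown multicast: honour 'switchport block'
                if multicast and dst.block_multicast:
                    continue
                if not multicast and dst.block_unicast:
                    continue
            out.append(name)
        return sorted(out)


def build_cat2(with_block: bool) -> Switch:
    """Cat-2 with f0/15-16 protected; optionally with switchport block applied."""
    sw = Switch()
    sw.add_port(Port("f0/1"))                       # ordinary port in VLAN 88
    for name in ("f0/15", "f0/16"):                 # web and e-mail servers
        sw.add_port(Port(name, protected=True,
                         block_unicast=with_block, block_multicast=with_block))
    sw.learn("00:00:0c:00:00:15", "f0/15")          # constructed server MACs
    sw.learn("00:00:0c:00:00:16", "f0/16")
    return sw


if __name__ == "__main__":
    for label, sw in (("protected only", build_cat2(False)),
                      ("protected + block", build_cat2(True))):
        print(label, "unknown unicast from f0/1 ->",
              sw.egress_ports("f0/1", "00:00:0c:00:00:99"))
```

The model deliberately keeps known unicast and broadcast untouched by the block commands: a frame to a learned server MAC is still delivered, and a broadcast from a server still reaches f0/1, so blocking unknown traffic does not break the servers' normal operation.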


Advanced Switching
Task 3
Configure Cat-1 so that the ports the routers are connected to bypass the
listening and learning states. If any of these ports receives a BPDU, that
port should lose its PortFast state.
On Cat-1:
interface range f0/1 - 6
spanning-tree portfast

Globally: entering the following command in global configuration mode
affects every port that is in the PortFast operational state:
spanning-tree portfast bpdufilter default

With this global command, PortFast-enabled ports stop sending BPDUs; a
port sends a few BPDUs at link-up before the switch starts filtering
outbound BPDUs. If a BPDU is then received on such a port, the port loses
its PortFast status and BPDU filtering is turned off for it, so spanning
tree runs normally on the port again. This is what the task asks for.

Interface-level:
spanning-tree bpdufilter enable
The interface-level command behaves differently: the port neither sends
nor processes any BPDUs, and it keeps that behaviour even when a BPDU
arrives. This effectively disables spanning tree on the port and can create
a bridging loop if a switch is ever connected to it. Because the port does
not lose PortFast, it does not satisfy this task.

Advanced Switching
Task 3 (contd)
Cat-1(config)#spanning-tree portfast bpduguard default
Cat-1(config)#interface range f0/1 - 6
Cat-1(config-if-range)#spanning-tree portfast

Once the portfast command is entered you should see the following
warning message:
% Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc. to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
% portfast will be configured in 6 interfaces due to the range command but
will have effect when the interfaces are in a non-trunking mode

The spanning-tree portfast bpduguard default command in global
configuration mode puts a port into the err-disabled state if a BPDU is
received on any port in the PortFast operational state. Unlike BPDU
filter, this leaves an audit trail (a %SPANTREE-2-BLOCK_BPDUGUARD log
message) and the port stays down until it is bounced with shutdown /
no shutdown or recovered automatically via errdisable recovery cause
bpduguard. To guard a port regardless of its PortFast state, use
spanning-tree bpduguard enable on the interface itself.
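Tasks 1 to 3 all come down to settings that can be read straight out of a running-config, so a single audit script is added here to check them; it is not part of the original course material. It parses the standard IOS layout (interface stanzas with space-indented lines, separated by "!") and reports port-security maximums above 1 or non-shutdown violation modes (Task 1), protected ports without switchport block (Task 2), and PortFast ports without BPDU guard or with interface-level BPDU filter (Task 3). The SAMPLE_CONFIG it runs against is constructed for illustration and is not a capture from the lab switches.

```python
"""Audit an IOS running-config for the access-port hardening from Tasks 1-3.
Added example, not from the original slides; SAMPLE_CONFIG is constructed."""
import re
from typing import Dict, List, Tuple


def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global_lines, {interface_name: [stripped stanza lines]})."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("!"):                 # stanza separator
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:                                    # top-level (global) command
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_access_ports(text: str) -> Dict[str, List[str]]:
    """Map interface name -> findings; interfaces with no findings are omitted."""
    global_lines, interfaces = parse_ios_config(text)
    global_bpduguard = "spanning-tree portfast bpduguard default" in global_lines
    findings: Dict[str, List[str]] = {}
    for name, lines in interfaces.items():
        notes: List[str] = []
        # Task 1: the bare 'switchport port-security' line enables the feature;
        # IOS defaults are maximum 1 and violation shutdown.
        if "switchport port-security" in lines:
            maximum, violation = 1, "shutdown"
            for line in lines:
                m = re.match(r"switchport port-security maximum (\d+)", line)
                if m:
                    maximum = int(m.group(1))
                m = re.match(r"switchport port-security violation (\w+)", line)
                if m:
                    violation = m.group(1)
            if maximum > 1:
                notes.append(f"port-security allows {maximum} MAC addresses")
            if violation != "shutdown":
                notes.append(f"port-security violation mode {violation}: port stays up")
        elif any(line.startswith("switchport port-security") for line in lines):
            notes.append("port-security options present but feature not enabled")
        # Task 2: protected ports still receive flooded unknown traffic unless blocked.
        if "switchport protected" in lines:
            for kind in ("unicast", "multicast"):
                if f"switchport block {kind}" not in lines:
                    notes.append(f"protected port still receives flooded unknown {kind}")
        # Task 3: PortFast needs BPDU guard (interface or global default);
        # interface-level BPDU filter ignores BPDUs and keeps PortFast.
        portfast = any(line.startswith("spanning-tree portfast")
                       and not line.endswith("disable") for line in lines)
        if portfast and not (global_bpduguard or "spanning-tree bpduguard enable" in lines):
            notes.append("portfast without BPDU guard")
        if "spanning-tree bpdufilter enable" in lines:
            notes.append("interface-level bpdufilter: STP effectively disabled on port")
        if notes:
            findings[name] = notes
    return findings


# Constructed sample: one compliant router port, one weakened port, and the
# two server ports from Task 2 with and without 'switchport block'.
SAMPLE_CONFIG = """\
!
spanning-tree portfast bpdufilter default
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation protect
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/15
 switchport access vlan 88
 switchport mode access
 switchport protected
!
interface FastEthernet0/16
 switchport access vlan 88
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast
!
"""

if __name__ == "__main__":
    for interface, notes in audit_access_ports(SAMPLE_CONFIG).items():
        print(interface)
        for note in notes:
            print("  -", note)
```

Because the sample enables only bpdufilter default globally, even the otherwise compliant FastEthernet0/1 is reported as "portfast without BPDU guard"; adding spanning-tree portfast bpduguard default to the global section clears that finding for every PortFast port at once.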


Advanced Switching
Task 4
The IT department has asked you to monitor and analyze all packets sent
and received by the host connected to port f0/14 on Cat-1. You have
connected the packet analyzer to port f0/15 on the same switch; configure
the switch to accommodate this request.
On Cat-1:
monitor session 1 source interface f0/14 both
monitor session 1 destination interface f0/15

Note the following:
The number of SPAN sessions is platform-dependent; the Catalyst switches
used here support two.
The direction to monitor can be rx, tx or both: rx copies traffic received
on the source port, tx copies traffic transmitted out of it, and both (the
default) copies both directions.
Whether VLAN sources can be monitored in both directions also depends on
the platform; on the switches used here VLAN sources are rx only.
The destination port carries only the mirrored copies: by default it does
not forward frames received from the analyzer (ingress is disabled) and it
does not participate in spanning tree, so it must never be connected to
another switch.
To verify, enter show monitor session 1.


Advanced Switching
Task 5
PCs that are connected, or will be connected, to Cat-1 port f0/16 must be
authenticated before they are allowed access to the network. This
authentication should use the CSACS (Cisco Secure ACS) server at
192.168.1.2 with cisco as the key.
On Cat-1:
Cat-1#show dot1x
Sysauthcontrol              Disabled
Dot1x Protocol Version             2
Critical Recovery Delay          100
Critical EAPOL              Disabled

Note: by default 802.1X is disabled on the switch. Enter the following
command to enable it:
Cat-1(config)#dot1x system-auth-control
The above command enables 802.1X globally on the switch; without it,
per-port dot1x configuration has no effect.


Advanced Switching
Task 5 (contd)
On Cat-1:
Cat-1#show dot1x
Sysauthcontrol               Enabled
Dot1x Protocol Version             2
Critical Recovery Delay          100
Critical EAPOL              Disabled

On Cat-1:
aaa new-model
Enter the above command to enable AAA services.
aaa authentication dot1x default group radius
Enter the above command to define the default 802.1X authentication
method list, which specifies the methods (here the RADIUS server group)
to be queried, in order, to authenticate a client.
radius-server host 192.168.1.2 key cisco
The above command defines the RADIUS server and the shared secret the
switch and server use to authenticate RADIUS messages to each other.
cisco satisfies the task, but a dictionary word is a poor shared secret in
production: anyone who captures a single RADIUS exchange can recover it
offline and then forge Access-Accept responses. Use a long random secret
per NAS, and confirm that the Message-Authenticator attribute, which
802.1X/EAP over RADIUS requires (RFC 3579), is present in the exchanges.


Advanced Switching
Task 5 (contd)
Cat-1(config)#interface f0/16
Cat-1(config-if)#dot1x port-control auto
                        ^
% Invalid input detected at '^' marker.

The command is rejected because port f0/16 is in dynamic (DTP) mode, and
802.1X is not available on ports whose switchport mode is dynamic. To fix
this and satisfy the task, configure f0/16 as an access port first:
Cat-1(config)#interface f0/16
Cat-1(config-if)#switchport mode access
Cat-1(config-if)#dot1x port-control auto
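The key in radius-server host 192.168.1.2 key cisco is what the switch uses to decide whether an Access-Accept really came from the ACS. The Python below, added here and not part of the original course material, builds a constructed Access-Request and Access-Accept, verifies the RFC 2865 Response Authenticator the way the switch does, and then recovers the shared secret from that single exchange with a small constructed word list, which is why "cisco" is acceptable only in this lab. The user name pc16, the NAS address 192.168.1.1, the Reply-Message attribute and the word list are all assumptions made for the example; User-Password hiding and the Message-Authenticator attribute are not modelled.

```python
"""How the RADIUS shared secret authenticates server responses, and why a
dictionary word is weak.  Added example (RFC 2865 Response Authenticator);
packets, user name, NAS address and word list are constructed, not captured."""
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 4, 18
WORDLIST = ["password", "admin", "cisco", "secret"]   # constructed mini dictionary


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """What the RADIUS server (the ACS) returns for a successful authentication."""
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, identifier, attrs, request_auth, secret)
    return build_packet(ACCESS_ACCEPT, identifier, auth, attrs)


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """The check the switch (NAS) performs before honouring a response."""
    if len(response) < 20 or response[1] != request[1]:   # must answer our request
        return False
    expected = response_authenticator(response[0], response[1], response[20:],
                                      request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def recover_secret(request: bytes, response: bytes, words: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: with one captured request/response pair, the
    shared secret is the only unknown input to the Response Authenticator."""
    for word in words:
        if verify_response(request, response, word.encode()):
            return word
    return None


def demo_exchange(secret: bytes = b"cisco") -> Tuple[bytes, bytes]:
    """Constructed Access-Request from the switch and Access-Accept from the ACS."""
    request_auth = os.urandom(16)   # the NAS picks a fresh random Request Authenticator
    req_attrs = attr(USER_NAME, b"pc16") + attr(NAS_IP_ADDRESS, bytes([192, 168, 1, 1]))
    request = build_packet(ACCESS_REQUEST, 7, request_auth, req_attrs)
    accept = build_access_accept(request, attr(REPLY_MESSAGE, b"ok"), secret)
    return request, accept


if __name__ == "__main__":
    req, acc = demo_exchange()
    print("Access-Accept verifies with 'cisco':", verify_response(req, acc, b"cisco"))
    print("secret recovered from word list:", recover_secret(req, acc, WORDLIST))
```

The attacker never needs to talk to the ACS: the Response Authenticator is an unkeyed MD5 over fields that are all visible on the wire plus the secret, so recovery is an offline guess-and-check whose cost is set entirely by the secret's entropy. Once the secret is known, an on-path attacker can mint a valid Access-Accept for any outstanding request, which is exactly the failure the switch's verification was meant to prevent.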


Advanced Switching
The port authorization state can be controlled as follows:
force-authorized: disables 802.1X on the port; the port is authorized
without any authentication and all traffic is allowed. This is the default.
force-unauthorized: the port remains in the unauthorized state and ignores
all attempts by the client to authenticate; no traffic other than EAPOL
is passed.
auto: enables 802.1X authentication. The port starts in the unauthorized
state, allowing only EAPOL frames until the client authenticates, and the
switch identifies each client by its MAC address.

To verify that it is enabled on a given port:
Cat-1#show dot1x interface f0/16
Dot1x Info for FastEthernet0/16
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO


THANK YOU
