This blog was originally started to better help me understand the technologies in the CCIE R&S blueprint; after completing the R&S track I have decided to transition the blog into a technology blog.

CCIE #29033

This blog will continue to include questions, troubleshooting scenarios, and references to existing and new technologies but will grow to include a variety of different platforms and technologies. Currently I have created over 185 questions/answers regarding the CCIE R&S track!! Note: answers are in the comment field or within the "Read More" section.

You can also follow me on Twitter @FE80CC1E


Showing posts with label Layer2. Show all posts

Sunday, January 22, 2012

Layer 2 Security Best Practices

Here are some recommendations from Cisco when it comes to securing layer 2:

  • STP - leverage Root Guard and BPDU Guard
  • Shut down unused ports
  • Leverage DHCP snooping and DAI (Dynamic ARP Inspection)
  • Disable unneeded services
  • Use port security to restrict the number of MAC addresses that a port can learn
  • Limit management access to a layer 2 switch
  • Use SNMPv3
  • Do not use the native VLAN to send user data. Create a dedicated native VLAN and do not add any ports to it.

This was not mentioned but I would also add PVLANs (Private VLANs) and VACLs where appropriate.
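As an added example (not from the post or from Cisco's documentation), here is what those recommendations might look like on a Cisco IOS access switch. The interface names, VLAN numbers, management subnet and SNMPv3 credentials are constructed placeholders; adjust them to your environment.

```cisco
! Constructed example, not from the post: VLANs, ports and addresses are placeholders
! DHCP snooping and Dynamic ARP Inspection on the user VLANs
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
! Dedicated native VLAN that carries no user data; no access port is placed in it
vlan 999
 name NATIVE-UNUSED
vlan 666
 name UNUSED-PARKING
!
! Uplink trunk: only required VLANs, DTP off, trusted for snooping/DAI.
! Root guard is not set here because this port faces the root bridge.
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 ip arp inspection trust
!
! User-facing access port: port security, DHCP rate limit, BPDU guard
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: shut down and parked in an unused VLAN
interface range GigabitEthernet1/0/10 - 20
 switchport mode access
 switchport access vlan 666
 shutdown
!
! Management access limited to the management subnet, SSH only, SNMPv3 authPriv
no ip http server
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
snmp-server group NETMGMT v3 priv
snmp-server user nms NETMGMT v3 auth sha <AUTH-PASSWORD> priv aes 128 <PRIV-PASSWORD>
```

Root guard belongs on the distribution-layer ports that face the access switches, so that no access switch can ever be elected root.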

Sunday, July 10, 2011

Best Practices Part 1 - Layer 2 Spanning-Tree

The topology depicted in the diagrams is used to help demonstrate data flow during failure and to provide discussion around best practices; it may not necessarily be configured as optimally as possible. I will provide examples in a series of blogs that will provide alternate technical solutions that follow best practice guidelines.

Figures (images not reproduced here): Topology; Normal Data Path Flow; Data Path Flow - Root Fail; Data Path Flow - Access Trunk Fail; Data Path Flow - Router Fail.

Spanning-Tree mode: Rapid-PVST (802.1w) or MST (802.1s). I will show more about load-balancing techniques leveraging each of these technologies in "Layer 2 Spanning-Tree Best Practices Part 2".

Deterministic blocked ports: in this example we know exactly which ports are going to be blocked by STP. All redundant connections to the secondary root bridge will be blocked. Cisco also recommends that you do not exceed an STP diameter of seven hops. Ensure that you hard-configure your root and secondary root bridges. Ensure that you only allow required VLANs over the trunks so that you are not running unnecessary STP instances.

Features to leverage include:

Access Layer
- portfast
- bpduguard
- disable DTP
- loopguard
- EtherChannel guard

Distribution Layer
- root and secondary root placement
- root guard
- disable DTP
- EtherChannel guard

Leverage EtherChannel to reduce the number of ports that need to transition from blocking to forwarding state when multiple links are in use.

EtherChannel Ports
- EtherChannel guard

Monday, May 9, 2011

Quick Notes - IRB - IEEE

BBBB must be able to connect to AAAA and vice versa. Layer 2 must be used on the hub, and AAAA/BBBB must leverage layer 3 ports on the directly connected interface.

Saturday, February 5, 2011

Quick Notes - Layer2 MISC

Layer2 MISC

Loop Guard - prevents alternate ports and root ports from becoming designated ports. If BPDUs are not received on a non-designated port then the port is moved into err-disabled state.
Global config - "spanning-tree loopguard default"

UDLD - Unidirectional Link Detection
- both sides need to be configured
- default setting is disabled on copper ports and enabled on fibre ports
- to enable on copper ports, interface config - "udld enable"

Root Guard
- the port that has root guard enabled ensures that if a superior BPDU is received the port is put into "root inconsistent state"
Interface config - "spanning-tree guard root"

BPDU Guard
- ensures that loops are not formed on ports that are enabled with portfast; if a BPDU is received the port is put into error-disabled state. There are two ways to enable BPDU Guard:
Global config - "spanning-tree portfast bpduguard default" - all ports that have portfast enabled will also have BPDU guard enabled
Interface config - "spanning-tree bpduguard enable"

BPDU Filter
- when enabled globally and a BPDU is received on a port that is enabled with portfast, the port loses its portfast status
Global config - "spanning-tree portfast bpdufilter default"
- when enabled on the interface the port stops sending and receiving BPDUs. This is dangerous as a loop can form
Interface config - "spanning-tree bpdufilter enable"
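The feature lists in the spanning-tree best-practices post above and the notes in this post describe what a well-protected configuration should contain; the following added example (my own, not code from the blog) audits a running-config for those items. It checks for global loop guard, portfast ports lacking BPDU guard (interface-level or via the global default), interface-level BPDU filter, unrestricted trunk VLAN lists, and DTP; it assumes that "disable DTP" is implemented with `switchport nonegotiate`. The sample config is constructed for the example.

```python
# Constructed sample running-config (not from the blog): one good port, two bad ones.
SAMPLE_CONFIG = """\
spanning-tree loopguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/23
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface name: set of its indented config lines}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current:
            interfaces[current].add(line.strip())
        else:
            current = None          # "!" or a global command ends the block
    return interfaces

def audit(config):
    """Return sorted (interface, finding) tuples for the checks described in the post."""
    top = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    findings = []
    if "spanning-tree loopguard default" not in top:
        findings.append(("global", "loop guard not enabled by default"))
    global_bpduguard = "spanning-tree portfast bpduguard default" in top
    for name, cmds in parse_interfaces(config).items():
        if "switchport nonegotiate" not in cmds:   # assumption: this is how DTP is disabled
            findings.append((name, "DTP not disabled (switchport nonegotiate missing)"))
        if ("spanning-tree portfast" in cmds and not global_bpduguard
                and "spanning-tree bpduguard enable" not in cmds):
            findings.append((name, "portfast without BPDU guard"))
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "interface-level BPDU filter: port stops sending/receiving BPDUs, loop risk"))
        if ("switchport mode trunk" in cmds
                and not any(c.startswith("switchport trunk allowed vlan") for c in cmds)):
            findings.append((name, "trunk allows all VLANs; restrict to required VLANs"))
    return sorted(findings)
```

Feed it the output of `show running-config` to get a list of ports that do not follow the guidelines; the sample flags five findings on Gi1/0/2 and Gi1/0/23 and none on Gi1/0/1.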

Thursday, May 27, 2010

Question 125

When would you use "pseudowire-class" command?

Question 124

What would you use the "bba-group" command for?

Wednesday, May 19, 2010

Question 116

What is VMPS?

Sunday, May 16, 2010

Question 107

What does "ip local-proxy-arp" accomplish?

Question 106

What command would you use to ensure a device responds to all ARP requests?

Wednesday, May 5, 2010

Question 73

Provide a bridging network example.

Sunday, April 25, 2010

Question 34

What protocol is an industry standard replacement of CDP?

Question 33

What is required when setting up a remote SPAN?
Provide an example using 3 switches.