Chapter 22 – Managing Switch Users

  • What does AAA mean?
    • Authentication: Who is the user?
    • Authorization: What is the user allowed to do?
    • Accounting: What did the user do?
  • On Cisco switches what protocols can communicate with AAA servers?
    • TACACS+: Cisco proprietary. Completely encrypted over TCP port 49.
    • RADIUS: Combines authentication and authorization into a single resource. Communicates over UDP 1812 and 1813, but is not completely encrypted.

Configuring Authentication

  • How can user authentication be handled?
    • Username / pass locally configured on the switch
    • One or more external RADIUS
    • One or more external TACACS+
  • How do you configure AAA?
    • Default: disabled
    • Enabling AAA:
      (global)# aaa new-model
    • Configure RADIUS / TACACS+ servers:
      (global)# radius-server host { HOSTNAME | IP } [key STRING]
      (global)# tacacs-server host { HOSTNAME | IP } [key STRING]
    • Define a list of authentication methods to try:
      (global)# aaa authentication login {default | LIST-NAME} METHOD1 METHOD2..
      • tacacs+
      • radius
      • local: The user’s credentials are compared against all the username commands configured on the local switch.
      • line: The line password authenticates any connected user. No usernames can be used.
    • Apply authentication method:
      (line)# login authentication { default | LIST-NAME}
    • After authentication is configured, it is a good idea to keep an existing session open in case authentication from another session fails.


Switch(config)# aaa new-model
Switch(config)# username lastresort password MySecretP@ssw0rd
Switch(config)# tacacs-server host key t@c@csk3y
Switch(config)# tacacs-server host key t@c@csk3y
Switch(config)# aaa group server tacacs+ myauthservers
Switch(config-sg)# server
Switch(config-sg)# server
Switch(config-sg)# exit
Switch(config)# aaa authentication login myauth group myauthservers local
Switch(config)# line vty 0 15
Switch(config-line)# login authentication myauth

Configuring Authorization

  • How do you configure authorization?
    • (global)# aaa authorization { commands | config-commands | configuration | exec | network | reverse-access } { default | LIST-NAME} METHOD1 METHOD2
      • commands: Permission to use any switch command at any privilege level.
      • config-commands: Permission to use any switch configuration command
      • configuration: Permission to enter the switch configuration mode.
      • exec: Return permission for the user to run a switch EXEC session.
      • network: Permission to use network-related services.
      • reverse-access: Permission to access a reverse Telnet session on the switch.
    • You can also configure a list-name when you are configuring more than one list:
      • group GROUP-NAME:
      • group {radius | tacacs+}
      • if-authenticated: Requests are granted if the user already is authenticated.
      • none: No external authorization is used; every user is authorized successfully.
    • Next you need to apply the authorization method list:
      (line)# authorization { commands LEVEL | exec | reverse-access} { default | LIST-NAME}
      • If no authorization is applied on a line, the default group is used for it.
    • You can apply the authorization for all lines:
      (global)# aaa authorization exec default group myauthservers none

Configuring Accounting

  • How do you configure accounting?
    • First define a method list:
      (global)# aaa accounting { system | exec | commands LEVEL} { default | LIST-NAME } { start-stop | stop-only | wait-start | none } METHOD1 METHOD2
      • system: Major switch events such as a reload are recorded
      • exec: User authentication into an EXEC session is recorded, along with information about the user’s address and time and duration of the session.
      • commands LEVEL: Any command running at a specific privilege level is recorded along with the username.
      • start-stop: Events are recorded when they start and when they stop.
      • stop-only: Events are recorded when they stop.
      • none: No events recorded.
    • Then apply the method list:
      (line)# accounting {commands LEVEL | connection | exec} { default | LIST-NAME}

Chapter 21 – Preventing Spoofing Attacks

DHCP Snooping

  • How does DHCP Snooping work?
    • The switch ports are categorized into trusted and untrusted.
    • Legitimate DHCP servers can be found on the trusted ports
    • All other hosts are behind untrusted ports
  • What kind of traffic is discarded by DHCP Snooping?
    • DHCP replies from untrusted ports
    • In addition, the offending switch port automatically goes to errdisable state
  • How do you configure DHCP snooping?
    • (global)# ip dhcp snooping
      (global)# ip dhcp snooping vlan VLAN-ID
      (interface)# ip dhcp snooping trust

      Default: all switchports are untrusted

  • How can you check DHCP snooping’s database?
    • (global)#  show ip dhcp snooping [binding]

IP Source Guard

  • What is an example use of spoofed IP addresses?
    • denial-of-service attack
    • man in the middle
  • What is the purpose of IP Source Guard?
    • It protects against attackers using “borrowed” IP addresses from the valid subnet
  • How does IP Source Guard know which IP address + MAC pairs are valid?
    • It uses DHCP snooping’s database
    • also uses static mapping
  • How do you configure IP Source Guard?
    • (interface)# ip verify source [port-security]
    • You can configure IP source binding statically:
    • (global)# ip source binding MAC vlan VLAN-ID IP-ADDRESS interface INTERFACE
  • How do you verify IP source guard?
    • show ip verify source [interface INTERFACE]

Dynamic ARP Inspection (DAI)

  • What is ARP poisoning?
    • When an ARP request is sent in an L2 segment, the attacker can respond to it with its own MAC address. This is an opportunity for a man-in-the-middle attack.
  • How does Dynamic ARP inspection work?
    • The switch listens to ARP packets only on untrusted ports. When an ARP reply is received, it compares the MAC/IP to the DHCP Snooping database. If the values do not match, the switch will generate a log message.
    • DHCP Snooping must be enabled!
  • How do you configure Dynamic ARP Inspection?
    • (global)# ip arp inspection vlan VLAN-RANGE
      (interface)# ip arp inspection trust
    • Static MAC-IP binding:
      (global)# arp access-list ACL
      (acl)# permit ip host SENDER-IP mac host SENDER-MAC
      (global)# ip arp inspection filter ARP-ACL-NAME vlan VLAN-RANGE
  • What is DAI validation? How do you configure it?
    • It validates that an ARP reply packet is really coming from the address listed inside it:
      (global)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
    • Options:
      • src-mac: Check the source MAC address in the Ethernet header against the sender MAC address in the ARP reply
      • dst-mac: Check the destination MAC
      • ip: Check the sender’s IP address in all ARP requests; check the sender’s IP address against the target IP address in all ARP replies.
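The DAI decision described above, written out as an added example that is not part of the original notes. It covers the trusted-port bypass, the src-mac and dst-mac validation options, the static ARP ACL and the DHCP snooping binding lookup; all addresses, port names and the `inspect_arp` helper are constructed for illustration, and the match is simplified to IP, MAC and VLAN.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table (fields used by the check)."""
    mac: str
    ip: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    eth_src: str      # source MAC in the Ethernet header
    eth_dst: str      # destination MAC in the Ethernet header
    opcode: str       # "request" or "reply"
    sender_mac: str   # sender hardware address in the ARP body
    sender_ip: str
    target_mac: str
    target_ip: str
    vlan: int
    interface: str    # switch port the frame arrived on


def norm(mac):
    """Reduce any MAC notation (dots, colons, dashes) to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def inspect_arp(pkt, trusted_ports, bindings, arp_acl=(), validate=()):
    """Return (permitted, reason) for one ARP packet.

    validate is any subset of {"src-mac", "dst-mac"}, mirroring
    'ip arp inspection validate'. arp_acl holds (ip, mac) permit entries.
    """
    if pkt.interface in trusted_ports:
        return True, "trusted port, not inspected"
    if "src-mac" in validate and norm(pkt.eth_src) != norm(pkt.sender_mac):
        return False, "src-mac: Ethernet source differs from ARP sender MAC"
    if ("dst-mac" in validate and pkt.opcode == "reply"
            and norm(pkt.eth_dst) != norm(pkt.target_mac)):
        return False, "dst-mac: Ethernet destination differs from ARP target MAC"
    sender = (pkt.sender_ip, norm(pkt.sender_mac))
    if sender in {(ip, norm(mac)) for ip, mac in arp_acl}:
        return True, "permitted by static ARP ACL"
    for b in bindings:
        if (b.ip, norm(b.mac), b.vlan) == (sender[0], sender[1], pkt.vlan):
            return True, "matches DHCP snooping binding"
    return False, "no binding for sender IP/MAC in this VLAN"


# Constructed sample data (documentation addresses, made-up MACs and ports).
GATEWAY_MAC = "0011.2233.4401"
BINDINGS = [
    Binding("0006.5b02.a841", "192.0.2.10", 10),
    Binding("0006.5b02.a842", "192.0.2.11", 10),
]
ARP_ACL = [("192.0.2.1", GATEWAY_MAC)]   # gateway has a static address
TRUSTED = {"Gi0/24"}                     # uplink toward the gateway

# Host .10 answering the gateway: sender pair is in the binding table.
LEGIT_REPLY = ArpPacket("0006.5b02.a841", GATEWAY_MAC, "reply",
                        "0006.5b02.a841", "192.0.2.10",
                        GATEWAY_MAC, "192.0.2.1", 10, "Gi0/1")
# Host .11 claiming the gateway's IP with its own MAC: no binding, no ACL entry.
SPOOFED_GATEWAY = ArpPacket("0006.5b02.a842", "ffff.ffff.ffff", "reply",
                            "0006.5b02.a842", "192.0.2.1",
                            "ffff.ffff.ffff", "192.0.2.10", 10, "Gi0/2")
# ARP body copies a valid pair, but the Ethernet header shows another source.
MISMATCHED_HEADER = ArpPacket("0006.5b02.a842", GATEWAY_MAC, "reply",
                              "0006.5b02.a841", "192.0.2.10",
                              GATEWAY_MAC, "192.0.2.1", 10, "Gi0/2")

if __name__ == "__main__":
    for name, pkt, opts in [
        ("legit reply", LEGIT_REPLY, ()),
        ("spoofed gateway", SPOOFED_GATEWAY, ()),
        ("mismatched header, no validate", MISMATCHED_HEADER, ()),
        ("mismatched header, src-mac", MISMATCHED_HEADER, ("src-mac",)),
    ]:
        print(name, "->", inspect_arp(pkt, TRUSTED, BINDINGS, ARP_ACL, opts))
```

The mismatched-header packet passes the binding lookup on its own, which is the case the src-mac validation option exists to catch.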

Chapter 20 – Securing VLANs

VLAN Access Lists

  • What is VLAN ACL used for?
    • VLAN access-lists (VACL) are used to filter traffic within the VLAN.
  • How do you configure a VACL?
    • (global)# vlan access-map MAP-NAME [SEQUENCE]
      (vacl)# match ip address { ACL-NUM | ACL-NAME }
      (vacl)# match mac address ACL-NAME
      (vacl)# action { drop | forward [capture] | redirect INTERFACE }
      (global)# vlan filter MAP-NAME vlan-list VLAN-LIST
    • Example:
      (global)# access-list 100 permit ip any host
      (global)# vlan access-map BLOCK-TO-SERVER 10
      (VACL)# match ip address 100
      (VACL)# action drop
      (VACL)# exit
      (global)# vlan access-map BLOCK-TO-SERVER 20
      (VACL)# action forward
      (VACL)# exit
      (global)# vlan filter BLOCK-TO-SERVER vlan-list 10

      This will block traffic to in VLAN 10.

Private VLANs

  • How do Private VLANs work?
    • A primary VLAN is associated with multiple secondary VLANs
    • The primary VLAN contains ports and/or devices that any of the secondary VLANs can access
  • What types of Secondary VLAN exist?
    • Isolated: hosts can only communicate with ports in the primary VLAN
    • Community: hosts can communicate with ports in the primary VLAN as well as any other devices in the same VLAN
  • What port modes exist?
    • Promiscuous: This port type is used on gateway devices. It ignores Private VLANs, so it can communicate with any primary or secondary VLAN.
    • Host:
  • How does VTP advertise Private VLANs?
    • It cannot advertise it.
  • Which VLAN can use Private VLANs?
    • All VLANs except VLAN 1


  • How do you configure a Private VLAN?
    • Disable or switch VTP to transparent mode!
      (global)# vtp mode transparent 
    • First configure the secondary VLANs and their modes (isolated/community):
    • (global)# vlan VLAN-ID
      (vlan)# private-vlan {isolated | community}

      Then configure the primary VLAN:

      (config)# vlan VLAN-ID
      (vlan)# private-vlan primary
      (vlan)# private-vlan association {SECONDARY-VLAN-LIST | add SECONDARY-VLAN-LIST | remove SECONDARY-VLAN-LIST }
    • When the VLANs are prepared you need to associate the ports to VLANs. First host ports:
      (interface)# switchport mode private-vlan {host | promiscuous}
      (interface)# switchport private-vlan host-association PRIMARY-VLAN SECONDARY-VLANS
    • Then promiscuous port(s):
      (interface)# switchport mode private-vlan {host | promiscuous}
      (interface)# switchport private-vlan mapping PRIMARY-VLAN SECONDARY-VLAN | {add SECONDARY-VLAN} | {remove SECONDARY-VLAN}
  • How can you configure a SVI as promiscuous port?
    • You do not need to specify the primary vlan in the …mapping command:
      (global)# interface vlan VLAN-ID
      (interface)# private-vlan mapping SECONDARY-VLANS





NOTE: All hosts can communicate with the promiscuous port and what's behind it.






Securing VLAN Trunks

  • What is the security flaw of a default switchport? What is the solution?
    • DTP can negotiate a trunk with the other side, and by default a trunk allows all VLANs through. A normal user would use the native VLAN; however, a malicious user could use VLANs that connect to servers or other sensitive parts of the network.
    • Use static configuration like “switchport access vlan VLAN”


  • What is VLAN hopping?
    • [Figure: VLAN hopping]
  • How could you prevent such attack?
    • Set the native VLAN of a trunk to an unused VLAN ID
    • or do not use native VLANs
      (global)# vlan dot1q tag native

Chapter 19 – Securing Switch Access

Port Security

  • How do you enable port security on a switchport?
    • (interface)# switchport port-security
  • What happens when you enable port security on a trunk port?
    • The IOS will reject the command.
    • Port Security can be applied only on Access Ports.
    • NOTICE: By default all switchports are trunks!

Default Switchport:

Switch3#sho int gi0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL


Switchport configured with “switchport mode access”:

Switch3#sho int gi0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
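
The difference between the two outputs above can be checked across a whole switch. The following is an added example, not part of the original notes: it parses `show interfaces switchport` text and flags ports still in the default DTP state described under Securing VLAN Trunks. The sample text is constructed (Gi0/2 abbreviated from the output above, Gi0/3 made up), and the `parse_switchport` and `audit_port` helpers are hypothetical names.

```python
import re

# Constructed sample: Gi0/2 is abbreviated from the default output above,
# Gi0/3 is a made-up port after "switchport mode access".
SAMPLE = """\
Switch3#sho int switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Capture Mode Disabled

Name: Gi0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Negotiation of Trunking: Off
Access Mode VLAN: 10 (USERS)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Capture Mode Disabled
"""


def parse_switchport(text):
    """Split 'show interfaces switchport' output into one dict per port."""
    ports, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:                      # prompt lines, blanks, "Capture Mode Disabled"
            continue
        key, value = key.strip(), value.strip()
        if key == "Name":                # every port section starts with "Name:"
            current = {"Name": value}
            ports.append(current)
        elif current is not None:
            current[key] = value
    return ports


def vlan_id(value):
    """Extract the numeric VLAN from values such as '1 (default)'."""
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None


def audit_port(port):
    """Return a list of findings for one parsed port (empty list = clean)."""
    findings = []
    mode = port.get("Administrative Mode", "")
    if mode.startswith("dynamic"):
        findings.append(f"administrative mode '{mode}': DTP may form a trunk; "
                        "use 'switchport mode access' on user ports")
    if port.get("Negotiation of Trunking") == "On":
        findings.append("trunk negotiation is on")
    if mode != "static access":
        # Trunk-related settings only matter if the port can become a trunk.
        if vlan_id(port.get("Trunking Native Mode VLAN")) == 1:
            findings.append("native VLAN is 1; move it to an unused VLAN ID")
        if port.get("Trunking VLANs Enabled") == "ALL":
            findings.append("all VLANs allowed if the port trunks")
    return findings


def audit(text):
    """Map port name -> findings for every port in the output."""
    return {p["Name"]: audit_port(p) for p in parse_switchport(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```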
  • How many MAC addresses does Port Security allow by default? How can you modify this value?
    • Default: 1
    • (interface)# switchport port-security maximum MAXIMUM-NUM
    • Learned addresses can age out from the CAM table, if the hosts do not transmit traffic for a period of time. Default: no aging
  • How can a switchport dynamically learn the MAC addresses?
    • Default: enabled
    • (interface)# switchport port-security mac-address sticky
  • How can you statically add MAC addresses to a switchport?
    • (interface)# switchport port-security mac-address MAC
    • Example format: 0006.5b02.a841
  • What happens if fewer than the maximum allowed MAC addresses are configured statically?
    • The rest are learned dynamically
  • What actions exist for port security violations?
    • Shutdown: The port immediately is put into errdisable state.
    • Restrict: The port stays up, but traffic from violating MAC is blocked. Syslog message alert regarding the violation + SNMP trap can be sent.
    • Protect: The port stays up, traffic from violating MAC is blocked, no record of the violation is kept.
  • How can you choose the Violation Mode?
    • Default: shutdown (errdisabled)
    • (interface)# switchport port-security violation { shutdown | restrict | protect }


Port-Based Authentication

  • How does Port-Based authentication work?
    • It uses the 802.1X standard, also known as EAPOL (Extensible Authentication Protocol over LAN)
      • 802.1X begins in unauthorized state
      • The switch or client can initiate the 802.1X session
      • Authorization lasts until the client logs out or the switch times out the user.
  • What is the prerequisite of port-based authentication?
    • Both the switch and the client must support the 802.1X standard.
    • Client supports 802.1X but the switch does not: The client will communicate normally
    • Switch supports 802.1X but the client does not: The switchport remains in the unauthorized state, so it will not forward any traffic
  • How do you configure 802.1X?
    • (global)# aaa new-model 
      (global)# radius-server host {HOSTNAME | IP } [key STRING]
      (global)# aaa authentication dot1x default group radius
      (global)# dot1x system-auth-control
      (interface)# dot1x port-control {force-authorized | force-unauthorized | auto }
      (interface)# dot1x host-mode multi-host
    • port-control:
      • force-authorized: The port is forced to always authorize any connected client. No authentication necessary. This is default.
      • force-unauthorized: The port is forced to never authorize any connected client. As a result, the port cannot move to the authorized state to pass traffic to a connected client.
      • auto: The port uses an 802.1X exchange to move from the unauthorized to the authorized state, if successful. This requires an 802.1X-capable application on the client PC.
    • host-mode multi-host: This needs to be used if the switch expects to find multiple hosts present on the port.


SW1(global)# aaa new-model 
SW1(global)# radius-server host key Cisco
SW1(global)# aaa authentication dot1x default group radius
SW1(global)# dot1x system-auth-control 
SW1(global)# interface Gi0/1
SW1(interface)# switchport mode access
SW1(interface)# switchport access vlan 10
SW1(interface)# dot1x port-control auto


Using Storm Control

  • What is Storm Control and how does it work?
    • Storm Control can limit the amount of broadcast/multicast/unknown unicast frames on a switch’s interface (inbound).
    • You configure the threshold and an action when the threshold is exceeded.
  • How do you configure Storm Control?
    • (interface)# storm-control {broadcast | multicast | unicast} level { LEVEL [LEVEL-LOW] | bps BPS [BPS-LOW] | pps PPS [PPS-LOW] }
    • Notice: unicast means unknown unicast
    • level { LEVEL [LEVEL-LOW] } : The threshold is set to a percentage of the interface bandwidth. Range: 0.00 – 100.00
    • Storm Control takes action when traffic reaches the first value and stops the action when traffic falls below it.
  • What is the default action when traffic exceeds the Storm Control threshold? What additional actions can you configure? How?
    • It drops the frames
    • (interface)# storm-control action {shutdown | trap}
  • How do you verify storm control?
    • show storm-control INTERFACE

Storm Control example:

(interface)# storm-control broadcast level 50
(interface)# storm-control multicast level pps 50k
(interface)# storm-control unicast level 20 10

Broadcast: When broadcast frames exceed 50 percent of the interface bandwidth they will be dropped.

Multicast: When the rate of multicast frames exceeds 50,000 packets per second, they will be dropped.

Unknown Unicast: When the volume of unknown unicast frames rises above 20 percent and then stays above 10 percent of the interface bandwidth, they will be dropped. 


Best Practices for Securing Switches

  • Secure password:
    • enable secret instead of enable password
    • use AAA
    • service password-encryption
  • System banners:
    • banner motd  (displayed to authenticated users)
    • banner exec
    • banner login (display when ssh/telnet session opens, but not yet authenticated)
  • Secure the web interface:
    • If you don’t manage the switches via WEB interface disable it:
    • no ip http server
    • Otherwise:
      • use https: ip http secure-server
      • use ACL: ip http access-class ACL
  • Configure authentication on console line
  • Secure VTY
  • SSH instead of Telnet
    • ip ssh version 2
  • Secure SNMP access
    • snmp-server community STRING ro
  • Secure unused switch ports
    • shutdown
    • switchport mode access
  • Secure STP operation
    • spanning-tree portfast bpduguard default
  • Limit CDP / LLDP
    • CDP / LLDP should be enabled only on trusted ports
    • Turn off CDP (enabled by default): no cdp enable


Chapter 18 – Layer 3 High Availability

Packet-Forwarding Review

  • What is the purpose of FHRPs?
    • First Hop Redundancy Protocols are meant to prevent a LAN being separated from the network. It gives the gateway (router) hops high availability.
  • What is proxy ARP?
    • Let’s say HostA tries to send traffic to HostB, and HostB is in another subnet. HostA might still generate an ARP request for the off-net destination, hoping that someone will answer. Obviously HostB cannot answer; however, the router can send a reply to the ARP request using its own MAC address. After this, HostA will forward its traffic to the router, because it thinks that is the MAC of HostB.
      This is called a proxy ARP.

Hot Standby Router Protocol

  • How does HSRP work?
    • Cisco proprietary  
    • Basically, each of the routers that provides redundancy for a given gateway address is assigned to a common HSRP group. One router is elected as the primary, or active, HSRP router; another is elected as the standby HSRP router; and all the others remain in the listen HSRP state. The routers exchange HSRP hello messages at regular intervals so that they can remain aware of each other’s existence and that of the active router.
  • How can you recognize the well known HSRP MAC?
    • It has the following convention: 0000.0C07.ACxx
    • The last 2 characters represent the Group ID.
  • What is the HSRP group ID range?
    • 0 – 255
  • How many HSRP groups are supported by Catalyst switches?
    • 16
  • What happens if you use the same HSRP group in VLAN10 and VLAN11?
    • Both HSRP groups will work, as HSRP groups are locally significant.
  • How do you configure HSRP virtual IP?
    • (interface)# standby GROUP ip IP-ADDRESS secondary IP-ADDRESS
  • How does HSRP elect the active router?
    • Using priority, the higher the better
    • Default: 100   Available range: 0 – 255
  • How do you configure HSRP priority?
    • (interface)# standby GROUP priority PRIORITY
  • What if the HSRP priorities are the same?
    • The highest interface IP is the tiebreaker
  • What states does HSRP have when activating on an interface?
    • Disabled
    • Init
    • Listen
    • Speak
    • Standby
    • Active
  • Which HSRP states listen to hellos?
    • Only the Standby HSRP routers listen to Hello packets.
  • How often are the Hellos sent and what is the Hold-Time?
    • Hello Default: 3 sec
    • Hold Time default: 10 sec
  • What happens when the active HSRP member goes down?
    • The Standby will take its place and the HSRP member in Listen state (the one with the 3rd highest priority/IP) will switch into Standby state.
  • How do you configure HSRP timers?
    • (interface)# standby GROUP timers [msec] HELLO-TIME [msec] HOLD-TIME
  • What is preempt function?
    • This means a HSRP member can take over the Active role any time if its priority is higher than the actual Active device’s priority.
    • Default: preempt is disabled
  • How do you configure preempt?
    • (interface)# standby GROUP preempt [delay [minimum SEC] [reload SEC]]
    • delay: Wait X seconds before taking over. (Prevent flapping interfaces being Active HSRP members)
    • reload:  Wait X seconds after device restart. (Gives time for routing protocols to populate the routing table.)
  • What authentication methods does HSRP have?
    • plain text
    • MD5
  • How do you configure plain text authentication? What is the purpose?
    • It prevents HSRP devices with default configuration from joining the HSRP group.
    • (interface)# standby GROUP authentication STRING
  • How do you configure MD5 authentication (2 methods)?
    • Method 1:
    • (interface)# standby GROUP authentication md5 key-string [ 0 | 7 ] STRING
    • Method 2:
    • (global)# key chain CHAIN-NAME
      (keychain)# key KEY-NUMBER
      (keychain)# key-string [ 0 | 7 ] STRING
      (interface)# standby GROUP authentication md5 key-chain CHAIN-NAME
  • How can you dynamically decrease priority?
    • (interface)# standby GROUP track NUMBER [ decrement VALUE | shutdown ]
    • Preempt needs to be enabled on the other device.
  • How can you perform load-balancing with HSRP?
    • You have to use 2 HSRP groups. One group is active on one switch, the other is active on the other switch.

Virtual Router Redundancy Protocol

  • What is VRRP?
    • VRRP is the standards-based alternative of HSRP
  • What are the active/passive routers called in VRRP?
    • Active = Master
    • Passive = Backup
  • What is the default VRRP priority?
    • Same as HSRP.
      Default: 100 Available range: 1 – 254
  • What is the well-known Virtual MAC of VRRP?
    • 0000.5e00.01xx
    • xx = group number
  • What are the default VRRP timers?
    • Advertisements: 1 sec
  • How do you configure VRRP?
    • (interface)# vrrp GROUP ip IP-ADDRESS
      (interface)# vrrp GROUP priority NUMBER  << optional
  • How do you configure preempt in VRRP?
    • Default: Enabled
    • (interface)# vrrp GROUP preempt
  • How do you verify VRRP ?
    • (global)# show vrrp

Gateway Load Balancing Protocol

  • What is the purpose of GLBP?
    • Cisco Proprietary 
    • It’s an FHRP like HSRP and VRRP, but it can use load balancing more effectively.
  • What is the difference between HSRP/VRRP and GLBP load balancing methods? How does it work?
    • In the case of GLBP the LAN devices can use a single gateway IP.
    • When a client sends an ARP request for the (virtual) gateway address, GLBP will reply with the MAC of one of the GLBP members. For the second ARP request it will send the other GLBP member’s MAC address.
    • As a result, clients will have the same default gateway IP but different MAC addresses.
  • What is AVG?
    • Active Virtual Gateway
    • The GLBP member with the highest priority / interface IP will answer to all ARP requests.
  • What is an AVF?
    • Active Virtual Forwarder
    • Those GLBP members that are participating in the traffic forwarding.
  • What is the difference between HSRP/VRRP priority and GLBP priority?
    • GLBP priority doesn’t decide who will forward the traffic.
    • It only decides who will be the AVG.
  • How many AVFs can be in a GLBP group? What happens if there are more?
    • max 4
    • The rest of the GLBP members are going to serve as backup
  • What are the default GLBP timers?
    • Hello: 3 sec
    • Hold time: 10 sec
    • If you configure the timers on the AVG, it will advertise it to the AVFs.
  • What happens when an AVG stops receiving Hellos from an AVF?
    • The AVG will assign the AVF role to another router.
  • How do you configure GLBP ?
    • (interface)# glbp GROUP priority NUMBER
      (interface)# glbp GROUP preempt [delay minimum SEC]
      (interface)# glbp GROUP timers [msec] HELLOTIME [msec] HOLDTIME
  • How does the weight function work?
    • All AVF routers have the maximum weight at the beginning (1 – 254).
      When an interface goes down the weight will be decreased. When the weight hits a threshold the router will lose the AVF role.
  • How do you configure the weight?
    • Default: 100
    • (interface)# glbp GROUP weighting MAXIMUM [lower NUMBER] [upper NUMBER]
      (interface)# glbp GROUP weighting track OBJECT-NUM [decrement VALUE]
  • What load balancing methods does GLBP have?
    • Round robin: Default. Each new ARP request for the virtual router IP receives the next available virtual MAC.
    • Weighted: The GLBP group interface’s weighting value determines the proportion of traffic that should be sent to that AVF.
    • Host dependent: Once a client receives an AVF MAC, it will receive the same MAC on later requests too.
  • How do you configure GLBP load balancing?
    • (interface)# glbp GROUP load-balancing [ round-robin | weighted | host-dependent]
  • How do you verify GLBP ?
    • (global)# show glbp brief

GLBP Example


The routers have basic GLBP config:

glbp 1 ip

R1 has the following output:

R1#sho glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   100 Active       local 
Fa0/0       1    1   -   Active   0007.b400.0101  local           -
Fa0/0       1    2   -   Listen   0007.b400.0102        -
Fa0/0       1    3   -   Listen   0007.b400.0103        -
Fa0/0       1    4   -   Listen   0007.b400.0104        -



Chapter 17 – Understanding High Availability

Increasing redundancy with Multi-Chassis EtherChannel. As this is only one Etherchannel, STP will keep it up.


The same setup in a full network:



  • What is StackWise and StackWise Plus?
    • This technology enables separate physical switches to act as a single logical switch.
    • Cisco Catalyst 3750-E, 3750-X, 3850
  • How can you stack switches?
    • You must use a special-purpose cable to connect the switches. The switches are connected in a daisy-chain fashion, one switch to the next, and one final connection connects the chain into a closed loop.
  • What is the advantage of the closed loop?
    • Switches can be added / removed without breaking the connection.
  • How many switches can be stacked?
    • 9 switches



  • What is Virtual Switching System and how does it differ from StackWise switches?
    • Some switches can contain multiple switching modules. The chassis contains a supervisor module that handles the routing / forwarding tables (supervisor module can be redundant).
    • With VSS you can configure 2 identical switches to work together as one logical switch: VSS pair.
    • Cisco 4500R, 6500, 8500

Supervisor and Route Processor Redundancy

  • What operation modes can the redundant supervision engines have?
    • Route processor redundancy (RPR): The standby supervisor is only partially booted and initialized. When the active module fails it needs to reload every other module. Links will be dropped (down) during the failover.
      Failover time: > 2 min
    • Route processor redundancy plus (RPR+): The standby supervisor engine is booted, but no L2 or L3 functions are started. When the active engine fails, it does not need to reload the other switch modules. Links will stay up during the failover.
      Failover time: > 30 sec
    • Stateful SwitchOver (SSO): The standby supervisor engine is fully booted, with L2 information maintained on both engines so hardware switching can continue during a failover.
      Failover time: > 1 sec




  • How do you configure supervisor redundancy?
    • (global)# redundancy
      (redundancy)# mode { rpr | rpr-plus | sso }
    • First time you need to implement the config on both devices.
      When the redundancy mode is enabled, you only need to configure on the Active engine. It will synchronize with the standby engine.
  • How can you specify what the supervisor engines should synchronize?
    • (global)# redundancy
      (redundancy)# main-cpu
      (main-cpu)# auto-sync { startup-config | config-register | bootvar }
    • You need to use auto-sync multiple times if you want to configure more than 1 parameter.
    • Default sync: config-register, startup-config
  • How can you verify redundancy modes?
    • (global)# show redundancy states
    • “STANDBY HOT” means the standby device has initialized as far as the redundancy mode allows.



  • What is NSF? In which Supervisor Redundancy Mode do we use it? What does it do?
    • Nonstop Forwarding
    • By default SSO (Stateful SwitchOver) needs to rebuild the Routing Information Base (RIB) to create the Forwarding Information Base (FIB). Instead of waiting for the configured L3 routing protocols to converge and rebuild the FIB, NSF can be used.
    • It is a Cisco proprietary function that is built into some routing protocols.







Chapter 16 – Using Port Mirroring to Monitor Traffic

  • What is the purpose of SPAN?
    • Switched Port Analyzer mirrors traffic from one source port or VLAN to a destination port.
    • When packets arrive on the source port, they are specially marked so they can be copied to the SPAN destination port.
  • What forms does SPAN have?
    • Local SPAN: Both the source and destination ports are located on the same switch.
    • Remote SPAN (RSPAN): The source and destination ports are located on different switches. The mirrored traffic is copied over a special-purpose VLAN across trunks between switches from the source to the destination.
  • How does SPAN handle trunk interfaces as source?
    • It can copy all traffic from all VLANs to the destination port or
    • you can configure a VLAN filter to the SPAN source, this way limiting the VLANs that will be monitored.
  • How does SPAN handle EtherChannels as source?
    • If you use the PortChannel interface as source, then all the traffic passing through the EtherChannel will be copied
    • If you specify a physical interface (member of the EtherChannel), then only the traffic of that interface will be copied to the destination port
  • How does SPAN handle VLANs as source?
    • If you specify a VLAN as SPAN source, then all the traffic passing through the ports that are members of the VLAN is going to be copied to the destination port.
  • What happens when the source and destination ports have different speeds?
    • The copied traffic is going through the destination port’s egress queue. If congestion happens and the queue is full, then packets are going to be dropped.
  • What kind of traffic is copied from source interface to destination?
    • Normally all kinds except L2 protocol data like STP, CDP, PAgP, etc.
  • What happens with the traffic that is sent to the SPAN destination interface?
    • All packets are dropped.
      One-way traffic is sufficient for network analysis.
  • How will STP act on a SPAN destination port?
    • STP is going to be disabled.


Local SPAN configuration

  • How do you configure a SPAN interface?
    • First configure the source:
    • (global)# monitor session SESSION-NUMBER source {interface INT-NAME | vlan VLAN-ID} [rx | tx | both]
      • The session number must be UNIQUE.
      • You need to use a physical interface or VLAN as source (no SVI).
    • Then configure the destination:
      (global)# monitor session SESSION-NUMBER destination interface INTERFACE-NAME [encapsulation replicate]
      • The session number must be the same as the source session number.
      • encapsulation replicate: With this parameter SPAN will copy L2 protocol packets and VLAN tagging information too.
  • How can you enable ingress traffic for a SPAN destination port?
    • (global)# monitor session SESSION-NUMBER destination ingress {dot1q vlan VLANID | isl | untagged vlan VLANID}
    • You must specify how the ingress traffic should be handled.
  • How can you configure SPAN source for a specific VLAN of a trunk port?
    • (global)# monitor session SESSION-NUMBER filter vlan VLAN-RANGE
    • You specify the VLANs of interest in the VLAN-RANGE parameter.


Remote SPAN

  • What is the difference between the SPAN and RSPAN mechanisms?
    • RSPAN uses a special VLAN to transport the mirrored traffic to the destination port. The destination port is NOT on the local switch.
    • MAC address learning is disabled on the RSPAN VLAN, to prevent the intermediate switches from responding to the mirrored packets.
    • The RSPAN VLAN will flood the traffic out on all ports that belong to the RSPAN VLAN.
  • What is the relation of RSPAN and STP?
    • The RSPAN VLAN must have STP enabled to avoid bridging loops. This means RSPAN cannot mirror BPDUs.

RSPAN configuration

  • How do you configure an RSPAN VLAN?
    • You need to create this VLAN on all intermediate switches.
    • VTP can also propagate this VLAN.
    • (global)# vlan VLAN-ID
      (vlan)# remote-span
  • How do you configure RSPAN?
    • Configuration on the source switch:
    • (global)# monitor session SESSION-NUMBER source {interface INTERFACE-NAME | vlan VLANID} [rx | tx | both]
      (global)# monitor session SESSION-NUMBER destination remote vlan RSPAN-VLAN-ID
    • Configuration on the destination switch:
    • (global)# monitor session SESSION-NUMBER source remote vlan RSPAN-VLAN-ID
      (global)# monitor session SESSION-NUMBER destination interface INTERFACE
  • How do you delete a SPAN session?
    • You can use the session ID to delete a whole SPAN session:
    • (global)# no monitor session SESSION-ID


  • How do you verify a SPAN session?
    • (global)# show monitor


Example RSPAN config:


Switch_A(config)# vlan 99
Switch_A(config-vlan)# remote-span
Switch_A(config-vlan)# exit
Switch_A(config)# monitor session 1 source interface gigabitethernet 1/0/1 both
Switch_A(config)# monitor session 1 destination remote vlan 99

Switch_B(config)# vlan 99
Switch_B(config-vlan)# remote-span
Switch_B(config-vlan)# exit

Switch_C(config)# vlan 99
Switch_C(config-vlan)# remote-span
Switch_C(config-vlan)# exit
Switch_C(config)# monitor session 1 source remote vlan 99
Switch_C(config)# monitor session 1 destination interface gigabitethernet 1/0/48

Chapter 15 – Monitoring Performance with IP SLA

  • What is the purpose of IP SLA?
    • It gathers realistic information about how specific types of traffic are being handled end to end across a network.
    • IP SLA sends a packet to the destination and, when it receives the reply, it gathers data about what happened along the way.
  • What kind of IP SLA test operations do you know of?
    • [Image: ip-sla-operations.PNG]
  • What is the IP SLA target device called? What is its job?
    • IP SLA responder.
    • Its role is to reply to any incoming IP SLA packets
  • Specify some useful IP SLA features!
    • IP SLA can generate SNMP traps when certain test thresholds are exceeded
    • Other IP SLA measurements can be started when a threshold is crossed
    • FHRP can be triggered by IP SLA


  • How do you enable an IP SLA responder?
    • default: disabled
    • (global)# ip sla responder
  • How can you secure an IP SLA operation?
    • (global)# key chain CHAIN-NAME
      (keychain)# key NUMBER
      (keychain)# key-string STRING
      (global)# ip sla key-chain CHAIN-NAME
  • How do you configure an IP SLA operation?
    • (global)# ip sla OPERATION-NUMBER
      (ip-sla)# { dhcp | dns | ethernet | ftp | http | icmp-echo | mpls | path-echo | path-jitter | slm | tcp-connect | udp-echo | udp-jitter } ...
      (ip-sla)# frequency SECONDS
      (global)# ip sla schedule OPERATION-NUMBER [life {forever | SEC}] [start-time {hh:mm ... | now | pending | after hh:mm}] [ageout SECONDS]
    • frequency: Default: 60 sec. The operation runs every X seconds for the lifetime of the test.
    • Example:
      (global)# ip sla 100
      (ip-sla)# icmp-echo
      (ip-sla)# frequency 5 
      (ip-sla)# exit
      (global)# ip sla schedule 100 life forever start-time now
  • How do you force HSRP to decrement its priority in case of lost IP SLA packets?
    • The above IP SLA example is already configured
    • (global)# track 66 ip sla 100 reachability
      (interface)# standby 10 track 66 decrement 30




  • How do you verify an IP SLA configuration?
    • show ip sla configuration

Chapter 14 – Managing Switches with SNMP

  • What is the purpose of SNMP?
    • Simple Network Management Protocol shares information about the host router and its activities.
  • What 2 parts does SNMP have?
    • SNMP manager: This is a network management system that polls information from the SNMP agent. It usually runs at a central location.
    • SNMP agent: The process that runs on the network device being monitored.
  • Where does the switch gather data for SNMP?
    • From the Management Information Base (MIB). Data contained in memory and updated in real time.
  • How does the SNMP manager communicate with the SNMP agent? What are the 4 request types?
    • The communication uses UDP port 161
    • get request: the value of one specific MIB is needed
    • get next request: the next or subsequent value following an initial get request is needed
    • get bulk request: whole table or list of values in a MIB is needed
    • set request: a specific MIB variable needs to be set to a value
  • How can the SNMP agent notify the manager? What communication types exist?
    • The communication uses UDP port 162
    • SNMP trap: News of some event is sent without any acknowledgement that the trap has been received
    • Inform request: News of some event is sent, but the SNMP manager needs to acknowledge it
  • What are the differences between SNMP versions?
    • SNMPv1:
      • Get/Set requests plus SNMP traps
      • 32 bit variable counters
      • Authentication with clear text community string
    • SNMPv2C:
      • 64 bit variable counters
      • Get/Set requests, SNMP traps + Bulk requests
      • Authentication still with clear text community strings
    • SNMPv3:
      • Authentication through usernames
      • “views” can be used to limit which MIB variables an SNMP manager can read/write
  • What security levels are available in SNMPv3?
    • noAuthNoPriv: SNMP packets are neither authenticated nor encrypted
    • authNoPriv: SNMP packets are authenticated but not encrypted
    • authPriv: SNMP packets are authenticated and encrypted


  • How do you configure SNMPv1?
    • (global)# snmp-server community COMMUNITY [ro|rw] [ACL]
      (global)# snmp-server host HOST COMMUNITY [TRAP-TYPE]
  • How do you configure SNMPv2?
    • (global)# snmp-server community COMMUNITY [ro|rw] [ACL]
      (global)# snmp-server host HOST [informs] version 2c COMMUNITY 
    • The config is almost the same as with SNMPv1, but if you would like to use informs instead of traps, you must use the informs keyword.
  • How do you configure SNMPv3?
    • snmp-server view: You can specify a view for the users, so they can only access a certain part of the MIB.
      (global)# snmp-server view VIEW-NAME OID-TREE
    • snmp-server group:
      (global)# snmp-server group GROUP-NAME v3 { noauth | auth | priv } [read READ-VIEW] [write WRITE-VIEW] [notify NOTIFY-VIEW] [access ACL]

      • noauth, auth = Authentication
      • priv = Encryption
    • snmp-server user:
      (global)# snmp-server user USER-NAME  GROUP-NAME v3 auth {md5 | sha} AUTH-PASSWORD priv { des | 3des | aes {128|192|256}} PRIV-PASS [ACL]
    • snmp-server host:
      (global)# snmp-server host HOST-IP [informs] version 3 {noauth | auth | priv} USERNAME [trap-type] 
