DOCSLIB.ORG

Cisco Nexus 5000 Series NX-OS Layer 2 Switching Configuration Guide

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cisco Nexus 5000 Series NX-OS Layer 2 Switching Configuration Guide Cisco Nexus 5000 Series NX-OS Layer 2 Switching Configuration Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-20920-02 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http:// www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) © 2016 Cisco Systems, Inc. All rights reserved. CONTENTS Preface Preface xiii Audience xiii Document Organization xiii Document Conventions xiv Obtaining Documentation and Submitting a Service Request xv CHAPTER 1 New and Changed Information 1 New and Changed Information for this Release 1 CHAPTER 2 Overview 3 Layer 2 Ethernet Switching Overview 3 VLANs 3 Private VLANs 4 Spanning Tree 4 STP Overview 4 Rapid PVST+ 5 MST 5 STP Extensions 5 CHAPTER 3 Configuring Ethernet Interfaces 7 Information About Ethernet Interfaces 7 Interface Command 7 Information About Unified Ports 8 Guidelines and Limitations for Unified Ports 8 Unidirectional Link Detection Parameter 8 Default UDLD Configuration 9 UDLD Aggressive and Nonaggressive Modes 10 Cisco Nexus 5000 Series NX-OS Layer 2 Switching Configuration Guide OL-20920-02 iii Contents Interface Speed 10 Cisco Discovery Protocol 10 Default CDP Configuration 10 Error-Disabled State 11 About Port Profiles 11 Guidelines and Limitations for Port Profiles 12 Debounce Timer Parameters 13 MTU Configuration 13 Configuring Ethernet Interfaces 13 Configuring Unified Ports 13 Configuring the UDLD Mode 15 Configuring Interface Speed 16 Disabling Link Negotiation 17 Configuring the CDP Characteristics 18 Enabling or Disabling CDP 19 Enabling the Error-Disabled Detection 19 Enabling the Error-Disabled Recovery 20 Configuring the Error-Disabled Recovery Interval 21 Configuring the Debounce Timer 22 Configuring the Description Parameter 23 Disabling and Restarting Ethernet Interfaces 23 Displaying Interface Information 24 Default Physical Ethernet Settings 27 CHAPTER 4 Configuring VLANs 29 Information About VLANs 29 Understanding VLANs 29 Understanding VLAN Ranges 30 Creating, Deleting, and Modifying VLANs 32 About the VLAN Trunking Protocol 32 Guidelines and Limitations for VTP 33 Configuring a VLAN 33 Creating and Deleting a VLAN 33 Changing the Range of Reserved VLANs 34 Configuring a VLAN 36 Cisco Nexus 5000 Series NX-OS Layer 2 Switching Configuration Guide iv OL-20920-02 Contents Adding Ports to a VLAN 37 Verifying the VLAN Configuration 38 CHAPTER 5 Configuring Private VLANs 39 Information About Private VLANs 39 Primary and Secondary VLANs in Private VLANs 40 Private VLAN Ports 40 Primary, Isolated, and Community Private VLANs 41 Associating Primary and Secondary VLANs 42 Private VLAN Promiscuous Trunks 43 Private VLAN Isolated Trunks 43 Broadcast Traffic in Private VLANs 44 Private VLAN Port Isolation 44 Guidelines and Limitations for Private VLANs 44 Configuring a Private VLAN 45 Enabling Private VLANs 45 Configuring a VLAN as a Private VLAN 45 Associating Secondary VLANs with a Primary Private VLAN 46 Configuring an Interface as a Private VLAN Host Port 48 Configuring an Interface as a Private VLAN Promiscuous Port 49 Configuring a Promiscuous Trunk Port 50 Configuring an Isolated Trunk Port 51 Configuring Private VLANs on FEX Trunk Ports 52 Configuring the Allowed VLANs for PVLAN Trunking Ports 53 Configuring Native 802.1Q VLANs on Private VLANs 54 Verifying the Private VLAN Configuration 55 CHAPTER 6 Configuring Access and Trunk Interfaces 57 Information About Access and Trunk Interfaces 57 Understanding Access and Trunk Interfaces 57 Understanding IEEE 802.1Q Encapsulation 58 Understanding Access VLANs 59 Understanding the Native VLAN ID for Trunk Ports 60 Understanding Allowed VLANs 60 Understanding Native 802.1Q VLANs 60 Cisco Nexus 5000 Series NX-OS Layer 2 Switching Configuration Guide OL-20920-02 v Contents Configuring Access and Trunk Interfaces 61 Configuring a LAN Interface as an Ethernet Access Port 61 Configuring Access Host Ports 62 Configuring Trunk Ports 62 Configuring the Native VLAN for 802.1Q Trunking Ports 63 Configuring the Allowed VLANs for Trunking Ports 64 Configuring Native 802.1Q VLANs 65 Verifying the Interface Configuration 66 CHAPTER 7 Configuring Port Channels 67 Information About Port Channels 67 Understanding Port Channels 67 Guidelines and Limitations for Port Channel Configuration 68 Compatibility Requirements 69 Load Balancing Using Port Channels 70 Understanding LACP 72 LACP Overview 72 LACP ID Parameters 73 Channel Modes 73 LACP Marker Responders 74 LACP-Enabled and Static Port Channel Differences 75 Configuring Port Channels 75 Creating a Port Channel 75 Adding a Port to a Port Channel 76 Configuring Load Balancing Using Port Channels 77 Configuring Hardware Hashing for Multicast Traffic 78 Enabling LACP 79 Configuring the Channel Mode for a Port 79 Configuring the LACP Fast Timer Rate 80 Configuring the LACP System Priority and System ID 81 Configuring the LACP Port Priority 82 Disabling LACP Graceful Convergence 83 Reenabling LACP Graceful Convergence 84 Verifying Port Channel Configuration 85 Verifying the Load-Balancing Outgoing Port ID 86 Cisco Nexus 5000 Series NX-OS Layer 2 Switching Configuration Guide vi OL-20920-02 Contents CHAPTER 8 Configuring Virtual Port Channels 89 Information About vPCs 89 vPC Overview 89 Terminology 90 vPC Terminology 90 Supported vPC Topologies 91 Cisco Nexus Device vPC Topology 91 vPC Domain 91 Peer-Keepalive Link and Messages 91 Compatibility Parameters for vPC Peer Links 92 Configuration Parameters That Must Be Identical 92 Configuration Parameters That Should Be Identical 93 vPC Peer Links 94 vPC Peer Link Overview 94 vPC Number 95 vPC Interactions with Other Features 96 Configuring vPC Peer Links and Links to the Core 96 vPC and LACP 98 vPC Peer Links and STP 98 vPC and ARP 98 CFSoE 99 vPC Peer Switch 99 Guidelines and Limitations for vPCs 100 Configuring vPCs 100 Enabling vPCs 100 Disabling vPCs 101 Creating a vPC Domain 102 Configuring a vPC Keepalive Link and Messages 103 Creating a vPC Peer Link 105 Checking the Configuration Compatibility 106 Moving Other Port Channels into a vPC 107 Manually Configuring a vPC Domain MAC Address 108 Manually Configuring the System Priority 109 Manually Configuring a vPC Peer Switch Role 110 Cisco Nexus 5000 Series NX-OS Layer 2 Switching Configuration Guide OL-20920-02 vii Contents Configuring the vPC Peer Switch 111 Configuring a Pure vPC Peer Switch Topology 111 Configuring a Hybrid vPC Peer Switch Topology 113 Verifying the vPC Configuration 115 vPC Default Settings 115 CHAPTER 9 Configuring Rapid PVST+ 117 Information About Rapid PVST+ 117 Understanding STP 117 STP Overview 117 Understanding How a Topology is Created 118 Understanding the Bridge ID 118 Bridge Priority Value 118 Extended System ID 119 STP MAC Address Allocation 119 Understanding BPDUs 120 Election of the Root Bridge 121 Creating the Spanning Tree Topology 121 Understanding Rapid PVST+ 122 Rapid PVST+ Overview 122 Rapid PVST+ BPDUs 123 Proposal and Agreement Handshake 124 Protocol Timers 125 Port Roles 125 Port States 126 Rapid PVST+ Port State Overview 126 Blocking State 127 Learning State 127 Forwarding State 127 Disabled State 128
Load more

Recommended publications
  • AT-GS950/16 Gigabit Ethernet Switch
    AT-GS950/16 Gigabit Ethernet Switch AT-GS950/16 Web Interface User Guide AT-S114 Version 1.1.0 [1.00.021] 613-001857 Rev A Copyright © 2013 Allied Telesis, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesis, Inc. Allied Telesis and the Allied Telesis logo are trademarks of Allied Telesis, Incorporated. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners. Allied Telesis, Inc. reserves the right to make changes in specifications and other information contained in this document without prior written notice. The information provided herein is subject to change without notice. In no event shall Allied Telesis, Inc. be liable for any incidental, special, indirect, or consequential damages whatsoever, including but not limited to lost profits, arising out of or related to this manual or the information contained herein, even if Allied Telesis, Inc. has been advised of, known, or should have known, the possibility of such damages. Contents List of Figures ................................................................................................................................................ 11 List of Tables ................................................................................................................................................. 15 Preface ...........................................................................................................................................................
    [Show full text]
  • Vlans Feature Overview and Configuration Guide
    TechnicalTTechnicalechnical GuideGuidGuidee Virtual LANs (VLANs) Feature Overview and Configuration Guide VLAN Introduction This guide describes Virtual LANs (VLANs), VLAN features and configuration on the switch. It begins with a description of what a VLAN is, its evolution and purpose, and also provides the meaning of some common VLAN terminology. This is followed with a detailed look at VLAN implementation. Port-based VLAN membership is the most common way to split a network into sets of virtual LANs. We look at how this is achieved using the VLAN tagging. The use of double-tagging (or VLAN stacking) to tunnel VLANs across Layer 2 networks is described, and an example is provided for the configuration of VLAN stacking. Next we discuss private VLANs and the communication rules that limit what is possible between devices operating within the VLAN. AlliedWare Plus™ has two private VLAN solutions: private VLANs for ports in Access Mode private VLANs for ports in Trunked Mode Configuration examples are provided for both of these solutions. Then, we look at combining private VLANs with other features, such as: EPSR, ARP, LLDP, GVRP, Link aggregation, and management servers. The guide ends with a section on configuring protocol based VLANs and then describes how data counters are used to count both the number of received frames or the number of received bytes (octets) belonging to a particular VLAN. C613-22001-00 x REV C alliedtelesis.com Products and software version that apply to this guide This guide applies to all AlliedWare Plus™ products, running version 5.4.4 or later. However, not all features in this guide are supported on all products.
    [Show full text]
  • Configuring Vlans, Spanning Tree, and Multi-Link Trunking on Avaya Ethernet Routing Switch 4900 and 5900 Series
    Configuring VLANs, Spanning Tree, and Multi-Link Trunking on Avaya Ethernet Routing Switch 4900 and 5900 Series Release 7.4 NN47211-502 Issue 06.01 April 2017 © 2014-2017, Avaya Inc. IF YOU DO NOT WISH TO ACCEPT THESE TERMS OF USE, YOU All Rights Reserved. MUST NOT ACCESS OR USE THE HOSTED SERVICE OR AUTHORIZE ANYONE TO ACCESS OR USE THE HOSTED Notice SERVICE. While reasonable efforts have been made to ensure that the Licenses information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA the right to make changes and corrections to the information in this WEBSITE, HTTPS://SUPPORT.AVAYA.COM/LICENSEINFO, document without the obligation to notify any person or organization UNDER THE LINK “AVAYA SOFTWARE LICENSE TERMS (Avaya of such changes. Products)” OR SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, ARE APPLICABLE TO ANYONE WHO DOWNLOADS, Documentation disclaimer USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED “Documentation” means information published in varying mediums FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AVAYA which may include product information, operating instructions and CHANNEL PARTNER (AS APPLICABLE) UNDER A COMMERCIAL performance specifications that are generally made available to users AGREEMENT WITH AVAYA OR AN AVAYA CHANNEL PARTNER. of products. Documentation does not include marketing materials. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, Avaya shall not be responsible for any modifications, additions, or AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE deletions to the original published version of Documentation unless WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN such modifications, additions, or deletions were performed by or on AVAYA AFFILIATE OR AN AVAYA CHANNEL PARTNER; AVAYA the express behalf of Avaya.
    [Show full text]
  • Implementasi Private Virtual Local Area Network Menggunakan Mikrotik Routerboard
    1 IMPLEMENTASI PRIVATE VIRTUAL LOCAL AREA NETWORK MENGGUNAKAN MIKROTIK ROUTERBOARD TUGAS AKHIR OLEH : RANKA ARDEPA 09030581620013 PROGRAM STUDI TEKNIK KOMPUTER JURUSAN SISTEM KOMPUTER FAKULTAS ILMU KOMPUTER UNIVERSITAS SRIWIJAYA 2019 2 IMPLEMENTASI PRIVATE VIRTUAL LOCAL AREA NETWORK MENGGUNAKAN MIKROTIK ROUTERBOARD TUGAS AKHIR Diajukan Untuk Melengkapi Salah Satu Syarat Memperoleh Gelar Ahli Madya Komputer OLEH : RANKA ARDEPA 09030581620013 PROGRAM STUDI TEKNIK KOMPUTER JURUSAN SISTEM KOMPUTER FAKULTAS ILMU KOMPUTER UNIVERSITAS SRIWIJAYA 2019 3 4 5 6 MOTTO DAN PERSEMBAHAN Motto : "Setiap orang mempunyai cara dan jalananya masing-masing dalam mencapai kesuksesanya.” Kupersembahkan Kepada : Allah SWT. yang memberikan nikmat iman, kesehatan, kekuatan dan kesabaran. Kedua orang tua saya tercinta (Sandi Arapat dan Eka Wati) terima kasih untuk seluruh kasih sayang, doa, dukungan dan segala hal yang telah engkau lakukan terhadap saya. I love you so much. Kedua pembimbing saya (Ahmad Heryanto, M.T.) dan (Rido Zulfahmi, M.T.) yang telah banyak membantu dan membimbing saya dalam penyelesaian Tugas Akhir. Terima kasih. Sahabat – sahabat saya yang selalu mendoakan dan memberikan semangat untuk tetap berusaha. Seluruh teman seperjuangan Teknik Komputer 2016 yang sudah berbagi moment suka dan duka selama 3 tahun. Almamaterku. 7 KATA PENGANTAR Alhamdulillah puji syukur penulis panjatkan kehadirat Allah SWT. Karena atas rahmat dan hidayah-Nya penulis dapat menyelesaikan Tugas Akhir dengan baik. Tugas Akhir ini berjudul " IMPLEMENTASI PRIVATE VIRTUAL LOCAL AREA NETWORK MENGGUNAKAN MIKROTIK ROUTERBOARD ". Tugas Akhir ini merupakan salah satu syarat untuk menyelesaikan masa studi pada program Diploma Komputer Universitas sriwijaya. Tidak lupa, kita junjung tinggi kemuliaan dan kesejahtaraan kepada Nabi Muhammad SAW. dan keluarganya. Dalam penulisan laporan ini, penulis menyadari, bahwa tanpa adanya bimbingan, bantuan, dorongan, dan petunjuk serta dukungan dari semua pihak tidak mungkin laporan ini dapat terselesaikan.
    [Show full text]
  • Private VLAN and Cisco UCS Configuration Prior to 2.2(2C)
    Contents Introduction Prerequisites Requirements Components Used Background Information Theory PVLAN Implementation in UCS Goal Configure Network Diagrams PVLAN on vSwitch: Isolated PVLAN with Promiscuous Port on an Upstream Device Configuration in UCS Configuration of Upstream Devices Troubleshooting Isolated PVLAN on N1K with Promiscuous Port on an Upstream Device Configuration in UCS Configuration of Upstream Devices Configuration of N1K Troubleshooting Isolated PVLAN on N1K with Promiscuous Port on the N1K Uplink Port-Profile Configuration in UCS Configuration of Upstream Devices Configuration of N1K Troubleshooting Community PVLAN on N1K with Promiscuous Port on the N1K Uplink Port-Profile Troubleshooting Isolated PVLAN and Community PVLAN on VMware DVS Promiscuous Port on the DVS Verify Troubleshoot Introduction This document describes private VLAN (PVLAN) support in the Cisco Unified Computing System (UCS), a feature introduced in Release 1.4 of the Cisco UCS Manager (UCSM). It also details the features, the caveats, and the configuration when PVLANs are used in a UCS environment. THIS DOCUMENT IS FOR USE WITH UCSM VERSION 2.2(2C) AND EARLIER VERSIONS. In versions later than Version 2.2(2C), changes have been made to UCSM and ESXi DVS is supported. There are also changes in how tagging works for the PVLAN NIC. Prerequisites Requirements Cisco recommends that you have knowledge of these topics: ● UCS ● Cisco Nexus 1000 V (N1K) ● VMware ● Layer 2 (L2) switching Components Used This document is not restricted to specific software and hardware versions. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration.
    [Show full text]
  • Configuring Private Vlans
    CHAPTER18 Configuring Private VLANs This chapter describes how to configure private VLANs in Cisco IOS Software Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Software Releases 12.2SX Command References at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sx_mcl.html This chapter consists of these sections: • Understanding Private VLANs, page 18-1 • Private VLAN Configuration Guidelines and Restrictions, page 18-6 • Configuring Private VLANs, page 18-11 • Monitoring Private VLANs, page 18-17 Understanding Private VLANs These sections describe how private VLANs work: • Private VLAN Domains, page 18-2 • Private VLAN Ports, page 18-3 • Primary, Isolated, and Community VLANs, page 18-3 • Private VLAN Port Isolation, page 18-4 • IP Addressing Scheme with Private VLANs, page 18-4 • Private VLANs Across Multiple Switches, page 18-5 • Private VLAN Interaction with Other Features, page 18-5 Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases OL-13013-02 18-1 Chapter 18 Configuring Private VLANs Understanding Private VLANs Private VLAN Domains The private VLAN feature addresses two problems that service providers encounter when using VLANs: • The switch supports up to 4096 VLANs. If a service provider assigns one VLAN per customer, the number of customers that service provider can support is limited. • To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can result in wasting the unused IP addresses and creating IP address management problems. Using private VLANs solves the scalability problem and provides IP address management benefits for service providers and Layer 2 security for customers.
    [Show full text]
  • 5517 M. Foschiano Category: Informational Cisco Systems ISSN: 2070-1721 February 2010
    Independent Submission S. HomChaudhuri Request for Comments: 5517 M. Foschiano Category: Informational Cisco Systems ISSN: 2070-1721 February 2010 Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment Abstract This document describes a mechanism to achieve device isolation through the application of special Layer 2 forwarding constraints. Such a mechanism allows end devices to share the same IP subnet while being Layer 2 isolated, which in turn allows network designers to employ larger subnets and so reduce the address management overhead. Some of the numerous deployment scenarios of the aforementioned mechanism (which range from data center designs to Ethernet-to-the- home-basement networks) are mentioned in the following text to exemplify the mechanism's possible usages; however, this document is not intended to cover all such deployment scenarios nor delve into their details. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5517. HomChaudhuri & Foschiano Informational [Page 1] RFC 5517 Private VLANs February 2010 Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors.
    [Show full text]
  • Hacking Layer 2: Fun with Ethernet Switches Sean Convery, Cisco Systems [email protected]
    Hacking Layer 2: Fun with Ethernet Switches Sean Convery, Cisco Systems [email protected] l2-security-bh.ppt © 2002, Cisco Systems, Inc. All rights reserved. 1 Agenda ¥ Layer 2 Attack Landscape ¥ Specific Attacks and Countermeasures (Cisco and @Stake Testing)Ñhttp://www.atstake.com MAC Attacks VLAN ÒHoppingÓ Attacks ARP Attacks Spanning Tree Attacks Layer 2 Port Authentication Other Attacks ¥ Summary and Case Study l2-security-bh.ppt © 2002, Cisco Systems, Inc. All rights reserved. 2 Caveats ¥ All attacks and mitigation techniques assume a switched Ethernet network running IP If shared Ethernet access is used (WLAN, Hub, etc.) most of these attacks get much easier If you arenÕt using Ethernet as your L2 protocol, some of these attacks may not work, but you may be vulnerable to different ones J ¥ Attacks in the ÒtheoreticalÓ category can move to the practical in a matter of days ¥ All testing was done on Cisco equipment, Ethernet switch attack resilience varies widely from vendor to vendor ¥ This is not a comprehensive talk on configuring Ethernet switches for security; the focus is on L2 attacks and their mitigation l2-security-bh.ppt © 2002, Cisco Systems, Inc. All rights reserved. 3 Why Worry about Layer 2 Security? OSI Was Built to Allow Different Layers to Work without Knowledge of Each Other Host A Host B Application Stream Application Application Presentation Presentation Session Session Transport Protocols/Ports Transport Network IPIP AddressesAddresses Network MAC Addresses Data Link Data Link Physical Links Physical Physical l2-security-bh.ppt
    [Show full text]
  • Configure Your Switch
    TRENDnet User’s Guide Table of Contents Contents SYSTEM REQUIREMENTS .............................................................................................................114 INSTALLATION...............................................................................................................................114 PRODUCT OVERVIEW .......................................................................................................2 USING THE UTILITY ......................................................................................................................115 DISCOVERY LIST............................................................................................................................116 FEATURES............................................................................................................................................ 2 DEVICE SETTING ...........................................................................................................................117 FRONT VIEW ....................................................................................................................................... 3 MAIN MENU OPTIONS .................................................................................................................118 NDICATORS LED I ............................................................................................................................... 3 REAR VIEW ........................................................................................................................................
    [Show full text]
  • Virtual LAN Security Best Practices
    Application Note Virtual LAN Security Best Practices Independent security research firm @stake [9] recently conducted a Security Review [1] of the virtual LAN (VLAN) technology on the Cisco Catalyst 2950, Catalyst 3550, Catalyst 4500, and Catalyst 6500 series switches. Although no intrinsic security weaknesses emerged from this review, it has been pointed out that an improper or inadequate switch configuration can be the source of undesired behavior and possible security breaches. Over the past years, Cisco Systems has been If a user does not want one of his or her advocating best-practices guidelines for devices to be tampered with, physical access secure network configuration in several to the device must be strictly controlled. documents. The SAFE Blueprint [2] or the Furthermore, it is important for any Best Practices for Catalyst 4500, 5000, and network administrator to use all the proven 6500 Series Switches [3] are examples of security tools available on Cisco platforms: such documents. However, there has been from the very basic configuration of system no single document that collects all of the passwords, the use of IP permit filters, and VLAN-related best practices for easier login banners, all the way to more advanced perusal by customers and field engineers. tools such as RADIUS, TACACS+, The purpose of this paper is to present in a Kerberos, SSH, SNMPv3, IDS, and so forth. comprehensive way all of the (More details are provided in [3].) recommendations that Cisco engineers have Only after all the basic security components accumulated to aid with the proper are in place, is it possible to turn attention configuration of VLANs on Cisco switches.
    [Show full text]
  • Quick Setup Guide
    QUICK SETUP GUIDE Luxul L2/L3 Managed Switches XMS-2624P, XMS-5248P, XMS-7048P AMS-1208P, AMS-2616P, AMS-2624P, AMS-4424P AMS-2600 Quick Installation Quick System Setup IP Configuration and Routing PoE VLANs Private VLANs Spanning Tree CONTENTS INTRODUCTION .......................................................... 1 QUICK INSTALLATION .................................................... 2 Rack Installation ................................................................................. 2 Ethernet and Power Connections .................................................................. 2 Network Cabling ................................................................................. 2 IP Addressing .................................................................................... 2 Getting Connected ............................................................................... 3 Logging In ....................................................................................... 3 MANAGED SWITCH BASICS ................................................ 4 QUICK SETUP: SYSTEM .................................................... 5 System ........................................................................ 5 Information. 5 IP ............................................................................................... 6 NTP ............................................................................................. 8 Time ............................................................................................ 9 Log ............................................................................................
    [Show full text]
  • Vlans and Trunks
    Expert Reference Series of White Papers VLANs and Trunks 1-800-COURSES www.globalknowledge.com VLANs and Trunks Alan Thomas, CCNA, CCSI, Global Knowledge Instructor Introduction Virtual Local Area Networks (VLANs) provide several benefits to enterprise networks. VLANs provide a measure of flexibility, improve user mobility, ease the application of security measures, and increase the overall efficiency of the network. Trunks also provide benefits, specifically the ability to reduce the number of physical connections needed between switches in order to support multiple VLANs. This paper describes VLANs and trunks. It includes an overview of Ethernet-based computer networks, which includes definitions of several terms. This paper also includes technical details about VLANs and trunks, along with design options at a basic to intermediate level. Recommendations and commands are included throughout. Overview The Open Systems Interconnect (OSI) communications model is a seven-layer reference model that describes the functions necessary for two endpoints to communicate. The 2nd Layer of the OSI model is called the Data Link Layer. Its functions are to format data for transmission on the physical media and to define how devices access the physical media (twisted pair copper, fiber optic, or wireless). Ethernet is the Layer 2 protocol used for devices that connect to a Local Area Network (LAN). Ethernet defines how data is formatted for transmission by creating frames. Figure 1 shows a sample Ethernet frame. Figure 1---Ethernet Frame When data is transmitted along the media, the data is just a series of bits. Ethernet defines how the sending and receiving device will interpret those bits.
    [Show full text]