!!! I used four real Cisco 3550 switches to do this lab; I did not use Dynamips. !!!
Objective:
‧ Secure the Layer 2 spanning tree topology with BPDU guard
‧ Protect the primary and secondary root bridge with root guard
‧ Protect switchports from unidirectional links with UDLD
Scenario:
In this lab, you will secure the network against possible spanning tree disruptions.
Basic Configuration:
All Switches:
enable
configure terminal
!
no ip domain lookup
!
line console 0
logging synchronous
exec-timeout 0 0
!
hostname
Step 1
All Switches:
Load the configurations from Lab 8.1.
Step 2
For this scenario, DLS1 is the primary root bridge for VLANs 1 and 100 and the secondary root for VLAN 200. DLS2 is the primary root bridge for VLAN 200 and the secondary root for VLANs 1 and 100.
DLS1(config)#spanning-tree vlan 1 root primary
DLS1(config)#spanning-tree vlan 100 root primary
DLS1(config)#spanning-tree vlan 200 root secondary
DLS2(config)#spanning-tree vlan 200 root primary
DLS2(config)#spanning-tree vlan 1 root secondary
DLS2(config)#spanning-tree vlan 100 root secondary
DLS1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0001, VLAN0100
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          6          6
VLAN0100                     0         0        0          6          6
VLAN0200                     1         0        0          5          6
---------------------- -------- --------- -------- ---------- ----------
3 vlans                      1         0        0         17         18
DLS1#
DLS2#show spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0200
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     1         0        0          5          6
VLAN0100                     1         0        0          5          6
VLAN0200                     0         0        0          6          6
---------------------- -------- --------- -------- ---------- ----------
3 vlans                      2         0        0         16         18
DLS2#
Step 3
In the topology diagram, Fast Ethernet ports 0/13 and 0/14 on each switch are not being used as trunk or access ports. It is possible that a switch could be accidentally or maliciously added to those ports. Set up root guard on these ports to ensure that if a switch is added, it is not allowed to take over as root.
All Switches:
ALL SWITCH(config)#interface range fastEthernet 0/13 - 14
ALL SWITCH(config-if-range)#spanning-tree guard root
Step 4
Verify your configuration to make sure that root guard was not accidentally configured on a port that should hear root advertisements, such as a port on ALS2 that is connected to the root bridge.
ALS2#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000e.d7a6.9c80
             Cost        19
             Port        9 (FastEthernet0/9)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000e.d7d4.7500
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/7               Altn BLK 19        128.7    P2p
Fa0/8               Altn BLK 19        128.8    P2p
Fa0/9               Root FWD 19        128.9    P2p
Fa0/10              Altn BLK 19        128.10   P2p
Fa0/11              Altn BLK 19        128.11   P2p
Fa0/12              Altn BLK 19        128.12   P2p
ALS2#
Configure root guard on the root port that you found.
ALS2(config)#interface fastEthernet 0/9
ALS2(config-if)#spanning-tree guard root
Notice that as soon as you issue this command, you receive a message that root guard has been enabled and that the port is now in the blocking state for the specific VLANs configured.
*Mar 1 00:26:20.491: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/9.
*Mar 1 00:26:21.091: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/9 on VLAN0001.
*Mar 1 00:26:22.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 00:26:51.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
ALS2(config-if)#
Verify which ports are in this inconsistent state.
ALS2#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000e.d7a6.9c80
             Cost        19
             Port        10 (FastEthernet0/10)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000e.d7d4.7500
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/7               Altn BLK 19        128.7    P2p
Fa0/8               Altn BLK 19        128.8    P2p
Fa0/9               Desg BKN*19        128.9    P2p *ROOT_Inc
Fa0/10              Root FWD 19        128.10   P2p
Fa0/11              Altn BLK 19        128.11   P2p
Fa0/12              Altn BLK 19        128.12   P2p
ALS2#
ALS2#show spanning-tree inconsistentports
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             FastEthernet0/9          Root Inconsistent
VLAN0100             FastEthernet0/9          Root Inconsistent
VLAN0200             FastEthernet0/9          Root Inconsistent

Number of inconsistent ports (segments) in the system : 3
ALS2#
Remove root guard from Fa0/9 so the port can hear the root bridge again.
ALS2(config)#interface fastEthernet 0/9
ALS2(config-if)#no spanning-tree guard
Once removed, a message indicates that the port is being unblocked.
*Mar 1 00:31:06.771: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port FastEthernet0/9.
*Mar 1 00:31:06.771: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/9 on VLAN0001.
*Mar 1 00:31:08.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 00:31:38.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
ALS2(config-if)#
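Detecting the Step 4 misconfiguration from the switch's own evidence, as an added Python example that is not part of the lab manual: it parses the 'show spanning-tree vlan' port table and the %SPANTREE-2-ROOTGUARD_BLOCK syslog messages shown above, and takes the set of root-guarded interfaces (for example collected from the running-config) as a plain input rather than parsing it. The sample output is the ALS2 output from this step (abridged).

```python
"""Detect root guard activity from 'show spanning-tree vlan N' output and syslog.
Added example, not part of the lab manual; the sample text below is the ALS2
output and log messages from Step 4 of this lab."""
import re

# 'show spanning-tree vlan 1' on ALS2 after root guard was applied to Fa0/9:
# the port is Desg/BKN with *ROOT_Inc and the Root role has moved to Fa0/10.
SHOW_STP_VLAN1 = """\
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/7               Altn BLK 19        128.7    P2p
Fa0/8               Altn BLK 19        128.8    P2p
Fa0/9               Desg BKN*19        128.9    P2p *ROOT_Inc
Fa0/10              Root FWD 19        128.10   P2p
"""

# Syslog lines ALS2 printed when the command was entered (from the lab).
SYSLOG = """\
*Mar 1 00:26:20.491: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/9.
*Mar 1 00:26:21.091: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/9 on VLAN0001.
*Mar 1 00:26:22.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
"""

SHORT_NAMES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet", "Po": "Port-channel"}

# Sts and Cost fuse when a port is broken ('BKN*19'), so the '*' is optional
# and the whitespace before the cost may be empty.
PORT_ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<role>Root|Desg|Altn|Back)\s+(?P<sts>[A-Z]{3})\*?\s*"
    r"(?P<cost>\d+)\s+\d+\.\d+\s+\S+(?:\s+(?P<inc>\*\w+))?"
)
BLOCK_MSG = re.compile(
    r"%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port (\S+) on (VLAN\d+)"
)

def normalize(intf):
    """Expand 'Fa0/9' to 'FastEthernet0/9' so show output matches config names."""
    m = re.match(r"^([A-Za-z]+)(\S+)$", intf)
    return SHORT_NAMES.get(m.group(1), m.group(1)) + m.group(2) if m else intf

def parse_stp_ports(show_output):
    """Return {interface: (role, state, inconsistency or None)} from the port table."""
    ports = {}
    for line in show_output.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            ports[normalize(m.group("intf"))] = (m.group("role"), m.group("sts"), m.group("inc"))
    return ports

def root_guard_blocks(syslog):
    """Return [(interface, vlan)] for every ROOTGUARD_BLOCK message in the log."""
    return [tuple(m.groups()) for m in BLOCK_MSG.finditer(syslog)]

def check_root_guard(show_output, guarded):
    """Report ports already root-inconsistent and root guard sitting on the Root port.
    'guarded' is the set of interfaces carrying 'spanning-tree guard root'."""
    findings = []
    for intf, (role, _sts, inc) in sorted(parse_stp_ports(show_output).items()):
        if inc == "*ROOT_Inc":
            findings.append(f"{intf}: root inconsistent (blocked by root guard)")
        if role == "Root" and intf in guarded:
            findings.append(f"{intf}: root guard configured on the Root port")
    return findings

if __name__ == "__main__":
    print(check_root_guard(SHOW_STP_VLAN1, {"FastEthernet0/9", "FastEthernet0/13"}))
    print(root_guard_blocks(SYSLOG))
```

Run against the pre-change table (where Fa0/9 is still Root FWD) the second check fires before the port is blocked, which is the verification Step 4 asks for.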
Step 5
Enable BPDU guard globally on all PortFast-enabled ports of the access switches ALS1 and ALS2.
ALS1(config)#spanning-tree portfast bpduguard default
ALS2(config)#spanning-tree portfast bpduguard default
Verify your configuration.
ALS1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     3         0        0          3          6
VLAN0100                     3         0        0          3          6
VLAN0200                     3         0        0          3          6
---------------------- -------- --------- -------- ---------- ----------
3 vlans                      9         0        0          9         18
ALS1#
Step 6
UDLD lets a switch detect a unidirectional link and shut down the affected interface. You can configure UDLD on a per-port basis or globally for all gigabit interfaces. Enable UDLD protection on Fast Ethernet ports 0/1 - 24 on all switches.
All Switches:
ALL SWITCH(config)#interface range fastEthernet 0/1 - 24
ALL SWITCH(config-if-range)#udld port aggressive
ALL SWITCH(config-if-range)#exit
ALL SWITCH(config)#udld enable
Verify your configuration.
ALS2#show udld fastEthernet 0/15
Interface Fa0/15
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Unknown
Current operational state: Link down
Message interval: 7
Time out interval: 5
No neighbor cache information stored
ALS2#
Final Configurations
DLS1:
hostname DLS1
!
enable secret cisco
!
udld enable
!
no ip domain-lookup
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
spanning-tree vlan 1,100 priority 24576
spanning-tree vlan 200 priority 28672
!
interface FastEthernet0/1
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/2
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/3
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/4
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/5
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/6
switchport mode dynamic desirable
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/8
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/9
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/10
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/11
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/13
switchport mode dynamic desirable
udld port aggressive
spanning-tree guard root
!
interface FastEthernet0/14
switchport mode dynamic desirable
udld port aggressive
spanning-tree guard root
!
interface FastEthernet0/15
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/16
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/17
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/18
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/19
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/20
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/21
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/22
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/23
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/24
switchport mode dynamic desirable
udld port aggressive
!
interface Vlan1
ip address 172.16.1.3 255.255.255.0
standby 1 ip 172.16.1.1
standby 1 priority 105
standby 1 preempt
no shutdown
!
interface Vlan100
ip address 172.16.100.3 255.255.255.0
standby 100 ip 172.16.100.1
standby 100 priority 105
standby 100 preempt
no shutdown
!
interface Vlan200
ip address 172.16.200.3 255.255.255.0
standby 200 ip 172.16.200.1
standby 200 preempt
no shutdown
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
logging synchronous
login
line vty 5 15
password cisco
logging synchronous
login
!
end
DLS2:
hostname DLS2
!
enable secret cisco
!
udld enable
!
no ip domain-lookup
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
spanning-tree vlan 1,100 priority 28672
spanning-tree vlan 200 priority 24576
!
interface FastEthernet0/1
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/2
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/3
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/4
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/5
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/6
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/8
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/9
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/10
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/11
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/13
switchport mode dynamic desirable
udld port aggressive
spanning-tree guard root
!
interface FastEthernet0/14
switchport mode dynamic desirable
udld port aggressive
spanning-tree guard root
!
interface FastEthernet0/15
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/16
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/17
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/18
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/19
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/20
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/21
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/22
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/23
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/24
switchport mode dynamic desirable
udld port aggressive
!
interface Vlan1
ip address 172.16.1.14 255.255.255.0
standby 1 ip 172.16.1.1
standby 1 preempt
no shutdown
!
interface Vlan100
ip address 172.16.100.4 255.255.255.0
standby 100 ip 172.16.100.1
standby 100 preempt
no shutdown
!
interface Vlan200
ip address 172.16.200.4 255.255.255.0
standby 200 ip 172.16.200.1
standby 200 priority 105
standby 200 preempt
no shutdown
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
logging synchronous
login
line vty 5 15
password cisco
logging synchronous
login
!
end
ALS1:
hostname ALS1
!
enable secret cisco
!
aaa new-model
!
aaa authentication dot1x default group radius
!
udld enable
!
no ip domain-lookup
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
dot1x system-auth-control
!
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/2
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/3
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/4
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/5
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/6
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/8
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/9
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/10
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/11
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/13
switchport mode dynamic desirable
udld port aggressive
spanning-tree guard root
!
interface FastEthernet0/14
switchport mode dynamic desirable
udld port aggressive
spanning-tree guard root
!
interface FastEthernet0/15
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/16
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/17
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/18
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/19
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/20
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/21
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/22
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/23
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/24
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface Vlan1
ip address 172.16.1.101 255.255.255.0
no shutdown
!
ip default-gateway 172.16.1.1
radius-server host 172.16.100.100 auth-port 1812 acct-port 1646 key cisco
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
logging synchronous
line vty 5 15
password cisco
logging synchronous
!
end
ALS2:
hostname ALS2
!
enable secret cisco
!
udld enable
!
no ip domain-lookup
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/2
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/3
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/4
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/5
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/6
switchport mode dynamic desirable
udld port aggressive
!
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/8
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/9
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/10
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/11
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/13
switchport mode dynamic desirable
udld port aggressive
spanning-tree guard root
!
interface FastEthernet0/14
switchport mode dynamic desirable
udld port aggressive
spanning-tree guard root
!
interface FastEthernet0/15
switchport access vlan 200
switchport mode access
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/16
switchport access vlan 200
switchport mode access
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/17
switchport access vlan 200
switchport mode access
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/18
switchport access vlan 200
switchport mode access
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/19
switchport access vlan 200
switchport mode access
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/20
switchport access vlan 200
switchport mode access
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/21
switchport access vlan 200
switchport mode access
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/22
switchport access vlan 200
switchport mode access
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/23
switchport access vlan 200
switchport mode access
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/24
switchport access vlan 200
switchport mode access
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface Vlan1
ip address 172.16.1.102 255.255.255.0
no shutdown
!
ip default-gateway 172.16.1.1
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
logging synchronous
login
line vty 5 15
password cisco
logging synchronous
login
!
end
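As an added example that is not part of the lab manual, the following Python script audits a running-config for the three controls this lab applies (root guard placement from Steps 3 and 4, BPDU guard on PortFast ports from Step 5, UDLD aggressive mode from Step 6). The sample configuration is constructed from ALS2's final configuration with deliberate deviations so that each check fires.

```python
"""Audit a running-config for this lab's STP controls: root guard placement
(Steps 3-4), BPDU guard on PortFast ports (Step 5) and UDLD (Step 6)."""
import re

# Constructed from ALS2's final config with deviations: the global
# 'spanning-tree portfast bpduguard default' is left out, Fa0/16 enables BPDU
# guard per port but lacks UDLD, and Fa0/9 carries root guard on a trunk.
SAMPLE_CONFIG = """\
udld enable
!
interface FastEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
 spanning-tree guard root
!
interface FastEthernet0/15
 switchport access vlan 200
 switchport mode access
 udld port aggressive
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan1
 ip address 172.16.1.102 255.255.255.0
!
end
"""

def parse_config(text):
    """Split a running-config into its global lines and {interface: [lines]}."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("!", "end"):
            current = None
        elif current is not None:
            interfaces[current].append(line)
        elif line:
            globals_.append(line)
    return globals_, interfaces

def audit_config(text):
    """Return sorted findings for BPDU guard, UDLD and root guard placement."""
    globals_, interfaces = parse_config(text)
    bpduguard_default = "spanning-tree portfast bpduguard default" in globals_
    findings = []
    for name, lines in interfaces.items():
        if not re.match(r"(FastEthernet|GigabitEthernet)\d", name):
            continue  # SVIs and other virtual interfaces are out of scope here
        # Step 5: an edge port must drop BPDUs, either globally or per port
        if ("spanning-tree portfast" in lines and not bpduguard_default
                and "spanning-tree bpduguard enable" not in lines):
            findings.append(f"{name}: PortFast without BPDU guard")
        # Step 6: every physical port gets UDLD aggressive mode
        if "udld port aggressive" not in lines:
            findings.append(f"{name}: UDLD aggressive mode not enabled")
        # Step 4: root guard on an uplink can cut the path to the root bridge
        if "spanning-tree guard root" in lines and "switchport mode trunk" in lines:
            findings.append(f"{name}: root guard on a trunk port; confirm it does not face the root")
    return sorted(findings)
```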
Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html
CCNP Version 5.0: Building Multilayer Switched Networks
Student Lab Manual
First published / last updated: 2008.10.21 / 2018.06.12