18 Cards in this Set
- Front
- Back
Set switch's location to "Washington, DC"
|
snmp-server location ...
|
|
Config of ports in VLAN 489 should use the template "489Ports"
|
define interface-range ...
|
|
Prepare switchports for IP telephony
|
<if> switchport voice vlan ...
|
|
Make sure that Cat2 is always the root and Cat1 is the backup root (mode is MST)
|
spanning-tree mst root ...
|
|
Vlans 2 and 5 should handle spanning-tree decisions one way, and 7 another
|
spanning-tree mode mst
instance 1 vlan ...
THERE IS ALWAYS AN INSTANCE 0 |
|
Reduce time that MST will wait to receive config messages before attempting a reconfiguration to half of the default time
|
spanning-tree mst max-age 10
|
|
Set diameter to 4 (mode is MST)
|
spanning-tree mst 0 root primary diameter 4
CAN ONLY SET ON ROOT OR SECONDARY ROOT |
|
Bypass listening phase of spanning-tree
|
<if> spanning-tree portfast
CAN'T JUST SKIP LISTENING |
|
Ports should not send BPDUs out
|
<if> spanning-tree bpdufilter enable
|
|
Single trunk between switches using IEEE protocol
|
<if-range> channel-group 1 mode active
ACTIVE MODE = LACP |
|
Fast Ethernet links should appear to STP as Gigabit links
|
<if> spanning-tree cost 20000
CAN ALSO USE INTERFACE BANDWIDTH COMMAND -- BUT AVOID IF POSSIBLE |
|
Port Channel load balancing should favor where frames are headed
|
port-channel load-balance dst-mac
EC LINKS LOAD BALANCE BY DEFAULT BASED ON SOURCE MAC |
|
If not trunking, ports should operate in Vlan 3. If trunking, Vlan 3 should carry basic information like PAgP frames.
|
<if> switchport access vlan 3
<if> switchport mode dynamic desirable
<if> switchport trunk native vlan 3 |
|
Steps to configure private vlans
|
1) Config Primary, Isolated, and Community Vlans
2) Associate Primary to Secondary Vlans
3) Config Promiscuous port (set mode and mapping)
4) Config Host ports (set mode and host-assoc) |
|
Private Vlan Configuration Example
- Gateway on Vlan 1
- Internet-only devices on ports 1-10
- Servers and clients on ports 11-20 |
vlan 1
 private-vlan primary
vlan 501
 private-vlan isolated
vlan 502
 private-vlan community
!
vlan 1
 private-vlan assoc add 501-502
!
int g0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 1 add 501-502
!
int range fa0/1-10
 switchport mode private-vlan host
 switchport private-vlan host-association 1 501
!
int range fa0/11-20
 switchport mode private-vlan host
 switchport private-vlan host-association 1 502 |
|
Interfaces fa0/1-5 should be part of Vlan 2000 and unable to come online without host authentication
|
SOLUTION: DOT1X
aaa new-model
aaa authen dot1x default group radius
!
dot1x system-auth-control
!
int range fa0/1-5
 switchport mode access
 switchport access vlan 2000
 dot1x port-control auto
MAKE SURE TO SET UP AAA FOR CONSOLE AND VTY SO YOU DON'T LOCK YOURSELF OUT! |
|
Protect port fa0/5 from broadcasts. Use typical design guidelines.
|
SOLUTION: STORM CONTROL
int fa0/5
 storm-control broadcast level 20
BEST PRACTICES RECOMMEND 20% MAX OF LINK TO BE USED BY BROADCAST |
|
Port fa0/6 should not have unicast packets with unknown destinations flooded out.
|
SOLUTION: SWITCHPORT BLOCK UNICAST
int fa0/6
 switchport block unicast |