© 2003, Cisco Systems, Inc. All rights reserved. CCNP 3 v4 Module 7: Minimizing Service Loss and Data Theft in a Switched Network

Module 3: Router Configuration (Modul 3 Konfigurasi Router)

Oct 18, 2015

Transcript
  • 5/28/2018 Module 3 Router Configuration (Modul 3 Konfigurasi Router)

    Slide 1/69

    © 2003, Cisco Systems, Inc. All rights reserved.

    CCNP 3 v4 Module 7: Minimizing Service Loss and Data Theft in a Switched Network

  • Slide 2/69

    Objectives

    Switch Security Issues
    Mitigating VLAN Attacks
    Mitigating Spoof Attacks
    Implementing Authentication, Authorization and Accounting (AAA)
    Defending Network Switches

  • Slide 3/69

    Overview

    This module describes some measures to secure Cisco's multilayer switches based on Cisco's SAFE blueprint.

    Cisco Systems has implemented a number of device-level countermeasures to defend the individual devices as well as the entire network from security threats.

    In this module we will spell out possible vulnerabilities, define threats, and describe the countermeasures that should be implemented to mitigate security risks.

  • Slide 4/69

    Switch Security Concerns

    Network security coverage often focuses on perimeter devices and the filtering of packets based upon Layer 3 and 4 headers, ports, stateful packet inspection and VPNs.

    Campus access devices and Layer 2 communication are left largely unconsidered in most security discussions.

  • Slide 5/69

    Firewalls, Routers and Switches

    Firewalls, placed at the organizational borders, arrive in a secure operational mode and allow no communication until configured to do so. The opposite is true for routers and switches.

    Unlike firewalls, routers and switches have a default operational mode that forwards all traffic unless configured otherwise.

  • Slide 6/69

    Securing More than the Perimeter (diagram slide; no text)

  • Slide 7/69

    Layer 2 Attacks

    Attacks launched against switches and at Layer 2 can be grouped as follows:

    MAC layer attacks
    VLAN attacks
    Spoof attacks
    Attacks on switch devices

  • Slide 8/69

    MAC Flooding Attack (diagram slide; no text)

  • Slide 9/69

    MAC Flooding

    A common Layer 2/switch attack is MAC flooding, resulting in CAM table overflow that causes flooding of regular data frames out all switch ports.

    A network intruder can maliciously flood a switch with a large number of frames from a range of invalid source MAC addresses.

    Once the CAM is full, the switch cannot create any additional CAM table entries.

    The switch must flood new legitimate frames out all ports (the switch is in "dumb hub" mode). The intruding device can now be attached to any switch port and see all traffic that flows through that switch.

  • Slide 10/69

    Mitigation for MAC Flood Attacks

    Configure port security to define the number of MAC addresses that are allowed on a given port.

    Port security can also specify which MAC addresses are allowed on a given port.

    Use the sticky configuration together with a maximum MAC address count.

  • Slide 11/69

    Port Security

    Port security restricts a switch port to a specific set and/or number of MAC addresses.

    Addresses can be learned dynamically or configured statically.

    To dynamically allow a set of MAC addresses on an interface, use the sticky configuration.

    When configured on an interface, the interface converts dynamically learned addresses to "sticky secure" addresses.

    The sticky configuration cannot be applied to trunk ports; the switchport must be in access mode (switchport mode access).

    Switch(config-if)# switchport port-security mac-address sticky

  • Slide 12/69

    Port Security Configuration

    Switch(config)#int fa0/1
    Switch(config-if)#switchport port-security
    Command rejected: Fa0/1 is not an access port.
    Switch(config-if)#switchport mode access
    Switch(config-if)#switchport port-security
    Switch(config-if)#switchport port-security mac-address sticky
    Switch(config-if)#switchport port-security maximum 4
    Switch(config-if)#switchport port-security violation ?
      protect   Security violation protect mode
      restrict  Security violation restrict mode
      shutdown  Security violation shutdown mode

  • Slide 13/69

    show port-security (screenshot slide; no text)

  • Slide 14/69

    show port-security address (screenshot slide; no text)

  • Slide 15/69

    Caveats to Port Security Configuration

    Port security is enabled on a port-by-port basis.

    By default, only one MAC address is allowed access through a given switch port when port security is enabled.

    Static MAC address entries for a given switchport may interfere with the maximum MAC address configuration.

    The default violation action is shutdown.

  • Slide 16/69

    Switchport Violation Actions

    There are three violation actions that can be configured on the secure port:

    Protect: frames from the non-allowed address are dropped, but there is no log of the violation.

    Restrict: frames from the non-allowed address are dropped and a log message is created.

    Shutdown: if any frames are seen from a non-allowed address, the interface is err-disabled and a log message is created.

    To bring a switchport out of err-disable, you must manually use the shutdown / no shutdown interface configuration mode commands.

    Shutdown is the default violation action.
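As an added example (not part of the Cisco course material), the following Python model simulates one secure port with the three violation modes above and shows how a per-port MAC limit contains the MAC-flooding attack described on slide 9. The class, the attacker-style addresses and the log-message wording are constructed approximations of IOS behaviour, not IOS code.

```python
# Added example (not from the Cisco course): a small model of IOS port security
# and its three violation modes, showing why a MAC limit bounds MAC flooding.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' enabled (constructed model)."""
    name: str
    maximum: int = 1                  # IOS default: one MAC address per port
    violation: str = "shutdown"       # IOS default violation action
    sticky: bool = True               # learned addresses are kept as sticky-secure
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            # An err-disabled port drops everything until shutdown / no shutdown.
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # Below the limit: learn the address (sticky keeps it across frames).
            self.secure_macs.add(src_mac)
            return True
        # Limit reached and the source is not a secure address: a violation.
        self.violations += 1
        if self.violation == "protect":
            return False                     # silently dropped, nothing logged
        if self.violation == "restrict":
            # Wording approximates the IOS PSECURE_VIOLATION syslog message.
            self.log.append(f"PSECURE_VIOLATION on {self.name} from {src_mac}")
            return False                     # dropped and logged
        # shutdown: the whole port goes err-disabled and one message is logged.
        self.err_disabled = True
        self.log.append(f"ERR_DISABLE: psecure-violation on {self.name}")
        return False

    def recover(self) -> None:
        """Operator issues 'shutdown' then 'no shutdown' on the interface."""
        self.err_disabled = False


def flood(port: SecurePort, count: int) -> int:
    """Send `count` frames with distinct constructed source MACs; return how many were forwarded."""
    forwarded = 0
    for i in range(count):
        # Constructed locally-administered addresses, one per frame.
        mac = f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        forwarded += port.receive(mac)
    return forwarded


if __name__ == "__main__":
    p = SecurePort("Fa0/1", maximum=4, violation="restrict")
    print("forwarded:", flood(p, 1000), "violations:", p.violations, "logged:", len(p.log))
```

With maximum 4, a flood of 1000 bogus addresses only ever fills four CAM entries; in shutdown mode one violation takes even legitimate hosts on that port offline until an operator clears it.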

  • Slide 17/69

    VLAN Hopping

    VLAN hopping is a network attack whereby an end system sends packets to, or collects them from, a VLAN that should not be accessible to that end system.

    VLAN hopping can be accomplished by switch spoofing or double tagging.

    http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml
    http://www.sans.org/resources/idfaq/vlan.php
  • Slide 18/69

    Switch Spoofing

    In a switch spoofing attack, the network attacker configures a system to spoof itself as a switch by emulating ISL or 802.1Q signaling and using DTP.

    Doing so allows the end system to negotiate a trunk link with the switch.

    Remember, by default Cisco switchports are set to dynamic desirable mode.

    The solution to switch spoofing is to configure all edge ports as access ports, which essentially turns off trunking.

    You can also change the native VLAN from the default of 1 so that the trunk is not negotiated properly.

    Switch(config)# interface range fa0/1 - 20
    Switch(config-if-range)# switchport mode access

    Switch(config-if)# switchport trunk native vlan 10

  • Slide 19/69

    Private VLANs

    Private VLANs provide traffic isolation between ports although they may exist on the same Layer 3 segment and VLAN.

    Private VLANs (PVLANs) can be implemented on Catalyst 4500s and 6500s to keep some switch ports shared and some switch ports isolated, although all ports exist on the same VLAN.

    The 2950 and 3550 support "protected ports", which are functionally similar to PVLANs on a per-switch basis.

  • Slide 20/69

    Private VLAN Port Types

    A port in a PVLAN can be one of three types:

    Isolated: an isolated port has complete Layer 2 separation from other ports within the same PVLAN except for the promiscuous port. Traffic received from an isolated port is forwarded only to promiscuous ports.

    Promiscuous: a promiscuous port can communicate with all ports within the PVLAN, including the community and isolated ports. The default gateway for the segment would likely be hosted on a promiscuous port.

    Community: community ports communicate among themselves and with their promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities.

    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm
  • Slide 21/69

    Private VLAN Configuration Guidelines

    VTP does not support private VLANs, so you must configure your VTP mode to transparent and manually add each primary and the associated private VLANs to each switch.

    VLAN 1 and VLANs 1002-1005 cannot be private VLANs.

    A primary VLAN can have one isolated VLAN and multiple community VLANs. An isolated or community VLAN can have only one primary VLAN associated with it.

    If you delete a VLAN used in the private VLAN configuration, the private VLAN ports associated with the VLAN become inactive.

    Private VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk.

    All primary, isolated, and community VLANs associated within a private VLAN must maintain the same topology across trunks.

    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm
  • Slide 22/69

    Private VLAN Configuration Example

    Router# configure terminal
    Router(config)# vlan 202
    Router(config-vlan)# private-vlan primary
    Router(config-vlan)# exit
    Router(config)# vlan 303
    Router(config-vlan)# private-vlan community
    Router(config-vlan)# exit
    Router(config)# vlan 440
    Router(config-vlan)# private-vlan isolated
    Router(config-vlan)# exit
    Router(config)# vlan 202
    Router(config-vlan)# private-vlan association 303-307,309,440
    Router(config-vlan)# exit
    Router(config)# interface fastethernet 5/1
    Router(config-if)# switchport mode private-vlan host
    Router(config-if)# switchport private-vlan host-association 202 303
    Router(config-if)# interface fastethernet 5/2
    Router(config-if)# switchport mode private-vlan host
    Router(config-if)# switchport private-vlan host-association 202 440
    Router(config-if)# end
    Router# show vlan private-vlan

    Primary Secondary Type      Ports
    ------- --------- --------- -----
    202     303       community Fa5/1
    202     440       isolated  Fa5/2

    The port mode is either host or promiscuous; both ports above are host ports, so each gets a host-association to its secondary VLAN (a promiscuous port is configured with switchport mode private-vlan promiscuous and a switchport private-vlan mapping instead).

  • Slide 23/69

    Protected Ports

    Protected ports do not forward any traffic to other ports that are also protected ports.

    Forwarding behavior between a protected port and a nonprotected port proceeds as usual.

    Switch# configure terminal
    Switch(config)# interface fastethernet0/1
    Switch(config-if)# switchport protected
    Switch(config-if)# end

  • Slide 24/69

    VLAN Security Using ACLs

    Cisco multilayer switches support three types of ACLs:

    Router access control lists (RACLs): supported in the ternary content addressable memory (TCAM) hardware on Cisco multilayer switches.

    Quality of service (QoS) access control lists: supported in the TCAM hardware on Cisco multilayer switches.

    VLAN access control lists (VACLs): supported in software on Cisco multilayer switches.

    VACLs are also referred to as VLAN maps.

  • Slide 25/69

    VLAN ACL Examples (diagram slide; no text)

  • Slide 26/69

    Routed ACLs

    RACLs are supported in hardware through IP standard ACLs and IP extended ACLs, with permit and deny actions.

    With RACLs, access list statistics and logging are not supported.

  • Slide 27/69

    VLAN ACLs

    VACLs (also called VLAN access maps in IOS software) apply to all traffic on the VLAN.

    VACLs are similar to route maps and follow route-map conventions, where map sequences are checked in order.

    VLAN maps have three actions that can be configured:

    Drop
    Forward
    Redirect

  • Slide 28/69

    VLAN Map Configuration

    ALSwitch7(config)#ip access-list extended HRServerAllowed
    ALSwitch7(config-ext-nacl)#permit tcp 172.16.50.16 0.0.0.15 host 172.16.50.240 eq www
    ALSwitch7(config-ext-nacl)#exit
    ALSwitch7(config)#ip access-list extended HRServerBlocked
    ALSwitch7(config-ext-nacl)#permit tcp 172.16.50.0 0.0.0.127 host 172.16.50.240 eq www
    ALSwitch7(config-ext-nacl)#exit
    ALSwitch7(config)#ip access-list extended HRServerDefaults
    ALSwitch7(config-ext-nacl)#permit ip any any
    ALSwitch7(config-ext-nacl)#exit
    ALSwitch7(config)#vlan access-map HRServerMap 10
    ALSwitch7(config-access-map)#match ip address HRServerAllowed
    ALSwitch7(config-access-map)#action forward
    ALSwitch7(config-access-map)#exit
    ALSwitch7(config)#vlan access-map HRServerMap 20
    ALSwitch7(config-access-map)#match ip address HRServerBlocked
    ALSwitch7(config-access-map)#action drop
    ALSwitch7(config-access-map)#exit
    ALSwitch7(config)#vlan access-map HRServerMap 30
    ALSwitch7(config-access-map)#match ip address HRServerDefaults
    ALSwitch7(config-access-map)#action forward
    ALSwitch7(config-access-map)#end
    ALSwitch7#config t
    ALSwitch7(config)#vlan filter HRServerMap vlan-list 50
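An added example, not from the course: the HRServerMap access map above evaluated in Python, with the IOS wildcard-mask matching and the in-order sequence checking spelled out. The Packet class and the ACL tuple layout are my own constructions; the addresses, ports and clause names come from the slide.

```python
# Added example (not from the Cisco course): evaluating the slide's HRServerMap
# VLAN access map to show how sequences are checked in order like a route map.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed minimal packet header for the evaluation."""
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "ip"
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def acl_matches(acl: list, pkt: Packet) -> bool:
    """Return True if the packet hits a permit line of the extended ACL.

    Each entry is (proto, src, src_wildcard, dst, dst_wildcard, dport_or_None).
    Only permit entries appear because a VLAN map's match clause selects
    traffic; the forward/drop decision belongs to the map, not the ACL.
    """
    for proto, src, sw, dst, dw, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if wildcard_match(pkt.src, src, sw) and wildcard_match(pkt.dst, dst, dw):
            return True
    return False


# The three ACLs from the slide ("any" written out as 0.0.0.0 255.255.255.255,
# "host x" as x 0.0.0.0, and "eq www" as port 80).
ACLS = {
    "HRServerAllowed":  [("tcp", "172.16.50.16", "0.0.0.15",
                          "172.16.50.240", "0.0.0.0", 80)],
    "HRServerBlocked":  [("tcp", "172.16.50.0", "0.0.0.127",
                          "172.16.50.240", "0.0.0.0", 80)],
    "HRServerDefaults": [("ip", "0.0.0.0", "255.255.255.255",
                          "0.0.0.0", "255.255.255.255", None)],
}

# vlan access-map HRServerMap: (sequence, match ACL, action), checked in order.
HRSERVER_MAP = [
    (10, "HRServerAllowed", "forward"),
    (20, "HRServerBlocked", "drop"),
    (30, "HRServerDefaults", "forward"),
]


def vlan_map_action(vlan_map: list, pkt: Packet) -> tuple:
    """Return (sequence, action) of the first clause whose ACL matches.

    A packet that matches no clause is dropped by the implicit deny at the end
    of the map, which is why the slide closes with a permit-ip-any-any
    'forward' clause at sequence 30.
    """
    for seq, acl_name, action in vlan_map:
        if acl_matches(ACLS[acl_name], pkt):
            return seq, action
    return None, "drop"


if __name__ == "__main__":
    for host in ("172.16.50.20", "172.16.50.100", "172.16.50.200"):
        pkt = Packet(host, "172.16.50.240", "tcp", 80)
        print(host, "->", vlan_map_action(HRSERVER_MAP, pkt))
```

Hosts 172.16.50.16 to .31 reach the HR server's web port, the rest of 172.16.50.0/25 is dropped at sequence 20, and everything else (other hosts, other ports) falls through to sequence 30.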

  • Slide 29/69

    show vlan access-map and show vlan filter

    ALSwitch7#show vlan access-map
    Vlan access-map "HRServerMap" 10
      Match clauses:
        ip address: HRServerAllowed
      Action:
        forward
    Vlan access-map "HRServerMap" 20
      Match clauses:
        ip address: HRServerBlocked
      Action:
        drop
    Vlan access-map "HRServerMap" 30
      Match clauses:
        ip address: HRServerDefaults
      Action:
        forward
    ALSwitch7#show vlan filter
    VLAN Map HRServerMap is filtering VLANs:
      50
    ALSwitch7#

  • Slide 30/69

    Defending Network Switches

    CDP can be selectively disabled on interfaces where management is not being performed, or if you do not want CDP information learned out of that interface.

    Switch(config-if)#no cdp enable

  • Slide 31/69

    Controlling VTY Access

    Cisco provides ACLs to permit or deny Telnet access to the VTY ports of a switch.

    Use the access-class line configuration mode command to specify a subnet that is allowed to telnet to the switch. The access-class command uses a standard ACL with the in keyword.

    A standard ACL is used because the access-class command filters inbound connections by their source address.

    Switch(config-line)#access-class 5 in

    The out keyword can also be used to filter outbound VTY connections.

  • Slide 32/69

    Access-class Example (diagram slide; no text)

  • Slide 33/69

    Use Secure Shell (SSH)

    SSH can be configured for remote access to Cisco multilayer switches.

    Catalyst 2950s do not support SSH.

    Switch(config)#hostname ALSwitch
    ALSwitch(config)#ip domain-name cisco.com
    ALSwitch(config)#ip ssh version 2
    Please create RSA keys to enable SSH.
    ALSwitch(config)#crypto key generate rsa general-keys
    The name for the keys will be: ALSwitch.cisco.com
    Choose the size of the key modulus in the range of 360 to 2048 for your
    How many bits in the modulus [512]: 1024
    % Generating 1024 bit RSA keys ...[OK]
    ALSwitch(config)#
    00:47:18: %SSH-5-ENABLED: SSH 1.99 has been enabled
    ALSwitch(config)#line vty 0 15
    ALSwitch(config-line)#transport input ssh
    ALSwitch(config-line)#login local
    ALSwitch(config-line)#exit
    ALSwitch(config)#username leo privilege 15 secret baca

  • Slide 34/69

    Encrypt Passwords

    Make sure to use encrypted passwords.

    Encrypted passwords can be used for enable passwords, user passwords, and console and vty passwords.

    ALSwitch(config)#enable secret class
    ALSwitch(config)#username user1 secret userpass
    ALSwitch(config)#username leo privilege 15 secret baca
    ALSwitch(config)#exit
    ALSwitch#show run
    ...
    !
    hostname ALSwitch
    !
    enable secret 5 $1$kH1o$2yH/E500t6PC1rCCDeFEb1
    !
    username leo privilege 15 secret 5 $1$nwnw$rvATQge3PqFS8qARlTOd51
    username user1 secret 5 $1$CalZ$rCMYfxqKPrJfWENUrHIZL.

  • Slide 35/69

    Service Password Encryption

    Some passwords are not encrypted by default, such as those set with the enable password command and the line configuration mode password command.

    To encrypt any plaintext passwords or key strings, use the global configuration mode command:

    Switch(config)# service password-encryption

    This will encrypt plaintext passwords with Cisco type 7 encryption.

    This encryption is not very strong.

  • Slide 36/69

    END PART 1

    PART 1 STOPS HERE

  • Slide 37/69

    DHCP Spoof Attack (diagram slide; no text)

  • Slide 38/69

    DHCP Snooping

    DHCP snooping is a Catalyst feature that determines which switch ports can respond to DHCP requests.

    Ports are identified as trusted and untrusted.

    Trusted ports can source all DHCP messages, while untrusted ports can source requests only.

    Trusted ports host a DHCP server or can be an uplink toward the DHCP server.

    If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down.

  • Slide 39/69

    DHCP Snooping Example (diagram slide; no text)

  • Slide 40/69

    DHCP Snooping Configuration (diagram slide; no text)

    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swdhcp82.htm
  • Slide 41/69

    show ip dhcp snooping (screenshot slide; no text)

  • Slide 42/69

    MAC Address Spoofing

    MAC spoofing attacks occur when a device spoofs the MAC address of a valid network device to gain access to frames destined for the valid device.

    The attacker generates a single frame with the source MAC address of the valid device.

    Once the valid host sends new frames, the spoofed CAM table entry is overwritten, so forwarding to that MAC address resumes on the legitimate port.

  • Slide 43/69

    MAC Address Spoofing Example (diagram slide; no text)

  • Slide 44/69

    ARP Table Entries

    In normal ARP operation, a host sends a broadcast to determine the MAC address of a host with a particular IP address.

    The device at that IP address replies with its MAC address. The host that originated the request then caches the ARP response, creating an ARP table entry.

    ARP table entries are used to populate the destination Layer 2 header of packets sent to that IP address.

  • Slide 45/69

    ARP Table Example (diagram slide; no text)

  • Slide 46/69

    ARP Spoofing

    By spoofing an ARP reply, an attacking device appears to be the destination MAC address sought by the senders.

    Now the attacker's MAC address is stored with the legitimate destination IP address.

    All packets destined for that IP address will be forwarded through the attacker's system on the Ethernet network.

    ARP Cache Poisoning: http://www.grc.com/nat/arp.htm
  • Slide 47/69

    ARP Spoof Example (diagram slide; no text)

  • Slide 48/69

    Dynamic ARP Inspection (DAI)

    Dynamic ARP Inspection (DAI) prevents ARP spoofing by intercepting and validating all ARP requests and responses.

    Each intercepted ARP reply is verified for a valid MAC-to-IP address binding before it is forwarded to a PC. ARP replies coming from invalid devices are dropped.

    The switch checks the MAC-to-IP binding in the ARP reply against the trusted DHCP snooping database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch.

    http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a0080509b6f.html
  • Slide 49/69

    Dynamic ARP Inspection Example

    Configure all access switch ports as untrusted and all switch ports connected to other switches as trusted.

  • Slide 50/69

    Dynamic ARP Inspection

    To ensure that only valid ARP requests and responses are relayed, DAI takes the following actions:

    Forwards ARP packets received on a trusted interface without any checks.

    Intercepts all ARP packets on untrusted ports.

    Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache.

    Drops and/or logs ARP packets with invalid IP-to-MAC address bindings.
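Added example (not course material) covering both the DHCP snooping behaviour from slide 38 and the DAI actions listed above: a constructed switch model builds the binding table from DHCP ACKs seen on trusted ports, shuts an untrusted port that sources server messages, and validates the sender binding of ARP packets on untrusted ports. Port names, MAC addresses, IP addresses and log wording are all constructed.

```python
# Added example (not from the Cisco course): a model of DHCP snooping feeding
# the binding table that Dynamic ARP Inspection (DAI) checks against.
from dataclasses import dataclass, field

# Message types only a DHCP server should send; untrusted ports may not source them.
DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class SnoopingSwitch:
    """Constructed model of one switch with DHCP snooping and DAI enabled."""
    trusted: set                                   # names of trusted ports (uplinks, server ports)
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> ip, learned from DHCP ACKs
    shut_down: set = field(default_factory=set)    # ports err-disabled after a DHCP violation
    log: list = field(default_factory=list)

    def dhcp(self, port: str, vlan: int, msg: str, client_mac: str, ip: str = "") -> bool:
        """Process one DHCP message; return True if the switch forwards it."""
        if port in self.shut_down:
            return False
        if msg in DHCP_SERVER_MSGS and port not in self.trusted:
            # A server-type message from an untrusted port: drop it and shut the port,
            # which is the behaviour slide 38 describes for a rogue DHCP server.
            self.shut_down.add(port)
            self.log.append(f"DHCP_SNOOPING: {msg} from untrusted {port}, port shut down")
            return False
        if msg == "ACK" and port in self.trusted:
            # Lease confirmed by the real server: record the IP-to-MAC binding.
            self.bindings[(vlan, client_mac.lower())] = ip
        return True                                 # DISCOVER/REQUEST and trusted traffic pass

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """DAI: forward an ARP request or reply only if its sender binding is valid."""
        if port in self.trusted:
            return True                             # trusted interface: no checks
        if self.bindings.get((vlan, sender_mac.lower())) == sender_ip:
            return True                             # matches the snooping database
        # Invalid binding on an untrusted port: dropped and logged.
        self.log.append(f"ARP_INSPECTION: invalid {sender_ip}/{sender_mac} on {port}")
        return False


def build_demo_switch() -> SnoopingSwitch:
    """Replay a constructed DHCP exchange so the binding table has one valid entry."""
    sw = SnoopingSwitch(trusted={"Gi0/1"})          # Gi0/1 is the uplink to the DHCP server
    sw.dhcp("Fa0/2", 10, "DISCOVER", "00:aa:bb:cc:dd:01")
    sw.dhcp("Gi0/1", 10, "OFFER", "00:aa:bb:cc:dd:01", "10.0.10.50")
    sw.dhcp("Fa0/2", 10, "REQUEST", "00:aa:bb:cc:dd:01")
    sw.dhcp("Gi0/1", 10, "ACK", "00:aa:bb:cc:dd:01", "10.0.10.50")
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    print("valid host ARP forwarded:", sw.arp("Fa0/2", 10, "00:aa:bb:cc:dd:01", "10.0.10.50"))
    print("other MAC claiming that IP:", sw.arp("Fa0/3", 10, "00:aa:bb:cc:dd:99", "10.0.10.50"))
    print("rogue OFFER on Fa0/3 forwarded:", sw.dhcp("Fa0/3", 10, "OFFER", "00:aa:bb:cc:dd:99", "10.0.10.99"))
    print(*sw.log, sep="\n")
```

Note that the model only validates what DAI checks by default (sender IP/MAC against the snooping database); a host with a static address and no DHCP lease would need a static binding or an ARP ACL, which the slides do not cover.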

  • Slide 51/69

    Dynamic ARP Inspection Configuration

    Dynamic ARP inspection is enabled on a per-VLAN basis.

    Make sure to enable DHCP snooping first.

    Dynamic ARP inspection is not supported on 29xx series switches.

  • Slide 52/69

    What is AAA?

    AAA stands for Authentication, Authorization and Accounting.

    AAA is an architectural framework for configuring access control security functions. AAA is generally concerned with access control to a network or network device.

    For instance, an AAA server can be used to authenticate remote users via a VPN, or it can be used to authenticate local users to a router, switch or firewall.

    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfaaa.htm
  • Slide 53/69

    AAA in a Nutshell

    Authentication provides the method of identifying users. The most common method of authentication is username/password.

    Authorization provides a method of controlling what a user is allowed to do. Authorization is usually tied to a policy, profile or group.

    Accounting provides a method for collecting and sending security server information used for billing, auditing, and reporting. Accounting collects data as to what a user did once logged in.

  • Slide 54/69

    AAA Servers and Authentication

    AAA uses protocols such as RADIUS, TACACS+, or 802.1X to administer its security functions.

    There is an authenticator (device) that permits or denies access to the network or network resource, and an authentication server that provides the actual database of user identification.

    The authenticator can be a switch, router, firewall, wireless access point, VPN server or access server.

  • Slide 55/69

    Using AAA for Login Security

    The AAA security services facilitate a variety of login authentication methods.

    Use aaa authentication login to enable AAA authentication.

    With the aaa authentication login command, it is possible to create one or more lists of authentication methods that are tried at login.

    The login authentication line configuration command applies these lists to login attempts.

  • Slide 56/69

    AAA Login Configuration (diagram slide; no text)

  • Slide 57/69

    AAA Login Configuration Example

    Switch(config)#aaa new-model
    Switch(config)#tacacs-server host 147.144.51.46 key 0 tacacskey
    Switch(config)#aaa group server tacacs+ TACACS
    Switch(config-sg-tacacs+)#server 147.144.51.46
    Switch(config-sg-tacacs+)#exit
    Switch(config)#aaa authentication login TACACS group TACACS local
    Switch(config)#line con 0
    Switch(config-line)#login authentication TACACS

    The method list named TACACS tries the TACACS+ server group first and falls back to the local user database if the server is unreachable.

    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm
  • Slide 58/69

    Authentication Methods (diagram slide; no text)

  • Slide 59/69

    AAA Authorization

    AAA authorization enables the limitation of the services available to a user.

    When AAA authorization is enabled, the device uses information retrieved from the user profile. The user profile is located either in the local user database on the switch or on the security server.

    You can configure up to 16 hierarchical levels of commands for each mode.

    Setting Passwords and Privileges: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfpass.htm
  • Slide 60/69

    AAA Accounting

    Accounting is the process of keeping track of the activity of each user who is accessing the network resources.

    Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation.

  • Slide 61/69

    802.1X Port-based Authentication (diagram slide showing the Supplicant and the Authenticator)

  • Slide 62/69

    802.1X Port-based Authentication

    Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the switchport.

    After authentication is successful, normal traffic can pass through the port.

    The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1x protocol packets.

    When a client is successfully authenticated, the port transitions to the authorized state.

    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/sw8021x.htm
  • Slide 63/69

    802.1X Configuration

    Switch1(config)#aaa new-model
    Switch1(config)#aaa authentication dot1x TACACS local
    Switch1(config)#dot1x system-auth-control
    Switch1(config)#interface range fa0/2 - 20
    Switch1(config-if-range)#switchport mode access
    Switch1(config-if-range)#dot1x port-control auto
    Switch1(config-if-range)#end
    Switch1# show run
    !
    interface FastEthernet0/1
    !
    interface FastEthernet0/2
     switchport mode access
     dot1x port-control auto
     spanning-tree portfast

  • Slide 64/69

    Capturing Traffic in a Switched Network

    If a network analyzer is connected to a switch port, by default the analyzer will only collect data directed to the MAC address of the analyzer.

    To resolve this issue, we configure Switch Port Analyzer (SPAN) ports.

    SPAN sends a copy of frames generated on one port or an entire VLAN to another switch port hosting a network analyzer.

    This is also known as port mirroring or port monitoring.

    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swspan.htm
  • Slide 65/69

    SPAN Example (diagram slide; no text)

  • Slide 66/69

    Remote SPAN (RSPAN)

    RSPAN sends traffic from a monitored port through an intermediate switch network to a traffic analyzer on another switch. RSPAN supports source ports, source VLANs, and destination ports on different switches.

    RSPAN provides remote monitoring of ports on multiple switches across the network.

  • Slide 67/69

    RSPAN Example (diagram slide; no text)

  • Slide 68/69

    Reflector Ports

    The reflector port is the mechanism that copies packets onto an RSPAN VLAN.

    The reflector port forwards only the traffic from the RSPAN source session with which it is affiliated.

    Any device connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled. The reflector port has these characteristics:

    It is a port set to loopback.

    It cannot be an EtherChannel group, it does not trunk, and it cannot do protocol filtering.

    A port used as a reflector port cannot be a SPAN source or destination port, nor can a port be a reflector port for more than one session at a time.

    It is invisible to all VLANs.

    Spanning tree is automatically disabled on a reflector port.

  • Slide 69/69

    SPAN and RSPAN Configuration

    SPAN:
    Switch(config)#monitor session 1 source interface fa0/2
    Switch(config)#monitor session 1 source interface fa0/2 - 24
    Switch(config)#monitor session 1 source vlan 33 , 34 , 40 - 50
    Switch(config)#monitor session 1 destination interface fa0/10

    RSPAN:
    SourceSw(config)#vlan 100
    SourceSw(config-vlan)#remote-span
    SourceSw(config-vlan)#exit
    SourceSw(config)#monitor session 1 source interface fa0/10 both
    SourceSw(config)#monitor session 1 destination remote vlan 100 reflector-port fa0/12

    DestSw(config)#monitor session 1 source remote vlan 100
    DestSw(config)#monitor session 1 destination interface fa0/5