These are the common troubleshooting issues:
Port Issues
-Check cabling issues and port light
-Verify speed and duplex matching. Hard code if possible
-Check VLAN database to make sure that VLAN still exists
Spanning-Tree Issues
-If a broadcast storm is occurring, disconnect all redundant links
-Ensure all links are reflected on network diagram
-Ensure root bridge selection is appropriate
-Make sure all switches are running RSTP
VLAN and Trunking Issues
-Watch for native VLAN mismatch
-Hard code trunk and access ports
-Verify SVI IP assignment
-Use ping and traceroute to verify routing
VTP Issues
-Verify trunks
-Verify VTP information (domain name, password, version, modes)
-Delete and reconfigure vlan.dat if it is corrupted
Most security effort focuses on the network perimeter, yet most attacks come from internal users. Below is a switch security checklist:
-Physical security
Make sure your switches are locked up properly. If anyone can reach your switch physically, they can do password recovery.
-Set passwords and logon banners
Use commands like:
enable secret
banner motd
login local
username cisco secret cisco
service password-encryption
-Disable the web server
Use commands like:
no ip http server
no ip http secure-server
-Limit remote access subnets
Limit VTYs with an access-class. Under line vty configuration mode, type:
access-class PERMITTED_ACL in
-Use SSH whenever possible
To set up SSH, set the domain name:
ip domain name syraxius.ath.cx
Generate the key:
crypto key generate rsa
Enable SSH:
line vty 0 4
transport input ssh
-Configure logging
Configure a syslog host (running Kiwi or TFTPD32):
logging 192.168.1.150
View the logs:
show log
-Limit CDP reach
To disable CDP globally, use:
no cdp run
To disable CDP on a single interface, use:
no cdp enable
-Use BPDU guard on PortFast ports
If a switch is attached to an access port and BPDU guard is enabled, the port is shut down (err-disabled) as soon as it hears a BPDU.
To turn on PortFast, use:
spanning-tree portfast
To turn on BPDU guard, use:
spanning-tree bpduguard enable
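As an added example (not part of the original post), here is a small Python audit that checks a "show running-config" dump against the checklist above: password encryption, enable secret, banner, HTTP server, syslog host, CDP, VTY restrictions and BPDU guard on PortFast ports. Both config samples are constructed for illustration; the hostname, the secret hashes, the ACL contents and the syslog address are placeholders.

```python
"""Audit a Cisco IOS switch running-config against the hardening checklist.

Added example, not from the original post. Matching is line based, which is
enough for a baseline review of 'show running-config' output.
"""
import re

# Constructed sample: a switch with most checklist items still open.
WEAK_CONFIG = """\
hostname SW1
!
ip http server
ip http secure-server
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
line vty 0 4
 login local
 transport input all
!
"""

# Constructed sample: the same switch after applying the checklist
# (hashes and addresses are placeholders).
HARDENED_CONFIG = """\
hostname SW1
service password-encryption
!
enable secret 5 $1$EXAMPLE$placeholderhash
username admin secret 5 $1$EXAMPLE$placeholderhash
!
ip domain name example.test
no cdp run
!
ip access-list standard PERMITTED_ACL
 permit 192.168.1.0 0.0.0.255
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
logging 192.168.1.150
banner motd ^Authorized users only^
!
line vty 0 4
 access-class PERMITTED_ACL in
 login local
 transport input ssh
!
"""


def parse_blocks(config):
    """Split an IOS config into top-level lines and indented blocks keyed by header."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # comment/separator ends the current block
            continue
        if raw.startswith(" "):     # indented line belongs to the open block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        global_lines.append(line)
        if line.startswith(("interface ", "line ", "ip access-list ")):
            current = line
            blocks[line] = []
        else:
            current = None
    return global_lines, blocks


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    glines, blocks = parse_blocks(config)
    findings = []

    def has(pattern):
        return any(re.fullmatch(pattern, l) for l in glines)

    if not has(r"service password-encryption"):
        findings.append("service password-encryption is not set")
    if not has(r"enable secret .*"):
        findings.append("no enable secret configured")
    if not has(r"banner motd .*"):
        findings.append("no login banner (banner motd) configured")
    for svc in ("ip http server", "ip http secure-server"):
        if has(re.escape(svc)):
            findings.append(f"{svc} is enabled")
    if not has(r"logging (host )?\S+"):
        findings.append("no syslog host configured")

    interfaces = {h: b for h, b in blocks.items() if h.startswith("interface ")}
    if not has(r"no cdp run") and not all("no cdp enable" in b for b in interfaces.values()):
        findings.append("CDP is not disabled globally or on every interface")

    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        if "transport input ssh" not in body:
            findings.append(f"{header}: transport input is not restricted to ssh")
        if not any(re.fullmatch(r"access-class \S+ in", l) for l in body):
            findings.append(f"{header}: no inbound access-class")
        if not any(l.startswith("login") for l in body):
            findings.append(f"{header}: login not required")

    bpdu_default = has(r"spanning-tree portfast bpduguard default")
    for header, body in interfaces.items():
        if ("spanning-tree portfast" in body and not bpdu_default
                and "spanning-tree bpduguard enable" not in body):
            findings.append(f"{header}: portfast without bpduguard")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Feed it the text of "show running-config" and every non-empty finding is an open checklist item. The checks are deliberately simple string matches, so platform variations (for example "spanning-tree portfast edge" on newer releases, or a multi-line banner) would need the patterns extended before using it on a production config.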