Monday, April 5, 2010


To troubleshoot a switched network, you first have to know the network, which goes hand in hand with keeping an accurate network diagram; the diagram gives you most of the information you need before you touch a switch. Then work logically from the bottom of the OSI model upward: cabling and port state first, then VLANs, trunks and spanning tree, then IP.
These are the common troubleshooting issues:
Port Issues
-Check cabling issues and port light
-Verify that speed and duplex match on both ends of the link. Hard code them if possible, but on both sides: hard coding one end while the other autonegotiates is itself a common cause of duplex mismatch
-Check VLAN database to make sure that VLAN still exists

Spanning-Tree Issues
-If a broadcast storm is occurring, disconnect the redundant links to break the loop, then re-add them one at a time while watching show spanning-tree
-Ensure all links are reflected on the network diagram
-Ensure root bridge selection is appropriate (set the priority on the switch you want as root rather than leaving it to the lowest MAC address)
-Make sure all switches are running RSTP

VLAN and Trunking Issues
-Watch for native VLAN mismatch
-Hard code ports as trunk or access (switchport mode trunk / switchport mode access) instead of relying on DTP negotiation
-Verify SVI IP assignment
-Use ping and traceroute to verify routing

VTP Issues
-Verify trunks
-Verify VTP information (domain name, password, version, modes)
-If vlan.dat is corrupted, delete it (delete flash:vlan.dat), reload and reconfigure the VLANs; before adding a switch to an existing VTP domain, check its revision number so it cannot overwrite the production VLAN database

Most security effort is focused on the network perimeter, yet most attacks come from internal users, who are already plugged into a switch. Below is a switch security checklist:

-Physical security

Make sure your switches are locked up properly. If anyone can reach your switch physically, they can interrupt the boot sequence and do password recovery, which gives them full control of the configuration. The recovery procedure can be blocked with no service password-recovery, at the cost of having to wipe the switch if the password is ever lost.

-Set passwords and logon banners

Use commands like:
enable secret <strong-secret>
banner motd #Authorized access only. All activity is logged.#
username <name> secret <password>
line con 0
 login local
line vty 0 4
 login local
service password-encryption

enable secret and username ... secret store a hash rather than the password itself. service password-encryption only applies reversible type-7 obfuscation to the plaintext passwords that remain (line passwords, username ... password), which stops someone reading them off a show run over your shoulder and nothing more. Never leave a placeholder pair such as cisco/cisco on a production switch.

-Disable the web server

Use commands like:
no ip http server
no ip http secure-server

-Limit remote access subnets

Limit VTYs with an access-class, where PERMITTED_ACL is a standard ACL that permits only the management subnet. To do this, go under the vty line mode and type:
access-class PERMITTED_ACL in

-Use SSH whenever possible

To set up SSH, the switch needs a hostname and a domain name (both are used to name the RSA key):
hostname SW1
ip domain name syraxius.ath.cx

Generate the key (use 2048 bits or more; current SSH clients refuse RSA keys shorter than 1024 bits):
crypto key generate rsa modulus 2048

Enable SSH version 2 and restrict the VTYs to it (login local is required so that the username/secret pair configured above is used for authentication):
ip ssh version 2
line vty 0 4
 transport input ssh
 login local

-Configure logging

Configure a syslog host (running Kiwi or TFTPD32) and the severity level to ship to it (replace the address with that of your own server):
logging host 192.0.2.10
logging trap informational

View the local log buffer:
show logging

-Limit CDP reach

To disable CDP as a whole, use:
no cdp run

To disable interface CDP, use:
no cdp enable

-Use BPDU guard on portfast ports

Portfast skips the listening and learning states so that a host port comes up immediately, which is only safe on ports facing end hosts. If someone attaches a switch to such an access port, BPDU guard puts the port into err-disabled state as soon as it hears a BPDU, so the rogue switch cannot take part in (or take over) spanning tree.

To turn on portfast (interface mode), use:
spanning-tree portfast

To turn on BPDU guard on the same interface, use:
spanning-tree bpduguard enable

Or enable it globally for every portfast port:
spanning-tree portfast bpduguard default

An err-disabled port stays down until it is bounced manually (shutdown / no shutdown) unless errdisable recovery cause bpduguard is configured.
