Global access list applies logically to the entire firewall in inbound direction to all interface.
If there are existing interface access lists, those will be considered first and instead of having implicit deny any any at the end of interface ALCs, the Global access list is processed and in case of non-matching rule, the implicit deny any any is used at the end of Global access list.

To create global access list using asdm open access rule, add access rule, and for interface choose -Any-

To create global access list using CLI:

#access-list GLOBAL extended permit tcp any any
#access-group GLOBAL global

ACL overrides initial traffic flow policies based on security level: 100- the most trusted and 0 – not trusted.
By default traffic from higher to lower sec level is allowed but not from lower to higher. For this type of traffic we need ACL.
Global access list are not replicated on each interface so they save memory space.

Use packet-trace to check the rule:
packet-tracer input VLAN49 tcp 150.1.1.1 20000 150.1.2.2 21

#show access-list
#show access-group

Advertisements

A logical redundant interface is a pair of one active and one standby physical interface. When the active interface fails, the standby interface becomes active.
The firewall will remove all interface settings when adding the physical interface to a redundant group.
The logical redundant interface will take the MAC address of the first interface added to the group, because this will also become the active interface. This MAC address is not changed with the member interface failures, but changes when you swap the order of the physical interfaces added to the pair; optionally, a vMAC can be configured for the redundant interface. With redundant interfaces, the nameif, security-level, and IP address configuration is done at the logical interface level. This feature is not preemptive.

Etherchannel: ASA supports both active and passive modes, where active initiates the LACP negotiation, and passive expects to receive LACP negotiations.
The logical portchannel interface will take the MAC address of the lowest number interface from the group; optionally, a vMAC can be configured for the etherchannel interface.

interface Ethernet0/0
no nameif
no security-level
no ip address

interface Ethernet0/2
no nameif
no security-level
no ip address

interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
nameif OUTSIDE
security-level 0
ip address 136.1.34.17 255.255.255.0

interface Ethernet0/1
channel-group 1 mode passive
no nameif
no security-level
no ip address

interface Ethernet0/3
channel-group 1 mode passive
no nameif
no security-level
no ip address

interface Port-channel1
lacp max-bundle 2 port-channel load-balance src-dst-ip-port
nameif INSIDE
security-level 100
ip address 136.1.93.17 255.255.255.0

ASA03-5510# sh nameif
Interface                Name                     Security
Port-channel1            INSIDE                   100
Redundant1               OUTSIDE                    0
ASA03-5510#

ASA03-5510# sh ip address
System IP Addresses:
Interface                   Name                  IP address                     Subnet mask                   Method
Port-channel1          INSIDE              136.1.93.17                    255.255.255.0                 manual
Redundant1             OUTSIDE           136.1.34.17                    255.255.255.0                 manual

ASA03-5510# sh interface redundant 1 | b Redundancy
Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 17:21:44 UTC Jul 14 2014

ASA03-5510# sh port-channel summary
Flags: D – down P – bundled in port-channel
I – stand-alone s – suspended
H – Hot-standby (LACP only)
U – in use N – not in use, no aggregation/nameif
M – not in use, no aggregation due to minimum links not met
w – waiting to be aggregated
Number of channel-groups in use: 1
Group Port-channel Protocol Ports
——+————-+———–+———————————————–
1 Po1(U) LACP Et0/1(P) Et0/3(P)

ASA03-5510# sh port-channel 1 load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip-port

EtherChannel Load-Balancing Addresses UsedPer-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address and TCP/UDP (layer-4) port number
IPv6: Source XOR Destination IP address and TCP/UDP (layer-4) port number

ASA03-5510# sh port-channel 1 brief
Ports: 2 Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ passive
Minimum Links: 1
Maximum Bundle: 2
Load balance: src-dst-ip-port

– Check ip arp entry to confirm that MAC address fo the first ASA interfaces added to the group show up here:

RTR3#sh ip arp 136.1.34.17
Protocol         Address         Age (min)         Hardware Addr           Type          Interface
Internet         136.1.34.17    0                         001e.1359.4850          ARPA         FastEthernet0/0

ASA03-5510# sh int et0/0 | in MAC
MAC address 001e.1359.4850, MTU not set

CCIE-SW1#sh ip arp 136.1.93.17
Protocol       Address        Age (min)         Hardware Addr            Type         Interface
Internet       136.1.93.17    0                        001e.1359.4851            ARPA       Vlan93

ASA03-5510# sh int et0/1 | in MAC
MAC address 001e.1359.4851, MTU 1500
ASA03-5510#

~~~~~ Switch configurations to support these features.

Redundant interface configs:

#interface FastEthernet0/9                                          #interface FastEthernet0/15
switchport access vlan 34                                       switchport access vlan 34
switchport mode access                                          switchport mode access
spanning-tree portfast                                            spanning-tree portfast

Ether-channel config:
#
interface Port-channel1
switchport access vlan 93
switchport mode access

#interface FastEthernet0/19                               #interface FastEthernet0/23
switchport access vlan 93                                   switchport access vlan 93
switchport mode access                                      switchport mode access
channel-group 1 mode active                            channel-group 1 mode active

 

 

 

 

 

 

– Don’t forget to enable physical interfaces (e0/0, e0/1, e0/2)
– Create sub-interface and assign VLAN to sub-interface and make sure switch port is in trunking mode. The native (untagged) VLAN of the trunk connection maps to the physical interface, and it cannot be assigned to a sub-interface.

ASA03-5510#interface Ethernet0/3
nameif INSIDE
security-level 0
ip address 136.1.93.17 255.255.255.0

ASA03-5510#interface Ethernet0/0.34
vlan 34
nameif outside
security-level 100
ip address 136.1.34.17 255.255.255.0

ASA03-5510# sh nameif
Interface                       Name                     Security
Ethernet0/0.34           outside                   100
Ethernet0/3                 INSIDE                    0

ASA03-5510# sh ip address
System IP Addresses:
Interface                     Name                   IP address      Subnet mask     Method
Ethernet0/0.34         outside                136.1.34.17     255.255.255.0   manual
Ethernet0/3              INSIDE                136.1.93.17     255.255.255.0   manual
Current IP Addresses:
Interface                    Name                   IP address      Subnet mask     Method
Ethernet0/0.34         outside               136.1.34.17     255.255.255.0   manual
Ethernet0/3              INSIDE               136.1.93.17     255.255.255.0   manual
ASA03-5510#

ASA3# show conn

enable logging on ASA:
#logging on
#logging console 7

– Switch configurations:

interface FastEthernet0/13                      interface FastEthernet0/14
description ASA03 0/3                                   description ASA04 0/3
switchport access vlan 93                              switchport trunk allowed vlan 34
switchport mode access                                 switchport mode trunk
spanning-tree portfast

ASA configuration commands:

ASA03-5510(config)# sla monitor 20
ASA03-5510(config-sla-monitor)# type echo protocol ipIcmpEcho 8.8.8.8 interface outside
ASA03-5510(config-sla-monitor-echo)# frequency 3
ASA03-5510(config-sla-monitor-echo)# request-data-size 1392
ASA03-5510(config-sla-monitor-echo)# num-packets 3
ASA03-5510(config-sla-monitor-echo)# timeout 1000
ASA03-5510(config)# sla monitor schedule 20 life forever start-time now
ASA03-5510(config)# track 1 rtr 20 reachability
ASA03-5510(config)# route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
ASA03-5510(config)# route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

 

# sh sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 110
Owner:
Tag:
Type of operation to perform: echo
Target address: 8.8.8.8
Interface: outside
Number of packets: 3
Request size (ARR data portion): 1392
Operation timeout (milliseconds): 1000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 3
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

# sh sla monitor operational-state
Entry number: 110
Modification time: 06:56:46.879 UTC Tue Aug 5 2014
Number of Octets Used by this Entry: 2056
Number of operations attempted: 22
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 10
Latest operation start time: 06:57:49.881 UTC Tue Aug 5 2014
Latest operation return code: OK
RTT Values:
RTTAvg: 10      RTTMin: 10      RTTMax: 10
NumOfRTT: 3     RTTSum: 30      RTTSum2: 300

 

ASA2# debug icmp trace
ASA2# debug track
ASA2# un all

 

ASA03-5510# sh ip address
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0         outside                 10.99.99.1      255.255.255.0   manual
Ethernet0/1          outside-backup  10.88.99.1      255.255.255.0   manual
Ethernet0/2          inside                   1.1.1.10            255.255.255.0   manual

!— shut down main ISP interface
!— Traceroute shows that traffic is going via backup link (outside-backup interface)

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Down
12 changes, last change 00:00:10
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA03-5510#
ASA03-5510#

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Up
11 changes, last change 00:05:34
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0

ASA03-5510# sh route

C    1.1.1.0 255.255.255.0 is directly connected, inside
C    10.99.99.0 255.255.255.0 is directly connected, outside
C    10.88.99.0 255.255.255.0 is directly connected, outside-backup
S*   0.0.0.0 0.0.0.0 [20/0] via 10.88.99.2, outside-backup

ASA03-5510# traceroute 10.77.99.3

Type escape sequence to abort.
Tracing the route to 10.77.99.3

10.88.99.2 0 msec 0 msec 0 msec   !– via outside-backup
2  10.77.99.3 0 msec *  0 msec

!– the main ISP interface was brought up.

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Down
12 changes, last change 00:01:23
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA03-5510#

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Up
13 changes, last change 00:00:02
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA03-5510#

!– traceroute show that traffic goes via main ISP now. Route was put in automatically,
ASA03-5510# traceroute 10.77.99.3
Type escape sequence to abort.
Tracing the route to 10.77.99.3

10.99.99.2 0 msec 0 msec 0 msec !— via outside interface
2  10.77.99.3 0 msec *  0 msec

ASA03-5510# sh run route !– only sla related routes are in configuration

route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

ASA03-5510# sh route

C    1.1.1.0 255.255.255.0 is directly connected, inside
C    10.99.99.0 255.255.255.0 is directly connected, outside
C    10.88.99.0 255.255.255.0 is directly connected, outside-backup
S*   0.0.0.0 0.0.0.0 [1/0] via 10.99.99.2, outside

 

!– SLA related configuration:

ASA Version 8.4(3)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.99.99.1 255.255.255.0
!
interface Ethernet0/1
nameif outside-backup
security-level 0
ip address 10.88.99.1 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 1.1.1.10 255.255.255.0
!

object network inside-host
subnet 1.1.1.0 255.255.255.0

nat (inside,outside) source dynamic inside-host interface
nat (inside,outside-backup) source dynamic inside-host interface
route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

sla monitor 20
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 frequency 5
sla monitor schedule 20 life forever start-time now
!
track 1 rtr 20 reachability

Switch Port Security

Posted: December 4, 2013 in General Security Features

 

 

interface FastEthernet1/0/1
switchport voice vlan 100            !–VLAN 100 as the voice VLAN
switchport port-security              !–Configure SW1 to guard against MAC address flooding attacks
switchport port-security maximum 2                     !—max two MAC entries, one per vlan
switchport port-security maximum 1 vlan voice  !– for trunk ports, limit the number of MAC addresses learned simultaneously on a port to one per VLAN
switchport port-security maximum 1 vlan access
switchport port-security violation protect                  !–simply drop the traffic.
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security mac-address sticky !– Retain the MAC addresses learned on the port in the switch configuration.
switchport port-security violation restrict      !–drop offending packets and generate log records of the violation.
switchport port-security aging time 10           !– Age the learned secure entries after 10 minutes of inactivity
switchport port-security aging type inactivity

interface FastEthernet1/0/3
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan 133
switchport port-security maximum 1 vlan 143
switchport port-security violation shutdown vlan             !–apply the err-disabled state only to offending vlan
switchport port-security aging time 10
switchport port-security aging type inactivity

Global commands:

errdisable recovery cause psecure-violation
errdisable recovery interval 180               !– global config, automatic recovery after 3 minutes.

Port security is a layer 2 feature that enforces a limit on the number of MAC addresses allowed per port. The two main purposes are to prevent unauthorized connections (from unauthorized/unknown MAC addresses) on a port and to prevent MAC-address flooding attacks. A MAC address flooding attack consists of sending a barrage of packets with different source MAC addresses, forcing the switch to overpopulate its MAC address table. The latter may occur in cases when the switch starts behaving like a hub, flooding frames out all ports and all VLANs because the MAC address table overflows, exceeding the maximum number of MAC address that the switch can learn.

Port security works only on ports configured as static access or static trunk

On a port configured for port security, the switch keeps a table of secure MAC address entries.

#switchport port-security maximum-address <number> =  The total number of entries allowed on interface

On trunk ports, the above command specifies the maximum number of MAC addresses for all VLANs, the aggregate limit. Note that the switch treats the same MAC address on different VLANs as two different MAC addresses.

#switchport port-security maximum <number> vlan <vlan-number> = For trunk ports specify the maximum number of MAC addresses per VLAN

#switchport port-security maximum <number> vlan [access|voice] = impose restrictions on any of two vlans, If the port is an access-port configured with both data and voice VLANs.

When a switch has reached the maximum allowed number of MAC addresses on the port level or VLAN level, and a frame with a new source MAC address arrives on the port, the switch may take any of the following actions:

Shutdown: The port actually enters in an err-disabled state and all frames received on the port are discarded.

Shutdown VLAN: The VLAN enters in an err-disabled state but only for the port where the violation occurred, and all frames received on that port for the respective VLAN are discarded. In this case, a syslog message is also generated.

Protect: All frames are silently discarded on the VLAN where the violation occurred for the respective port. Protect mode is not recommended for trunk ports because as soon as any VLAN on a trunk reaches its MAC address limit, the port stops learning MAC addresses on any other VLAN. The worst thing about this mode is that the switch does not notify you with a logging message.

Restrict: All frames are discarded for the respective port, but a syslog message and SNMP trap are generated. You must additionally configure the SNMP hosts to send the actual traps.

The default port security violation action, unless otherwise configured, is shutdown. The switch does not allow the same MAC address to appear on more than one secure port at the same time. Thus, if a switch has learned a MAC address on a secure port, it will not allow the same address to appear on other layer 2 ports until the secure entry has expired. The switch ages out secure MAC address entries using a configurable timeout. You can set the timeout and its functional mode per port using following two commands:

switchport port-security aging timeout <timeout>

switchport port-security aging type {absolute|inactivity}

Absolute aging instructs the switch to age out each MAC address entry when the timeout period has elapsed, so it is unconditional.
Inactivity aging instructs the switch to age out each MAC address entry only if it has been inactive for an interval equal to the timeout period, so it is conditional.

If the port security feature has shutdown a port, the port can be restored to an operational state using the automatic error-disable recovery procedure, or manually by issuing a shutdown command followed by a no shutdown command on the port.

There are multiple possible reasons that can trigger a port to enter the err-disabled state, so we must specify both the cause for which the port entered in the err-disabled state, and the interval for keeping it in this state. The interval is a global value, which affects the switch behavior for all possible err-disabled causes:

errdisable recovery cause <cause>

errdisable recovery interval <seconds>

#errdisable recovery cause ?

all                      Enable timer to recover from all error causes
arp-inspection           Enable timer to recover from arp inspection error disable state
bpduguard                Enable timer to recover from BPDU Guard error
channel-misconfig (STP)  Enable timer to recover from channel misconfig error
dhcp-rate-limit          Enable timer to recover from dhcp-rate-limit error
dtp-flap                 Enable timer to recover from dtp-flap error
gbic-invalid             Enable timer to recover from invalid GBIC error
link-flap                Enable timer to recover from link-flap error
loopback                 Enable timer to recover from loopback error
mac-limit                Enable timer to recover from mac limit disable state
pagp-flap                Enable timer to recover from pagp-flap error
port-mode-failure        Enable timer to recover from port mode change failure
pppoe-ia-rate-limit      Enable timer to recover from PPPoE IA rate-limiterror
psecure-violation        Enable timer to recover from psecure violation error
security-violation       Enable timer to recover from 802.1x violation error
sfp-config-mismatch      Enable timer to recover from SFP config mismatch error
small-frame              Enable timer to recover from small frame error
storm-control            Enable timer to recover from storm-control error
udld                     Enable timer to recover from udld error
vmps                     Enable timer to recover from vmps shutdown error

#switchport port-security mac-address <mac-address> = configure static secure MAC address entries. The static entries also count against the maximum number of allowed MAC addresses on an interface.

#command switchport port-security aging static  = configure a port to age static secure MAC address entries. This may be useful when you need to set up guaranteed access for a specific MAC address for some amount of time.

# switchport port-security mac-address sticky  = port-security feature known as sticky learning. It allows you to transform dynamically learned MAC addresses into static secure MAC addresses. When a switch learns new MAC addresses on a port in sticky mode, it generates a configuration line for the corresponding MAC address as a secure static entry. This line appears in the running configuration, so you need to save it to make the static entry truly permanent; otherwise, if the switch reloads the command is lost. Intead of manual configuration saving, a kron policy or EEM script can be used to automatically save the configuration periodically or triggered by an event.

# switchport port-security  = enable security feature

 

 

#sh spanning-tree vl 13                              !–Determine which interfaces run STP in VLAN 13

VLAN0013

Spanning tree enabled protocol ieee

Root ID    Priority    32781

Address     b4a4.e354.4800
This bridge is the root
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Bridge ID  Priority    32781  (priority 32768 sys-id-ext 13)

Address     b4a4.e354.4800
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type

——————- —- — ——— ——– ——————————–

Fa0/10              Desg FWD 19        128.10   P2p                                   !– trunking port
Fa0/11              Desg FWD 19        128.11   P2p                                   !– trunking port
Fa0/38              Desg FWD 19        128.38   P2p Edge                         !– port assigned to vl 13
Fa0/40              Desg FWD 19        128.40   P2p Edge                         !– port assigned to vl 13
Gi0/1               Desg FWD 4         128.49   P2p                                      !– trunking port between two switches

 

SW1-p25#sh int status

Port      Name               Status       Vlan       Duplex  Speed Type

Fa0/1     ** R1 et0/0 **  notconnect   11           auto   auto 10/100BaseTX
Fa0/10    *ESX LAN 2 *    connected    trunk      a-full  a-100 10/100BaseTX
Fa0/11    *ESX LAN 1 *   connected    trunk      a-full  a-100 10/100BaseTX
Fa0/38    R3 f0/1            connected    13         a-full  a-100 10/100BaseTX
Fa0/40                       connected    13         a-full  a-100 10/100BaseTX
Gi0/1     ** Trunk DM-CoreSW connected    trunk      a-full a-1000 10/100/1000BaseTX

 

SW1-p25#sh run int f0/38

interface FastEthernet0/38
description R3 f0/1
switchport access vlan 13
switchport mode access
switchport nonegotiate               !– this shows in config that DTP is disabled on the port.
spanning-tree portfast

!– You disabled DTP on the switch port by switchport mode access command but to have it more visible you can put in port configuration one extra line: switchport nonegotiate. If the remote end still runs DTP, as is our case for trunk ports because DTP is enabled on SW2, you’ll see the dropped packets counter increasing, as each DTP message received inbound is dropped.

SW1-p25#sh dtp int f0/38

DTP information for FastEthernet0/38:

TOS/TAS/TNS:                              ACCESS/OFF/ACCESS

TOT/TAT/TNT:                              802.1Q/802.1Q/802.1Q

Neighbor address 1:                       00000000000
Neighbor address 2:                       000000000000
Hello timer expiration (sec/state):       never/STOPPED                 !– shows DTP is disabled on the switch
Access timer expiration (sec/state):      never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state):   never/STOPPED
FSM state:                                S1:OF
# times multi & trunk                     0
Enabled:                                  no
In STP:                                   no

 

Statistics

———-

0 packets received (0 good)

0 packets dropped

0 nonegotiate, 0 bad version, 0 domain mismatches,

0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other

0 packets output (0 good)

0 native, 0 software encap isl, 0 isl hardware native

0 output errors

0 trunk timeouts

0 link ups

14 link downs, last link down on Mon Dec 02 2013, 09:12:23

 

on trunk ports:

SW1-p25#sh dtp int f0/10

DTP information for FastEthernet0/10:

TOS/TAS/TNS:                              TRUNK/ON/TRUNK
TOT/TAT/TNT:                              802.1Q/802.1Q/802.1
Neighbor address 1:                       000000000000
Neighbor address 2:                       000000000000
Hello timer expiration (sec/state):       24/RUNNING
Access timer expiration (sec/state):      never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state):   never/STOPPED
FSM state:                                S6:TRUNK
# times multi & trunk                     0
Enabled:                                  yes
In STP:                                   no
Statistics

———-

0 packets received (0 good)

0 packets dropped

0 nonegotiate, 0 bad version, 0 domain mismatches,

0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other

51672 packets output (51672 good)

51672 native, 0 software encap isl, 0 isl hardware native

0 output errors

0 trunk timeouts

1 link ups, last link up on Fri Nov 15 2013, 10:19:26

0 link downs

 

SW1-p25#sh int f0/38 switchport                          !–A commonly used method to identify DTP state for interfaces is to view layer 2 port state information

Name: Fa0/38
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off    !!!
Access Mode VLAN: 13 (VLAN0013)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

SW1-p25#

 

##### Theory #####

DTP is the protocol that makes two switches negotiate the interconnecting links as trunk, as well as the trunking protocol (802.1q or ISL, with ISL having priority over 802.1q), without any required configurations. There are two possible DTP default port states:
     Dynamic Desirable (DTP Active):  the port actively sends DTP messages so it initiates trunk formation.
     Dynamic Auto (DTP Passive):  the port waits for DTP messages from the other end in order to respond and negotiate the trunk formation.

If you connect two switches that outside of the box have ports in Dynamic Auto mode, no trunk would be formed because there is no switch to initialize the DTP negotiation.
In common trunk port configurations, at a minimum you specify the trunking protocol and administratively set the port as trunk, with the following interface-level commands:

          switchport trunk encapsulation dot1q
switchport mode trunk

In common access port configuration, at a minimum you specify the VLAN membership and administratively set the port as access, with the following interface-level commands:

          switchport access vlan 13
switchport mode access

Ports administratively configured as trunks still have DTP enabled, whereas ports administratively configured as access have DTP disabled. Even if you configure a port as static trunk, you still want DTP enabled because the other end of the link might not yet be configured as static trunk, and you don’t want to break it. After you have configured a port as static access, you do not want it to be trunk, so there is no need to leave DTP enabled.

The inteface-level command to manually disable DTP is switchport nonegotiate.
You might want to use this command on access ports just to make it visible in the configuration, whereas on trunk ports it is mandatory to disable DTP.
The command that implicitly disables DTP on access ports is switchport mode access

 

 
During troubleshooting it is often necessary to see what traffic is being passed between two networks or two hosts. Lets use built-in capture tool. Below are the steps you need to take:
So, we are troubleshooting traffic between a host with the address of 20.20.20.1 and a host with the address of 10.10.10.1.

1.) Define the traffic that you would like to check by creating capture file called LB:

#access-list LB extended permit ip host 20.20.20.1 host 10.10.10.1
#access-list LB extended permit ip host 10.10.10.1 host 20.20.20.1
#access-list LB extended permit icmp host 20.20.20.1 host 10.10.10.1
#access-list LB extended permit icmp host 10.10.10.1 host 20.20.20.1

2.) Create and start the packet capture process called LB:

#capture LB access-list LB

3.) Create some traffic between these hosts.
Our defined ACL will detect all traffic between these two hosts, so let just start pinging:

From the host 20.20.20.1 ping 10.10.10.1
From the host 10.10.10.1 ping 20.20.20.1

4.) Analyze the packet capture.

#show capture LB !— This will show all captured traffic.

5.) Turn off the packet capture and remove the ACL:

#no capture LB
#clear configure access-list LB

#clear capture LB !—clear the capture log by using this command
#show capture LB | inc 20.20.20.1 !—use the pipe functionality when viewing output