Cisco Switches – Troubleshooting and Security

June 20, 2013

1) Get familiar with the network

2) Create an accurate Network Diagram!

3) Work logically, from the bottom up in the OSI model:

Physical > Data Link > Network > Transport > Session > Presentation > Application

Most problems lie within the Physical, Data Link, Network and Transport layers. Issues above those are usually application or development problems rather than network ones.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Common problems:

Port issues:

  • Check for cabling issues
  • Check that speed and duplex match on both ends of the link (an auto-negotiating port facing a hard-coded port falls back to half duplex)
  • Check that the VLAN is still present on the switch; an access port assigned to a VLAN that no longer exists goes inactive

Spanning Tree Issues:

  • Solve the immediate problem by disconnecting the redundant links
  • Ensure all links are reflected on your network diagram
  • Ensure the root bridge is the correct one
  • Make sure all switches are running RSTP!

VLAN and Trunking Issues:

  • Watch for a native VLAN mismatch on either end of the trunk
  • Hard-code trunk ports to trunk mode (switchport mode trunk) rather than relying on DTP negotiation; switchport nonegotiate stops the DTP frames as well.
  • Make sure the VLAN has been created and is active on the switch.
  • Verify the IP address assignments on the VLAN and the VLAN (SVI) interfaces
  • Use ping and traceroute to diagnose routing issues

VTP Issues

  • Verify the trunks are correct (VTP advertisements only travel over trunks)
  • Verify VTP information: domain name, password, version, mode and configuration revision number. A switch in server or client mode with a higher revision number than the domain overwrites the domain's VLAN database when it is connected.
  • Last resort: delete flash:vlan.dat and reload. This deletes all VTP and VLAN information on that switch and resets its revision number to zero!
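To run the port checks above over saved command output instead of eyeballing it, here is an added Python example (not from the original post). It parses constructed sample output of show interfaces status and show vlan brief, then flags half-duplex ports, err-disabled ports, and access ports whose VLAN no longer exists on the switch. The port names, VLAN numbers and column layout are assumptions made for the sample.

```python
"""Flag the port-level problems from the checklist above in saved 'show' output."""
import re

# Constructed sample output of 'show interfaces status' (not from a real switch).
SHOW_INT_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1     Desk-101           connected    10         a-full  a-100 10/100BaseTX
Fa0/2                        connected    10         a-half  a-100 10/100BaseTX
Fa0/3                        notconnect   30         auto    auto  10/100BaseTX
Fa0/4     Uplink-Core        connected    trunk      full    100   10/100BaseTX
Fa0/5                        err-disabled 10         auto    auto  10/100BaseTX
"""

# Constructed sample output of 'show vlan brief' on the same switch (VLAN 30 is missing).
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/6, Fa0/7
10   Users                            active    Fa0/1, Fa0/2, Fa0/5
20   Voice                            active
"""

# The Name column may be blank, so anchor the row on the Status keywords instead of whitespace.
STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|err-disabled|disabled|inactive)\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>\S+)\s*$"
)


def parse_int_status(text):
    """Return one dict per port row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def parse_vlan_ids(text):
    """Return the set of VLAN IDs listed by 'show vlan brief'."""
    return {int(line.split()[0]) for line in text.splitlines() if line[:1].isdigit()}


def find_port_problems(int_status, vlan_brief):
    """Return a sorted list of (port, problem) tuples for the checklist items."""
    vlans = parse_vlan_ids(vlan_brief)
    problems = []
    for row in parse_int_status(int_status):
        port = row["port"]
        # Half duplex on an auto-negotiating port almost always means the far end is
        # hard-coded to full duplex: the auto side cannot negotiate and falls back to half.
        if row["duplex"] in ("half", "a-half"):
            problems.append((port, f"half duplex ({row['duplex']}), check far-end speed/duplex"))
        # err-disabled ports stay down until the cause is fixed and the port is bounced
        # (shutdown / no shutdown) or errdisable recovery brings it back.
        if row["status"] == "err-disabled":
            problems.append((port, "err-disabled, check 'show interfaces status err-disabled'"))
        # Access ports whose VLAN no longer exists on the switch go inactive; trunks are skipped.
        if row["vlan"].isdigit() and int(row["vlan"]) not in vlans:
            problems.append((port, f"VLAN {row['vlan']} not present on this switch"))
    return sorted(problems)


if __name__ == "__main__":
    for port, problem in find_port_problems(SHOW_INT_STATUS, SHOW_VLAN_BRIEF):
        print(f"{port}: {problem}")
```

Paste real output into the two strings (or read them from files) and the three checks run against every port at once; a half-duplex hit still needs the far-end configuration checked by hand, since one side's output cannot show both ends of the link.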

To secure the switch, apply the following recommendations:

  • Physical Security
  • Set passwords and Logon Banners
  • Disable the web server – conf t > no ip http server and no ip http secure-server
  • Limit remote access subnets via access-lists
  • use SSH instead of Telnet
  • Configure logging – conf t > logging buffered XXXXXX (sets the size of the local log buffer) > logging host XXX.XXX.XXX.XXX (sends the logs to the syslog server at that IP).
  • Limit the ports with CDP – conf t > int faX/X > no cdp enable (turns off CDP on that port), or conf t > no cdp run (disables it on the entire switch). Cisco IP phones rely on CDP for their voice VLAN and power settings, so where phones are in use disable CDP per port on everything else rather than globally.
  • Use BPDU Guard on PortFast ports – conf t > int faX/X > spanning-tree bpduguard enable. This puts the interface into err-disabled as soon as a BPDU arrives on it, so use it together with spanning-tree portfast on access ports that a switch should never be plugged into. The global command spanning-tree portfast bpduguard default does the same for every PortFast port at once.
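To check that the recommendations above actually made it into a switch, here is an added Python example (not from the original post) that audits a saved running-config. It embeds two constructed configs, one with none of the items applied and one hardened, and reports which checklist items are missing: HTTP/HTTPS server left on, no login banner, no syslog host or log buffer, vty lines accepting Telnet or lacking an access-class, PortFast ports without BPDU Guard, and CDP still enabled. The hostnames, addresses and ACL name are assumptions made for the sample.

```python
"""Audit a Cisco IOS running-config against the hardening checklist above."""
import re

# Constructed sample: a switch with none of the recommendations applied.
WEAK_CONFIG = """\
hostname SW-WEAK
!
ip http server
ip http secure-server
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
end
"""

# Constructed sample: the same switch after applying the recommendations.
HARDENED_CONFIG = """\
hostname SW-HARD
!
banner login ^C
Authorized access only
^C
no ip http server
no ip http secure-server
!
logging buffered 64000
logging host 192.0.2.10
!
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
!
interface FastEthernet0/1
 switchport mode access
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
line vty 0 4
 access-class MGMT in
 login local
 transport input ssh
!
end
"""


def parse_config(text):
    """Split a running-config into global lines, per-interface commands and vty commands."""
    global_lines, interfaces, vty = [], {}, []
    current = None  # list that receives the indented sub-commands of the open stanza
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(None, 1)[1], [])
        elif raw.startswith("line vty"):
            current = vty
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
            if raw.strip() and raw.strip() != "!":
                global_lines.append(raw.strip())
    return global_lines, interfaces, vty


def audit(text):
    """Return a list of findings; an empty list means every checklist item is in place."""
    glob, ifaces, vty = parse_config(text)
    findings = []
    if "ip http server" in glob:
        findings.append("HTTP server enabled (no ip http server)")
    if "ip http secure-server" in glob:
        findings.append("HTTPS server enabled (no ip http secure-server)")
    if not any(l.startswith(("banner login", "banner motd")) for l in glob):
        findings.append("no login banner")
    # Accept both 'logging host A.B.C.D' and the older 'logging A.B.C.D' form.
    if not any(l.startswith("logging host ") or re.match(r"logging \d+\.\d+\.\d+\.\d+$", l) for l in glob):
        findings.append("no syslog server configured")
    if not any(l.startswith("logging buffered") for l in glob):
        findings.append("no logging buffer configured")
    transport = [l for l in vty if l.startswith("transport input")]
    # With no 'transport input' line the IOS default still allows Telnet.
    if not transport or any("telnet" in l or l.endswith(" all") for l in transport):
        findings.append("vty lines accept Telnet (use transport input ssh)")
    if not any(l.startswith("access-class") for l in vty):
        findings.append("vty lines not restricted by an access-class")
    if not any(l == "login" or l.startswith("login ") for l in vty):
        findings.append("vty lines do not require login")
    cdp_off_globally = "no cdp run" in glob
    bpduguard_default = "spanning-tree portfast bpduguard default" in glob
    for name, cmds in ifaces.items():
        if "spanning-tree portfast" in cmds and not bpduguard_default \
                and "spanning-tree bpduguard enable" not in cmds:
            findings.append(f"{name}: portfast without bpduguard")
        # CDP is on by default and does not appear in the config, so absence of
        # 'no cdp enable' on the port (or 'no cdp run' globally) means it is running.
        if not cdp_off_globally and "no cdp enable" not in cmds:
            findings.append(f"{name}: CDP still enabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Feed it the output of show running-config from each switch; the per-interface loop is where most drift shows up, because a port that was re-provisioned by hand tends to get portfast back without bpduguard.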