4. Switchport protected
interface FastEthernet0/10
switchport protected
switchport protected:
Use the switchport protected interface configuration command to isolate unicast, multicast, and broadcast traffic at Layer 2 from other protected ports on the same switch.
By sending traffic to random destination unicast and multicast MAC addresses, an attacker can force a switch to flood the traffic out all interfaces. If such traffic is received on a protected port, the resulting behavior is to flood it out all ports in the VLAN, even those that are protected. Since the ultimate goal of port protection is to prevent protected ports from communicating with each other, this behavior is not acceptable. By issuing the switchport block unicast and switchport block multicast interface-level commands, these unknown unicast and multicast frames will not be forwarded out the interfaces they are configured on.
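The following is an added illustration, not part of the original notes: a small Python model of the Layer 2 forwarding decision described above. It follows the notes' description (known unicast between protected ports is dropped, while flooded unknown-destination traffic still reaches protected ports unless the egress port has switchport block unicast / switchport block multicast). Port names, MAC addresses and frames are constructed for the example, and the flags on the Port class are assumed names standing in for the IOS commands.

```python
"""Toy Layer 2 forwarding model showing why 'switchport protected' alone does
not stop flooded (unknown-destination) traffic between protected ports, and how
'switchport block unicast' / 'switchport block multicast' close the gap.

Added illustration only; the port names, MAC addresses and frames are constructed.
"""

from dataclasses import dataclass


@dataclass
class Port:
    name: str
    vlan: int = 1
    protected: bool = False        # stands in for: switchport protected
    block_unicast: bool = False    # stands in for: switchport block unicast
    block_multicast: bool = False  # stands in for: switchport block multicast


def is_multicast(mac: str) -> bool:
    """Group bit: least-significant bit of the first octet (broadcast also has it set)."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}  # (vlan, mac) -> port name, learned from source addresses

    def forward(self, ingress: str, src: str, dst: str):
        """Return the egress port names a frame from `ingress` is sent out of."""
        in_port = self.ports[ingress]
        self.mac_table[(in_port.vlan, src)] = ingress  # source-address learning
        known = (not is_multicast(dst)) and (in_port.vlan, dst) in self.mac_table
        if known:
            candidates = [self.mac_table[(in_port.vlan, dst)]]
        else:
            # Unknown unicast or multicast: flood to every port in the VLAN.
            candidates = [n for n, p in self.ports.items() if p.vlan == in_port.vlan]
        egress = []
        for name in candidates:
            out = self.ports[name]
            if name == ingress:
                continue
            # Protected ports never exchange known unicast traffic with each other.
            if known and in_port.protected and out.protected:
                continue
            # Flooded traffic reaches protected ports too (as the notes describe),
            # unless the egress port is configured to block that traffic type.
            if not known:
                if is_multicast(dst) and out.block_multicast:
                    continue
                if not is_multicast(dst) and out.block_unicast:
                    continue
            egress.append(name)
        return egress


def build_demo_switch() -> Switch:
    # Two protected access ports (hosts A and B) plus one unprotected uplink.
    return Switch([
        Port("Fa0/10", protected=True),
        Port("Fa0/11", protected=True),
        Port("Fa0/1"),
    ])


def demo() -> dict:
    sw = build_demo_switch()
    host_a, host_b, uplink = "00:11:22:33:44:0a", "00:11:22:33:44:0b", "00:11:22:33:44:01"
    results = {}
    sw.forward("Fa0/11", host_b, uplink)  # lets the switch learn host B on Fa0/11
    # Known unicast A -> B: protected-port isolation works.
    results["known_a_to_b"] = sw.forward("Fa0/10", host_a, host_b)
    # Unknown unicast (random destination): flooded out Fa0/11 as well.
    results["unknown_flood"] = sw.forward("Fa0/10", host_a, "00:de:ad:be:ef:01")
    # Apply 'switchport block unicast' / 'switchport block multicast' on both ports.
    for name in ("Fa0/10", "Fa0/11"):
        sw.ports[name].block_unicast = True
        sw.ports[name].block_multicast = True
    results["unknown_flood_blocked"] = sw.forward("Fa0/10", host_a, "00:de:ad:be:ef:01")
    results["multicast_blocked"] = sw.forward("Fa0/10", host_a, "01:00:5e:00:00:fb")
    return results


if __name__ == "__main__":
    for case, ports in demo().items():
        print(f"{case}: {ports}")
```

Running the module prints one line per case: the known unicast frame between the two protected ports goes nowhere, the unknown unicast frame is flooded to the other protected port until block unicast is set, and afterwards only the unprotected uplink receives flooded frames.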
5. ACL
Your NOC engineers have been noticing minor outages that seem to coincide with the security team updating ACLs on SW1. You have informed these engineers that the switch is temporarily blocking traffic through the port that the ACL is being updated on. Although this is a normal and desirable case, they have requested that this behavior be disabled.
SW1:
access-list hardware program nonblocking
Additionally, configure SW1 to prevent a loop in the spanning-tree domain by taking these ports out of portfast state if a spanning-tree packet is received on them.
SW1:
spanning-tree portfast bpdufilter default
!
interface FastEthernet0/
spanning-tree portfast