Saturday, February 25, 2012

DHCP and DNS

DHCP

  • Extension to BOOTP for automatic host configuration
  • Provides IP address, netmask, default gateway, bootfile etc. to end hosts
  • Broadcast UDP packets, source port BOOTP 68, destination port BOOTPS 67
  • Host sends DHCP Discover (broadcast), server sends DHCP Offer (unicast), host sends DHCP Request (broadcast), server sends DHCP Ack (unicast)
  • Server should be in the same broadcast domain; if not, a DHCP relay must be used
  • IOS supports the following: DHCP server, DHCP client, DHCP proxy (e.g. translating an IPCP request into DHCP, used for PPP links), DHCP relaying
  • DHCP supports option 82, an option added by the relay to be more specific about the port the end host is connected to
  • Some end host vendors use their own specific options for this
  • option 82 is automatically enabled when you configure dhcp snooping
  • DHCP server is configured with DHCP pools, each pool has an IP subnet for allocation
  • host pools are supported

DHCP POOL SELECTION

Server may have multiple address pools
Pool is selected based on
  - DHCP client id (could be any string)
    - supplied by windows clients but not linux
  - DHCP hardware address if the client id is missing
  - relaying gateway ip address (giaddr)
  - receiving interface ip subnet if no matching pool is found and no relay ip address is present

DHCP Relaying

Broadcasts can be relayed to a unicast destination with the
ip helper-address "ip" interface command

In case of DHCP relaying the router inserts the interface IP address
- known as "giaddr" or gateway address
- other options could be inserted, e.g. the relay agent information option 82

Commands

Server

service dhcp - enables dhcp on ios
ip dhcp pool vlan 58
network 155.0.58.0/24
default-router 155.0.58.1
dns-server 1.1.1.1
lease 0 1 58

Client

int fa0/0
ip address dhcp





LAB
----
Ok so s2 is the dhcp client
r5 will be the dhcp relay
r6 will be the dhcp server

r6
---

r6(config)#service dhcp - enable dhcp server

r6(config)#ip dhcp pool VLAN58     - create a pool and options
r6(dhcp-config)#network 155.0.58.0 /24
r6(dhcp-config)#default-router 155.0.58.5
r6(dhcp-config)#dns-server 1.1.1.1
r6(dhcp-config)#lease?
lease
r6(dhcp-config)#lease ?
  <0-365>   Days
  infinite  Infinite lease
r6(dhcp-config)#lease 0 ?
  <0-23>  Hours
  <cr>
r6(dhcp-config)#lease 0 1 ?
  <0-59>  Minutes
  <cr>

r6#debug ip dhcp server events

r5
---
r5(config)#int fa0/0
r5(config-if)#ip helper-address 6.6.6.6   - this will forward broadcasts on the fa0/0 segment to the dhcp server 6.6.6.6


s2
---
s2(config-if)#int vlan 58
s2(config-if)#ip address dhcp

s2(config)#int vlan 58
s2(config-if)#ip dhcp ?
  client  DHCP client configuration
  relay   DHCP relay configuration parameters
s2(config-if)#ip dhcp client ?
  class-id   Specify Class-ID to use
  client-id  Specify Client-ID to use
  hostname   Specify hostname to use
  lease      Requested address lease time
  request    Specify options (not) to request
  route      Options for routes installed by dhcp
s2(config-if)#ip dhcp client

we have a few options to specify class id etc. if we wanted

we can see we have learnt the address 155.0.58.1 via dhcp

s2#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan58                 155.0.58.1      YES DHCP   up                    up

r6
---
r6#sh log
Syslog logging: enabled (1 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 44 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 17 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
No active filter modules.
    Trap logging: level informational, 32 message lines logged
Log Buffer (99999 bytes):
*Feb 25 18:02:18.275: DHCPD: checking for expired leases.
*Feb 25 18:02:42.663: DHCPD: Sending notification of DISCOVER:
*Feb 25 18:02:42.663:   DHCPD: htype 1 chaddr 001b.2bec.83c4
*Feb 25 18:02:42.663:   DHCPD: remote id 020a00009b00920600000092
*Feb 25 18:02:42.663:   DHCPD: circuit id 00000000
*Feb 25 18:02:42.663: DHCPD: Seeing if there is an internally specified pool class:
*Feb 25 18:02:42.663:   DHCPD: htype 1 chaddr 001b.2bec.83c4
*Feb 25 18:02:42.663:   DHCPD: remote id 020a00009b00920600000092
*Feb 25 18:02:42.663:   DHCPD: circuit id 00000000
*Feb 25 18:02:44.663: DHCPD: Adding binding to radix tree (155.0.58.1)
*Feb 25 18:02:44.663: DHCPD: Adding binding to hash tree
*Feb 25 18:02:44.663: DHCPD: assigned IP address 155.0.58.1 to client
0063.6973.636f.2d30.3031.622e.3262.6563.2e38.3363.342d.566c.3538.
*Feb 25 18:02:44.939: DHCPD: Sending notification of ASSIGNMENT:
*Feb 25 18:02:44.943:  DHCPD: address 155.0.58.1 mask 255.255.255.0
*Feb 25 18:02:44.943:   DHCPD: htype 1 chaddr 001b.2bec.83c4
*Feb 25 18:02:44.943:   DHCPD: lease time remaining (secs) = 3600

we can see the request and assignment

r6#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
155.0.58.1          0063.6973.636f.2d30.    Feb 25 2012 07:02 PM    Automatic
                    3031.622e.3262.6563.
                    2e38.3363.342d.566c.
                    3538

say if we wanted r6 to give s2 an ip by dhcp but have it reserved so that no one else could get
this ip, we could create a specific pool based on the s2 client id

r6
---
r6(config)#ip dhcp pool SW2-CLIENT-POOL
r6(dhcp-config)#host 155.28.58.100
r6(dhcp-config)#client-id 0063.6973.636f.2d30.3031.622e.3262.6563.2e38.3363.34

in order to do this we need to know the client id; windows gives certain ones, linux gives others,
so it is vendor specific
??? not working need to complete
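The Client-ID in the binding table is the raw option 61 value printed as dotted hex. The following Python (an added example, not from the post) decodes it: a leading type byte, 0x00 for a string or 0x01 for a MAC, followed by the value, which for an IOS client is the ASCII text cisco-<mac>-<interface>. Run against the two strings above it also shows that the client-id typed into SW2-CLIENT-POOL stops before the -Vl58 suffix, a comparison worth making whenever a host pool is not matched.

```python
"""Decode the Client-ID strings IOS prints in 'show ip dhcp binding' (added example)."""

# Values copied from the lab output above: the binding r6 created for s2 and the
# client-id typed into the SW2-CLIENT-POOL host pool.
BINDING_CLIENT_ID = "0063.6973.636f.2d30.3031.622e.3262.6563.2e38.3363.342d.566c.3538"
CONFIGURED_CLIENT_ID = "0063.6973.636f.2d30.3031.622e.3262.6563.2e38.3363.34"


def client_id_bytes(dotted_hex: str) -> bytes:
    """Turn IOS dotted hex (groups of 4 hex digits) into raw bytes."""
    hexstr = dotted_hex.replace(".", "").strip()
    if len(hexstr) % 2:
        raise ValueError("odd number of hex digits in client-id")
    return bytes.fromhex(hexstr)


def decode_client_id(dotted_hex: str) -> dict:
    """Split a DHCP client identifier (option 61) into its type byte and value.

    Type 0x01 means the value is an Ethernet MAC address; type 0x00 is used by
    IOS clients for a free-form ASCII string of the form 'cisco-<mac>-<ifname>'.
    """
    raw = client_id_bytes(dotted_hex)
    if not raw:
        raise ValueError("empty client-id")
    id_type, value = raw[0], raw[1:]
    if id_type == 1 and len(value) == 6:
        text = ".".join(value.hex()[i:i + 4] for i in range(0, 12, 4))
        kind = "hardware-address"
    else:
        text = value.decode("ascii", errors="replace")
        kind = "string"
    return {"type": id_type, "kind": kind, "value": text}


def same_client(a: str, b: str) -> bool:
    """A manual binding only matches when the whole identifier is identical."""
    return client_id_bytes(a) == client_id_bytes(b)


if __name__ == "__main__":
    for label, cid in (("binding", BINDING_CLIENT_ID), ("configured", CONFIGURED_CLIENT_ID)):
        d = decode_client_id(cid)
        print(f"{label:>10}: type {d['type']} {d['kind']} -> {d['value']!r}")
    print("identical:", same_client(BINDING_CLIENT_ID, CONFIGURED_CLIENT_ID))
```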

DNS

  • IOS has the DNS client enabled by default, that is why if we mistype a command it can take a few minutes for it to throw up an error
  • we can disable this behaviour with no ip domain-lookup
  • We could specify a dns server with ip name-server "ip" on the client and leave ip domain-lookup on
  • For configuring IOS as a server we do no ip domain-lookup and specify ourselves as the name server with ip name-server "my ip"
  • To create host records: ip host "hostname" "host ip"
  • We can configure the dns server ip in cisco ios dhcp as above



LAB
r1
---
ok we will configure r1 as dns server

r1(config)#ip dns server
r1(config)#ip host R3 3.3.3.3
r1(config)#

We have added a record for 3.3.3.3 for r3
s2
---
s2(config)#ip domain lookup
s2(config)#ip name-server 1.1.1.1
s2(config)#

s2#ping R3
Translating "R3"...domain server (1.1.1.1) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 59/65/67 ms
s2#


NAT

NAT

  • Network Address Translation rewrites the source ip address in a packet, normally to hide private ip addresses
  • Also used in cases where we have overlapping subnets, maybe after a merger of networks
  • static translation is a 1 to 1 translation, guaranteed the same ip every time
  • dynamic translation is 1 to 1 done dynamically, so not guaranteed the same ip every time
  • Port address translation is many to one translation based on tcp/udp ports, common for overloading scenarios
  • Inside local is the inside ip before translation
  • inside global is the inside ip after translation
  • outside global is the original outside ip address
  • outside local is the outside ip after translation as seen on the inside
  • Major thing in nat is the order of operations: when going from inside to outside routing takes place before nat, when coming from outside to inside routing takes place after nat.

Commands

Static Nat

ip nat inside source static 10.10.10.1 30.30.30.30 - this is going out
ip nat outside source static 30.30.30.30 10.10.10.1 - this is coming in
int fa0/0
ip nat inside
int s0/0
ip nat outside

Dynamic Nat

ip nat pool "name of pool" "start ip" "end ip" netmask "mask"
access-list "acl no" permit "source ip"
ip nat inside source list "acl no" pool "name of pool"

int fa0/0
ip nat inside
int s0/0
ip nat outside

PAT

To the source list command we just need to add the keyword overload, so we could define a smaller pool and choose overload; when the pool runs out it will overload the last ip?



LAB
----
For the LAB sw2 and r5 are inside the network, r5 is the border router and will do the nat
The rest of the routers are outside, they do not have a route to the inside address 10.164.48.0/24


s2
----
s2(config)#int vlan 58
s2(config-if)#ip address 10.164.48.2 255.255.255.0
s2(config-if)#e
00:09:37: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 155.0.58.5 (Vlan58) is down: interface downxit
s2(config)#ip route 0.0.0.0 0.0.0.0 10.164.48.5

r5
---
r5(config)#int fa0/0
r5(config-if)#ip address 10.164.48.5 255.255.255.0
r5(config-if)#no shut
r5(config-if)#


The first thing we will do is define a pool for the nat address
r5(config)#do sh run | begin ip nate
r5(config)#do sh run | begin ip nat
ip nat pool INSIDE-GLOBAL 155.28.254.0 155.28.254.254 prefix-length 24 add-route

what this command is saying is that we will use a pool 155.28.254.0-254 with mask /24; the add-route adds a static route to NVI0 (the nat virtual interface) so we can advertise it out to external networks

r5(config)#router eigrp 1
r5(config-router)#redistribute static 1 1 1 1 1 1
                                      ^
% Invalid input detected at '^' marker.
r5(config-router)#redistribute static metric 1 1 1 1 1

Next step we will define an access-list of what we are going to NAT
r5(config)#access-list 1 permit 10.164.48.0 0.0.0.255

so we will nat addresses in 10.164.48.0/24. This is an important step: we can have problems if we start doing permit ip any any, control plane traffic can end up getting natted and we get unexpected results, it is better to limit the list down to our specific networks

Next step is the actual nat command

r5(config)#ip nat source list 1 pool INSIDE-GLOBAL overload

ok so this is saying source list 1 is anything matched in acl 1 and we will use the pool INSIDE-GLOBAL with port overload; if we run out of addresses we can use port numbers to do many to one translations
ok next is to enable it on the interfaces
r5(config)#int fa0/0
r5(config-if)#ip nat enable

r5(config-if)#int s0/0/0
r5(config-if)#ip nat enable


s2
---

s2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 67/67/67 ms
i can ping 1.1.1.1 successfully

r5
---
r5#sh ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
r5#sh ip nat nvi tran
Pro Source global      Source local       Destin  local      Destin  global
icmp 155.28.254.1:5    10.164.48.2:5      1.1.1.1:5          1.1.1.1:5
r5#

we are getting translated from 10.164.48.2 to 155.28.254.1 port 5


r1
---
we can see this traffic being sent back from src 1.1.1.1 dst 155.28.254.1
when this gets to r5, r5 checks its state table above and will forward the reply back to 10.164.48.2

*Mar  1 03:00:16.795: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:16.859: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:16.927: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:16.995: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.063: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.131: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.199: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.263: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.331: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.399: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.467: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.531: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.599: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.667: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.735: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.799: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1


r1
---
r1#ping 155.28.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.28.254.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#telnet 155.28.254.1
Trying 155.28.254.1 ...

i can not ping or telnet, this is because there is no way for r5 to know to forward this to 10.164.48.2 as there is no state information from an outbound packet
we can create a static entry for 

r5
----
r5(config)#ip nat source static tcp 10.164.48.2 23 interface s0/0/0 8080

basically this command is saying anything coming in on port 8080 on interface s0/0/0 will be redirected to 10.164.48.2 on port 23
r5#clear ip nat nvi translation *


r1
---
r1#
r1#telnet 155.0.0.5 8080
Trying 155.0.0.5, 8080 ... Open

User Access Verification
Username: cisco
Password:
s2>

working as expected
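A small Python model of what r5's translation table is doing in this lab (added example, not IOS or the post's code): sources matched by access-list 1 get the pool address and keep their port unless it is taken, replies are matched against that state, unsolicited inbound packets have no entry and go nowhere, and the static tcp entry is the only way in. The outside interface address 155.0.0.5 used for the static entry is assumed from the telnet test.

```python
"""Stateful PAT as r5 does it with NVI in this lab (constructed model, not IOS code)."""
import ipaddress
from dataclasses import dataclass, field

# Values from the lab: what access-list 1 matches, the first pool address handed out,
# and the s0/0/0 address r1 telnets to (assumed to be r5's outside interface).
NAT_ACL = ipaddress.ip_network("10.164.48.0/24")
POOL_ADDRESS = "155.28.254.1"
OUTSIDE_INTERFACE_IP = "155.0.0.5"


@dataclass
class PatTable:
    """Source translations as 'show ip nat nvi translations' lists them."""
    global_ip: str
    acl: ipaddress.IPv4Network
    dynamic: dict = field(default_factory=dict)  # (proto, inside ip, inside port) -> global port
    reverse: dict = field(default_factory=dict)  # (proto, global port) -> (inside ip, inside port)
    static: dict = field(default_factory=dict)   # (proto, global ip, global port) -> (inside ip, inside port)

    def add_static(self, proto, inside_ip, inside_port, global_ip, global_port):
        """ip nat source static tcp <inside ip> 23 interface s0/0/0 8080"""
        self.static[(proto, global_ip, global_port)] = (inside_ip, inside_port)

    def outbound(self, proto, src_ip, src_port):
        """Inside -> outside: only sources permitted by the list are translated; the
        original port is kept when free, otherwise the next free one is used (overload)."""
        if ipaddress.ip_address(src_ip) not in self.acl:
            return (src_ip, src_port)          # not in list 1: routed untranslated
        key = (proto, src_ip, src_port)
        if key not in self.dynamic:
            port = src_port
            while (proto, port) in self.reverse:
                port += 1
            self.dynamic[key] = port
            self.reverse[(proto, port)] = (src_ip, src_port)
        return (self.global_ip, self.dynamic[key])

    def inbound(self, proto, dst_ip, dst_port):
        """Outside -> inside: translation happens before routing, so the packet needs
        an existing dynamic entry or a static one; anything else has nowhere to go."""
        if (proto, dst_ip, dst_port) in self.static:
            return self.static[(proto, dst_ip, dst_port)]
        if dst_ip == self.global_ip and (proto, dst_port) in self.reverse:
            return self.reverse[(proto, dst_port)]
        return None

    def clear(self):
        """clear ip nat nvi translation * drops dynamic state; statics survive."""
        self.dynamic.clear()
        self.reverse.clear()


def lab_walkthrough() -> dict:
    nat = PatTable(POOL_ADDRESS, NAT_ACL)
    # s2 pings 1.1.1.1 with ICMP id 5: state is created and the echo reply is matched.
    out = nat.outbound("icmp", "10.164.48.2", 5)
    reply = nat.inbound("icmp", out[0], out[1])
    # r1 pings and telnets the pool address unsolicited: no state, so no inside host.
    unsolicited = nat.inbound("tcp", POOL_ADDRESS, 23)
    # The static entry publishes s2's telnet on port 8080 of the outside interface.
    nat.add_static("tcp", "10.164.48.2", 23, OUTSIDE_INTERFACE_IP, 8080)
    nat.clear()
    telnet = nat.inbound("tcp", OUTSIDE_INTERFACE_IP, 8080)
    # r5's own EIGRP hellos are sourced outside the list and are left alone.
    untouched = nat.outbound("eigrp", OUTSIDE_INTERFACE_IP, 0)
    return {"out": out, "reply": reply, "unsolicited": unsolicited,
            "telnet": telnet, "untouched": untouched}


if __name__ == "__main__":
    for name, result in lab_walkthrough().items():
        print(f"{name:>11}: {result}")
```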

GLBP

GLBP

  • Gateway Load Balancing Protocol, Cisco proprietary
  • Extends HSRP functionality to natively support load balancing
  • We can load balance in VRRP or HSRP by configuring multiple groups on interfaces
  • But GLBP provides native inbuilt load balancing for up to 4 devices
  • There are 2 elections: the first election is for the AVG (Active Virtual Gateway), this is based on priority with highest ip as tie breaker
  • The AVG will then look at all possible forwarders; if there are more than 4 it will elect forwarders and standby devices.
  • This election is based on weight. The weight also determines the traffic share of load balancing given to each gateway. It is not exact but provides some level of weighting
  • When a client arps for the gateway address the AVG will reply with the mac of one of the forwarders, it will go through them in a weighted round robin way
  • As clients keep an arp cache and will not arp every time for the gateway address the load balancing is not exact
  • By default, GLBP routers use the local multicast address 224.0.0.102 to send hello packets to their peers every 3 seconds over UDP 3222 (source and destination)
  • We can manipulate the weight in conjunction with the likes of ip sla and enhanced object tracking to say if a particular event happens the weight will be decremented.
  • We configure upper and lower limits: if we go below the lower limit we lose our AVF status, the upper limit is the weight we must be at to regain our AVF status
  • default priority is 100
Commands

int fa0/0
glbp 10 ip 10.10.10.1
glbp 10 priority 110
glbp 10 weighting 110 lower 85 upper 105
glbp 10 weighting track 20 decrement 30

ip sla 18
icmp-echo 10.9.9.9
ip sla schedule 18 life forever start-time now

track 20 rtr 18 state

so in the above we track the reachability from this layer 3 switch to 10.9.9.9; if it is not reachable we decrement our weight by 30, this would have us at weight 80, below the lower limit of 85, so we would lose our AVF status

LAB
----

r6
---
r6(config-subif)#int fa0/0.146
r6(config-subif)#glbp 10 ip 155.0.146.254
r6(config-subif)#
*Feb 25 13:48:26.962: GLBP: joining IPv4 multicast on Fa0/0.146
*Feb 25 13:48:26.962: GLBP: joining IPv6 multicast on Fa0/0.146
*Feb 25 13:48:26.962: GLBP: Fa0/0.146 API 155.0.146.254 is not a GLBP address in table 0
*Feb 25 13:48:26.962: GLBP: Fa0/0.146 10 Disabled: a/GLBP IP address configured
*Feb 25 13:48:26.962: GLBP: Fa0/0.146 10 Disabled -> Init
r6(config-subif)#
*Feb 25 13:48:36.966: GLBP: Fa0/0.146 Interface up
*Feb 25 13:48:36.966: GLBP: Fa0/0.146 10 Init: d/GLBP enabled
*Feb 25 13:48:36.966: GLBP: Fa0/0.146 10 Init -> Listen
*Feb 25 13:48:39.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Listen  pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:39.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:39.966:     UDP src=3222, dst=3222
*Feb 25 13:48:42.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Listen  pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:42.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:42.966:     UDP src=3222, dst=3222
*Feb 25 13:48:45.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Listen  pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:45.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:45.966:     UDP src=3222, dst=3222
*Feb 25 13:48:46.966: GLBP: Fa0/0.146 10 Listen: g/Active timer expired (unknown)
*Feb 25 13:48:46.966: GLBP: Fa0/0.146 10 Listen -> Speak
*Feb 25 13:48:46.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Speak   pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:46.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:46.966:     UDP src=3222, dst=3222
*Feb 25 13:48:49.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Speak   pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:49.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:49.966:     UDP src=3222, dst=3222
*Feb 25 13:48:52.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Speak   pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:52.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:52.966:     UDP src=3222, dst=3222
*Feb 25 13:48:55.874: IP: s=155.0.67.1 (FastEthernet0/0.67), d=224.0.0.1, len 28, rcvd 0, proto=2
*Feb 25 13:48:55.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Speak   pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:55.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:55.966:     UDP src=3222, dst=3222
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Speak: f/Standby timer expired (unknown)
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Standby router is local
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Speak -> Standby
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Standby pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:56.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:56.966:     UDP src=3222, dst=3222
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Standby: g/Active timer expired (unknown)
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Active router IP is local
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Standby router is unknown, was local
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Standby -> Active
*Feb 25 13:48:56.966: %GLBP-6-STATECHANGE: FastEthernet0/0.146 Grp 10 state Standby -> Active
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10.1 Disabled: a/Forwarder MAC address acquired

we can see we are multicasting out to 224.0.0.102 over udp 3222
we go through the VG (virtual gateway) listen and speak states, this is where we would be doing the election if other gateways were online, none are so we become active as the AVG


r6#sh glbp
FastEthernet0/0.146 - Group 10
  State is Active
    2 state changes, last state change 00:02:54
  Virtual IP address is 155.0.146.254
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.308 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption disabled
  Active is local
  Standby is unknown
  Priority 100 (default)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    0013.80e4.901a (155.0.146.6) local
  There is 1 forwarder (1 active)
  Forwarder 1
    State is Active
      1 state change, last state change 00:02:44
    MAC address is 0007.b400.0a01 (default)
    Owner ID is 0013.80e4.901a
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100
r6#

There are 2 parts to this output: the first part is referencing the active virtual gateway and the 2nd part is referencing the forwarders


r4
---
r4(config)#int fa0/1
r4(config-if)#glbp 10 ip 155.0.146.254


r4#sh glbp
FastEthernet0/1 - Group 10
  State is Standby
    1 state change, last state change 00:00:01
  Virtual IP address is 155.0.146.254
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.572 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption disabled
  Active is 155.0.146.6, priority 100 (expires in 9.928 sec)
  Standby is local
  Priority 100 (default)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    0012.d993.728d (155.0.146.4) local
    0013.80e4.901a (155.0.146.6)
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Listen
    MAC address is 0007.b400.0a01 (learnt)
    Owner ID is 0013.80e4.901a
    Time to live: 14399.928 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 155.0.146.6 (primary), weighting 100 (expires in 9.452 sec)
  Forwarder 2
    State is Active
      1 state change, last state change 00:00:11
    MAC address is 0007.b400.0a02 (default)
    Owner ID is 0012.d993.728d
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100
r4#
so we are in standby for the AVG as r6 is the AVG
there are 2 forwarders on the link

r6
---
r6(config-subif)#int fa0/0.146
r6(config-subif)#glbp 10 priority 90

the priority is in relation to the active gateway, not forwarding
preemption is disabled by default

r4
----
r4(config)#int fa0/1
r4(config-if)#glbp 10 preempt
r4(config-if)#
*Feb 25 13:45:44.866: %GLBP-6-STATECHANGE: FastEthernet0/1 Grp 10 state Standby -> Active

now i am the active gateway so i am responding to the arp request

if we look at this command on r4
r4(config)#int fa0/1
r4(config-if)#glbp 10 weighting 110 lower 85 upper 105

so the lower limit: if my weighting goes below 85 i will no longer forward for the segment
but only once my weighting comes back up to 105 will i be allowed to forward for the segment again
r4(config-if)#glbp 1 weighting track 1

We can get into complex ip sla setups, say if one ip is unreachable decrement by 20, if another is down decrement by 10, so we can be very specific on what conditions we forward under by playing with the weights

we also tell r4 we want to load balance based on weighting
r4(config-if)#glbp 10 load-balancing weighted
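The weighting thresholds from the Commands section and r4's lower 85 / upper 105 configuration above, as a Python model (added example, not IOS code): a forwarder loses AVF when its weight drops below lower and regains it only once the weight reaches upper, and the AVG hands out forwarder MACs in a smooth weighted round-robin.

```python
"""GLBP weighting thresholds and weighted round-robin, using the lab values
(constructed model, not IOS code)."""
from dataclasses import dataclass, field


@dataclass
class Forwarder:
    name: str
    weighting: int = 100          # glbp 10 weighting <w> lower <l> upper <u>
    lower: int = 1
    upper: int = 100
    is_avf: bool = True           # currently allowed to forward for the segment
    _current: int = field(default=0, repr=False)

    def track(self, decrement: int, object_up: bool) -> bool:
        """Apply 'glbp 10 weighting track <obj> decrement <n>' for one tracked object.
        Weight is lowered while the object is down and restored when it comes back.
        Thresholds give hysteresis: drop below `lower` to lose AVF, reach `upper`
        to get it back, so a weight sitting between the two does not flap."""
        self.weighting += decrement if object_up else -decrement
        if self.is_avf and self.weighting < self.lower:
            self.is_avf = False
        elif not self.is_avf and self.weighting >= self.upper:
            self.is_avf = True
        return self.is_avf


class ActiveVirtualGateway:
    """The AVG answers ARP for the virtual IP with one forwarder's virtual MAC."""

    def __init__(self, forwarders):
        self.forwarders = forwarders

    def arp_reply(self) -> str:
        """Smooth weighted round-robin over the forwarders that currently hold AVF."""
        active = [f for f in self.forwarders if f.is_avf]
        if not active:
            raise RuntimeError("no active virtual forwarder")
        total = sum(f.weighting for f in active)
        for f in active:
            f._current += f.weighting
        chosen = max(active, key=lambda f: f._current)
        chosen._current -= total
        return chosen.name


def share(avg: ActiveVirtualGateway, replies: int) -> dict:
    """Count which forwarder each of `replies` ARP requests was handed to."""
    counts = {}
    for _ in range(replies):
        name = avg.arp_reply()
        counts[name] = counts.get(name, 0) + 1
    return counts


def threshold_walkthrough() -> list:
    """r4's configuration: weighting 110 lower 85 upper 105, track decrement 30."""
    r4 = Forwarder("r4", weighting=110, lower=85, upper=105)
    steps = []
    steps.append(("10.9.9.9 unreachable (-30)", r4.track(30, object_up=False), r4.weighting))  # 80 < 85
    steps.append(("10.9.9.9 reachable (+30)", r4.track(30, object_up=True), r4.weighting))     # 110 >= 105
    # A smaller decrement of 20 leaves the weight at 90, between lower and upper,
    # so r4 keeps forwarding; a second object dropping another 10 crosses lower,
    # and restoring only that object (back to 90) is not enough to regain AVF.
    steps.append(("one object down (-20)", r4.track(20, object_up=False), r4.weighting))
    steps.append(("second object down (-10)", r4.track(10, object_up=False), r4.weighting))
    steps.append(("second object back (+10)", r4.track(10, object_up=True), r4.weighting))
    return steps


if __name__ == "__main__":
    for label, avf, w in threshold_walkthrough():
        print(f"{label:<28} weighting={w:<4} avf={avf}")
    avg = ActiveVirtualGateway([Forwarder("r4", 110, 85, 105), Forwarder("r6", 100, 85, 105)])
    print(share(avg, 21))
```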

VRRP

VRRP

  • IETF alternative to HSRP
  • Uses the terms master/backup as opposed to primary and standby
  • Concepts are nearly identical
  • VRRP has preempt on by default
  • Also lower default timers, 1 second hello and 3 second dead
  • It uses a virtual mac of 0000.5E00.01xx where xx is the group
  • uses the vrrp interface command instead of standby
  • It has its own dedicated protocol number so it is not using udp, the vrrp protocol number is 112
  • Also it has its own dedicated multicast group 224.0.0.18
  • it can only track objects, it does not have the track interface option compared to HSRP, but in general tracking an object like an ip sla is the better choice as track interface depends only on line protocol
  • it supports md5 authentication, implemented the same way with key chain and key string as HSRP
  • it also supports plain text authentication
Commands

int fa0/1
vrrp 10 ip 155.0.0.10
vrrp 10 authentication md5 key-chain cisco
or
vrrp 10 authentication md5 key-string cisco
vrrp 10 preempt delay minimum 10 - wait 10 seconds before preempting


LAB

As this is almost identical to HSRP i will just do a quick lab and then do a lab on authentication
this authentication would work on HSRP, VRRP or GLBP



r6(config)#int fa0/0.146
r6(config-subif)#vrrp 10 ip 155.0.146.254
r6(config-subif)#
*Feb 25 12:54:13.795: %VRRP-6-STATECHANGE: Fa0/0.146 Grp 10 state Create -> Disable
*Feb 25 12:54:13.795: VRRP: Grp 10 Event - primary IP configured
*Feb 25 12:54:13.795: %VRRP-6-STATECHANGE: Fa0/0.146 Grp 10 state Disable -> Init
*Feb 25 12:54:13.795: VRRP: vrrp_interface_state: Fa0/0.146 is Up
*Feb 25 12:54:13.795: VRRP: Grp 10 Event - Interface UP
*Feb 25 12:54:13.795: %VRRP-6-STATECHANGE: Fa0/0.146 Grp 10 state Init -> Backup
*Feb 25 12:54:17.407: VRRP: Grp 10 Event - Master down timer expired
*Feb 25 12:54:17.407: %VRRP-6-STATECHANGE: Fa0/0.146 Grp 10 state Backup -> Master
*Feb 25 12:54:17.407: VRRP: tbridge_smf_update failed
*Feb 25 12:54:17.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:17.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:18.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:18.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:19.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:19.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:20.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:20.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:21.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:21.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:22.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:22.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:23.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:23.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:24.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:24.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:25.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:25.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:26.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:26.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
ok so we can see that it started in disabled, went to init then backup then to master, then it
started sending to the multicast group 224.0.0.18 with its own protocol 112, it is not
using udp 1985 like HSRP was


r4
---
r4#sh run int fa0/1
Building configuration...
Current configuration : 142 bytes
!
interface FastEthernet0/1
 ip address 155.0.146.4 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
 vrrp 10 ip 155.0.146.254
end
r4#
one of the first things to notice is that preempt is on by default

r4(config)#int fa0/1
r4(config-if)#vrrp 10 priority 105
r4(config-if)#
*Feb 25 12:44:25.875: %VRRP-6-STATECHANGE: Fa0/1 Grp 10 state Backup -> Master

so i do not need to configure preempt

next i will enable authentication on r4
r4(config)#int fa0/1
r4(config-if)#vrrp 10 authentication ?
  WORD  Plain text authentication string
  md5   Use MD5 authentication
  text  Plain text authentication
r4(config-if)#vrrp 10 authentication md5 ?
  key-chain   Set key chain
  key-string  Set key string
r4(config-if)#vrrp 10 authentication md5 key-string PASSWORD

r4#sh vrrp
FastEthernet0/1 - Group 10
  State is Master
  Virtual IP address is 155.0.146.254
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 105
  Authentication MD5, key-string "PASSWORD"
  Master Router is 155.0.146.4 (local), priority is 105
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.589 sec
r4#

if we go to r6

r6#sh vrrp
FastEthernet0/0.146 - Group 10
  State is Master
  Virtual IP address is 155.0.146.254
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 155.0.146.6 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec
r6#

effectively vrrp is not working, both routers think they are master

basically r4 is rejecting r6's vrrp packets
*Feb 25 12:53:11.875: VRRP: Grp 10 sending Advertisement checksum 2B15u
*Feb 25 12:53:12.487: VRRP: Grp 10 Advertisement from 155.0.146.6 has incorrect
                authentication type 0 expected 254
*Feb 25 12:53:12.875: VRRP: Grp 10 sending MD5 digest:

because of the incorrect authentication; r6 then does not receive a reply from r4 so it believes it is
the only vrrp router on the segment and goes to the master state
on r6
------

r6(config)#int fa0/0.146
r6(config-subif)#vrrp 10 authentication md5 key-string PASSWORD

r6#sh vrrp
FastEthernet0/0.146 - Group 10
  State is Backup
  Virtual IP address is 155.0.146.254
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Authentication MD5, key-string "PASSWORD"
  Master Router is 155.0.146.4, priority is 105
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.349 sec)

r6 has gone to backup and we are back to a proper vrrp config

we could also specify a key chain if we wanted to
r6(config)#do sh run | sec key chain
key chain VRRP-KEY
 key 1
  key-string PASSWORD
  accept-lifetime 00:00:00 Jan 1 1993 infinite
r6(config)#
r6(config)#int fa0/0.146
r6(config-subif)#vrrp 10 authentication md5 key-chain VRRP-KEY

another option for preempt, in HSRP, GLBP and VRRP
r6(config-subif)#int fa0/0.146
r6(config-subif)#vrrp 10 preempt delay minimum 10

we can configure that when a router finds out it has a higher priority it waits a delay of a
few seconds before it preempts
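The authentication mismatch and the election above as a Python model (added example, not the post's or IOS code): a router drops advertisements whose auth type or key differ from its own, so with only r4 on md5 both routers time out and both become master; the master down interval of 3 * advertisement interval + (256 - priority) / 256 gives 3.5898 s and 3.6094 s, which is what sh vrrp shows truncated as 3.589 and 3.609 sec.

```python
"""VRRP election with the authentication mismatch seen in the lab
(constructed model, not IOS code)."""
import ipaddress
from dataclasses import dataclass

ADVERTISEMENT_INTERVAL = 1.0   # 'Advertisement interval is 1.000 sec'
AUTH_NONE, AUTH_MD5 = 0, 254   # 'incorrect authentication type 0 expected 254' in r4's debug


def master_down_interval(priority: int, adv_interval: float = ADVERTISEMENT_INTERVAL) -> float:
    """3 * advertisement interval + skew, skew = (256 - priority) / 256 (RFC 3768).
    A higher priority gives a shorter wait, which is how the election is won."""
    return 3 * adv_interval + (256 - priority) / 256


@dataclass
class VrrpRouter:
    name: str
    ip: str
    priority: int = 100
    auth_type: int = AUTH_NONE
    auth_key: str = ""
    preempt: bool = True        # on by default in VRRP, unlike HSRP and GLBP
    state: str = "Backup"
    master_ip: str = ""

    def advertisement(self) -> dict:
        """What this router sends to 224.0.0.18 with IP protocol 112."""
        return {"src": self.ip, "priority": self.priority,
                "auth_type": self.auth_type, "auth_key": self.auth_key}

    def accepts(self, adv: dict) -> bool:
        """Advertisements whose authentication differs from the local config are
        dropped, so a router with the wrong key never hears the other side."""
        return adv["auth_type"] == self.auth_type and adv["auth_key"] == self.auth_key

    def receive(self, adv: dict) -> str:
        """Process one advertisement and return the resulting state."""
        if not self.accepts(adv):
            return self.state                 # rejected: the master down timer keeps running
        remote = (adv["priority"], int(ipaddress.ip_address(adv["src"])))
        local = (self.priority, int(ipaddress.ip_address(self.ip)))
        if remote > local:
            self.state, self.master_ip = "Backup", adv["src"]
        elif self.state == "Backup" and self.preempt:
            self.state, self.master_ip = "Master", self.ip
        return self.state

    def master_down_timer_expired(self) -> str:
        """Nothing acceptable heard for master_down_interval(): become Master."""
        self.state, self.master_ip = "Master", self.ip
        return self.state


def exchange(a: VrrpRouter, b: VrrpRouter) -> tuple:
    """Both routers start as if alone on the segment (timer expires), then each
    processes the other's advertisement. Returns (state of a, state of b)."""
    a.master_down_timer_expired()
    b.master_down_timer_expired()
    a.receive(b.advertisement())
    b.receive(a.advertisement())
    return a.state, b.state


def lab_states() -> dict:
    # r4 has md5 key-string PASSWORD, r6 is still unauthenticated.
    r4 = VrrpRouter("r4", "155.0.146.4", priority=105, auth_type=AUTH_MD5, auth_key="PASSWORD")
    r6 = VrrpRouter("r6", "155.0.146.6", priority=100)
    mismatched = exchange(r4, r6)
    # r6 gets the same key: advertisements are accepted again and r4 wins on priority.
    r6.auth_type, r6.auth_key = AUTH_MD5, "PASSWORD"
    matched = exchange(r4, r6)
    return {"mismatched": mismatched, "matched": matched}


if __name__ == "__main__":
    print(f"r4 (priority 105) master down interval: {master_down_interval(105):.4f} s")
    print(f"r6 (priority 100) master down interval: {master_down_interval(100):.4f} s")
    print(lab_states())
```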

HSRP

HSRP (Hot Standby Router Protocol)

  • Cisco proprietary
  • elects the gateway based on highest priority, 100 is default, 255 is maximum, tie breaker is highest ip
  • default is no preempt
  • uses udp multicast 224.0.0.2 (all routers) on port 1985
  • arp response contains the virtual mac 0000.0c07.acxx where xx is the group number
  • can use clear text or md5 authentication
  • default hello is 3 and dead 10
  • speak state router is a router that is not elected primary or standby
  • 256 hsrp groups is the limit
  • It does not support DDR
  • standby use-bia - uses the burnt in address of the switch instead of the well known mac
  • NAT is supported but can have issues when the standby takes over as the state table is not maintained
  • In radius and tacacs hsrp routers appear as 1 and the primary sends info to the radius server
  • it is not possible to track a gre interface
  • it is possible to run hsrp for the primary and secondary subnet
  • hsrpv2 supports millisecond timers
  • there are 255 groups in v1, there are 4095 in v2
  • hsrpv2 uses a different mac 0000.0c9f.fxxx where xxx is the group
  • hsrpv2 multicasts to 224.0.0.102
  • Supports multiple groups per interface so we can have a few groups configured and potentially load balance
  • can integrate with ip sla via enhanced object tracking
  • technically standby only needs to be configured on the standby router but it should be configured on both for when the primary router comes back available
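The virtual MACs in the HSRP and VRRP bullets and the 0007.b400.0a01/0a02 forwarder MACs in the sh glbp output all follow fixed patterns, so an ARP reply for a gateway address can be attributed to a protocol and group. Added Python example, not from the post: classify a MAC, derive the expected MAC for a group, and flag a gateway answering with a MAC outside all four ranges.

```python
"""Identify first-hop redundancy protocol virtual MACs seen in ARP replies
(added example, not from the post)."""
import re


def normalise(mac: str) -> str:
    """Accept 00:00:0c:07:ac:0a, 00-00-0c-07-ac-0a or 0000.0c07.ac0a; return dotted lowercase."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def classify_virtual_mac(mac: str):
    """Return (protocol, group, forwarder) or None for a non-FHRP address.

    Well-known ranges: HSRPv1 0000.0c07.acXX, HSRPv2 0000.0c9f.fXXX,
    VRRP 0000.5e00.01XX, GLBP 0007.b400.GGFF (GG = group, FF = forwarder).
    """
    raw = int(normalise(mac).replace(".", ""), 16)
    if raw >> 8 == 0x00000c07ac:
        return ("HSRPv1", raw & 0xFF, None)
    if raw >> 12 == 0x00000c9ff:
        return ("HSRPv2", raw & 0xFFF, None)
    if raw >> 8 == 0x00005e0001:
        return ("VRRP", raw & 0xFF, None)
    if raw >> 16 == 0x0007b400:
        return ("GLBP", (raw >> 8) & 0xFF, raw & 0xFF)
    return None


def virtual_mac(protocol: str, group: int, forwarder: int = 1) -> str:
    """Inverse: the MAC a given protocol/group should answer ARP with."""
    table = {
        "HSRPv1": (0x00000c07ac00, 0xFF, 0),
        "HSRPv2": (0x00000c9ff000, 0xFFF, 0),
        "VRRP": (0x00005e000100, 0xFF, 0),
        "GLBP": (0x0007b4000000, 0xFF, 8),
    }
    base, max_group, shift = table[protocol]
    if not 0 <= group <= max_group:
        raise ValueError(f"{protocol} group {group} out of range 0-{max_group}")
    raw = base | (group << shift) | (forwarder if protocol == "GLBP" else 0)
    return normalise(f"{raw:012x}")


def audit_arp_table(entries) -> list:
    """Label each (ip, mac) pair from a show arp or capture: a gateway address
    answered with a burned-in address rather than an FHRP virtual MAC is worth a look."""
    findings = []
    for ip, mac in entries:
        ident = classify_virtual_mac(mac)
        findings.append((ip, mac, ident[0] if ident else "not an FHRP virtual MAC"))
    return findings


if __name__ == "__main__":
    # Constructed ARP cache: the two virtual MACs from the lab plus r6's own interface MAC.
    sample = [("155.0.146.254", "0007.b400.0a01"), ("155.0.146.254", "0000.5e00.010a"),
              ("155.0.146.254", "0013.80e4.901a")]
    for row in audit_arp_table(sample):
        print(row)
```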
HRSP STATES

Initial
Listen
Speak
Standby
Active

Commands

int fa0/0
standby 1 ip 155.0.0.1
standby 1 preempt
standby 1 priority 120
standby version 1/2

sh standby

LAB

Ok so for the lab r1 will be the end host with a default gateway of 155.0.146.254, r4 and r6 will
run hsrp with 155.0.146.254 being the virtual default gateway

r1
---
so i am setting r1 not to do routing and to have a default gateway of 155.0.146.254
r1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
r1(config)#no ip routing
*Mar  1 02:55:51.199: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 155.0.146.4
(FastEthernet0/0) is down: interface down
*Mar  1 02:55:51.203: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 155.0.146.6
(FastEthernet0/0) is down: interface down
r1(config)#
r1(config)#ip default-gateway 155.0.146.254

r4
---

I will create an ACL:
r4(config)#access-list 112 deny eigrp any any
r4(config)#access-list 112 deny pim?
pim
r4(config)#access-list 112 deny pim  any any
r4(config)#access-list 112 permit ip any any
This will be applied to our debug to keep it cleaner.
r4#debug ip packet detail 112
IP packet debugging is on (detailed) for access list 112
r4#

r4#debug standby
HSRP debugging is on
r4#config t
Enter configurat


r4(config)#int fa0/1
r4(config-if)#standby 10 ip 155.0.146.254
r4(config-if)#
*Feb 25 10:14:46.535: HSRP: Fa0/1 Starting minimum interface delay (1 secs)
*Feb 25 10:14:46.535: HSRP: Fa0/1 Grp 10 Disabled -> Init
*Feb 25 10:14:46.535: HSRP: Fa0/1 Grp 10 Redundancy "hsrp-Fa0/1-10" state Disabled -> Init
*Feb 25 10:14:46.539: HSRP: Fa0/1 Redundancy server "hsrp-Fa0/1-10" update, Disabled -> Init
*Feb 25 10:14:46.539: HSRP: Fa0/1 Redundancy server "hsrp-Fa0/1-10" added
*Feb 25 10:14:47.535: HSRP: Fa0/1 Interface min delay expired
*Feb 25 10:14:47.535: HSRP: Fa0/1 Grp 10 Init: a/HSRP enabled
*Feb 25 10:14:47.535: HSRP: Fa0/1 Grp 10 Init -> Listen
*Feb 25 10:14:47.535: HSRP: Fa0/1 Grp 10 Redundancy "hsrp-Fa0/1-10" state Init -> Backup
*Feb 25 10:14:47.535: HSRP: Fa0/1 Redundancy server "hsrp-Fa0/1-10" update, Init -> Backup
*Feb 25 10:14:47.535: HSRP: Fa0/1 Redirect adv out, Passive, active 0 passive 1
*Feb 25 10:14:47.535: IP: s=155.0.146.4 (local), d=224.0.0.2 (FastEthernet0/1), len 44,
sending broad/multicast
*Feb 25 10:14:47.535:     UDP src=1985, dst=1985
*Feb 25 10:14:53.571: IP: s=155.0.146.1 (FastEthernet0/1), d=224.0.0.1, len 28, rcvd 0,
proto=2
*Feb 25 10:14:57.535: HSRP: Fa0/1 Grp 10 Listen: c/Active timer expired (unknown)
*Feb 25 10:14:57.535: HSRP: Fa0/1 Grp 10 Listen -> Speak
*Feb 25 10:14:57.535: HSRP: Fa0/1 Grp 10 Redundancy "hsrp-Fa0/1-10" state Backup -> Speak
*Feb 25 10:14:57.535: HSRP: Fa0/1 Redundancy server "hsrp-Fa0/1-10" update, Backup -> Speak
*Feb 25 10:14:57.535: HSRP: Fa0/1 Grp 10 Hello  out 155.0.146.4 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:14:57.535: IP: s=155.0.146.4 (local), d=224.0.0.2 (FastEthernet0/1), len 48,
sending broad/multicast
*Feb 25 10:14:57.535:     UDP src=1985, dst=1985
*Feb 25 10:14:59.667: IP: s=155.0.146.4 (local), d=224.0.1.40 (FastEthernet0/1), len 28,
sending broad/multicast, proto=2
*Feb 25 10:15:00.535: HSRP: Fa0/1 Grp 10 Hello  out 155.0.146.4 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:15:00.535: IP: s=155.0.146.4 (local), d=224.0.0.2 (FastEthernet0/1), len 48,
sending broad/multicast
*Feb 25 10:15:00.535:     UDP src=1985, dst=1985
*Feb 25 10:15:03.535: HSRP: Fa0/1 Grp 10 Hello  out 155.0.146.4 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:15:03.535: IP: s=155.0.146.4 (local), d=224.0.0.2 (FastEthernet0/1), len 48,
sending broad/multicast
*Feb 25 10:15:03.535:     UDP src=1985, dst=1985
*Feb 25 10:15:06.535: HSRP: Fa0/1 Grp 10 Hello  out 155.0.146.4 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:15:06.535: IP: s=155.0.146.4 (local), d=224.0.0.2 (FastEthernet0/1), len 48,
sending broad/multicast
*Feb 25 10:15:06.535:     UDP src=1985, dst=1985
*Feb 25 10:15:07.535: HSRP: Fa0/1 Grp 10 Speak: d/Standby timer expired (unknown)
*Feb 25 10:15:07.535: HSRP: Fa0/1 Grp 10 Standby router is local
*Feb 25 10:15:07.535: HSRP: Fa0/1 Grp 10 Speak -> Standby
*Feb 25 10:15:07.535: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 10 state Speak -> Standby
*Feb 25 10:15:07.535: HSRP: Fa0/1 Grp 10 Redundancy "hsrp-Fa0/1-10" state Speak -> Standby
*Feb 25 10:15:07.535: HSRP: Fa0/1 Redundancy server "hsrp-Fa0/1-10" update, Speak -> Standby
*Feb 25 10:15:07.535: HSRP: Fa0/1 Grp 10 Hello  out 155.0.146.4 Standby pri 100 vIP
155.0.146.254
*Feb 25 10:15:07.535: IP: s=155.0.146.4 (local), d=224.0.0.2 (FastEthernet0/1), len 48,
sending broad/multicast
*Feb 25 10:15:07.535:     UDP src=1985, dst=1985
*Feb 25 10:15:08.035: HSRP: Fa0/1 Grp 10 Standby: c/Active timer expired (unknown)
*Feb 25 10:15:08.035: HSRP: Fa0/1 Grp 10 Active router is local
*Feb 25 10:15:08.035: HSRP: Fa0/1 Grp 10 Standby router is unknown, was local
*Feb 25 10:15:08.035: HSRP: Fa0/1 Grp 10 Standby -> Active
*Feb 25 10:15:08.035: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 10 state Standby -> Active
*Feb 25 10:15:08.035: HSRP: Fa0/1 Grp 10 Redundancy "hsrp-Fa0/1-10" state Standby -> Active
*Feb 25 10:15:08.035: HSRP: Fa0/1 Redundancy server "hsrp-Fa0/1-10" update, Standby -> Active

From the output we can see that by enabling HSRP we started sending traffic to 224.0.0.2 (the
all-routers multicast address) with a source and destination port of 1985. We went from Initial
to Listen, just waiting to see whether we could hear any other routers on the segment, then to
Speak, where we generated our own HSRP hellos and waited for the election, then into Standby and
finally into Active.

If both routers on the segment went to Active you know that you have some underlying transport
issue. The first thing you really should do before configuring HSRP is to ensure layer 2
connectivity between all HSRP routers.

r6
--
We can see we are receiving the HSRP related packets.

I have enabled:
r6#sh run int fa0/0.146
Building configuration...
Current configuration : 149 bytes
!
interface FastEthernet0/0.146
 encapsulation dot1Q 146
 ip address 155.0.146.6 255.255.255.0
 ip pim sparse-mode
 standby 10 ip 155.0.146.254
end


Feb 25 10:38:42.475: HSRP: Fa0/0.146 Starting minimum interface delay (1 secs)
*Feb 25 10:38:42.479: HSRP: Fa0/0.146 Grp 10 Disabled -> Init
*Feb 25 10:38:42.479: HSRP: Fa0/0.146 Grp 10 Redundancy "hsrp-Fa0/0.146-10" state Disabled ->
Init
*Feb 25 10:38:42.479: HSRP: Fa0/0.146 Redundancy server "hsrp-Fa0/0.146-10" update, Disabled
-> Init
*Feb 25 10:38:42.479: HSRP: Fa0/0.146 Redundancy server "hsrp-Fa0/0.146-10" added
*Feb 25 10:38:43.475: HSRP: Fa0/0.146 Interface min delay expired
*Feb 25 10:38:43.475: HSRP: Fa0/0.146 Grp 10 Init: a/HSRP enabled
*Feb 25 10:38:43.475: HSRP: Fa0/0.146 Grp 10 Init -> Listen
*Feb 25 10:38:43.475: HSRP: Fa0/0.146 Grp 10 Redundancy "hsrp-Fa0/0.146-10" state Init ->
Backup
*Feb 25 10:38:43.475: HSRP: Fa0/0.146 Redundancy server "hsrp-Fa0/0.146-10" update, Init ->
Backup
*Feb 25 10:38:43.475: HSRP: Fa0/0.146 Redirect adv out, Passive, active 0 passive 1
*Feb 25 10:38:43.475: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 44,
sending broad/multicast
*Feb 25 10:38:43.475:     UDP src=1985, dst=1985
*Feb 25 10:38:44.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:44.267:     UDP src=1985, dst=1985
*Feb 25 10:38:44.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:44.267: HSRP: Fa0/0.146 Grp 10 Active router is 155.0.146.4
*Feb 25 10:38:44.267: HSRP: Fa0/0.146 Redirect adv out, Passive, active 0 passive 1
*Feb 25 10:38:44.267: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 44,
sending broad/multicast
*Feb 25 10:38:44.267:     UDP src=1985, dst=1985
*Feb 25 10:38:47.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:47.267:     UDP src=1985, dst=1985
*Feb 25 10:38:47.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:48.287: IP: s=155.0.67.1 (FastEthernet0/0.67), d=224.0.1.40, len 28, rcvd 0,
proto=2
*Feb 25 10:38:50.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:50.267:     UDP src=1985, dst=1985
*Feb 25 10:38:50.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:50.571: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:50.571:     UDP src=1985, dst=1985
*Feb 25 10:38:50.571: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:53.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:53.267:     UDP src=1985, dst=1985
*Feb 25 10:38:53.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:53.475: HSRP: Fa0/0.146 Grp 10 Listen: d/Standby timer expired (unknown)
*Feb 25 10:38:53.475: HSRP: Fa0/0.146 Grp 10 Listen -> Speak
*Feb 25 10:38:53.475: HSRP: Fa0/0.146 Grp 10 Redundancy "hsrp-Fa0/0.146-10" state Backup ->
Speak
*Feb 25 10:38:53.475: HSRP: Fa0/0.146 Redundancy server "hsrp-Fa0/0.146-10" update, Backup ->
Speak
*Feb 25 10:38:53.475: HSRP: Fa0/0.146 Grp 10 Hello  out 155.0.146.6 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:38:53.475: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 48,
sending broad/multicast
*Feb 25 10:38:53.475:     UDP src=1985, dst=1985
*Feb 25 10:38:56.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:56.267:     UDP src=1985, dst=1985
*Feb 25 10:38:56.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:56.475: HSRP: Fa0/0.146 Grp 10 Hello  out 155.0.146.6 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:38:56.475: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 48,
sending broad/multicast
*Feb 25 10:38:56.475:     UDP src=1985, dst=1985
*Feb 25 10:38:59.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:59.267:     UDP src=1985, dst=1985
*Feb 25 10:38:59.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:59.475: HSRP: Fa0/0.146 Grp 10 Hello  out 155.0.146.6 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:38:59.475: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 48,
sending broad/multicast
*Feb 25 10:38:59.475:     UDP src=1985, dst=1985
*Feb 25 10:39:00.535: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:39:00.535:     UDP src=1985, dst=1985
*Feb 25 10:39:00.535: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254u a
*Feb 25 10:39:02.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:39:02.267:     UDP src=1985, dst=1985
*Feb 25 10:39:02.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:39:02.475: HSRP: Fa0/0.146 Grp 10 Hello  out 155.0.146.6 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:39:02.475: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 48,
sending broad/multicast
*Feb 25 10:39:02.475:     UDP src=1985, dst=1985ll
                 ^
% Invalid input detected at '^' marker.
r6(config-subif)#
*Feb 25 10:39:03.475: HSRP: Fa0/0.146 Grp 10 Speak: d/Standby timer expired (unknown)
*Feb 25 10:39:03.475: HSRP: Fa0/0.146 Grp 10 Standby router is local
*Feb 25 10:39:03.475: HSRP: Fa0/0.146 Grp 10 Speak -> Standby
*Feb 25 10:39:03.475: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Speak -> Standbye
*Feb 25 10:39:03.475: HSRP: Fa0/0.146 Grp 10 Redundancy "hsrp-Fa0/0.146-10" state Speak ->
Standby
*Feb 25 10:39:03.475: HSRP: Fa0/0.146 Redundancy server "hsrp-Fa0/0.146-10" update, Speak ->
Standby
*Feb 25 10:39:03.475: HSRP: Fa0/0.146 Grp 10 Hello  out 155.0.146.6 Standby pri 100 vIP
155.0.146.254
*Feb 25 10:39:03.475: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 48,
sending broad/multicast
*Feb 25 10:39:03.475:     UDP src=1985, dst=1985xit

We can see that we go through the states but stick at Standby. Realistically, if we had held an
election we should have become HSRP active, as we both have the default priority and r6 has the
higher IP, but once a router is online as active there is no new election and no preempt by
default, so like the OSPF DR it really comes down to who boots up first.

We can see from the following output
r6#sh standby
FastEthernet0/0.146 - Group 10
  State is Standby
    1 state change, last state change 00:05:45
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.164 secs
  Preemption disabled
  Active router is 155.0.146.4, priority 100 (expires in 8.768 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/0.146-10" (default)
r6#

that we are Standby, the virtual IP is 155.0.146.254, and the active and local virtual MAC is 0000.0c07.ac0a.
We can see our timers.
We can see preemption is disabled and our priority is the default of 100.
Let's change preempt:
r6(config)#int fa0/0.146
r6(config-subif)#standby 10 preempt
Now that we have enabled preemption, we will not preempt based on the highest IP; it does not go
through the election process. We will only preempt based on priority.

r6(config)#int fa0/0.146
r6(config-subif)#standby 10 priority 110
r6(config-subif)#
*Feb 25 10:47:50.263: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Standby -> Active

Higher priority is better: I configured preemption and a higher priority, and I am now in the
active state.
Let's look at another command.
Notice this command is not group specific like the other commands:
r6(config-subif)#int fa0/0.146
r6(config-subif)#standby use-bia

r6#sh standby
FastEthernet0/0.146 - Group 10
  State is Active
    2 state changes, last state change 00:02:55
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0013.80e4.901a
    Local virtual MAC address is 0013.80e4.901a (bia)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.572 secs
  Preemption enabled
  Active router is local
  Standby router is 155.0.146.4, priority 100 (expires in 9.564 sec)
  Priority 110 (configured 110)
  IP redundancy name is "hsrp-Fa0/0.146-10" (default)
r6#

Notice the active virtual MAC address has changed to the BIA of r6. This is for situations where,
for example, you have port security and do not want the additional virtual MAC on the port.

r4
---
r4#sh st
*Feb 25 10:34:05.891: %SYS-5-CONFIG_I: Configured from console by consoleandby
FastEthernet0/1 - Group 10
  State is Standby
    4 state changes, last state change 00:03:29
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0013.80e4.901a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.432 secs
  Preemption disabled
  Active router is 155.0.146.6, priority 110 (expires in 9.432 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/1-10" (default)
r4#

r6
---
r6(config)#int fa0/0.146
r6(config-subif)#shut
r6(config-subif)#


r4
---
r4#sh standby
FastEthernet0/1 - Group 10
  State is Active
    5 state changes, last state change 00:00:34
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.384 secs
  Preemption disabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/1-10" (default)
r4#
r4 goes back to using the typical HSRP virtual MAC, as we did not configure the command on r4.
It will send an ARP reply even though none was requested (a gratuitous ARP), announcing that the
new MAC for 155.0.146.254 is 0000.0c07.ac0a.

r6
---
I will bring r6 back up and take off use-bia.

r6#sh st
*Feb 25 10:57:04.951: %SYS-5-CONFIG_I: Configured from console by consoleandby
FastEthernet0/0.146 - Group 10
  State is Active
    4 state changes, last state change 00:00:45
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.372 secs
  Preemption enabled
  Active router is local
  Standby router is 155.0.146.4, priority 100 (expires in 7.368 sec)
  Priority 110 (configured 110)
  IP redundancy name is "hsrp-Fa0/0.146-10" (default)
r6#

One thing we notice is that the timers are quite high.

r6(config)#int f0/0.146
r6(config-subif)#standby 10 timers 1 3

We can change them, or we can also use BFD here; my IOS version does not currently
support it.

Ok, I am going to make r4 active, so preemption is configured on the other router.

r4
--
On r4 I will enable preemption; it is still at the default priority of 100, so it will not preempt.
r4(config)#int fa0/1
r4(config-if)#standby 10 preempt

r6
---
We will look at tracking.
r6(config-subif)#int fa0/0.146
r6(config-subif)#standby 10 track fa0/1 120
r6(config-subif)#

So this basically says: if r6 interface fa0/1 goes down, bring down my priority by 120.
This would then mean that r6 has a lower priority than r4, so r4 would take over, as it now has
preempt configured.

r6(config)#int fa0/1
r6(config-if)#shut
r6(config-if)#
*Feb 25 11:25:40.375: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Active -> Speak
*Feb 25 11:25:41.655: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to
administratively down
*Feb 25 11:25:42.655: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to down
*Feb 25 11:25:43.375: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Speak -> Standby

We can see this is indeed what happens.

Now as we know, tracking an interface may not be the best way to tell upstream reachability:
just because our local interface is up does not mean the service provider does not have internal
issues.
So another, more used, option is tracking with IP SLA.
So I will just change r6 back:

r6(config)#int fa0/1
r6(config-if)#no shut
r6(config-if)#
*Feb 25 11:27:02.875: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Standby -> Active
*Feb 25 11:27:04.767: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Feb 25 11:27:05.767: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to u

So bb2 has a loopback of 11.2.2.2:
r6#ping 11.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
r6#

which I can reach from r6, so let's use this:
r6(config)#ip sla 1
r6(config-ip-sla)#icmp echo 11.2.2.2
r6(config-ip-sla)#icmp-echo 11.2.2.2
r6(config-ip-sla-echo)#frequency 5
r6(config-ip-sla-echo)#timeout 2000
r6(config-ip-sla-echo)#exit
r6(config)#ip sla schedule 1 start-time now life forever

r6(config)#track 2 rtr 1

r6#sh track
Track 2
  Response Time Reporter 1 state
  State is Up
    1 change, last change 00:00:32
  Latest operation return code: OK
  Latest RTT (millisecs) 1
r6#

r6(config)#int fa0/0.146
r6(config-subif)#standby 10 track 2
r6(config-subif)#standby 10 track 2 decrement 120
At the moment:
r6#sh standby
FastEthernet0/0.146 - Group 10
  State is Active
    10 state changes, last state change 00:07:45
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 1 sec, hold time 3 sec
    Next hello sent in 0.032 secs
  Preemption enabled
  Active router is local
  Standby router is 155.0.146.4, priority 100 (expires in 2.008 sec)
  Priority 110 (configured 110)
    Track interface FastEthernet0/1 state Up decrement 120
    Track object 2 state Up decrement 120
  IP redundancy name is "hsrp-Fa0/0.146-10" (default)

BB2
---
bb2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
bb2(config)#int lo0
bb2(config-if)#shut
bb2(config-if)#
access#5
r6
----
r6#
*Feb 25 11:35:31.895: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Active -> Speak

r6#sh standby
FastEthernet0/0.146 - Group 10
  State is Standby
    12 state changes, last state change 00:00:27
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 1 sec, hold time 3 sec
    Next hello sent in 0.556 secs
  Preemption enabled
  Active router is 155.0.146.4, priority 100 (expires in 2.560 sec)
  Standby router is local
  Priority 0 (configured 110)
    Track interface FastEthernet0/1 state Up decrement 120
    Track object 2 state Down decrement 120
  IP redundancy name is "hsrp-Fa0/0.146-10" (default)
r6#
*Feb 25 11:35:34.895: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Speak -> Standby
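The preempt, priority and tracking behaviour worked through in this lab can be replayed in a few lines. This is an added example (my own code, not from the post) modelling how the active and standby router are picked: a fresh election goes to the highest effective priority with the highest IP as tie breaker, an incumbent active router is only displaced by a preempt-enabled router whose effective priority is strictly higher, and every tracked object that is down subtracts its decrement. The Learn and Speak states are left out of the model, and the router names, addresses and the Fa0/1 track object are the lab's; `replay_lab` walks through the same sequence of changes made above.

```python
"""HSRP active/standby selection with priority, preempt and tracking (added example)."""
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100            # configured priority, IOS default 100
    preempt: bool = False          # off by default, as in IOS
    tracks: dict = field(default_factory=dict)   # tracked object -> decrement
    down: set = field(default_factory=set)       # tracked objects currently down
    state: str = "Listen"

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked object that is down."""
        dec = sum(d for obj, d in self.tracks.items() if obj in self.down)
        return max(0, self.priority - dec)


def ip_key(ip: str) -> tuple:
    return tuple(int(octet) for octet in ip.split("."))


def rank(r: Router) -> tuple:
    """Election order: highest effective priority, then highest IP as tie breaker."""
    return (r.effective_priority(), ip_key(r.ip))


class HsrpGroup:
    def __init__(self, group: int):
        self.group = group
        self.routers = {}          # name -> Router
        self.active = None         # name of the current active router

    def add(self, r: Router):
        self.routers[r.name] = r
        self.converge()

    def remove(self, name: str):
        """Interface shut or router gone: its hellos stop and the group re-converges."""
        self.routers.pop(name)
        if self.active == name:
            self.active = None
        self.converge()

    def set_object(self, name: str, obj: str, up: bool):
        """A tracked interface or IP SLA object changes state."""
        r = self.routers[name]
        if up:
            r.down.discard(obj)
        else:
            r.down.add(obj)
        self.converge()

    def converge(self):
        live = list(self.routers.values())
        if not live:
            self.active = None
            return
        if self.active is None:
            # Fresh election: best rank wins; the IP tie breaker only matters here.
            self.active = max(live, key=rank).name
        else:
            # The incumbent keeps the role unless a preempt-enabled router has a
            # strictly higher effective priority; a higher IP alone never preempts.
            cur = self.routers[self.active].effective_priority()
            challengers = [r for r in live if r.preempt and r.effective_priority() > cur]
            if challengers:
                self.active = max(challengers, key=rank).name
        others = [r for r in live if r.name != self.active]
        standby = max(others, key=rank).name if others else None
        for r in live:
            r.state = "Active" if r.name == self.active else ("Standby" if r.name == standby else "Listen")

    def roles(self) -> dict:
        return {r.name: r.state for r in self.routers.values()}


def replay_lab() -> list:
    """Replay the lab's steps; returns the active router after each one."""
    g = HsrpGroup(10)
    r4 = Router("r4", "155.0.146.4")
    r6 = Router("r6", "155.0.146.6")
    g.add(r4); trace = [g.active]                             # r4 boots first
    g.add(r6); trace.append(g.active)                         # r6 has the higher IP, r4 stays active
    r6.preempt = True; g.converge(); trace.append(g.active)   # equal priority: still r4
    r6.priority = 110; g.converge(); trace.append(g.active)   # r6 preempts
    g.remove("r6"); trace.append(g.active)                    # r6 shut: r4 active
    g.add(r6); trace.append(g.active)                         # r6 back, preempts again
    r4.preempt = True
    r6.tracks["Fa0/1"] = 120
    g.set_object("r6", "Fa0/1", up=False); trace.append(g.active)  # r6 drops to 0, r4 preempts
    g.set_object("r6", "Fa0/1", up=True); trace.append(g.active)   # r6 back at 110
    return trace


if __name__ == "__main__":
    print(replay_lab())
```

The second scenario in the test shows the point made above about r4: if the other router has no preempt configured, the tracking decrement on its own changes nothing, and failover only happens once preempt is enabled on the router that should take over.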

Friday, February 24, 2012

PROTECTED PORTS & PRIVATE VLANS

Protected Ports

  • Two protected ports on a switch in the same VLAN cannot exchange layer 2 frames with each other
  • Used to prevent devices in the same VLAN from communicating at layer 2
  • Both ports must be on the same switch for this feature to work
  • You will still receive unknown unicast and multicast traffic
Commands

int fa0/1
switchport protected

sh switchport protected

Private VLANs

  • Can work across multiple switches
  • Secondary VLANs are community or isolated
  • Promiscuous ports can speak to all; usually the layer 3 interface
  • Community ports can speak to all ports in their own community and to promiscuous ports
  • Isolated ports can only speak to promiscuous ports
  • uRPF will not work with PVLANs
  • The VTP mode on switches for PVLAN must be transparent
  • Cannot include VLAN 1 or 1002-1005
  • Does not work with EtherChannel; if both are configured on a port, the PVLAN supersedes the EtherChannel
  • You can use SPAN destination ports in PVLANs; SPAN supersedes the PVLAN
  • You can use SPAN source ports in PVLANs
  • Enable portfast + BPDU guard on PVLAN ports to prevent loops from misconfiguration
  • QoS is supported
  • ACLs should not be applied to isolated or community VLANs
  • Dynamic ACLs should not be applied to the primary VLAN
  • The same config is required on all switches
  • VTP v3 supports PVLANs, but VTPv1 and VTPv2 do not

Commands

vtp mode transparent
vlan 112
private-vlan primary
private-vlan association 113,114
vlan 113
private-vlan community
vlan 114
private-vlan isolated

int fa0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 112 add 113,114,115

int fa0/5
switchport mode private-vlan host
switchport private-vlan host-association 112 113 - so primary 112 and secondary 113

sh vlan private-vlan


LAB
----

Protected Port
---------------

so i am configuring all the ports on s1 in the same vlan
s1(config)#int fa0/1
s1(config-if)#switchport access vlan 112
% Access VLAN does not exist. Creating vlan 112
s1(config-if)#int fa0/3
s1(config-if)#switchport access vlan 112
Command rejected: Fa0/3 not a switching port.
s1(config-if)#int fa0/5
s1(config-if)#switchport access vlan 112
s1(config-if)#

All the routers connecting in will go in 10.229.254.0/24 subnet
r1(config)#int fa0/0
r1(config-if)#ip address 10.229.254.1 255.255.255.0
r1(config-if)#

r3(config)#int fa0/0
r3(config-if)#ip address 10.229.254.3 255.255.255.0
r3(config-if)#no shut

r5(config)#int fa0/0
r5(config-if)#ip address 10.229.254.5 255.255.255.0

Ok so we will have r1 and r3 not able to communicate with each other, but all able to communicate with r5.

s1(config)#int fa0/1
s1(config-if)#switchport protected
s1(config-if)#int fa0/3
s1(config-if)#switchport protected

From R1
--------
r1#ping 10.229.254.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r1#ping 10.229.254.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#

FROM R3
--------

r3#ping 10.229.254.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r3#ping 10.229.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r3#

From R5
--------
r5#ping 10.229.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r5#ping 10.229.254.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r5#


Private VLAN
-------------
I will take the protected port off, but we will keep the new addresses, all in VLAN 112. I will also do this for the routers connected to sw2 (r2, r4, r6):
10.229.254.2, 10.229.254.4 and 10.229.254.6, all in VLAN 112.

routers
--------

r2(config)#int fa0/0
r2(config-if)#ip address 10.229.254.2 255.255.255.0
r2(config-if)#

r4(config)#int fa0/0
r4(config-if)#ip address 10.229.254.4 255.255.255.0
r4(config-if)#

r6(config)#int fa0/0
r6(config-if)#ip address 10.229.254.6 255.255.255.0
r6(config-if)#

switch 2
---------

s2(config)#int fa0/2
s2(config-if)#switchport mode access
s2(config-if)#switchport access vlan 112
s2(config-if)#int fa0/4
s2(config-if)#switchport mode access
s2(config-if)#switchport access vlan 112
s2(config-if)#int f0/6
s2(config-if)#switchport mode access
s2(config-if)#switchport access vlan 112
Ok, as per the lab diagram, r1 is going promiscuous and will be able to connect to everyone; r3 and r2 will be able to connect to each other and r1; r5 and r4 will be able to
connect to each other and r1;
r6 will only be able to connect to r1. They will all be in the same main VLAN.


We will start the config on s1.
First things first, put the VTP mode to transparent:

s1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Create the VLANs:
s1(config)#vlan 112
s1(config-vlan)#private-vlan primary
s1(config-vlan)#vlan 113
s1(config-vlan)#private-vlan community
s1(config-vlan)#vlan 114
s1(config-vlan)#private-vlan community
s1(config-vlan)#vlan 115
s1(config-vlan)#private-vlan isolated
s1(config-vlan)#

s1(config)#vlan 112
s1(config-vlan)#private-vlan association 113,114,115

This same config needs to be put on s2.

S2
---
s2(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
s2(config)#vlan 112
s2(config-vlan)#  private-vlan primary
s2(config-vlan)#  private-vlan association 113-115
s2(config-vlan)#!
s2(config-vlan)#vlan 113
s2(config-vlan)#  private-vlan community
s2(config-vlan)#!
s2(config-vlan)#vlan 114
s2(config-vlan)#  private-vlan community
s2(config-vlan)#!
s2(config-vlan)#vlan 115
s2(config-vlan)#  private-vlan isolated

s1
---
We will start with interface fa0/1, setting it as the promiscuous port:
s1(config)#int fa0/1
s1(config-if)#switchport mode private-vlan promiscuous
s1(config-if)#switchport private-vlan mapping 112 add 113,114,115

Now on to the community ports.
So for r3 in community VLAN 113:

s1(config-if)#int fa0/3
s1(config-if)#switchport mode private-vlan host
s1(config-if)#switchport private-vlan host 112 113
For r5 in community VLAN 114:
s1(config)#int fa0/5
s1(config-if)#switchport mode private-vlan host
s1(config-if)#switchport private-vlan host 112 114

S2
---
For r2 in community VLAN 113:

s2(config)#int fa0/2
s2(config-if)#switchport mode private-vlan host
s2(config-if)#switchport private-vlan host 112 113

For r4 in community VLAN 114:
s2(config)#int fa0/4
s2(config-if)#switchport mode private-vlan host
s2(config-if)#switchport private-vlan host 112 114
For r6, which is in the isolated VLAN:
s2(config)#int fa0/6
s2(config-if)#switchport mode private-vlan host
s2(config-if)#switchport private-vlan host 112 115

Ok, let's test the config.

r1
---
r1#ping 10.229.254.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms
r1#ping 10.229.254.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
r1#ping 10.229.254.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r1#ping 10.229.254.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
r1#

r1 can ping everything.


r5
---
r5#ping 10.229.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r5#ping 10.229.254.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
r5#ping 10.229.254.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r5#ping 10.229.254.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r5#

It can ping its fellow community member r4 and the promiscuous port, but not members of other communities or the isolated group.

r6
---
r6#ping 10.229.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r6#ping 10.229.254.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r6#ping 10.229.254.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.5, timeout is 2 seconds:
..

r6 can only ping r1, which is what was expected.

Say I decided r4 should not be in a community but be isolated:


s2(config-if)#switchport private-vlan host 112 115
s2(config-if)#exit
s2(config)#do sh run int fa0/4
Building configuration...
Current configuration : 146 bytes
!
interface FastEthernet0/4
 switchport access vlan 112
 switchport private-vlan host-association 112 115
 switchport mode private-vlan host
end
s2(config)#

It is using the same VLAN id as r6, 115.

r4#ping 10.229.254.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r4#ping 10.229.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r4#ping 10.229.254.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

It cannot ping its ex community member; it can ping the promiscuous port.
It cannot ping r6 even though they are in the same secondary VLAN, meaning we can use the
same secondary isolated VLAN over and over.
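The protected-port and private VLAN rules listed above, and the ping results of both labs, can be checked against a small model. This is an added example (my own code, not from the post) that decides whether a frame from one port can reach another at layer 2 under those rules; the switch names, port names, VLAN numbers and roles are the lab's. Plain access ports are only modelled against other plain access ports in the same VLAN (that is an assumption made to keep the protected-port case simple), and the PVLAN rules apply across switches, which is exactly what the s1/s2 results show.

```python
"""Layer-2 reachability under protected ports and private VLANs (added example)."""
from dataclasses import dataclass

PROMISCUOUS, COMMUNITY, ISOLATED, ACCESS = "promiscuous", "community", "isolated", "access"


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    vlan: int                 # access VLAN, or the primary VLAN for a PVLAN port
    mode: str = ACCESS
    secondary: int = 0        # community or isolated VLAN for PVLAN host ports
    protected: bool = False   # 'switchport protected'


def can_reach(a: Port, b: Port) -> bool:
    """True if a frame entering port a is forwarded out port b."""
    if a == b or a.vlan != b.vlan:
        return False
    # Protected ports: two of them on the same switch never exchange frames;
    # across switches the feature has no effect (it is switch-local).
    if a.protected and b.protected and a.switch == b.switch:
        return False
    if ACCESS in (a.mode, b.mode):
        return a.mode == b.mode        # plain access ports talk only to plain access ports
    # Private VLAN rules; the secondary VLAN ids are carried across trunks,
    # so these hold between switches when the config matches.
    if PROMISCUOUS in (a.mode, b.mode):
        return True                    # promiscuous talks to everything in the primary
    if a.mode == COMMUNITY and b.mode == COMMUNITY:
        return a.secondary == b.secondary
    return False                       # isolated to anything non-promiscuous, or community to isolated


def reachability(ports: dict) -> dict:
    """{source name: set of reachable names} for every port in the dict."""
    return {s: {d for d in ports if can_reach(ports[s], ports[d])} for s in ports}


def lab_pvlan_ports() -> dict:
    """The private VLAN lab: primary 112, communities 113/114, isolated 115."""
    return {
        "r1": Port("s1", "Fa0/1", 112, PROMISCUOUS),
        "r3": Port("s1", "Fa0/3", 112, COMMUNITY, 113),
        "r5": Port("s1", "Fa0/5", 112, COMMUNITY, 114),
        "r2": Port("s2", "Fa0/2", 112, COMMUNITY, 113),
        "r4": Port("s2", "Fa0/4", 112, COMMUNITY, 114),
        "r6": Port("s2", "Fa0/6", 112, ISOLATED, 115),
    }


def lab_protected_ports() -> dict:
    """The protected-port lab: Fa0/1 and Fa0/3 protected, Fa0/5 not."""
    return {
        "r1": Port("s1", "Fa0/1", 112, protected=True),
        "r3": Port("s1", "Fa0/3", 112, protected=True),
        "r5": Port("s1", "Fa0/5", 112),
    }


if __name__ == "__main__":
    for name, reach in reachability(lab_pvlan_ports()).items():
        print(name, "->", sorted(reach))
```

Moving r4 into isolated VLAN 115 in the model gives the same result as the last ping test: it still reaches the promiscuous port and nothing else, including r6, which shares the isolated VLAN with it.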


ADDITIONAL LAYER 2 SECURITY


DHCP SNOOPING

  • This is a way of enforcing the DHCP server role on ports.
  • The issue DHCP snooping addresses is a man-in-the-middle attack on DHCP.
  • The way DHCP works is that a DHCP discover (broadcast) is sent out by the host onto the segment; the router on the segment will usually be configured to pass this broadcast to the DHCP server, and the DHCP server then unicasts back a DHCP offer with the IP address on offer etc. The client sends back a DHCP request (broadcast) saying it would like to reserve this, and the DHCP server replies with a unicast DHCP ack. As we see, the initial request is broadcast, so other devices on the segment receive it. So the DHCP attack is that a rogue DHCP server on the segment answers the broadcast with its own offer; the client goes with the first DHCP server that responds, so the rogue server's offer can set itself as the default gateway.
  • So DHCP snooping will validate DHCP messages from untrusted source ports and filter out messages. So if a DHCP offer comes in on an access port that is not connected to the DHCP server, and DHCP snooping is enabled, it will filter this.
  • DHCP snooping will only allow trusted ports to respond to DHCP request broadcasts. So you would set your user access ports to untrusted and your uplink towards the designated DHCP server as trusted, so offers can only come in on trusted ports.
  • Also, when you enable DHCP snooping it creates the DHCP snooping binding database, which keeps track of your MAC to IP to port bindings. This is also used by other security features.
  • It can also rate limit DHCP traffic from trusted and untrusted ports.
  • It is enabled on a per-VLAN basis.
  • If DHCP MAC verification is on, snooping checks the source MAC against the DHCP client hardware address; if they do not match the packet is not allowed.

DHCP SNOOPING CAVEATS

  • Do not forget to trust the port towards the DHCP server
  • In a multi-switch scenario trust the trunk links between the switches
  • Keep in mind that DHCP snooping inserts the option 82 relay information option into client packets it forwards, while leaving giaddr at 0.0.0.0. Some servers do not accept that combination (the IOS DHCP server drops such packets by default). If that is the case you can disable the insertion:
no ip dhcp snooping information option
  • Alternatively configure the server to trust packets that carry option 82 with an empty giaddr (on an IOS server this is the relay information trust-all setting)

Commands

ip dhcp snooping
ip dhcp snooping vlan 146
int fa0/1
ip dhcp snooping trust

all other ports in vlan 146 stay untrusted, which is the default
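The filtering rules above, as an added example in Python (this is not from the original post and not IOS code): a small model of a snooping switch that applies the trusted/untrusted rules, the chaddr check and the option 82 rule, and builds the binding table from the Discover/Request/Ack exchange it sees. The port names, MAC and IP addresses used in demo() are constructed sample data.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # messages only a DHCP server sends


@dataclass
class DhcpPacket:
    msg_type: str            # DISCOVER / OFFER / REQUEST / ACK / RELEASE ...
    src_mac: str             # Ethernet source address
    chaddr: str              # DHCP client hardware address field
    yiaddr: str = ""         # address handed out (OFFER/ACK)
    giaddr: str = "0.0.0.0"  # relay agent address, 0.0.0.0 when not relayed
    has_option82: bool = False


@dataclass
class SnoopingSwitch:
    vlan: int
    trusted_ports: set = field(default_factory=set)
    verify_hwaddr: bool = True                     # "Verification of hwaddr field is enabled"
    bindings: dict = field(default_factory=dict)   # client MAC -> (ip, port, vlan)
    pending: dict = field(default_factory=dict)    # client MAC -> untrusted port it asked from

    def inspect(self, port: str, pkt: DhcpPacket) -> tuple:
        """Model of the snooping decision for a DHCP packet arriving on `port`.
        Returns (forwarded, reason)."""
        if port in self.trusted_ports:
            # Trusted ports are not filtered, but a server ACK seen here creates
            # the binding for the client that asked from an untrusted port.
            if pkt.msg_type == "ACK" and pkt.chaddr in self.pending:
                client_port = self.pending.pop(pkt.chaddr)
                self.bindings[pkt.chaddr] = (pkt.yiaddr, client_port, self.vlan)
            return True, "trusted port"
        # untrusted port: only well-formed client messages get through
        if pkt.msg_type in SERVER_MSGS:
            return False, f"{pkt.msg_type} from untrusted port (rogue server)"
        if pkt.has_option82:
            return False, "option 82 on untrusted port is not allowed"
        if pkt.giaddr != "0.0.0.0":
            return False, "non-zero giaddr from untrusted port"
        if self.verify_hwaddr and pkt.src_mac != pkt.chaddr:
            return False, f"source MAC {pkt.src_mac} does not match chaddr {pkt.chaddr}"
        if pkt.msg_type in {"RELEASE", "DECLINE"}:
            bound = self.bindings.get(pkt.chaddr)
            if bound is None or bound[1] != port:
                return False, "RELEASE/DECLINE does not match the binding on this port"
        if pkt.msg_type in {"DISCOVER", "REQUEST"}:
            self.pending[pkt.chaddr] = port
        return True, "client message from untrusted port"


def demo() -> tuple:
    """Replay a legitimate lease and three attacks through the model.
    Returns (list of (forwarded, reason, port), binding table)."""
    sw = SnoopingSwitch(vlan=146, trusted_ports={"Fa0/1"})  # Fa0/1 faces the real server
    server, client, rogue = "0000.0c12.3456", "0011.2233.4455", "00de.adbe.ef00"
    steps = [
        ("Fa0/5", DhcpPacket("DISCOVER", client, client)),
        ("Fa0/1", DhcpPacket("OFFER", server, client, yiaddr="10.229.146.20")),
        ("Fa0/5", DhcpPacket("REQUEST", client, client)),
        ("Fa0/1", DhcpPacket("ACK", server, client, yiaddr="10.229.146.20")),
        # rogue server answering the broadcast from a user port
        ("Fa0/7", DhcpPacket("OFFER", rogue, client, yiaddr="10.229.146.99")),
        # lease starvation: forged chaddr behind one real source MAC
        ("Fa0/7", DhcpPacket("DISCOVER", rogue, "0000.0000.1111")),
        # attacker releasing the client's lease from the wrong port
        ("Fa0/7", DhcpPacket("RELEASE", client, client)),
    ]
    decisions = [sw.inspect(port, pkt) + (port,) for port, pkt in steps]
    return decisions, sw.bindings


if __name__ == "__main__":
    for forwarded, reason, port in demo()[0]:
        print(f"{port}: {'forward' if forwarded else 'DROP':7} {reason}")
```

The order of the checks mirrors what the show ip dhcp snooping output lists: server messages and option 82 are rejected outright on untrusted ports, then the hwaddr field is verified, and only client messages that pass all of that reach the real server and end up in the binding table.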


LAB

S4
---
So I have switched DHCP snooping on and added VLAN 146
s4(config)#ip dhcp snooping
s4(config)#ip dhcp snooping vlan 146
s4#sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
146
DHCP snooping is configured on the following Interfaces:
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
s4#

OK, so I will set the interface where the DHCP server is as trusted

s4(config)#int fa0/1
s4(config-if)#ip dhcp snooping trust

s4#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
146
DHCP snooping is configured on the following Interfaces:
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              yes         unlimited
s4#

That is really all that is required. Two things to watch out for: if the DHCP server is not directly connected to this switch, trust the trunk links towards it; and watch out for option 82. An IOS router acting as the DHCP server drops, by default, DHCP packets that carry option 82 with giaddr still 0.0.0.0, which is exactly what a snooping switch in the server's own VLAN produces, so you need to disable the insertion (or have the server trust such packets):

s4(config)#no ip dhcp snooping information option

Dynamic ARP Inspection (DAI)

  • This is the response to the ARP poisoning attack. A client ARPs for the MAC of the default gateway as normal; the attacker replies saying "I have the default gateway IP and my MAC is this" (and can keep sending unsolicited gratuitous ARP replies to refresh the victim's cache). The user then forwards its packets at layer 2 to the rogue device, and the attacker most likely forwards them on to the legitimate default gateway, so the attack is transparent to the user; they do not know it is happening.
  • Dynamic ARP Inspection (DAI) is the way of dealing with this type of attack. It inspects ARP requests and replies arriving on untrusted ports and compares the sender MAC and IP to the DHCP snooping binding database; an ARP that conflicts with the bindings for that port is dropped (and logged).
  • There is a second part to this: if DHCP snooping or DHCP is not being used, i.e. we are using static addressing, there is no binding for the host, so we configure the IP-to-MAC mapping statically in an ARP access list, for example for the default gateway.
  • The static ARP ACL is checked before the DHCP snooping bindings. An ARP that matches a permit entry is allowed; one that does not match falls through to the binding check unless the filter was applied with the static keyword, in which case the implicit deny at the end of the ACL is final.
Commands

ip arp inspection vlan 146

int fa0/1
ip arp inspection trust

Static config
arp access-list MYFILTER
permit ip host 10.229.254.1 mac host 0000.0000.0001

we apply it to the vlan

ip arp inspection filter MYFILTER vlan 146


LAB

we will look at the config for both scenerios
for Dynamic with dhcp address
s4(config)#ip arp inspection vlan 146
this will enable inspection of ARP requests and responses on the segment; it checks the DHCP snooping database for a port-to-MAC-to-IP binding

We will configure our trunks as trusted, as they carry multiple MACs for multiple VLANs

s4(config)#int fa0/4
s4(config-if)#ip arp inspection trust

for the static mappings
------------------------
We do not have a DHCP binding entry for statically assigned addresses, so we can manually create an entry for the inspection to use.
We use an ARP access-list
s4(config)#arp access-list MYFILTER
s4(config-arp-nacl)#permit ip host 10.229.254.1 mac host 0000.0000.0001

we apply this to the vlan with
s4(config)#ip arp inspection filter MYFILTER vlan 146


IP SOURCE GUARD

  • Prevents IP address spoofing on an access port
  • Same concept as ARP inspection but for IP traffic: a host may only source packets from the address (and optionally the MAC) it was assigned
  • Uses the DHCP snooping binding database to build the per-port filter dynamically; DHCP packets are always let through so the host can still obtain a lease
  • Port security must be enabled on the port only if you also want the source MAC checked (the port-security keyword below)
  • IP Source Guard is not supported on EtherChannels

Commands
ip verify source   (interface command; filters on source IP only)
MAC address filtering can also be enforced with an additional parameter, which requires port security to be enabled on the interface:

ip verify source port-security

static IP-to-MAC mapping on a VLAN, for hosts that do not use DHCP:
ip source binding (global command; takes the MAC, VLAN, IP address and interface of the static host)
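The DAI and IP Source Guard checks described in the two sections above, as one added Python example (not from the original post, not IOS code): both features consult the same binding table, DAI with the ARP ACL looked at first and the static keyword closing off the fallback, IP Source Guard with the optional port-security MAC check. The bindings, ACL entry, MAC and IP addresses in demo() are constructed sample data, reusing the gateway mapping from the ARP ACL above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:            # one row of the DHCP snooping binding database
    mac: str
    ip: str
    port: str
    vlan: int


@dataclass
class ArpPacket:
    port: str
    vlan: int
    src_mac: str          # Ethernet source
    sender_mac: str       # ARP sender hardware address
    sender_ip: str        # ARP sender protocol address


class Layer2Guard:
    """DAI and IP Source Guard checks against a shared binding table."""

    def __init__(self, bindings, arp_acl=(), acl_static=False, trusted_ports=()):
        self.bindings = {(b.vlan, b.mac): b for b in bindings}
        self.arp_acl = list(arp_acl)       # (action, ip, mac) entries, in order
        self.acl_static = acl_static       # 'static' keyword: implicit deny is final
        self.trusted = set(trusted_ports)

    def dai(self, pkt: ArpPacket, validate_src_mac=True) -> tuple:
        """ip arp inspection: returns (permitted, reason)."""
        if pkt.port in self.trusted:
            return True, "trusted port, not inspected"
        if validate_src_mac and pkt.src_mac != pkt.sender_mac:
            return False, "Ethernet source MAC differs from ARP sender MAC"
        # 1. the ARP ACL (static mappings) is consulted first
        for action, ip, mac in self.arp_acl:
            if (ip, mac) == (pkt.sender_ip, pkt.sender_mac):
                return action == "permit", f"ARP ACL {action}"
        if self.acl_static:
            return False, "no ARP ACL match and filter applied with 'static'"
        # 2. otherwise fall back to the DHCP snooping bindings for this port
        b = self.bindings.get((pkt.vlan, pkt.sender_mac))
        if b and b.ip == pkt.sender_ip and b.port == pkt.port:
            return True, "matches DHCP snooping binding"
        return False, "no binding for sender MAC/IP on this port"

    def ipsg(self, port, vlan, src_ip, src_mac, port_security=False, is_dhcp=False) -> tuple:
        """ip verify source [port-security] on `port`: returns (permitted, reason)."""
        if is_dhcp:
            return True, "DHCP always allowed so the host can get a lease"
        for b in self.bindings.values():
            if (b.port, b.vlan, b.ip) == (port, vlan, src_ip):
                if port_security and b.mac != src_mac:
                    return False, f"IP ok but MAC {src_mac} is not bound to it"
                return True, f"source {src_ip} is bound to {port}"
        return False, f"source {src_ip} is not bound to {port}"


def demo() -> dict:
    """Constructed scenario: one DHCP client on Fa0/5, the gateway statically
    mapped in the ARP ACL, an attacker on Fa0/7, trunk Fa0/4 trusted."""
    bindings = [Binding("0011.2233.4455", "10.229.146.20", "Fa0/5", 146)]
    acl = [("permit", "10.229.254.1", "0000.0000.0001")]
    g = Layer2Guard(bindings, acl, trusted_ports={"Fa0/4"})
    strict = Layer2Guard(bindings, acl, acl_static=True)   # filter applied with 'static'
    client = ArpPacket("Fa0/5", 146, "0011.2233.4455", "0011.2233.4455", "10.229.146.20")
    gateway = ArpPacket("Fa0/2", 146, "0000.0000.0001", "0000.0000.0001", "10.229.254.1")
    poison = ArpPacket("Fa0/7", 146, "00de.adbe.ef00", "00de.adbe.ef00", "10.229.254.1")
    return {
        "client": g.dai(client)[0],
        "gateway_static": g.dai(gateway)[0],
        "poison": g.dai(poison)[0],
        "client_with_static_keyword": strict.dai(client)[0],   # caveat: no fallback to bindings
        "ipsg_ok": g.ipsg("Fa0/5", 146, "10.229.146.20", "0011.2233.4455")[0],
        "ipsg_spoof": g.ipsg("Fa0/5", 146, "10.229.146.99", "0011.2233.4455")[0],
        "ipsg_mac_spoof": g.ipsg("Fa0/5", 146, "10.229.146.20", "00de.adbe.ef00", port_security=True)[0],
        "ipsg_dhcp": g.ipsg("Fa0/5", 146, "0.0.0.0", "0011.2233.4455", is_dhcp=True)[0],
    }
```

The client_with_static_keyword result is the caveat to remember: once the filter is applied with static, every DHCP client that is not also listed in the ARP ACL loses its ARP, so use that keyword only on VLANs where nothing is dynamically addressed.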

SNMP & RMON


SNMP

  • Runs over UDP, port 161 for polling and 162 for notifications; no delivery guarantee
  • Management Information Base (MIB): the tree of variables used to read, and with write access change, device state and configuration
  • The Network Management Station (NMS) asks the managed device for the status of MIB variables. This is called SNMP polling
  • The managed device may also report unsolicited events, called SNMP traps or informs; the difference is that informs require an acknowledgement from the NMS and are retransmitted if none arrives

SNMP VERSIONS

3 main versions
v1 - supports only community-string authentication
v2c - community-string authentication and views; also adds get-bulk and informs
v3 - supports users/groups with real authentication (keyed hashes) and encryption of the payload

SNMPv1/2c

Configured as snmp-server community {string} {ro|rw} {acl}
community string
   - a clear-text password the NMS presents to poll the device; anyone who can sniff the path sees it
2 types of community strings
   - read only
   - read write (can change the running configuration through the MIB, so protect it like an enable password)
The ACL defines which source addresses may poll the device with that string
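To make the clear-text point concrete, here is an added Python example (not from the post; no real device or network is involved) that builds an SNMPv2c GetRequest for sysDescr.0 by hand in BER and then pulls the community string back out of the bytes the way a sniffer on the path would. The community "public" and the request-id are constructed values.

```python
SYSDESCR_0 = "1.3.6.1.2.1.1.1.0"   # sysDescr.0 in the standard MIB-II system group


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(v: int) -> bytes:
    # minimal two's-complement encoding (only non-negative values are used here)
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])        # first two arcs share one byte
    for arc in arcs[2:]:                              # base-128, high bit on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """SNMPv2c Message ::= SEQUENCE { version INTEGER, community OCTET STRING, PDU }.
    GetRequest-PDU is context tag [0]: request-id, error-status, error-index, varbinds."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")                    # { oid, NULL }
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 == v2c


def _read_tlv(buf: bytes, pos: int) -> tuple:
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                     # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def extract_community(packet: bytes) -> tuple:
    """What a sniffer sees: (version, community). Nothing here is encrypted."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "?")
    if version == "v3":
        return version, ""        # v3 carries USM parameters here, no community string
    _, community, _ = _read_tlv(body, pos)
    return version, community.decode()


if __name__ == "__main__":
    pkt = build_get_request("public", SYSDESCR_0, 42)
    print(pkt.hex(" "))
    print(extract_community(pkt))
```

Read the hex: right after the version byte the community string sits as plain ASCII in an OCTET STRING, which is why a read-write community on a network you do not fully control is equivalent to an unencrypted enable password, and why the ACL on the community line and SNMPv3 with authPriv both matter.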

SNMP Traps

The device reports unsolicited events to the NMS
Reports can be
   - unreliable: traps (fire and forget)
   - reliable: informs (acknowledged by the NMS, retransmitted if not)
   - both are sent using UDP to port 162
SNMP V1/V2
-----------
Step 1: define the events to trap
all traps
snmp-server enable traps
specific
snmp-server enable traps {notification-type}
Step 2: define a host to send the traps to

all enabled traps
snmp-server host {host-addr} {community-string}
subset of the enabled traps
snmp-server host {host-addr} {community-string} {notification-type}

A common mistake is to define the hosts but not actually enable the traps globally, i.e. skipping step 1.

sh snmp mib ifmib ifindex - a good command to see which ifIndex was assigned to a particular interface. The ifIndex can change when new interfaces come on line (new interfaces include sub-interfaces and loopbacks); to keep the values persistent across reloads use the command
snmp-server ifindex persist
sh snmp mib - gives you a list of all the MIB objects supported; some are hard to decipher from the name, there are MIB translators on the net to assist

SNMP V3
--------
3 main entities
Users - operators (or the NMS) accessing the router
Groups - users are placed in groups, and access privileges are then assigned to the groups
Views - define the subset of the MIB visible to a group
So it is somewhat similar to Windows groups: you put a user in a group and the group is then assigned access to a view


SNMPV3 Security
----------------
Access to the MIB is one of
    - unauthenticated/unencrypted - noAuthNoPriv
    - authenticated only - authNoPriv
    - authenticated and encrypted - authPriv (the only level that hides the polled data on the wire)
SNMPv3 Traps
------------
Supports traps and informs
The authentication model is different from v1/v2c
Traps need to have a user associated with them
The user's credentials (auth and priv keys) are used to authenticate, and with priv encrypt, the notification
The NMS needs to implement the same authentication, i.e. know the user and the sending device's engine ID


RMON
-----
Remote Monitoring
  - used to monitor MIB variables locally on the device and raise events on thresholds
Monitoring has two components
   - alarm
      the condition (variable, sampling type, thresholds) that triggers events
   - event
      the action associated with an alarm
      normally a syslog message and/or an SNMP trap


RMON ALarm
-----------
An RMON alarm defines how a MIB variable is sampled
you have 2 types

1) DELTA sampling - used for variables that accumulate, like packet counters or CRC errors; these never go down, only up. Having just the raw value for these is not much use as it is hard to tell over what period it was accumulated. What delta gives you is the difference between consecutive samples, so a syslog saying you have had 6 CRC errors on the interface in the last 10 minutes is a lot easier to act on than "6 CRC errors ever".
- difference between the MIB value at time index A and at time index B
- used for values that only increase/accumulate
- tracks the rate of change of the variable
- the sampling interval defines the time period
2) ABSOLUTE sampling - compares the exact value of the MIB variable at the time of the sample against the thresholds. Use it for values that go up and down and where the value at that instant is what matters, for example CPU utilisation, memory utilisation, error % on an interface, size of the routing table.
- used for values that increase and decrease

The parser will not guide you as to which sampling type goes with a variable, so you need to look at it and think about it. In general: a variable that only goes up - delta; a variable that goes up and down - absolute.
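The sampling and threshold logic above, as an added Python example (not from the post, not something IOS exposes): a small RMON-style alarm evaluator that supports delta and absolute sampling and the rising/falling hysteresis the RMON MIB specifies, so a rising event fires once per excursion rather than every interval the variable stays high. The first alarm in demo() uses the same parameters as the lab below; the counter and CPU readings are constructed, not taken from a device.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RmonAlarm:
    variable: str
    interval: int               # seconds between samples (informational in this model)
    sample_type: str            # "delta" or "absolute"
    rising: int
    falling: int
    rising_event: int           # rmon event fired on a rising crossing
    falling_event: int          # rmon event fired on a falling crossing
    startup: str = "both"       # which alarm may fire on the very first sample
    _last_raw: Optional[int] = field(default=None, repr=False)
    _last_side: Optional[str] = field(default=None, repr=False)   # "rising" / "falling"

    def sample(self, raw: int) -> Optional[int]:
        """Feed one raw MIB reading; return the event number fired, if any."""
        if self.sample_type == "delta":
            if self._last_raw is None:          # two readings are needed for a delta
                self._last_raw = raw
                return None
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw
        # Hysteresis (RFC 2819): after a rising event no further rising events
        # are generated until the falling threshold is crossed, and vice versa.
        if value >= self.rising and self._last_side != "rising":
            fire = self._last_side is not None or self.startup in ("rising", "both")
            self._last_side = "rising"
            return self.rising_event if fire else None
        if value <= self.falling and self._last_side != "falling":
            fire = self._last_side is not None or self.startup in ("falling", "both")
            self._last_side = "falling"
            return self.falling_event if fire else None
        return None


def run_alarm(alarm: RmonAlarm, readings: List[int]) -> List[Optional[int]]:
    """Apply consecutive readings and collect the event fired at each sample."""
    return [alarm.sample(r) for r in readings]


def demo() -> dict:
    # Same alarm as the lab: ifOutUcastPkts.2 every 60 s, delta sampling,
    # rising 1000 -> event 2, falling 1 -> event 3. Readings are a cumulative counter.
    delta_alarm = RmonAlarm("ifOutUcastPkts.2", 60, "delta", 1000, 1, 2, 3)
    delta_readings = [0, 6, 12, 1118, 2300, 2301, 3400]
    # Absolute sampling for a gauge: CPU %, rising 80 -> event 4, falling 50 -> event 5,
    # startup "rising" so an idle CPU at startup does not raise a falling alarm.
    cpu_alarm = RmonAlarm("cpmCPUTotal5minRev.1", 60, "absolute", 80, 50, 4, 5, startup="rising")
    cpu_readings = [30, 85, 90, 40, 45, 95]
    return {
        "delta": run_alarm(delta_alarm, delta_readings),
        "absolute": run_alarm(cpu_alarm, cpu_readings),
    }


if __name__ == "__main__":
    for name, events in demo().items():
        print(name, events)
```

In the delta run the 1106-packet interval fires event 2 once; the next interval, also above 1000, fires nothing, and event 2 only returns after the delta of 1 has fired the falling event 3. That is the behaviour to expect from the lab's `%RMON-5-RISINGTRAP` message: one trap per excursion, not one per minute.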
 
LAB
----
FOR SNMPV1/V2

First we will define our polling
we will define a subnet that has access
r4(config)#ip access-list standard EIGRP-SNMP
r4(config-std-nacl)#permit 192.168.1.0 0.0.0.255
r4(config-std-nacl)#

r4(config)#snmp-server community EIGRP-SNMP-COM ro EIGRP-SNMP


Next in global config we need to enable our traps

r4(config)#snmp-server enable traps ?
  atm                Enable SNMP atm traps
  authenticate-fail  Enable SNMP 802.11 Authentication Fail Trap
  bgp                Enable BGP traps
  bstun              Enable SNMP BSTUN traps
  bulkstat           Enable Data-Collection-MIB Collection notifications
  cnpd               Enable NBAR Protocol Discovery traps
  config             Enable SNMP config traps
  config-copy        Enable SNMP config-copy traps
  cpu                Allow cpu related traps
  deauthenticate     Enable SNMP 802.11 Deauthentication Trap
  disassociate       Enable SNMP 802.11 Disassociation Trap
  dlsw               Enable SNMP dlsw traps
  dot11-qos          Enable SNMP 802.11 QoS Change Trap
  ds0-busyout        Enable ds0-busyout traps
  ds1                Enable SNMP DS1 traps
  ds1-loopback       Enable ds1-loopback traps
  dsp                Enable SNMP dsp traps
  eigrp              Enable SNMP EIGRP traps
  entity             Enable SNMP entity traps
  envmon             Enable SNMP environmental monitor traps
  event-manager      Enable SNMP Embedded Event Manager traps
  firewall           Enable SNMP Firewall tra
This is a partial list; we can enable traps for specific technologies rather than all traps.
This would be for EIGRP notifications:
r4(config)#snmp-server enable traps eigrp

if i wanted all trap i would use the below
r4(config)#snmp-server enable traps

next we define the host to send traps to

r4(config)#snmp-server host 192.168.2.1 EIGRP-SNMP-COM eigrp

so this server would be sent the traps for eigrp

sh snmp mib will show you all the MIB objects available to use
if we are looking at interfaces:
r4#sh snmp mib ifmib ifindex
FastEthernet0/0: Ifindex = 1
Loopback0: Ifindex = 8
Null0: Ifindex = 5
Serial0/0/0: Ifindex = 3
Async2: Ifindex = 6
FastEthernet0/1: Ifindex = 2
Serial0/1/0: Ifindex = 4
Async18: Ifindex = 7
r4#
and we want to keep the index persistent for our logging of particular interfaces

r4(config)#snmp-server ifindex pers

SNMP V3
-------

First we create our view
r4(config)#snmp-server view MYVIEW cisco included
create the group (v3, requiring authentication and encryption, read access limited to MYVIEW)
r4(config)#snmp-server group MYGROUP v3 priv read MYVIEW

Create the user
r4(config)#snmp-server user MYUSER MYGROUP v3 auth md5 PASSWORD priv 3des SECRETKEY
so we have created a user in the group MYGROUP with MD5 authentication and 3DES encryption (use sha and aes instead where the image offers them; the user's keys are stored localised and do not appear in the running config)


define a trap destination for this user (the user must exist before this line references it; use priv instead of auth to have the traps encrypted as well)
r4(config)#snmp-server host 192.168.2.1 traps version 3 auth MYUSER eigrp

RMON
-----
OK i will do rmon on interface f0/1 for an alarm for if we get 1000 packets in  60 seconds

r4#sh snmp mib ifmib ifindex
FastEthernet0/0: Ifindex = 1
Loopback0: Ifindex = 8
Null0: Ifindex = 5
Serial0/0/0: Ifindex = 3
Async2: Ifindex = 6
FastEthernet0/1: Ifindex = 2
Serial0/1/0: Ifindex = 4
Async18: Ifindex = 7
r4#

*Feb 24 13:11:08.895: %SYS-5-CONFIG_I: Configured from console by console
r4#sh run | inc rmon
rmon alarm 1 ifOutUcastPkts.2 60 delta rising-threshold 1000 2 falling-threshold 1 3 owner config
r4#

OK, so this command says: RMON alarm 1 samples ifOutUcastPkts for ifIndex 2, i.e. fa0/1, every 60 seconds using delta sampling. If the delta reaches the rising threshold of 1000 packets it triggers event 2; if it drops to the falling threshold of 1 packet it triggers event 3. After the rising alarm fires it will not fire again until the falling threshold has been crossed (and vice versa), so you get one notification per excursion rather than one every interval.

We now need to define the events
r4(config)#rmon event 2 log description interface-fa0/1-over-100ppm
so for event 2 we will get a log message saying interface-fa0/1-over-100ppm

for event 3

r4(config)#rmon event 3 log description interface-fa0/1-is-not-transmitting

r4#sh rmon alarms
Alarm 1 is active, owned by config
 Monitors ifOutUcastPkts.2 every 60 second(s)
 Taking delta samples, last value was 6
 Rising threshold is 1000, assigned to event 2
 Falling threshold is 1, assigned to event 3
 On startup enable rising or falling alarm
r4#

r4#
*Feb 24 13:23:01.855: %RMON-5-RISINGTRAP: Rising trap is generated because the value of
ifOutUcastPkts.2 exceeded the rising-threshold value 1000

r4#sh rmon alarms
Alarm 1 is active, owned by config
 Monitors ifOutUcastPkts.2 every 60 second(s)
 Taking delta samples, last value was 1106
 Rising threshold is 1000, assigned to event 2
 Falling threshold is 1, assigned to event 3
 On startup enable rising or falling alarm
r4#