Virtual Router Redundancy Protocol
- A standards-based First Hop Redundancy Protocol (FHRP)
- Master & Backup router
- Only need 2 IP addresses but not recommended.
- Advertisement Interval 1 sec
- Unable to track interface but can use Object tracking for Interface State
HSRP vs VRRP comparison
|HSRP||VRRP|
|Cisco Proprietary||Industry Standard|
|RFC 2281||RFC 3768|
|Active Router||Master Router|
|Standby Router||Backup Router|
|Preempt Option Not Enabled by Default||Preempt Option Enabled by Default|
|Default Hello Interval: 3 sec||Default Master Advertisement Interval: 1 sec|
|Default Holdtime: 10 sec||Master Down Interval: (3 * Master_Advertisement_Interval) + ((256 - VRRP_Priority) / 256), e.g. (3 * 1) + ((256 - 110) / 256) = 3.570|
|Cannot use Interface IP as Virtual IP address||Can use Interface IP as Virtual IP address|
SW1# conf t
SW1(config)# int Fa0/1
SW1(config-if)# vrrp 10 ip 10.1.1.1
SW1(config-if)# vrrp 10 priority 110
Preempt is enabled by default for VRRP
SW2# conf t
SW2(config)# int Fa0/1
SW2(config-if)# vrrp 10 ip 10.1.1.1
Default priority is also 100 for VRRP. Preempt is enabled by default.
SW1# show vrrp brief
SW1# show vrrp
Master Down interval: (3 * 1) + ((256 - 110) / 256) = 3.570
Formula: (3 * Master_Advertisement_Interval) + ((256 - VRRP_Priority) / 256)
SW2# show vrrp brief
SW2# show vrrp
Master Down interval: (3 * 1) + ((256 - 100) / 256) = 3.609
Formula: (3 * Master_Advertisement_Interval) + ((256 - VRRP_Priority) / 256)
VRRP – Test interface shutdown
SW1# show vrrp brief
SW1# conf t
SW1(config)# int fa0/1
SW1(config-if)# shutdown
SW2 became Master automatically
PC lost about 3 pings during transition
VRRP – Master back online
SW1 (Bring interface up)
SW2 became Backup router from Master
PC lost only 1 ping during transition
VRRP tracking interface
SW1# show ip int br
SW1# conf t
SW1(config)# track 1 interface Fa0/0 line-protocol
SW1(config-track)# int Fa0/1
SW1(config-if)# vrrp 10 track 1 decrement 20
Check the priority before and after shutting down the tracking WAN interface (Fa0/0)
From Priority 100 to 90. Became Backup router from Master.
Priority value decremented by 20
SW1(config-if)#do show vrrp
SW2 became Master router
SW1# conf t
SW1(config)# int Fa0/1
SW1(config-if)# vrrp 10 authentication md5 key-string cisco
SW2# conf t
SW2(config)# int fa0/1
SW2(config-if)# vrrp 10 authentication md5 key-string cisco
Verify authentication on both sides.
Gateway Load Balancing Protocol
- A Cisco-proprietary First Hop Redundancy Protocol (FHRP) that can load balance within a single GLBP group
- Must have phantom IP address. The virtual IP cannot be same as physical interface just like HSRP.
- GLBP sends messages to the multicast group 224.0.0.102. Same as HSRP version 2.
- GLBP has same Timers as HSRP
Hello interval: 3 seconds.
Holdtime Timer: 10 seconds
- GLBP supports both Plain Text & MD5 Authentication
- AVG (Active Virtual Gateway)
Responds to ARP requests from hosts and assigns virtual MAC addresses to members of the GLBP group
- AVF (Active Virtual Forwarder)
A member of a GLBP group that discovers an Active Virtual Gateway (AVG) based on Hello messages, and learns its virtual MAC address from that AVG
- 4 max AVF
- GLBP is recommended for Routers.
If you are using L3 switch, you may go with HSRP instead due to STP
- Preemption is not enabled by default
GLBP Load Balancing options
R1# conf t
R1(config)# int Fa0/1
R1(config-if)# glbp 10 ip 10.1.1.1
R1(config-if)# glbp 10 priority 110
R1(config-if)# glbp 10 preempt
R1(config-if)# glbp 10 authentication md5 key-string cisco
R2# conf t
R2(config)# int Fa0/1
R2(config-if)# glbp 10 ip 10.1.1.1
R2(config-if)# glbp 10 preempt
R2(config-if)# glbp 10 authentication md5 key-string cisco
GLBP – verify setting
R1# show glbp brief
R2# show glbp brief
R1# show glbp
R2# show glbp
GLBP – Load balancing test from PC1 & PC2
PC1# show arp
PC2# show arp
GLBP – test and confirm routes taking from PC1 & PC2
PC1# traceroute 192.168.32.1
PC2# traceroute 192.168.32.1
GLBP – AVG down test
Shutdown local interface of R1
R1(config-if)# shutdown
R1# show glbp brief
R2 took over the role of AVG and services both AVF1 & AVF2
R2# show glbp brief
GLBP – clients continue to use AVF1 & AVF2 even after R1 failure
PC1 took AVF1 MAC address
PC2 took AVF2 MAC address
Notice PC1 & PC2 used different MAC addresses even though they took the same path 10.1.1.3
The IP 10.1.1.1 is phantom (floating) address.
GLBP – Redirect Time
How long an AVG will respond to ARP queries with the virtual MAC address of a failed AVF.
Default Redirect time is 600 sec = 10 mins
R2# show glbp
GLBP – Forwarder Time-Out
How long a backup AVF will accept frames destined for the virtual MAC address of a failed AVF
Default Forwarder Time-out is 14400 sec = 240 mins = 4 hours
R2# show glbp
GLBP – Reduce weight based on network condition
GLBP weight is 100 by default.
R2(config-if)# glbp 10 weighting 100 lower 50 upper 80
If weight drops below 50, R2 will no longer be AVF.
R2 must exceed weight 80 to become AVF again.
GLBP – Object tracking
Make R2 track its wan interface
R2# show ip int br
R2# conf t
R2(config)# track 1 interface Fa0/0 line-protocol
Make R2 reduce weight based on tracking object (WAN)
R2(config-track)# int Fa0/1
R2(config-if)# glbp 10 weighting track 1 decrement 51
Result of WAN interface down on R2
R2 is no longer AVF
R1 is serving both AVF1 & AVF2
GLBP Weighted Load Balancing
R1(config-if)# glbp 10 load-balancing weighted
GLBP – Change weight
Default weight is 100
Reduce RX weighting to 50
Rx# conf t
Rx(config)# int Fa0/1
Rx(config-if)# glbp 10 weighting 50
Native IPv6 First Hop Redundancy
- RA (Router Advertisement)
An ICMP Type 134 packet (part of the IPv6 Neighbor Discovery Protocol suite) that can advertise default gateway information to an IPv6 client.
HSRP for IPv6
Enable IPv6 on both devices
SW1(config)# ipv6 unicast-routing
Set IPv6 address on LAN interface
SW1(config)# int fa0/1
SW1(config-if)# ipv6 address autoconfig
R1. Configure HSRP with IPv6
SW1# conf t
SW1(config)# int Fa0/1
SW1(config-if)# standby version 2
SW1(config-if)# standby 20 ipv6 autoconfig
SW1(config-if)# standby 20 preempt
SW1(config-if)# standby 20 priority 110
R2. Configure HSRP with IPv6
SW2# conf t
SW2(config)# int fa0/1
SW2(config-if)# standby version 2
SW2(config-if)# standby 20 ipv6 autoconfig
SW2(config-if)# standby 20 preempt
HSRP on IPV6 – Check and verify it’s working
SW1# show standby brief
SW1# show standby
SW2# show standby brief
SW2# show standby
Check the default route from PC learned automatically via IPv6 advertisement
PC# show ipv6 int fa0/0
MAC Flooding Attack
MAC Flooding Attack causes CAM table overflow
Occurs when an attacker overflows a switch’s CAM table by sending multiple frames into the switch, each claiming to be from a different MAC address.
Note: This causes the switch to act much like a hub, meaning that the attacker can capture packets flowing through the switch.
A Cisco Catalyst switch feature that can make sure we don’t have too many MAC addresses or any disallowed MAC addresses, connected off a specific switch port.
- Port must be in Access mode
- Cannot be in Trunk mode. No Dynamic mode
SW250# conf t
SW250(config)# int Gi1/0/13
SW250(config-if)# switchport mode access
SW250(config-if)# switchport port-security
SW250(config-if)# switchport port-security maximum 2
SW250(config-if)# switchport port-security mac-address sticky
A Port Security violation action that allows permitted MAC addresses to flow through a port, while disallowed MAC addresses are dropped.
SW250(config-if)# switchport port-security violation protect
A Port Security violation action that allows permitted MAC addresses to flow through a port, drops disallowed MAC addresses and increments the switch’s Security Violation counter.
SW250(config-if)# switchport port-security violation restrict
A Port Security violation action that places a port in the Error Disabled state and sends an SNMP Trap (if the switch is configured for SNMP)
SW250(config-if)# switchport port-security violation shutdown
Error Disabled Port Automatic Recovery
A Cisco Catalyst switch feature that allows a port in an Error Disabled state to attempt to come out of that state if the condition causing the port to be in the Error Disabled state has been resolved.
Default is 300 sec = 5 mins.
SW250# conf t
SW250(config)# errdisable recovery cause psecure-violation
SW250(config)# errdisable recovery interval 30
SW250# show errdisable recovery
SW250# show port-security
Show Port-security address
SW250# show port-security address
Show port-security interface
SW250# show port-security int Gi1/0/13
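A simplified model of the three violation actions described above, added here as an illustration (it is not from the original notes or from Cisco). The class, function and sample MAC addresses are constructed; the port uses the maximum of 2 sticky addresses configured above.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 2                  # switchport port-security maximum 2
    violation: str = "shutdown"       # protect | restrict | shutdown
    sticky: set = field(default_factory=set)  # MACs learned via "sticky"
    violations: int = 0               # Security Violation counter
    err_disabled: bool = False

    def receive(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame with this source MAC."""
        if self.err_disabled:
            return "drop"             # port stays down until recovery
        mac = src_mac.lower()
        if mac in self.sticky:
            return "forward"
        if len(self.sticky) < self.maximum:
            self.sticky.add(mac)      # still room: learn the address
            return "forward"
        if self.violation == "protect":
            return "drop"             # silent drop, counter untouched
        self.violations += 1          # restrict and shutdown both count it
        if self.violation == "shutdown":
            self.err_disabled = True  # Error Disabled state
        return "drop"

    def errdisable_recover(self) -> None:
        """Models the errdisable recovery timer expiring."""
        self.err_disabled = False


# Constructed traffic: two real hosts, two flooded source MACs, then host 1 again.
FRAMES = ["aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02",
          "02:00:00:00:00:01", "02:00:00:00:00:02", "aa:aa:aa:00:00:01"]


def replay(violation: str, macs=FRAMES):
    """Run the frames through a fresh port; return verdicts, counter, state."""
    port = SecurePort(violation=violation)
    verdicts = [port.receive(m) for m in macs]
    return verdicts, port.violations, port.err_disabled


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, replay(mode))
```

Only the shutdown action stops the already-learned host as well, which is why it is usually paired with the errdisable recovery settings shown above.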
A Cisco Catalyst switch feature that can detect a unicast, broadcast or multicast traffic storm on a switch port and respond by putting the port into an Error Disabled state and/or sending SNMP trap.
Storm Control Broadcast
Rising threshold: 10%
Falling threshold: 5%
SW250# conf t
SW250(config)# int Gi1/0/13
SW250(config-if)# storm-control broadcast level 10 5
Storm Control Multicast
Rising threshold bps: 20Mbps (Megabits per second)
Falling threshold bps: 10Mbps (megabits per second)
SW250(config-if)# storm-control multicast level bps 20m 10m
Storm Control Unicast
Rising threshold pps: 50K (packets per second)
Falling threshold: Not entered.
Means same as Rising threshold of 50k packets per second.
SW250(config-if)# storm-control unicast level pps 50k
Storm Control Action
Interface will be shutdown if a storm occurs
Sends SNMP trap if a storm occurs
SW250(config-if)# storm-control action shutdown
Storm Control – verify storm configuration
SW250# show storm-control
SW250# show storm-control multicast
SW250# show storm-control unicast
Private VLAN vs regular VLAN
Regular VLAN
- Different VLANs normally map to different IP subnets.
- Has its own gateway
Private VLAN
- Hosts in different PVLANs still belong to the same IP subnet.
- If hosts need to reach each other, their traffic has to go out of the LAN and come back in.
- Cannot reach each other in the local network even though they are in same IP subnet
- PVLAN is mainly used in ISPs preventing their customers from accessing each other through LAN while saving the address space
VLANs inside of another VLAN, which are isolated from one another at Layer 2, but can communicate with one another using Layer 3 routing.
Although users are in the same IP subnet (in terms of PVLAN) they can not reach each other through the local network
A VLAN that can contain a collection of private VLANs (e.g subdomains)
All ports belonging to the private VLANs should also be configured to belong to the primary VLAN.
A type of private VLAN that can contain multiple ports connected to hosts that are able to communicate with one another at Layer 2.
A type of private VLAN containing one host port that cannot communicate at Layer 2 with ports in any other private VLAN.
A port assigned to the primary VLAN that can communicate with all community and isolated ports
A port belonging to a community VLAN that shares a broadcast domain with other ports in the community VLAN.
A port belonging to an isolated VLAN that resides in its own broadcast domain
Private VLAN – Configuration (create primary vlan 150)
VTP must be turned off or in transparent mode
SW251# conf t
SW251(config)# vtp mode transparent
SW251(config)# vlan 150
SW251(config-vlan)# private-vlan primary
Private VLAN – Configuration (create community vlan 151)
SW251# conf t
SW251(config)# vlan 151
SW251(config-vlan)# private-vlan community
Private VLAN – Configuration (create isolated vlan 152)
SW251# conf t
SW251(config)# vlan 152
SW251(config-vlan)# private-vlan isolated
Private VLAN configuration (Isolated vlan 153)
SW251# conf t
SW251(config)# vlan 153
SW251(config-vlan)# private-vlan isolated
Private VLAN – Interface Fa0/1 promiscuous port
SW251# conf t
SW251(config)# int fa0/1
SW251(config-if)# switchport mode private-vlan promiscuous
SW251(config-if)# switchport private-vlan mapping 150 add 151,152,153
Private VLAN – Interface Fa0/2 & Fa0/3 host ports (community vlan 151)
SW251# conf t
SW251(config)# int range fa0/2-3
SW251(config-if-range)# switchport mode private-vlan host
SW251(config-if-range)# switchport private-vlan host-association 150 151
Private VLAN – Fa0/4 isolated vlan 152
SW251# conf t
SW251(config)# int fa0/4
SW251(config-if)# switchport mode private-vlan host
SW251(config-if)# switchport private-vlan host-association 150 152
Private VLAN – Fa0/5 isolated vlan 153
SW251# conf t
SW251(config)# int fa0/5
SW251(config-if)# switchport mode private-vlan host
SW251(config-if)# switchport private-vlan host-association 150 153
Show vlan private-vlan
Show interface fa0/1 switchport
SW251# show int fa0/1 switchport
Show interface fa0/2 switchport
SW251# show int fa0/2 switchport
Protected Port Feature
Allows a port on a single switch to be isolated from other protected ports on that same switch but not from unprotected ports on that switch.
- Protected port is unable to communicate with another Protected port (even in the same vlan)
- Protected port is not isolated from unprotected ports
- Not carried to another switch. Trunk port doesn’t help.
- Only locally significant. Unable to send over a Trunk port.
SW251# conf t
SW251(config)# int Fa0/6
SW251(config-if)# switchport protected
SW251# show int Fa0/6 switchport
DHCP Snooping attack
Attacker has a DHCP server, which responds to a DHCP Discover message sent from a DHCP client.
Allows a Cisco Catalyst switch port to reject packets coming in from a DHCP server if that port is set to an untrusted state.
- D Discover (Broadcast)
- O Offer
- R Request
- A Acknowledgement
A command that allows a router to forward a DHCP broadcast (e.g the DHCP Discover message) to a DHCP server on a different subnet.
Router(config-if)# ip helper-address X.X.X.X
DHCP Snooping – Configuration
Enable DHCP Snooping
SW251# conf t
SW251(config)# ip dhcp snooping
Enable DHCP Snooping on vlan 192
SW251(config)# ip dhcp snooping vlan 192
SW251(config)# ! Now all the ports in vlan 192 are in untrusted state
DHCP Snooping – Make Fa0/1 trusted (DHCP server on this port)
SW251# conf t
SW251(config)# int Fa0/1
SW251(config-if)# ip dhcp snooping trust
SW251(config-if)# ! Now only DHCP server from Fa0/1 can issue IP addresses
DHCP Snooping – Denial of Service attack (Flooding)
Countermeasure for DHCP flooding. Limit DHCP rate for all client ports
SW251# conf t
SW251(config)# int range Fa0/2-48
SW251(config-if-range)# ip dhcp snooping limit rate 100
SW251(config-if-range)# ! Rate is in packets per second
DHCP Snooping – verify setting
SW251# show ip dhcp snooping
DHCP Snooping – show DHCP snooping binding
Show ip dhcp snooping binding
SW251> show ip dhcp snooping binding
DHCP Option 82
Causes a DHCP Request packet to contain information indicating the switch port from which the DHCP Request came.
IP Spoofing attack
An attack where a malicious user falsifies (“spoofs”) their IP address to an IP address that is allowed to access secured resources.
uRPF (Unicast Reverse Path Forwarding)
A router feature that can block a packet arriving on an interface if the router’s IP routing table indicates a different interface should be used to reach the packet’s source IP address
- Works only if the attacker is on another interface of the router.
- In this example, the attacker is on the same interface of the router (on same switch as genuine Client)
IP Source Guard
A switch feature that creates an IP address (and optionally MAC address) to port mapping table, and can drop a packet arriving on a specific port from a device claiming to have a source IP address (and optionally a source MAC address) that is not consistent with the mapping table.
IP Source Guard – Configuration
Enable IP Source Guard for all Client ports
SW251# conf t
SW251(config)# int range Fa0/2-48
SW251(config-if-range)# ip verify source
Do not enable this on Trunk port. I got disconnected from SW251. You may overload ACL hardware resource.
IP Source Guard – verification
SW251# show ip verify source
Dynamic ARP Inspection
Gratuitous ARP Man-in-the-Middle Attack
An attack where the attacker sends unsolicited ARP replies to the attack target, claiming that the attacker’s MAC address is the MAC address of the attack target’s default gateway.
Dynamic ARP Inspection
Checks the contents of ARP messages against a table of IP-to-MAC address bindings, and drops ARP messages not consistent with the bindings, which were learned via DHCP Snooping.
Before turning on ARP inspection, ensure the Trunk port is trusted
SW251# conf t
SW251(config)# int range Fa0/47-48
SW251(config-if-range)# ip arp inspection trust
Enable ARP inspection
SW251# conf t
SW251(config)# ip arp inspection vlan 192
Show ip arp inspection
SW251# show ip arp inspection
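How the DHCP snooping binding table feeds both IP Source Guard and Dynamic ARP Inspection, as an added toy model in Python (not part of the original notes, and not switch code). The class and method names and the sample addresses are constructed; the port roles follow the configuration above (Fa0/1 trusted for DHCP, Fa0/47-48 trusted for ARP).

```python
class Switch:
    def __init__(self):
        self.dhcp_trusted = {"Fa0/1"}             # ip dhcp snooping trust
        self.arp_trusted = {"Fa0/47", "Fa0/48"}   # ip arp inspection trust
        self.pending = {}    # client MAC -> port its DISCOVER/REQUEST arrived on
        self.bindings = {}   # port -> (ip, mac): the DHCP snooping binding table

    def dhcp(self, port, msg, mac, ip=None):
        """DHCP snooping: server replies are accepted on trusted ports only."""
        if msg in ("OFFER", "ACK"):
            if port not in self.dhcp_trusted:
                return "drop"                     # reply from an untrusted port
            if msg == "ACK" and mac in self.pending:
                self.bindings[self.pending[mac]] = (ip, mac)  # learn the lease
            return "forward"
        self.pending[mac] = port                  # DISCOVER / REQUEST from client
        return "forward"

    def source_guard(self, port, src_ip, src_mac=None):
        """IP Source Guard: source IP (optionally MAC) must match the binding."""
        bound = self.bindings.get(port)
        if bound is None or bound[0] != src_ip:
            return "drop"    # also the fate of every packet on an unbound port
        if src_mac is not None and bound[1] != src_mac:
            return "drop"
        return "forward"

    def arp_inspect(self, port, sender_ip, sender_mac):
        """Dynamic ARP Inspection: ARP sender fields must match the binding."""
        if port in self.arp_trusted:
            return "forward"
        ok = self.bindings.get(port) == (sender_ip, sender_mac)
        return "forward" if ok else "drop"


# Constructed sample addresses.
GW_IP, PC_IP = "192.168.32.1", "192.168.32.50"
PC_MAC, ROGUE_MAC = "aa:aa:aa:00:00:02", "02:00:00:00:00:66"


def demo():
    """PC on Fa0/2 gets a lease; a second device on Fa0/9 misbehaves."""
    sw = Switch()
    return {
        "discover": sw.dhcp("Fa0/2", "DISCOVER", PC_MAC),
        "rogue_offer": sw.dhcp("Fa0/9", "OFFER", PC_MAC, "10.66.66.5"),
        "real_ack": sw.dhcp("Fa0/1", "ACK", PC_MAC, PC_IP),
        "pc_packet": sw.source_guard("Fa0/2", PC_IP, PC_MAC),
        "spoofed_ip": sw.source_guard("Fa0/9", PC_IP),
        "pc_arp": sw.arp_inspect("Fa0/2", PC_IP, PC_MAC),
        "gateway_spoof_arp": sw.arp_inspect("Fa0/9", GW_IP, ROGUE_MAC),
        "arp_from_trunk": sw.arp_inspect("Fa0/48", GW_IP, "aa:aa:aa:00:00:fe"),
    }
```

In this model a port with no binding passes nothing through `source_guard`, and an ARP message from a port that is neither trusted nor bound is dropped, which is why the trunk ports are trusted before inspection is enabled.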
Authentication Authorization Accounting
- Authentication: Who are you?
- Authorization: What are you allowed to do?
- Accounting: What did you do?
TACACS vs RADIUS
TACACS+
- AAA all separated
- Two-way challenge response
- Encrypts entire packet
RADIUS
- AAA combined
- One-way challenge response
- Only encrypts password
- Does Accounting function better
SW251# conf t
SW251(config)# aaa new-model
Configure radius server
SW251(config)# radius-server host 192.168.32.8 key cisco
Configure Tacacs server
SW251(config)# tacacs-server host 192.168.32.8 key cisco
Configure group of servers
SW251(config)# aaa group server radius R-GROUP
SW251(config-sg-radius)# server 192.168.32.8
SW251(config-sg-radius)# server 192.168.32.9
Failover to local
SW251# conf t
SW251(config)# username cisco secret cisco
SW251(config)# aaa authentication login default group R-GROUP local