CCNP 300-115 Switch study Part 2/2

VRRP

Virtual Router Redundancy Protocol

A standards-based First Hope Redundancy Protocol (FHRP)
Master & Backup router
Only need 2 IP addresses but not recommended.
Advertisement Interval 1 sec
Unable to track interface but can use Object tracking for Interface State

HSRP vs VRRP comparison

HSRP	VRRP
Cisco Proprietary	Industry Standard
RFC 2281	RFC 3768
Active Router	Master Router
Standby Router	Backup Router
0000.0c07.acXX (v1) 0000.0c9f.fXXX (v2)	0000.5e00.01XX
Preempt Option Not Enabled by Default	Preempt Option Enabled by Default
Default Hello Interval: 3 sec	Default Master Advertisement Interval: 1 sec
Default Holdtime: 10 sec	Master Down Interval: 3 * Master_Advertisement_interval + (256 – VRRP_Priority)/256) 31 + (256-110*)/256) = 3.570
224.0.0.2 (v1) 224.0.0.102 (v2)	224.0.0.18
Cannot use Interface IP as Virtual IP address	Can use Interface IP as Virtual IP address

VRRP configuration

SW1 (Master)

SW1# conf t
SW1(config)# int Fa0/1
SW1(config-if)# vrrp 10 ip 10.1.1.1
SW1(config-if)# vrrp 10 priority 110

Preempt is enabled by default for VRRP

SW2 (Backup)

SW2#conf t
SW2(config)# int Fa0/1
SW2(config-if)# vrrp 10 ip 10.1.1.1

Default priority is also 100 for VRRP. Preempt is enabled by default.

VRRP verification

SW1 (Master)

SW1# show vrrp brief
SW1# show vrrp

Master Down interval: 3*1 + (256-110)/256) = 3.570

Formular: 3 * Master_Advertisement_interval + (256 – VRRP_Priority)/256)

SW2 (Backup)

SW2# show vrrp brief
SW2# show vrrp

Master Down interval: 3*1 + (256-100)/256) = 3.609

Formular: 3 * Master_Advertisement_interval + (256 – VRRP_Priority)/256)

VRRP – Test interface shutdown

SW1

SW1# show vrrp brief
SW1# conf t
SW1(config)# int fa0/1
SW1(config-if)# shutdown

SW2 became Master automatically

PC lost about 3 pings during transition

VRRP – Master back online

SW1 (Bring interface up)

SW1(config-if)#no shutdown

SW2 became Backup router from Master

PC lost only 1 ping during transition

VRRP tracking interface

SW1

SW1# show ip int br
SW1# conf t
SW1(config)# track 1 interface Fa0/0 line-protocol
SW1(config-track)# int Fa0/1
SW1(config-if)# vrrp 10 track 1 decrement 20

Check the priority before and after shutting down the tracking WAN interface (Fa0/0)

From Priority 100 to 90. Became Backup router from Master.

Priority value decremented by 20

SW1(config-if)#do show vrrp

SW2 became Master router

VRRP Authentication

SW1

SW1# conf t
SW1(config)# int Fa0/1
SW1(config-if)# vrrp 10 authentication md5 key-string cisco

SW2

SW2# conf t
SW2(config)# int fa0/1
SW2(config-if)# vrrp 10 authentication md5 key-string cisco

Verify authentication on both side.

GLBP

Gateway Load Balancing Protocol

A Cisco-proprietary First Hop Redundancy Protocol (FHRP) that can load balance within a single GLBP group
Must have phantom IP address. The virtual IP cannot be same as physical interface just like HSRP.
GLBP sends messages to the multicast group of 224.0.0.102. Same as HSRP version 2.
GLBP has same Timers as HSRP
Hello interval: 3 seconds.
Holdtime Timer: 10 seconds
GLBP supports both Plain Text & MD5 Authentication
AVG (Active Virutal Gateway)
Responds to ARP requests from hosts and assigns virtual MAC addresses to members of the GLBP group
AVF (Active Virtual Forwarder)
A member of a GLBP group that discovers an Active Virtual Gateway (AVG) based on Hello messages, and learns its virtual MAC address from that AVG
4 max AVF
GLBP is recommended for Routers.
If you are using L3 switch, you may go with HSRP instead due to STP
Preemption is not enabled by default

GLBP Load Balancing options

Round-Robin
Host-Dependent
Weighted

GLBP configuration

R1# conf t
R1(config)# int Fa0/1
R1(config-if)# glbp 10 ip 10.1.1.1
R1(config-if)# glbp 10 priority 110
R1(config-if)# glbp 10 preempt
R1(config-if)# glbp 10 authentication md5 key-string cisco

R2# conf t
R2(config)# int Fa0/1
R2(config-if)# glbp 10 ip 10.1.1.1
R2(config-if)# glbp 10 preempt
R2(config-if)# glbp 10 authentication md5 key-string cisco

GLBP – verify setting

R1# show glbp brief

R2# show glbp brief

R1# show glbp

R2# show glbp

GLBP – Load balancing test from PC1 & PC2

PC1# show arp

PC2# show arp

GLBP – test and confirm routes taking from PC1 & PC2

PC1# traceroute 192.168.32.1

PC2# traceroute 192.168.32.1

GLBP – AVG down test

Shutdown local interface of R1

R1(config-if)# shutdown
R1# show glbp brief

R2 took over the role of AVG and service both AVF1 & AVF2

R2# show glbp brief

GLBP – clients continues to use AVF1 & AVF2 even after R1 failure

PC1 took AVF1 MAC address

PC2 took AVF2 MAC address

Notice PC1 & PC2 used different MAC address even though they took the same path 10.1.1.3

The IP 10.1.1.1 is phantom (floating) address.

GLBP – Redirect Time

How long an AVG will respond to ARP queries with the virtual MAC address of a failed AVF.

Default Redirect time is 600 sec = 10 mins

R2# show glbp

GLBP – Forwarder Time-Out

How long a backup AVF will accept frames destined for the virtual MAC address of a failed AVF

Default Forwarder Time-out is 14400 sec = 240 mins = 4 hours

R2# show glbp

GLBP – Reduce weight based on network condition

GLBP weight is 100 by default.

R2(config-if)# glbp 10 weighting 100 lower 50 upper 80

If weight drops below 50, R2 will no longer be AVF.
R2 must exceeds weight 80 to become AVF again.

GLBP – Object tracking

Make R2 track its wan interface

R2# show ip int br
R2# conf t
R2(config)#track 1 interface Fa0/0 line-protocol

Make R2 reduce weight based on tracking object (WAN)

R2(config-track)#int Fa0/1
R2(config-if)#glbp 10 weighting track 1 decrement 51

Result of WAN interface down on R2

R2 is no longer AVF

R1 is serving both AVF1 & AVF2

GLBP Weighted Load Balancing

R1(config-if)# glbp 10 load-balancing weighted

GLBP – Change weight

Default weigh is 100

Reduce RX weighting to 50

Rx# conf t
Rx(config)# int Fa0/1
Rx(config-if)# glbp 10 weighting 50

Native IPv6 First Hop Redundancy

RA (Router Advertisement)
An ICMP Type 134 packet (part of the IPv6 Neighbor Discover Protocol suite) that can advertise default gateway information to an IPv6 client.

HSRP for IPv6

Enable IPv6 on both devices

SW1(config)# ipv6 unicast-routing

Set IPv6 address on LAN interface

SW1(config)# int fa0/1
SW1(config-if)# ipv6 address autoconfig

R1. Configure HSRP with IPv6

SW1# conf t
SW1(config)# int Fa0/1
SW1(config-if)# standby version 2
SW1(config-if)# standby 20 ipv6 autoconfig
SW1(config-if)# standby 20 preempt
SW1(config-if)# standby 20 priority 110

R2. Configure HSRP with IPv6

SW2#conf t
SW2(config)#int fa0/1
SW2(config-if)#standby version 2
SW2(config-if)#standby 20 ipv6 autoconfig
SW2(config-if)#standby 20 preempt

HSRP on IPV6 – Check and verify it’s working

SW1# show standby brief
SW1# show standby

SW2# show standby brief
SW2# show standby

Check the default route from PC learned automatically via IPv6 advertisement

PC# show ipv6 int fa0/0

MAC Flooding Attack

MAC Flooding Attack causes CAM table overflow

Occurs when an attacker overflows a switch’s CAM table by sending multiple frames into the switch, each claiming to be from a different MAC address.

Note: This causes the switch to act much like a hub, meaning that the attacker can capture packets flowing through the switch.

Port Security

A Cisco Catalyst switch feature that can make sure we don’t have too many MAC addresses or any disallowed MAC addresses, connected off a specific switch port.

Port must be in Access mode
Cannot be in Trunk mode. No Dynamic mode

SW250# conf t
SW250(config)# int Gi1/0/13
SW250(config-if)# switchport mode access
SW250(config-if)# switchport port-security
SW250(config-if)# switchport port-security maximum 2
SW250(config-if)# switchport port-security mac-address sticky

Port-Security violation

Protect
Restrict
Shutdown

Port-Security Protect

A Port Security violation action that allows permitted MAC addresses to flow through a port, while disallowed MAC addresses are dropped.

SW250(config-if)# switchport port-security violation protect

Port-Security Restrict

A Port Security violation action that allows permitted MAC addresses to flow through a port, dropps disallowed MAC addresses and increments the switch’s Security Violation counter.

SW250(config-if)# switchport port-security violation restrict

Port-Security Shutdown

A Port Security violation action that places a port in the Error Disabled state and sends an SNMP Trap (if the swithc is configured for SNMP)

SW250(config-if)# switchport port-security violation shutdown

Error Disabled Port Automatic Recovery

A Cisco Catalyst switch feature that allows a port in an Error Disabled state to attempt to come out of that state if the condition causing the port to be in the Error Disabled state has been resolved.

Default is 300 sec = 5 mins.

SW250# conf t
SW250(config)# errdisable recovery cause psecure-violation
SW250(config)# errdisable recovery interval 30

Show current

SW250# show errdisable recovery

Show Port-security

SW250# show port-security

Show Port-security address

SW250# show port-security address

Show port-security interface

SW250# show port-security int Gi1/0/13

Storm Control

A Cisco Catalyst switch feature that can detect a unicast, broadcast or multicast traffic storm on a switch port and respond by putting the port into an Error Disabled state and/or sending SNMP trap.

Storm Control Broadcast

Rising threshold: 10%
Falling threshold: 5%

SW250# conf t
SW250(config)# int Gi1/0/13
SW250(config-if)# storm-control broadcast level 10 5

Storm Control Multicast

Rising threshold bps: 20Mbps (Megabits per second)
Falling threshold bps: 10Mbps (megabits per second)

SW250(config-if)# storm-control multicast level bps 20m 10m

Storm Control Unicast

Rising threshold pps: 50K (packets per seconds)
Falling threshold: Not entered.

Means same as Rising threshold of 50k packets per seconds.

SW250(config-if)# storm-control unicast level pps 50k

Storm Control Action

shutdown
Interface will be shutdown if a storm occurs
trap
Sends SNMP trap if a storm occurs

SW250(config-if)# storm-control action shutdown

Storm Control – verify storm configuration

Show broadcast

SW250# show storm-control

Show multicast

SW250# show storm-control multicast

Show unicast

SW250# show storm-control unicast

Private VLAN vs regular VLAN

Regular VLAN

Different VLANs normally map to different IP subnets.
Has it’s own gateway

PVLAN

Hosts in different PVLANs still belong to the same IP subnet.
If hosts need to reach each other, they should go out and come in to the LAN.
Cannot reach each other in the local network even though they are in same IP subnet
PVLAN is mainly used in ISPs preventing their customers from accessing each other through LAN while saving the address space

Private VLANs

VLANs inside of another VLAN, which are isolated from one another at Layer 2, but can communicate with one another using Layer 3 routing.

Although users are in the same IP subnet (in terms of PVLAN) they can not reach each other through the local network

Primary VLAN

A VLAN that can contain a collection of private VLANs (e.g subdomains)

All ports belonging to the private VLANs should also be configured to belong to the primary VLAN.

Community VLAN

A type of private VLAN that can contain multiple ports connected to hosts that are able to communicate with one another at Layer 2.

Isolated VLAN

A type of private VLAN containing one host port that cannot communicate at Layer 2 with ports in any other private VLAN.

Promiscuous Port

A port assigned to the primary VLAN that can communicate with all community and isolated ports

Community Port

A port belonging to a community VLAN that shares a broadcast domain with other ports in the community VLAN.

Isolated Port

A port belonging to an isolated VLAN that resides in its own broadcast domain

Private VLAN – Configuration (create primary vlan 150)

VTP must be turned off or in transparent mode

SW251# conf t
SW251(config)# vtp mode transparent
SW251(config)# vlan 150
SW251(config-vlan)# private-vlan primary

Private VLAN – Configuration (create community vlan 151)

SW251# conf t
SW251(config)# vlan 151
SW251(config-vlan)# private-vlan community

Private VLAN – Configuration (create isolated vlan 152)

SW251# conf t
SW251(config)# vlan 152
SW251(config-vlan)# private-vlan isolated

Private VLAN configuration (Isolated vlan 153)

SW251# conf t
SW251(config)# vlan 153
SW251(config-vlan)# private-vlan isolated

Private VLAN – Interface Fa0/1 promiscuous port

SW251# conf t
SW251(config)# int fa0/1
SW251(config-if)# switchport mode private-vlan promiscuous
SW251(config-if)# switchport private-vlan mapping 150 add 151,152,153

Private VLAN – Interface Fa0/2 & Fa0/3 promiscuous host

SW251# conf t
SW251(config)# int range fa0/2-3
SW251(config-if-range)# switchport mode private-vlan host
SW251(config-if-range)# switchport private-vlan host-association 150 151

Private VLAN – Fa0/4 isolated vlan 152

SW251# conf t
SW251(config)# int fa0/4
SW251(config-if)# switchport mode private-vlan host
SW251(config-if)# switchport private-vlan host-association 150 152

Private VLAN – Fa0/5 isolated vlan 153

SW251# conf t
SW251(config-if) #int fa0/5
SW251(config-if)# switchport mode private-vlan host
SW251(config-if)# switchport private-vlan host-association 150 153

Show vlan private-vlan

Show interface fa0/1 switchport

SW251# show int fa0/1 switchport

Show interface fa0/2 switchport

SW251# show int fa0/2 switchport

Protected Port Feature

Allows a port on a single switch to be isolated from other protected ports on that same switch but not from unprotected ports on that switch.

Protected port is unable to communicate with another Protected port (even in the same vlan)
Protected port is not isolated from unprotected ports
Not carried to another switch. Trunk port doesn’t help.
Only locally significant. Unable to send over a Trunk port.

SW251# conf t
SW251(config)# int Fa0/6
SW251(config-if)# switchport protected

Verify protected

SW251# show int Fa0/6 switchport

DHCP Snooping attack

Attacker has a DHCP server, which responds to a DHCP Discover message sent from a DHCP client.

DHCP Snooping

Allows a Cisco Catalyst switch port to reject packets coming in from a DHCP server if that port is set to an untrusted state.

D Discover (Broadcast)
O Offer
R Request
A Acknowledgement

A command that allows a router to forward a DHCP broadcast (e.g the DHCP Discover message) to a DHCP server on a different subnet.

Router(config-if)# ip helper-address X.X.X.X

DHCP Snooping – Configuration

Enable DHCP Snooping

SW251# conf t
SW251(config)# ip dhcp snooping

Enable DHCP Snoopin on vlan 192

SW251(config)# ip dhcp snooping vlan 192
SW251(config)# ! Now all the ports in vlan 192 are in untrusted state

DHCP Snooping – Make Fa0/1 trusted (DHCP server on this port)

SW251# conf t
SW251(config)# int Fa0/1
SW251(config-if)# ip dhcp snooping trust
SW251(config-if)# !Now only DHCP server from Fa0/1 can issue IP addresses

DHCP Snooping – Denial of Service attack (Flooding)

Counter measure for DHCP flooding. Limit DHCP rate for all client ports

SW251# conf t
SW251(config)# int range Fa0/2-48
SW251(config-if-range)# ip dhcp snooping limit rate 100 !packets per seconds

DHCP Snooping – verify setting

SW251# show ip dhcp snooping

DHCP Snooping – show DHCP snooping binding

Show ip dhcp snooping binding

SW251> show ip dhcp snooping binding

DHCP Option 82

Causes a DHCP Request packet to contain information indicating the switch port from which the DHCP Request came.

IP Spoofing attack

An attack where a malicious user falsifies (“spoofs”) their IP address to an IP address that is allowed to access secured resources.

uRPF (Unicast Reverse Path Forwarding)

A router feature that can block a packet arriving on an interface if the router’s IP routing table indicates a different interface should be used to reach the packet’s source IP address

Works only if the attacker is on another interface of the router.
In this example, the attacker is on the same interface of the router (on same switch as genuine Client)

IP Source Guard

A switch feature that creates an IP address (and optionally MAC address) to port mapping table, and can drop a packet arriving on a specific port from a device claiming to have a source IP address (and optionally a source MAC address) that is not consistent with the mapping table.

IP Source Guard – Configuration

Enable IP Source Guard for all Client ports

SW251# conf t
SW251(config)# int range Fa0/2-48
SW251(config-if-range)# ip verify source

Do not enable this on Trunk port. I go disconnected from SW251. You may overload ACL hardware resource.

IP Source Guard – verification

SW251# show ip verify source

Dynamic ARP Inspection

Gratuitous ARP Man-in-the-Middle Attack

An attack where the attacker sends unsolicited ARP replies to the attack target, claiming that the attacker’s MAC address is the MAC address of the attack target’s default gateway.

DAI

Dynamic ARP Inspection

Checks the contents of ARP messages against a table of IP-to-MAC address bindings, and drops ARP messages not consistent with the bindings, which were learned via DHCP Snooping.

Before turning on ARP inspection, ensure the Trunk port is trusted

SW251# conf t
SW251(config)# int range Fa0/47-48
SW251(config-if-range)# ip arp inspection trust

Enable ARP inspection

SW251# conf t
SW251(config)# ip arp inspection vlan 192

Show ip arp inspection

SW251# show ip arp inspection

AAA

Authentication Authorization Accounting

Authentication: Who are you?
Authorization: What are you allowed to do?
Accounting: What did you do?

TACACS vs RADIUS

TACACS

Cisco-Proprietary
TCP
AAA all separated
Two-way challenge response
Encrypts entire packet

RADIUS

Industry-Standard
UDP
AAA combined
One-way challenge response
Only encrypts password
Does Accounting function better

Enable AAA

SW251# conf t
SW251(config)# aaa new-model

Configure radius server

SW251(config)# radius-server host 192.168.32.8 key cisco

Configure Tacacs server

SW251(config)# tacacs-server host 192.168.32.8 key cisco

Configure group of servers

SW251(config)# aaa group server radius R-GROUP
SW251(config-sg-radius)# server 192.168.32.8
SW251(config-sg-radius)# server 192.168.32.9

Failover to local

SW251# conf t
SW251(config)# username cisco secret cisco
SW251(config)# aaa authentication login default group R-GROUP local