How to configure 802.1X with AAA – Cisco Switch config

Below is a quick guide on 802.1x port-based authentication using a radius server for authentication.

 

- Firstly enable AAA

 

ALS1(config)#aaa new-model

 

- Configure the location of the Radius-server

 

ALS1(config)#radius-server host 172.16.1.1 key abc123

 

- Then configure what exactly needs authentication, along with how to authenticate it. In this case dot1x, using radius as the authentication method.

 

ALS1(config)#aaa authentication dot1x default group radius

- To globally enable dot1x (note this just “enables” the feature as such)

 

ALS1(config)#dot1x system-auth-control

 

- Following that, is configuring the access port, or group of access ports to use 802.1x to authenticate users against radius. Note, IOS may not show dot1x sub-commands if you haven’t configured the port as an access port.

 

ALS1(config-if)#int fa0/6

ALS1(config-if)#switchport mode access

ALS1(config-if)#dot1x port-control ?

auto PortState will be set to AUTO

force-authorized PortState set to Authorized

force-unauthorized PortState will be set to UnAuthorized

 

ALS1(config-if)#dot1x port-control auto

 

Auto

- Enables 802.1x port-based Authentication

 

Force-authorized

- Disables 802.1x on the port, and the port will auto transition to the authorized state.

 

Force-Unauthorized

- Causes the port to remain in the unauthorised state, effectively making the port useless.

 

Implementing Cisco Switched Networks Chapter 7 Review

This is my review and notes of Chapter 7 of “Implementing Cisco Switched Networks Foundation Learning Guide”.

Implementing-Cisco-IP-Switched-Networks-SWITCH-Foundation-Learning-Guide-Froom-CCIE-No-EB9781587141645

Chapter 7: Preparing the Campus Infrastructure for Advanced Services

WAFFLE WAFFLE WAFFLE. This chapter felt like “oh man, we totally need another chapter!”. When this book was first written, a lot of the content of this chapter was probably in the CCNP Switch exam. It covers topics that I’ve understood are now hardly touched on at all, if at it. Not to say it doesn’t still have some important topics in it. I read this chapter mainly to make sure I’ve covered every possible thing, but a lot of it I didn’t make notes on.

This chapter really went on and on about things that are common sense, especially things you should take into consideration when deploying voice, or video.

It did have some good content, but man it felt like there was a lot of extra stuff that just doesn’t matter for the exam.

What’s probably going to be in the exam:
- Just know the very simple things like important commands such as AutoQoS
- Very basic understanding of QoS, e.g. what DSCP and CoS is
- Very basic understanding of PIM-SM, PIM-DM
- Very basic understanding of IGMP, and IGMP Snooping

What the chapter also covers:
- Preparing your network for Wireless, Voice, and Video
- There was A LOT on each of these

Initially chapter is basically a spiel on why converged networks with video, voice, along with decent wifi connectivity are good.

Then goes into an introduction to WiFi, and its’ application in the Campus Network. I don’t have too many notes on this, mainly because I believe the exam doesn’t heavily focus on wireless and voice any more, as these have become more separate certification tracks of their own.

One point to make about wireless is the two deployment methods:

- Standalone WLAN Solution (also referred to as autonomous)
- Controller-based WLAN Solution

Traffic handling in a Controller-Based Solution
- Data and control messages are encapsulated between the access point and the WLC using the Control and Provisioning of Wireless Access Pooints (CAPWAP) or the LIghtweight Access Point Protocol (LWAPP). Both methods are standards based, but only LWAPP was adopted by Cisco.
- Control packets are enapsulated within the LWAPP or CAPWAP and encrypted.
- ^Same with Data traffic. The traffic is then switched at the WLC.

WLC is typically deployed at the distribution layer.

Hybrid Remote Edge Access Points (HREAP)
- Useful for providing HA of controller-based wireless solutions in remote offices.
- The purpose of these access points is to still offer wireless client connectivity when their connection to the controller (WLC) is lost.

Planning for the Campus Network to Support Voice

Again a lot on planning, and a lot on general considerations when implementing Voice.

- Voice uses UDP
- Voice is very much time sensitive traffic and a lot of thought needs to go into it when implementing.

Planning for the Campus Network to Support Video

Again talks about how it’s time sensitive, but in this case also very bandwidth hungry. This section was still several pages long, but I didn’t really feel like I read anything worth writing down. It was all pretty general, but obvious things to consider.

From these topics we come to something we really need to understand, and that is QoS.

Understanding QoS

Quality of Service refers to the prioritisation of different types of traffic. An example of its’ use is time critical traffic such as Voice packets not being swamped and lost due to lower priority traffic such as P2P consuming all the links bandwidth.

QoS allows you to have:
- Control over resources – Classifying high priority and low priority traffic
- More efficient use of network resources – By using network analysers, you can see a view of the traffic flows within your network and dedicate a higher priority to network resources that require it.
- Tailored services – In an ISP setting, better QoS can be sold at a price to customers who need it.
- Coexistence of mission-critical applications – Correct QoS configuration can ensure mission-critical apps are given exactly what they need.

Network Stability Issues
- Delay (latency)
- Delay variation (Jitter)
- Packet loss

QoS Service Models

- Best-effort service
Basically no QoS is applied, and the switch simply does FIFO (First In, First Out), so packets are simply transmitted out as they arrive in a queue

- Integrated Services (IntServ)
AKA hard QoS.
Implies that traffic flows are reserved explicitly by all intermediate systems and resources

-Differentiated Services (DiffServ)
AKA soft QoS.
Class-based, which some classes of traffic receive preferential handling over other traffic classes
DiffServ categorizes traffic, and then sorts it into queues of various efficiencies.

AutoQoS
Very handy Cisco feature that automates a lot of the QoS configuration

- Basically it does all the QoS config work for you, and therefore requires less of an understanding of QoS config, and enables more less experienced staff to deploy it.

AutoQoS covers:
- Application classification
- Policy generation
- Configuration
- Monitoring and reporting
- Consistency

Traffic Classification and Marking

- Layer 2 = CoS (Class of Service)

At Layer 2, 3 bits are available in 802.1Q frames for classification for up to eight distinct levels of service: 0 through to 7.

- Layer 3 = DSCP (Differentiated Services Code Point)

At Layer 3, QoS uses the six most significant ToS bits in the IP header for a DSCP field definition.
- Allows up to 64 distinct values (levls of service): 0 through to 63.
- Last 2 bits represent the Early Congestion Notification (ECN) bits.

Classification
- Distinguishes a frame or packet with a specific priority or predetermined criteria.
- For Cisco Catalyst switches, classification determines the internal DSCP value on frames. This is for internal QoS packet handling, including policing and scheduling as frames traverse the switch.

When planning QoS in the Campus Network, always apply QoS classification as close to the edge as possible, preferably in the access layer.

Trust Boundaries and Configurations

Covers how a frame is handled as it arrives in on the switch.

E.g. Switch receives a packet with a DSCP value of 46, the switch accepts the ingress QoS value, and internally also uses the same value.

Cisco switches support accepting DSCP, IP Precedence, or CoS values on ingress frames.

The following is the default mappings, for how each L2 and L3 classification is mapped between L2 and L3 respectively:

CoS

0

1

2

3

4

5

6

7

DSCP

0

8

16

24

32

40

48

56

 

IP Precedence

0

1

2

3

4

5

6

7

DSCP

0

8

16

24

32

40

48

56

Marking
Refers to changing the DSCP, CoS, or IP Precedence bits on ingress frames.
- Configurable on a per-interface basis via a policy-map.

Traffic Shaping and Policing

Shaping refers to metering traffic and buffering or delaying excessive traffic so that the traffic rate stays within a desired limit rate. Shaping therefore is not very good for delay-sensitive traffic flows such as voice, video, or storage, but is useful for typical, bursty TCP flows.

Policing differs in that it takes a specific action for out-of-profile traffic exceeding a specified limit.
Policing does not delay or buffer traffic.
Actions for exceeding traffic by default is block, but other options are available such as permissible, trusting, and marking.

Congestion Management

Covers several queuing mechanisms:
- FIFO queuing → switch places all egress frames into the same queue, regardless of classification. Packets are sent out in the same order that they are received.
- Weighted round robin (WRR) queueing → Popular and simple method of differentiating service among traffic classes. With WRR, the switch uses a configured weight value for each egress queue. This weight value determines the proportion of bandwidth of each queue.
- Priority queuing → Switch will process any traffic in the highest of queues before lower queues. Since this method can result in queue starvation in the nonpriority queues, the remaining queues are subject to the WRR queueing to avoid this issue.
- Custom queuing → Strictly for WAN.

Congestion Avoidance

Monitor network traffic loads in an effort to anticipate and avoid congestion at common network bottleneck points.

Then goes into some methods of collision avoidance such as Tail Drop, and Weighted Random Early Detection.

Introduction to IP Multicast in the Campus Network

Initially goes over some basic stuff about multicast, including application and different with unicast and broadcast.

Covers the different types of Multicast addresses:
- Reserved link local addresses – 224.0.0.0 – 224.0.0.255
- Globally scoped addresses – 224.0.1.0 – 238.255.255.255
- Source-specific multicast addresses 232.0.0.0 to 232.255.255.255 – PIM-SSM reserved
- GLOP addresses 233.0.0.0 to 233.255.255.255
- Limited-scope addresses 239.0.0.0 to 239.255.255.255

Multicast MAC Address Structure

Multicast IP addresses get mapped to L2 MAC addresses. Due to how the structuring of this works, each Multicast MAC address maps to 32 potential IP addresses. In other words, each multicast MAC address represents a possible 32 distinct IP multicast addresses.

Reverse Path Forwarding
Is a mechanism that performs an incoming interface check to determine whether to forward or drop an incoming multicast frame.

When a multicast router receives a multicast packet, it determines which direction is the upstream direction (toward the source) and which one is the downstream direction (toward the receiver). A router forwards multicast packets only if the packet is received on the correct upstream interface determined by the RPF process.

Multicast Forwarding Tree
- Source Trees
- Shared Trees

Comparison:
- Both source trees and shared trees avoid multicast traffic loops. Routing devices replicate the multicast packets only where the tree tranches.

Source Trees
- Maintains path information for each multicast source

Shared Trees
- Have the advantage of requiring the minimum amount of state information in each router.
- This lowers the overall memory requirements and complexity for a network that allows only shared trees.
- The disadvantage of shared trees is that, under certain circumstances, the paths between the source and receivers might not be the optimal path, which can introduce additional latency in packet delivery.
Shared trees might overuse some links and leave others unused. In comparison, source trees usually distribute traffic across a set of links.

IP Multicast Protocols

Similar to IP unicast, where it can its’ own routing, management, and L2 protocols.

This section covers:
- PIM (Protocol Independent Multicast) – L3
- IGMP (Internet Group Management Protocol) – L2

PIM
- A multicast routing protocol.
- Uses the current unicast routing protocol to forward IP multicast traffic to other PIM neighbors.

Has several different versions:
- PIM Dense Mode
- PIM Sparse Mode
- PIM Sparse-Dense Mode
- PIM bidirectional

Sparse-dense mode is most common in large enterprise networks.

PIM Dense Mode
- Relies on periodic flooding of the network with multicast traffic to set up and maintain the distribution tree.
- Generally considered obsolete and no longer deployed in campus networks.
- PIM-DM floods the multimedia packet to all routers in the network and then prunes routers that do not service members of that particular multicast group.

PIM Sparse Mode
- Based on the assumption that the multicast group members are sparsely distributed throughout the network and that bandwidth is limited.
- Important to note that PIM-SM does not imply that the group has few members, just that they are widely dispersed.

-PIM-SM differs from dense mode, in that it begins with an empty distribution tree and adds branches only as the result of explicit requests to join the distribution.

Rendezvous Point
- Instead of flooding the network to determine the status of multicast members, PIM-SM defines an RP. When a sender wants to send data, it first does so to the RP. When a receiver wants to receive data, it registers with the RP.
- When the data stream begins to flow from sender to RP to receiver, the routers in the path automatically optimise the path to remove unnecessary hops.

Automating Distribution of RP
Done via:
- Auto-RP
-Bootstrap Router (BSR)
- Anycast-RP

Configuring Internet Group Management Protocol (IGMP)
- Hosts use IGMP to dynamically register themselves in a multicast group on a particular LAN.
- Hosts identify group membership by sending IGMP messages to their local designated multicast router.

IGMP Snooping
Basically it’s a Layer 2 feature that makes sure only ports that have requested a multicast group receive them, and once that port has finished, or no longer sends keepalives, the port is pruned from the group.

In more detail, IGMP snooping requires the LAN switch to examine, or “snoop,” the IGMP join and leave messages sent between hosts and the first-hop designated multicast router.

Preparing the Campus Infrastructure to Support Wireless

Only interesting thing I read is that the only real configuration you need to do on Cisco switches, is configure the access point port as a trunk.

Preparing the Campus Infrastructure to Support Voice

Voice VLANs
Cisco switches offer a unique feature called Voice VLANs, alternatively named auxiliary VLAN. The voice VLAN feature enables you to overlay a voice topology on to a data network seamlessly. Voice VLANs provide for logical networks, even though the data and voice infrastructure are physically the same.

-If an end-user workstation is attached to the Cisco IP Phone that connects to a Cisco switch with a Voice VLAN configuration, traffic rom the user workstation is switched through the phone on the native VLAN, by default.
- The native VLAN is not tagged and is the actual switch port VLAN config. The Cisco IP Phone sends traffic with an 802.1q tag if a Voice VLAN is configured for a VLAN besides the native VLAN.

Basic IP Phone config:
S1(config)#mls qos
S1(config)#int fa0/0
S1(config-if)#switchport mode dynamic desirable
S1(config-if)#switchport voice vlan 700
S1(config-if)#mls qos trust cos
S1(config-if)#power inline auto
S1(config-if)#spanning-tree portfast

Phones download config files from TFP. Use option 150 on DHCP Server to specify TFTP Server location.

Implementing Cisco Switched Networks Chapter 6 Review

This is my review and notes of Chapter 6 of “Implementing Cisco Switched Networks Foundation Learning Guide”.

Implementing-Cisco-IP-Switched-Networks-SWITCH-Foundation-Learning-Guide-Froom-CCIE-No-EB9781587141645

Chapter 6: Securing the Campus Infrastructure

Wasn’t too much of a fan of this chapter. It could just be because I’m pretty over reading this book. I feel like this chapter was generally alright, and I would recommend it if you’re looking into security for your campus network, but I still felt like at points it waffled on, and particularly had content which I highly doubt will be in the exam. Specifically some features that are only available on certain Cisco high end platforms.

What’s probably going to be in the exam:
- Switch Security Fundamentals
- Different types of L2 attacks and mitigation
- Port Security
- Brief understanding of different attack types (Mac spoofing, VLAN hopping, ARP Spoofing, DHCP attacks)
- VACLs
- IP Source Guard
- Dynamic ARP Inspection
- DHCP Snooping
- Understanding/recommendations on services to lock down on Cisco devices e.g. CDP, HTTP
- AAA ← I haven’t done very good notes on this, but I think it’s probably going to be pretty important for the exam.
- 802.1X
- SPAN/RSPAN

What the chapter also covers:
- SPAN to monitor CPU
- ERSPAN
- L2 Tracelog
- IOS Embedded Event Manager
- Network Analysis Module

Security at each layer

CORE—————-Server Farm
|
|
Distribution
|
|
Access

Server Farm
Use host and network based IPS, private VLANs, ACLs and secure passwords

Core
- Do not implement any packet manipulation here.

Distribution
- Use access lists to provide security.

Access
- Use switch port security to control access to the network.

Layer 2 Attack Methods

- MAC layer attacks
- VLAN attacks
- Spoofing attacks
- Attacks on switch devices

Attack methods and steps to Mitigate

Mac address flooding
Switch mac address table gets filled up causing the switch to then behave like a hub and flood traffic out all ports.

Enable port security methods

VLAN hopping
By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing L3 security mechanisms.

Remove dynamic trunk negotiations on ports

Attacks between devices on a common VLAN
Different customers on same subnet in service provider network.

Implement Private VLANs.

DHCP starvation and DHCP spoofing
Attacker uses all available DHCP addresses or establishes itself as a DHCP server in man-in-the-middle attack.

Use DHCP snooping

STP compromises
Spoofs root bridge. If successful, attacker can see a variety of frames.

Proactively configure the Root Bridge and backup. Enable Root Guard.

MAC spoofing
Attacker spoofs valid host’s MAC addrss.

Use DHCP Snooping and Port Security.

ARP Spoofing
Attacker crafts ARP Replies intended for valid hosts.

Use Dynamic ARP Inspection, DHCP snooping, and port security.

CDP Manipulation
CDP info is sent in clear text and unauthenticated allowing it to be captured.

Disable CDP.

SSH and Telnet attacks
Telnet is in clear text.

Use SSH version 2, and only use Telnet with ACLs setup for specific hosts.

Port Security

S1(config-if)#switchport port-security ← Enables port security
S1(config-if)#switchport port-security maximum ← Specify max allowed MAC addresses
S1(config-if)#switchport port-security mac-address xxx ← Manually specify MAC
S1(config-if)#switchport port-security violation {shutdown | restrict | protect }

Shutdown – IF any frames are seen from a non-allowed address, the interface is errdisabled, a log entry is made, an SNMP trap is sent , and manual intervention or errdisable recovery must be used to make the interface useable. Shutdown mode is the default for violation.

Restrict – Frames from non-allowed address are dropped. A log message is created, and SNMP trap sent

Protect – Frames from the nonallowed address are dropped, but there is no log violation created.

Verify: S1(config-if)#show port-security [interface] [address]

Port Security with Mac Address Sticky

Port security can mitigate spoofing attacks by limiting access through each switch port to a single MAC address. This prevents intruders from using multiple MAC addresses over a short time period but does not limit port access to a specific MAC address.

Port security has a sticky MAC address feature that can limit switch port access to a single, specific MAC address without the network administrator having to gather the MAC address of every legitimate device and manually associate it with a particular switch port.

To Enable:
S1(config-if)#switchport port-security
S1(config-if)#switch port-security mac-address sticky

Verify with show run int x

Blocking Unicast Flooding on Desired Ports
This feature basically stops flooding of unicast frames when the switch doesn’t know where the destination MAC address is.

This is useful when other switch ports have been configured with a static mac address or mac address sticky, and is likely to be the only host on that port.

This stops devices on those ports receiving abiet not much, but unnecessary traffic caused by above.

To Configure: int fa0/1, switchport block {unicast | multicast}

Understanding and Protecting Against VLAN Attacks

VLAN Hopping
Basically an attack method where a device is able to send/receive/capture packets in a VLAN that it should not be able to access. This attack is accomplished by tagging traffic with a specific VLAN ID, or by negotiating a trunk with a switch that has DTP enabled. This is done by switch spoofing or double tagging.

So as above, if a switch has port settings on default (aka DTP enabled) they could connect an unauthorised Cisco switch and negotiate a trunk, therefore having access to all VLANs, or a pc with an app that generates DTP packets.

Another method is double tagging. This is where the attacker sends in frames that have two 802.1Q tags configured. For this attack to work, the attacker needs the recipient to be connected via another switch. It also requires both switches to be connected in the same VLAN as the attacking switch port or native VLAN of the trunk between the switch and the attacked VLAN. I think what that means is if the attacker is in VLAN10 on switch A, switch B also needs to have a host in VLAN 10.

Possibly see Wikipedia for more: http://en.wikipedia.org/wiki/VLAN_hopping#Double_tagging

Mitigation
- Configure all unused ports as access ports
- Place unused ports in shutdown state and put them in a VLAN specifically for unused ports.

When configuring Trunk links:
- Configure the native VLAN to be different from any data VLANs
- Trunking set to On, or Nonegotiate
- Trunks configured to only carry specific VLANs

VLAN Access Control Lists

Cisco Multi-Layer Switches support 3 types of ACLs:
- Router Access Control List (RACL) – Supported in the TCAM Hardware. RACLs can be applied to any routed interface, e.g. SVIs, or L3 Router interfaces.
- Port Access Control List (PACL) – Filters at the port level. Can be applied on L2 switchport, trunk port, or EtherChannel. Act at the L2 port level but can filter based on L3/L4 info.
- VLAN Access Control List (VACL) – Aka VLAN access-maps, apply to all traffic in a VLAN. VACLs support filtering based on Ethertype, and MAC Addresses. VACLs are order-sensitive, similar to route-maps. VACLs can control traffic flowing within the VLAN or control switched traffic, whereas RACLs control only routed traffic.

Configuring VACLs
Apply to all traffic on the VLAN. You can configure VACLs for IP and MAC-layer traffic.
- VACLs follow Route-map conventions, in which map sequences are checked in order.
- There are a few actions such as Permit, Redirect, Deny, VACL Capture, and VACL redirect, which are only available on the Catalyst 6500.

S1(config)#access-list 100 permit ip 10.1.1.1 0.0.0.255 any ← Identifying L3 list
S1(config)#mac access-list extended BACKUP_SERVER ← Identifying L2 list
S1(config-ext-mac)#permit any host 0000.1111.2222
S1(config)#vlan access-map ABC 10 ← Definding the VACL
S1(config-map)#match ip address 100 ← Matching previous L3 ACL
S1(config-map)#action drop ← Action
S1(config-map)#vlan access-map ABC 20
S1(config-map)#match mac address BACKUP_SERVER ← Matching previous L2 ACL
S1(config-map)#action drop
S1(config-map)#vlan access-map ABC 30
S1(config-map)#action forward
S1(config-map)#vlan filter ABC vlan-list 10,20

Spoofing Attacks
- Port security prevents MAC flooding attacks
- DHCP snooping prevents client attacks on the DHCP server and switch.
- Dynamic ARP inspection adds security to ARP using DHCP snooping table to minimise the impact of ARP poisoning and spoofing the attacks.
- IP Source Guard prevents IP spoofing addresses using DHCP the snooping table.

DHCP Spoofing Attack
Basically the attacker has a rogue DHCP server attached to the same segment which replies to DHCP requests before the valid DHCP server does. The attacker DHCP server gives the victim the attackers DNS and Default Gateway settings effectively making the attacker a man-in-the-middle.

Another method of attack is sending thousands of DHCP requests, potentially then exhausting the available addresses in the DHCP address pool.

DHCP Snooping
DHCP Snooping is a feature that determines which switch ports are “trusted” and allowed to response to DHCP requests.
- Per-port security mechanism used to differentiate an untrusted switch port connected to an end user from a trusted switch port connected to a DHCP server or another switch.
- Can be enabled on a per-VLAN basis.
- Trusted ports can either have a DHCP server on it, or be an uplink port towards another DHCP server.
- If an attacker connects a rogue DHCP server on an untrusted port, in which it attempts to reply to a DHCP request, the port is shutdown.

To configure:
S1(config)#ip dhcp snooping
S1(config)#ip dhcp snooping information option ← Enables DHCP option 82. Optional. Switch info such as port ID of the DHCP request.
S1(config-if)#ip dhcp snooping trust ← Enable on the DHCP server port or uplink port.
S1(config-if)#ip dhcp snooping limit rate rate ← Used to stop the DHCP server from being overwhelmed in the case of an attack to use up the DHCP pool.
S1(config)#ip dhcp snooping vlan number X ← Enable on a specific interface.
Verify: show ip dhcp snooping

ARP Spoofing Attack
In normal network operation, if a device doesn’t know the MAC address location of a host, it broadcasts an ARP request, asking for the MAC address of where the device is in the network.

ARP Spoofing is an attack where the attacker device sends out a gratuitous ARP (Unsolicited message/frame) with its’ own MAC address telling other hosts that it is the location for IP address X. Other hosts then install in their ARP caches that device X is at the MAC address of the attacker.

To prevent this, use Dynamic ARP inspection

Dynamic ARP inspection prevents man-in-the-middle attacks by not relaying invalid or gratuitous ARP replies out to other ports in the same VLAN.

- D ARP inspection intercepts all ARP requests and all replies on untrusted ports.
- Each intercepted packet is verified for valid IP-to-MAC bindings that are gathered via DHCP snooping.
- Denied ARP packets are either dropped or logged by the switch for auditing, so ARP poisoning attacks are stopped.
- Incoming ARP packets on trusted ports are not inspected.
- D ARP inspection can also rate-limit ARP requests from client ports to minimize port scanning mechanisms.

So to use DAI, you need to have DHCP snooping on. This is because it uses DHCP snooping to validate the DHCP/MAC address bindings.

In the case of static address configurations, DAI can also validate ARP packets against user-configured ARP ACLs.

Configuration
S1(config)#ip arp inspection vlan X
S1(config)#int x/x
S1(config-if)# ip arp inspection trust ← with arp inspection, you only need to do config on the trusted ports, such as trunk links. All other ports are automatically considered untrusted.
S1(config)#ip arp inspection validate [src-mac|dst-mac|ip] ← Configures DAI to drop ARP packets when the IP addresses are invalid, or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.

Verify:
show ip arp inspection interfaces
show ip arp inspection vlan x
show ip dhcp snooping binding

Default action if the switch now receives a bogus ARP request is to simply drop the request. The switch can also be configured to err-disable or shut down the port and generate a syslog message.

IP Spoofing and IP Source Guard
IP spoofing is where an attacker is impersonating a legitimate host on the network.
- IP Source Guard prevents a malicious host from attacking the network by hijacking its neighbor’s IP address.
- Provides per-port IP traffic filtering of the assigned source IP addresses at wire speed.
- Dynamically maintains per-port VLAN ACLs based on IP-to-MAC-to-switch port bindings.
- IP Source Guard is typing deployed for untrusted switch ports in the access layer.

IP source Guard works closely with DHCP Snooping. This feature can be enabled on a DHCP snooping untrusted L2 port to prevent IP address spoofing.

When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PVACL) is installed on the port.

Methods of IP Source Guard filtering:
- Source IP address filter
- Source IP and MAC address filter

Configuration
S1(config)#ip dhcp snooping ← enables globally
S1(config)#ip dhcp snooping vlan X
S1(config-if)#ip verify source vlan dhcp-snooping ← Enables IP Source Guard filtering
OR S1(config)#ip verify source vlan dhcp-snooping port-security ← Above with MAC filtering.
S1(config)#ip source binding x.x.x.x ip vlan X interface fax/x ← Static binding on port.

Verify using ‘show ip source binding’

IP Source Guard can only be configured on L2 interfaces.

Securing Network Switches

This section covers protocols such as CDP, SSH, Telnet, VTY ACLs, HTTP Secure Server, AAA, and 802.1x.

Network Discovery Protocols
Covers CDP (Cisco Proprietary) and LLDP (IEEE equivalent).

CDP (Cisco Discovery Protocol)
- Enabled by default.
- ‘no cdp run’ – disables CDP globally
- ‘no cdp enable’ – disables on an interface
- ‘show cdp neighbor [detail]’ – Displays a summary of which devices are seen on which ports.

LLDP (Link Local Discovery Protocol)
- Disabled by default
- ‘lldp run’ enables globally
- ‘lldp enable’ enables on specific interface.
- ‘show lldp neighbor [detail]’ – Similar to CDP.

CDP is a powerful tool in the hands of an attacker, as it gives them a reconnaissance view of the network. Some programs such as CiscoWorks require the use of CDP (or at least are heavily limited without it), so rather than disable it globally, selectively disable it on all ports except trunk ports and management ports.

Telnet
- Convenient, but don’t use it. All data is in plain text. Use SSH instead.
- If Telnet must be used, configure VTY line ACLs to only allow connections from management IPs.

SSH
- Everything is encrypted.

Config:
S1(config)#username matt password cisco
S1(config)#ip domain-name abc.com
S1(config)#crypto key generate rsa
S1(config)#ip ssh version 2
S1(config)#line vty 0 15
S1(config-line)#login local
S1(config-line)#transport input ssh

VTY ACLs
S1(config)#access-list 100 permit ip 10.1.1.1 0.0.0.255 any
S1(config)#line vty 0 15
S1(config)#access-call 100 in

HTTP Secure Server
- Use HTTPS instead of unprotected HTTP by using the command ‘ip http secure-server’. Make sure to disable the unsecure by issuing ‘no ip http server’
- To use HTTPs, you need to have a certificate on the switch. This is done through ‘crypto key generate rsa’ (you need a domain name configured to do this though).
- Configure an ACL so only the management IPs can access the switch web server. Apply it using ‘http access-class XX’
- Configure users, if the switch needs configuration done via the web server. Apply it using ‘http authentication local’.

Authentication Authorisation Accounting (AAA)
See wiki for description of each: http://en.wikipedia.org/wiki/AAA_protocol

AAA is actually quite important. Although my notes here are small, it’s something that will probably be in the exam and something you should make sure you understand, and can configure.

Configuration
Varies depending on what exactly you’re trying to achieve.

Authentication example using Tacacs+:
S1(config)#aaa new-model ← Globally enables AAA
S1(config)#aaa authentication login TEST tacacs+
S1(config)#tacacs-server host 192.168.1.1
S1(config)#line vty 0 4
S1(config)#login authentication TEST

Authorisation example using Tacacs+:
S1(config)#aaa new-model
s1(config)#aaa authorization commands 0 default if-authenticated group tacas+
S1(config)#line vty 0 4
S1(config-line)#authorization commands 0 default.

Accounting example using Tacacs+:
S1(config)#aaa new-model
S1(config)#aaa accounting exec default start-stop group tacacs+
S1(config)#line vty 0 4
S1(config-line)#accounting exec default

Security Using IEEE 802.1X Port-Based Authentication
Basically when a device is attached to the network, a user needs to log in via their user credentials which are stored in an Authentication Server database typically done by RADIUS.

Until the workstation is authenticated, 8021X access control enable only Extensible Authentication Protocol over LAN (EAPOL) traffic on the port.

Configuration
dot1x port-control {auto | force-authorized | force-unauthorized}
force-authorized
- Disables 802.1x port-based authentication and causes the oprt to transition to the authorized state without any authentication exchange required.
- Default Setting

force-unauthorized
- Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate.
- Use this on ports where you don’t want any users to be able to connect from. I can’t see why you wouldn’t just shutdown the port instead…

auto
- Enables 802.1x port-based authentication.
- Port initializes in the unauthorised state, enabling only EAPOL packets
- The authentication process begins when either the link is brought up (authenticator initiation), or a client sends an EAPOL-start frame and the switch receives it (supplicant initiation).
- After this, the switch requests info identifying the client and this information is relayed between the switch and the authentication server.
- Clients are uniquely identified by their MAC address. This means that only an 802.1x capable host is connected to each access port.

When a client logs out, it sends an EAPOL-logout message, causing the switch port to transition to the unauthorised state.

Configuration

S1(config)#aaa new-model ← Enable AAA
S1(config)#radius-server host 10.1.1.1 auth-port 1821 key abc123
S1(config)#aaa authentication dot1x {default} group method1… ← Create an 802.1x port-based authentication method list
S1(config)#dot1x system-auth-control ← Enable 802.1x port authentication globally. Remember the global default for 802.1x is “force-authorized” which effectively allows anyone access on the ports.
S1(config)#int fa0/1
S1(config-if)#dot1x port-control auto ← Enabling authentication method on the interface

Switch Security Considerations
This section basically covers the thoughts and questions that should be asked when an organization is thinking about what it should cover in terms of security in their network.

One major point to consider is the a balance of reasonable network security against administrative overhead that is required for management of the network.

Cisco recommended minimum security configuration:
- Configure strong system passwords.
- Restrict management access using ACLs.
- Secure physical access to the console.
- Secure access to vty lines.
- Configure system warning banners.
- Disable unneeded or unused services.
- Trim and minimize the use of CDP/LLDP.
- Disable the inegreated HTTP daemon (where appropriate.)
- Configure basic system logging (syslog).
- Secure SNMP.
- Limit trunking connections and propagated VLANs.
- Secure STP.

Troubleshooting Performance and Connectivity

Techniques to Enhance Performance
I wasn’t going to include this, but I thought it was 3 good points for consideration within a production network:

- User performance
Based off the response time it takes for a user when using daily tools such as server databases. This variable gives the user their own perception of the reliability and performance of the network.

- Capacity Planning
This covers the idea of determining future network resource requirements to prevent a performance or availability impact on business-critical applications.

- Proactive fault management
- Responding to faults as they occur, and implementing solutions to prevent further faults in that area. This also comes under PPDIOO.

The next few pages of the book basically go into an analysis look of what things you should consider when looking at network performance, and trying to cover all necessary bases for a continual stable network.

Monitoring Performance with SPAN and VSPAN
Switched Port Analyzer is an important tool aiding in performance and troubleshooting in a network.

It’s basically mirrors all traffic in a VLAN or port[s] to a specific port. That port then usually has some form of network analyser (e.g. wireshark) connected to it.

Local SPAN is where the analyzer port and ports to be mirrored are all within the same switch.

VSPAN refers to mirroring of a VLAN to a single port.

SPAN supports capture of traffic in ingress, egress or both at the same time.

Configuration
S1(config)#monitor session 1 source interface fa0/1
S1(config)#monitor session 1 destination interface fa0/2
S1(config)#end
S1#show monitor session 1

Using SPAN to Monitor the CPU Interface of Switches
From what I understood, I believe this may only be on switches such as the Catalyst 4500 series.

It is helpful though as it gives you a view of what traffic is being processed by the SuperVisor CPU Engine.

cat4506(config)#monitor session 1 source cpu <>
cat4506(config)#monitor session 1 destination interface fa0/1
cat4506(config)#show monitor session 1

RSPAN (Remote Switched Port Analyser)
Similar to SPAN, but supports source ports, source VLANs, and destination ports on different switches, which provide remote monitoring of multiple switches across across a switched network.

- Each RSPAN session carries the SPAN traffic over a user-specified RSPAN VLAN. This VLAN is dedicated for that RSPAN session in all participating switches.

RSPAN consists of an RSPAN source session, an RSPAN VLAN, and an RSPAN destination session.

- It is advisable to configure separate RSPAN source sessions and destination sessions on different network devices.
- To configure an RSPAN source session on one network device, associate a set of source ports and VLANs with an RSPAN VLAN.
- To configure an RSPAN destination session on another device, associate the destination port with the RSPAN VLAN.

RSPAN Guidelines
- Configure the RSPAN VLANs in all source, intermediate, and destination network devices. If enabled, VTP can propagate configurations of VLANS numbered 1 through 1024 as RSPAN VLANs.
- Switches don’t impose a limit on the number of RSPAN VLANs allowed.
- Configure any VLAN as an RSPAN VLAN as long as all participating network devices support configuration of RSPAN VLANs, and use the same RSPAN VLAN for each RSPAN session.

Configuration

-Create the RSPAN transport VLAN:
S1(config)#vlan 901
S1(config)#remote span
S1(config)#end

- Configure the ports you want to mirror on the remote switch:
S1(config)#no monitor session 1
S1(config)#monitor session 1 source interface gigabitethernet0/1 tx
S1(config)#monitor session 1 source interface gigabitethernet0/2 rx
S1(config)#monitor session 1 source interface port-channel 2
S1(config)#monitor session 1 destination remote vlan 901
S1(config)#end

- Configure the destination Switch
S2(config)# monitor session 1 source remote vlan 901
S2(config)# monitor session 1 destination interface gigabitethernet0/1
S2(config)# end

Verify:
Show monitor

Monitoring performance with ERSPAN
Enhanced Remote SPAN.

Features:
- support for source ports, source VLANs, and destination ports on different switches, even across L3 links.
- Carries SPAN traffic over a GRE tunnel.
- Currently only supported on Catalyst 6500 switches.

Config not listed as I doubt this will be in the exam.

Monitoring Performance using VACLs with the Capture Option
- Currently only supported on Catalyst 6500 series.

Basically it’s using a VACL on a SPAN port to filter at Layers 2,3, or 4 to only match traffic the administrator is interested in.

Troubleshooting Using L2 Traceroute
Behaves similarly to traceroute for L3, in which you specify the source and dest MAC addresses, and it will tell you the path the device takes to reach the Dest.
- Requires all switches along the way support L2 tracelog.
- Requires CDP to be on with neighboring switches.

To execute:
S1# traceroute mac 0000.0000.0002 0000.0000.1234

Last things the chapter talks about is Cisco Embedded Event Manager, and Catalyst 6500 Network Analysis Module. Both of which I doubt will be in the Switch exam.

Implementing Cisco Switched Networks Chapter 5 Review

This is my review and notes of Chapter 5 of “Implementing Cisco Switched Networks Foundation Learning Guide”.

Implementing-Cisco-IP-Switched-Networks-SWITCH-Foundation-Learning-Guide-Froom-CCIE-No-EB9781587141645

Chapter 5: Implementing High Availability and Redundancy in a Campus Network

I think this chapter was probably quite good. Although I did find it pretty long, and there were various points I wish it would have just finished.

It followed a structure of theory behind High Availability trying to get the reader to think about why they’re implementing it, along with how they should implement it.

It then covered a bit on Cisco’s chassis or stack based HA options (failover methods of bad HW etc), and then moved into different monitoring methods (SNMP, IP SLA, Syslog etc).

Following that was a look at First Hop redundancy with HSRP, VRRP, and GLBP. Lastly was Cisco IOS Server Load Balancing (which I highly doubt is in the exam).

I find it hard to fault much in this chapter, there was just a lot there.

What’s probably going to be in the exam:
- Possibly a question on the 5 components of HA (Redundancy, Technology, People, Processes and Tools).
- Definitely on Network Monitoring (SNMP, Syslog, IP SLA)
- Very likely something on HSRP, VRRP, and GLBP.

What the chapter covers:
- The above summarises it quite well.

High Availability
High availability is technology that enables network wide resilience to increase IP network availability.

5 Components of High Availability

Redundancy
Attempts to eliminate single points of failure, where one failed device or design element brings down service.

Technology (HW/SW features)
Several Cisco routing continuity options such as Cisco Nonstop Forwarding (NSF) and Stateful Switchover (SSO) exist, and graceful restart capabilities improve availability. These technologies allow processor failover without a link flap, continued fowarding of packets, and maintenance of BGP adjacencies.

People
Redundant equipment and links and advanced technology are just the beginning of high availability. In PPDIOO, the people component is vitally important too. Staff work habits and skills can impact high availability.

Processes
Sound, repeatable processes can lead to high availability. Continual process improvement as part of PPDIOO plays a role in achieving high availability.

Tools
Use tools that provide performance thresholds and reporting to get a good understanding of how the network behaves in a good state. Also use tools for monitoring network uptime, with triggers that activate in the event of a service or device failure.

Cisco NSF (NonStop Forwarding) with SSO (Stateful SwitchOver)
All you probably need to know is that it’s a supervisor redundancy mechanism in IOS that allows a standby RP (Route Processor) to take over the device after a hardware or software fault on the Active RP. Works at layers 2-4.

Implementing Network Monitoring

This can be through:
- SNMP
- Syslog
- IP SLA

Syslog
If you’ve ever used a cisco device, you should know what syslog is. Important things to note for it are that you can modify the event/reporting level, where messages are reported to (local buffer, console, tty or remote syslog server).

Learn the Syslog severity levels for the exam
It’s the type of thing a question will probably be on. Level 0 = highest severity. Level 7 = Lowest.

Level 0 – Emergency
Level 1 – Alert
Level 2 - Critical
Level 3 – Error
Level 4 – Warning
Level 5 – Notice
Level 6 - Informational
Level 7 – Debug

Emerald Alley Cats Enjoy Whiskas Naturally Insightful Dinners

To time stamp log messages: conf t, service time-stamps [debug|log|datetime uptime|localtime|msec|show-timezone|year]

Configuring Syslog
To configure a syslog server: logging x.x.x.x
To configure which severity gets logged: logging trap ____
To configure local logs: logging buffered

SNMP

- Only disadvantage the book says is that there is a delay between the time that an event occurs and the time that it is noticed by the NMS. There is a trade-off between polling frequency and badwidth usage.
- SNMP uses UDP

SNMP Versions

- Version 1 and 2 both lack security
- Version 3 has security

SNMP Message types

1. Get Request – Retrieves value of specific MIB variable
2. Get Next Request – Retrieves next issuance of MIB variable
3. Set Request – Modifies the value of a MIB variable.
4. Get Response – Contains values of requested variable.
5. Trap – Transmits an unsolicited alarm condition

New SNMP Message types in version 2
- Get Bulk Request – Reduces repetitive requests/replies and improves performance when retrieving large amounts of data (e.g. tables)
- Inform Request – Alert SNMP manager of specific conditions (differs from SNMP traps as traps are udp and Inform request actually gets an ACK from the NMS)

SNMPv3 adds
NoAuthNoPriv – no authentication required
authNoPriv – Authentication with either HMAC-MD5 or HMAC-SHA
authPriv – CVC-DES encryption

Configuring SNMP

1. Configure SNMP access lists (So only authorised hosts have access)
2. Configure SNMP community strings
3. Configure SNMP trap receiver
4. Configure SNMPv3 user

S1(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 any
S1(config)#snmp-server community RO-PASSWORD RO 100
S1(config)#snmp-server community RW-PASSWORD RW 100
S1(config)#snmp-server trap 10.1.1.50

IP Service Level Agreement

An SLA is a contract between the network provider and its customers, or between a network department and internal corporate customers. It provides a form of guarantee to customers about the level of user experience.

Typically, the technical components of an SLA contain a guarantee level for network availability, network performance, in terms of route-trip time, and network response in terms of latency, jitter, and packet loss.

Common types of monitoring used by IP SLAs
- Edge to edge network availability monitoring
- Network performance monitoring and network performance visibility
- VoIP, video, and VPN monitoring
- IP service network health readiness or assessment
- MPLS network monitoring
- Troubleshooting of network operation

IP SLA Operations

- Network admin configures a target device, protocol, and UDP or TCP port numbers on the IP SLA source for each operation
- Operation can be encrypted with MD5
-Target could be DNS or HTTP, with the device being any suitable computer.

While the target can be “anything” as such, measurement accuracy is improved with an IP SLA Responder. An IP SLA responder is a device that runs IOS and is configured as an IP SLA reasurement responder with the command “ip sla monitor responder”

Operation with Responder

1. At the start of the control phase, the IP SLA source sends a control message with the configured IP SLA operation information to IP SLA control port UDP 1967 on the target router. The control message carries information such as protocol, port number, duration, and if configured, MD5 authentication.
2. If the responder processes the control message, it sends an OK message to the source router and listens on the port specified in the control message for a specified duration.
3. If the return code of control message is OK, the IP SLA operation moves ot the proving phase, where it sends one or more test packets to the responder for response time computations. Use “Show ip sla statistics” to view.
4. The responder accepts the test packets and responds. Based on the type of operation, the responder might add an “in” timestamp and an “out” timestamp in the response payload to account for CPU time spent in measuring 1-way packet loss, latency, and jitter. These timestamps help the IP SLA source to make accurate assessments on one-way delay, and the processing time in the target routers.

So basically, it’s two stages, initially setting up with the control phase (asks target to open port, target responses) and Probing Phase (Sends test IP SLA packet, responder accepts and responds).

IP SLA Timestamps
IP SLA source uses four time stamps for the round-trip time (RTT) calculation. The IP SLA source sends a test packet at time T1. The IP SLA responder includes both the receipt time (T2) and the transmitted time (T3). Because of other high-priority processes, routers can take tens of milliseconds to process incoming packets. The delay affects the response times because the reply to the test packets might be sitting in a queue while waiting to be processed.

The delta value is then subtracted from the overall RTT.

Configuring IP SLA

1. Configure IP SLA probe.
2. Activate probe.
3. Configure tracking object.
4. Configure action on tracking object.

Example
S1(config)#ip sla monitor 11
S1(config-sla)#type echo prot ipIcmpEcho 10.1.1.1 source-int fa0/1
S1(config-sla)#frequency 10
S1(config-sla)#exit
S1(config-sla)#ip sla monitor schedule 11 life forever start-time now
S1(config-sla)#track 1 ip sla 11 reachability

S2(config)#ip sla responder

Verify: show ip sla statistics, show ip sla configuration

Implementing Redundant Supervisor Engines in Catalyst Switches
The next 8ish pages is on this. I’m pretty confident the exam won’t have anything on this, so hardly any notes.

- Found in Calalyst 4500 and 6500.

Supports:
- RPR (Route Processor Redundancy) and RPR+

No longer preferred option. NSF with SSO = best.

- SSO (Stateful Switch Over)
- NSF (Non-stop Forwarding) with SSO.

NSF Offers:
- Improved network availability: NSF continues forwarding network traffic and application state information so that user traffic is not interrupted after a Supervisor switchover.
- Overall network stability: Improved by maintaining routing protocol neighbor relationships during Supervisor failover.

Understanding First Hop Redundancy Protocols

Refers to Default Gateway redundancy.

Covers:
- HSRP
- VRRP
- GLBP

Proxy ARP
Before default gateway was supported on most IP clients, networks were relying on the proxy ARP feature to reach IP devices outside the IP client subnet.

From wikipedia: Proxy ARP (Address Resolution Protocol) is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic’s destination, and offers its own MAC address in reply, effectively saying, “send it to me, and I’ll get it to where it needs to go.” Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy.

Static Default Gateway
Now that a default gateway is configured on most devices, the Proxy ARP feature is not used anymore. Nevertheless, each client receives only one default gateway; there is not means by which to configure a secondary gateway, even if a second route exists to carry packets off the local segment.

Hot Standby Router Protocol (HSRP)
- Cisco Proprietary

With HSRP configured between a set of routers, they work in concert to present the appearance of a single virtual router to the hosts on the LAN.

The IP address of the virtual router will be configured as the default gateway for the workstations on a specific IP segment. When frames are to be sent from the host to the default GW, the host uses ARP to resolve the MAC address associated with the IP address of the default gateway. The ARP resolution returns the MAC address of the virtual router.

HSRP active and standby routers send hello messages to multicast address 224.0.0.2:1985 UDP.

All HSRP routers need to be L2 adjacent to that hello packets can be exchanged.

HSRP Roles:
Virtual Router – IP and MAC address pair that end devices have configured as their default GW.

Active Router – Within an HSRP group, one router is elected to be the active router. The active router physically forwards packets sent to the MAC address of the virtual router. There is one active router in an HSRP group.

Standby Router – Listens for periodic hello messages. If it fails to receive a hello, the standby router then assumes the role of the active router. There is one standby router in an HSRP group.

Other Routers – There can be more than two routers in an HSRP group, but only one active and one standby router. All routers in the group contend for the active and standby roles.

HSRP States

Initial
Beginning state. Indicates that HSRP does not run. This state is entered via a config change, or when the associated interface first comes up.
Listen
The router knows the virtual IP address, but the router is neither the active router nor the standby router. It listens for hello messages from those routers.
Speak
Router sends periodic hello messages and actively participates in the election of the active or standby router.
Standby
The router is a candidate to become the next active router and sends periodic hello messages.
Active
The router is currently forwarding packets that are sent to the group virtual MAC address. Router sends periodic hello messages.

When two routers participate in an election process, a priority can be configured to determine which router should be active. Without specific priority configuration, each router has a default priority of 100, and the router with the highest IP address is elected as the active router.

When STP is configured in the network, ensure that the active HSRP router is also the STP Root bridge, otherwise sub-optimal routing may occur.

Configuring HSRP
S1(config-if)#standby X ip x.x.x.x ← Group is optional. If none specific, 0 is used.

HSRP Priority and Preempt
S1(config-if)#standby x priority x ← Priority can be 0-255. Default = 100. Highest = best.

If the routers do not have preempt configured, a router that boots up significantly faster than the others in the standby group becomes the active router, regardless of the configured priority. The former active router can be configured to resume the forwarding router role by preempting a router with a lower priority.

S1(config-if)#standby x preempt {delay} [minimum delay]

HSRP Authentication
S1(config-if)#standby x authentication xxxxxxxx

HSRP Timers
By default, HSRP hellotime is 3 seconds, and hold time is 10 seconds, which means that failover time could be as much as 10 seconds for clients to start communicating with the new default GW.

The hold time value should be at least 3 times the value of the helllo time. To tune the timers:

S1(config-if)#standby x timers [msec] hellotime holdtime

As mentioned earlier, preempt is an important feature of HSRP that enables the primary router to resume the active role when it comes back online after failure or maintenance event.

If modifying the preempt timer, the rec for it should be the value of 50% greater than the device boot time.

S1(config-if)#standby 10 preempt delay minimum x

HSRP Versions

2 versions exist. Not backwards compatible.

HSRP Interface Tracking
Interface tracking enables the priority of a standby group router to be automatically adjusted, based on the availability of the router interfaces. When a tracked interface becomes unavailable, the HSRP priority of the router is decreased. When properly configured, the HSRP tracking feature ensures that a router with an unavailable key interface will relinquish the active router role.

In other words, if the active HSRP router loses it’s own router uplink, tracking ensures that the standby HSRP router’s priority is increased and takes over the active role.

To configure:

1. Configure the standby group.
2. Configure priority (default 100).
3. Configure preempt on all devices within the HSRP group.
4. Configure the tracked interfaces and decrement (default decrement 10).

S1(config-if)standby X track interface [interface-priority]

HSRP Object Tracking

HSRP also offers tracking by an object, such as:
- An interface – Like above
- IP route
- A list of different objects
- IP SLA

Multiple HSRP Groups
Multigroup HSRP enables routers to simultaneously provide redundant backup and perform load sharing across different IP subnets. In other words, if at the access layer you have two VLANs, configure each distribution layer switch to be in different HSRP Groups, so each of your distribution switches is a HSRP active device for each vlan.

HSRP Monitoring

- Show standby brief
- Show standby
- Show standby neighbor vlanX

Virtual Router Redundancy Protocol (VRRP)
IEEE version of HSRP

Comparison with HSRP
- A HSRP group has one active router, one standby router, and potentially many listeners
- A VRRP group has one master router, and one or more backup routers.
- HSRP has max 16 Groups. VRRP is 255.
- In HSRP, the Virtual IP is different from Active and Standby routers real IP addresses. In VRRP, the Virtual IP can be the same as one of the group members real IP addresses.
- HSRP uses 224.0.0.2 for hello packets. VRRP uses 224.0.0.18
- VRRP timers are a lot shorter by default.
- HSRP can track interfaces or objects. VRRP can only track objects.

VRRP features

- VRRP provides redundancy for the real IP address of a router or for a virtual IP address shared among the VRRP group members.
- If a real IP address is used, the router with that address becomes the master. If a virtual IP address is used, the master is the router with the highest priority.
- A VRRP group has one master router and one or more backup routers. The master router uses VRRP messages to inform group members that it is the master.

- If the Virtual IP is set to that of a physical interface, the router with that config is set to the VRRP Master with a priority of 255. Default backup priority is 100.

- The priority value 0 can not be configured, and indicates that the current master has stopped participating in VRRP. This setting is used to trigger backup routers to quickly transition to the master without having to wait for the current master to time out.

- With VRRP, only the master sends out hellos.

VRRP Transition Process
- 3 timers: Advertisement interval (1 second), Master Down interval(3x Advertisement = 3 seconds), and skew time (256 – priority / 256. Ensures that the backup router with highest priority wins).

In the case of an orderly shutdown of the VRRP Master, it sends an advertisement with a priority of 0. This priority setting then triggers the backup router to take over quicker by waiting only the skew time instead of the master down interval.

VRRP Configuration

S1(config-if)#vrrp group ip virtual-gw-ip
S1(config-if)#vrrp X priority x
S1(config-if)#vrrp x timers advertise X
S1(config-if)#vrrp x timers learn ←Learns the timers from the VRRP Master

Verify:
Show vrrp interface vlan x

The main different between VRRP and HSRP, is the backup router does not send advertisements. Therefore, the VRRP Master is not aware of the current backup router.

Gateway Load Balancing Protocol

Cisco Proprietary solution created to enable automatic selection and simultaneous use of multiple available gateways in addition to automatic failover between those gateways.

HSRP is typically used in CIsco networks as usually there are only two gateways for any subnet. GLBP can be used if more than two gateways exist for subnets to load share across the gateways.

GLBP Functions

- GLBP active virtual gateway (AVG) – Members of a GLBP group elect one gateway to be the AVG for that group.

- GLBP active virtual forwarder (AVF) – Each gateway assumes responsibility for forwarding packets that are sent to the virtual MAC address assigned to that gateway by the AVG. These gateways are known as AVFs for their virtual MAC address

- GLBP communication: GLVP members send hello messages to eachover via multicast 224.0.0.102 every 3 seconds.

GLBP Features

- Load sharing
Multiple routers can share traffic from LAN clients

- Multiple virtual routers
Supports up to 1024 virtual routers (groups) on each physical interface and up to four virtual forwarders per group.

- Preemption
Enables you to preempt an AVG with a higher priority backup virtual gateway that has become available.

- Efficient resource utilization
Makes it possible for any router in a group to server as a backup, which eliminates the need for a dedicated backup router.

GLBP Operations

- Each member of the GLBP group elect one gateway to be the AVG for that group. Other members of the group provide backup for the AVG if it becomes unavailable.
- The AVG assigns a virtual MAC address to each member of the GLBP group. All routers become AVFs for frames addressed to that virtual MAC address.
- As clients send ARP requests for the address of the default gateway, the AFG sends these virtual MAC address in the ARP replies.
- A GLBP group can have up to 4 group members.

Load Balancing Methods

- Weighted load-balancing algorithm
- Host-dependent load-balancing algorithm
- Round-robin load-balancing algorithm
- default

GLBP, like HSRP, is also capable of being configured using interface tracking.

GLBP Weighting Mechanism

- Differs from HSRP/VRRP.
- With GLBP, two thresholds are defined.
- 1 lower threshold that applies when the router loses weight.
- 1 upper threshold when the router regains weight.
- This double threshold mechanism enables more flexibility than the single threshold system.

Do a google if you want to know more on this. I’m taking a bet it won’t be in the exam.

GLBP Configuration

S1(config-if)#glbp X ip X
S1(config-if)#glbp x priority x ← highest wins. default 100
S1(config-if)# x timers x x

Cisco IOS Server Load Balancing

- layer 4 – 7 switching feature
- Again, I doubt this is in the exam so haven’t made any notes on it.