TSHOOT – Part IV, Access-layer

[Topology diagram: tshoot-access]

We continue from the previous post, where we finished by configuring L3/routing/redistribution between R4 and DSW1 & DSW2. Before we get to configuring NAT & DHCP we finish off our access layer first. I'm a little unsure whether it is even possible to set up HSRP on the switch module, but we'll find out.. 🙂

Layer 2

To add VLANs on the NM-16ESW we have to use the legacy “vlan database” method; note also that it is “show vlan-switch” we have to use to list them.

DSW1

DSW1#vlan database
 DSW1(vlan)#vlan 10
 VLAN 10 added:
 Name: VLAN0010
 DSW1(vlan)#vlan 20
 VLAN 20 added:
 Name: VLAN0020
 DSW1(vlan)#vlan 200
 VLAN 200 added:
 Name: VLAN0200
 DSW1(vlan)#exit
 DSW1(config)#int range fa1/9 - 10
 DSW1(config-if-range)#switchport mode trunk
 DSW1(config-if-range)#switchport trunk encapsulation dot1q
 DSW1(config-if-range)#description to ASW1
 DSW1(config-if-range)#channel-group 1 mode on
 Creating a port-channel interface Port-channel1
 DSW1(config-if-range)#
 DSW1(config)#int range fa1/5 - 6
 DSW1(config-if-range)#switchport trunk encapsulation dot1q
 DSW1(config-if-range)#switchport mode trunk
 DSW1(config-if-range)#descrip to ASW2
 DSW1(config-if-range)#channel-group 4 mode on
 Creating a port-channel interface Port-channel4
 DSW1(config-if-range)#

DSW2

DSW2#vlan database
 DSW2(vlan)#vlan 10
 VLAN 10 added:
 Name: VLAN0010
 DSW2(vlan)#vlan 20
 VLAN 20 added:
 Name: VLAN0020
 DSW2(vlan)#vlan 200
 VLAN 200 added:
 Name: VLAN0200
 DSW2(vlan)#exi
 APPLY completed.
 Exiting....
DSW2(config)#int range fa1/9 - 10
 DSW2(config-if-range)#switchport trunk encaps dot1q
 DSW2(config-if-range)#switchport mode trunk
 DSW2(config-if-range)#desc to ASW2
 DSW2(config-if-range)#channel-group 1 mode on
 Creating a port-channel interface Port-channel1
DSW2(config-if-range)#int range fa1/5 - 6
 DSW2(config-if-range)#switchport trunk encaps dot1q
 DSW2(config-if-range)#switchport mode trunk
 DSW2(config-if-range)#desc to ASW1
 DSW2(config-if-range)#channel-group 5 mode on
 Creating a port-channel interface Port-channel5

ASW1

ASW1#vlan database
 ASW1(vlan)#vlan 10
 VLAN 10 added:
 Name: VLAN0010
 ASW1(vlan)#vlan 20
 VLAN 20 added:
 Name: VLAN0020
 ASW1(vlan)#vlan 200
 VLAN 200 added:
 Name: VLAN0200
 ASW1(vlan)#exit
 APPLY completed.
 Exiting....
ASW1(config)#no ip routing
 ASW1(config)#int range fa1/9 - 10
 ASW1(config-if-range)#switchport trunk encaps dot1q
 ASW1(config-if-range)#switchport mode trunk
 ASW1(config-if-range)#desc to DSW1
 ASW1(config-if-range)#channel-group 1 mode on
 Creating a port-channel interface Port-channel1
ASW1(config)#inte range fa1/5 - 6
 ASW1(config-if-range)#switchport trunk encaps dot1q
 ASW1(config-if-range)#switchport mode trunk
 ASW1(config-if-range)#desc to DSW2
 ASW1(config-if-range)#channel-group 5 mode on
 Creating a port-channel interface Port-channel5

ASW2

ASW2#vlan database
 ASW2(vlan)#vlan 10
 VLAN 10 added:
 Name: VLAN0010
 ASW2(vlan)#vlan 20
 VLAN 20 added:
 Name: VLAN0020
 ASW2(vlan)#vlan 200
 VLAN 200 added:
 Name: VLAN0200
 ASW2(vlan)#exit
 APPLY completed.
 Exiting....
ASW2(config)#no ip routing
 ASW2(config)#int range fa1/9 - 10
 ASW2(config-if-range)#switchport trunk encap dot1q
 ASW2(config-if-range)#switchport mode trunk
 ASW2(config-if-range)#desc to DSW2
 ASW2(config-if-range)#channel-group 1 mode on
 Creating a port-channel interface Port-channel1
ASW2(config-if-range)#int range fa1/5 - 6
 ASW2(config-if-range)#switchport trunk encap dot1q
 ASW2(config-if-range)#switchport mode trunk
 ASW2(config-if-range)#desc to DSW1
 ASW2(config-if-range)#channel-group 4 mode on
 Creating a port-channel interface Port-channel4

Access-ports

ASW1

ASW1(config)#int range fa1/0 - 4
 ASW1(config-if-range)#switchport mode access
 ASW1(config-if-range)#switchport access vlan 10
 ASW1(config-if-range)#description Vlan10

ASW2

ASW2(config)#int range fa1/0 - 4
 ASW2(config-if-range)#switchport mode access
 ASW2(config-if-range)#switchport access vlan 20
 ASW2(config-if-range)#descrip Vlan20

Management-Vlan

DSW1

DSW1(config)#interface vlan 200
 DSW1(config-if)#ip add 192.168.1.129 255.255.255.248
 DSW1(config-if)#desc Management

DSW2

DSW2(config)#interface vlan 200
 DSW2(config-if)#ip add 192.168.1.130 255.255.255.248
 DSW2(config-if)#desc Management

ASW1

ASW1(config)#int vlan 1
 ASW1(config-if)#shut
 ASW1(config-if)#int vlan 200
 ASW1(config-if)#ip add 192.168.1.131 255.255.255.248
 ASW1(config-if)#desc Management

ASW2

ASW2(config-if-range)#ex
 ASW2(config)#int vlan 1
 ASW2(config-if)#shut
 ASW2(config-if)#inte vlan 200
 ASW2(config-if)#ip add 192.168.1.132 255.255.255.248
 ASW2(config-if)#desc Management

MLS Routing

DSW1

DSW1(config)#interface vlan 10
 DSW1(config-if)#ip add 10.2.1.1 255.255.255.0
 DSW1(config-if)#desc Vlan 10, Users
 DSW1(config-if)#interface vlan 20
 DSW1(config-if)#ip add 10.2.2.2 255.255.255.0
 DSW1(config-if)#desc Vlan 20, Servers
 DSW1(config-if)#exit
 DSW1(config)#router eigrp 10
 DSW1(config-router)#network 10.2.1.0 0.0.0.255
 DSW1(config-router)#network 10.2.2.0 0.0.0.255
 DSW1(config-router)#exit

DSW2

DSW2(config)#interface vlan 10
 DSW2(config-if)#ip add 10.2.1.2 255.255.255.0
 DSW2(config-if)#desc Vlan 10, Users
 DSW2(config-if)#interface vlan 20
 DSW2(config-if)#ip add 10.2.2.1 255.255.255.0
 DSW2(config-if)#desc Vlan 20, Servers
 DSW2(config-if)#exit
 DSW2(config)#router eigrp 10
 DSW2(config-router)#network 10.2.1.0 0.0.0.255
 DSW2(config-router)#network 10.2.2.0 0.0.0.255
 DSW2(config-router)#end

HSRP

Only VLAN 10 uses HSRP, and according to the spec DSW1 should be Active, so we set its priority above 100, which is otherwise the default.

DSW1

DSW1(config)#interface vlan 10
 DSW1(config-if)#standby 1 ip 10.2.1.254
 DSW1(config-if)#standby 1 preempt
 DSW1(config-if)#standby 1 priority 150

DSW2

DSW2(config)#interface vlan 10
 DSW2(config-if)#standby 1 ip 10.2.1.254
 DSW2(config-if)#standby 1 preempt
 DSW2(config-if)#standby 1 priority 100

DSW1#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State   Active          Standby         Virtual IP
Vl10        1   150  P Active  local           10.2.1.2        10.2.1.254

Unfortunately it seems I ran into a bug here.
Clients can ping DSW1's real IP address 10.2.1.1, but not the virtual gateway.

HostA#ping 10.2.1.254
Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 10.2.1.254, timeout is 2 seconds:
 .....
 Success rate is 0 percent (0/5)

 HostA#ping 10.2.1.1
Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 10.2.1.1, timeout is 2 seconds:
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 12/43/68 ms

Oddly enough, if we switch over to DSW2 instead it works without any problem.

DSW2(config)#int vlan 10
 DSW2(config-if)#standby 1 prio
 DSW2(config-if)#standby 1 priority 160
 DSW2(config-if)#end
 DSW2#
 *Mar 1 03:58:36.031: %HSRP-5-STATECHANGE: Vlan10 Grp 1 state Standby -> Active
 *Mar 1 03:58:36.355: %SYS-5-CONFIG_I: Configured from console by console
HostA#ping 10.2.1.254
Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 10.2.1.254, timeout is 2 seconds:
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/32 ms
 HostA#ping 10.2.1.1
Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 10.2.1.1, timeout is 2 seconds:
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 12/24/48 ms
 HostA#ping 10.2.1.2
Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 10.2.1.2, timeout is 2 seconds:
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 12/228/1032 ms

Strange! I don't seem to be the only one with this problem either, but I haven't managed to find any sensible solution to it. For now I've left DSW2 as Active instead; the main thing is that we have a “virtual gateway” for our host.

At least we now have full connectivity through the whole network!

HostA#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/136/176 ms
HostA#traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
1 10.2.1.2 28 msec 56 msec 24 msec
 2 10.1.4.9 64 msec 28 msec 32 msec
 3 10.1.1.9 72 msec 108 msec 68 msec
 4 10.1.1.5 180 msec 120 msec 56 msec
 5 10.1.1.1 152 msec 200 msec 176 msec

Then only NAT on R1 & the DHCP server on R4 remain. 🙂

MDH Lab – Private-VLANs & VACL

Topology

[Topology diagram: pvlan]

Objectives

  • Secure the server farm using private VLANs.
  • Secure the staff VLAN from the student VLAN.
  • Secure the staff VLAN when temporary staff personnel are used.

Background

In this lab, you will configure the network to protect the VLANs using router ACLs, VLAN ACLs, and private VLANs. First, you will secure the new server farm by using private VLANs so that broadcasts on one server VLAN are not heard by the other server VLAN.

Service providers use private VLANs to separate different customers’ traffic while utilizing the same parent VLAN for all server traffic. The private VLANs provide traffic isolation between devices, even though they might exist on the same VLAN.

You will then secure the staff VLAN from the student VLAN by using a RACL, which prevents traffic from the student VLAN from reaching the staff VLAN. This allows the student traffic to utilize the network and Internet services while keeping the students from accessing any of the staff resources.

Lastly, you will configure a VACL that allows a host on the staff network to be set up to use the VLAN for access but keeps the host isolated from the rest of the staff machines. This machine is used by temporary staff employees.

Procedure

L2 basic configuration

Since we are going to use private VLANs in this lab, we have to configure our switches as VTP mode transparent.

S1

Switch(config)#hostname S1
 S1(config)#line con 0
 S1(config-line)#logging sync
 S1(config-line)#!Trunk links to S2
 S1(config-line)#int range fa0/1 - 2
 S1(config-if-range)#switchport trunk encaps dot1q
 S1(config-if-range)#switchport mode trunk
 S1(config-if-range)#description to S2
 S1(config-if-range)#channel-protocol lacp
 S1(config-if-range)#channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
S1(config-if-range)#
 S1(config-if-range)#!Trunk links to S3
 S1(config-if-range)#int range fa0/3 - 4
 S1(config-if-range)#switchport trunk encaps dot1q
 S1(config-if-range)#switchport mode trunk
 S1(config-if-range)#description to S2
 S1(config-if-range)#channel-protocol lacp
 S1(config-if-range)#channel-group 2 mode active
 Creating a port-channel interface Port-channel 2
S1(config-if-range)#exit
 S1(config)#vtp mode transparent
 Setting device to VTP TRANSPARENT mode.
S1(config)#vlan 100,150,200
 S1(config-vlan)#exit

S3

Switch(config)#hostname S3
 S3(config)#line con 0
 S3(config-line)#logging sync
 S3(config-line)#!Trunk links to S2
 S3(config-line)#int range fa0/1 - 2
 S3(config-if-range)#switchport trunk encaps dot1q
 S3(config-if-range)#switchport mode trunk
 S3(config-if-range)#description to S2
 S3(config-if-range)#channel-protocol lacp
 S3(config-if-range)#channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
S3(config-if-range)#
 S3(config-if-range)#!Trunk links to S1
 S3(config-if-range)#int range fa0/3 - 4
 S3(config-if-range)#switchport trunk encaps dot1q
 S3(config-if-range)#switchport mode trunk
 S3(config-if-range)#description to S1
 S3(config-if-range)#channel-protocol lacp
 S3(config-if-range)#channel-group 2 mode passive
 Creating a port-channel interface Port-channel 2
S3(config-if-range)#exit
 S3(config)#
 S3(config)#vtp mode transparent
 Setting device to VTP Transparent mode for VLANS.
 S3(config)#vlan 100,150,200
 S3(config-vlan)#exit

S2

Switch(config)#hostname S2
 S2(config)#line con 0
 S2(config-line)#logging sync
 S2(config-line)#!Trunk links to S1
 S2(config-line)#int range fa0/1 - 2
 S2(config-if-range)#switchport mode trunk
 S2(config-if-range)#description to S1
 S2(config-if-range)#channel-protocol lacp
 S2(config-if-range)#channel-group 1 mode passive
 Creating a port-channel interface Port-channel 1
S2(config-if-range)#
 S2(config-if-range)#!Trunk links to S3
 S2(config-if-range)#int range fa0/3 - 4
 S2(config-if-range)#switchport mode trunk
 S2(config-if-range)#description to S3
 S2(config-if-range)#channel-protocol lacp
 S2(config-if-range)#channel-group 2 mode passive
 Creating a port-channel interface Port-channel 2
S2(config-if-range)#exit
 S2(config)#
S2(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
S2(config)#vlan 100,150,200
S2(config-vlan)#exit

HSRP

S1

S1(config)#interface vlan 1
 S1(config-if)#ip add 172.16.1.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.1.1
 S1(config-if)#standby 1 preempt
 S1(config-if)#standby 1 priority 100
 S1(config-if)#
 S1(config-if)#interface vlan 100
 S1(config-if)#ip add 172.16.100.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.100.1
 S1(config-if)#standby 1 preempt
 S1(config-if)#standby 1 priority 150
 S1(config-if)#
 S1(config-if)#interface vlan 150
 S1(config-if)#ip add 172.16.150.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.150.1
 S1(config-if)#standby 1 preempt
 S1(config-if)#standby 1 priority 150
 S1(config-if)#
 S1(config-if)#interface vlan 200
 S1(config-if)#ip add 172.16.200.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.200.1
 S1(config-if)#standby 1 preempt
 S1(config-if)#standby 1 priority 100
 S1(config-if)#

S3

S3(config)#interface vlan 1
 S3(config-if)#ip add 172.16.1.30 255.255.255.0
 S3(config-if)#no shut
 S3(config-if)#standby 1 ip 172.16.1.1
 S3(config-if)#standby 1 preempt
 S3(config-if)#standby 1 priority 150
 S3(config-if)#
 S3(config-if)#interface vlan 100
 S3(config-if)#ip add 172.16.100.30 255.255.255.0
 S3(config-if)#standby 1 ip 172.16.100.1
 S3(config-if)#standby 1 preempt
 S3(config-if)#standby 1 priority 100
 S3(config-if)#
 S3(config-if)#interface vlan 150
 S3(config-if)#ip add 172.16.150.30 255.255.255.0
 S3(config-if)#standby 1 ip 172.16.150.1
 S3(config-if)#standby 1 preempt
 S3(config-if)#standby 1 priority 100
 S3(config-if)#
 S3(config-if)#interface vlan 200
 S3(config-if)#ip add 172.16.200.30 255.255.255.0
 S3(config-if)#standby 1 ip 172.16.200.1
 S3(config-if)#standby 1 preempt
 S3(config-if)#standby 1 priority 150
 S3(config-if)#

Verification

S1#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Pri  P State   Active          Standby         Virtual IP
Vl1         1   100  P Standby 172.16.1.30     local           172.16.1.1
Vl100       1   150  P Active  local           172.16.100.30   172.16.100.1
Vl150       1   150  P Active  local           172.16.150.30   172.16.150.1
Vl200       1   100  P Standby 172.16.200.30   local           172.16.200.1

Private-VLANs

PVLANs provide Layer 2 isolation between ports within the same broadcast domain. There are three types of PVLAN ports:

  • Promiscuous – A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
  • Isolated – An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.
  • Community – Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
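The three roles above reduce to a small forwarding rule, and writing it down makes the isolation easy to reason about. The following is an added example, not code from the lab: it models the port assignment used later in this lab (Fa0/5-10 isolated in 151, Fa0/11-15 community in 152, all under primary 150) and answers which ports a frame from a given port may reach. The SVI on VLAN 150 that the lab maps to 151 and 152 is modelled as the promiscuous member; that, and all the names, are this example's own simplifications.

```python
"""Private-VLAN forwarding model (added example, not part of the lab write-up).

Encodes the three PVLAN port roles and answers "may a frame from port A reach
port B?" under PVLAN rules. The SVI on VLAN 150 is modelled as the promiscuous
member; this is an assumption of the example, not the lab's configuration.
"""
from enum import Enum


class Role(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


class PvlanPort:
    def __init__(self, name, role, primary, secondary=None):
        self.name = name
        self.role = role
        self.primary = primary        # primary (parent) VLAN
        self.secondary = secondary    # isolated or community VLAN, None for promiscuous


def can_forward(src, dst):
    """Layer 2 reachability from src to dst under PVLAN rules."""
    if src.primary != dst.primary:
        return False   # different primary VLAN: ordinary VLAN separation applies
    if Role.PROMISCUOUS in (src.role, dst.role):
        return True    # promiscuous ports talk to every port in the primary VLAN
    if src.role == Role.COMMUNITY and dst.role == Role.COMMUNITY:
        return src.secondary == dst.secondary   # only within the same community
    return False       # isolated ports, or different secondary VLANs


def build_lab_ports():
    """Port assignment from the lab: Fa0/5-10 isolated (151), Fa0/11-15 community (152)."""
    ports = [PvlanPort("Vlan150", Role.PROMISCUOUS, 150)]   # SVI modelled as promiscuous
    ports += [PvlanPort(f"Fa0/{n}", Role.ISOLATED, 150, 151) for n in range(5, 11)]
    ports += [PvlanPort(f"Fa0/{n}", Role.COMMUNITY, 150, 152) for n in range(11, 16)]
    return {p.name: p for p in ports}


def reachable_from(ports, name):
    """Sorted names of the ports a frame from 'name' may reach."""
    src = ports[name]
    return sorted(p.name for p in ports.values() if p is not src and can_forward(src, p))


if __name__ == "__main__":
    lab = build_lab_ports()
    for port in ("Fa0/5", "Fa0/11", "Vlan150"):
        print(f"{port:8} -> {reachable_from(lab, port)}")
```

Running it shows an isolated port reaching nothing but the gateway SVI, a community port reaching its four community peers plus the gateway, and the SVI reaching every port, which is exactly the separation the server farm needs.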

More info on PVLANs and design recommendations can be found here!

We start by configuring our secondary VLANs (the isolated and community PVLANs) on S1 & S3.

S1(config)#vlan 151
S1(config-vlan)#private-vlan isolated
S1(config-vlan)#exit
S1(config)#!Community
S1(config)#vlan 152
S1(config-vlan)#private-vlan community
S1(config-vlan)#exit
S1(config)#

S3(config)#vlan 151
S3(config-vlan)#private-vlan isolated
S3(config-vlan)#exit
S3(config)#!Community
S3(config)#vlan 152
S3(config-vlan)#private-vlan community
S3(config-vlan)#exit

We then need to associate our secondary PVLANs with the “parent” VLAN 150, the primary.

S1(config)#vlan 150
S1(config-vlan)#private-vlan primary
S1(config-vlan)#private-vlan association 151,152
S1(config-vlan)#exit

S3(config)#vlan 150
S3(config-vlan)#private-vlan primary
S3(config-vlan)#private-vlan association 151,152
S3(config-vlan)#exit

Since in this example we use SVIs to route traffic directly on the switch, we also need to map our secondary VLANs to the primary (150) on its SVI.

S1(config)#interface vlan 150
S1(config-if)#private-vlan mapping 151,152
S1(config-if)#
*Mar 1 01:35:40.794: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 151
*Mar 1 01:35:40.794: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 152

S3(config)#int vlan 150
S3(config-if)#private-vlan mapping 151,152
S3(config-if)#
*Mar 1 01:35:37.170: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 151
*Mar 1 01:35:37.170: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 152

Verify with “show vlan private-vlan”:

S1#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
150     151       isolated
150     152       community

Now it only remains to assign the interfaces to their respective secondary VLAN. According to the assignment the distribution should be as follows:

  • Fa0/5-10 – Isolated
  • Fa0/11-15 – Community

S1

S1(config)#int range fa0/5 - 10
S1(config-if-range)#description Isolated-port
S1(config-if-range)#switchport mode private-vlan host
S1(config-if-range)#switchport private-vlan host-association 150 151
S1(config-if-range)#
S1(config-if-range)#int range fa0/11 - 15
S1(config-if-range)#description Community-port
S1(config-if-range)#switchport mode private-vlan host
S1(config-if-range)#switchport private-vlan host-association 150 152

S3

S3(config)#int range fa0/5 - 10
S3(config-if-range)#description Isolated-port
S3(config-if-range)#switchport mode private-vlan host
S3(config-if-range)#switchport private-vlan host-association 150 151
S3(config-if-range)#
S3(config-if-range)#int range fa0/11 - 15
S3(config-if-range)#description Community-port
S3(config-if-range)#switchport mode private-vlan host
S3(config-if-range)#switchport private-vlan host-association 150 152

Verification

S3#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
150     151       isolated          Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10
150     152       community         Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15

RACL

We were also to protect VLAN 200 (172.16.200.0/24) from VLAN 100 (172.16.100.0/24), which we do easily with an ordinary ACL.

S1(config)#ip access-list extended RACL
S1(config-ext-nacl)#deny ip 172.16.100.0 0.0.0.255 172.16.200.0 0.0.0.255
S1(config-ext-nacl)#permit ip any any
S1(config-ext-nacl)#exit
S1(config)#interface vlan 200
S1(config-if)#ip access-group RACL in

S3

S3(config)#ip access-list extended RACL
S3(config-ext-nacl)#deny ip 172.16.100.0 0.0.0.255 172.16.200.0 0.0.0.255
S3(config-ext-nacl)#permit ip any any
S3(config-ext-nacl)#exit
S3(config)#interface vlan 200
S3(config-if)#ip access-group RACL in
S3(config-if)#

VACL

VLAN ACLs are a new concept in CCNP; more info can be found here! Instead of being bound to an interface, it is applied directly to the VLAN, and the configuration itself is very reminiscent of the route-maps we used a lot in earlier posts on e.g. route filtering.

According to the specification we were to block the host 172.16.100.150 from reaching anyone else on VLAN 100. We first create an ACL so that we have something to use in the match statement.

S1(config)#ip access-list extended VACL-BLOCK
S1(config-ext-nacl)#permit ip host 172.16.100.150 172.16.100.0 0.0.0.255
S1(config-ext-nacl)#exit

S3(config)#ip access-list extended VACL-BLOCK
S3(config-ext-nacl)#permit ip host 172.16.100.150 172.16.100.0 0.0.0.255
S3(config-ext-nacl)#exit

We then build our VLAN access-map. Don't forget that without a final match-all/forward entry we block all traffic, exactly as with an ordinary ACL.

S1(config)#vlan access-map AM-VACL-BLOCK 10
S1(config-access-map)#match ip addr VACL-BLOCK
S1(config-access-map)#action drop
S1(config-access-map)#exit
S1(config)#vlan access-map AM-VACL-BLOCK 20
S1(config-access-map)#action forward
S1(config-access-map)#exit
S1(config)#

S3(config)#vlan access-map AM-VACL-BLOCK 10
S3(config-access-map)#match ip addr VACL-BLOCK
S3(config-access-map)#action drop
S3(config-access-map)#exit
S3(config)#vlan access-map AM-VACL-BLOCK 20
S3(config-access-map)#action forward
S3(config-access-map)#exit
S3(config)#

Then it only remains to bind this to the VLAN.

S1(config)#vlan filter AM-VACL-BLOCK vlan-list 100
S3(config)#vlan filter AM-VACL-BLOCK vlan-list 100
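Since these filters cannot be tested against hosts here, it is worth evaluating them offline before trusting them. The following added example, not code from the lab, re-implements the IOS matching order for both the RACL and the VACL above: an extended ACL is first match wins with an implicit deny at the end, and a VLAN access-map is walked by sequence number with an implicit drop at the end. It also models which SVI direction actually sees a routed flow; that model and all function names are this example's own simplification, while the ACL and access-map entries are the ones from the transcripts.

```python
"""Router ACL and VLAN access-map evaluator.

Added example, not part of the lab write-up: models how IOS evaluates an
extended ACL (first match wins, implicit deny) and a VLAN access-map
(sequences in order, implicit drop), fed with the RACL and
VACL-BLOCK/AM-VACL-BLOCK entries from the text. The SVI direction model
is a simplification made for this example.
"""
import ipaddress


def _addr(s):
    return int(ipaddress.IPv4Address(s))


def parse_endpoint(tokens):
    """Read one ACE address in IOS form: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    Returns (network, wildcard, tokens_consumed)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return _addr(tokens[1]), 0, 2
    return _addr(tokens[0]), _addr(tokens[1]), 2


def parse_ace(line):
    """'permit|deny ip <src> <dst>' -> (action, src_net, src_wild, dst_net, dst_wild)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src_net, src_wild, used = parse_endpoint(tokens[2:])
    dst_net, dst_wild, _ = parse_endpoint(tokens[2 + used:])
    return action, src_net, src_wild, dst_net, dst_wild


def wildcard_match(addr, net, wild):
    """Wildcard-mask comparison: a set bit in the mask means 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def acl_decision(aces, src, dst):
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = _addr(src), _addr(dst)
    for action, src_net, src_wild, dst_net, dst_wild in aces:
        if wildcard_match(s, src_net, src_wild) and wildcard_match(d, dst_net, dst_wild):
            return action
    return "deny"


def svi_acl_decision(svi_vlan, direction, aces, src, dst, src_vlan, dst_vlan):
    """Decision for a flow routed between two VLANs, honouring where the ACL sits.

    'in' on an SVI evaluates packets arriving from hosts in that VLAN; 'out'
    evaluates packets leaving towards hosts in that VLAN. A flow the ACL is
    never consulted for is reported as 'not-filtered'.
    """
    seen = (direction == "in" and src_vlan == svi_vlan) or \
           (direction == "out" and dst_vlan == svi_vlan)
    return acl_decision(aces, src, dst) if seen else "not-filtered"


def vacl_decision(access_map, acls, src, dst):
    """Walk the access-map sequences in order. A sequence without a match clause
    matches everything; 'match ip address' matches when its ACL permits the
    flow; running off the end is an implicit drop."""
    for _seq, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None or acl_decision(acls[acl_name], src, dst) == "permit":
            return action
    return "drop"


# The lab's entries, transcribed from the configuration in the text.
RACL = [parse_ace("deny ip 172.16.100.0 0.0.0.255 172.16.200.0 0.0.0.255"),
        parse_ace("permit ip any any")]
ACLS = {"VACL-BLOCK": [parse_ace("permit ip host 172.16.100.150 172.16.100.0 0.0.0.255")]}
AM_VACL_BLOCK = [(10, "VACL-BLOCK", "drop"), (20, None, "forward")]
AM_NO_FORWARD = [(10, "VACL-BLOCK", "drop")]   # the omission the text warns about

if __name__ == "__main__":
    student, staff = "172.16.100.20", "172.16.200.20"   # constructed sample hosts
    for vlan, direction in ((200, "in"), (100, "in"), (200, "out")):
        print(f"RACL {direction} on Vlan{vlan}:",
              svi_acl_decision(vlan, direction, RACL, student, staff, 100, 200))
    print("temp host -> staff peer:", vacl_decision(AM_VACL_BLOCK, ACLS, "172.16.100.150", "172.16.100.20"))
    print("other staff traffic:", vacl_decision(AM_VACL_BLOCK, ACLS, "172.16.100.20", "172.16.100.30"))
    print("without sequence 20:", vacl_decision(AM_NO_FORWARD, ACLS, "172.16.100.20", "172.16.100.30"))
```

Evaluating the student-to-staff flow 172.16.100.20 to 172.16.200.20 shows why the direction model is included: an ACL applied inbound on Vlan200 only sees packets sourced from VLAN 200, so that flow comes back as not-filtered there, while the same ACL inbound on Vlan100 or outbound on Vlan200 returns deny. The VACL calls show the host 172.16.100.150 being dropped towards its peers while other VLAN 100 traffic is forwarded by sequence 20, and that leaving sequence 20 out drops everything, which is the caveat noted above.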

Unfortunately we have no hosts to test with, so we simply have to assume everything is OK! 😉

MDH Lab – HSRP & Securing L2

Topology

[Topology diagram: 6-1]

Objectives

  • Secure the Layer 2 network against MAC flood attacks.
  • Prevent DHCP spoofing attacks.
  • Prevent unauthorized access to the network using AAA and 802.1X.

Background

A fellow network engineer that you have known and trusted for many years has invited you to lunch this week.

At lunch, he brings up the subject of network security and how two of his former co-workers had been arrested for using different Layer 2 attack techniques to gather data from other users in the office for their own personal gain in their careers and finances. The story shocks you because you have always known your friend to be very cautious with security on his network.

His story makes you realize that your business network has been cautious with external threats, Layer 3–7 security, firewalls at the borders, and so on, but insufficient at Layer 2 security and protection inside the local network. When you get back to the office, you meet with your boss to discuss your concerns.

After reviewing the company’s security policies, you begin to work on a Layer 2 security policy. First, you establish which network threats you are concerned about and then put together an action plan to mitigate these threats. While researching these threats, you learn about other potential threats to Layer 2 switches that might not be malicious but could threaten network stability.

You decide to include these threats in the policies as well. Other security measures need to be put in place to further secure the network, but you begin with configuring the switches against a few specific types of attacks, including MAC flood attacks, DHCP spoofing attacks, and unauthorized access to the local network. You plan to test the configurations in a lab environment before placing them into production.

Procedure

Once again I skip the basic configuration for getting port-channels/trunking/VLANs up; see earlier posts for that.

We start by setting up HSRP between S1 & S3.

S1

S1(config)#int vlan 1 
S1(config-if)#ip add 172.16.1.10 255.255.255.0
S1(config-if)#standby 1 ip 172.16.1.1
S1(config-if)#standby 1 priority 100
S1(config-if)#standby 1 preempt
S1(config-if)#
S1(config-if)#int vlan 100
S1(config-if)#ip add 172.16.100.10 255.255.255.0
S1(config-if)#standby 1 ip 172.16.100.1
S1(config-if)#standby 1 priority 150
S1(config-if)#standby 1 preempt
S1(config-if)#
S1(config-if)#int vlan 200
S1(config-if)#ip add 172.16.200.10 255.255.255.0
S1(config-if)#standby 1 ip 172.16.200.1
S1(config-if)#standby 1 priority 100
S1(config-if)#standby 1 preempt
S1(config-if)#end

S3

S3(config)#int vlan 1 
S3(config-if)#ip add 172.16.1.30 255.255.255.0
S3(config-if)#standby 1 ip 172.16.1.1
S3(config-if)#standby 1 priority 150
S3(config-if)#standby 1 preempt
S3(config-if)#
S3(config-if)#int vlan 100
S3(config-if)#ip add 172.16.100.30 255.255.255.0
S3(config-if)#standby 1 ip 172.16.100.1
S3(config-if)#standby 1 priority 100
S3(config-if)#standby 1 preempt
S3(config-if)#
S3(config-if)#int vlan 200
S3(config-if)#ip add 172.16.200.30 255.255.255.0
S3(config-if)#standby 1 ip 172.16.200.1
S3(config-if)#standby 1 priority 150
S3(config-if)#standby 1 preempt
S3(config-if)#

S1#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Pri  P State   Active          Standby         Virtual IP
Vl1         1   100  P Standby 172.16.1.30     local           172.16.1.1
Vl100       1   150  P Active  local           172.16.100.30   172.16.100.1
Vl200       1   100  P Standby 172.16.200.30   local           172.16.200.1

The next task was to secure our network against DHCP spoofing attacks. To achieve this we can use “DHCP snooping”.

Since only S2 is an access-layer switch with users connected, we only need to configure snooping there.

S2

S2(config)#!Enables the DHCP snooping feature
S2(config)#ip dhcp snooping 
S2(config)#!Starts DHCP snooping for VLANs 100 & 200
S2(config)#ip dhcp snooping vlan 100,200

All ports are considered untrusted by default, i.e. they may NOT send DHCPOFFERs & DHCPACKs. We must therefore configure trust where we have our DHCP server. In this case we have none locally on the LAN, so we set the trunk ports to trusted.

S2(config)#inte range fa0/1 - 4 , po1 - 2
S2(config-if-range)#ip dhcp snooping trust

We can verify our configuration with “sh ip dhcp snooping”.

S2#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100,200
DHCP snooping is operational on following VLANs:
100,200
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
 circuit-id format: vlan-mod-port
 remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
*Mar 1 02:14:22.416: %SYS-5-CONFIG_I: Configured from console by console

Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet0/1            yes        unlimited
FastEthernet0/2            yes        unlimited
FastEthernet0/3            yes        unlimited
FastEthernet0/4            yes        unlimited
Port-channel1              yes        unlimited
Port-channel2              yes        unlimited
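Reading this output by eye works for six interfaces; for a recurring check it is better to parse it. The following is an added example, not part of the lab: it parses the “show ip dhcp snooping” text above (re-typed here without the interleaved syslog line) and reports whether snooping is operational on the user VLANs and whether any port other than the uplinks is trusted, since a trusted access port would let a rogue DHCP server behind it answer clients unhindered. The function names and the expected uplink set are this example's own.

```python
"""Audit of 'show ip dhcp snooping' output.

Added example, not part of the lab. Parses the text IOS prints (the sample
is S2's output from the text, re-typed without the interleaved syslog line)
and checks that snooping is operational on the required VLANs and that only
the expected uplinks are trusted.
"""
import re

S2_SNOOPING = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100,200
DHCP snooping is operational on following VLANs:
100,200
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
 circuit-id format: vlan-mod-port
 remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet0/1            yes        unlimited
FastEthernet0/2            yes        unlimited
FastEthernet0/3            yes        unlimited
FastEthernet0/4            yes        unlimited
Port-channel1              yes        unlimited
Port-channel2              yes        unlimited
"""

# Uplinks that are allowed to be trusted (S2's trunk ports and port-channels).
UPLINKS = {"FastEthernet0/1", "FastEthernet0/2", "FastEthernet0/3", "FastEthernet0/4",
           "Port-channel1", "Port-channel2"}

_RANGE = re.compile(r"^(\d+)(?:-(\d+))?$")


def expand_vlans(spec):
    """'100,200' or '100-102,200' -> {100, 101, 102, 200}; 'none' -> empty set."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        m = _RANGE.match(part)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            vlans.update(range(lo, hi + 1))
    return vlans


def parse_dhcp_snooping(text):
    """Extract global state, VLAN lists and the per-interface trust table."""
    lines = text.splitlines()
    state = {"enabled": False, "configured_vlans": set(),
             "operational_vlans": set(), "interfaces": {}}
    in_table = False
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("Switch DHCP snooping is"):
            state["enabled"] = line.endswith("enabled")
        elif line.startswith("DHCP snooping is configured on following VLANs:"):
            state["configured_vlans"] = expand_vlans(lines[i + 1])
        elif line.startswith("DHCP snooping is operational on following VLANs:"):
            state["operational_vlans"] = expand_vlans(lines[i + 1])
        elif line.startswith("---"):
            in_table = True          # the trust table follows the dashed header
        elif in_table and line:
            name, trusted, rate = line.split(None, 2)
            state["interfaces"][name] = {"trusted": trusted == "yes", "rate_limit": rate}
    return state


def audit(state, required_vlans, expected_trusted):
    """Return a list of findings; an empty list means the switch matches intent."""
    findings = []
    if not state["enabled"]:
        findings.append("DHCP snooping is globally disabled")
    missing = set(required_vlans) - state["operational_vlans"]
    if missing:
        findings.append(f"snooping not operational on VLANs {sorted(missing)}")
    trusted = {n for n, v in state["interfaces"].items() if v["trusted"]}
    for port in sorted(trusted - set(expected_trusted)):
        findings.append(f"unexpected trusted port {port}")
    for port in sorted(set(expected_trusted) - trusted):
        findings.append(f"uplink {port} not trusted; legitimate offers through it will be dropped")
    return findings


if __name__ == "__main__":
    print(audit(parse_dhcp_snooping(S2_SNOOPING), {100, 200}, UPLINKS))
```

On the output above the audit returns no findings; appending a trusted access port to the table, or requiring a VLAN that snooping is not operational on, produces one finding per deviation, which is what you want from a check run after every change.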

MAC flooding attacks are just a bit of repetition from CCNA: by limiting the number of MAC addresses a port can learn, we don't have to worry about a CAM table overflow. Here too we only need to configure S2, since it is the only switch in the access layer.

S2(config)#int range fa0/6 - 20 
S2(config-if-range)#switchport mode access
S2(config-if-range)#switchport access vlan 100
S2(config-if-range)#switchport port-security
S2(config-if-range)#switchport port-security max 2
S2(config-if-range)#switchport port-security mac-address sticky
S2(config-if-range)#spanning-tree portfast
S2(config-if-range)#spanning-tree bpduguard enable

This means the switch can learn at most 2 MAC addresses per interface (2×15 = 30 MAC addresses).

To restrict access to the network, one option is to use 802.1X, which requires users to authenticate before the port transitions to forwarding. More info on dot1x can be found here.

S2(config)#aaa new-model
S2(config)#!Authenticates users against the user database held locally on the switch
S2(config)#aaa authentication dot1x default local
S2(config)#!enables dot1x
S2(config)#dot1x system-auth-control
S2(config)#!creates users
S2(config)#username admin1 password cisco
S2(config)#username user1 password cisco
S2(config)#username user2 password cisco
S2(config)#inte range fa0/6 - 20
S2(config-if-range)#!enables dot1x authentication on the interfaces
S2(config-if-range)#dot1x port-control auto
S2(config-if-range)#
*Mar 1 02:28:23.114: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to down
*Mar 1 02:28:23.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down

Note that both Fa0/11 & Fa0/18 went down immediately after we entered the configuration, because the users are not yet authenticated.

S2#sh dot1x interface fa0/11
Dot1x Info for FastEthernet0/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both 
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0

It is recommended, however, to tie the authentication to an external RADIUS server instead.

MDH Lab – HSRP

Topology

[Topology diagram: lab5-2]

Objective

Configure inter-VLAN routing with HSRP to provide redundant, fault-tolerant routing to the internal network.

Background

Hot Standby Router Protocol (HSRP) is a Cisco-proprietary redundancy protocol for establishing a fault-tolerant default gateway. It is described in RFC 2281. HSRP provides a transparent failover mechanism to the end stations on the network. This provides users at the access layer with uninterrupted service to the network if the primary gateway becomes inaccessible.

The Virtual Router Redundancy Protocol (VRRP) is a standards-based alternative to HSRP and is defined in RFC 3768. The two technologies are similar but not compatible. This lab focuses on HSRP.

Procedure

We start with the basic configuration to get VLANs/EtherChannels/trunks up.

S1

Switch(config)#hostname S1
 S1(config)#line con 0
 S1(config-line)#logging sync
 S1(config-line)#!Trunk links to S2
 S1(config-line)#int range fa0/1 - 2
 S1(config-if-range)#switchport trunk encaps dot1q
 S1(config-if-range)#switchport mode trunk
 S1(config-if-range)#description to S2
 S1(config-if-range)#channel-protocol lacp
 S1(config-if-range)#channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
S1(config-if-range)#
 S1(config-if-range)#!Trunk links to S3
 S1(config-if-range)#int range fa0/3 - 4
 S1(config-if-range)#switchport trunk encaps dot1q
 S1(config-if-range)#switchport mode trunk
 S1(config-if-range)#description to S2
 S1(config-if-range)#channel-protocol lacp
 S1(config-if-range)#channel-group 2 mode active
 Creating a port-channel interface Port-channel 2
S1(config-if-range)#exit
 S1(config)#
 S1(config)#vtp mode server
 Device mode already VTP SERVER.
 S1(config)#vtp domain CISCO
 Changing VTP domain name from NULL to CISCO
 S1(config)#
 S1(config)#vlan 10
 S1(config-vlan)#name Red
 S1(config-vlan)#vlan 20
 S1(config-vlan)#name Blue
 S1(config-vlan)#vlan 30
 S1(config-vlan)#name Orange
 S1(config-vlan)#vlan 40
 S1(config-vlan)#

S3

Switch(config)#hostname S3
 S3(config)#line con 0
 S3(config-line)#logging sync
 S3(config-line)#!Trunk links to S2
 S3(config-line)#int range fa0/1 - 2
 S3(config-if-range)#switchport trunk encaps dot1q
 S3(config-if-range)#switchport mode trunk
 S3(config-if-range)#description to S2
 S3(config-if-range)#channel-protocol lacp
 S3(config-if-range)#channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
S3(config-if-range)#
 S3(config-if-range)#!Trunk links to S1
 S3(config-if-range)#int range fa0/3 - 4
 S3(config-if-range)#switchport trunk encaps dot1q
 S3(config-if-range)#switchport mode trunk
 S3(config-if-range)#description to S1
 S3(config-if-range)#channel-protocol lacp
 S3(config-if-range)#channel-group 2 mode passive
 Creating a port-channel interface Port-channel 2
S3(config-if-range)#exit
 S3(config)#
 S3(config)#vtp mode client
 Setting device to VTP CLIENT mode.
 S3(config)#vtp domain CISCO

S2

Switch(config)#hostname S2
 S2(config)#line con 0
 S2(config-line)#logging sync
 S2(config-line)#!Trunk links to S1
 S2(config-line)#int range fa0/1 - 2
 S2(config-if-range)#switchport mode trunk
 S2(config-if-range)#description to S1
 S2(config-if-range)#channel-protocol lacp
 S2(config-if-range)#channel-group 1 mode passive
 Creating a port-channel interface Port-channel 1
S2(config-if-range)#
 S2(config-if-range)#!Trunk links to S3
 S2(config-if-range)#int range fa0/3 - 4
 S2(config-if-range)#switchport mode trunk
 S2(config-if-range)#description to S3
 S2(config-if-range)#channel-protocol lacp
 S2(config-if-range)#channel-group 2 mode passive
 Creating a port-channel interface Port-channel 2
S2(config-if-range)#exit
 S2(config)#
 S2(config)#vtp mode client
 Setting device to VTP CLIENT mode.
 S2(config)#vtp domain CISCO
 Domain name already set to CISCO.

That leaves only HSRP between S1 & S3. According to the lab the roles should be distributed as follows:

  • S1 Primary – Vl1, 20 & 40
  • S3 Primary – Vl10 & 30

We control this by raising the priority value on the switch we want to be Active for a given VLAN (default = 100, highest value wins). Every group also gets "standby 1 preempt"; without it a switch that comes back after an outage stays Standby even though it has the higher priority, since HSRP only hands the Active role back when preemption is configured.

S1

S1(config)#interface vlan 1
 S1(config-if)#ip add 172.16.1.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.1.1
 S1(config-if)#standby 1 priority 150
 S1(config-if)#standby 1 preempt
 S1(config-if)#
 S1(config-if)#interface vlan 10
 S1(config-if)#ip add 172.16.10.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.10.1
 S1(config-if)#standby 1 priority 100
 S1(config-if)#standby 1 preempt
 S1(config-if)#
 S1(config-if)#interface vlan 20
 S1(config-if)#ip add 172.16.20.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.20.1
 S1(config-if)#standby 1 priority 150
 S1(config-if)#standby 1 preempt
 S1(config-if)#
 S1(config-if)#interface vlan 30
 S1(config-if)#ip add 172.16.30.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.30.1
 S1(config-if)#standby 1 priority 100
 S1(config-if)#standby 1 preempt
 S1(config-if)#
 S1(config-if)#interface vlan 40
 S1(config-if)#ip add 172.16.40.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.40.1
 S1(config-if)#standby 1 priority 150
 S1(config-if)#standby 1 preempt
 S1(config-if)#exit
 S1(config)#ip routing

S3

S3(config)#interface vlan 1
 S3(config-if)#ip add 172.16.1.30 255.255.255.0
 S3(config-if)#no shut
 S3(config-if)#standby 1 ip 172.16.1.1
 S3(config-if)#standby 1 priority 100
 S3(config-if)#standby 1 preempt
 S3(config-if)#
 S3(config-if)#interface vlan 10
 S3(config-if)#ip add 172.16.10.30 255.255.255.0
 S3(config-if)#no shut
 S3(config-if)#standby 1 ip 172.16.10.1
 S3(config-if)#standby 1 priority 150
 S3(config-if)#standby 1 preempt
 S3(config-if)#
 S3(config-if)#interface vlan 20
 S3(config-if)#ip add 172.16.20.30 255.255.255.0
 S3(config-if)#no shut
 S3(config-if)#standby 1 ip 172.16.20.1
 S3(config-if)#standby 1 priority 100
 S3(config-if)#standby 1 preempt
 S3(config-if)#
 S3(config-if)#interface vlan 30
 S3(config-if)#ip add 172.16.30.30 255.255.255.0
 S3(config-if)#no shut
 S3(config-if)#standby 1 ip 172.16.30.1
 S3(config-if)#standby 1 priority 150
 S3(config-if)#standby 1 preempt
 S3(config-if)#
 S3(config-if)#interface vlan 40
 S3(config-if)#ip add 172.16.40.30 255.255.255.0
 S3(config-if)#no shut
 S3(config-if)#standby 1 ip 172.16.40.1
 S3(config-if)#standby 1 priority 100
 S3(config-if)#standby 1 preempt
 S3(config-if)#exit
 S3(config)#ip routing
 S3(config)#

S2

S2(config)#interface vlan 1
 S2(config-if)#ip add 172.16.1.2 255.255.255.0
 S2(config-if)#no shut
 S2(config-if)#exit
 S2(config)#
 S2(config)#ip default-gateway 172.16.1.1

Verification

S3#sh standby
Vlan1 - Group 1
 State is Standby
 Virtual IP address is 172.16.1.1
 Active virtual MAC address is 0000.0c07.ac01
 Local virtual MAC address is 0000.0c07.ac01 (v1 default)
 Hello time 3 sec, hold time 10 sec
 Next hello sent in 1.216 secs
 Preemption enabled
 Active router is 172.16.1.10, priority 150 (expires in 9.600 sec)
 Standby router is local
 Priority 100 (default 100)
 Group name is "hsrp-Vl1-1" (default)
Vlan10 - Group 1
 State is Active
 Virtual IP address is 172.16.10.1
 Active virtual MAC address is 0000.0c07.ac01
 Local virtual MAC address is 0000.0c07.ac01 (v1 default)
 Hello time 3 sec, hold time 10 sec
 Next hello sent in 0.208 secs
 Preemption enabled
 Active router is local
 Standby router is 172.16.10.10, priority 100 (expires in 10.112 sec)
 Priority 150 (configured 150)
 Group name is "hsrp-Vl10-1" (default)
Vlan20 - Group 1
 State is Standby
 Virtual IP address is 172.16.20.1
 Active virtual MAC address is 0000.0c07.ac01
 Local virtual MAC address is 0000.0c07.ac01 (v1 default)
 Hello time 3 sec, hold time 10 sec
 Next hello sent in 0.560 secs
 Preemption enabled
 Active router is 172.16.20.10, priority 150 (expires in 8.080 sec)
 Standby router is local
 Priority 100 (default 100)
 Group name is "hsrp-Vl20-1" (default)
Vlan30 - Group 1
 State is Active
 Virtual IP address is 172.16.30.1
 Active virtual MAC address is 0000.0c07.ac01
 Local virtual MAC address is 0000.0c07.ac01 (v1 default)
 Hello time 3 sec, hold time 10 sec
 Next hello sent in 1.824 secs
 Preemption enabled
 Active router is local
 Standby router is 172.16.30.10, priority 100 (expires in 10.496 sec)
 Priority 150 (configured 150)
 Group name is "hsrp-Vl30-1" (default)
Vlan40 - Group 1
 State is Standby
 Virtual IP address is 172.16.40.1
 Active virtual MAC address is 0000.0c07.ac01
 Local virtual MAC address is 0000.0c07.ac01 (v1 default)
 Hello time 3 sec, hold time 10 sec
 Next hello sent in 1.040 secs
 Preemption enabled
 Active router is 172.16.40.10, priority 150 (expires in 10.608 sec)
 Standby router is local
 Priority 100 (default 100)
 Group name is "hsrp-Vl40-1" (default)
S2#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1007 ms

All OK so far. We can also test failover by shutting down all of S1's uplinks:

S1(config)#inte range fa0/1 - 4
S1(config-if-range)#shut

A debug (debug standby) then shows the following on S3. Note the ~10 second gap between the port-channel going down (00:19:38) and the takeover (00:19:45): that is the HSRP hold time expiring, since S1 never got to send a Resign.

S3#
*Mar 1 00:19:36.980: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
*Mar 1 00:19:36.988: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
*Mar 1 00:19:36.997: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel2, changed state to down
S3#
*Mar 1 00:19:37.978: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
*Mar 1 00:19:38.012: %LINK-3-UPDOWN: Interface Port-channel2, changed state to down
*Mar 1 00:19:38.012: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
S3#
*Mar 1 00:19:45.452: HSRP: Vl30 Grp 1 Standby router is unknown, was 172.16.30.10
*Mar 1 00:19:45.452: HSRP: Vl30 Nbr 172.16.30.10 no longer standby for group 1 (Active)
*Mar 1 00:19:45.452: HSRP: Vl30 Nbr 172.16.30.10 Was active or standby - start passive holddown
*Mar 1 00:19:45.872: HSRP: Vl10 Grp 1 Standby router is unknown, was 172.16.10.10
*Mar 1 00:19:45.872: HSRP: Vl10 Nbr 172.16.10.10 no longer standby for group 1 (Active)
*Mar 1 00:19:45.872: HSRP: Vl10 Nbr 172.16.10.10 Was active or standby - start passive holddown
*Mar 1 00:19:45.872: HSRP: Vl1 Grp 1 Standby: c/Active timer expired (172.16.1.10)
*Mar 1 00:19:45.872: HSRP: Vl1 Grp 1 Active router is local, was 172.16.1.10
*Mar 1 00:19:45.872: HSRP: Vl1 Nbr 172.16.1.10 no longer active for group 1 (Standby)
*Mar 1 00:19:45.872: HSRP: Vl1 Nbr 172.16.1.10 Was active or standby - start passive holddown
*Mar 1 00:19:45.872: HSRP: Vl1 Grp 1 Standby router is unknown, was local
*Mar 1 00:19:45.872: HSRP: Vl1 Grp 1 Standby -> Active
*Mar 1 00:19:45.872: %HSRP-5-STATECHANGE: Vlan1 Grp 1 state Standby -> Active
*Mar 1 00:19:45.872: HSRP: Vl1 Grp 1 Redundancy "hsrp-Vl1-1" state Standby -> Active
*Mar 1 00:19:45.872: HSRP: Vl1 Added 172.16.1.1 to ARP (0000.0c07.ac01)
*Mar 1 00:19:45.872: HSRP: Vl1 Grp 1 Activating MAC 0000.0c07.ac01
*Mar 1 00:19:45.872: HSRP: Vl1 Grp 1 Adding 0000.0c07.ac01 to MAC address filter
*Mar 1 00:19:45.872: HSRP: Vl1 IP Redundancy "hsrp-Vl1-1" standby, local -> unknown
*Mar 1 00:19:45.872: HSRP: Vl1 IP Redundancy "hsrp-Vl1-1" update, Standby -> Active
*Mar 1 00:19:46.023: HSRP: Vl20 Grp 1 Standby: c/Active timer expired (172.16.20.10)
*Mar 1 00:19:46.023: HSRP: Vl20 Grp 1 Active router is local, was 172.16.20.10
*Mar 1 00:19:46.023: HSRP: Vl20 Nbr 172.16.20.10 no longer active for group 1 (Standby)
*Mar 1 00:19:46.023: HSRP: Vl20 Nbr 172.16.20.10 Was active or standby - start passive holddown
*Mar 1 00:19:46.023: HSRP: Vl20 Grp 1 Standby router is unknown, was local
*Mar 1 00:19:46.023: HSRP: Vl20 Grp 1 Standby -> Active
*Mar 1 00:19:46.023: %HSRP-5-STATECHANGE: Vlan20 Grp 1 state Standby -> Active
*Mar 1 00:19:46.023: HSRP: Vl20 Grp 1 Redundancy "hsrp-Vl20-1" state Standby -> Active
*Mar 1 00:19:46.023: HSRP: Vl20 Added 172.16.20.1 to ARP (0000.0c07.ac01)
*Mar 1 00:19:46.023: HSRP: Vl20 Grp 1 Activating MAC 0000.0c07.ac01
*Mar 1 00:19:46.023: HSRP: Vl20 Grp 1 Adding 0000.0c07.ac01 to MAC address filter
*Mar 1 00:19:46.023: HSRP: Vl20 IP Redundancy "hsrp-Vl20-1" standby, local -> unknown
*Mar 1 00:19:46.023: HSRP: Vl20 IP Redundancy "hsrp-Vl20-1" update, Standby -> Active
*Mar 1 00:19:46.392: HSRP: Vl40 Grp 1 Standby: c/Active timer expired (172.16.40.10)
*Mar 1 00:19:46.392: HSRP: Vl40 Grp 1 Active router is local, was 172.16.40.10
*Mar 1 00:19:46.392: HSRP: Vl40 Nbr 172.16.40.10 no longer active for group 1 (Standby)
*Mar 1 00:19:46.392: HSRP: Vl40 Nbr 172.16.40.10 Was active or standby - start passive holddown
*Mar 1 00:19:46.392: HSRP: Vl40 Grp 1 Standby router is unknown, was local
*Mar 1 00:19:46.392: HSRP: Vl40 Grp 1 Standby -> Active
*Mar 1 00:19:46.392: %HSRP-5-STATECHANGE: Vlan40 Grp 1 state Standby -> Active
*Mar 1 00:19:46.392: HSRP: Vl40 Grp 1 Redundancy "hsrp-Vl40-1" state Standby -> Active
*Mar 1 00:19:46.392: HSRP: Vl40 Added 172.16.40.1 to ARP (0000.0c07.ac01)
*Mar 1 00:19:46.392: HSRP: Vl40 Grp 1 Activating MAC 0000.0c07.ac01
*Mar 1 00:19:46.392: HSRP: Vl40 Grp 1 Adding 0000.0c07.ac01 to MAC address filter
*Mar 1 00:19:46.392: HSRP: Vl40 IP Redundancy "hsrp-Vl40-1" standby, local -> unknown
*Mar 1 00:19:46.392: HSRP: Vl40 IP Redundancy "hsrp-Vl40-1" update, Standby -> Active
*Mar 1 00:19:48.875: HSRP: Vl1 IP Redundancy "hsrp-Vl1-1" update, Active -> Active
*Mar 1 00:19:49.043: HSRP: Vl20 IP Redundancy "hsrp-Vl20-1" update, Active -> Active
*Mar 1 00:19:49.412: HSRP: Vl40 IP Redundancy "hsrp-Vl40-1" update, Active -> Active

If we ping from S2 again we can see that S3 has now taken over (the first echo is lost while the virtual MAC is relearned):

S2#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/9 ms

If we bring the interfaces on S1 back up it becomes Active again for Vl1, 20 & 40 because of "standby 1 preempt":

S1#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State    Active          Standby         Virtual IP
Vl1         1    150 P Active   local           172.16.1.30     172.16.1.1
Vl10        1    100 P Standby  172.16.10.30    local           172.16.10.1
Vl20        1    150 P Active   local           172.16.20.30    172.16.20.1
Vl30        1    100 P Standby  172.16.30.30    local           172.16.30.1
Vl40        1    150 P Active   local           172.16.40.30    172.16.40.1
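To make the election rules behind the table above explicit, here is a small model of the lab's five HSRP groups. It is an added example, not part of the original lab or of IOS: it implements the rule "highest priority wins, ties broken by highest interface address", the takeover when the Active disappears, and the difference preemption makes when the original Active returns. Names, VLANs, addresses and priorities are the lab values from this page; timers and the Speak/Listen states are deliberately left out.

```python
"""HSRP per-VLAN election model: priority, preempt and failover (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field


def ipv4_key(ip: str) -> tuple[int, ...]:
    """Numeric form of a dotted quad, so 172.16.1.30 ranks above 172.16.1.10."""
    return tuple(int(o) for o in ip.split("."))


@dataclass
class Member:
    name: str
    ip: str
    priority: int = 100      # IOS default
    preempt: bool = False    # IOS default: no preemption
    up: bool = True


@dataclass
class Group:
    vlan: int
    virtual_ip: str
    members: list[Member] = field(default_factory=list)
    active: str | None = None
    standby: str | None = None

    def converge(self) -> None:
        """Re-run the election after a change (link up/down, priority change)."""
        ranked = sorted((m for m in self.members if m.up),
                        key=lambda m: (m.priority, ipv4_key(m.ip)), reverse=True)
        if not ranked:
            self.active = self.standby = None
            return
        current = next((m for m in ranked if m.name == self.active), None)
        best = ranked[0]
        if current is None:
            # No live Active (first election, or hold time expired): best router wins.
            self.active = best.name
        elif best is not current and best.preempt and best.priority > current.priority:
            # A higher-priority router with preempt configured sends a Coup and takes over.
            self.active = best.name
        # The Standby role always goes to the best remaining live router.
        others = [m.name for m in ranked if m.name != self.active]
        self.standby = others[0] if others else None


S1_PRIMARY = {1, 20, 40}   # lab requirement: S1 Active for Vl1, 20 & 40
S3_PRIMARY = {10, 30}      # lab requirement: S3 Active for Vl10 & 30


def build_lab(preempt: bool = True) -> dict[int, Group]:
    """Build the five HSRP groups exactly as configured on S1 and S3 above."""
    groups: dict[int, Group] = {}
    for vlan in (1, 10, 20, 30, 40):
        s1 = Member("S1", f"172.16.{vlan}.10", 150 if vlan in S1_PRIMARY else 100, preempt)
        s3 = Member("S3", f"172.16.{vlan}.30", 150 if vlan in S3_PRIMARY else 100, preempt)
        group = Group(vlan, f"172.16.{vlan}.1", [s1, s3])
        group.converge()
        groups[vlan] = group
    return groups


def set_router(groups: dict[int, Group], name: str, up: bool) -> None:
    """Simulate `shutdown` / `no shutdown` of all uplinks on one switch."""
    for group in groups.values():
        for m in group.members:
            if m.name == name:
                m.up = up
        group.converge()


def active_map(groups: dict[int, Group]) -> dict[int, str | None]:
    return {vlan: g.active for vlan, g in groups.items()}


def _peer(g: Group, name: str | None, local: str) -> str:
    if name is None:
        return "unknown"
    return "local" if name == local else next(m.ip for m in g.members if m.name == name)


def standby_brief(groups: dict[int, Group], local: str) -> list[str]:
    """Rows in the spirit of `show standby brief` as seen from switch `local`."""
    rows = []
    for vlan, g in sorted(groups.items()):
        me = next(m for m in g.members if m.name == local)
        state = "Active" if g.active == local else "Standby" if g.standby == local else "Init"
        rows.append(f"Vl{vlan:<4} 1 {me.priority:>3} {'P' if me.preempt else ' '} {state:<7} "
                    f"{_peer(g, g.active, local):<13} {_peer(g, g.standby, local):<13} {g.virtual_ip}")
    return rows


if __name__ == "__main__":
    lab = build_lab()
    set_router(lab, "S1", False)   # S1 shuts fa0/1-4: S3 takes every group
    set_router(lab, "S1", True)    # preempt: S1 reclaims Vl1, 20 and 40
    print("\n".join(standby_brief(lab, "S1")))
```

Running it with build_lab(preempt=False) and the same down/up sequence shows the other half of the story: S3 stays Active on every VLAN and S1 only gets the Standby role back, which is exactly the asymmetry that makes "standby preempt" necessary in this lab.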

Done!

IPv6 – HSRP

Hot Standby Router Protocol (HSRP) is a Cisco-proprietary protocol that provides first-hop redundancy through a virtual IP address shared between routers, which the hosts then use as their default gateway. This video explains the basics very well:

https://www.youtube.com/watch?v=kxhdPI1jh6I

That is, as you can see, for IPv4, so the behaviour differs a little when we use IPv6 instead. Something I did not know myself is that IPv6 actually has a light version of this built into the protocol: by tuning the timers for Router Advertisements and Neighbor Discovery (neighbor unreachability detection) you can get the "fail-over" time below one second. Packetlife.net has a very readable post on exactly this here.

ipv6-hsrp

Our host will have its default gateway configured as FE80:CC1E::1, but before it can send packets there it first needs to resolve the layer 2 (MAC) address. Since there are no ARP requests in IPv6, the host instead sends a "Neighbor Solicitation" to the solicited-node multicast group derived from FE80:CC1E::1 (and the matching 33:33:FF:xx:xx:xx multicast MAC), i.e. to the group the host expects the owner of FE80:CC1E::1 to be listening on. We covered all of this in an earlier post about Neighbor Solicitation here if you need to refresh your memory.

When HSRP is configured, the active router joins the solicited-node multicast group that corresponds to the virtual address we configured. The active router then answers the host's Neighbor Solicitation with the virtual MAC address, which is derived from the HSRP group number (0005.73a0.0XXX for HSRPv2 IPv6, where XXX is the group in hex), so the host's neighbor cache points at whichever router currently holds the Active role.
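The derivations above are mechanical, which makes them useful for sanity-checking a capture or a "show ipv6 interface" output. The following is an added example (not from the original post), standard library only: it computes the default HSRP virtual MAC for a group, the solicited-node group and multicast MAC for an IPv6 address, and the set of groups an IPv6 HSRP router is expected to join. The virtual-MAC prefixes are the IOS defaults (overridable with "standby mac-address"); the values it produces match the outputs shown on this page.

```python
"""HSRP virtual MAC and IPv6 multicast-group derivation (added example)."""
from __future__ import annotations

import ipaddress

HSRP_V1_MAC_BASE = 0x0000_0C07_AC00        # 0000.0c07.acXX   XX  = group 0-255
HSRP_V2_IPV4_MAC_BASE = 0x0000_0C9F_F000   # 0000.0c9f.fXXX   XXX = group 0-4095
HSRP_V2_IPV6_MAC_BASE = 0x0005_73A0_0000   # 0005.73a0.0XXX   XXX = group 0-4095
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
HSRP_V2_IPV6_GROUP = "ff02::66"            # HSRPv2 hellos over IPv6
HSRP_V2_IPV4_GROUP = "224.0.0.102"         # HSRPv2 over IPv4 (v1 uses 224.0.0.2); UDP/1985


def cisco_mac(value: int) -> str:
    """Format a 48-bit integer the way IOS prints MACs: xxxx.xxxx.xxxx."""
    h = f"{value & 0xFFFF_FFFF_FFFF:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def hsrp_virtual_mac(group: int, version: int = 1, ipv6: bool = False) -> str:
    """Default virtual MAC of an HSRP group: what the Active router answers ARP/NS with."""
    if version == 1:
        if ipv6:
            raise ValueError("HSRP for IPv6 requires version 2")
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return cisco_mac(HSRP_V1_MAC_BASE | group)
    if version != 2 or not 0 <= group <= 4095:
        raise ValueError("HSRPv2 group must be 0-4095")
    base = HSRP_V2_IPV6_MAC_BASE if ipv6 else HSRP_V2_IPV4_MAC_BASE
    return cisco_mac(base | group)


def solicited_node(addr: str) -> str:
    """FF02::1:FFxx:xxxx from the low 24 bits of a unicast IPv6 address (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFF_FFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def ipv6_multicast_mac(group: str) -> str:
    """33:33 + low 32 bits of the group (RFC 2464): the L2 destination of NS and HSRP hellos."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    return cisco_mac(0x3333_0000_0000 | (int(g) & 0xFFFF_FFFF))


def joined_groups(link_local: str, virtual_link_local: str | None, active: bool) -> set[str]:
    """Groups an IPv6 HSRP router joins; compare with `show ipv6 interface` on R2 and R3."""
    groups = {"ff02::1", "ff02::2", solicited_node(link_local)}   # all-nodes, all-routers, own SN
    if virtual_link_local is not None:
        groups.add(HSRP_V2_IPV6_GROUP)
        if active:   # only the Active router answers NS for the virtual address
            groups.add(solicited_node(virtual_link_local))
    return groups


if __name__ == "__main__":
    print(hsrp_virtual_mac(1), hsrp_virtual_mac(1, version=2, ipv6=True))
    print(sorted(joined_groups("FE80::2", "FE80:CC1E::1", active=True)))
```

Because both the virtual MAC and the multicast groups are fully predictable from the group number, they are also what you filter on when checking who is actually answering for the gateway on a segment: a frame from 0005.73a0.0001 (or a Neighbor Advertisement for FE80:CC1E::1) that does not come from the expected router's port is the thing to investigate.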

Before we configure anything beyond the base config from the topology above, show ipv6 int fa0/0 on R2 (facing SW1) shows the following:

FastEthernet0/0 is up, line protocol is up
 IPv6 is enabled, link-local address is FE80::2
 No Virtual link-local address(es):
 No global unicast address is configured
 Joined group address(es):
  FF02::1 <- all nodes
  FF02::2 <- all routers
  FF02::1:FF00:2 <- solicited-node

So how do we configure HSRP? Simple! We do it directly on the interface.

R2(config)#inte fa0/0
 R2(config-if)#standby ?
 <0-4095> group number
 authentication Authentication
 bfd Enable HSRP BFD
 delay HSRP initialisation delay
 follow Name of HSRP group to follow
 ip Enable HSRP IPv4 and set the virtual IP address
 ipv6 Enable HSRP IPv6
 mac-address Virtual MAC address
 mac-refresh Refresh MAC cache on switch by periodically sending packet from virtual mac address
 name Redundancy name string
 preempt Overthrow lower priority Active routers
 priority Priority level
 redirect Configure sending of ICMP Redirect messages with an HSRP virtual IP address as the gateway IP address
 timers Hello and hold timers
 track Priority tracking
 use-bia HSRP uses interface's burned in address
 version HSRP version

As you can see there are plenty of options for fine-tuning, but to bring up a simple HSRP session between R2 & R3 (the two routers sharing the segment; R1 is the host in this topology) only the following is needed:

R2

interface FastEthernet0/0
 standby version 2
 standby 1 ipv6 FE80:CC1E::1
 standby 1 priority 101
 standby 1 preempt
*Mar  1 02:20:04.447: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

R3

interface FastEthernet0/0
 standby version 2
 standby 1 ipv6 FE80:CC1E::1
 standby 1 priority 99
 standby 1 preempt
*Mar  1 02:28:31.107: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby

To use HSRP with IPv6 we must enable version 2 of the protocol (standby version 2). We also control which router becomes Active by modifying the priority; highest value wins (default: 100), so in this case R2 becomes Active. If we leave out the "preempt" command the secondary stays Active even when the primary router becomes reachable again after an outage.

Both R2 & R3 will now start sending HSRPv2 Hello packets (UDP port 1985) to the multicast address FF02::66.

R2, however, sends its Hello packet with state Active:

ipv6-hsrp-hello

R3 instead marks its Hello packet with state Standby:

ipv6-hsrp-hello-standby

If we look at R2's interface again we can now see that it has joined two more multicast groups, as expected:

R2#sh ipv6 int fa0/0
 FastEthernet0/0 is up, line protocol is up
 IPv6 is enabled, link-local address is FE80::2 [UNA]
 Virtual link-local address(es):
 FE80:CC1E::1 [OOD]
 No global unicast address is configured
 Joined group address(es):
 FF02::1
 FF02::2
 FF02::66 <- HSRP
 FF02::1:FF00:1 <- Solicited-node address for FE80:CC1E::1
 FF02::1:FF00:2

And for R3:

R3#sh ipv6 int fa0/0
 FastEthernet0/0 is up, line protocol is up
 IPv6 is enabled, link-local address is FE80::3 [UNA]
 Virtual link-local address(es):
 FE80:CC1E::1 [UNA/OOD/TEN]
 No global unicast address is configured
 Joined group address(es):
 FF02::1
 FF02::2
 FF02::66
 FF02::1:FF00:3

Note that R3 has only joined the HSRP multicast group; only the active router joins the solicited-node group for the virtual address (FF02::1:FF00:1), so only the active router answers Neighbor Solicitations for it!

We can verify that everything is OK with the command show standby:

R2#sh standby 
FastEthernet0/0 - Group 1 (version 2)
 State is Active
 2 state changes, last state change 00:25:37
 Virtual IP address is FE80:CC1E::1
 Active virtual MAC address is 0005.73a0.0001
 Local virtual MAC address is 0005.73a0.0001 (v2 IPv6 default)
 Hello time 3 sec, hold time 10 sec
 Next hello sent in 1.756 secs
 Preemption enabled
 Active router is local
 Standby router is FE80::3, priority 99 (expires in 7.040 sec)
 Priority 101 (configured 101)
 Group name is "hsrp-Fa0/0-1" (default)

We now set this virtual address as the default gateway on R1 (a link-local next hop must be qualified with the exit interface):

R1(config)#ipv6 route ::/0 FastEthernet0/0 FE80:cc1e::1
R1(config)#end
R1#ping ipv6 2001:db8:cc1e:4444::4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:CC1E:4444::4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/92 ms

We shut down R2's interface with shutdown and see what happens..

R2 sends an HSRP Resign packet to announce that it is going down:

ipv6-hsrp-resign

R3 sees this and changes state from Standby to Active immediately, without waiting for the hold time to expire.

*Mar  1 02:49:30.131: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
R1#ping ipv6 2001:db8:cc1e:4444::4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:CC1E:4444::4, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 12/32/52 ms

The reason we lose packets is just that I have been a bit lazy. R4 has two default routes pointing at R2 & R3, so every other packet is sent back to R2 and times out.. 😉

When we enable the interface on R2 again it sends an HSRP "Coup" packet containing R2's priority. R3 sees this and changes its state Active -> Speak -> Standby, while R2 goes back to Active.

ipv6-hsrp-coup
*Mar 1 02:56:18.195: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
*Mar 1 02:56:28.195: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
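The Hello, Resign and Coup packets discussed above all carry the same Group State TLV, and a decoder for it is what you would run over a capture from the segment to confirm who is claiming the Active role and with what priority. The following is an added example, not from the original post: an encoder/decoder for the HSRPv2 Group State TLV. HSRPv2 has no RFC; the layout (type=1, length=40, then version, opcode, state, IP version, group, sender identifier, priority, hello and hold time in ms, and a 16-byte virtual IP field with an IPv4 address left-aligned) and the opcode/state numbering are taken from Wireshark's HSRPv2 dissector as I remember them, so treat the numeric state codes as an assumption to check against your own capture. The sender MACs in the sample packets are made up; group, states, priorities and virtual address are the lab values from this page.

```python
"""HSRPv2 Group State TLV encoder/decoder (added example, layout per Wireshark's dissector)."""
from __future__ import annotations

import ipaddress
import struct

GROUP_STATE_TLV = 1
OPCODE = {0: "Hello", 1: "Coup", 2: "Resign", 3: "Advertise"}
# Assumption: HSRPv2 state codes as listed by Wireshark (v1 uses different values).
STATE = {0: "Disabled", 1: "Init", 2: "Learn", 3: "Listen", 4: "Speak", 5: "Standby", 6: "Active"}
DESTINATION = {4: ("224.0.0.102", 1985), 6: ("ff02::66", 1985)}   # where hellos are sent
_LAYOUT = "!BBBBBBH6sIII16s"          # 2-byte TLV header + 40-byte body
_TLV_LEN = struct.calcsize(_LAYOUT)   # 42 bytes


def _mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))


def _bytes_to_mac(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def encode_group_state(opcode: int, state: int, group: int, sender_mac: str,
                       priority: int, virtual_ip: str,
                       hello_ms: int = 3000, hold_ms: int = 10000) -> bytes:
    """Build one Group State TLV (an HSRPv2 packet body without authentication TLVs)."""
    vip = ipaddress.ip_address(virtual_ip)
    if not 0 <= group <= 4095 or not 0 <= priority <= 255:
        raise ValueError("group must be 0-4095 and priority 0-255")
    return struct.pack(_LAYOUT, GROUP_STATE_TLV, _TLV_LEN - 2, 2, opcode, state,
                       vip.version, group, _mac_to_bytes(sender_mac),
                       priority, hello_ms, hold_ms, vip.packed.ljust(16, b"\x00"))


def decode_group_state(data: bytes) -> dict:
    """Parse a Group State TLV; raises ValueError for anything that is not HSRPv2."""
    if len(data) < _TLV_LEN:
        raise ValueError("truncated TLV")
    (tlv_type, tlv_len, version, opcode, state, ipver, group, ident,
     priority, hello_ms, hold_ms, vip_raw) = struct.unpack(_LAYOUT, data[:_TLV_LEN])
    if tlv_type != GROUP_STATE_TLV or tlv_len != _TLV_LEN - 2 or version != 2:
        raise ValueError("not an HSRPv2 Group State TLV")
    if ipver == 4:
        virtual_ip = str(ipaddress.IPv4Address(vip_raw[:4]))
    elif ipver == 6:
        virtual_ip = str(ipaddress.IPv6Address(vip_raw))
    else:
        raise ValueError(f"unknown IP version {ipver}")
    return {
        "opcode": OPCODE.get(opcode, f"unknown({opcode})"),
        "state": STATE.get(state, f"unknown({state})"),
        "ipver": ipver, "group": group, "sender_mac": _bytes_to_mac(ident),
        "priority": priority, "hello_ms": hello_ms, "hold_ms": hold_ms,
        "virtual_ip": virtual_ip,
    }


# Constructed samples mirroring the captures above: R2 (priority 101) is Active,
# R3 (priority 99) is Standby. The sender MACs are made up for this example.
R2_MAC, R3_MAC = "ca02.0e1c.0000", "ca03.0e1c.0000"
VIRTUAL_LL = "FE80:CC1E::1"
SAMPLE_HELLO_R2 = encode_group_state(0, 6, 1, R2_MAC, 101, VIRTUAL_LL)   # Hello, Active
SAMPLE_HELLO_R3 = encode_group_state(0, 5, 1, R3_MAC, 99, VIRTUAL_LL)    # Hello, Standby
SAMPLE_RESIGN_R2 = encode_group_state(2, 6, 1, R2_MAC, 101, VIRTUAL_LL)  # R2 shutting down
SAMPLE_COUP_R2 = encode_group_state(1, 4, 1, R2_MAC, 101, VIRTUAL_LL)    # R2 back, preempting


def summarize(packets: list[bytes]) -> list[tuple[str, str, int, str]]:
    """(opcode, state, priority, sender) per packet: the columns to watch in a capture."""
    out = []
    for p in packets:
        d = decode_group_state(p)
        out.append((d["opcode"], d["state"], d["priority"], d["sender_mac"]))
    return out


if __name__ == "__main__":
    for row in summarize([SAMPLE_HELLO_R2, SAMPLE_HELLO_R3, SAMPLE_RESIGN_R2, SAMPLE_COUP_R2]):
        print(row)
```

Note what is, and is not, in that TLV: the priority that decides the election is carried in clear, and nothing in the Group State TLV ties it to a particular router. The configs in this post use no "standby authentication" (one of the options listed under standby ? above), so any node on the segment could send a Coup with a higher priority and become the gateway. Text authentication is itself sent in clear, so if you enable it, use the MD5 variant; either way, a decoder like this one over a capture filtered on ff02::66 is a quick way to check that only the expected senders ever appear with state Active.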

If we want to give our primary router a little time to "stabilise" (for example, let its routing protocols converge) before handing the baton back, we can configure a delay timer with the command:

R2(config-if)#standby 1 preempt delay minimum ?
 <0-3600> Number of seconds for minimum delay

Another interesting thing is that once HSRP is enabled on an interface, the router stops sending Router Advertisements from its own link-local address (FE80::2 / FE80::3); RAs for the segment are instead sent by the active router, sourced from the virtual link-local address, so hosts that autoconfigure their default router pick up the virtual address rather than a physical one.

ipv6-hsrp-linklocal

But if we also configure a global address on the interface, that prefix is advertised:

R2(config-if)#ipv6 add 2001:db8:cc1e:999::1/64

ipv6-hsrp-globalRA

That is all I had on HSRP for IPv6. I should probably put together a post with some more advanced IPv4 examples, but that will have to wait until we are done with IPv6.