Tuesday, February 9, 2016

Port Security


Port Security controls port access based on MAC addresses.

Max number of MAC addresses per port is 1024.

By default, port security learns MAC addresses dynamically and stores them in the CAM table and the running configuration. If the switch reloads, port security has to relearn a new set of MAC addresses. Use "sticky" to make the learned MAC addresses persistent across a switch reload.

switchport port-security violation {shutdown | restrict | protect}

Shutdown: Port is immediately put into errdisable mode. Must be re-enabled manually or through errdisable recovery.

Restrict: Port is allowed to stay up, and all packets from the violating MAC address are dropped. Switch keeps record and can send an SNMP trap and Syslog message.

Protect: Port is allowed to stay up, and packets from the violating MAC addresses are dropped. No record is kept.
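A small model of the three violation modes and of sticky learning, added here as an illustration (not code from the original notes); the port limit, MAC addresses and log strings are constructed, not real IOS output.

```python
# Added example: how a port-security port treats frames under each violation
# mode, and what survives a reload with and without "sticky". Values constructed.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1                  # switchport port-security maximum
    violation: str = "shutdown"       # shutdown | restrict | protect
    sticky: bool = False              # learned MACs written to running-config
    learned: set = field(default_factory=set)
    running_config: list = field(default_factory=list)
    errdisabled: bool = False
    violations: int = 0               # counted only in restrict mode
    log: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> str:
        """Return what the port does with a frame from src_mac."""
        if self.errdisabled:
            return "drop"             # nothing passes until the port is re-enabled
        if src_mac in self.learned:
            return "forward"
        if len(self.learned) < self.maximum:
            self.learned.add(src_mac)         # dynamic learning (CAM table)
            if self.sticky:                   # sticky: persisted in running-config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # A new source MAC beyond the maximum is a violation.
        if self.violation == "shutdown":
            self.errdisabled = True           # manual / errdisable recovery needed
            self.log.append(f"violation by {src_mac}: port errdisabled")
            return "errdisable"
        if self.violation == "restrict":
            self.violations += 1              # record kept; trap/syslog possible
            self.log.append(f"violation by {src_mac}: frame dropped")
            return "drop"
        return "drop"                         # protect: silently dropped, no record

    def reload(self) -> None:
        """Switch reload: dynamic entries are lost, sticky entries survive."""
        self.learned = {line.split()[-1] for line in self.running_config}
        self.errdisabled = False
```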


Spanning Tree

802.1D Overview

Spanning Tree Protocol (STP) provides network link redundancy so that a Layer 2 switched network can recover from failures without intervention in a timely manner.

Transparent Bridge - A network device that isolates two physical LANs but forwards Ethernet frames between them. Frames forwarded across the bridge are not modified by the bridge itself, so the bridging process is effectively transparent.

Spanning Tree Communication: Bridge Protocol Data Units

Configuration BPDU, used for spanning-tree computation.
Topology Change Notification (TCN) BPDU, used to announce changes in the network topology.

BPDU Message Content

Field                          Size (bytes)
Protocol ID                    2
Version                        1
Message Type (Config / TCN)    1
Flags                          1
Root Bridge ID                 8
Root Path Cost                 4
Sender Bridge ID               8
Port ID                        2
Message Age                    2
Maximum Age                    2
Hello Time                     2
Forward Delay                  2
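A parser for a configuration BPDU laid out with the field sizes above, added as an example (not from the original notes). The sample bytes are constructed here; the 1/256-second encoding of the four timer fields is from 802.1D and is not stated in the notes.

```python
# Added example: unpack an 802.1D configuration BPDU using the field sizes
# listed above and split each 8-byte bridge ID into priority + MAC.
import struct

BPDU_FMT = "!HBBB8sI8sHHHHH"   # big-endian: 2+1+1+1+8+4+8+2+2+2+2+2 = 35 bytes
FIELDS = ("protocol_id", "version", "msg_type", "flags", "root_id",
          "root_path_cost", "sender_id", "port_id", "message_age",
          "max_age", "hello_time", "forward_delay")


def split_bridge_id(raw: bytes) -> tuple:
    """Bridge ID = 2-byte priority followed by a 6-byte MAC address."""
    priority = int.from_bytes(raw[:2], "big")
    mac = ".".join(raw[2:][i:i + 2].hex() for i in (0, 2, 4))
    return priority, mac


def parse_config_bpdu(data: bytes) -> dict:
    if len(data) < struct.calcsize(BPDU_FMT):
        raise ValueError("truncated BPDU")
    bpdu = dict(zip(FIELDS, struct.unpack(BPDU_FMT, data[:35])))
    if bpdu["msg_type"] != 0x00:          # 0x00 = Configuration, 0x80 = TCN
        raise ValueError("not a configuration BPDU")
    for key in ("root_id", "sender_id"):
        bpdu[key] = split_bridge_id(bpdu[key])
    # 802.1D encodes the timer fields in units of 1/256 second (assumed here;
    # the table above gives only their sizes).
    for key in ("message_age", "max_age", "hello_time", "forward_delay"):
        bpdu[key] = bpdu[key] / 256
    return bpdu


# Constructed sample: root = priority 4096 / MAC 0000.0c00.0001, sender =
# priority 32768 / MAC 0000.0c00.0002, root path cost 19, port ID 0x8001,
# message age 1 s and the default 20/2/15 second timers.
SAMPLE_BPDU = struct.pack(
    BPDU_FMT, 0, 0, 0, 0,
    (4096).to_bytes(2, "big") + bytes.fromhex("00000c000001"), 19,
    (32768).to_bytes(2, "big") + bytes.fromhex("00000c000002"), 0x8001,
    1 * 256, 20 * 256, 2 * 256, 15 * 256)

if __name__ == "__main__":
    for name, value in parse_config_bpdu(SAMPLE_BPDU).items():
        print(f"{name:15} {value}")
```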


Electing a Root Bridge

Bridge ID is an 8-Byte value with the following fields:

Bridge Priority (2 bytes) Values: 0 - 65,535, and defaults to 32,768.

MAC Address (6 bytes) Hard coded unique value.

1.) Root bridge is elected.

Every switch begins by sending out BPDUs with a root bridge and sender bridge equal to its own bridge ID.
After the root bridge is elected, configuration BPDUs are sent out only by the Root Bridge. All other bridges must forward or relay the BPDUs, adding their own sender bridge IDs to the message.

Best bridge ID has the lowest value.

Root bridge election is an ongoing process, triggered by root bridge ID changes in the BPDUs every 2 seconds.

2.) Electing Root Ports

Each non-root switch must figure out where it is in relation to the root bridge. This is done by selecting only one root port on each non-root switch. The root port always points toward the current root bridge.

Calculate the root path cost to select the root port. This is the cumulative cost of all links leading to the root bridge.

Only the root path cost is carried in the BPDU. As the BPDU travels along, each switch increments the root path cost to keep it cumulative. The port path cost is local to the switch and is not carried in the BPDU.


Link bandwidth   Path cost
4 Mbps           250
10 Mbps          100
100 Mbps         19
1 Gbps           4
10 Gbps          2

The root path cost is incremented by the ingress port path cost as the BPDU is received at each switch down the line.

3.) Electing Designated Ports

The final step in the election process elects one designated port on each network segment.

In each of these determinations, if two or more links have equal root path costs, the following factors are considered in order to break the tie:

1.) Lowest root bridge ID
2.) Lowest root path cost to root bridge
3.) Lowest sender bridge ID
4.) Lowest sender port ID
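The root-port choice a non-root switch makes from the BPDUs it has received, using the path-cost table and the four-step tie-break above; this is an added example, not code from the original notes. Bridge IDs are (priority, MAC) tuples, the topology is constructed, and the final tie-break on the receiving port's own ID is an addition beyond the four steps listed.

```python
# Added example: pick the root port from received configuration BPDUs.
# Each received root path cost is first incremented by the ingress port cost.
PORT_COST = {4: 250, 10: 100, 100: 19, 1000: 4, 10000: 2}   # Mbps -> cost


def received_bpdu_key(bpdu: dict, ingress_port: dict) -> tuple:
    """Comparison key for a BPDU heard on ingress_port. Lower wins on every
    field, in the order STP compares them: root bridge ID, cumulative root
    path cost, sender bridge ID, sender port ID, then (assumed, not in the
    notes) the receiving port's own ID."""
    cumulative = bpdu["root_path_cost"] + PORT_COST[ingress_port["mbps"]]
    return (bpdu["root_id"], cumulative, bpdu["sender_id"],
            bpdu["sender_port_id"], ingress_port["port_id"])


def elect_root_port(received: list) -> dict:
    """received: [{"port": {...}, "bpdu": {...}}, ...], one entry per port
    that heard a BPDU. Returns the root port and the root path cost this
    switch will advertise onward."""
    best = min(received, key=lambda r: received_bpdu_key(r["bpdu"], r["port"]))
    key = received_bpdu_key(best["bpdu"], best["port"])
    return {"root_port": best["port"]["name"], "root_id": key[0],
            "root_path_cost": key[1]}


# Constructed topology: the same root (priority 4096) is heard on three ports.
# Gi0/1: 1 Gbps link to another switch that is cost 19 from the root.
# Fa0/2 and Fa0/3: 100 Mbps links directly to the root (advertised cost 0).
ROOT = (4096, "0000.0c00.0001")
RECEIVED = [
    {"port": {"name": "Gi0/1", "mbps": 1000, "port_id": 0x8001},
     "bpdu": {"root_id": ROOT, "root_path_cost": 19,
              "sender_id": (32768, "0000.0c00.0002"), "sender_port_id": 0x8003}},
    {"port": {"name": "Fa0/2", "mbps": 100, "port_id": 0x8002},
     "bpdu": {"root_id": ROOT, "root_path_cost": 0,
              "sender_id": ROOT, "sender_port_id": 0x8001}},
    {"port": {"name": "Fa0/3", "mbps": 100, "port_id": 0x8003},
     "bpdu": {"root_id": ROOT, "root_path_cost": 0,
              "sender_id": ROOT, "sender_port_id": 0x8002}},
]

if __name__ == "__main__":
    # The gigabit path costs 19 + 4 = 23; the direct Fast Ethernet links cost
    # 0 + 19 = 19 and tie, so the lower sender port ID (Fa0/2) wins.
    print(elect_root_port(RECEIVED))
```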

STP State    The port can...                          The port cannot...                     Duration
Disabled     N/A                                      Send or receive data                   N/A
Blocking     Receive BPDUs                            Send or receive data, or learn MACs    Indefinite, as long as a loop has not been detected
Listening    Send and receive BPDUs                   Send or receive data, or learn MACs    Forward delay timer (15 sec)
Learning     Send and receive BPDUs, learn MACs       Send or receive data                   Forward delay timer (15 sec)
Forwarding   Send and receive BPDUs, learn MACs,      -                                      Indefinite, as long as the port is up and no loop is detected
             send and receive data

STP PortFast is used on a port with a single attached PC. TCNs are not sent when the port changes state, and the port is brought directly into the Forwarding state when the link comes up.

In 802.1Q, all CST BPDUs are transmitted over trunk links using the native VLAN with untagged frames.

PVST - Cisco Proprietary - Requires ISL.

PVST+ - Provides interoperability between CST and PVST - Both 802.1Q and ISL.   

Root Port: The one port on a switch that is closest to the root bridge.

Designated Port: The port on a LAN segment that is closest to the root. Relays, or transmits, BPDUs down the tree.

Blocking Port: Neither root nor designated.

Alternate Port:  Candidates for root ports. Close to the root bridge and in blocking state.

Forwarding Ports: No other STP activity is detected or expected. Normal end user connections.

Root Guard

A means to control where candidate root bridges can be connected and found on a network. If a root-guard port receives a superior BPDU, the port is moved to and kept in the root-inconsistent state until the superior BPDUs cease.

The switch can only forward or relay BPDUs on that port; the port cannot be used to accept a superior BPDU.

When superior BPDUs are no longer received, the port is cycled through the normal STP states to return to normal use.

BPDU Guard   

Developed to further protect the integrity of switch ports that have PortFast enabled. If any BPDU is received on a port, that port is immediately put into the errdisable state.

When BPDUs are no longer received, the port still remains in the errdisable state.

Use BPDU Guard on all switch ports where STP PortFast is enabled.


If the absence of BPDUs is actually a mistake and BPDUs are not being received even though there is no topology change, bridging loops can form.

Loop Guard - When BPDUs go missing, Loop Guard moves the port into the loop-inconsistent state.

When BPDUs are received again, Loop Guard allows the port to move through the normal STP states and become active.

Blocks on a per-VLAN basis, so the entire port is not blocked.

Loop Guard can be enabled on all switch ports.

UDLD

A unidirectional link poses a potential danger to STP topologies because BPDUs will not be received on one end of the link. If that end of the link would normally be in the blocking state, it will not be that way for long.

Use the Cisco proprietary UDLD STP feature to prevent this.

Uses an echo process to determine if both sides are up or not. Both sides need to be configured.

UDLD can detect a unidirectional link after about three times the UDLD message interval (45 seconds total with the default timers). It needs to detect the link failure before STP moves the port into the forwarding state.

Can be enabled per port or globally for fiber optic switch ports.

Enabling UDLD globally does not affect copper media because it does not suffer from the conditions that allow a unidirectional link to form.

Once UDLD aggressive mode has put a switch port into the errdisable state, you must use the following command to re-enable it.

Switch# udld reset

Rapid Spanning Tree Protocol 

By default, a switch operates in Per-VLAN Spanning Tree Plus (PVST+) mode using traditional 802.1D STP.

Root Port:  The one root port that has the best root path cost. Identical to 802.1D

Designated Port: Best root path cost to the root.

Alternate Port: Alternate path to the root, different from the path the root port takes.

Backup Port: Redundant but less desirable connection to a segment where another switch port already connects.

RSTP defines port states only according to what the port does with incoming frames.

Discarding - Incoming frames are simply dropped. No MAC addresses learned. Combines 802.1D Disabled, Blocking, and Listening. (The Listening state is not needed because RSTP quickly can negotiate a state change without listening for BPDUs first).

Learning - Incoming frames are dropped, MAC addresses are learned.

Forwarding - Incoming frames are forwarded according to their corresponding MAC addresses.


Edge Port - Port at the "edge" of the network where only one host connects. Switch(config-if)# spanning-tree portfast

Root Port - Port that has the best cost to the root of the STP instance. Only one root port, although alternative paths can exist on other ports.

Point-to-point port - Any port that connects to another switch and becomes a designated port. BPDUs are exchanged back and forth in the form of a proposal and agreement.

Stacking and VSS

StackWise/StackWise Plus enable separate physical switches to act as a single logical switch.

Cisco Catalyst 3750-E, 3750-X, and 3850 platforms.

Virtual Switching System (VSS)

Cisco Catalyst 4500R, 6500, and 8500.

VSS - configure two identical chassis to act as one logical switch.

One supervisor in one of the chassis controls the operation of the logical switch. If it fails, the supervisor in the other chassis takes over.

The chassis must be linked together by multiple interfaces that have been configured as a virtual switch link (VSL).

Route Processor Redundancy (RPR) - The redundant supervisor is only partially booted and initialized. To become active, the Standby module must reload every module in the switch and initialize all supervisor functions.

Route Processor Redundancy Plus (RPR+) - The redundant supervisor is booted, allowing the supervisor and route engine to initialize. No L2/L3 functions are started. To become active, the Standby module finishes initializing without reloading other switch modules.

Stateful Switchover (SSO) - The redundant supervisor is fully booted and initialized. Startup and running configurations are synchronized between the supervisor modules. L2 information is maintained on both supervisors so that hardware switching can continue during a failover.

Single Router Mode (SRM) - Two route processors are present, but only one is active.
Dual Router Mode (DRM) - Two route processors are active at all times. HSRP is used to provide redundancy in DRM.

SRM is not compatible with RPR and RPR+, because the route processor portion is not initialized on the standby unit.

SRM is inherent with SSO, which brings up the standby processor.


Tuesday, January 27, 2015

HSRP, VRRP, & GLBP

HSRP


In HSRP version 1, millisecond timer values are not advertised or learned, HSRP version 2 advertises and learns millisecond timers. This change ensures stability in the groups in all  cases.

Version 1 Group Numbers: 0-255
Version 2 Group Numbers: 0-4095

For example, the HSRPv1 virtual MAC address range is 0000.0C07.ACxx, where xx = 00-FF (group 0-255).
For example, the HSRPv2 virtual MAC address range is 0000.0C9F.Fyyy, where yyy = 000-FFF (group 0-4095).

Version 1 Multicast Address: 224.0.0.2
Version 2 Multicast Address: 224.0.0.102

Version 2 Packet Format: Includes 6-byte identifier field that is used to uniquely identify the sender of the message. Typically, this field is populated with the interface MAC address. This improves troubleshooting network loops and configuration errors.

Version 2: Allows for IPv6 support.

HSRP version 2 has a different packet format than HSRP version 1. The packet format uses a type-length-value (TLV) format. HSRP version 2 packets received by an HSRP version 1 router will have the type field mapped to the version field by HSRP version 1, and subsequently ignored.

The interface command standby version {1 | 2} selects the HSRP version per interface. Note that HSRP version 2 will not interoperate with HSRP version 1. However, the different versions can be run on different physical interfaces of the same router.

HSRP defines a standby group of routers, with one router as the active one.

Provides gateway redundancy by sharing IP and MAC addresses between redundant gateways.

Consists of virtual MAC and IP addresses that are shared between two routers that belong to the same HSRP group.

Active Router - Currently forwards packets sent to the virtual router.

Standby Router - Primary backup router.

Standby Group - Set of routers participating in HSRP that jointly emulate a virtual router.

Configuration

standby group-number ip ip-address

Active & Standby Routers

Active Router

  • Responds to ARP requests of the default gateway with the MAC address of the virtual router.
  • Assumes the act of forwarding packets sent to the virtual router.
  • Sends hello messages.
  • Knows the virtual router's IP address.
Standby Router

  • Listens for periodic hello messages.
  • Assumes the act of forwarding packets if no messages are heard from the active router.

HSRP States


Initial - The starting state, entered after a configuration change or when the interface comes up.

Listen - The router knows the virtual IP address and listens for hello messages.

Speak - The router knows the virtual IP address, sends hello messages and actively participates in the election.

Standby - The router is a candidate to become the next active router and sends hello messages.

Active - The router currently forwards packets that are sent to the group virtual MAC address.

Each router has a default priority of 100. With the default (equal) priorities, the router with the highest IP address is elected as the active router.

Highest Priority, then highest IP address.

Config

standby group-number priority priority-value

standby group-number preempt delay

standby group-number timers hello-time hold-time

Hello Time - Default is 3 seconds. Hello interval.

Hold Time - Default is 10 seconds. Time before active / standby is declared down.

Config 

standby 10 preempt

standby 10 preempt delay minimum 300

VRRP


Active router referred to as the master virtual router.

Selection of the master virtual router.

  1. Real IP address. 
  2. Virtual IP address.
    1. The router with the highest priority.
  3. The master uses VRRP messages to inform group members.

Three Timers


  1. Advertisement interval (Default = 1 sec)
  2. Master down interval. Default: 3 x Advertisement + Skew. (Default = skew + 1)
  3. Skew time: (256 - priority) / 256 sec


VRRP Transition Times


Router A (Master) is sending advertisements by default every 1 second.
Router A fails -> Advertisements stop.
Router B and Router C stop receiving advertisements and wait for their respective master down intervals to expire before transitioning to the master state.
Skew is inversely proportional to priority, so the master down interval of Router B is less than that of Router C.

Router B (priority 200) skew time: (256 - 200) / 256 = 0.2 sec.
Router C (priority 100) skew time: (256 - 100) / 256 = 0.6 sec.

Router B transitions to master after 3.2 seconds. (master down + skew)

Router C receives the advertisement from the new master, so it resets its master down interval and remains in the backup state.
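The timer arithmetic behind the walk-through above, added as an example (not code from the original notes). The priorities 200 and 100 and the 1-second advertisement interval come from the notes; the router names and the failure timeline are constructed.

```python
# Added example: VRRP skew time, master down interval and the resulting
# failover order for a set of backup routers after the master stops advertising.
ADVERTISE_INTERVAL = 1.0   # seconds (default)


def skew_time(priority: int) -> float:
    """Skew time in seconds: (256 - priority) / 256. Higher priority, shorter skew."""
    return (256 - priority) / 256


def master_down_interval(priority: int, advertise: float = ADVERTISE_INTERVAL) -> float:
    """Master down interval: 3 x advertisement interval + skew time."""
    return 3 * advertise + skew_time(priority)


def failover_timeline(backups: dict, advertise: float = ADVERTISE_INTERVAL) -> dict:
    """backups: {router name: priority}. Returns, for each backup, when its
    master down timer would expire (seconds after the failed master's last
    advertisement) and the role it ends up in."""
    expiry = {name: master_down_interval(p, advertise) for name, p in backups.items()}
    new_master = min(expiry, key=expiry.get)        # first timer to expire wins
    timeline = {}
    for name, t in sorted(expiry.items(), key=lambda kv: kv[1]):
        if name == new_master:
            timeline[name] = {"expires_at": t, "role": "master"}
        else:
            # This router hears the new master's advertisement before its own
            # timer expires, resets the master down interval and stays backup.
            timeline[name] = {"expires_at": t, "role": "backup"}
    return timeline


if __name__ == "__main__":
    # Constructed scenario from the notes: Router B priority 200, Router C 100.
    for router, info in failover_timeline({"Router B": 200, "Router C": 100}).items():
        print(f"{router}: timer expires at {info['expires_at']:.2f} s -> {info['role']}")
```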

VRRP Commands

vrrp group-number ip virtual-gateway-address
vrrp group-number priority priority-value
vrrp group-number timers advertise timer-value (on master router)
vrrp group-number ip timers learn (on non-master routers)



GLBP


Allows full use of resources on all devices without the administrative burden of creating groups.
Provides one virtual IP address and many virtual MAC addresses.
Routes to a single gateway distributed across routers.
Provides automatic re-routing in the event of any failure.

                  HSRP                                           GLBP
Origin            Cisco proprietary - 1994                       Cisco proprietary - 2005
Groups            16 groups max                                  1024 groups max
Roles             One active, one standby, several candidates    One AVG, several AVFs; the AVG load-balances traffic among the AVFs
Virtual IP        Different from the active & standby real IPs   Different from the AVG & AVF real IPs
Virtual MAC       One virtual MAC per group                      One virtual MAC per AVG/AVF per group
Multicast         224.0.0.2                                      224.0.0.102
Tracking          Track interface/object                         Track object
Default timers    3/10                                           3/10
Authentication    Supported                                      Supported


GLBP Functions

Load sharing.

  • Multiple virtual routers.
    • Up to 1024 GLBP groups on each physical interface of a router and up to 4 virtual forwarders per group.
  • Pre-emption
    • Pre-empt an AVG with a higher priority backup virtual gateway.

  • Efficient resource utilization.
    • Any router can serve as a backup.
    • All available routers can support traffic.

Operational Modes for Load balancing

  • Weighted load-balancing algorithm
    • The amount of load is dependent on the weighting value.

  • Host-Dependent load-balancing algorithm
    • Each host is guaranteed to keep using the same virtual MAC address.

  • Round-Robin load-balancing algorithm
    • The reply to each client ARP request contains the MAC address of the next router, in round-robin fashion.

GLBP weighting is used to determine whether a router can act as a virtual router.

  • GLBP- Two thresholds are defined.
    • One lower threshold that applies when the router loses weight.
    • One upper threshold that applies when the router gains weight.
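An added example (not code from the original notes) of the AVG answering ARP requests round-robin with its forwarders' virtual MACs, where each AVF's eligibility follows the two weighting thresholds just described: drop below the lower threshold and the forwarder stops, and only climbing back to the upper threshold restores it. Router names, virtual MACs, weights and thresholds are constructed.

```python
# Added example: round-robin virtual MAC hand-out by the AVG, with per-AVF
# weighting hysteresis (lower threshold on the way down, upper on the way up).
from itertools import cycle


class Forwarder:
    def __init__(self, name: str, vmac: str, weight: int, lower: int, upper: int):
        self.name, self.vmac, self.weight = name, vmac, weight
        self.lower, self.upper = lower, upper
        self.active = weight >= upper          # eligible to forward at start-up

    def update_weight(self, new_weight: int) -> bool:
        """Apply the two thresholds. Returns whether the AVF may forward."""
        self.weight = new_weight
        if self.active and new_weight < self.lower:
            self.active = False                # lost weight: stop forwarding
        elif not self.active and new_weight >= self.upper:
            self.active = True                 # regained enough weight: resume
        return self.active


class ActiveVirtualGateway:
    def __init__(self, virtual_ip: str, forwarders: list):
        self.virtual_ip = virtual_ip
        self.forwarders = forwarders
        self._rr = cycle(forwarders)           # round-robin position

    def arp_reply(self, requester_ip: str) -> str:
        """Answer an ARP request for the virtual IP with the next eligible
        AVF's virtual MAC, skipping forwarders that are not active."""
        for _ in range(len(self.forwarders)):
            avf = next(self._rr)
            if avf.active:
                return avf.vmac
        raise RuntimeError("no active virtual forwarder for " + self.virtual_ip)


# Constructed group: two AVFs, weight 100, lower threshold 90, upper 95.
AVFS = [Forwarder("R1", "0007.b400.0101", 100, 90, 95),
        Forwarder("R2", "0007.b400.0102", 100, 90, 95)]
AVG = ActiveVirtualGateway("192.0.2.1", AVFS)

if __name__ == "__main__":
    for host in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(host, "->", AVG.arp_reply(host))
```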
Config.

glbp group-number ip virtual-gateway-address
glbp group-number priority priority-value
glbp group-number ip timers hello-value holdtime-value
