Monday 15 October 2012

13 - Redundancy in the Campus - HSRP, VRRP, and GLBP 2






One other difference between VRRP and the other two protocols with regard to timers is that the master down interval (hold timer) is not configurable. Instead, VRRP uses 3 times the hello (advertisement) timer plus the skew time as the master down interval. The skew time is calculated as ((256 - VRRP priority) / 256), so higher-priority routers have a shorter skew time and a shorter master down interval, and therefore declare the master dead first.
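As an added worked example (not part of the original post), here is the master down interval calculation above written out in Python using the VRRPv2 formula from the notes: 3 x advertisement interval + (256 - priority) / 256, with both timers in seconds. The router names and priorities are made up for illustration. It also shows a point worth knowing when you run sub-second advertise timers like the lab config does: with a 100 ms advertisement the skew time (0.6 s at the default priority of 100) is most of the master down interval.

```python
# Added example, not from the original post: VRRPv2 master down interval.
# Formula (per the notes above): master_down = 3 * adv_interval + skew_time,
# where skew_time = (256 - priority) / 256 seconds.

def skew_time(priority):
    """Skew time in seconds for a backup with the given VRRP priority (1-254)."""
    if not 1 <= priority <= 254:
        raise ValueError("backup priority must be between 1 and 254")
    return (256 - priority) / 256


def master_down_interval(adv_interval, priority):
    """Seconds a backup waits without advertisements before declaring the
    master down: three missed advertisements plus its own skew time."""
    return 3 * adv_interval + skew_time(priority)


def failover_order(adv_interval, backups):
    """backups: {router name: priority} (constructed sample data in the test).
    Returns the names in the order they would declare the master down; the
    first one times out first and therefore becomes the new master."""
    return sorted(backups,
                  key=lambda name: master_down_interval(adv_interval, backups[name]))


if __name__ == "__main__":
    # Default 1 s advertise vs. the lab's "timers advertise msec 100"
    for adv in (1.0, 0.1):
        for prio in (100, 150, 200):
            print(f"adv={adv}s prio={prio}: skew={skew_time(prio):.3f}s "
                  f"master_down={master_down_interval(adv, prio):.3f}s")
    print(failover_order(0.1, {"R2": 100, "R3": 200, "R4": 150}))
```

Note that the skew term is fixed in seconds in VRRPv2, so shrinking the advertisement timer does not shrink the master down interval proportionally.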




For this lab we will have to do it on the 2800, as VRRP is not supported on the 3550 ... (maybe another reason to run HSRP, as that is supported on all Cisco platforms)

VERY SIMILAR TO HSRP:

interface FastEthernet0/0
 vrrp 20 ip 172.30.4.90
 vrrp 20 preempt
 vrrp 20 timers advertise msec 100


We don't have the option to set a dead timer like we did with HSRP; the master down interval is derived from the hello (advertise) timer that is set on the MASTER. So on the MASTER we set "vrrp 20 timers advertise", and the backup routers are configured with "vrrp 20 timers learn" so they pick the timer up dynamically.

If the MASTER notices that one of its tracked interfaces is down, it will set its priority to zero.




server 1 = wants to send traffic and sends an ARP request for the VIP; router 1 (the AVG) gets the ARP request and replies with a MAC address.
server 2 = wants to send traffic and sends an ARP request for the VIP; router 2 gets the ARP request and passes it to the AVG, but the reply that comes back carries the MAC of R2.

So R2 is now acting as an AVF (active virtual forwarder).

The load balancing can be round robin, host dependent or weighted (equal or unequal). Is it true load balancing ... well no, but it is a type of load balancing (the second router doesn't sit there idle).

For the other weighting methods (i.e. not the default round robin) you have to configure quite a few options (not covered in NP).
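To make the "type of load balancing" point concrete, here is an added toy model (my own example, not from the original post or from Cisco) of how the AVG hands out AVF virtual MACs in its ARP replies. The AVF names and MACs are constructed for illustration (they follow the 0007.b4xx.xxyy pattern GLBP uses for group 1), the host MACs are made up, and the host-dependent hash is just a stand-in for whatever the real implementation does. What it shows is that the split happens once per host at ARP time, not per packet or per flow.

```python
# Added example, not from the original post: a toy GLBP active virtual
# gateway choosing which forwarder's virtual MAC to put in each ARP reply.
import hashlib
import itertools

# Constructed sample: group 1 with two forwarders (AVF 1 on R1, AVF 2 on R2)
AVFS = {"R1": "0007.b400.0101", "R2": "0007.b400.0102"}


class ActiveVirtualGateway:
    """Toy AVG: answers ARP for the VIP by handing out one AVF virtual MAC."""

    def __init__(self, forwarders, method="round-robin", weights=None):
        # forwarders: {AVF name: virtual MAC}; insertion order drives round robin
        self.forwarders = dict(forwarders)
        self.method = method
        self.weights = weights or {name: 1 for name in self.forwarders}
        sequence = []
        for name in self.forwarders:
            # weighted: an AVF with weight 2 appears twice per cycle, and so on
            sequence.extend([name] * self.weights[name])
        self._cycle = itertools.cycle(sequence)

    def arp_reply(self, requester_mac):
        """Return (AVF name, virtual MAC) placed in the ARP reply to this host."""
        if self.method == "host-dependent":
            # a given host always gets the same forwarder (hash is illustrative)
            names = list(self.forwarders)
            digest = hashlib.sha256(requester_mac.encode()).digest()
            name = names[digest[0] % len(names)]
        else:
            # round-robin and weighted both just walk the cycle
            name = next(self._cycle)
        return name, self.forwarders[name]


def distribute(avg, host_macs):
    """Which forwarder each host ends up using. Everything that host sends
    to the VIP afterwards goes via that one AVF until it ARPs again."""
    return {mac: avg.arp_reply(mac)[0] for mac in host_macs}


if __name__ == "__main__":
    print(distribute(ActiveVirtualGateway(AVFS), ["h1", "h2", "h3", "h4"]))
    weighted = ActiveVirtualGateway(AVFS, "weighted", {"R1": 2, "R2": 1})
    print([weighted.arp_reply("h")[0] for _ in range(6)])
```

A consequence worth seeing in the output: a single busy host stays on one forwarder no matter how much it sends, which is why the notes call this a type of load balancing rather than the real thing.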

Config very similar to the others:

interface FastEthernet0/0
 glbp 1 ip 172.30.4.70
 glbp 1 priority 150
 ! priority decides who becomes the AVG: higher = better, default is 100
 glbp 1 timers

supports IPv6 also!



14 - Campus Security - Basic Port Security and 802.1x





Part of dsniff is macof, which sources many, many MACs onto that uplink and saturates the CAM table; the switch then behaves like a hub (as no more MACs can be learnt), everything is flooded as if it were broadcast, and you can packet sniff it ;0)

Most attacks focus on poisoning the MAC tables.

See the screenshot from when I used macof against my 2950 while studying for the CCNA-S; check out the 8000+ MACs learnt by the switch! lol






conf t
interface FastEthernet0/21
 switchport mode access
 switchport port-security
 switchport port-security maximum 1


show port-security interface FastEthernet0/21 to verify

switchport port-security violation {shutdown | restrict | protect}
shutdown - you're gonna hear about it, a good choice to make
restrict - does the same as protect, but the security violation counter increases and a SYSLOG event is generated.
protect - when another MAC tries to connect it is ignored (but you the admin and the user don't know about it)


The state of the port goes into secure-shutdown; check with show ip int brief (it shows as down/down).
A handy command to view this is:



We just saw the security-violation errdisable cause, so let's configure recovery for it:

conf t
errdisable recovery cause security-violation
! note: the port-security cause shows as psecure-violation in "show errdisable recovery"
errdisable recovery interval <seconds>



pretty kool huh .... :0)


show port-security interface FastEthernet0/21 to see the security information and counters



conf t
interface FastEthernet0/21
 switchport port-security maximum 10
 switchport port-security mac-address <static MAC address>

BUT DO CONFIGURE the maximum MACs allowed too, as we did above, and be careful because it works as a mix, i.e.
it will allow the 1 MAC we configured statically plus 9 learnt (sticky) ones. So configure as appropriate.

Or we can do this with sticky MACs:


switchport port-security mac-address sticky

The switch will automatically hard-code whatever device is plugged into that switchport into the running config,




You need to save the config to NVRAM, otherwise the sticky addresses will not survive a reload; also, if we plug in another device you can see the running config shows that MAC too :0)


If these are the only two devices, we can then lower the maximum down to 2, job done lol
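As an added example (my own Python model, not IOS code and not from the original post), here is a small simulation of the port-security behaviour covered above: the maximum, static versus sticky addresses, the three violation modes, and errdisable recovery. The MAC addresses are constructed, and the syslog text is an approximation of the real %PORT_SECURITY message. It makes the "1 static + 9 sticky" mix visible: the maximum counts every secure address on the port, whichever way it got there.

```python
# Added example, not from the original post: a toy model of a port-secured
# switchport. Everything below is constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1
    violation: str = "shutdown"                       # shutdown | restrict | protect
    sticky: bool = False
    static_macs: set = field(default_factory=set)     # typed in by hand
    sticky_macs: set = field(default_factory=set)     # learnt, written to running-config
    dynamic_macs: set = field(default_factory=set)    # learnt, never saved
    state: str = "up"                                 # up | err-disabled
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    @property
    def secure_macs(self):
        # the maximum applies to the total, however each address got here
        return self.static_macs | self.sticky_macs | self.dynamic_macs

    def running_config(self):
        """Lines that would show under the interface: static and sticky only."""
        lines = [f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static_macs)]
        lines += [f" switchport port-security mac-address sticky {m}" for m in sorted(self.sticky_macs)]
        return lines

    def frame_from(self, mac):
        """True if a frame from `mac` is forwarded, False if it is dropped."""
        if self.state == "err-disabled":
            return False
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # room left: learn it (sticky goes into the config, else dynamic)
            (self.sticky_macs if self.sticky else self.dynamic_macs).add(mac)
            return True
        # table is full and this MAC is unknown: a violation
        if self.violation == "protect":
            return False                  # silently dropped, no counter, no log
        self.violation_count += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: unknown MAC {mac} (approx. text)")
        if self.violation == "shutdown":
            self.state = "err-disabled"   # secure-shutdown until errdisable recovery
        return False

    def errdisable_recover(self):
        """What errdisable recovery does once its interval expires."""
        if self.state == "err-disabled":
            self.state = "up"


if __name__ == "__main__":
    port = SecurePort(maximum=10, sticky=True, static_macs={"0000.1111.2222"})
    for i in range(10):
        print(f"0000.bbbb.{i:04x}", port.frame_from(f"0000.bbbb.{i:04x}"))
    print("\n".join(port.running_config()), port.syslog, sep="\n")
```

Running it with maximum 10, one static MAC and sticky enabled, the tenth new device is the one that trips the violation, which is exactly the mix the notes warn about.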



802.1x


The authenticator does not need to understand EAP; it is transparent in the process, so if at a later date we use a different security algorithm (EAP method) we don't have to upgrade the switch.
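Here is an added example (my own Python, not from the original post or any vendor code) of what that transparency means on the wire. The switch parses only the 4-byte EAPOL header from the supplicant and the outer EAP header (code, identifier, length); the EAP method bytes after that are opaque to it, and it copies them unchanged into RADIUS EAP-Message attributes (attribute type 79, which holds at most 253 bytes of value each, so longer EAP packets are split across several attributes). The EAP packets in the test are constructed, including one with a made-up method type the switch has never heard of, which is relayed just the same.

```python
# Added example, not from the original post: the authenticator's EAP
# pass-through. Frames below are constructed for illustration.
import struct

EAPOL_EAP_PACKET = 0          # EAPOL packet type carrying an EAP packet
RADIUS_EAP_MESSAGE = 79       # RADIUS attribute type EAP-Message
MAX_ATTR_VALUE = 253          # attribute length is one octet, including its 2-byte header


def build_eapol(eap):
    """EAPOL header (version 1, type EAP-Packet, body length) + EAP bytes."""
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


def build_eap(code, ident, payload):
    """EAP header (code, identifier, total length) + method payload."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eapol(frame):
    """Return (version, type, body). Only the EAPOL header is interpreted."""
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL frame")
    return version, ptype, body


def eap_header(eap):
    """The only EAP fields an authenticator looks at: code, id, length."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length mismatch")
    return code, ident, length


def to_radius_eap_message(eap):
    """Wrap an EAP packet in EAP-Message attributes, splitting at 253 bytes."""
    attrs = []
    for off in range(0, len(eap), MAX_ATTR_VALUE):
        chunk = eap[off:off + MAX_ATTR_VALUE]
        attrs.append(bytes([RADIUS_EAP_MESSAGE, len(chunk) + 2]) + chunk)
    return attrs


def from_radius_eap_message(attrs):
    """Reassemble the EAP packet from consecutive EAP-Message attributes."""
    out = b""
    for attr in attrs:
        if attr[0] != RADIUS_EAP_MESSAGE or attr[1] != len(attr):
            raise ValueError("bad EAP-Message attribute")
        out += attr[2:]
    return out


def authenticator_relay(frame):
    """What the switch does with a supplicant's EAPOL-EAP frame: sanity-check
    the headers, then forward the EAP bytes untouched towards RADIUS."""
    _, ptype, eap = parse_eapol(frame)
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAP-Packet EAPOL frame")
    eap_header(eap)                       # method type and contents are not inspected
    return to_radius_eap_message(eap)


if __name__ == "__main__":
    identity = build_eap(2, 1, bytes([1]) + b"alice")       # EAP-Response/Identity
    for attr in authenticator_relay(build_eapol(identity)):
        print(attr.hex())
```

The server side does the reverse (reassembles EAP-Message attributes and hands the EAP packet to the method implementation), so a new EAP method only needs the supplicant and the RADIUS server to change.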


handy link:
http://www.cs.umd.edu/~mvanopst/8021x/howto/

To configure this on the switch, we need AAA and to enable 802.1x globally: