
NETWORK BASICS

Network
A system of interconnected computers and computerized peripherals such as printers is called a computer network. This interconnection among computers facilitates information sharing among them. Computers may connect to each other by either wired or wireless media. A computer network thus consists of a collection of computers, printers, and other equipment connected together so that they can communicate with each other.


Network application
A network application is any application running on one host that provides communication to another application running on a different host. The application may use existing application layer protocols such as HTTP (e.g., the browser and web server) or SMTP (e.g., the email client), or it may not use any existing protocol and instead depend on socket programming to communicate with the other application. So a web application is one type of network application.
There are lots of advantages to building up a network, but the th…

Network Device Management and Security


THE FOLLOWING ICND2 EXAM TOPICS ARE COVERED IN THIS CHAPTER:

1.7 Describe common access layer threat mitigation techniques
1.7.a 802.1x
1.7.b DHCP snooping
Infrastructure Services
Configure, verify, and troubleshoot basic HSRP
Priority
Preemption
Version
Infrastructure Maintenance
Configure and verify device-monitoring protocols
SNMPv2
SNMPv3
5.4 Describe device management using AAA with TACACS+ and RADIUS
We’re going to start this chapter by discussing how to mitigate threats at the access layer using various security techniques. Keeping our discussion on security, we’re then going to turn our attention to external authentication with authentication, authorization, and accounting (AAA) of our network devices using RADIUS and TACACS+. Next, we’re going to look at Simple Network Management Protocol (SNMP) and the type of alerts sent to the network management station (NMS).
Last, I’m going to show you how to integrate redundancy and load-balancing features into your network elegantly with the routers that you likely have already. Acquiring some overpriced load-balancing device just isn’t always necessary because knowing how to properly configure and use Hot Standby Router Protocol (HSRP) can often meet your needs instead.

Mitigating Threats at the Access Layer

The Cisco hierarchical model can help you design, implement, and maintain a scalable, reliable, cost-effective hierarchical internetwork. The access layer controls user and workgroup access to internetwork resources and is also sometimes referred to as the desktop layer. The network resources most users need at this layer will be available locally because the distribution layer handles any traffic for remote services. The following are some of the functions to be included at the access layer:

Continued (from the distribution layer) use of access control and policies
Creation of separate collision domains (microsegmentation/switches)
Workgroup connectivity into the distribution layer
Device connectivity
Resiliency and security services
Advanced technology capabilities (voice/video, PoE, port security, etc.)

Interfaces like Gigabit or FastEthernet switching are frequently seen in the access layer. Since the access layer is both the point at which user devices connect to the network and the connection point between the network and client device, protecting it plays an important role in protecting other users, applications, and the network itself from attacks.

Here are some of the ways to protect the access layer.

Mitigating threats at the access layer

Port security
You’re already very familiar with port security (or you should be!), but restricting a port to a specific set of MAC addresses is the most common way to defend the access layer.

DHCP snooping
DHCP snooping is a layer 2 security feature that validates DHCP messages by acting like a firewall between untrusted hosts and trusted DHCP servers. In order to stop rogue DHCP servers in the network, switch interfaces are configured as trusted or untrusted, where trusted interfaces allow all types of DHCP messages and untrusted interfaces allow only requests. Trusted interfaces are interfaces that connect to a DHCP server or are an uplink toward the DHCP server.

DHCP snooping and DAI

With DHCP snooping enabled, a switch also builds a DHCP snooping binding database, where each entry includes the MAC and IP address of the host as well as the DHCP lease time, binding type, VLAN, and interface. Dynamic ARP inspection also uses this DHCP snooping binding database.

Dynamic ARP inspection (DAI)
DAI, used with DHCP snooping, tracks IP-to-MAC bindings from DHCP transactions to protect against ARP poisoning (where an attacker tries to have your traffic sent to him instead of to your valid destination). DHCP snooping is required in order to build the MAC-to-IP bindings for DAI validation.

Identity-based networking
Identity-based networking is a concept that ties together several authentication, access control, and user policy components in order to provide users with the network services you want them to have. In the past, for a user to connect to the Finance services, for example, a user had to be plugged into the Finance LAN or VLAN. However, with user mobility as one of the core requirements of modern networks, this is no longer practical, nor does it provide sufficient security. Identity-based networking allows you to verify users when they connect to a switch port by authenticating them and placing them in the right VLAN based on their identity. Should any users fail to pass the authentication process, their access can be rejected, or they might be simply put in a guest VLAN. Figure 16.3 shows this process.

Identity-based networking

The IEEE 802.1x standard allows you to implement identity-based networking on wired and wireless hosts by using client/server access control. There are three roles:
Client
Also referred to as a supplicant, this software runs on a client that is 802.1x compliant.

Authenticator
Typically a switch, this controls physical access to the network and is a proxy between the client and the authentication server.

Authentication server (RADIUS)
This is a server that authenticates each client before making available any services.


External Authentication Options

Of course we only want authorized IT folks to have administrative access to our network devices such as routers and switches, and in a small to medium-sized network, just using local authentication is sufficient. However, if you have hundreds of devices, managing administrative connectivity would be nearly impossible since you’d have to configure local authentication on each device by hand, and if you changed just one password, it can take hours to update your network. Since maintaining the local database on each network device is usually not feasible at that size of network, you can use an external AAA server that will manage all user and administrative access needs for an entire network. The two most popular options for external AAA are RADIUS and TACACS+, both covered next.

RADIUS 

Remote Authentication Dial-In User Service, or RADIUS, was developed by the Internet Engineering Task Force—the IETF—and is basically a security system that works to guard the network against unauthorized access. RADIUS, which uses only UDP, is an open standard implemented by most major vendors, and it’s one of the most popular types of security servers around because it combines authentication and authorization services into a single process. So after users are authenticated, they are then authorized for network services. RADIUS implements a client/server architecture, where the typical client is a router, switch, or AP and the typical server is a Windows or Unix device that’s running RADIUS software. The authentication process has three distinct stages:

1. The user is prompted for a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The RADIUS server replies with one of the following:

Response         Meaning
Accept           The user has been successfully authenticated.
Reject           The username and password are not valid.
Challenge        The RADIUS server requests additional information.
Change Password  The user should select a new password.

It’s important to remember that RADIUS encrypts only the password in the access-request packet from the client to the server. The remainder of the packet is unencrypted.

Configuring RADIUS

To configure a RADIUS server for console and VTY access, first you need to enable AAA services in order to configure all the AAA commands. Configure the aaa new-model command in the global configuration mode.

Router(config)# aaa new-model

The aaa new-model command immediately applies local authentication to all lines and interfaces (except line con 0). So, to avoid being locked out of the router or switch, you should define a local username and password before starting the AAA configuration. Now, configure a local user:
Router(config)#username Todd password Lammle
Creating this user is super important because you can then use this same locally created user if the external authentication server fails! If you don’t create this and you can’t get to the server, you’re going to end up doing a password recovery.
Next, configure a RADIUS server using any name and the RADIUS key that is configured on the server.
Router(config)#radius server SecureLogin
Router(config-radius-server)#address ipv4 10.10.10.254
Router(config-radius-server)#key MyRadiusPassword
Now, add your newly created RADIUS server to an AAA group of any name.
Router(config)#aaa group server radius MyRadiusGroup
Router(config-sg-radius)#server name SecureLogin
Last, configure this newly created group to be used for AAA login authentication. If the RADIUS server fails, the fallback to local authentication should be set.
Router(config)# aaa authentication login default group MyRadiusGroup local


TACACS+
Terminal Access Controller Access Control System (TACACS+) is also a security server that’s Cisco proprietary and uses TCP. It’s really similar in many ways to RADIUS; however, it does all that RADIUS does and more, including multi-protocol support.
TACACS+ was developed by Cisco Systems, so it’s specifically designed to interact with Cisco’s AAA services. If you’re using TACACS+, you have the entire menu of AAA features available to you—and it handles each security aspect separately, unlike RADIUS:

Authentication includes messaging support in addition to login and password functions.
Authorization enables explicit control over user capabilities.
Accounting supplies detailed information about user activities.

Configuring TACACS+

This is pretty much identical to the RADIUS configuration. To configure a TACACS+ server for console and VTY access, first you need to enable AAA services in order to configure all the AAA commands. Configure the aaa new-model command in the global configuration mode (if it isn’t already enabled).

Router(config)# aaa new-model

Now, configure a local user if you haven’t already.

Router(config)#username Todd password Lammle

Next, configure a TACACS+ server using any name and the key that is configured on the server.

Router(config)#tacacs server SecureLoginTACACS+
Router(config-server-tacacs)#address ipv4 10.10.10.254
Router(config-server-tacacs)#key MyTACACS+Password

Now, add your newly created TACACS+ server to an AAA group of any name. Note that the server and the group are defined with the tacacs and tacacs+ keywords, not radius, or the device would try to speak RADIUS to your TACACS+ server.

Router(config)#aaa group server tacacs+ MyTACACS+Group
Router(config-sg-tacacs+)#server name SecureLoginTACACS+

Last, configure this newly created group to be used for AAA login authentication. If the TACACS+ server fails, the fallback to local authentication should be set.

Router(config)# aaa authentication login default group MyTACACS+Group local

SNMP

Although Simple Network Management Protocol (SNMP) certainly isn’t the oldest protocol ever, it’s still pretty old, considering it was created way back in 1988 (RFC 1065)!

SNMP is an Application layer protocol that provides a message format for agents on a variety of devices to communicate with network management stations (NMSs)—for example, Cisco Prime or HP OpenView. These agents send messages to the NMS station, which then either reads or writes information in the database that’s stored on the NMS and called a management information base (MIB). The NMS periodically queries or polls the SNMP agent on a device to gather and analyze statistics via GET messages. End devices running SNMP agents would send an SNMP trap to the NMS if a problem occurs. This is demonstrated in the following figure.

SNMP GET and TRAP messages
Admins can also use SNMP to provide some configurations to agents as well, called SET messages. In addition to polling to obtain statistics, SNMP can be used for analyzing information and compiling the results in a report or even a graph. Thresholds can be used to trigger a notification process when exceeded. Graphing tools are used to monitor the CPU statistics of Cisco devices like a core router. The CPU should be monitored continuously and the NMS can graph the statistics. Notification will be sent when any threshold you’ve set has been exceeded.

SNMP has three versions, with version 1 being rarely, if ever, implemented today. Here’s a summary of these three versions:

SNMPv1
Supports plaintext authentication with community strings and uses only UDP.

SNMPv2c
Supports plaintext authentication with community strings with no encryption but provides GET BULK, which is a way to gather many types of information at once and minimize the number of GET requests. It offers a more detailed error message reporting method called INFORM, but it’s not more secure than v1. It uses UDP even though it can be configured to use TCP.

SNMPv3
Supports strong authentication with MD5 or SHA, providing confidentiality (encryption) and data integrity of messages via DES or DES-256 encryption between agents and managers. GET BULK is a supported feature of SNMPv3, and this version also uses TCP.
Management Information Base (MIB)

With so many kinds of devices and so much data that can be accessed, there needed to be a standard way to organize this plethora of data, so MIB to the rescue! A management information base (MIB) is a collection of information that’s organized hierarchically and can be accessed by protocols like SNMP. RFCs define some common public variables, but most organizations define their own private branches along with basic SNMP standards. Organizational IDs (OIDs) are laid out as a tree with different levels assigned by different organizations, with top-level MIB OIDs belonging to various standards organizations. Vendors assign private branches in their own products. Let’s take a look at Cisco’s OIDs, which are described in words or numbers to locate a particular variable in the tree, as shown in Figure 16.5.

Cisco’s MIB OIDs

Luckily, you don’t need to memorize the OIDs in Figure 16.5 for the Cisco exams! To obtain information from the MIB on the SNMP agent, you can use several different operations:

GET: This operation is used to get information from the MIB to an SNMP agent.
SET: This operation is used to set information in the MIB from an SNMP manager.
WALK: This operation is used to list information from successive MIB objects within a specified MIB.
TRAP: This operation is used by the SNMP agent to send a triggered piece of information to the SNMP manager.
INFORM: This operation is the same as a trap, but it adds an acknowledgment that a trap does not provide.

Configuring SNMP

Configuring SNMP is a pretty straightforward process for which you only need a few commands. These five steps are all you need to run through to configure a Cisco device for SNMP access:

1. Configure where the traps are to be sent.
2. Enable SNMP read-write access to the router.
3. Configure SNMP contact information.
4. Configure SNMP location.
5. Configure an ACL to restrict SNMP access to the NMS hosts.

The only required configuration is the IP address of the NMS station and the community string (which acts as a password or authentication string) because the other three are optional. Here’s an example of a typical SNMP router configuration:

Router(config)#snmp-server host 1.2.3.4
Router(config)#snmp-server community ?
  WORD  SNMP community string
Router(config)#snmp-server community Todd ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  WORD         Access-list name
  ipv6         Specify IPv6 Named Access-List
  ro           Read-only access with this community string
  rw           Read-write access with this community string
  view         Restrict this community to a named MIB view
  <cr>
Router(config)#snmp-server community Todd rw
Router(config)#snmp-server location Boulder
Router(config)#snmp-server contact Todd Lammle
Router(config)#ip access-list standard Protect_NMS_Station
Router(config-std-nacl)#permit host 192.168.10.254

Entering the snmp-server command enables SNMPv1 on the Cisco device.

You can enter the ACL directly in the SNMP configuration to provide security, using either a number or a name. Here is an example:

Router(config)#snmp-server community Todd Protect_NMS_Station rw

Notice that even though there’s a boatload of configuration options under SNMP, you only really need to work with a few of them to configure a basic SNMP trap setup on a router. First, I set the IP address of the NMS station where the router will send the traps; then I chose the community name of Todd with RW access (read-write), which means the NMS will be able to retrieve and modify MIB objects from the router. Location and contact information comes in really handy for troubleshooting the configuration. Make sure you understand that the ACL protects the NMS from access, not the devices with the agents!

Let’s define the SNMP read and write options.

Read-only
Gives authorized management stations read access to all objects in the MIB except the community strings and doesn’t allow write access.

Read-write
Gives authorized management stations read and write access to all objects in the MIB but doesn’t allow access to the community strings.

Next we’ll explore a Cisco proprietary method of configuring redundant default gateways for hosts.
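The AAA fallback advice in the RADIUS and TACACS+ sections and the community/ACL choices just shown are the settings that drift across a fleet of devices, so here is an added example (not from the book) of a small Python audit over a saved running-config: it flags aaa new-model with no local username, login method lists without the local fallback, read-write communities, and communities with no ACL or an undefined one. Both config excerpts are constructed for the example from the commands in this chapter.

```python
import re

# Constructed running-config excerpts modelled on the AAA and SNMP commands
# shown in this chapter; they were not captured from a real device.
WEAK_CONFIG = """
aaa new-model
radius server SecureLogin
 address ipv4 10.10.10.254
 key MyRadiusPassword
aaa group server radius MyRadiusGroup
 server name SecureLogin
aaa authentication login default group MyRadiusGroup
snmp-server host 1.2.3.4
snmp-server community Todd rw
snmp-server community Monitor NoSuchAcl ro
"""

HARDENED_CONFIG = """
aaa new-model
username Todd password Lammle
radius server SecureLogin
 address ipv4 10.10.10.254
 key MyRadiusPassword
aaa group server radius MyRadiusGroup
 server name SecureLogin
aaa authentication login default group MyRadiusGroup local
snmp-server host 1.2.3.4
snmp-server community Monitor Protect_NMS_Station ro
ip access-list standard Protect_NMS_Station
 permit host 192.168.10.254
"""


def config_lines(text):
    """Return the non-empty config lines with indentation stripped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def audit_aaa(lines):
    """Flag AAA settings that can lock administrators out of the device."""
    findings = []
    if "aaa new-model" in lines and not any(l.startswith("username ") for l in lines):
        findings.append("aaa new-model without a local username: lockout risk "
                        "if the AAA server is unreachable")
    for line in lines:
        if line.startswith("aaa authentication login "):
            methods = line.split()[4:]  # after 'aaa authentication login <list>'
            if "local" not in methods:
                findings.append(f"no local fallback method: '{line}'")
    return findings


def defined_acls(lines):
    """Collect the names and numbers of ACLs defined in the config."""
    acls = set()
    for line in lines:
        named = re.match(r"ip access-list (?:standard|extended) (\S+)$", line)
        numbered = re.match(r"access-list (\d+) ", line)
        if named:
            acls.add(named.group(1))
        elif numbered:
            acls.add(numbered.group(1))
    return acls


def audit_snmp(lines):
    """Flag communities that are read-write or not restricted by a defined ACL."""
    findings = []
    acls = defined_acls(lines)
    for line in lines:
        if not line.startswith("snmp-server community "):
            continue
        tokens = line.split()[2:]
        community, options = tokens[0], tokens[1:]
        access, acl = "ro", None  # IOS defaults a community to read-only
        i = 0
        while i < len(options):
            if options[i] in ("view", "ipv6"):
                i += 1  # keyword takes an argument this audit does not evaluate
            elif options[i] in ("ro", "rw"):
                access = options[i]
            else:
                acl = options[i]  # trailing IPv4 ACL number or name
            i += 1
        if access == "rw":
            findings.append(f"community '{community}' grants read-write access")
        if acl is None:
            findings.append(f"community '{community}' is not restricted by an ACL")
        elif acl not in acls:
            findings.append(f"community '{community}' references undefined ACL '{acl}'")
    return findings


def audit(text):
    """Run both audits over a running-config and return all findings."""
    lines = config_lines(text)
    return audit_aaa(lines) + audit_snmp(lines)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```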

Client Redundancy Issues 

If you’re wondering how you can possibly configure a client to send data off its local link when its default gateway router has gone down, you’ve targeted a key issue because the answer is that, usually, you can’t! Most host operating systems just don’t allow you to change data routing. Sure, if a host’s default gateway router goes down, the rest of the network will still converge, but it won’t share that information with the hosts. Take a look at Figure 16.6 to see what I am talking about. There are actually two routers available to forward data for the local subnet, but the hosts know about only one of them. They learn about this router when you provide them with the default gateway either statically or through DHCP.
 Default gateway

This begs the question: Is there another way to use the second active router? The answer is a bit complicated, but bear with me. There is a feature that’s enabled by default on Cisco routers called Proxy Address Resolution Protocol (Proxy ARP). Proxy ARP enables hosts, which have no knowledge of routing options, to obtain the MAC address of a gateway router that can forward packets for them.
You can see how this happens in Figure 16.7. If a Proxy ARP–enabled router receives an ARP request for an IP address that it knows isn’t on the same subnet as the requesting host, it will respond with an ARP reply packet to the host. The router will give its own local MAC address—the MAC address of its interface on the host’s subnet—as the destination MAC address for the IP address that the host is seeking to be resolved. After receiving the destination MAC address, the host will then send all the packets to the router, not knowing that what it sees as the destination host is really a router. The router will then forward the packets toward the intended host.

Proxy ARP

So with Proxy ARP, the host device sends traffic as if the destination device were located on its own network segment. If the router that responded to the ARP request fails, the source host continues to send packets for that destination to the same MAC address. But because they’re being sent to a failed router, the packets will be sent to the other router on the network that is also responding to ARP requests for remote hosts. After the time-out period on the host, the proxy ARP MAC address ages out of the ARP cache. The host can then make a new ARP request for the destination and get the address of another proxy ARP router. Still, keep in mind that the host cannot send packets off of its subnet during the fail-over time. This isn’t exactly a perfect situation, so there has to be a better way, right? Well, there is, and that’s precisely where redundancy protocols come to the rescue!

Introducing First Hop Redundancy Protocols (FHRPs)

First hop redundancy protocols (FHRPs) work by giving you a way to configure more than one physical router to appear as if they were only a single logical one. This makes client configuration and communication easier because you can simply configure a single default gateway and the host machine can use its standard protocols to communicate. First hop is a reference to the default router being the first router, or first router hop, through which a packet must pass. So how does a redundancy protocol accomplish this? The protocols I’m going to describe to you do this basically by presenting a virtual router to all of the clients. The virtual router has its own IP and MAC addresses. The virtual IP address is the address that’s configured on each of the host machines as the default gateway. The virtual MAC address is the address that will be returned when an ARP request is sent by a host. The hosts don’t know or care which physical router is actually forwarding the traffic.

FHRPs use a virtual router with a virtual IP address and virtual MAC address

It’s the responsibility of the redundancy protocol to decide which physical router will actively forward traffic and which one will be placed on standby in case the active router fails. Even if the active router fails, the transition to the standby router will be transparent to the hosts because the virtual router, which is identified by the virtual IP and MAC addresses, is now used by the standby router. The hosts never change default gateway information, so traffic keeps flowing.
There are three important redundancy protocols, but only HSRP is covered on the CCNA objectives now:

Hot Standby Router Protocol (HSRP)
HSRP is by far Cisco’s favorite protocol ever! Don’t buy just one router; buy up to eight routers to provide the same service, and keep seven as backup in case of failure! HSRP is a Cisco proprietary protocol that provides a redundant gateway for hosts on a local subnet, but this isn’t a load-balanced solution. HSRP allows you to configure two or more routers into a standby group that shares an IP address and MAC address and provides a default gateway. When the IP and MAC addresses are independent from the routers’ physical addresses (on a virtual interface, not tied to a specific interface), HSRP can swap control of an address if the current forwarding and active router fails. But there is actually a way you can sort of achieve load balancing with HSRP—by using multiple VLANs and designating a specific router active for one VLAN, then an alternate router as active for the other VLAN via trunking. This still isn’t a true load-balancing solution and it’s not nearly as solid as what you can achieve with GLBP!

Virtual Router Redundancy Protocol (VRRP)
Also provides a redundant—but again, not load-balanced—gateway for hosts on a local subnet. It’s an open standard protocol that functions almost identically to HSRP.

Gateway Load Balancing Protocol (GLBP)
For the life of me I can’t figure out how GLBP isn’t a CCNA objective anymore! GLBP doesn’t just stop at providing us with a redundant gateway; it’s a true load-balancing solution for routers. GLBP allows a maximum of four routers in each forwarding group. By default, the active router directs the traffic from hosts to each successive router in the group using a round-robin algorithm. The hosts are directed to send their traffic toward a specific router by being given the MAC address of the next router in line to be used.

Hot Standby Router Protocol (HSRP)

Again, HSRP is a Cisco proprietary protocol that can be run on most, but not all, of Cisco’s router and multilayer switch models. It defines a standby group, and each standby group that you define includes the following routers:
Active router
Standby router
Virtual router
Any other routers that may be attached to the subnet

The problem with HSRP is that with it, only one router is active and two or more routers just sit there in standby mode and won’t be used unless a failure occurs—not very cost effective or efficient! Figure 16.9 shows how only one router is used at a time in an HSRP group.

The standby group will always have at least two routers participating in it. The primary players in the group are the one active router and one standby router that communicate to each other using multicast Hello messages. The Hello messages provide all of the required communication for the routers. The Hellos contain the information required to accomplish the election that determines the active and standby router positions. They also hold the key to the fail-over process. If the standby router stops receiving Hello packets from the active router, it then takes over the active router role.

HSRP active and standby routers

Example of HSRP active and standby routers swapping interfaces

As soon as the active router stops responding to Hellos, the standby router automatically becomes the active router and starts responding to host requests.

Virtual MAC Address

A virtual router in an HSRP group has a virtual IP address and a virtual MAC address. So where does that virtual MAC come from? The virtual IP address isn’t that hard to figure out; it just has to be a unique IP address on the same subnet as the hosts defined in the configuration. But MAC addresses are a little different, right? Or are they? The answer is yes—sort of. With HSRP, you create a totally new, made-up MAC address in addition to the IP address.

The HSRP MAC address has only one variable piece in it. The first 24 bits still identify the vendor who manufactured the device (the organizationally unique identifier, or OUI). The next 16 bits in the address tell us that the MAC address is a well-known HSRP MAC address. Finally, the last 8 bits of the address are the hexadecimal representation of the HSRP group number. Let me clarify all this with an example of what an HSRP MAC address would look like:

0000.0c07.ac0a

The first 24 bits (0000.0c) are the vendor ID of the address; in the case of HSRP being a Cisco protocol, the ID is assigned to Cisco. The next 16 bits (07.ac) are the well-known HSRP ID. This part of the address was assigned by Cisco in the protocol, so it’s always easy to recognize that this address is for use with HSRP. The last 8 bits (0a) are the only variable bits and represent the HSRP group number that you assign. In this case, the group number is 10 and converted to hexadecimal when placed in the MAC address, where it becomes the 0a that you see. You can see this displayed with every MAC address added to the ARP cache of every router in the HSRP group. There will be the translation from the IP address to the MAC address, as well as the interface on which it’s located.
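To make the address layout concrete, here is an added example (not from the book) that builds an HSRP version 1 virtual MAC from a group number, recovers the group from a MAC in any common notation, and picks the HSRP virtual gateways out of a show ip arp listing, which is where the chapter says you will see these addresses. The ARP output, IP addresses and the second group number are constructed for the example; 0000.0c07.ac0a is the chapter’s group-10 address.

```python
import re

# Constructed 'show ip arp' output (not captured from a real device). The
# 0000.0c07.ac0a entry is the chapter's HSRP group-10 example; the rest is made up.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0000.0c07.ac0a  ARPA   GigabitEthernet0/0
Internet  10.1.1.2                -   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  10.1.1.3                7   0011.2233.6677  ARPA   GigabitEthernet0/0
Internet  10.1.1.254              0   0000.0c07.ac01  ARPA   GigabitEthernet0/0
"""

# Cisco OUI 00-00-0C followed by the well-known HSRPv1 identifier 07-AC; only
# the final byte (the group number) varies.
HSRP_V1_PREFIX = "00000c07ac"


def normalize_mac(mac):
    """Return the 12 hex digits of a MAC written in dotted, colon or dash form."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def hsrp_v1_mac(group):
    """Build the HSRPv1 virtual MAC for a group (0-255) in Cisco dotted notation."""
    if not 0 <= group <= 255:
        raise ValueError("an HSRPv1 group number must fit in one byte (0-255)")
    digits = HSRP_V1_PREFIX + f"{group:02x}"
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def hsrp_v1_group(mac):
    """Return the group number encoded in an HSRPv1 virtual MAC, or None if it is not one."""
    digits = normalize_mac(mac)
    if not digits.startswith(HSRP_V1_PREFIX):
        return None
    return int(digits[10:12], 16)


def hsrp_entries(show_ip_arp):
    """List the HSRP virtual addresses found in 'show ip arp' output."""
    results = []
    for line in show_ip_arp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) != 6:
            continue  # not a Protocol/Address/Age/Hardware Addr/Type/Interface row
        _proto, ip, _age, mac, _type, iface = fields
        group = hsrp_v1_group(mac)
        if group is not None:
            results.append({"ip": ip, "mac": mac, "group": group, "interface": iface})
    return results


if __name__ == "__main__":
    print(hsrp_v1_mac(10))
    for entry in hsrp_entries(SAMPLE_ARP):
        print(entry)
```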

HSRP Timers 

Before we get deeper into the roles that each of the routers can have in an HSRP group, I want to define the HSRP timers that HSRP needs to function, because they ensure communication between the routers, and if something goes wrong, they allow the standby router to take over. The HSRP timers include hello, hold, active, and standby.

Hello timer
The hello timer is the defined interval during which each of the routers send out Hello messages. Their default interval is 3 seconds and they identify the state that each router is in. This is important because the particular state determines the specific role of each router and, as a result, the actions each will take within the group. Figure 16.11 shows the Hello messages being sent and the router using the hello timer to keep the network flowing in case of a failure. This timer can be changed, and people used to avoid doing so because it was thought that lowering the hello value would place an unnecessary load on the routers. That isn’t true with most of the routers today; in fact, you can configure the timers in milliseconds, meaning the failover time can be in milliseconds! Still, keep in mind that increasing the value will make the standby router wait longer before taking over for the active router when it fails or can’t communicate.

HSRP Hellos 

Hold timer
The hold timer specifies the interval the standby router uses to determine whether the active router is offline or out of communication. By default, the hold timer is 10 seconds, roughly three times the default for the hello timer. If one timer is changed for some reason, I recommend using this multiplier to adjust the other timers too. By setting the hold timer at three times the hello timer, you ensure that the standby router doesn’t take over the active role every time there’s a short break in communication.

Active timer
The active timer monitors the state of the active router. The timer resets each time a router in the standby group receives a Hello packet from the active router. This timer expires based on the hold time value that’s set in the corresponding field of the HSRP Hello message.

Standby timer
The standby timer is used to monitor the state of the standby router. The timer resets anytime a router in the standby group receives a Hello packet from the standby router and expires based on the hold time value that’s set in the respective Hello packet.

Large Enterprise Network Outages with FHRPs

Years ago when HSRP was all the rage, and before VRRP and GLBP, enterprises used hundreds of HSRP groups. With the hello timer set to 3 seconds and a hold time of 10 seconds, these timers worked just fine and we had great redundancy with our core routers. However, as we’ve seen in the last few years and certainly will see in the future, 10 seconds is now a lifetime! Some of my customers have been complaining about the failover time and loss of connectivity to their virtual server farm. So lately I’ve been changing the timers to well below the defaults. Cisco had changed the timers so you could use sub-second times for failover. Because these are multicast packets, the overhead that is seen on a current high-speed network is almost nothing. The hello timer is typically set to 200 msec and the hold time is 700 msec. The command is as follows:

Router(config-if)#standby 1 timers msec 200 msec 700

This almost ensures that not even a single packet is lost when there is an outage.

Group Roles

Each of the routers in the standby group has a specific function and role to fulfill. The three main roles are as virtual router, active router, and standby router. Additional routers can also be included in the group.
Virtual router
As its name implies, the virtual router is not a physical entity. It really just defines the role that’s held by one of the physical routers. The physical router that communicates as the virtual router is the current active router. The virtual router is nothing more than a separate IP address and MAC address to which packets are sent.

Active router
The active router is the physical router that receives data sent to the virtual router address and routes it onward to its various destinations. As I mentioned, this router accepts all the data sent to the MAC address of the virtual router in addition to the data that’s been sent to its own physical MAC address. The active router processes the data that’s being forwarded and will also answer any ARP requests destined for the virtual router’s IP address.

Standby router
The standby router is the backup to the active router. Its job is to monitor the status of the HSRP group and quickly take over packet-forwarding responsibilities if the active router fails or loses communication. Both the active and standby routers transmit Hello messages to inform all other routers in the group of their role and status.

Other routers
An HSRP group can include additional routers, which are members of the group but don’t take the primary roles of either active or standby states. These routers monitor the Hello messages sent by the active and standby routers to ensure that an active and standby router exists for the HSRP group that they belong to. They will forward data that’s specifically addressed to their own IP addresses, but they will never forward data addressed to the virtual router unless elected to the active or standby state. These routers send “speak” messages based on the hello timer interval that informs other routers of their position in an election.
Interface Tracking

By now, you probably understand why having a virtual router on a LAN is a great idea. You also know why it’s a very good thing that the active router can change dynamically, giving us much needed redundancy on our inside network. But what about the links to the upstream network or the Internet connection off of those HSRP-enabled routers? And how will the inside hosts know if an outside interface goes down or if they are sending packets to an active router that can’t route to a remote network? These are key questions, and HSRP does provide a solution for them: it’s called interface tracking. The figure that follows shows how HSRP-enabled routers can keep track of the interface status of the outside interfaces and how they can switch the inside active router as needed to keep the inside hosts from losing connectivity upstream.
 Interface tracking setup

If the outside link of the active router goes down, the standby router will take over and become the active router. There is a default priority of 100 on routers configured with an HSRP interface, and if you raise this priority (we’ll do this in a minute), it means your router has a higher priority to become the active router. The reason I am bringing this up now is because when a tracked interface goes down, it decrements the priority of this router.

Configuring and Verifying HSRP

Configuring and verifying the different FHRPs can be pretty simple, especially regarding the Cisco objectives, but as with most technologies, you can quickly get into advanced configurations and territory with the different FHRPs if you’re not careful, so I’ll show you exactly what you need to know. The Cisco objectives don’t cover much about the configuration of FHRPs, but verification and troubleshooting is important, so I’ll use a simple configuration on two routers here. Figure 16.13 shows the network I’ll use to demonstrate HSRP

 HSRP configuration and verification

This is a simple configuration for which you really need only one command: standby group ip virtual_ip. After using this single mandatory command, I’ll name the group and set the interface on router HSRP1 so it wins the election and becomes the active router by default.
HSRP1#config t
HSRP1(config)#int fa0/0
HSRP1(config-if)#standby ?
  <0-255>         group number
  authentication  Authentication
  delay           HSRP initialisation delay
  ip              Enable HSRP and set the virtual IP address
  mac-address     Virtual MAC address
  name            Redundancy name string
  preempt         Overthrow lower priority Active routers
  priority        Priority level
  redirect        Configure sending of ICMP Redirect messages with an HSRP
                  virtual IP address as the gateway IP address
  timers          Hello and hold timers
  track           Priority tracking
  use-bia         HSRP uses interface's burned in address
  version         HSRP version

HSRP1(config-if)#standby 1 ip 10.1.1.10
HSRP1(config-if)#standby 1 name HSRP_Test
HSRP1(config-if)#standby 1 priority ?
  <0-255>  Priority value

HSRP1(config-if)#standby 1 priority 110
000047: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
000048: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

There are quite a few commands available to use in an advanced setting with the standby command, but we’ll stick with the simple commands that follow the Cisco objectives. First, I numbered the group (1), which must be the same on all routers sharing HSRP duties; then I added the virtual IP address shared by all routers in the HSRP group. Optionally, I named the group and then set the priority of HSRP1 to 110, and I left HSRP2 to a default of 100. The router with the highest priority will win the election to become the active router. Let’s configure the HSRP2 router now:
HSRP2#config t
HSRP2(config)#int fa0/0
HSRP2(config-if)#standby 1 ip 10.1.1.10
HSRP2(config-if)#standby 1 name HSRP_Test
*Jun 23 21:40:10.699: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby

I really only needed the first command—naming it was for administrative purposes only. Notice that the link came up and HSRP2 became the standby router because it had the lower priority of 100 (the default).
Make a note that this priority comes into play only if both routers were to come up at the same time. This means that HSRP2 would be the active router, regardless of the priority, if it comes up first, unless the higher-priority router has been configured to preempt (the standby 1 preempt option shown in the help output above).
Let’s take a look at the configurations with the show standby and show standby brief commands:


HSRP1(config-if)#do show standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:03:40
  Virtual IP address is 10.1.1.10
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.076 secs
  Preemption disabled
  Active router is local
  Standby router is 10.1.1.2, priority 100 (expires in 7.448 sec)
  Priority 110 (configured 110)
  IP redundancy name is "HSRP_Test" (cfgd)

HSRP1(config-if)#do show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State    Active     Standby    Virtual IP
Fa0/0       1    110    Active   local      10.1.1.2   10.1.1.10

Notice the group number in each output—it’s a key troubleshooting spot! Each router must be configured in the same group or they won’t work.
Also, you can see the virtual MAC and configured virtual IP address, as well as the hello time of 3 seconds. The standby and virtual IP addresses are also displayed.
HSRP2’s output tells us that it’s in standby mode:
HSRP2(config-if)#do show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State    Active     Standby    Virtual IP
Fa0/0       1    100    Standby  10.1.1.1   local      10.1.1.10
HSRP2(config-if)#

Notice so far that you have seen HSRP states of active and standby, but watch what happens when I disable Fa0/0:
HSRP1#config t
HSRP1(config)#interface Fa0/0
HSRP1(config-if)#shutdown
*Nov 20 10:06:52.369: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 1 state Active -> Init

The HSRP went into Init state, meaning it’s trying to initialize with a peer. The possible interface states for HSRP are shown in Table 16.1.
HSRP states

State           Definition
Initial (INIT)  This is the state at the start. This state indicates that HSRP does not run. This state is entered through a configuration change or when an interface first becomes available.
Learn           The router has not determined the virtual IP address and has not yet seen an authenticated Hello message from the active router. In this state, the router still waits to hear from the active router.
Listen          The router knows the virtual IP address, but the router is neither the active router nor the standby router. It listens for Hello messages from those routers.
Speak           The router sends periodic Hello messages and actively participates in the election of the active and/or standby router. A router cannot enter speak state unless the router has the virtual IP address.
Standby         The router is a candidate to become the next active router and sends periodic Hello messages. With the exclusion of transient conditions, there is, at most, one router in the group in standby state.
Active          The router currently forwards packets that are sent to the group virtual MAC address. The router sends periodic Hello messages. With the exclusion of transient conditions, there must be, at most, one router in active state in the group.
There is one other command that I want to cover. If you’re studying and want to understand HSRP, you should learn to use this debug command and have your active and standby routers move. You’ll really get to see what is going on.
HSRP2#debug standby
*Sep 15 00:07:32.344: HSRP: Fa0/0 Interface UP
*Sep 15 00:07:32.344: HSRP: Fa0/0 Initialize swsb, Intf state Up
*Sep 15 00:07:32.344: HSRP: Fa0/0 Starting minimum intf delay (1 secs)
*Sep 15 00:07:32.344: HSRP: Fa0/0 Grp 1 Set virtual MAC 0000.0c07.ac01 type: v1 default
*Sep 15 00:07:32.344: HSRP: Fa0/0 MAC hash entry 0000.0c07.ac01, Added Fa0/0 Grp 1 to list
*Sep 15 00:07:32.348: HSRP: Fa0/0 Added 10.1.1.10 to hash table
*Sep 15 00:07:32.348: HSRP: Fa0/0 Grp 1 Has mac changed? cur 0000.0c07.ac01 new 0000.0c07.ac01
*Sep 15 00:07:32.348: HSRP: Fa0/0 Grp 1 Disabled -> Init
*Sep 15 00:07:32.348: HSRP: Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Disabled -> Init
*Sep 15 00:07:32.348: HSRP: Fa0/0 IP Redundancy "hsrp-Fa0/0-1" added
*Sep 15 00:07:32.348: HSRP: Fa0/0 IP Redundancy "hsrp-Fa0/0-1" update, Disabled -> Init
*Sep 15 00:07:33.352: HSRP: Fa0/0 Intf min delay expired
*Sep 15 00:07:39.936: HSRP: Fa0/0 Grp 1 MAC addr update Delete from SMF 0000.0c07.ac01
*Sep 15 00:07:39.936: HSRP: Fa0/0 Grp 1 MAC addr update Delete from SMF 0000.0c07.ac01
*Sep 15 00:07:39.940: HSRP: Fa0/0 ARP reload

HSRP Load Balancing

As you know, HSRP doesn’t really perform true load balancing, but it can be configured to use more than one router at a time for use with different VLANs. This is different from the true load balancing that’s possible with GLBP, which I’ll demonstrate in a minute, but HSRP still performs a load-balancing act of sorts. Figure 16.14 shows how load balancing would look with HSRP.
How can you get two HSRP routers active at the same time? Well, for the same subnet with this simple configuration, you can’t, but if you trunk the links to each router, they’ll run and be configured with a “router on a stick” (ROAS) configuration. This means that each router can be the default gateway for different VLANs, but you still can have only one active router per VLAN. Typically, in a more advanced setting you won’t use HSRP for load balancing; you’ll use GLBP, but you can do load-sharing with HSRP, and that is the topic of an objective, so we’ll remember that, right? It comes in handy because it prevents situations where a single point of failure causes traffic interruptions. This HSRP feature improves network resilience by allowing for load-balancing and redundancy capabilities between subnets and VLANs.


 HSRP load balancing per VLAN

HSRP Troubleshooting

Besides HSRP verification, the troubleshooting of HSRP is the Cisco objective hotspot, so let’s go through this.
Most of your HSRP misconfiguration issues can be solved by checking the output of the show standby command. In the output, you can see the active IP and the MAC address, the timers, the active router, and more, as shown earlier in the verification section.
There are several possible misconfigurations of HSRP, but these are what you need to pay attention to for your CCNA:
Different HSRP virtual IP addresses configured on the peers Console messages will notify you about this, of course, but if you configure it this way and the active router fails, the standby router takes over with a virtual IP address, which is different than the one used previously, and different than the one configured as the default-gateway address for end devices, so your hosts stop working, which defeats the purpose of a FHRP.

Different HSRP groups configured on the peers This misconfiguration leads to both peers becoming active, and you’ll start receiving duplicate IP address warnings. It seems like this would be easy to troubleshoot, but the next issue has the same warnings.

Different HSRP versions configured on the peers or ports blocked HSRP comes in two versions, 1 and 2. If there is a version mismatch, both routers will become active and you’ll again have duplicate IP address warnings.

In version 1, HSRP messages are sent to the multicast IP address 224.0.0.2 and UDP port 1985. HSRP version 2 uses the multicast IP address 224.0.0.102 and UDP port 1985. These IP addresses and ports need to be permitted in the inbound access lists. If the packets are blocked, the peers will not see each other and there will be no HSRP redundancy.

Summary
I started this chapter by discussing how to mitigate security threats at the access layer and then also discussed external authentication for our network devices for ease of management.
SNMP is an Application layer protocol that provides a message format for agents on a variety of devices to communicate to network management stations (NMSs). I discussed the basic information you need to use syslog and SNMP, that is, configuration and verification.
Last, I showed you how to integrate redundancy and load-balancing features into your network elegantly with the routers that you likely have already. HSRP is Cisco proprietary; acquiring some overpriced load-balancing device just isn’t always necessary because knowing how to properly configure and use Hot Standby Router Protocol (HSRP) can often meet your needs instead.

Exam Essentials

Understand how to mitigate threats at the access layer. You can mitigate threats at the access layer by using port security, DHCP snooping, dynamic ARP inspection, and identity-based networking.

Understand TACACS+ and RADIUS. TACACS+ is Cisco proprietary, uses TCP, and can separate services. RADIUS is an open standard, uses UDP, and cannot separate services.
Remember the differences between SNMPv2 and SNMPv3. SNMPv2 uses UDP but can use TCP; however, v2 still sends data to the NMS station in clear text, exactly like SNMPv1, plus SNMPv2 implemented GETBULK and INFORM messages. SNMPv3 uses TCP and authenticates users, plus it can use ACLs in the SNMP strings to protect the NMS station from unauthorized use.
Understand FHRPs, especially HSRP. The FHRPs are HSRP, VRRP, and GLBP, with HSRP and GLBP being Cisco proprietary.
Remember the HSRP virtual address. The HSRP MAC address has only one variable piece in it. The first 24 bits still identify the vendor who manufactured the device (the organizationally unique identifier, or OUI). The next 16 bits in the address tell us that the MAC address is a well-known HSRP MAC address. Finally, the last 8 bits of the address are the hexadecimal representation of the HSRP group number.
Let me clarify all this with an example of what an HSRP MAC address would look like:
0000.0c07.ac0a
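To tie the configuration, state table, troubleshooting list and virtual-MAC passages above together, here is an added Python example (not code from the chapter or from Cisco). It decodes an HSRP version 1 hello using the 20-byte layout from RFC 2281, predicts the election from the advertised priorities, checks two peers for the group and virtual IP mismatches described under HSRP Troubleshooting, and derives the well-known virtual MAC from the group number. The sample hellos, the sender addresses and all helper names are constructed for this example.

```python
"""HSRPv1 hello decoder with election and peer-consistency checks (added example).
Hello layout per RFC 2281: version, opcode, state, hellotime, holdtime, priority,
group, reserved (1 byte each), 8-byte authentication data, 4-byte virtual IP."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

HSRP_UDP_PORT = 1985
HSRP_MULTICAST = {"224.0.0.2": 1, "224.0.0.102": 2}  # destination address per version
# State and opcode codes carried in the hello, named as in the chapter's state table
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}

@dataclass
class Hello:
    sender: str      # source IP of the datagram, i.e. the router's own interface address
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str
    virtual_ip: str

def hsrp_version_for(dst_ip: str, dst_port: int):
    """Return 1 or 2 if a datagram is addressed like an HSRP hello, else None."""
    return HSRP_MULTICAST.get(dst_ip) if dst_port == HSRP_UDP_PORT else None

def parse_hello(sender: str, data: bytes) -> Hello:
    """Decode one HSRPv1 hello; raises ValueError on a malformed packet."""
    if len(data) != 20:
        raise ValueError(f"HSRPv1 hello must be 20 bytes, got {len(data)}")
    ver, op, st, hello_t, hold_t, prio, grp, _rsvd, auth, vip = struct.unpack("!8B8s4s", data)
    if ver != 0:  # RFC 2281 fixes the version field at 0
        raise ValueError(f"unexpected HSRP version field {ver}")
    return Hello(sender, OPCODES.get(op, f"op{op}"), STATES.get(st, f"state{st}"),
                 hello_t, hold_t, prio, grp,
                 auth.rstrip(b"\x00").decode("ascii", "replace"), str(IPv4Address(vip)))

def virtual_mac(group: int) -> str:
    """Well-known HSRPv1 virtual MAC: OUI 0000.0c, HSRP tag 07.ac, group as the last byte."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group number must be 0-255")
    return f"0000.0c07.ac{group:02x}"

def predict_roles(hellos):
    """Highest priority wins the election; a tie goes to the highest interface IP."""
    ranked = sorted(hellos, key=lambda h: (h.priority, IPv4Address(h.sender)), reverse=True)
    return {"active": ranked[0].sender, "standby": ranked[1].sender if len(ranked) > 1 else None}

def check_peers(hellos):
    """Flag the peer misconfigurations the troubleshooting section describes."""
    issues = []
    groups = sorted({h.group for h in hellos})
    if len(groups) > 1:
        issues.append(f"group mismatch {groups}: both peers go active, expect duplicate-IP warnings")
    vips = sorted({h.virtual_ip for h in hellos})
    if len(vips) > 1:
        issues.append(f"virtual IP mismatch {vips}: a failover changes the hosts' gateway")
    actives = [h.sender for h in hellos if h.state == "Active"]
    if len(actives) > 1:
        issues.append(f"more than one Active router: {actives}")
    if len({h.auth for h in hellos}) > 1:
        issues.append("authentication string mismatch: peers will ignore each other's hellos")
    return issues

# Constructed captures matching the lab: HSRP1 (10.1.1.1) priority 110 Active and
# HSRP2 (10.1.1.2) priority 100 Standby, group 1, virtual IP 10.1.1.10, auth "cisco".
HSRP1_HELLO = b"\x00\x00\x10\x03\x0a\x6e\x01\x00cisco\x00\x00\x00\x0a\x01\x01\x0a"
HSRP2_HELLO = b"\x00\x00\x08\x03\x0a\x64\x01\x00cisco\x00\x00\x00\x0a\x01\x01\x0a"
# Constructed misconfiguration: HSRP2 in group 2 with virtual IP 10.1.1.20, also Active.
HSRP2_BAD = b"\x00\x00\x10\x03\x0a\x64\x02\x00cisco\x00\x00\x00\x0a\x01\x01\x14"

def demo():
    good = [parse_hello("10.1.1.1", HSRP1_HELLO), parse_hello("10.1.1.2", HSRP2_HELLO)]
    bad = [parse_hello("10.1.1.1", HSRP1_HELLO), parse_hello("10.1.1.2", HSRP2_BAD)]
    return predict_roles(good), check_peers(good), check_peers(bad), virtual_mac(good[0].group)
```

Calling demo() returns the predicted roles for the lab pair, an empty issue list for it, the three issues found on the mismatched pair, and 0000.0c07.ac01 for group 1.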

Written Lab 16

You can find the answers to this lab in Appendix A, “Answers to Written Labs.”
1. Which operation used by SNMP is the same as a trap but adds an acknowledgment that a trap does not provide?
2. Which operation is used by SNMP to get information from the MIB to an SNMP agent?
3. Which operation is used by the SNMP agent to send a triggered piece of information to the SNMP manager?
4. Which operation is used to get information to the MIB from an SNMP manager?
5. This operation is used to list information from successive MIB objects within a specified MIB.
6. You have different HSRP virtual IP addresses configured on peers. What is the result?
7. You configure HSRP on peers with different group numbers. What is the result?
8. You configure your HSRP peers with different versions (v1 and v2). What is the result?
9. What is the multicast address and port number used for both HSRP versions 1 and 2?
10. The two most popular options for external AAA are what, and which one of them is Cisco proprietary?

Review Questions 

You can find the answers to these questions in Appendix B, “Answers to Review Questions.”

1. How can you efficiently restrict the read-only function of a requesting SNMP management station based on the IP address?
A. Place an ACL on the logical control plane.
B. Place an ACL on the line when configuring the RO community string.
C. Place an ACL on the VTY line.
D. Place an ACL on all router interfaces.
2. What is the default priority setting on an HSRP router?
A. 25
B. 50
C. 100
D. 125
3. Which of the following commands will enable AAA on a router?
A. aaa enable
B. enable aaa
C. new-model aaa
D. aaa new-model
4. Which of the following will mitigate access layer threats? (Choose two.)
A. Port security
B. Access lists
C. Dynamic ARP inspection
D. AAA
5. Which of the following is not true about DHCP snooping?
A. DHCP snooping validates DHCP messages received from untrusted sources and filters out invalid messages.
B. DHCP snooping builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
C. DHCP snooping rate-limits DHCP traffic from trusted and untrusted sources.
D. DHCP snooping is a layer 2 security feature that acts like a firewall between hosts.
6. Which of the following are true about TACACS+? (Choose two.)
A. TACACS+ is a Cisco proprietary security mechanism.
B. TACACS+ uses UDP.
C. TACACS+ combines authentication and authorization services as a single process—after users are authenticated, they are also authorized.
D. TACACS+ offers multiprotocol support.
7. Which of the following is not true about RADIUS?
A. RADIUS is an open standard protocol.
B. RADIUS separates AAA services.
C. RADIUS uses UDP.
D. RADIUS encrypts only the password in the access-request packet from the client to the server. The remainder of the packet is unencrypted.
8. A switch is configured with the snmp-server community Cisco RO command running SNMPv2c. An NMS is trying to communicate to this router via SNMP, so what can be performed by the NMS? (Choose two.)
A. The NMS can only graph obtained results.
B. The NMS can graph obtained results and change the hostname of the router.
C. The NMS can only change the hostname of the router.
D. The NMS can use GETBULK and return many results.
9. What is true regarding any type of FHRP?
A. The FHRP supplies hosts with routing information.
B. The FHRP is a routing protocol.
C. The FHRP provides default gateway redundancy.
D. The FHRP is only standards-based.
10. Which of the following are HSRP states? (Choose two.)
A. INIT
B. Active
C. Established
D. Idle
11. Which command configures an interface to enable HSRP with the virtual router IP address 10.1.1.10?
A. standby 1 ip 10.1.1.10
B. ip hsrp 1 standby 10.1.1.10
C. hsrp 1 ip 10.1.1.10
D. standby 1 hsrp ip 10.1.1.10
12. Which command displays the status of all HSRP groups on a Cisco router or layer 3 switch?
A. show ip hsrp
B. show hsrp
C. show standby hsrp
D. show standby
E. show hsrp groups
13. Two routers are part of an HSRP standby group and there is no priority configured on the routers for the HSRP group. Which of the statements below is correct?
A. Both routers will be in the active state.
B. Both routers will be in the standby state.
C. Both routers will be in the listen state.
D. One router will be active, the other standby.
14. Which of the following statements is true about the HSRP version 1 Hello packet?
A. HSRP Hello packets are sent to multicast address 224.0.0.5.
B. HSRP Hello packets are sent to multicast address 224.0.0.2 with TCP port 1985.
C. HSRP Hello packets are sent to multicast address 224.0.0.2 with UDP port 1985.
D. HSRP Hello packets are sent to multicast address 224.0.0.10 with UDP port 1986.
15. Routers HSRP1 and HSRP2 are in HSRP group 1. HSRP1 is the active router with a priority of 120 and HSRP2 has the default priority. When HSRP1 reboots, HSRP2 will become the active router. Once HSRP1 comes back up, which of the following statements will be true? (Choose two.)
A. HSRP1 will become the active router.
B. HSRP2 will stay the active router.
C. HSRP1 will become the active router if it is also configured to preempt.
D. Both routers will go into speak state.
16. What is the multicast address and port number used for HSRP version 2?
A. 224.0.0.2, UDP port 1985
B. 224.0.0.2, TCP port 1985
C. 224.0.0.102, UDP port 1985
D. 224.0.0.102, TCP port 1985
17. Which is true regarding SNMP? (Choose two.)
A. SNMPv2c offers more security than SNMPv1.
B. SNMPv3 uses TCP and introduced the GETBULK operation.
C. SNMPv2c introduced the INFORM operation.
D. SNMPv3 provides the best security of the three versions.
18. You want to configure RADIUS so your network devices have external authentication, but you also need to make sure you can fall back to local authentication. Which command will you use?
A. aaa authentication login local group MyRadiusGroup
B. aaa authentication login group MyRadiusGroup fallback local
C. aaa authentication login default group MyRadiusGroup external local
D. aaa authentication login default group MyRadiusGroup local
19. Which is true about DAI?
A. It must use TCP, BootP, and DHCP snooping in order to work.
B. DHCP snooping is required in order to build the MAC-to-IP bindings for DAI validation.
C. DAI is required in order to build the MAC-to-IP bindings, which protect against man-in-the-middle attacks.
D. DAI tracks ICMP-to-MAC bindings from DHCP.
20. The IEEE 802.1x standard allows you to implement identity-based networking on wired and wireless hosts by using client/server access control. There are three roles. Which of the following are these three roles?
A. Client
B. Forwarder
C. Security access control
D. Authenticator
E. Authentication server

