Tuesday, 14 June 2016

HSRP vs VRRP vs GLBP

Feature comparison: HSRP (Hot Standby Router Protocol), VRRP (Virtual Router Redundancy Protocol), GLBP (Gateway Load Balancing Protocol)

Router roles
  HSRP: 1 active router, 1 standby router, 1 or more listening routers.
  VRRP: 1 master router, 1 or more backup routers.
  GLBP: 1 AVG (Active Virtual Gateway), up to 4 AVFs (Active Virtual Forwarders) per group passing traffic, up to 1024 virtual routers (GLBP groups) per physical interface.

Virtual IP
  HSRP: uses a virtual IP address.
  VRRP: can use the real IP address of one of the routers; that router (the address owner) becomes master. Otherwise a virtual IP address is used and the router with the highest priority becomes master.
  GLBP: uses a virtual IP address.

Scope
  HSRP: Cisco proprietary.
  VRRP: IETF standard (RFC 3768 for VRRPv2, RFC 5798 for VRRPv3).
  GLBP: Cisco proprietary.

Election
  HSRP active router: 1. highest priority, 2. highest IP address (tiebreaker).
  VRRP master router (*): 1. highest priority, 2. highest IP address (tiebreaker).
  GLBP active virtual gateway: 1. highest priority, 2. highest IP address (tiebreaker).

Optimization features
  Tracking: HSRP yes, VRRP yes, GLBP yes.
  Preempt: HSRP yes, VRRP yes, GLBP yes.
  Timer adjustments: HSRP yes, VRRP yes, GLBP yes.

Traffic type
  HSRP: 224.0.0.2, UDP 1985 (version 1); 224.0.0.102, UDP 1985 (version 2).
  VRRP: 224.0.0.18, IP protocol 112.
  GLBP: 224.0.0.102, UDP 3222.

Timers (defaults)
  HSRP: hello 3 seconds, hold 10 seconds.
  VRRP: advertisement 1 second; master down interval = 3 * advertisement + skew time, where skew time = (256 - priority) / 256 seconds.
  GLBP: hello 3 seconds, hold 10 seconds.

Load-balancing functionality
  HSRP: multiple HSRP groups per interface/SVI/routed interface. Requires distributing the different virtual gateway IPs across the clients (generally through DHCP) for balanced load.
  VRRP: multiple VRRP groups per interface/SVI/routed interface. Same requirement: the virtual gateway IPs must be spread across the clients (generally through DHCP).
  GLBP: load-balancing oriented. Weighted, host-dependent and round-robin (default) algorithms. All clients use one virtual gateway IP; the AVG answers their ARP requests with different virtual MAC addresses according to the load-balancing algorithm, so the clients are balanced transparently.

(*) If the VRRP virtual IP configured for the group is the real interface address of one of the VRRP routers, IOS makes that router the master regardless of the priorities configured on the others: the address owner's priority is set to 255, above the configurable range of 1-254.
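The election order, the VRRP address-owner rule from the footnote and the VRRP skew-time formula, as runnable Python. This is an added example and not code from the original page or from any vendor; the three routers and their addresses are constructed sample data. Beyond the table, it shows what the skew time is for: the highest-priority backup detects a dead master first, so backups do not contest the takeover.

```python
"""Election and timer rules from the HSRP/VRRP/GLBP comparison above.

Added example, not code from the original page or from any vendor: it encodes
the election order (priority, then highest IP), the VRRP address-owner rule
from the footnote, and the VRRP skew-time formula. Router data is constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, List, Optional

VRRP_OWNER_PRIORITY = 255          # reserved for the router that owns the virtual IP
VRRP_CONFIGURABLE = range(1, 255)  # 1..254 is what an operator may configure


@dataclass(frozen=True)
class Router:
    name: str
    ip: str        # real interface address on the shared segment
    priority: int  # configured priority


def effective_vrrp_priority(r: Router, virtual_ip: str) -> int:
    """The router whose real address is the group's virtual IP is the address
    owner; IOS forces it to 255, above anything a peer can configure."""
    if r.ip == virtual_ip:
        return VRRP_OWNER_PRIORITY
    if r.priority not in VRRP_CONFIGURABLE:
        raise ValueError(f"{r.name}: VRRP priority must be 1-254")
    return r.priority


def elect(routers: Iterable[Router], virtual_ip: Optional[str] = None) -> Router:
    """Active (HSRP) / master (VRRP) / AVG (GLBP) election: highest priority
    wins, highest real IP breaks ties. Pass virtual_ip for a VRRP group so the
    address-owner rule is applied before priorities are compared."""
    def rank(r: Router):
        prio = effective_vrrp_priority(r, virtual_ip) if virtual_ip else r.priority
        return (prio, int(IPv4Address(r.ip)))
    return max(routers, key=rank)


def vrrp_skew_time(priority: int) -> float:
    """Seconds a backup waits beyond three advertisements; higher priority, shorter wait."""
    return (256 - priority) / 256


def vrrp_master_down_interval(priority: int, advertisement: float = 1.0) -> float:
    return 3 * advertisement + vrrp_skew_time(priority)


def vrrp_takeover_order(backups: Iterable[Router]) -> List[Router]:
    """Order in which backups declare the master dead: the skew time makes the
    highest-priority backup time out first, so it takes over without a contest."""
    return sorted(backups, key=lambda r: vrrp_master_down_interval(r.priority))


if __name__ == "__main__":
    # constructed sample group on 10.0.0.0/24
    r1, r2, r3 = Router("R1", "10.0.0.1", 100), Router("R2", "10.0.0.2", 100), Router("R3", "10.0.0.3", 90)
    print("HSRP active:", elect([r1, r2, r3]).name)                                  # R2: priority tie, higher IP
    print("VRRP master when VIP is R3's real IP:", elect([r1, r2, r3], "10.0.0.3").name)  # R3: owner rule
    for r in vrrp_takeover_order([r3, r1]):
        print(f"{r.name} master-down interval {vrrp_master_down_interval(r.priority):.4f}s")
```

Run it as a script to see the two elections and the takeover order; with the VRRP virtual IP set to R3's real address, R3 wins the election despite having the lowest configured priority, which is exactly the footnote's case.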

VRRP Benefits

The benefits of VRRP are as follows:

Redundancy—Enables you to configure multiple routers as the default gateway router, which reduces the possibility of a single point of failure in a network.

Load sharing—Allows traffic to and from LAN clients to be shared by multiple routers. The traffic load is shared more equitably among available routers.

Multiple VRRP groups—Supports up to 255 VRRP groups on a router physical interface if the platform supports multiple MAC addresses. Multiple VRRP groups enable you to implement redundancy and load sharing in your LAN topology.

Multiple IP addresses—Allows you to manage multiple IP addresses, including secondary IP addresses. If you have multiple subnets configured on an Ethernet interface, you can configure VRRP on each subnet.

Preemption—Enables you to preempt a backup router that has taken over for a failing master with a higher priority backup router that has become available.

Advertisement protocol—Uses a dedicated Internet Assigned Numbers Authority (IANA) standard multicast address (224.0.0.18) for VRRP advertisements. This addressing scheme minimizes the number of routers that must service the multicasts and allows test equipment to accurately identify VRRP packets on a segment. IANA has assigned the IP protocol number 112 to VRRP.

VRRP tracking—Ensures that the best VRRP router is the master for the group by altering VRRP priorities based on interface states.

Private Vlan Configuration

We know that a Layer 2 VLAN is an isolated broadcast domain and that communication between VLANs requires a Layer 3 device for inter-VLAN routing. A private VLAN (PVLAN) gives us the opportunity to divide a VLAN into sub-VLANs: a normal (primary) VLAN is mapped to one or more secondary VLANs. This lets us stop devices connected to the same normal VLAN (subnet) from communicating with each other. Catalyst 3560 and higher models support PVLANs.
PVLANs are often used where servers sit in a DMZ on the same Layer 2 VLAN and we want to stop those servers from talking to each other. This helps a lot with security: if the servers are publicly reachable from the Internet and one of them is compromised, the attacker is blocked from reaching the other servers on the same VLAN. Of course we could do this with a Layer 3 device or a firewall, but then each server would need its own VLAN and subnet, and the network becomes complex. With a PVLAN we keep one network (VLAN) and restrict the connections between servers by creating secondary VLANs.


Private VLAN Types and Port Types:
Promiscuous (P): Usually connects to the router (default gateway). A promiscuous port is allowed to send and receive frames to and from any other port in the primary VLAN.
Isolated (I): This type of port is only allowed to communicate with P-ports; it is a "stub" port and usually connects to hosts. Only one isolated VLAN can exist per primary VLAN, and the ports in it cannot communicate with each other, only with the promiscuous port.
Community (C): The ports in the same community can communicate with each other and with the promiscuous port. Multiple communities can exist, and ports in different communities cannot talk to each other.
Let’s see how to configure PVLANs
Equipment Used in this LAB:
Cisco  Catalyst 3560  – C3560-IPSERVICES-M  Version 12.2(50)SE
Cisco Router 2801 -  C2801-ADVIPSERVICESK9-M  Version 12.4(9)T4

Scenario: Create one community VLAN, to which SRV1 and SRV2 will belong. Also create an isolated VLAN, to which SRV3 and SRV4 will belong. Make Gi0/1 promiscuous and connect it to the default gateway (router). With this configuration, SRV1 and SRV2 can talk to each other and to the router (default gateway). The servers in the isolated VLAN (SRV3 and SRV4) cannot communicate with each other, but each of them can still reach the router's F0/0 (default gateway) through the promiscuous port.
Before starting the PVLAN configuration, switch VTP to transparent mode. Private VLANs are not propagated by VTP (versions 1 and 2), and the switch rejects the private-vlan commands in any other VTP mode.
! switch to VTP transparent mode
Switch(config)# vtp mode transparent
Setting device to VTP TRANSPARENT mode.

! create the isolated VLAN
Switch(config)# vlan 102
Switch(config-vlan)# private-vlan isolated

! create the community VLAN
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan community

! create the primary VLAN and associate the secondary VLANs with it
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 101,102

Our complete VLAN configuration looks like this:
vlan 100
  private-vlan primary
  private-vlan association 101,102
!
vlan 101
  private-vlan community
!
vlan 102
  private-vlan isolated

! create the promiscuous port and map it to the primary and both secondary VLANs
Switch(config)# interface gigabitEthernet 0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101,102

! associate Gi0/2 and Gi0/3 with the primary and community VLANs. According to our scenario Gi0/2 and Gi0/3 (SRV1 and SRV2) belong to the community VLAN.
Switch(config)# interface range gigabitEthernet 0/2 - 3
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 101

! associate Gi0/4 and Gi0/5 with the primary and isolated VLANs. According to our scenario Gi0/4 and Gi0/5 (SRV3 and SRV4) belong to the isolated VLAN.
Switch(config)# interface range gigabitEthernet 0/4 - 5
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 102

Configuration is complete, so let's see how the output looks. Host ports show the primary and secondary VLAN in the Vlan column; the promiscuous port shows only the primary VLAN.
Switch# show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1                        connected    100        a-full  a-100 10/100BaseTX
Gi0/2                        connected    100,101    a-full  a-100 10/100BaseTX
Gi0/3                        connected    100,101    a-full  a-100 10/100BaseTX
Gi0/4                        connected    100,102    a-full  a-100 10/100BaseTX
Gi0/5                        connected    100,102    a-full  a-100 10/100BaseTX
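The three port-type rules applied to the lab's five ports, as an added Python example (not configuration or code from the original post or from Cisco). It parses a constructed copy of the show interfaces status output above (Name column blank, as in the lab) together with the secondary VLAN types configured earlier, then reports which port pairs the switch forwards between. It confirms the scenario: the community ports reach each other and the gateway, while the isolated ports reach only the gateway on Gi0/1.

```python
"""Forwarding rules of the private-VLAN lab, checked in Python.

Added example, not part of the original post or of Cisco IOS. The port list is
parsed from a constructed copy of the lab's 'show interfaces status' output
(Name column blank) plus the secondary VLAN types configured above.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

PRIMARY_VLAN = 100
SECONDARY_TYPES = {101: "community", 102: "isolated"}   # as configured in the lab
STATUS_WORDS = {"connected", "notconnect", "disabled", "err-disabled"}

# constructed sample, copied from the lab output above
SHOW_INTERFACES_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1                        connected    100        a-full  a-100 10/100BaseTX
Gi0/2                        connected    100,101    a-full  a-100 10/100BaseTX
Gi0/3                        connected    100,101    a-full  a-100 10/100BaseTX
Gi0/4                        connected    100,102    a-full  a-100 10/100BaseTX
Gi0/5                        connected    100,102    a-full  a-100 10/100BaseTX
"""


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                 # "promiscuous", "community" or "isolated"
    secondary: Optional[int]  # secondary VLAN of a host port, None for promiscuous


def parse_show_interfaces_status(text: str) -> List[Port]:
    """Host ports show 'primary,secondary' in the Vlan column, a promiscuous
    port shows only the primary VLAN; the mode follows from the secondary's type."""
    ports = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if not fields:
            continue
        # Name may be blank, so find the Status token instead of using a fixed index
        status_idx = next(i for i, f in enumerate(fields) if f in STATUS_WORDS)
        vlans = [int(v) for v in fields[status_idx + 1].split(",")]
        if vlans == [PRIMARY_VLAN]:
            ports.append(Port(fields[0], "promiscuous", None))
        else:
            primary, secondary = vlans
            if primary != PRIMARY_VLAN:
                raise ValueError(f"{fields[0]}: unexpected primary VLAN {primary}")
            ports.append(Port(fields[0], SECONDARY_TYPES[secondary], secondary))
    return ports


def can_forward(a: Port, b: Port) -> bool:
    """Whether the switch forwards frames between two ports of the primary VLAN."""
    if "promiscuous" in (a.mode, b.mode):
        return True                        # promiscuous ports talk to every port
    if a.mode == b.mode == "community":
        return a.secondary == b.secondary  # community members talk within their community
    return False                           # isolated ports never reach another host port


def reachability(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    return {(a.name, b.name): can_forward(a, b) for a, b in combinations(ports, 2)}


if __name__ == "__main__":
    for (a, b), ok in reachability(parse_show_interfaces_status(SHOW_INTERFACES_STATUS)).items():
        print(f"{a} <-> {b}: {'forward' if ok else 'blocked'}")
```

Of the ten port pairs only five forward: the four pairs involving the promiscuous port Gi0/1 and the community pair Gi0/2-Gi0/3.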

Friday, 3 June 2016

(GLBP)   Gateway Load Balancing Protocol

Feature History
Release 12.2(14)S: This feature was introduced.


This document describes the Gateway Load Balancing Protocol feature in Cisco IOS Release 12.2(14)S and it includes the following sections:

Feature Overview

The Gateway Load Balancing Protocol feature provides automatic router backup for IP hosts configured with a single default gateway on an IEEE 802.3 LAN. Multiple first hop routers on the LAN combine to offer a single virtual first hop IP router while sharing the IP packet forwarding load. Other routers on the LAN may act as redundant Gateway Load Balancing Protocol (GLBP) routers that will become active if any of the existing forwarding routers fail.
GLBP performs a similar, but not identical, function for the user as the Hot Standby Router Protocol (HSRP) and the Virtual Router Redundancy Protocol (VRRP). HSRP and VRRP allow multiple routers to participate in a virtual router group configured with a virtual IP address. One member is elected to be the active router to forward packets sent to the virtual IP address for the group. The other routers in the group are redundant until the active router fails. These standby routers have unused bandwidth that the protocol is not using. Although multiple virtual router groups can be configured for the same set of routers, the hosts must be configured for different default gateways, which results in an extra administrative burden.

GLBP provides load balancing over multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses. Each host is configured with the same virtual IP address, and all routers in the virtual router group participate in forwarding packets.

GLBP members communicate with each other through hello messages sent every 3 seconds to the multicast address 224.0.0.102, User Datagram Protocol (UDP) port 3222 (source and destination).
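The mechanism the overview describes, one virtual IP and several virtual MACs, as an added Python example; it is not code from the original page or from Cisco IOS. The AVG answers each host's ARP request for the virtual IP with one forwarder's virtual MAC, picked by the round-robin (default), host-dependent or weighted algorithm listed in the comparison table. Hosts and weights are constructed. The virtual MAC layout 0007.b4xx.xxyy (10-bit group number, 8-bit forwarder number) follows Cisco's published format and is not stated on this page, and the weighted scheduler is a smooth weighted round-robin approximation of how IOS spreads replies by weight, not the IOS implementation.

```python
"""How a GLBP AVG shares load behind one virtual IP, as described above.

Added example, not code from the original page or from Cisco IOS. Hosts and
weights are constructed. The virtual MAC layout 0007.b4xx.xxyy (10-bit group,
8-bit forwarder) follows Cisco's published format and is not on this page; the
weighted scheduler is a smooth weighted round-robin approximation of IOS.
"""
import zlib
from itertools import cycle
from typing import Dict, List, Optional


def glbp_virtual_mac(group: int, forwarder: int) -> str:
    """Virtual MAC the AVG hands out for a given group and forwarder number."""
    if not 0 <= group <= 1023 or not 1 <= forwarder <= 4:
        raise ValueError("GLBP group 0-1023, forwarder 1-4")
    value = (0x0007B4 << 24) | (group << 8) | forwarder
    digits = f"{value:012x}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


class ActiveVirtualGateway:
    """The AVG answers every ARP request for the virtual IP, choosing which
    forwarder's virtual MAC to return according to the configured algorithm."""

    def __init__(self, group: int, forwarders: List[str], algorithm: str = "round-robin",
                 weights: Optional[Dict[str, int]] = None):
        self.forwarders = list(forwarders)
        self.macs = {f: glbp_virtual_mac(group, n) for n, f in enumerate(self.forwarders, 1)}
        self.algorithm = algorithm
        self.weights = weights or {f: 100 for f in self.forwarders}  # IOS default weight is 100
        self._rr = cycle(self.forwarders)
        self._credit = {f: 0 for f in self.forwarders}
        self._host_table: Dict[str, str] = {}

    def arp_reply(self, host_mac: str) -> str:
        """Virtual MAC returned to the host that ARPed for the virtual IP."""
        if self.algorithm == "round-robin":          # default: forwarders in turn
            chosen = next(self._rr)
        elif self.algorithm == "host-dependent":     # same host, same forwarder, every time
            idx = zlib.crc32(host_mac.lower().encode()) % len(self.forwarders)
            chosen = self._host_table.setdefault(host_mac, self.forwarders[idx])
        elif self.algorithm == "weighted":           # replies proportional to weight
            for f in self.forwarders:
                self._credit[f] += self.weights[f]
            chosen = max(self.forwarders, key=lambda f: self._credit[f])
            self._credit[chosen] -= sum(self.weights.values())
        else:
            raise ValueError(f"unknown algorithm {self.algorithm}")
        return self.macs[chosen]


def reply_distribution(avg: ActiveVirtualGateway, hosts: List[str]) -> Dict[str, int]:
    """Count how many hosts were pointed at each forwarder's virtual MAC."""
    counts = {f: 0 for f in avg.forwarders}
    mac_to_fwd = {mac: f for f, mac in avg.macs.items()}
    for h in hosts:
        counts[mac_to_fwd[avg.arp_reply(h)]] += 1
    return counts


if __name__ == "__main__":
    hosts = [f"02:00:00:00:00:{i:02x}" for i in range(30)]   # constructed host MACs
    print(reply_distribution(ActiveVirtualGateway(1, ["R1", "R2", "R3"]), hosts))
    print(reply_distribution(ActiveVirtualGateway(1, ["R1", "R2"], "weighted", {"R1": 200, "R2": 100}), hosts))
```

With three forwarders and 30 hosts, round-robin gives each forwarder 10 hosts; with weights 200/100 the first forwarder gets 20 of the 30 ARP replies. Every host still has the same default gateway address configured, which is the administrative saving over running several HSRP or VRRP groups.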

OSPF as a distance vector protocol..


Excellent article on PacketLife that shows OSPF also behaves as a distance vector protocol. Keep this gotcha in mind :)

Examine the OSPF topology below. Assuming all links have an equal cost, which path will R3 take to R5?
[figure: topology.png, OSPF topology with areas 0, 10 and 20]
The obvious answer is the path through R4, as it is only two hops. However, the path that is actually taken is the one through R1 and R2 in area 0:
R3# traceroute 192.168.20.5

Type escape sequence to abort.
Tracing the route to 192.168.20.5

  1 192.168.10.1 20 msec 12 msec 16 msec
  2 10.0.0.2 12 msec 24 msec 20 msec
  3 192.168.20.5 12 msec *  24 msec
Why? Although OSPF operates as a link-state routing protocol within an area, its behavior between areas is predominantly distance vector. Link-state trees (formed from LSA types 1 and 2) are only maintained within an area; summary routes (type 3 LSAs) are used to statelessly transport routing information between areas. To prevent routing loops, areas must be connected in a logical star topology, centering around area 0. All type 3 LSAs must therefore pass into or out of area 0 when multiple areas are in use, whereas type 1 and 2 LSAs are confined to the local area.
[figure: lsa_flow.png, LSA flow between areas]
We can better observe this limitation by examining R3's OSPF database:
R3# show ip ospf database

OSPF Router with ID (3.3.3.3) (Process ID 1)

Router Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         1006        0x80000002 0x00F244 1
3.3.3.3         3.3.3.3         1001        0x80000002 0x0073B2 1
4.4.4.4         4.4.4.4         965         0x80000002 0x0035E7 1

Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.10.1    1.1.1.1         967         0x80000002 0x001F7D

Summary Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.0.0        1.1.1.1         987         0x80000003 0x0049D9
192.168.20.0    1.1.1.1         888         0x80000001 0x00A502
Note that the summary LSAs are only being advertised from R1, because that is the only router in area 10 also connected to area 0. R4, although it belongs to both areas, will not propagate LSAs from one area to the other, as it has no access to area 0. If it were to pass summary routes, for example, from area 10 to area 20, those routes would then be passed along by R2 to area 0 and by R1 back into area 10, forming a routing loop. By forcing all area border routers (ABRs) to attach to the common link-state tree in area 0, such loops are avoided.
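The two views of this topology side by side, as an added Python example (not code from the PacketLife article or from this blog). The topology is constructed from the diagram description and the LSDB shown above: three multi-access segments, all links equal cost. spf() is Dijkstra over one area's database, type3_into() originates summaries only from routers attached to area 0, and ospf_route() prefers an intra-area path and otherwise the cheapest summary. flat_shortest_path() runs one SPF over all areas as if they were a single link-state domain, which is the intuition that picks R4.

```python
"""Why R3 routes to 192.168.20.0/24 through R1 and not through R4.

Added example, not code from the PacketLife article or this blog: it models the
post's topology (constructed from the diagram description and the LSDB shown),
runs SPF per area, and originates type-3 summaries only from routers attached
to area 0. Compare ospf_route() with flat_shortest_path().
"""
import heapq
from typing import Dict, List, Optional, Tuple

INF = float("inf")

# Every link is a multi-access segment, modelled as a type-2 pseudonode:
# router -> segment costs 1 (all links equal, as the post assumes), segment -> router costs 0.
AREAS: Dict[int, Dict[str, List[str]]] = {
    0:  {"10.0.0.0/30":     ["R1", "R2"]},
    10: {"192.168.10.0/24": ["R1", "R3", "R4"]},
    20: {"192.168.20.0/24": ["R2", "R4", "R5"]},
}


def is_router(node: str) -> bool:
    return "/" not in node


def area_graph(segments: Dict[str, List[str]]) -> Dict[str, Dict[str, int]]:
    g: Dict[str, Dict[str, int]] = {}
    for seg, routers in segments.items():
        for r in routers:
            g.setdefault(r, {})[seg] = 1
            g.setdefault(seg, {})[r] = 0
    return g


def spf(graph, source):
    """Dijkstra over one area's LSDB: cost and first-hop router for every node."""
    dist = {source: 0}
    first_hop: Dict[str, Optional[str]] = {source: None}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph.get(u, {}).items():
            if d + w < dist.get(v, INF):
                dist[v] = d + w
                if u == source:
                    first_hop[v] = v if is_router(v) else None
                elif first_hop[u] is None:
                    first_hop[v] = v          # first router behind the source's own segment
                else:
                    first_hop[v] = first_hop[u]
                heapq.heappush(heap, (d + w, v))
    return dist, first_hop


def areas_of(router: str) -> List[int]:
    return [a for a, segs in AREAS.items() if any(router in rs for rs in segs.values())]


def abrs() -> List[str]:
    """Only routers with an interface in area 0 originate summaries. R4 sits in
    areas 10 and 20 but not in area 0, so it is not on this list."""
    routers = {r for segs in AREAS.values() for rs in segs.values() for r in rs}
    return sorted(r for r in routers if 0 in areas_of(r) and len(areas_of(r)) > 1)


def type3_into_area0() -> List[Tuple[str, str, int]]:
    """(prefix, advertising ABR, cost): each ABR summarises its non-backbone areas into area 0."""
    lsas = []
    for abr in abrs():
        for area in areas_of(abr):
            if area != 0:
                dist, _ = spf(area_graph(AREAS[area]), abr)
                lsas += [(p, abr, dist[p]) for p in AREAS[area]]
    return lsas


def type3_into(area: int) -> List[Tuple[str, str, int]]:
    """Summaries an ABR injects into a non-backbone area: everything it reaches
    via area 0, at its own area-0 cost. Nothing crosses directly between two
    non-backbone areas, which is what prevents the R1-R2-R4 loop."""
    if area == 0:
        return type3_into_area0()
    g0 = area_graph(AREAS[0])
    lsas = []
    for abr in abrs():
        if area not in areas_of(abr):
            continue
        dist0, _ = spf(g0, abr)
        costs = {p: dist0[p] for p in AREAS[0]}
        for p, origin, c in type3_into_area0():
            if origin != abr and p not in AREAS[area]:
                costs[p] = min(costs.get(p, INF), dist0[origin] + c)
        lsas += [(p, abr, c) for p, c in costs.items()]
    return lsas


def ospf_route(router: str, prefix: str) -> Optional[Tuple[int, Optional[str]]]:
    """(cost, next hop) the way OSPF chooses: an intra-area path always wins,
    otherwise the cheapest ABR summary reachable in one of the router's areas."""
    best = None
    for area in areas_of(router):
        dist, hop = spf(area_graph(AREAS[area]), router)
        if prefix in AREAS[area]:
            return dist[prefix], hop[prefix]
        for p, abr, c in type3_into(area):
            if p == prefix and abr in dist and (best is None or dist[abr] + c < best[0]):
                best = (dist[abr] + c, hop[abr])
    return best


def flat_shortest_path(router: str, prefix: str) -> Tuple[int, Optional[str]]:
    """What intuition expects: one SPF over all areas as a single link-state domain."""
    merged: Dict[str, List[str]] = {}
    for segs in AREAS.values():
        merged.update(segs)
    dist, hop = spf(area_graph(merged), router)
    return dist[prefix], hop[prefix]


if __name__ == "__main__":
    print("summaries into area 10:", type3_into(10))            # only from R1, as in R3's LSDB
    print("OSPF path R3 -> 192.168.20.0/24:", ospf_route("R3", "192.168.20.0/24"))    # (3, 'R1')
    print("flat SPF R3 -> 192.168.20.0/24:", flat_shortest_path("R3", "192.168.20.0/24"))  # (2, 'R4')
```

The summaries computed for area 10 come only from R1 and cover exactly the two prefixes in R3's database above (10.0.0.0 and 192.168.20.0), and R3's inter-area route costs 3 via R1 even though a flat SPF finds a cost-2 path via R4.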

Be Aware of Fake Calls

Phishing is defined as any attempt to obtain your personal and financial information. Mostly, phishing is carried out via emails. These ...