Frame Relay

This is the basics of Frame Relay. I didn't put the advanced stuff in because it took me a lot of time to lab :)

Will put them later (PPPoFR, Back To Back, FREEK)

  • Layer 3 resolution is needed to bind the local layer 2 address to the remote layer 3 address. Inverse ARP is used.
  • Only directly connected devices can be resolved (this implies additional issues with partial-mesh NBMA).

Multipoint Interfaces:

  • Can have multiple layer 2 circuits
  • Requires L3 to L2 resolution
  • Ex: FR main interface / FR multipoint sub-interface

Point-to-point Interfaces:

  • Only one DLCI
  • Does not require L3 to L2 resolution: only one circuit = only one L2 address
  • Ex: FR point-to-point sub-interface

Review:

  • NBMA: address resolution applies
  • DLCI: L2 address / the DLCI number is locally significant
  • LMI: DTE/DCE communication / reports VC status

LMI:

  • encapsulation frame-relay enables LMI automatically
  • Types: Cisco / ANSI / Q933a, and the type should be automatically detected
  • show frame-relay pvc: Active / Inactive (PVC provided but not used) / Deleted (no PVC with that name)

Address resolution

  • Which DLCI do I use to reach this IP?
  • Inverse ARP, or static mapping using frame-relay map
  • show frame-relay map

Static Mapping:

  • Interface configuration mode
  • Static mappings override dynamic mappings
  • Broadcast support must be manually configured with the broadcast keyword.


PPPoe !

Yesterday was all about PPPoE. Yeah, I may be slow, but now I fully understand the concept.

I did some labs and was unsuccessful, so I tried to understand the solution and still had no luck, but I did understand a few concepts like virtual-template and BBA-group.
Then I viewed a video about it and it seemed clearer …. Finally I read the doc CD, which was very complex as usual, and I did some labs :)

Now I can fully understand it and can lab it without looking at the doc CD!! HOW COOL IS THAT!

Anyway, I even found an error in the routing-bits.com documentation, because when you use different addresses on a subnet (i.e. an unnumbered address) the route that you have in your router will be a /32 and not a /8 :)

More to come


Voice

Voice has 3 options for configuration:

  • Voice and data are separated from each other. The port between the switch and the phone is an 802.1Q trunk. The phone adds a special value to the CoS field within the header (5). Data is sent untagged and received by the switch on the configured access VLAN.
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 146
 switchport trunk allowed vlan 146,600
 switchport mode trunk
 switchport voice vlan 600
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
  • A single VLAN is used. The internal switch within the phone acts like a normal bridge and does not tag. The port is an access port.
  • Use a single VLAN for voice and data but add an 802.1p CoS tag. Data frames received from the PC on the phone, along with VoIP frames sent from the phone, get a special 802.1Q header that carries a VLAN ID equal to 0 and has the CoS field set to 5 for VoIP. The switch accepts frames with VLAN zero as if they were in the access VLAN but also honors the CoS bits to calculate the internal QoS tag.
interface FastEthernet0/6
 switchport access vlan 146
 switchport voice vlan dot1p
 spanning-tree portfast
end

I did some private vlan stuff too , with flex link etc etc …


MST !

Today I'm reading the MST DOC-CD chapter and man, it was a pain to read!!!

Instead I read Petr Lapukhov's article on the INE blog. It is much easier to read and understand.

First I want to say that all the notes below belong to the author, Petr Lapukhov. Nothing has really been written by me; I'm just summarizing his article, which helps me to understand and memorize it. Thanks for understanding.

Things to remember:

  • All the switches in an MST region MUST have the same configuration:
  • Name
  • Revision number
  • VLAN to instance mapping
  • All VLANs are mapped to the IST (the common spanning-tree instance) by default.
  • The IST (MSTI0) carries all the STP-related information.
  • MSTP does not send MSTI information in separate BPDUs; this information is piggybacked onto the IST's BPDU using a special M-record field. The TLV carries root priority, port priority and root path cost.

A good command to remember would be

 show spanning-tree mst interface fastEthernet 0/16
FastEthernet0/16 of MST0 is root forwarding
Edge port: no             (default)        port guard : none        (default)
Link type: point-to-point (auto)           bpdu filter: disable     (default)
Boundary : internal                        bpdu guard : disable     (default)
Bpdus sent 550, received 1099

Instance Role Sts Cost      Prio.Nbr Vlans mapped
-------- ---- --- --------- -------- -------------------------------
0        Root FWD 200000    128.18   1-9,11-19,21-29,31-39,41-49,51-59
                                     61-4094
1        Desg FWD 200000    128.18   10,20,30
2        Altn BLK 200000    128.18   40,50,60

The CIST

  • Every MSTP region runs a special instance of STP known as the IST, which serves the purpose of disseminating STP topology information for the MSTIs.
  • The IST has a root bridge elected based on the lowest Bridge ID.
  • When a switch detects BPDU messages sourced from another region, it marks the corresponding port as an MSTP BOUNDARY port.
  • When multiple regions connect together, every region needs to construct its own IST and all regions should build one common CIST spanning across the regions.
  • The CIST Root is elected among all regions and a CIST Regional Root is elected in every region.
  • IST root = CIST Regional Root in the case where multiple regions interoperate.
  • The CIST Root has the lowest BID among ALL REGIONS.
  • The CIST Regional Root is a boundary switch elected for every region based on the shortest external path cost to reach the CIST Root. The path cost is calculated based on the costs of the links connecting the regions, excluding the internal regional paths. The CIST Regional Root becomes the root of the IST for the given region as well.

The CST

  • The CST connects all boundary switches and perceives every region as a single virtual bridge with a bridge ID equal to the CIST Regional Root's bridge ID.
  • The CST is the construct where MSTP interoperates with legacy STP.
  • The legacy switch regions join their STP instance with the CST and perceive MSTP regions as transparent virtual bridges.
  • MSTP discovers the appropriate STP version.


Bridging and Switching (L2PT and 802.1Q Tunneling + STP)

Tonight I did

  • 802.1Q tunneling practice with L2PT
  • STP up to BackboneFast, which I need to read in the DOC-CD (I know UplinkFast is for direct failure and BBFast is for indirect failure). Also UplinkFast increases the priority to 49152 and the cost on each interface by 3000.

Task : 1.16 to 1.25

Lecture:

BPDUGuard And Portfast:

  • At the global level, you enable BPDU guard on Port Fast-enabled interfaces by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down interfaces that are in a Port Fast-operational state if any BPDU is received on those interfaces.
  • At the interface level, you enable BPDU guard on any interface by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the interface receives a BPDU, it is put in the error-disabled state.

BPDUFilter And Portfast:

  • At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.
  • At the interface level, you can enable BPDU filtering on any interface by using the spanning-tree bpdufilter enable interface configuration command without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.

Uplinkfast

  • If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port. By enabling UplinkFast with the spanning-tree uplinkfast global configuration command, you can accelerate the choice of a new root port when a link or switch fails or when the spanning tree reconfigures itself. The new root port transitions to the forwarding state immediately without going through the listening and learning states
  • The BID priority becomes 49152.
  • Each interface gets its cost increased by 3000.
  • Recovers from a direct failure.

BackboneFast

  • Indirect failures; complementary to UplinkFast.
  • Optimizes the max-age timer.
  • Triggered when an inferior BPDU is received from a designated switch (it has lost its path to the root!).
  • The switch has alternate paths to the root switch, it uses these alternate paths to send a root link query (RLQ) request. The switch sends the RLQ request on all alternate paths and waits for an RLQ reply from other switches in the network.
  • BackboneFast allows the blocked interface on Switch C to move immediately to the listening state without waiting for the maximum aging time for the interface to expire.

Rootguard.

  • Enforce the root bridge placement.
  • If a switch outside the SP network becomes the root switch, the interface is blocked (root-inconsistent state), and spanning tree selects a new root switch
  • If the switch is operating in multiple spanning-tree (MST) mode, root guard forces the interface to be a designated port. If a boundary port is blocked in an internal spanning-tree (IST) instance because of root guard, the interface also is blocked in all MST instances. A boundary port is an interface that connects to a LAN, the designated switch of which is either an IEEE 802.1D switch or a switch with a different MST region configuration
  • Root guard enabled on an interface applies to all the VLANs to which the interface belongs.
  • You cannot enable both loop guard and root guard at the same time.

Loop Guard

  • Prevents alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link.
  • This feature is most effective when it is enabled on the entire switched network. Loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.
  • You cannot enable both loop guard and root guard at the same time.

Very good command to remember !

Rack12SW1#sh spannin int fa0/1 ?
  active         Report on active instances only
  cost           Port path cost
  detail         Detailed information
  inconsistency  Port inconsistency state
  portfast       PortFast configuration
  priority       Port priority
  rootcost       Path cost to root
  state          Port spanning tree state
  |              Output modifiers
  <cr>

12-day bootcamp in London scheduled. :)  May the power be with me!


Started CCIE !

I’m gonna blog about my notes taken during the workbook, stuff I need to remember and re read again and again :)

I first did a few tasks on workbook 1 and here are my thoughts:

Workbook 1:

  • On the 3560, the default trunking mode is: switchport mode dynamic auto
  • I got a problem with VTP. Everything was configured correctly, I triple-checked, and I had different hashes on all the VTP switches. Then I decided to create a VLAN on the VTP server and suddenly all the VTP clients matched their hashes … weird.
  • I also had a problem with EtherChannel. The config was good too, but the switch said that the configs were mismatched and the IOS was wrong …
3d13h: %PM-4-ERR_DISABLE: channel-misconfig error detected on Fa0/13, putting Fa0/13 in err-disable state
3d13h: %SM-4-BADEVENT: Event 'dtp_complete' is invalid for the current state 'err_disable': pm_port 0/12
-Traceback= 6DDC68 1599E8 2E3CA8 2C8ECC 391168 242DAC 3911DC 243108 2499AC D089BC 249564 247C3C 248F08 391824 2D65E0 2D6A8C
3d13h: Last transition recorded:  (dtp_complete)-> post_dtp (pagp_continue)-> pre_pagp_may_suspend  (pagp_continue)-> pagp_may_suspend (pagp_continue)-> start_pagp  (pagp_con
Rack1SW3(config-if-range)#tinue)->  pagp (err_disable)-> dtp (err_disable)-> going_down  (err_disable)-> link_down (err_disable)->  err_disable_clear_persist (err_disable)-> err_disable
3d13h: %PM-4-ERR_DISABLE: channel-misconfig error detected on Fa0/15, putting Fa0/15 in err-disable state
3d13h: %SM-4-BADEVENT: Event 'dtp_complete' is invalid for the current state 'err_disable': pm_port 0/14
-Traceback= 6DDC68 1599E8 2E3CA8 2C8ECC 391168 242DAC 3911DC 243108 2499AC D089BC 249564 247C3C 248F08 391824 2D65E0 2D6A8C
3d13h: Last tr
Rack1SW3(config-if-range)#ansition  recorded: (dtp_complete)-> post_dtp (pagp_continue)->  pre_pagp_may_suspend (pagp_continue)-> pagp_may_suspend  (pagp_continue)-> start_pagp (pagp_continue)-> pagp  (err_disable)-> dtp (err_disable)-> going_down (err_disable)->  link_down (err_disable)-> err_disable_clear_persist  (err_disable)-> err_disable
3d13h: %PM-4-ERR_DISABLE: channel-misconfig error detected on Fa0/14, putting Fa0/14 in err-disable state
3d13h: %SM-4-BADEVENT: Event 'dtp_complete' is invalid for the current state 'err_disabl
  • Finally, the switch was wrong; I just did a wr and a reload.
  • My memories of 802.1Q were not that good, so I decided to give the doc-CD a shot, which I'll always do now:

802.1Q http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swtunnel.html

  • The system MTU should be at least 1504 to allow the double-tagged frames to be switched.
  • After a system MTU change, switches have to be reloaded.
  • The native VLAN on the SP trunk should not be the same as on the customer/SP trunk, or tag the native VLAN on the trunk using: vlan dot1q tag native
  • Tunnel ports are L2 only.
  • SP link = tunnel port / customer link = access or trunk port.
  • It is possible to configure EtherChannel.
  • No VTP, CDP or DTP because of the asymmetric config.
  • BPDU filter is started automatically.
  • SP config: switchport access vlan x / switchport mode dot1q-tunnel
  • show dot1q-tunnel
  • show vlan dot1q tag native

L2PT:

  • Replaces the destination MAC of inbound L2 PDUs with a well-known MAC address.
  • Core switches process them as normal frames.
  • CDP, VTP, STP and any L2 PDU work with that protocol.
  • L2PT can be used with or without 802.1Q tunneling.
  • Use L2PT to enhance EtherChannel creation by emulating a point-to-point network topology.

  • Configuration:
  • NO SWITCHPORT MODE DYNAMIC/AUTO!!!
  • NO DTP
  • When an L2 PDU enters the SP via a tunnel port, the switch overwrites the customer PDU's destination MAC, then double-tagging occurs. The egress edge switch restores the L2 PDU and pops the VLAN ID.


Securing a Router ! 1/2

Hey there.

First of all I would like to apologize for my poor editing skills … I am an HTML noob and need some advice about my blog.

If some kind people could advise me on how to format my Cisco commands nicely, it would be very helpful :)  Thanks.

Today we are going to learn so many security things. These things are basics, but they are important for the good of your network.

  • First, let's define a virtual interface called a loopback interface. This interface will be designated as the source interface for a lot of the traffic generated by the router. This adds a lot of benefits to the security and stability of the network.
SW-3750-1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW-3750-1(config)#int loopback 0
SW-3750-1(config-if)#ip address 100.0.0.1 255.255.255.255
SW-3750-1(config-if)#no shut
  • Create a banner (I won't detail the commands, they are so easy).
  • Disable the AUX line if not used (create an ACL, disable exec on the line, apply the login local command):
ROUTER(config)#ip access-list standard LET'S-BLOCK-THAT-INTERFACE
ROUTER(config-std-nacl)#deny any
ROUTER(config-std-nacl)#exit
ROUTER(config)#line aux 0
ROUTER(config-line)#access-class LET'S-BLOCK-THAT-INTERFACE in
ROUTER(config-line)#exec-timeout 0 1
ROUTER(config-line)#no exec
ROUTER(config-line)#login local
  • Disable the VTY lines that you don't need (generally 5 15).
  • Secure the VTY lines:
ROUTER(config)#ip access-list extended SECURE-VTY
ROUTER(config-ext-nacl)#permit tcp host 10.0.0.1 any eq telnet
ROUTER(config-ext-nacl)#deny tcp any any
ROUTER(config-ext-nacl)#exit
ROUTER(config)#line vty 0 4
ROUTER(config-line)#access-class SECURE-VTY in
ROUTER(config-line)#exec-timeout 1 0
ROUTER(config-line)#login local
ROUTER(config-line)#logging synchronous (so useful)
ROUTER(config-line)#transport output none (no way to telnet to another router from this router)
  • Use SSH if possible:
ROUTER(config)#crypto key generate rsa usage-keys label KEYNAME modulus 1024 (generating a key without needing a domain name)
ROUTER(config)#line vty 0 4
ROUTER(config-line)#transport input telnet ssh
  • Enable the TCP keepalive services (they cause the router to generate periodic TCP keepalive messages to detect dead TCP connections. Attention: this service does NOT remove the need for setting an exec-timeout as recommended above):
ROUTER(config)#service tcp-keepalives-in
ROUTER(config)#service tcp-keepalives-out
  • Disable CDP:
ROUTER(config)#no cdp run
  • Disable the TCP / UDP small services (the small diagnostic services a host may provide):
ROUTER(config)#no service tcp-small-servers
ROUTER(config)#no service udp-small-servers

  • Disable the finger service (used for querying a host about its logged-in users):
ROUTER(config)#no ip finger
ROUTER(config)#no service finger
  • Disable the HTTP server, or use it with an ACL.
  • Disable the BOOTP server (the router can be used by some devices to load their config files):
ROUTER(config)#no ip bootp server
  • Disable the autoboot function (loading the startup config from the network is not secure):
ROUTER(config)#no boot network
ROUTER(config)#no service config
  • Disable the PAD service (used for X.25 only):
ROUTER(config)#no service pad
  • Disable IP source routing (a packet can choose its own route):
ROUTER(config)#no ip source-route
  • Disable proxy ARP (disable it on all interfaces):
ROUTER(config-if)#no ip proxy-arp
  • Disable directed broadcasts (forwards broadcasts from one segment to another):
ROUTER(config-if)#no ip directed-broadcast
  • Protect the router against ICMP-based attacks:
ROUTER(config-if)#no ip redirects
ROUTER(config-if)#no ip unreachables
ROUTER(config-if)#no ip mask-reply
  • Disable the MOP service (used by DECnet for maintenance):
ROUTER(config-if)#no mop enabled
  • Disable NTP on interfaces where it is not used:
ROUTER(config-if)#ntp disable
  • Disable ip domain-lookup.
  • Disable unused interfaces.
  • Allow SNMP packets only from the SNMP server (SNMP ACL = standard ACL only):
ROUTER(config)#access-list 44 permit host 10.0.0.1
ROUTER(config)#access-list 44 deny any
ROUTER(config)#snmp-server community S3CR3T-L0L-0WN3D ro 44
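
To make the checklist above repeatable, here is an added Python audit script (my own example, not code from the original post) that reads a config saved from "show running-config all" and reports which of the hardening items above are missing. It assumes that command's output (plain "show running-config" hides defaults such as "no service tcp-small-servers"), only checks vty lines and non-loopback interfaces, and the SAMPLE config is constructed.

```python
"""Audit a Cisco IOS config against the hardening checklist in this post.
Added example, not from the original post. Assumes 'show running-config all'
output (defaults printed explicitly); SAMPLE below is constructed."""
import re

# Global commands the checklist expects to see, one regex per item.
GLOBAL_REQUIRED = {
    "CDP": r"^no cdp run$",
    "TCP small servers": r"^no service tcp-small-servers$",
    "UDP small servers": r"^no service udp-small-servers$",
    "finger": r"^no ip finger$",
    "BOOTP server": r"^no ip bootp server$",
    "PAD": r"^no service pad$",
    "IP source routing": r"^no ip source-route$",
    "TCP keepalives in": r"^service tcp-keepalives-in$",
    "TCP keepalives out": r"^service tcp-keepalives-out$",
}
# Commands expected under every non-loopback interface.
INTERFACE_REQUIRED = ["no ip redirects", "no ip unreachables", "no ip mask-reply",
                      "no ip proxy-arp", "no ip directed-broadcast", "no mop enabled"]
# Commands expected under every vty line (regex, since the arguments vary).
LINE_REQUIRED = [r"^access-class \S+ in$", r"^exec-timeout \d+ \d+$",
                 r"^login local$", r"^transport input ssh$"]
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)? (?:ro|rw)(?: (\S+))?$")


def parse_blocks(config):
    """Split the config into (top-level line, [indented child lines]) pairs."""
    blocks, header, children = [], None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):
            if header is not None:
                children.append(line.strip())
            continue
        if header is not None:
            blocks.append((header, children))
        header, children = line, []
    if header is not None:
        blocks.append((header, children))
    return blocks


def audit(config):
    """Return sorted findings; an empty list means every check passed."""
    findings, blocks = [], parse_blocks(config)
    top = [h for h, _ in blocks]
    for name, pat in GLOBAL_REQUIRED.items():
        if not any(re.match(pat, h) for h in top):
            findings.append(f"global: {name} hardening missing")
    for header, children in blocks:
        if header.startswith("interface ") and "loopback" not in header.lower():
            for cmd in INTERFACE_REQUIRED:
                if cmd not in children:
                    findings.append(f"{header}: missing '{cmd}'")
        elif header.startswith("line vty"):
            for pat in LINE_REQUIRED:
                if not any(re.match(pat, c) for c in children):
                    findings.append(f"{header}: no line matching '{pat}'")
        elif header.startswith("snmp-server community"):
            m = SNMP_RE.match(header)
            if m and not m.group(2):  # nothing after ro/rw means no ACL applied
                findings.append(f"snmp: community {m.group(1)} has no ACL")
    return sorted(findings)


# Constructed sample: partially hardened, so several findings are expected.
SAMPLE = """\
no service pad
no cdp run
no ip source-route
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
!
snmp-server community public ro
!
line vty 0 4
 exec-timeout 1 0
 login local
 transport input telnet ssh
"""
```

Call audit(SAMPLE) to get the list of findings; on a real device, feed it the saved output instead.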

Next post will be securing the router with ACLs :)
See you


BCMSN Cleared !

Hello !!!

I’ve been studying a lot for this exam and the result is : “PASS”.
I’m so happy about it !!!!! :lol:

Here are the materials I used:

The official exam guide is a nice book, but for me it misses too much hands-on practice. So if you prefer to have more detailed examples about what you are learning, buy the self-study guide.

I passed on Thursday but I think I'll read the self-study book again because I don't feel comfortable with some topics (wifi!).

I'll attend some CiscoWorks courses in 2 weeks, so I'll keep you informed about how it is going, and what we can do with that powerful toy :mrgreen:

When I signed the contract with that new company, I asked them to offer me some CCNP courses and they agreed (BSCI, ONT and ISCW are scheduled, so I hope I'll be a CCNP by the end of the year!!!). Isn't that great?

I'll post some topics about those exams when I have more time :roll:

I also bought 2 books for my BSCI and CCIE Written, and from what I heard about those books they are the "routing bible":

I’ll do a quick review after I finish these routing books :)

Enjoy !!

PS : Feel free to congratulate me :)


ETH0 Disappeared in your Vmware ? Weird isn’t it ?

Hey guys !

A couple of days ago, I went through this. Each time I log into my Ubuntu server (VMware), I can't get an IP address … That's weird because everything should be fine with the VMware config.

So I decided to check in my VMware and here is the result:

Pretty bad, huh? :)

So I checked on Google and found some tricks that fix the config. Here is what I did:

vim /etc/udev/rules.d/70-persistent-net.rules

Remove the first line (SUBSYSTEM etc etc …) and then rename eth1 to eth0 in the last line! Save your file (esc + :wq! + <cr>) and reboot.

Tadaaaaaaaaaaaaa

PS: don't forget to do an ifconfig eth0 up after the reboot :)

Enjoy


Router Redundancy !!!

 

Chapter 13: Router Redundancy (Part 1)

1) HSRP (Hot Standby Router Protocol)

HSRP is defined in RFC 2281 and is Cisco proprietary. It was developed to allow several routers to appear as a single gateway IP address.

  1) How does it function?

  • One router is Active (the forwarding router)
  • Another router is elected as Standby (the primary backup router)
  • All the others are put in the Listen state

Routers exchange hello messages at regular intervals to the multicast IP 224.0.0.2 using UDP port 1985.

An HSRP group number must be assigned (0-255).

The protocol consists of allocating a virtual IP and a virtual MAC address that are shared by the group.

  2) HSRP Router Election:

HSRP router election is based on a priority value (0 to 255; the default is 100). The highest value wins.

If all the routers have the same priority (or the default), the router with the highest IP address wins the election.

The router with the 2nd best value is the standby router.

The other routers are in the listen state and can replace either router if a failure occurs.

Router priority configuration:

        Switch(config-if)#standby 1 priority 200

HSRP states during the election:

  • Disabled
  • Init
  • Listen
  • Speak
  • Standby
  • Active

To minimize network traffic, only the active and the standby routers send periodic HSRP messages once the protocol has completed the election process.

  3) HSRP Virtual MAC and IP Addresses:

For each standby group, a single well-known MAC address is allocated to the group, as well as an IP address.

The virtual MAC is of the form:

0000 : 0C07 : ACXX

  • 0000.0C: Cisco well-known vendor code
  • 07.AC: HSRP well-known address
  • XX: HSRP group number

While running HSRP, it is important to prevent the hosts from discovering the primary MAC addresses of the routers in the standby group. Thus, any protocol that informs a host of a router's primary address should be disabled!

Thus, routers participating in HSRP on an interface MUST NOT send ICMP redirects on that interface.

  4) HSRP Timers:

  • Hello timer: the period between the hello messages that the router sends. If the hello time is not configured then it MAY be learned from the Active router.
  • Holdtime timer: hello messages are valid for one holdtime. The holdtime should be at least 3 times the value of the hello time and MUST be greater than the hello time. If the holdtime is not configured then it MAY be learned from the Active router.

        Router(config-if)# standby [group] timers [msec] hellotime [msec] holdtime

  5) Preempt

After the Active router fails and the Standby router becomes active, the original active router cannot immediately become active again when it is restored unless preempt is configured.

        Router(config-if)# standby 1 preempt delay minimum seconds reload seconds

"minimum" defines the time the router must wait after it becomes HSRP-capable on the interface (this allows the routing table to be built). "reload" defines the time it must wait after reloading.

  6) Interface Tracking

If a WAN interface is down, the router keeps sending HSRP hellos on the LAN interface. So both (Active and Standby) think that there is no problem, while there is one: the Active router cannot forward the packets it receives on its LAN interface.

Interface tracking reduces the router's HSRP priority by a certain amount as soon as the tracked interface goes down (and increases the priority back when the interface comes back up).

The default decrement is 10. Preempt must be configured.

        Router(config-if)# standby 1 track fa0/1 <decrement>

  7) HSRP configuration

        Router(config-if)# standby 1 ip 192.168.0.1
        Router(config-if)# standby 1 priority 200
        Router(config-if)# standby 1 preempt delay ..
        Router(config-if)# standby 1 timers 20 70
        Router(config-if)# standby 1 track fa0/1 <decrement>

  8) HSRP Load Balancing

We can create different HSRP groups on the same interface, but the hosts MUST be configured with different gateways (one per group).

2) VRRP (Virtual Router Redundancy Protocol):

It is defined in RFC 2338 and RFC 3768.

There are a few differences from HSRP:

  • VRRP provides one redundant gateway address from a group of routers. The active router is called the Master; the standby router is called the Backup.
  • Virtual MAC: 0000 : 5E00 : 01XX (XX = virtual router ID)
  • VRRP advertisements are sent at a 1 second interval. Backup routers can learn the advertisement interval from the Master.
  • By default, all VRRP routers are configured to preempt.
  • VRRP has no mechanism for tracking interfaces to allow more capable routers to take over the Master role.
  • VRRP sends advertisements to the IP address 224.0.0.18.
  • In VRRP, Backups do not send advertisements, so the Master does not know about the Backups.
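
To make the HSRP election, interface tracking, virtual MAC and timer rules above concrete, here is an added Python example (mine, not from the chapter or the book it summarizes). The virtual MAC formats are the ones given in the text; the router names, addresses and priorities in ROUTERS are constructed, and the election assumes preempt is configured so a priority change takes effect.

```python
"""HSRP/VRRP helpers for the rules in this chapter: virtual MAC derivation,
active/standby election with interface tracking, and timer sanity checks.
Added example, not from the original post; router names and IPs are constructed."""
import ipaddress


def hsrp_virtual_mac(group):
    """HSRP (version 1) virtual MAC is 0000.0c07.acXX with XX = group (0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def vrrp_virtual_mac(vrid):
    """VRRP virtual MAC is 0000.5e00.01XX with XX = virtual router ID (1-255)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRRP VRID must be 1-255")
    return f"0000.5e00.01{vrid:02x}"


def identify_virtual_mac(mac):
    """Map a MAC seen on the wire back to (protocol, group), or None.
    A station that is not one of your routers sourcing frames from such an
    address is a gateway-impersonation symptom worth alerting on."""
    norm = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(norm) != 12:
        return None
    if norm.startswith("00000c07ac"):
        return ("HSRP", int(norm[10:], 16))
    if norm.startswith("00005e0001"):
        return ("VRRP", int(norm[10:], 16))
    return None


def effective_priority(priority, tracked_down, decrement=10):
    """Interface tracking: each tracked interface that is down lowers the
    configured priority by 'decrement' (default 10), never below 0."""
    return max(0, priority - decrement * tracked_down)


def elect(routers):
    """Rank (name, ip, priority, tracked_down) tuples and return
    (active, standby, [listen...]): highest effective priority wins,
    ties are broken by the highest IP address (preempt assumed)."""
    ranked = sorted(
        routers,
        key=lambda r: (effective_priority(r[2], r[3]),
                       int(ipaddress.IPv4Address(r[1]))),
        reverse=True,
    )
    names = [r[0] for r in ranked]
    return names[0], (names[1] if len(names) > 1 else None), names[2:]


def check_timers(hello, holdtime):
    """Holdtime MUST be greater than hello and should be at least 3x hello."""
    if holdtime <= hello:
        return ["holdtime must be greater than hello"]
    if holdtime < 3 * hello:
        return ["holdtime should be at least 3x hello"]
    return []


# Constructed sample: R1 has the best priority but its tracked WAN link is
# down, so it drops to 100 and loses the IP tie-break to R3.
ROUTERS = [
    ("R1", "192.168.0.2", 110, 1),
    ("R2", "192.168.0.3", 100, 0),
    ("R3", "192.168.0.4", 100, 0),
]

if __name__ == "__main__":
    print(elect(ROUTERS), hsrp_virtual_mac(1), check_timers(20, 70))
```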

 

 

3) GLBP (Gateway Load Balancing Protocol)

Cisco proprietary, true load balancing.

  1) Active Virtual Gateway

  • One router is elected as the Active Virtual Gateway (AVG).
  • The AVG answers ALL ARP requests for the virtual router. The MAC address returned by the AVG depends on the load balancing algorithm. Up to 4 virtual MAC addresses can be used in any group.
  • Each of these is referred to as an Active Virtual Forwarder (AVF).
  • GLBP group numbers range from 0 to 1023. Priorities range from 0 to 255 (default is 100).

  2) Active Virtual Forwarder

All routers sharing load in GLBP are AVFs.

If an AVF fails, the AVG reassigns its virtual MAC to another router.

Two timers are used to age out the virtual MAC of a failed AVF:

  • Redirect timer (default 600 secs): determines when the AVG will stop responding to ARP requests with the MAC of the failed AVF.
  • Timeout timer (default 4 hours): determines when the failed AVF is no longer expected to return, and its virtual MAC is flushed from the GLBP group.

        Router(config-if)# glbp 1 timers redirect

Interfaces can be tracked and the AVF's weight adjusted when interfaces go down:

Switch(config)# track <object number> interface <interface> {line-protocol | ip routing}
Switch(config-if)# glbp <group> weighting <maximum> [lower <lower>] [upper <upper>]
Switch(config-if)# glbp <group> weighting track <object number> [decrement <value>]

When the upper or lower threshold is reached, the AVF enters or leaves the group, respectively.

  3) Load Balancing Modes in GLBP

  • Weighted load balancing algorithm: the amount of load directed to an AVF depends on the weighting value of the gateway containing that AVF.
  • Host-dependent load balancing algorithm: a host is guaranteed to use the same MAC address as long as that MAC is participating in the GLBP group.
  • Round-robin algorithm: each virtual forwarder MAC address takes turns being included in address resolution replies for the virtual IP.

Switch(config-if)# glbp 1 load-balancing {round-robin | weighted | host-dependent}
Switch(config-if)# glbp 1 priority 200
Switch(config-if)# glbp 1 ip 10.88.1.10 [secondary]
Switch(config-if)# glbp 1 preempt [delay minimum <seconds>]

Timers only need to be configured on the AVG; the other routers learn them from it.

PS: For those who are interested: my GLBP lab.

The HSRP lab will come during the week. Have fun!
