Hardware redundancy
<Redundant supervisor engine provided>
· The supervisor engine (the "monitoring engine") is a key component of a modular switch: once it runs into a problem, the switch can no longer forward traffic. High-end chassis such as the 4500/5500/6500 can hold two supervisor engines for redundancy.
· The switch supports supervisor engine redundancy with RPR (Route Processor Redundancy) and RPR+.
· The technology in common use today is SSO (Stateful Switchover).
· The MSFC (Multilayer Switch Feature Card) runs the routing protocols (exclusive).
The PFC (Policy Feature Card) handles multilayer switching (exclusive).

Mode    Failover time    State of the standby supervisor engine
RPR     2-4 minutes      booted but not running
RPR+    30-60 seconds    booted and running

Switch:
Switch(config)# redundancy
Switch(config-red)# mode rpr-plus
Switch# show redundancy states
Switch(config)# power redundancy-mode {combined | redundant}     power redundancy
Switch# show power
<SSO status switch>
Switch:
Switch(config)# redundancy
Switch(config-red)# mode sso
Switch# show redundancy states
<SSO status switch>
SW:
Switch (config) # redundancy
Switch (config-red) # modesso
Switch # showredundancystates
<Provide power redundancy>
A modular switch can usually be fitted with several power supplies. If one supply alone meets the power requirement, the other can serve as a redundant supply.
Enable power redundancy:
Switch:
power redundancy-mode redundant
Power redundancy is enabled by default; in redundant mode the system's power draw is shared by the two supplies, that is, they load-balance.
Disable redundancy:
power redundancy-mode combined
On the 6500 series, in combined (non-redundant) mode the power available to the system is the sum of the two supplies.
View with:
show power
A single module can also be powered off with:
no power enable module <slot>
Power it on again:
power enable module <slot>
Note: if a module is powered off with this command, its configuration is not saved.
The 4500 cannot power off a line module.
Reset a module:
power cycle module <slot>
When a module is reset it is powered off for 5 minutes and then powered on again.
------------------------------------------------------------------------------------------
Gateway redirection
<What is a gateway>
A gateway is also called an inter-network connector or protocol converter. It is the most complex of the network interconnection devices, working at the transport layer to interconnect networks, and is used only to interconnect two networks whose upper-layer protocols differ. Gateways are used for both WAN and LAN interconnection. A gateway is a computer system or device that performs conversion: it translates between two systems that use different communication protocols, data formats, languages, or even entirely different architectures. Unlike a bridge, a gateway repacks the information it receives to suit the target system. A gateway can also provide filtering and security functions.
Just as going from one room to another means passing through a door, sending information from one network to another means passing through a "gate", and that gate is the gateway. As the name implies, a gateway is the "gate" through which one network connects to another.
<How a host obtains its gateway>
A computer normally needs a default gateway to reach external networks. It can obtain the gateway in two ways:
I. Static configuration
II. Dynamic acquisition
1. Assigned automatically by DHCP
2. Proxy ARP (enabled automatically)
3. IRDP (enabled manually)
1) Proxy ARP:
Role of proxy ARP: it lets a host reach the outside without a gateway configured.
Proxy ARP supplies the MAC address of the gateway to a host that has no routing information.
When the gateway router receives the host's ARP request, it answers with its own MAC address. All of the host's packets are then sent to the gateway, which forwards them to the destination host (proxy ARP is enabled by default).
The Ethernet interfaces of Cisco routers enable proxy ARP by default.
Drawback: a link failure toward a directly connected host is not detected immediately.
If two gateways both answer the same ARP request, the host picks one of them as its gateway.
R1(config-if)# no ip proxy-arp     disable proxy ARP
show arp
debug arp
clear arp-cache
· When PC4 pings 1.1.1.1, R2 receives the ARP request; because R2 has a route to 1.1.1.1, it replies and sends its own MAC address to PC4.
· ICMP redirect:
When a router finds that the interface on which it received a packet is the same interface it will forward the packet out of, it sends an ICMP redirect message out that interface.
Set R2 as the default gateway on PC4.
PC4 keeps pinging 1.1.1.1. When R2's upstream interface s0 goes down, R2 forwards the packets back out its e0 interface and sends a redirect; afterwards an extra route entry pointing to the new gateway appears on the PC, visible with show ip route.
clear ip redirect     clear the redirect entries on the PC
Redirects are enabled by default.
no ip redirects, applied on the interface, disables redirects.
· Gratuitous ARP: when an interface is brought up with no shutdown, it sends an ARP for its own IP address to detect IP address conflicts.
debug arp
R2(config-if)# arp timeout <0-2147483>     modify the ARP table aging time
2) IRDP (ICMP Router Discovery Protocol)
Principle: ICMP messages are used so that the host obtains its gateway automatically. Both the host and the router must support the protocol.
1. Router solicitation message: sent by the host to the routers to request a gateway address.
2. Router advertisement message: sent by the router to the host, carrying a gateway address.
Configuration:
R1(config)# int e0
R1(config-if)# ip irdp     enable IRDP
sh ip irdp
R1(config-if)# ip irdp holdtime 1800     default is 30 minutes
R1(config-if)# ip irdp preference 0
R1(config-if)# ip irdp address 10.1.1.2 100     set the preference of an individual IP address
---------------------------------------------------------------------------------------------------
<Implement default gateway redundancy>
If a network has several gateways and our computer is configured with one of them, then when that gateway goes down the computer can no longer reach the outside; traffic is not switched automatically to the other available gateways.
To let the other gateways act as backups and achieve redundancy, we need gateway redundancy technology.
There are three gateway redundancy technologies:
1. HSRP
2. VRRP
3. GLBP
HSRP (Hot Standby Router Protocol) (Cisco proprietary; can be implemented on layer-3 switches and routers)
· HSRP is a gateway redundancy protocol that provides uninterrupted IP path redundancy by sharing a protocol and a MAC address among the redundant gateways.
· HSRP creates a virtual MAC address and a virtual IP address across two or more routers; in effect it combines several physical routers into one virtual router. The virtual router has its own IP address and MAC address, and the hosts' gateway can be set to the virtual IP address.
· An HSRP hello packet carries the priority (default 100), the hello interval (default 3 s), the holdtime (default 10 s) and the virtual gateway IP.
· HSRP hellos are sent to the multicast address 224.0.0.2.
· The default priority of an HSRP router is 100; when priorities are equal, the IP addresses are compared.
· An HSRP group can contain several routers. In a stable group only two routers send hellos: the active router and the standby router. The other routers do not send hellos but stay in the listen state.
· HSRP can be configured with several groups to achieve load balancing.
· Virtual MAC address: the first 40 bits are fixed, and the last 8 bits are the HSRP group number in hexadecimal.
For example, HSRP group 47 is 2f in hexadecimal.
The fixed first 40 bits of the MAC address are 0000.0c07.ac.
The resulting virtual MAC address is 0000.0c07.ac2f.
· Router states in HSRP:
1. Initial: all routers begin in this state, when HSRP is not running.
2. Learn: no hello received yet and no virtual IP address known; waiting to receive a hello.
3. Listen: hellos received and the virtual IP address known; every router other than active and standby is in this state.
4. Speak: sends hellos periodically and takes part in the election of the active and standby routers.
5. Standby: the highest-priority router not selected as active; keeps sending hellos; only one per group.
6. Active: the router selected to forward traffic; keeps sending hellos; only one per group.
Example: R1, R2 and R3 run a routing protocol and advertise all their interfaces.
1. Configure HSRP on R2/R3:
R2(config-if)# standby 1 ip 10.1.1.100     create the virtual IP address; when the address is given explicitly the router does not enter the learn state.
R3(config-if)# standby 1 ip     no virtual IP given; it is learned automatically from the hello packets, so the router enters the learn state.
R2(config-if)# standby 1 priority 105     (the default is 100)
R2(config-if)# standby 1 preempt     enable preemption: the router with the higher priority becomes active.
R2(config-if)# standby 1 timers <hellotime> <holdtime>     modify the hello and hold times (defaults 3 s and 10 s)
R2(config-if)# standby 1 timers 5 15
R2(config-if)# standby 1 timers msec 5 msec 15     millisecond timers, so that a failed neighbor is detected and the switchover completed quickly.
R2(config-if)# no standby 1 timers     restore the default values
Note: as long as the timers are changed on the active router, the other routers learn them.
R2(config-if)# standby 1 name MY-GATEWAY     give the group a name
R2# show standby     basic HSRP information
R2# show standby brief
debug standby events
debug standby packets
When HSRP is enabled, ICMP redirects are disabled by default; this stops hosts from learning the real gateway address automatically.
2. PC4 gateway:
PC4(config)# ip default-gateway 23.1.1.100
3. HSRP tracking (interface tracking), designed for the case where the uplink interface goes down:
R3(config)# int e0     note that e0 is entered here, that is, the interface on which HSRP runs.
R3(config-if)# standby 1 track Serial1     (default: priority decremented by 10)
R3(config-if)# standby 1 track Serial1 decrement 20     decrement by 20
When s1 goes down, the priority on e0 is reduced automatically so that the router gives up the active role, provided preemption is enabled.
A specific route can be tracked as well; a track object must be created first:
R3(config)# track 1 ip route 1.1.1.0/24 reachability
R3(config-if)# standby 1 track 1
An HSRP group can track several objects; each tracked interface is also an object.
4. Authentication
R3(config-if)# standby 1 authentication 12345678
Older IOS supports only 8-character plaintext authentication; newer IOS (12.4) supports MD5 authentication.
Note: by default Cisco uses plaintext authentication with the lower-case password cisco.
R3(config-if)# standby 1 authentication cisco
5. Multiple groups
R2(config-if)# standby 2 ip 23.1.1.200     (configure a second group)
· HSRP load balancing:
When a subnet has many hosts, using only one active router for all outbound traffic while the other sits idle is wasteful.
The subnet can be split into two HSRP groups, each with a different router as active and the two backing each other up; the hosts are likewise split into two batches, each configured with a different gateway.
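The hello fields listed above (priority, hello time, holdtime, virtual IP, and the plaintext authentication string whose default is cisco) can be checked from a packet capture. The Python below is an added example, not code from the original notes or from any vendor: it decodes the fixed 20-byte HSRP version 1 header as laid out in RFC 2281 (the header layout is a known fact; the sample packets are constructed here with values matching the lab above, group 1, virtual IP 23.1.1.100, R2 active at priority 105) and flags a hello that claims a priority above the highest legitimately configured one or that still carries the default authentication string. The expected-configuration dictionary and the thresholds are assumptions of this example.

```python
import struct
from ipaddress import IPv4Address

# HSRP version 1 header (RFC 2281): 20 bytes carried in UDP port 1985 to 224.0.0.2.
#   version, opcode, state, hellotime, holdtime, priority, group, reserved (1 byte each),
#   authentication data (8 bytes), virtual IP address (4 bytes)
HSRP_V1_FORMAT = "!BBBBBBBB8s4s"
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FORMAT)   # 20
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
DEFAULT_AUTH = b"cisco"


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode one HSRPv1 message (the UDP payload) into a dictionary."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("payload shorter than an HSRPv1 header")
    (version, opcode, state, hellotime, holdtime, priority, group,
     _reserved, auth, vip) = struct.unpack(HSRP_V1_FORMAT, payload[:HSRP_V1_LEN])
    if version != 0:
        raise ValueError(f"not HSRP version 1 (version field {version})")
    return {
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        "auth": auth.rstrip(b"\x00"),   # plaintext string, zero-padded to 8 bytes
        "virtual_ip": str(IPv4Address(vip)),
    }


def build_hsrp_v1(opcode, state, hellotime, holdtime, priority, group, auth, vip) -> bytes:
    """Encode a message; used here only to construct the sample input below."""
    return struct.pack(HSRP_V1_FORMAT, 0, opcode, state, hellotime, holdtime,
                       priority, group, 0, auth.ljust(8, b"\x00"), IPv4Address(vip).packed)


def check_hello(msg: dict, expected: dict) -> list:
    """Compare a decoded message with the known legitimate group configuration.

    Returns a list of findings; an empty list means nothing unusual was seen.
    """
    findings = []
    if msg["group"] != expected["group"]:
        findings.append(f"unexpected group {msg['group']}")
    if msg["virtual_ip"] != expected["virtual_ip"]:
        findings.append(f"virtual IP {msg['virtual_ip']} is not the configured one")
    if msg["priority"] > expected["max_priority"]:
        findings.append(f"priority {msg['priority']} exceeds the highest configured "
                        f"priority {expected['max_priority']}: misconfiguration or an unauthorised speaker")
    if (msg["hellotime"], msg["holdtime"]) != (expected["hellotime"], expected["holdtime"]):
        findings.append(f"timers {msg['hellotime']}/{msg['holdtime']} differ from the configured ones")
    if msg["auth"] == DEFAULT_AUTH:
        findings.append("group still uses the default plaintext authentication string")
    if msg["opcode"] == "coup":
        findings.append("coup message: a router is claiming the active role")
    return findings


# Constructed description of the lab above (an assumption of this example).
EXPECTED = {"group": 1, "virtual_ip": "23.1.1.100", "max_priority": 105,
            "hellotime": 3, "holdtime": 10}

# Constructed sample packets: a normal hello from R2 (active, priority 105, default
# authentication) and a hello claiming priority 255, which no configured router uses.
SAMPLE_LEGIT = build_hsrp_v1(0, 16, 3, 10, 105, 1, b"cisco", "23.1.1.100")
SAMPLE_SUSPECT = build_hsrp_v1(0, 16, 3, 10, 255, 1, b"cisco", "23.1.1.100")

if __name__ == "__main__":
    for name, pkt in (("legit", SAMPLE_LEGIT), ("suspect", SAMPLE_SUSPECT)):
        msg = parse_hsrp_v1(pkt)
        print(name, msg)
        for finding in check_hello(msg, EXPECTED):
            print("  finding:", finding)
```

Feeding real captures to parse_hsrp_v1 is a matter of extracting the UDP payload of packets to 224.0.0.2 port 1985; the legitimate sample produces exactly one finding (the default authentication string), the second sample adds the priority finding.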
---------------------------------------------------------------------------------------------------------------
VRRP (Virtual Router Redundancy Protocol), industry standard
· VRRP is also a default gateway redundancy method; it lets a group of routers form one virtual router.
· The protocol number in the IP header is 112, the multicast address is 224.0.0.18, the advertisement interval is 1 second, and the master down interval is three times the advertisement interval.
· Master and backup
· There is only one master router; all the others are backups. If the master goes down, the backup with the highest priority becomes master.
· Each router's default priority is 100. A priority of 0 means the router is no longer a member of the virtual group.
· The real IP address of a router can be used as the virtual IP address, which differs from HSRP.
· When the virtual IP address is set to the real interface address of a router, that router's priority becomes 255 and it automatically becomes master.
· Preemption is enabled by default.
· The virtual MAC address begins with 0000.5e00.01, where 01 stands for VRRP, and the last two hex digits are the group number.
For example, the MAC address of group 10 is 0000.5e00.010a.
· Main differences between VRRP and HSRP:
In VRRP the backup routers send no advertisements, so the master does not know the current backups. The master sends an advertisement every 1 second.
· Earlier IOS versions had no tracking in VRRP for an uplink going down.
Tracking the uplink in VRRP:
track 100 interface S0/0 line-protocol     a numbered object represents the link state of the interface
vrrp 1 track 100 decrement 30     lower the priority by this amount and let preemption reassign the roles
When tracking is configured, the virtual IP address cannot be the same as the real physical interface address.
R2(config-if)# vrrp 1 ip 23.1.1.100     an IP address must follow
R2(config-if)# vrrp 1 priority 105     (default 100)
R2(config-if)# vrrp 1 timers advertise 5     change the advertisement interval to 5 s
R4# show vrrp
R4# show vrrp brief
debug ip packet detail
debug vrrp packets
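The virtual MAC derivations given above (HSRP group 47 gives 0000.0c07.ac2f, VRRP group 10 gives 0000.5e00.010a) and the VRRP master election rules (priority, IP owner forced to 255, priority 0 as withdrawal, tie broken by IP address, tracking decrement) can be worked through in a few lines. The Python below is an added example, not code from the original notes or from any vendor: the router names and addresses are constructed to match the lab (R2 at 23.1.1.2 with priority 105, R3 and R4 at 100, virtual IP 23.1.1.100), the 30-point decrement mirrors the vrrp 1 track 100 decrement 30 command, and the master-down interval follows RFC 3768, which adds a priority-dependent skew time to the three advertisement intervals mentioned in the notes. Clamping a decremented priority at 1 is a choice of this example, not a documented device behaviour.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


def hsrp_v1_virtual_mac(group: int) -> str:
    """HSRP version 1: fixed 40 bits 0000.0c07.ac followed by the 8-bit group number."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def vrrp_virtual_mac(vrid: int) -> str:
    """VRRP: fixed 40 bits 0000.5e00.01 followed by the 8-bit VRID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"0000.5e00.01{vrid:02x}"


@dataclass
class VrrpRouter:
    name: str
    address: str          # real interface address
    priority: int = 100   # configured priority, default 100


def effective_priority(router: VrrpRouter, virtual_ip: str, decrement: int = 0) -> int:
    """Priority actually used in the election.

    The IP owner (real address equal to the virtual address) is forced to 255
    regardless of configuration. A tracking decrement lowers the configured value;
    this example clamps the result at 1, because 0 has the special meaning
    "withdraw from the group".
    """
    if router.address == virtual_ip:
        return 255
    if router.priority == 0:
        return 0
    return max(1, router.priority - decrement)


def elect_master(routers, virtual_ip, decrements=None):
    """Name of the router that becomes master, or None if nobody is eligible.

    Highest effective priority wins; on a tie the higher IP address wins;
    priority 0 means the router takes no part.
    """
    decrements = decrements or {}
    candidates = []
    for r in routers:
        prio = effective_priority(r, virtual_ip, decrements.get(r.name, 0))
        if prio > 0:
            candidates.append((prio, IPv4Address(r.address), r.name))
    if not candidates:
        return None
    return max(candidates)[2]


def master_down_interval(priority: int, advertisement_interval: float = 1.0) -> float:
    """RFC 3768: 3 * Advertisement_Interval + Skew_Time, Skew_Time = (256 - Priority) / 256.

    Lower-priority backups wait slightly longer, so the best backup declares the
    master dead first and there is no race between backups.
    """
    return 3 * advertisement_interval + (256 - priority) / 256


# Constructed lab topology matching the notes above.
ROUTERS = [
    VrrpRouter("R2", "23.1.1.2", 105),
    VrrpRouter("R3", "23.1.1.3"),
    VrrpRouter("R4", "23.1.1.4"),
]
VIRTUAL_IP = "23.1.1.100"

if __name__ == "__main__":
    print("HSRP group 47 ->", hsrp_v1_virtual_mac(47))
    print("VRRP group 10 ->", vrrp_virtual_mac(10))
    print("master:", elect_master(ROUTERS, VIRTUAL_IP))
    # R2's tracked uplink goes down: vrrp 1 track 100 decrement 30
    print("master after decrement:", elect_master(ROUTERS, VIRTUAL_IP, {"R2": 30}))
    # R3's real address used as the virtual address: R3 is the IP owner
    print("master with IP owner:", elect_master(ROUTERS, "23.1.1.3"))
    for r in ROUTERS:
        print(r.name, "master-down interval:",
              master_down_interval(effective_priority(r, VIRTUAL_IP)))
```

With the decrement applied, R2 drops to 75 and R3 and R4 tie at 100; the tie goes to R4 because 23.1.1.4 is the higher address, which is the behaviour the notes describe for equal priorities.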
------------------------------------------------------------------------------------------------------------------
VRRP (Virtual Router Redundancy Protocol) is a fault-tolerance protocol. Normally a default route is configured on all hosts in a network, so that packets from a host whose destination is outside the local segment are sent to the router through the default route, which gives the host connectivity to external networks. When that router fails, every host on the segment that uses it as its default route loses external connectivity: a single point of failure. VRRP was proposed to solve this problem. It is designed for LANs with multicast or broadcast capability, such as Ethernet.
VRRP organizes a group of routers in the LAN (a Master, the active router, plus several Backup routers) into a virtual router, called a backup group. The virtual router has its own IP address, 10.100.10.1 (this address may be the same as the interface address of one router in the backup group; that router is then called the IP owner), and the routers in the backup group also have their own IP addresses (for example, the Master's is 10.100.10.2 and the Backup's is 10.100.10.3). Hosts in the LAN know only the virtual router's address 10.100.10.1, not the Master's address 10.100.10.2 or the Backup's address 10.100.10.3. [1] They set the next hop of their default route to the virtual router's address 10.100.10.1, so the hosts reach other networks through this virtual router. If the Master in the backup group fails, the Backup routers elect a new Master through the election policy and continue to provide routing service to the hosts, so the hosts keep communicating with external networks without interruption.
Working principle
A VRRP router has a unique identifier, the VRID, in the range 0 to . The router presents a unique virtual MAC address in the format 00-00-5E-00-01-[VRID]. The Master router answers ARP requests with this MAC address, so that end devices see a consistent IP-to-MAC mapping and a switchover has little impact on them. [3]
VRRP has only one control packet, the VRRP advertisement. It is encapsulated in an IP multicast packet to the group address 224.0.0.18, and its scope is limited to the local LAN, which allows a VRID to be reused in different networks. To reduce bandwidth consumption, only the Master sends periodic VRRP advertisements to the Backups; a Backup starts a new election if it receives no advertisement within the interval, or if it receives an advertisement with priority 0. [3]
In a VRRP router group the Master is chosen by priority. The VRRP priority range is 0-255. If a VRRP router's virtual IP address equals its own interface IP address, that router is the IP address owner of the VRRP group and automatically has the highest priority, 255. Priority 0 is generally used when the IP address owner voluntarily gives up the Master role. The configurable priority range is 1-. Priorities can be assigned on the basis of link speed and cost, router performance and reliability, and other management policy. In the Master election the router with the higher priority wins, so if the group has an IP address owner it always acts as Master. Among candidates with the same priority, VRRP chooses by the size of the IP address. VRRP also provides a preemption policy: when it is configured, a higher-priority Backup takes the Master role away from the current lower-priority Master and becomes the new Master.
To secure VRRP, two authentication measures are provided: plaintext authentication and IP Authentication Header authentication. With plaintext authentication a router joining a VRRP group must present the same VRID and the same plaintext password, which guards against configuration errors in the LAN but cannot stop someone who sniffs the network; IP Authentication Header authentication gives higher security and prevents replay, modification and similar attacks.
----------------------------------------------------------------------------------------------------
GLBP (Gateway Load Balancing Protocol)
· A GLBP group uses up to four gateways, called active virtual forwarders (AVFs).
One active virtual gateway (AVG) is elected to manage the other active virtual forwarders; only the AVG answers ARP requests.
There can also be an AVG with four AVFs; in that case the AVG is not itself an AVF, that is, it does not forward data.
· The AVG assigns a virtual MAC address to each AVF.
· The AVG also has an active/standby pair.
· GLBP's default mode load-balances in round-robin fashion: hosts requesting the gateway's MAC address are given different virtual MAC addresses in turn.
· Preemption must be configured manually.
· Hello packets are sent to the multicast address 224.0.0.102, UDP port 322.
· Hello time 3 s, holdtime 10 s.
· Every device sends hello packets.
· GLBP can also track upstream interfaces.
R2(config-if)# glbp 1 ip 192.168.1.1
R2(config-if)# glbp 1 timers 5
R2(config-if)# glbp 1 priority 120
debug glbp packets
show glbp
------------------------------------------------------------------------------------------
<SPAN (Switched Port Analyzer)> The Switched Port Analyzer can be used to capture packets.
· The traffic of a VLAN or a group of ports can be copied to a designated port.
This does not affect the traffic of the source ports or VLAN.
· SPAN supports three kinds of traffic:
1. Inbound traffic
2. Outbound traffic
3. Bidirectional traffic
Local SPAN
The source ports, source VLAN and destination port are configured on the same switch.
Sw1(config)# monitor session 1 source interface f0/1 {both | rx | tx}     monitored port
Sw1(config)# monitor session 1 destination interface f0/8     port connected to the analyzer
Sw1# show monitor session 1 detail
Note: the destination port cannot be used for any other purpose.
RSPAN (Remote SPAN)
· Supports monitoring source ports or VLANs on a different switch.
Sw1(config)# vlan 100
Sw1(config-vlan)# remote-span     define an RSPAN VLAN; it can be distributed by VTP
Sw1(config)# monitor session 1 source interface f0/1
Sw1(config)# monitor session 1 destination remote vlan 100 reflector-port f0/8
(the reflector port is an unused interface)
The link between the switches must be a trunk.
Sw2(config)# monitor session 1 source remote vlan 100
Sw2(config)# monitor session 1 destination interface f0/3     port connected to the analyzer
show vlan remote-span
Note: VTP pruning is not required.
Filtering VLANs (when the source port is a trunk):
monitor session <number> filter vlan 101     limit the traffic from the source to the specified VLAN