Session 1 ARP Proxy technology
1. ARP Proxy
Proxy ARP is a function of L3 gateway devices (routers or L3 switches). It relies on the fact that ARP has no authentication: the gateway answers ARP requests on behalf of hosts and then performs the L3 forwarding for them. An ARP request is a broadcast and broadcasts are confined to the L2 segment, so a host cannot resolve an address on another network segment; the L3 gateway therefore resolves it in the host's place. When a PC sends an ARP request for a destination on a different network segment, the gateway receives the broadcast and replies with its own MAC address as if it were the requested host (the same principle as ARP spoofing). The PC installs an ARP entry mapping the destination IP to the gateway's MAC and sends its unicast data with the gateway's MAC in the L2 header, while the L3 source and destination IPs remain those of the sending PC and the destination PC. The gateway receives the frame, rewrites the L2 header (source MAC: the gateway's own egress interface MAC; destination MAC: the next-hop interface or the destination PC) and sends the frame on to the destination PC. The destination PC is handled the same way: by the same ARP spoofing principle its ARP table maps the sender's IP to the MAC of the gateway interface facing it, so the reply it sends back to the sender goes directly to that gateway interface, and the gateway rewrites the L2 header once more to proxy it back. The detailed forwarding process is described under the L2 and L3 forwarding principles.
Proxy ARP redundancy: proxy ARP is enabled on two gateway devices and the PCs are configured without a default gateway. A PC forwards its data through whichever gateway answers (spoofs) its ARP request, so the two gateways compete over which one's address is used as the default gateway. If one of them goes down (here meaning the device loses its connection to the Internet rather than failing outright), the other continues the forwarding work. The disadvantage is that when a gateway goes down the PC's ARP table is not cleared immediately: until the entry ages out (age time 30 min) the PC still holds the MAC address of the failed gateway, so it sends no new ARP broadcast and keeps sending traffic to the gateway whose Internet connection is down, and communication fails. The redundant gateway's MAC address is only learned after the 30 min ARP age-out or after the cache is cleared manually.
Although proxy ARP on the L3 gateway in principle lets the PCs behind it communicate without a default gateway (the PC broadcasts ARP and the gateway forwards on its behalf), in practice Windows 7 and later operating systems (Windows XP not tested) behave differently when no default gateway is set: if the host detects that the destination IP of a packet is not on its own network segment, it does not send an ARP request at all but drops the packet directly. Setting a default gateway address triggers the ARP broadcast, so the gateway device receives the PC's ARP packet and proxies the forwarding for the PC. Even if the configured gateway address is on a completely different network from the PC's address, the gateway still forwards on the PC's behalf based on the destination IP and MAC address.
Proxy ARP has by now essentially been phased out, so it is recommended to disable it on the interface:
SW(config-if)# no ip proxy-arp   - Cisco enables proxy ARP by default
Additional notes:
1. Proxy ARP only works if the interface connecting to the clients has proxy ARP enabled on this device and the device has a route to the destination IP over which it can forward; otherwise proxy ARP does not work.
2. In a multi-access (MA) network, static routes should be written with a next-hop address. The reason is that if the peer device does not have proxy ARP enabled, a static route written with only the outgoing interface will not communicate. The cause lies in how the ARP request is encapsulated, illustrated by the following example.
PC1: 192.168.1.2/24    R1's F0/0: 12.1.1.1/24
PC2: 172.16.1.2/24     R2's F0/0: 12.1.1.2/24
Conditions: 1. Neither R1 nor R2 has proxy ARP enabled; PC1's gateway is set to the IP of R1's f0/0 interface.
PC1 sends data to PC2. (Assuming PC1 has a gateway configured, the L2 destination of the ARP packet PC1 sends is not broadcast but the MAC address of R1's f0/0 interface. If PC1 had no gateway configured, it would send an ARP with a broadcast L2 destination MAC, and R1 would handle it in one of two ways: with proxy ARP enabled, R1 forwards on PC1's behalf and answers with its own MAC address; with proxy ARP disabled, the ARP broadcast is simply dropped.) So PC1 sends a unicast ARP to R1. On receiving it, R1 first checks whether it has a route, and it does: a static route to PC2's network that uses the outgoing interface. Since the route exists, R1 can send the data. R1 re-encapsulates the ARP request on PC1's behalf: at L2 the source address is its own F0/1 interface MAC and the destination address is FFFF.FFFF.FFFF; at L3 the source IP is its own F0/1 port IP and the destination IP is PC2's IP (because the router has no gateway of its own, when it finds that PC2's address is not on the same segment as its F0/1 it sends an ARP broadcast just as a PC would, rather than asking R2). R2 receives this broadcast and drops it directly, because R2 does not have proxy ARP enabled. In effect R1 is requesting PC2's MAC address directly, and this does not succeed.
If instead R1's static route to PC2's network is written with a next hop (R2's f0/0 interface), R1 first sends an ARP request for the MAC address of R2's f0/0 port and then forwards PC1's packets as unicast to R2; R2 forwards them to PC2 according to its route, completing one-way communication. The packets PC2 returns to PC1 are unicast ARP replies, completing the two-way communication between PC1 and PC2.
That is why writing the next-hop address is better than writing only the interface, or else write both the interface and the next hop. In practice Cisco routers have proxy ARP enabled by default, which is why everything passes in the lab environment.
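The following added example (not part of the original page) models the three-node scenario above in Python: R1 with either an interface-only or a next-hop static route, and R2 with proxy ARP on or off. The addresses are the ones given in the text; the Router class and its method names are this example's own assumptions.

```python
import ipaddress

# Constructed topology from the example above: PC2 sits on 172.16.1.0/24 behind
# R2, and R1/R2 share the multi-access segment 12.1.1.0/24 on their f0/0 ports.
PC2 = "172.16.1.2"


class Router:
    """One IP on the shared segment, a static route table and the
    'ip proxy-arp' flag of the shared-segment interface."""

    def __init__(self, name, segment_ip, proxy_arp, routes):
        self.name = name
        self.segment = ipaddress.ip_interface(segment_ip)
        self.proxy_arp = proxy_arp
        # routes: (prefix, next_hop or None); None = outgoing-interface-only route
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns (prefix, next_hop) or None."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def answers_arp_for(self, target):
        """Would this router reply to an ARP request for `target` on its shared segment?"""
        addr = ipaddress.ip_address(target)
        if addr == self.segment.ip:
            return True  # its own address: an ordinary ARP reply
        if addr in self.segment.network or not self.proxy_arp:
            return False  # on-segment host, or proxy ARP disabled: request dropped
        # Proxy ARP answers only for off-segment targets it has a route to
        return self.lookup(target) is not None


def r1_resolves_next_hop(r1, r2, dst):
    """Can R1 obtain an L2 next-hop MAC for `dst` across the segment shared with R2?
    With an interface-only route R1 must ARP for the final destination IP itself;
    with a next-hop route it ARPs for R2's own interface address."""
    route = r1.lookup(dst)
    if route is None:
        return False
    next_hop = route[1]
    arp_target = next_hop if next_hop is not None else dst
    return r2.answers_arp_for(arp_target)


def scenario(r1_next_hop, r2_proxy_arp):
    """Build the example for one combination of R1's route style
    (None = outgoing interface only) and R2's proxy-ARP setting."""
    r1 = Router("R1", "12.1.1.1/24", proxy_arp=False,
                routes=[("172.16.1.0/24", r1_next_hop)])
    r2 = Router("R2", "12.1.1.2/24", proxy_arp=r2_proxy_arp,
                routes=[("172.16.1.0/24", None)])  # PC2's LAN is directly connected to R2
    return r1_resolves_next_hop(r1, r2, PC2)
```

`scenario(None, False)` is the failing case from the text; `scenario(None, True)` and `scenario("12.1.1.2", False)` are the two ways it succeeds.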
2. IP redirects: resolving the proxy-ARP gateway-down problem
SW(config-if)# ip redirects   - Cisco enables this by default
This command applies to the proxy ARP scenario above: when one of the L3 gateways loses its Internet connection, the data frames the PC sends to it are answered with an ICMP redirect whose content points the destination address at the other gateway's MAC address. The PC immediately updates its ARP entry, binding the destination IP to the other gateway's MAC address, which achieves the switchover.
3. IRDP redundancy (a technique for hosts without a default gateway)
IRDP (ICMP Router Discovery Protocol) uses the L2 switch instead of the PC to discover the L3 gateway MAC address. It requires the L3 layer to run the RIP routing protocol (the switch listens to RIP) and PCs that support IRDP (Windows XP and later do not), so that PCs can communicate without a gateway. Because these limitations are too severe, it has been eliminated.
Session 2 Gateway Redundancy technology
1. HSRP
HSRP (Hot Standby Routing Protocol) is a Cisco proprietary protocol. The L3 gateway devices present one virtual IP address and virtual MAC address for the PCs to use (learned via ARP), providing gateway redundancy and fast switching to another gateway after a failure.
HSRP is carried over UDP; source and destination ports are both 1985. The packet format shown in the figure confirms that UDP is used for transport.
The L3 devices in an HSRP group exchange three message types:
1. Hello: the primary router sends its priority and state information, by default every 3 s. During the initial election both the master and the slave routers send hellos for comparison.
2. Coup: sent when a router becomes primary.
3. Resign: sent when the primary router discovers a router with higher priority, or when the primary router is shut down or restarted (a power-off does not count).
An L3 gateway running HSRP goes through six states (similar to STP):
1. Init or Disable: initial state, HSRP is not running. Entered when a configuration or interface state is changed or the device has just started.
2. Learn: the router does not yet know the virtual IP and has not seen a hello from the active router; it waits for the active router's hello.
3. Listen: the L3 device knows the virtual IP address but is neither the active router nor the standby router (for example with 3 redundant gateways, the one that is neither active nor standby stays in this state). It listens for hello messages from both the active and the standby router.
4. Speak: the router sends hello messages periodically; if within a certain time it sees a hello with a higher priority it goes back to the Listen state.
5. Standby: the standby router sends hello messages periodically and monitors the state of the active (primary) router.
6. Active: the router sends hello messages regularly and provides the gateway service for the PCs.
HSRP configuration commands:
SW(config-if)# standby 10 ip 192.168.1.150   - configures the virtual IP of HSRP group 10 (the virtual MAC is generated automatically); must be entered on both L3 devices
SW# show standby   - shows HSRP status information
HSRP election: the active and standby gateways are elected by 1. priority (highest wins), then 2. interface IP address (highest wins); the winner becomes the main (active) router.
SW(config-if)# standby use-bia   - makes HSRP use the interface's real physical (burned-in) MAC address as the virtual MAC presented to the PCs; enter on both devices. This exists because early hardware did not support one interface carrying 2 MAC addresses, so only the interface's real physical address could be used.
SW(config-if)# standby 10 priority 150   - changes the HSRP priority; the default is 100
SW(config-if)# standby 10 preempt   - configures preemption: the configured device immediately becomes active and forwards data, provided its priority is higher. HSRP's characteristic is that once the standby device becomes active it stays active; even after the failed main device is repaired it cannot become active again, so preemption must be configured for it to take the active role back. In projects it is recommended to configure preemption on the active router so that after its failure is repaired it switches back to the active state to forward data.
SW(config-if)# standby 10 authentication md5 key-string cisco   - configures the authentication password for the HSRP group
SW(config-if)# standby 10 name Cisco   - configures the HSRP group name, with no practical meaning
SW(config-if)# standby 10 mac-address 1234.1234.1234   - configures a custom virtual MAC address
SW(config-if)# standby 10 timers 3 10   - sets the hello interval to 3 s and the hold time to 10 s (these are the defaults)
SW(config-if)# standby 10 timers msec 200 <holdtime>   - sets the hello interval to 200 ms (the hold time argument follows the hello interval)
SW(config-if)# standby 10 track FastEthernet0/1 50   - tracks the state of this device's F0/1 interface and, once it goes down, lowers the device's priority by 50 (the default decrement is 10). This handles the case where the main gateway itself is not down but its Internet-facing fiber is broken: the gateway tracks its own Internet-connected port and lowers its own priority when that port goes down, so that the standby gateway, with preemption configured, takes over data forwarding. (Many things can be tracked, for example a tracked object number. Tracking configured globally can detect routing entries, route metrics and data latency; global track and SLA are very useful technologies that deserve study on their own and are not the focus of HSRP.)
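As an added example (not from the original page), the Python below decodes HSRP version 1 packets from the UDP port 1985 stream described above, applies the priority-then-IP election rule, and flags hellos from an unexpected source that would win the election against the known active router, which is how a defender can spot a misconfigured or rogue gateway on the segment. The captured payloads are constructed by hand for group 10 and virtual IP 192.168.1.150; the field layout is the published HSRPv1 format.

```python
import socket
import struct

# HSRPv1 layout (RFC 2281): version, opcode, state, hellotime, holdtime, priority,
# group, reserved (1 byte each), 8 bytes authentication data, 4-byte virtual IP.
HSRP_FMT = "!8B8s4s"            # 20 bytes; carried in UDP src/dst port 1985
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "init", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


def parse_hsrp(payload):
    """Decode one HSRPv1 UDP payload into named fields."""
    if len(payload) < struct.calcsize(HSRP_FMT):
        raise ValueError("truncated HSRP packet")
    (ver, op, state, hello, hold, prio, group, _rsv,
     auth, vip) = struct.unpack(HSRP_FMT, payload[:20])
    return {
        "version": ver, "opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
        "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": socket.inet_ntoa(vip),
    }


def elect_active(candidates):
    """Election rule from the text: highest priority wins, ties go to the highest
    interface IP. candidates = [(priority, source_ip), ...]; returns the winner."""
    return max(candidates, key=lambda c: (c[0], int.from_bytes(socket.inet_aton(c[1]), "big")))


def rogue_hellos(packets, group, legit_active, auth="cisco"):
    """Return source IPs whose hello for `group` would beat the known legitimate
    active router (priority, ip) in the election, or that carry an unexpected
    plaintext authentication string. packets = [(src_ip, udp_payload), ...]."""
    flagged = []
    for src, payload in packets:
        h = parse_hsrp(payload)
        if h["opcode"] != "hello" or h["group"] != group or src == legit_active[1]:
            continue
        wins = elect_active([legit_active, (h["priority"], src)])[1] == src
        if wins or h["auth"] != auth:
            flagged.append(src)
    return flagged


# Constructed sample capture: group 10, VIP 192.168.1.150, default auth "cisco".
LEGIT_ACTIVE = (100, "192.168.1.1")
CAPTURE = [
    # active router: state 16 (active), hello 3, hold 10, priority 100
    ("192.168.1.1", bytes.fromhex("00 00 10 03 0a 64 0a 00 636973636f000000 c0a80196")),
    # standby router: state 8 (standby), priority 90, loses the election as expected
    ("192.168.1.2", bytes.fromhex("00 00 08 03 0a 5a 0a 00 636973636f000000 c0a80196")),
    # unknown host claiming active with priority 255: would win and must be flagged
    ("192.168.1.77", bytes.fromhex("00 00 10 03 0a ff 0a 00 636973636f000000 c0a80196")),
]
```

`rogue_hellos(CAPTURE, 10, LEGIT_ACTIVE)` returns `['192.168.1.77']` for the constructed capture.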
2. VRRP
VRRP: Virtual Router Redundancy Protocol
Differences from HSRP:
1. It is a public standard gateway redundancy protocol.
2. The virtual IP address may be an interface's real IP address; the virtual MAC address is 0000.5e00.01xx, where xx is the VRRP group number.
When the virtual IP address is set to the real interface IP address of one gateway device, that device's priority is automatically set to 255 and it becomes the master gateway.
3. HSRP elects one active and one standby router; VRRP elects one master and multiple backups (in a VRRP group every device other than the master is a backup), and only the active (master) device sends hello packets.
4. Each gateway's default priority is 100; a priority of 0 means the device is no longer a member of the VRRP virtual group.
5. IP protocol number 112, multicast address 224.0.0.18, default advertisement interval 3 s, hold = 3.
6. VRRP has preemption enabled by default; it does not need to be configured separately.
7. HSRP supports tracking an interface directly; VRRP does not, it can only track a tracked object. Such an object is pre-defined in global configuration mode and describes parameters of some traffic, such as source, destination IP, routing metric, latency, voice or video data, protocol, and so on. (This belongs to traffic engineering and is not the focus of VRRP.)
8. HSRP is carried over UDP at L4; VRRP is a public protocol carried directly in IP and does not use another transport protocol.
The message structure of VRRP is shown in the figure below:
9. VRRP has only one message type, the advertisement. When the device's interface goes down, the priority in the message automatically changes to 0.
VRRP configuration commands (group 10 assumed in the examples below):
SW(config-if)# vrrp 10 authentication md5 key-string cisco   - configures the authentication password for the VRRP group
SW(config-if)# vrrp 10 description V10zu   - names the VRRP group V10zu, with no practical meaning
SW(config-if)# vrrp 10 timers advertise 10   - sends the advertisement (hello) packet every 10 s; the default is 1 s
SW(config-if)# vrrp 10 track 1 decrement <value>   - tracks tracked object 1; if it fails, the priority automatically decreases by the configured value
Session 3 GLBP
GLBP: Gateway Load Balancing Protocol, a Cisco proprietary protocol.
GLBP presents a single virtual IP address when multiple gateway routers are configured, together with up to 4 virtual MAC addresses (up to 4 gateway devices forwarding terminal data, including the AVG, the alternate AVG and the AVFs), so that every gateway device in the GLBP group forwards user data instead of sitting idle as a backup. All group members communicate with hello packets, default hello 3 s and hold time 10 s, using multicast address 224.0.0.102; like HSRP, GLBP uses the L4 UDP protocol for transport, port 322.
In a GLBP group only one device becomes the AVG (Active Virtual Gateway); one further device acts as the standby (alternate) AVG, and the other routers act as AVFs (Active Virtual Forwarders). When the AVG becomes unavailable, the alternate AVG replaces it (the alternate AVG and AVF roles do not conflict; typically a device is both standby AVG and an AVF). The AVG's task is to assign virtual MAC addresses to the devices in the group (one per member, up to 4) and to answer the users' ARP requests with these MAC addresses spread evenly, so that different users send data to different gateway devices, which produces load balancing (typically the AVG is also an AVF, responsible for both MAC address allocation and data forwarding). The devices that forward user data are called AVFs.
GLBP load-balancing modes:
1. host-dependent: guarantees that a given host always uses the same virtual MAC; has been eliminated
2. round-robin: the AVFs' virtual MAC addresses are handed to end users in rotation
3. weighted: the share of terminal traffic sent to an AVF depends on that AVF's own weighting value; the larger the weight, the higher its preference
GLBP states:
GLBP supports up to 1024 virtual routers and 4 virtual MAC addresses. The AVG is in the active state, the alternate AVG is in the standby state, and the remaining AVFs are in the listen state. The weighting defaults to 100 and the maximum value is 200.
The AVG election works like HSRP, comparing the priority value and then the interface IP address (highest wins).
Preemption (preempt) in GLBP is off by default and must be configured manually as in HSRP; with preempt configured, the original AVG can immediately take the AVG role back from the alternate AVG once its fault has been resolved.
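The added Python model below (not code from the page or from Cisco) shows what the AVG does with the three load-balancing modes listed above: it hands each AVF a virtual MAC and decides which MAC to return in each ARP reply, and it applies a `weighting track ... decrement` to an AVF's weight. The virtual MAC prefix 0007.b400 with group and forwarder number in the last two bytes, and the "furthest below its fair share" rule for weighted mode, are this example's assumptions rather than statements from the page.

```python
import itertools
from fractions import Fraction

# Assumed GLBP virtual MAC layout: Cisco prefix, then group number, then AVF number.
GLBP_MAC_PREFIX = "0007.b400"


def virtual_mac(group, forwarder):
    return f"{GLBP_MAC_PREFIX}.{group:02x}{forwarder:02x}"


class AVG:
    """Active Virtual Gateway: owns the virtual IP, gives each AVF one virtual MAC
    (at most 4) and picks the MAC returned in each ARP reply per the configured mode."""

    def __init__(self, group, forwarders, mode="round-robin"):
        if not 1 <= len(forwarders) <= 4:
            raise ValueError("GLBP supports 1..4 forwarders per group")
        self.group = group
        self.weights = dict(forwarders)            # AVF name -> weighting (default 100, max 200)
        self.macs = {n: virtual_mac(group, i) for i, n in enumerate(forwarders, 1)}
        self.mode = mode
        self._cycle = itertools.cycle(list(forwarders))
        self.served = {n: 0 for n in forwarders}   # ARP replies handed out per AVF
        self._host_binding = {}                    # host MAC -> AVF (host-dependent mode)

    def track_fail(self, name, decrement):
        """'glbp weighting track <obj> decrement <n>': a failed tracked object
        lowers that AVF's weight and therefore its share in weighted mode."""
        self.weights[name] = max(0, self.weights[name] - decrement)

    def _pick(self, host_mac):
        if self.mode == "host-dependent":
            # the same host always gets the same AVF; first assignment is round-robin
            return self._host_binding.setdefault(host_mac, next(self._cycle))
        if self.mode == "round-robin":
            return next(self._cycle)
        if self.mode == "weighted":
            # AVF whose replies-so-far are furthest below its weight share
            # (exact fractions avoid float ties; an approximation of Cisco's scheduler)
            live = [n for n, w in self.weights.items() if w > 0]
            return min(live, key=lambda n: Fraction(self.served[n], self.weights[n]))
        raise ValueError(f"unknown load-balancing mode {self.mode}")

    def arp_reply(self, host_mac):
        """Virtual MAC returned to `host_mac` when it ARPs for the virtual IP."""
        name = self._pick(host_mac)
        self.served[name] += 1
        return self.macs[name]


def distribution(mode, forwarders, requests):
    """Replies per AVF after `requests` ARP requests from distinct hosts."""
    avg = AVG(10, forwarders, mode)
    for i in range(requests):
        avg.arp_reply(f"host-{i}")
    return avg.served
```

With the weighted example from the configuration section (R1 weight 200, R2 at the default 100), `distribution("weighted", {"R1": 200, "R2": 100}, 300)` gives R1 200 replies and R2 100.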
GLBP configuration
R1(config-if)# glbp 10 ?
  authentication   Authentication method: configures GLBP authentication, MD5 or clear text, using a key string or key chain
  forwarder        Forwarder configuration: preemption settings for the forwarder (AVF) role
  ip               Enable group and set virtual IP address: configures the shared virtual IP
  load-balancing   Load balancing method: selects the load-balancing mode
  name             Redundancy name: names the GLBP group
  preempt          Overthrow lower priority designated routers: allows this router to preempt the AVG role; without it a higher priority does not preempt
  priority         Priority level: default 100, the highest priority becomes the active primary router (AVG)
  timers           Adjust GLBP timers: configures the hello time
  weighting        Gateway weighting and tracking: configures the weight
Basic configuration example:
R1(config-if)# glbp 10 ip 12.1.1.10   - configures the virtual IP address 12.1.1.10
R1(config-if)# glbp 10 authentication md5 key-chain 123   - configures MD5 authentication using key chain 123
R1(config-if)# glbp 10 preempt delay minimum 2   - enables preemption with a 2 s preemption delay
R1(config-if)# glbp 10 priority 200   - sets the router's priority to 200 so it becomes the primary gateway (AVG)
R1(config-if)# glbp 10 load-balancing weighted   - selects the weighted load-balancing mode
R1(config-if)# glbp 10 weighting 200   - gives this device a weight of 200, so user traffic prefers R1
Extended configuration:
R1(config-if)# glbp 10 weighting track 1 decrement 50   - lowers the weight by 50 when tracked object 1 fails (only effective when a track object is configured)
In actual projects HSRP, VRRP and GLBP are not used much. Neither HSRP nor VRRP can load-balance: only one active device forwards data, and the standby gateway stays idle as long as the main gateway has no fault, which wastes bandwidth and money. GLBP was derived to solve this: it can load-balance while still providing redundancy, so that resources are used to the fullest. But GLBP does not work well in many practical cases, for example in a NAT environment: when the AVG goes down, the NAT outside address changes from the AVG's external address to that of the alternate AVG (or another AVF), and traffic that was previously translated out through the AVG can no longer return through the AVG's external address, so communication fails. Many ISP technologies also cause serious problems with these redundancy protocols. In real projects, therefore, professional load-balancing devices are used to support the network, especially in finance, military and other networks that require zero delay and zero packet loss; these protocols are only used in simple enterprise networks.
Layer 2 Gateway Redundancy Technology: HSRP, VRRP, GLBP