Redundancy protocols: xxRP
HSRP: Hot Standby Router Protocol
VRRP: Virtual Router Redundancy Protocol
GLBP: Gateway Load Balancing Protocol (Cisco proprietary)
★★
ICMP redirect // when a packet arrives, the router answers "not me, use the other gateway"
proxy ARP - a substitute for a redundancy protocol
These are the old way of doing gateway redundancy; they must be disabled (both are enabled by default)
interface fa 0/0
no ip proxy-arp
HSRP v1 vs v2?
Hello 3 s, hold 10 s by default
★★
1. Check failover link performance // performance is slow while HSRP re-converges
broadcast: about 20% of unicast performance
(re-convergence starts when hellos stop arriving)
2. Use preempt or not?
110 - 50 = 60 vs 90: the standby should become active (S -> A) but does not without preempt (in Korea preempt is usually not enabled)
Cisco: VRRP is the standard (in Korea preempt is not turned on)
3. ICMP redirect, proxy ARP (on by default on Cisco, off by default on Juniper)
4. If multicast is heavy toward the end stations, turn it off
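An added example (not from the notes) that models item 2 above in Python: R2 with priority 110 tracking its uplink with decrement 50, R3 with priority 90, and the difference preempt makes when R2's uplink fails. Router names and addresses follow the lab in the notes; the tie-break on higher interface IP is standard HSRP behaviour, and the `preempt delay minimum` timer is deliberately not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HsrpRouter:
    name: str
    priority: int
    ip: str                      # interface address; HSRP breaks priority ties on the higher IP
    preempt: bool = False        # 'standby 1 preempt'
    track_decrement: int = 0     # 'standby 1 track <interface> <decrement>'
    tracked_up: bool = True      # state of the tracked interface
    alive: bool = True           # False once the router stops sending hellos

    def effective_priority(self) -> int:
        # Tracking lowers the priority while the tracked interface is down.
        return self.priority - (0 if self.tracked_up else self.track_decrement)


def _ip_key(ip: str):
    return tuple(int(o) for o in ip.split("."))


def elect(routers: List[HsrpRouter], current_active: Optional[str] = None) -> str:
    """Return the active router's name after one election round.

    - No active router (or it died): highest effective priority wins, ties on higher IP.
    - Otherwise the active router keeps the role unless a router with a higher
      effective priority has preempt enabled.
    """
    alive = [r for r in routers if r.alive]
    best = max(alive, key=lambda r: (r.effective_priority(), _ip_key(r.ip)))
    names = {r.name: r for r in alive}
    if current_active is None or current_active not in names:
        return best.name
    current = names[current_active]
    if best is not current and best.preempt and \
            best.effective_priority() > current.effective_priority():
        return best.name
    return current_active


def scenario(standby_preempt: bool):
    """Walk through the notes' scenario; returns (event, active router) pairs."""
    r2 = HsrpRouter("R2", 110, "10.1.10.2", preempt=True, track_decrement=50)
    r3 = HsrpRouter("R3", 90, "10.1.10.3", preempt=standby_preempt)
    routers = [r2, r3]
    history = []
    active = elect(routers)
    history.append(("boot", active))
    r2.tracked_up = False            # R2's uplink fa 0/1 fails: 110 - 50 = 60
    active = elect(routers, active)
    history.append(("r2 uplink down", active))
    r2.tracked_up = True             # uplink restored: R2 is back to 110
    active = elect(routers, active)
    history.append(("r2 uplink up", active))
    return history


if __name__ == "__main__":
    print("standby with preempt:   ", scenario(True))
    print("standby without preempt:", scenario(False))
```

With preempt on R3 the failover happens (R2 -> R3 -> R2); without it R2 stays active at priority 60 even though its uplink is gone, which is exactly the "should become active but doesn't" case in the notes, and the LAN keeps sending traffic to a gateway with no path upstream. That is the trade-off behind deciding whether to enable preempt.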
HSRP v1: groups 0~255
HSRP v2: groups 0~4095, virtual MAC 0000.0c9f.fxxx (xxx = group number in hex), hellos to 224.0.0.102
Hypothetical attack scenario with yersinia
Instructor: .23
Lab outside address: 121.160.70.20
★★★★ Five things to check when building redundancy
1. Check failover link performance
2. Whether to use preempt
3. ICMP redirect
4. Proxy ARP
5. STP convergence time ===> strongly recommend RSTP
// reference: ip ospf dead-interval minimal hello-multiplier 20 // sends 20 hellos per second; feasible on fiber
R1
interface fa 0/0
no shutdown
ip address 121.160.70.20 255.255.255.0
ip nat outside
interface fa 0/1
no shutdown
ip address 10.1.100.254 255.255.255.0
ip nat inside
exit
access-list 10 permit 10.1.0.0 0.0.255.255
ip nat inside source list 10 interface fa 0/0 overload   // overload (PAT) added; the notes omit it
ip route 0.0.0.0 0.0.0.0 121.160.70.254
ip route 10.1.0.0 255.255.0.0 10.1.100.2
ip route 10.1.0.0 255.255.0.0 10.1.100.3 100
router ospf 1
router-id 1.1.1.1
network 10.1.0.0 0.0.255.255 area 0
default-information originate
// default-information originate always: advertises the default route whether or not R1 itself has one
SW
vlan 100
name GW-vlan
exit
interface range fa 1/8 - 10
switchport mode access
switchport access vlan 100
spanning-tree portfast
exit
vlan 10
exit
interface range fa 1/2 - 5
switchport mode access
switchport access vlan 10
spanning-tree portfast
exit
R2
interface fa 0/1
no shutdown
ip address 10.1.100.2 255.255.255.0
exit
interface fa 0/0
no shutdown
ip address 10.1.10.2 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 10.1.100.254
router ospf 1
router-id 2.2.2.2
network 10.1.0.0 0.0.255.255 area 0
passive-interface fa 0/0
exit
interface fa 0/0
no ip redirects      // interface-level commands; the notes had these under router ospf
no ip proxy-arp
standby 1 ip 10.1.10.254
standby 1 mac-address 0001.0001.0001
standby 1 preempt delay minimum 30
standby 1 priority 110
standby 1 track fa 0/1 50
exit
show standby brief
R3
interface fa 0/1
no shutdown
ip address 10.1.100.3 255.255.255.0
exit
interface fa 0/0
no shutdown
ip address 10.1.10.3 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 10.1.100.254
router ospf 1
router-id 3.3.3.3
network 10.1.0.0 0.0.255.255 area 0
passive-interface fa 0/0
exit
// clear ip ospf process: use when you need OSPF to renegotiate
Yersinia takes the IP address entered backwards:
typing 100.10.1.10
sends 10.1.10.100.
R2
interface fa 0/0      // HSRP group 1 lives on fa 0/0 (the notes had fa 0/1 here)
standby 1 authentication md5 key-string cisco123
show arp
// 10.1.10.254 should resolve to the virtual MAC
\\\\\\\\\\\\\\\\\\\ Academy handout
Redundancy protocols: xxRP
HSRP: Hot Standby Router Protocol
VRRP: Virtual Router Redundancy Protocol
GLBP: Gateway Load Balancing Protocol (Cisco proprietary)
ip ospf dead-interval minimal hello-multiplier 20
1. Check failover link performance
2. Whether to use preempt
3. ICMP redirect
4. Proxy ARP
5. STP convergence time ==> strongly recommend RSTP
==> items to check before building redundancy
After the configuration is complete, be sure to verify the virtual MAC
in the switch MAC address table
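An added example (not from the handout or the notes) for the two points above: deriving the HSRP virtual MAC from the group number and checking it against the switch MAC address table. The v2 prefix `0000.0c9f.fxxx` and the group ranges are from the notes; the v1 prefix `0000.0c07.acxx` is the standard HSRP v1 well-known MAC and is assumed here. The `show mac address-table` text is constructed, and the port names are assumptions; the lab's configs also override the virtual MAC with `standby 1 mac-address 0001.0001.0001`, so both the default and the configured address are checked.

```python
import re

# Well-known HSRP virtual MAC prefixes as integers.
HSRP_V1_PREFIX = 0x00000C07AC00   # 0000.0c07.acXX  (XX  = group, 0-255)   - assumed, not in the notes
HSRP_V2_PREFIX = 0x00000C9FF000   # 0000.0c9f.fXXX  (XXX = group, 0-4095)  - from the notes


def fmt_cisco(mac_int: int) -> str:
    """Render a 48-bit integer in Cisco's xxxx.xxxx.xxxx form."""
    h = f"{mac_int:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def hsrp_virtual_mac(version: int, group: int) -> str:
    """Default virtual MAC for an HSRP group (unless overridden with 'standby N mac-address')."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRP v1 group must be 0-255")
        return fmt_cisco(HSRP_V1_PREFIX | group)
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRP v2 group must be 0-4095")
        return fmt_cisco(HSRP_V2_PREFIX | group)
    raise ValueError("version must be 1 or 2")


# Constructed sample of 'show mac address-table' output; not a real capture.
# Port names are assumptions (R2 on Fa1/2, R3 on Fa1/3).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0001.0001.0001    DYNAMIC     Fa1/2
  10    0000.0c07.ac01    DYNAMIC     Fa1/2
  10    c201.1234.0000    DYNAMIC     Fa1/2
  10    c202.1234.0000    DYNAMIC     Fa1/3
"""

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)


def parse_mac_table(text: str):
    """Return {mac: (vlan, port)} parsed from IOS 'show mac address-table' output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            table[mac.lower()] = (int(vlan), port)
    return table


def check_virtual_mac(table, mac: str, expected_vlan: int, expected_port: str) -> str:
    """Verify the virtual MAC is learned on the port where the active router sits.

    'missing'    - nobody has talked to the VIP yet, or HSRP is down
    'wrong-vlan' - learned in another VLAN
    'wrong-port' - learned on an unexpected port: a rogue active router or a cabling error
    """
    entry = table.get(mac.lower())
    if entry is None:
        return "missing"
    vlan, port = entry
    if vlan != expected_vlan:
        return "wrong-vlan"
    if port != expected_port:
        return "wrong-port"
    return "ok"


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for mac in ("0001.0001.0001", hsrp_virtual_mac(1, 1), hsrp_virtual_mac(2, 1)):
        print(mac, check_virtual_mac(table, mac, 10, "Fa1/2"))
```

If the virtual MAC moves to a port that is not R2 or R3, the active role has moved somewhere it should not be; that is the check the handout asks for after configuration, and it is also the quickest way to spot an unexpected HSRP speaker on the segment.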
R1
interface fa 0/0
no shutdown
ip address 121.160.70.x 255.255.255.0
ip nat outside
exit
interface fa 0/1
no shutdown
ip address 10.1.100.254 255.255.255.0
ip nat inside
ip ospf priority 255
exit
access-list 10 permit 10.1.0.0 0.0.255.255
ip nat inside source list 10 interface fa 0/0 overload   // overload (PAT) added; the handout omits it
ip route 0.0.0.0 0.0.0.0 121.160.70.254
router ospf 1
router-id 1.1.1.1
network 10.1.0.0 0.0.255.255 area 0
default-information originate
exit
SW
vlan 100
name GW-vlan
exit
interface range fa 1/8 - 10
switchport mode access
switchport access vlan 100
spanning-tree portfast
exit
R2
interface fa 0/1
no shutdown
ip address 10.1.100.2 255.255.255.0
exit
interface fa 0/0
no shutdown
ip address 10.1.10.2 255.255.255.0
ip ospf priority 0
exit
router ospf 1
router-id 2.2.2.2
network 10.1.0.0 0.0.255.255 area 0
passive-interface fa 0/0
exit
R3
interface fa 0/1
no shutdown
ip address 10.1.100.3 255.255.255.0
exit
interface fa 0/0
no shutdown
ip address 10.1.10.3 255.255.255.0
ip ospf priority 0
exit
router ospf 1
router-id 3.3.3.3
network 10.1.0.0 0.0.255.255 area 0
passive-interface fa 0/0
exit
SW
vlan 10
exit
interface range fa 1/2 - 5
switchport mode access
switchport access vlan 10
spanning-tree portfast
exit
======================
R2
interface fa 0/0
no shutdown
no ip redirects
no ip proxy-arp
standby 1 ip 10.1.10.254
standby 1 mac-address 0001.0001.0001
standby 1 preempt delay minimum 30
standby 1 priority 110
standby 1 track fa 0/1 50
exit
R3
interface fa 0/0
no shutdown
no ip redirects
no ip proxy-arp
standby 1 ip 10.1.10.254
standby 1 mac-address 0001.0001.0001
standby 1 preempt
standby 1 priority 90
exit
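An added example, not part of the handout and not a Cisco tool: a small Python audit that reads IOS-style configs such as the R2/R3 blocks above and reports, per interface carrying an HSRP group, which items of the five-point checklist are present. Items 1 (failover link performance) and 5 (STP convergence) need measurements and switch-side config, so the audit covers ICMP redirect, proxy ARP, preempt and tracking, and also HSRP MD5 authentication, which the later lab in these notes adds. The config texts are constructed from the blocks above; the helper names are mine.

```python
import re
from collections import defaultdict

# Lines that end an interface block even without an explicit 'exit'.
GLOBAL_PREFIXES = ("router ", "ip route", "ip sla", "track ", "access-list", "vlan ")


def parse_interfaces(config: str):
    """Return {interface_name: [lowercased lines]} for each 'interface' block.
    Names are normalised so 'int fa 0/0' and 'interface fa0/0' both become 'fa0/0'."""
    blocks = defaultdict(list)
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^int(?:erface)?\s+(.+)$", line, re.I)
        if m:
            current = re.sub(r"\s+", "", m.group(1)).lower()
            blocks[current]          # register the block even if it stays empty
            continue
        low = line.lower()
        if low in ("exit", "exi", "end") or low.startswith(GLOBAL_PREFIXES):
            current = None
            continue
        if current is not None:
            blocks[current].append(low)
    return dict(blocks)


STANDBY_IP = re.compile(r"^standby\s+\d+\s+ip\s+\S+")

# Checklist items that must be present on every HSRP-carrying interface.
REQUIRED = {
    "no ip redirects":    re.compile(r"^no ip redirects$"),
    "no ip proxy-arp":    re.compile(r"^no ip proxy-arp$"),
    "preempt":            re.compile(r"^standby\s+\d+\s+preempt\b"),
    "md5 authentication": re.compile(r"^standby\s+\d+\s+authentication\s+md5\b"),
}
# Reported but not required: a standby router with nothing upstream to watch may omit tracking.
RECOMMENDED = {
    "track": re.compile(r"^standby\s+\d+\s+track\s+"),
}


def audit(config: str):
    """Return {interface: {check: bool}} for every interface that has a 'standby N ip'."""
    report = {}
    for iface, lines in parse_interfaces(config).items():
        if not any(STANDBY_IP.match(l) for l in lines):
            continue                  # no HSRP group here, nothing to audit
        checks = {**REQUIRED, **RECOMMENDED}
        report[iface] = {name: any(rx.match(l) for l in lines) for name, rx in checks.items()}
    return report


def findings(config: str):
    """List (interface, missing required item) pairs."""
    return [(iface, name) for iface, result in audit(config).items()
            for name in REQUIRED if not result[name]]


# Constructed config text modelled on the R2 block above (no HSRP authentication yet).
R2_CONFIG = """\
interface fa 0/1
 ip address 10.1.100.2 255.255.255.0
exit
interface fa 0/0
 no ip redirects
 no ip proxy-arp
 standby 1 ip 10.1.10.254
 standby 1 mac-address 0001.0001.0001
 standby 1 preempt delay minimum 30
 standby 1 priority 110
 standby 1 track fa 0/1 50
exit
"""

# The same router after adding the md5 key the later lab in the notes uses.
R2_HARDENED = R2_CONFIG.replace(
    " standby 1 priority 110\n",
    " standby 1 priority 110\n standby 1 authentication md5 key-string cisco123\n")

# Constructed config text modelled on the R3 block above.
R3_CONFIG = """\
interface fa 0/0
 no ip redirects
 no ip proxy-arp
 standby 1 ip 10.1.10.254
 standby 1 mac-address 0001.0001.0001
 standby 1 preempt
 standby 1 priority 90
exit
"""

if __name__ == "__main__":
    for name, cfg in (("R2", R2_CONFIG), ("R2 hardened", R2_HARDENED), ("R3", R3_CONFIG)):
        print(name, audit(cfg), findings(cfg))
```

Run against the blocks above, the only required item missing on both R2 and R3 is MD5 authentication; without it any host on VLAN 10 that sends hellos with a higher priority can be elected active, which is the scenario the notes go on to test with yersinia. Adding the key clears the finding.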
Attack HSRP with yersinia, entering the second group's IP backwards: 1.100.1.10
np-yersinia.net
\\\\\\\\\\\\\\\\\\\\\\\\\\\
NP-HSRP1.net
Administrative distances:
5: EIGRP summary
20: eBGP
90: EIGRP
100: IGRP
RTR: Response Time Reporter (the old name of IP SLA)
Try splitting HSRP into multiple groups
keepalive: tells you that a link is dead
Because Layer 3 crosses a repeater, ICMP is sent periodically
The router sends probe packets periodically to detect that the Internet is unreachable
R1
interface fa 0/0
no shutdown
ip address 121.160.70.20 255.255.255.0
ip nat outside
exit
interface fa 0/1
no shutdown
ip address 10.1.123.1 255.255.255.0
ip nat inside
exit
ip route 0.0.0.0 0.0.0.0 121.160.70.254
ip sla 11
icmp-echo 10.1.123.2
timeout 1000
frequency 1
exit
ip sla schedule 11 life forever start-time now   // the notes had the schedule keywords on the 'ip sla 11' line
track 1 rtr 11 reachability                      // tracks IP SLA operation 11 (the notes had 'rtr 1')
exit
ip route 10.1.100.0 255.255.255.0 10.1.123.2 track 1
ip route 10.1.100.0 255.255.255.0 10.1.123.3 200
SW
vlan 123
exit
interface range fa 1/8 - 10
switchport mode access
switchport access vlan 123
spanning-tree portfast
exit
R2
interface fa 0/1
no shutdown
ip address 10.1.123.2 255.255.255.0
exit
interface fa 0/0
no shutdown
exit
interface fa 0/0.100
encapsulation dot1q 100
ip address 10.1.100.2 255.255.255.0
exit
interface fa 0/0.200
encapsulation dot1q 200      // VLAN 200 on this subinterface (the notes repeated 100 here)
ip address 10.1.200.2 255.255.255.0
exit
ip sla 11
icmp-echo 10.1.123.1         // R1's fa 0/1 address (the notes had 1.1.123.1)
timeout 1000
frequency 1
exit
ip sla schedule 11 life forever start-time now
track 1 rtr 11 reachability
exit
ip route 0.0.0.0 0.0.0.0 10.1.123.1
interface fa 0/0.100
standby 1 ip 10.1.100.254
standby 1 mac-address 0001.0001.0001
standby 1 priority 110
standby 1 track 1 decrement 50
standby 1 authentication md5 key-string cisco123
standby 1 preempt delay minimum 30
exit
interface fa 0/0.200
standby 2 ip 10.1.200.254
standby 2 mac-address 0002.0002.0002
standby 2 priority 90
standby 2 authentication md5 key-string cisco456
standby 2 preempt
exit
\\\\\\ fail shut
Even if the ICMP probe is lost somewhere along the path, tracking still catches the failure
R1
interface fa 0/0
no shutdown
ip address 121.160.70.23 255.255.255.0
ip nat outside
exit
interface fa 0/1
no shutdown
ip address 10.1.123.1 255.255.255.0
ip nat inside
exit
ip route 0.0.0.0 0.0.0.0 121.160.70.254
ip sla 11
icmp-echo 10.1.123.2   // the ping probe toward R2
timeout 1000           // give up on a reply after 1000 ms
frequency 1            // one probe per second
exit
ip sla schedule 11 life forever start-time now
track 1 rtr 11 reachability
exit
ip route 10.1.100.0 255.255.255.0 10.1.123.2 track 1
ip route 10.1.100.0 255.255.255.0 10.1.123.3 200
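An added example (not from the notes) that shows in Python what R1's IP SLA, `track` and the two static routes above do together: each `icmp-echo` probe either answers within `timeout` or not, the track object follows the last probe, and the routing table installs the tracked route to R2 while the track is up and falls back to the floating static via R3 (AD 200) while it is down. Addresses follow the lab; IOS's track up/down delay timers and the once-per-`frequency` scheduling are simplified to "one result per probe" and are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    distance: int = 1            # default administrative distance of a static route
    track: Optional[int] = None  # 'ip route ... track <n>': installed only while track <n> is up


def probe_results(rtts_ms: List[Optional[float]], timeout_ms: int) -> List[bool]:
    """One entry per IP SLA icmp-echo probe: True if a reply arrived within the timeout.
    None stands for 'no reply at all'."""
    return [rtt is not None and rtt <= timeout_ms for rtt in rtts_ms]


def select_route(routes: List[StaticRoute], prefix: str,
                 track_state: Dict[int, bool]) -> Optional[str]:
    """Pick the lowest-AD route for the prefix whose track object, if any, is up.
    Returns the next hop, or None when nothing is usable."""
    usable = [r for r in routes if r.prefix == prefix
              and (r.track is None or track_state.get(r.track, False))]
    if not usable:
        return None
    return min(usable, key=lambda r: r.distance).next_hop


def simulate(rtts_ms: List[Optional[float]], timeout_ms: int = 1000) -> List[Optional[str]]:
    """Next hop R1 uses for 10.1.100.0/24 after each probe result."""
    routes = [
        StaticRoute("10.1.100.0/24", "10.1.123.2", track=1),       # primary via R2, tied to track 1
        StaticRoute("10.1.100.0/24", "10.1.123.3", distance=200),  # floating static via R3
    ]
    chosen = []
    for reachable in probe_results(rtts_ms, timeout_ms):
        track_state = {1: reachable}     # 'track 1 rtr 11 reachability'
        chosen.append(select_route(routes, "10.1.100.0/24", track_state))
    return chosen


if __name__ == "__main__":
    # Constructed probe RTTs: two good replies, two lost probes, one good reply.
    print(simulate([5, 7, None, None, 6]))
```

A reply that arrives after the 1000 ms timeout counts as a failed probe, so a badly congested link flaps the route just like a dead one; that is why the notes pair the 1-second frequency with a link whose normal RTT is far below the timeout.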
SW
vlan 123
exit
interface range fa 1/8 - 10
switchport mode access
switchport access vlan 123
spanning-tree portfast
exit
R2
interface fa 0/1
no shutdown
ip address 10.1.123.2 255.255.255.0
exit
interface fa 0/0
no shutdown
exit
interface fa 0/0.100
encapsulation dot1q 100
ip address 10.1.100.2 255.255.255.0
exit
interface fa 0/0.200
encapsulation dot1q 200
ip address 10.1.200.2 255.255.255.0
exit
ip sla 11
icmp-echo 10.1.123.1   // R1's fa 0/1 address (the notes had 1.1.123.1)
timeout 1000
frequency 1
exit
ip sla schedule 11 life forever start-time now
track 1 rtr 11 reachability
exit
ip route 0.0.0.0 0.0.0.0 10.1.123.1
interface fa 0/0.100
standby 1 ip 10.1.100.254
standby 1 mac-address 0001.0001.0001
standby 1 priority 110
standby 1 track 1 decrement 50
standby 1 authentication md5 key-string cisco123
standby 1 preempt delay minimum 30
exit
interface fa 0/0.200
standby 2 ip 10.1.200.254
standby 2 mac-address 0002.0002.0002
standby 2 priority 90
standby 2 authentication md5 key-string cisco456
standby 2 preempt
exit
R3
interface fa 0/1
no shutdown
ip address 10.1.123.3 255.255.255.0
exit
interface fa 0/0
no shutdown
exit
interface fa 0/0.100
encapsulation dot1q 100
ip address 10.1.100.3 255.255.255.0
exit
interface fa 0/0.200
encapsulation dot1q 200
ip address 10.1.200.3 255.255.255.0
exit
ip sla 11
icmp-echo 10.1.123.1   // R1's fa 0/1 address (the notes had 1.1.123.1)
timeout 1000
frequency 1
exit
ip sla schedule 11 life forever start-time now
track 1 rtr 11 reachability
exit
ip route 0.0.0.0 0.0.0.0 10.1.123.1
interface fa 0/0.100
standby 1 ip 10.1.100.254
standby 1 mac-address 0001.0001.0001
standby 1 priority 90
standby 1 authentication md5 key-string cisco123
standby 1 preempt
exit
interface fa 0/0.200
standby 2 ip 10.1.200.254
standby 2 mac-address 0002.0002.0002
standby 2 priority 110
standby 2 authentication md5 key-string cisco456
standby 2 preempt delay minimum 30
standby 2 track 1 decrement 50
exit
Repeaters and optical transport gear: used when keepalives cannot get through; it is complicated
ip route 1.1.1.0 255.255.255.0 1.1.12.2       // next-hop form
ip route 1.1.1.0 255.255.255.0 serial 1/0     // exit-interface form
Administrative distances:
5: EIGRP summary
20: eBGP
90: EIGRP (internal)
100: IGRP
110: OSPF
115: IS-IS
120: RIP
160: ODR
170: EIGRP (external)
200: iBGP
254: DHCP
255: unknown (never installed)
RTR: Response Time Reporter (the old name of IP SLA)
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
VRRP (the standard). HSRP has active/standby; VRRP has master/backup:
R2 is the master, R3 is the backup
In VRRP:
R2 [master]
track 100 interface fa 0/1 line-protocol
interface fa 0/0.100
vrrp 1 description Group1_master_config
vrrp 1 ip 1.1.100.254
vrrp 1 preempt delay minimum 60
vrrp 1 priority 110
vrrp 1 timers advertise msec 500
vrrp 1 authentication md5 key-string cisco1
vrrp 1 track 100 decrement 50
R3 [backup]
interface fa 0/0.100
vrrp 1 description Group1_backup_config
vrrp 1 ip 1.1.100.254
vrrp 1 preempt
vrrp 1 priority 90
vrrp 1 timers learn
vrrp 1 authentication md5 key-string cisco1
Next week: GLBP