Tuesday 11 June 2024

What is Cisco intrusion detection systems (IDS) and intrusion prevention systems (IPS)? | What is the difference between IPS and IDS? | How to configure Cisco intrusion prevention systems (IPS)? cyber security | intrusion prevention

 An intrusion prevention system (IPS) is a network security tool is also known as Intrusion Detection and Prevention System. (which can be a hardware device or software). An intrusion prevention system (IPS) continuously monitors a network for malicious activity and takes action to prevent it, including reporting, blocking, or dropping it, when it does occur. intrusion prevention system (IPS) is placed inline in the network traffic flow between the source and destination. IPS analyzes all traffic flows that enter the network and can detect or prevent network security attacks.




What do IPS and IDS sensors do?

An IPS/IDS sensor is a device that continuously monitors the  traffic on the network and then makes a decision based on a set of rules to indicate whether that traffic is okay or whether it is malicious in some way. 


An intrusion prevention system (IPS) is placed directly inline with the flow of network traffic and each packet goes through the IPS sensor on its way. if the malicious traffic is found by the IPS it can drop the packet and deny reaching the destination based on the rules configured. this concept is called IPS. The IPS adds a small amount of delay before forwarding packets. because the IPS is inline, it can manipulate traffic inline based on a current set of rules. 

What is the inline sensor?

A sensor is placed inline with the traffic, which means whatever the network traffic is going through the network is forced to go in one physical port on the sensor and the sensor is going to analyze the traffic. let's take a look at inline topology. 




The instruction detection system also continuously monitors the network traffic analyzes the traffic identifies the malicious packets and generates alerts but IDS can not prevent the attack by dropping the packets because this is an intrusion detection system not prevention. The original packet is already on its way to reach the destination so how it can drop the packet. IDS is not inline with the flow of network traffic, IDS is sent copies of the original packets. IPS adds a small amount of delay but IDS does not add any delay to the original network traffic. IDS cannot manipulate any original inline traffic. let's take a look of IDS not inline. 



IPS/IDS sensor platform

We must use IPS/IDS sensors in our network and enhance network protection. Cisco has several IPS/IDS sensor platforms that enable us to implement network protection as follows:

  • A dedicated IPS appliance
  • Software based on the router
  • A module in an IOS router like AIM-IPS, NME-IPS
  • A multilayer switches a blade that works in a 6500 series
  • Cisco firepower7000/8000 series appliance
  • ASA with firepower services 


Malicious traffic on the network identification

IPS/IDS sensors can identify the malicious packets in the network in many different ways based on the rules that are placed in the sensors, some of the rules are default, and some we can create or modify. There are several different methods IPS/IDS sensors can be configured for identifying malicious traffic.

  • Signature-based IPS/IDS
  • Policy-based IPS/IDS
  • Anomaly-based IPS/IDS
  • Reputation-based IPS/IDS

(in the next we will look deeply into these methods and actions)


Let's see how to configure the IOS Intrusion Prevention System (IPS)

Topology:-configure IOS Intrusion Prevention System (IPS)




Goal: The task is to enable IPS on R1 to scan traffic entering the 192.168.10.0 network. the Syslog server 192.168.10.20 is used to log IPS messages. From the pc-red zone attempting to ping the PC-green zone should fail and from the pc-green zone attempting to ping the PC-red zone should pass.

  • Enable IOS IPS 
  • Enable the security technology package
  • Verify network connectivity
  • Create an IOS IPS configuration directory in Flash
  • Configure the IPS signature location
  • Create an IPS rule
  • Enable logging
  • Configure IOS IPS to use the signature categories
  • Apply the IPS rule to an interface

  • Modify the signature 
  • Change the event action of the signature
  • Verify that IPS is working properly 
  • Fom pc-redzone attempt to ping PC-greenzone should fail
  • From pc-greenzone attempt to ping PC-redzone should pass
  • View the Syslog messages





Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 192.168.20.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
 
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
 
Router(config)#ip route 192.168.40.0 255.255.255.0 192.168.20.2
Router(config)#exit
 
Router2(config)#interface gigabitEthernet 0/1
Router2(config-if)#ip address 192.168.20.2 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
 
Router2(config)#interface gigabitEthernet 0/0
Router2(config-if)#ip address 192.168.30.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
 
Router2(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1
Router2(config)#ip route 192.168.40.0 255.255.255.0 192.168.30.2
Router2(config)#exit
Router3(config)#interface gigabitEthernet 0/0
Router3(config-if)#ip address 192.168.30.2 255.255.255.0
Router3(config-if)#no shutdown
Router3(config-if)#exit
 
Router3(config)#interface gigabitEthernet 0/1
Router3(config-if)#ip address 192.168.40.1 255.255.255.0
Router3(config-if)#no shutdown
Router3(config-if)#exit
 
Router3(config)#ip route 192.168.10.0 255.255.255.0 192.168.30.1
Router3(config)#exit
 
 
 
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
 
Gateway of last resort is not set
 
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
L 192.168.10.1/32 is directly connected, GigabitEthernet0/1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, GigabitEthernet0/0
L 192.168.20.1/32 is directly connected, GigabitEthernet0/0
S 192.168.40.0/24 [1/0] via 192.168.20.2
 
 
 
 
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
 
Gateway of last resort is not set
 
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
L 192.168.10.1/32 is directly connected, GigabitEthernet0/1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, GigabitEthernet0/0
L 192.168.20.1/32 is directly connected, GigabitEthernet0/0
S 192.168.40.0/24 [1/0] via 192.168.20.2
 
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
 
Gateway of last resort is not set
 
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
L 192.168.10.1/32 is directly connected, GigabitEthernet0/1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, GigabitEthernet0/0
L 192.168.20.1/32 is directly connected, GigabitEthernet0/0
S 192.168.40.0/24 [1/0] via 192.168.20.2
 
 
 
 
Router#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc2)
 
 
License Info:
 
License UDI:
 
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO1941/K9 FTX1524UTQ7-
 
 
Technology Package License Information for Module:'c1900'
 
----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
-----------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security None None None
data None None None
 
Configuration register is 0x2102
 
 
Router(config)#license boot module c1900 technology-package securityk9
 
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE
 
ACCEPT? [yes/no]: yes
% use 'write' command to make license boot config take effect on next boot
 
Router(config)#: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C1900 Next reboot level = securityk9 and License = securityk9
 
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
 
Router#reload
Proceed with reload? [confirm]

Router#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir

Router(config)#ip ips config location flash:ipsdir

Router(config)#ip ips ?
config Location of IPS configuration files
fail Specify what to do during any failures
name Specify an IPS rule
notify Specify the notification mechanisms (SDEE or log) for
the alarms
signature-category Signature Category
signature-definition Signature Definition

Router(config)#ip ips name iosips
Router(config)#ip ips notify log
Router(config)#service timestamps log datetime msec
Router(config)#logging host 192.168.10.20
Router(config)#ip ips signature-category


Router(config-ips-category)#?

category Category keyword

exit Exit from Category Mode

no Negate or set default values of a command



Router(config-ips-category)#category all


Router(config-ips-category-action)#?

exit Exit from Category Actions Mode

no Negate or set default values of a command

retired Retire Category Signatures



Router(config-ips-category-action)#retired true

Router(config-ips-category-action)#exit


Router(config-ips-category)#category ?

all All Categories

ios_ips IOS IPS (more sub-categories


Router(config-ips-category)#category ios_ips basic

Router(config-ips-category-action)#retired false

Router(config-ips-category-action)#exit

Router(config-ips-category)#exit


Do you want to accept these changes? [confirm]

Applying Category configuration to signatures ...

%IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 6 of 13 engines

%IPS-6-ENGINE_READY: atomic-ip - build time 30 ms - packets for this engine will be scanned

Router(config)#interface gigabitEthernet 0/1

Router(config-if)#ip ips iosips out

Router(config-if)#exit


*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_BUILDS_STARTED: 00:16:37 UTC Mar 01 1993

*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines

*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned

*Mar 01, 00:16:37.1616: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms


*Mar 01, 00:16:53.1616: %SYS-5-CONFIG_I: Configured from console by console

*Mar 01, 00:16:53.1616: *Mar 01, 00:16:53.1616: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.10.20 port 514 started - CLI initiated



Router(config)#ip ips signature-definition

Router(config-sigdef)#signature 2004 0

Router(config-sigdef-sig)#status

Router(config-sigdef-sig-status)#retired false

Router(config-sigdef-sig-status)#enable true

Router(config-sigdef-sig-status)#exit



Router(config-sigdef-sig)#?

engine Engine

exit Exit from Signature Definition Mode

status Status


Router(config-sigdef-sig)#engin

Router(config-sigdef-sig-engine)#event-action ?

deny-packet-inline Deny Packet

produce-alert Produce Alert

Router(config-sigdef-sig-engine)#event-action produce-alert

Router(config-sigdef-sig-engine)#event-action deny-packet-inline

Router(config-sigdef-sig-engine)#exit

Router(config-sigdef-sig)#exit

Router(config-sigdef)#exit


Do you want to accept these changes? [confirm]


%IPS-6-ENGINE_BUILDS_STARTED:

%IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines

%IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned

%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms




Router#show ip ips all

IPS Signature File Configuration Status

Configured Config Locations: flash:ipsdir

Last signature default load time:

Last signature delta load time:

Last event action (SEAP) load time: -none-


General SEAP Config:

Global Deny Timeout: 3600 seconds

Global Overrides Status: Enabled

Global Filters Status: Enabled


IPS Auto Update is not currently configured


IPS Syslog and SDEE Notification Status

Event notification through syslog is enabled

Event notification through SDEE is enabled


IPS Signature Status

Total Active Signatures: 1

Total Inactive Signatures: 0


IPS Packet Scanning and Interface Status

IPS Rule Configuration

IPS name iosips

IPS fail closed is disabled

IPS deny-action ips-interface is false

Fastpath ips is enabled

Quick run mode is enabled

Interface Configuration

Interface GigabitEthernet0/1

Inbound IPS rule is not set

Outgoing IPS rule is iosips


IPS Category CLI Configuration:

Category all

Retire: True

Category ios_ips basic

Retire: False


C:\>ipconfig


FastEthernet0 Connection:(default port)


Link-local IPv6 Address.........: FE80::202:16FF:FE76:76AD

IP Address......................: 192.168.10.10

Subnet Mask.....................: 255.255.255.0

Default Gateway.................: 192.168.10.1


Bluetooth Connection:


Link-local IPv6 Address.........: ::

IP Address......................: 0.0.0.0

Subnet Mask.....................: 0.0.0.0

Default Gateway.................: 0.0.0.0


C:\>ping 192.168.40.10


Pinging 192.168.40.10 with 32 bytes of data:


Reply from 192.168.40.10: bytes=32 time<1ms TTL=125

Reply from 192.168.40.10: bytes=32 time<1ms TTL=125

Reply from 192.168.40.10: bytes=32 time<1ms TTL=125

Reply from 192.168.40.10: bytes=32 time=2ms TTL=125


Ping statistics for 192.168.40.10:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 2ms, Average = 0ms



C:\>ipconfig


FastEthernet0 Connection:(default port)


Link-local IPv6 Address.........: FE80::201:43FF:FEBA:6555

IP Address......................: 192.168.40.10

Subnet Mask.....................: 255.255.255.0

Default Gateway.................: 192.168.40.1


Bluetooth Connection:


Link-local IPv6 Address.........: ::

IP Address......................: 0.0.0.0

Subnet Mask.....................: 0.0.0.0

Default Gateway.................: 0.0.0.0


C:\>ping 192.168.10.10


Pinging 192.168.10.10 with 32 bytes of data:


Request timed out.

Request timed out.

Request timed out.

Request timed out.


Ping statistics for 192.168.10.10:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


C:\>ping 192.168.10.10


Pinging 192.168.10.10 with 32 bytes of data:


Request timed out.

Request timed out.

Request timed out.

Request timed out.


Ping statistics for 192.168.10.10:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


C:\>







Router#

*Mar 01, 00:25:49.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:25:55.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:26:01.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:26:07.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:27:35.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:27:41.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:27:47.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:27:53.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25









Friday 22 March 2024

What is Virtual Router Redundancy Protocol (VRRP)? How to configure Virtual Router Redundancy Protocol (VRRP)?

 Virtual Router Redundancy Protocol (VRRP) is a gateway redundancy networking protocol used to create a virtual gateway similar to HSRP. VRRP enhances the availability of default gateway for devices on a LAN.

VRRP is an IEEE standard gateway redundancy protocol. VRRP uses the multicast group IP address 224.0.0.18 and transport port number UDP 112. VRRP does not provide load balancing like GLBP does. VRRP advertise timer is 1 second and master down time is 3 advertisements. yes, we can change the timer and priority, if both router priorities are the same then the highest IP address is a tiebreaker. One router becomes the master and the rest of the routers are for backup in case of failover of the master. If the master router is back on, it will automatically become a master router. By default, pre-empt is on in VRRP.

(Please take a look at HSRP and GLBP click here)


Let's see the configuration for a better understanding:- 


Topology:-


Goal:

  • configure the topology as per the diagram 
  • assign the IP address as per the topology 
  • assign the IP addresses on PCs and default gateway 100.1.1.100
  • configure a default route on router 1 and router 2 
  • configure router 3 to act as ISP router and assign IP on loopbacks
  • configure static routing on router 3
  • configure VRRP on router 1 and make this router master 
  • configure VRRP authentication MD5 internet
  • configure VRRP on router 2 and make this router backup
  • make sure LAN traffic can access the internet routes
  • make the event failover and ensure router 2 which is for the back, becomes the master. 




VRRP-PRIME-R1-(config)#interface serial 4/0
VRRP-PRIME-R1-(config-if)#ip address 13.1.1.1 255.0.0.0
VRRP-PRIME-R1-(config-if)#no shutdown
VRRP-PRIME-R1-(config-if)#exit

VRRP-PRIME-R1-(config)#interface fastethernet 1/1
VRRP-PRIME-R1-(config-if)#ip address 100.1.1.10 255.255
VRRP-PRIME-R1-(config-if)#ip address 100.1.1.10 255.255.255.0
VRRP-PRIME-R1-(config-if)#no shutdown
VRRP-PRIME-R1-(config-if)#exit
 
VRRP-SEC-R2-(config)#interface serial 4/1
VRRP-SEC-R2-(config-if)#ip address 23.2.2.1 255.0.0.0
VRRP-SEC-R2-(config-if)#no shutdown
VRRP-SEC-R2-(config-if)#exit

VRRP-SEC-R2-(config)#interface fastethernet 0/0
VRRP-SEC-R2-(config-if)#ip address 100.1.1.20 255.255.255.0
VRRP-SEC-R2-(config-if)#no shutdown
VRRP-SEC-R2-(config-if)#exit
 
 
 
R3(config)#hostname ISP-R3-
ISP-R3-(config)#interface serial 4/1
ISP-R3-(config-if)#ip address 23.2.2.2 255.0.0.0
ISP-R3-(config-if)#no shutdown
ISP-R3-(config-if)#exit
 
ISP-R3-(config)#interface serial 4/0
ISP-R3-(config-if)#ip address 13.1.1.2 255.0.0.0
ISP-R3-(config-if)#no shutdown
ISP-R3-(config-if)#exit

ISP-R3-(config-if)#ip address 33.1.1.1 255.255.255.0
ISP-R3-(config-if)#exit

ISP-R3-(config)#interface loopback 1
ISP-R3-(config-if)#ip address 33.1.1.1 255.255.255.0
ISP-R3-(config-if)#exit

ISP-R3-(config)#interface loopback 2
ISP-R3-(config-if)#ip address 33.1.2.1 255.255.255.0
ISP-R3-(config-if)#exit
 
 
PC1> ip 100.1.1.2 255.255.255.0 100.1.1.100
Checking for duplicate address...
PC1 : 100.1.1.2 255.255.255.0 gateway 100.1.1.100
 
PC1> show ip
 
NAME        : PC1[1]
IP/MASK     : 100.1.1.2/24
GATEWAY     : 100.1.1.100

DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10031
RHOST:PORT  : 127.0.0.1:10032
MTU:        : 1500
 
PC1>
 
 
PC2> ip 100.1.1.3 255.255.255.0 100.1.1.100
Checking for duplicate address...
PC1 : 100.1.1.3 255.255.255.0 gateway 100.1.1.100
 
PC2> show ip
 
NAME        : PC2[1]
IP/MASK     : 100.1.1.3/24
GATEWAY     : 100.1.1.100

DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10033
RHOST:PORT  : 127.0.0.1:10034
MTU:        : 1500
 
PC2>
 
 
 
PC3> ip 100.1.1.4 255.255.255.0 100.1.1.100
Checking for duplicate address...
PC1 : 100.1.1.4 255.255.255.0 gateway 100.1.1.100
 
PC3> show ip
 
NAME        : PC3[1]
IP/MASK     : 100.1.1.4/24
GATEWAY     : 100.1.1.100

DNS         :
MAC         : 00:50:79:66:68:02
LPORT       : 10035
RHOST:PORT  : 127.0.0.1:10036
MTU:        : 1500
 
PC3>
 
 
 
PC4> ip 100.1.1.5 255.255.255.0 100.1.1.100
Checking for duplicate address...
PC1 : 100.1.1.5 255.255.255.0 gateway 100.1.1.100
 
PC4> show ip
 
NAME        : PC4[1]
IP/MASK     : 100.1.1.5/24
GATEWAY     : 100.1.1.100

DNS         :
MAC         : 00:50:79:66:68:03
LPORT       : 10037
RHOST:PORT  : 127.0.0.1:10038
MTU:        : 1500
 
PC4>

VRRP-PRIME-R1-(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0
VRRP-PRIME-R1-(config)#exit
 
VRRP-SEC-R2-(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1
VRRP-SEC-R2-(config)#exit
 
VRRP-PRIME-R1-(config)#interface fastethernet 1/1
VRRP-PRIME-R1-(config-if)#vrrp 100 ip 100.1.1.100



VRRP-PRIME-R1-(config-if)#vrrp 100 priority 120
VRRP-PRIME-R1-(config-if)#vrrp 100 authentication md5 key-string internet
VRRP-PRIME-R1-(config-if)#vrrp 100 track 1
VRRP-PRIME-R1-(config-if)#exit

*Mar 21 22:54:11.779: %VRRP-6-STATECHANGE: Fa1/1 Grp 100 state Init -> Backup

*Mar 21 22:54:15.391: %VRRP-6-STATECHANGE: Fa1/1 Grp 100 state Backup -> Master

VRRP-PRIME-R1-(config)#track 1 interface serial 4/0 line-protocol
VRRP-PRIME-R1-(config-track)#interface fastethernet 1/1
VRRP-PRIME-R1-(config-if)#vrrp 100 track 1 decrement 30
VRRP-PRIME-R1-(config-if)#exit


 
VRRP-SEC-R2-(config)#interface fastethernet 0/0
VRRP-SEC-R2-(config-if)#vrrp 100 ip 100.1.1.100
VRRP-SEC-R2-(config-if)#vrrp 100 authentication md5 key-string  internet
VRRP-SEC-R2-(config-if)#end

 *Mar 21 23:01:28.271: %VRRP-6-STATECHANGE: Fa0/0 Grp 100 state Init -> Backup

*Mar 21 23:01:31.883: %VRRP-6-STATECHANGE: Fa0/0 Grp 100 state Backup -> Master
*Mar 21 23:01:58.271: %VRRP-6-STATECHANGE: Fa0/0 Grp 100 state Master -> Backup



ISP-R3-(config)#ip route 100.1.1.0 255.255.255.0 serial 4/0
ISP-R3-(config)#ip route 100.1.1.0 255.255.255.0 serial 4/1 10
ISP-R3-(config)#exit
 
VRRP-PRIME-R1-#show vrrp interface fastEthernet 1/1
FastEthernet1/1 - Group 100
  State is Master
  Virtual IP address is 100.1.1.100
  Virtual MAC address is 0000.5e00.0164
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 120
    Track object 1 state Up decrement 30
  Authentication MD5, key-string
  Master Router is 100.1.1.10 (local), priority is 120
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.531 sec
 
VRRP-PRIME-R1-#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Fa1/1              100 120 3531       Y  Master  100.1.1.10      100.1.1.100
 
 
VRRP-SEC-R2-#show vrrp
FastEthernet0/0 - Group 100
  State is Backup
  Virtual IP address is 100.1.1.100
  Virtual MAC address is 0000.5e00.0164
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Authentication MD5, key-string
  Master Router is 100.1.1.10, priority is 120
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 2.989 sec)
 
VRRP-SEC-R2-#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0              100 100 3609       Y  Backup  100.1.1.10      100.1.1.100
 
 
PC1> ping 33.1.1.1
84 bytes from 33.1.1.1 icmp_seq=1 ttl=254 time=49.541 ms
84 bytes from 33.1.1.1 icmp_seq=2 ttl=254 time=47.846 ms
84 bytes from 33.1.1.1 icmp_seq=3 ttl=254 time=46.660 ms
84 bytes from 33.1.1.1 icmp_seq=4 ttl=254 time=47.615 ms
84 bytes from 33.1.1.1 icmp_seq=5 ttl=254 time=48.413 ms
 
 
PC3> ping 33.1.2.1
84 bytes from 33.1.2.1 icmp_seq=1 ttl=254 time=47.187 ms
84 bytes from 33.1.2.1 icmp_seq=2 ttl=254 time=47.018 ms
84 bytes from 33.1.2.1 icmp_seq=3 ttl=254 time=46.555 ms
84 bytes from 33.1.2.1 icmp_seq=4 ttl=254 time=32.160 ms
84 bytes from 33.1.2.1 icmp_seq=5 ttl=254 time=48.195 ms
 
PC4> ping 33.1.3.1
84 bytes from 33.1.3.1 icmp_seq=1 ttl=254 time=46.460 ms
84 bytes from 33.1.3.1 icmp_seq=2 ttl=254 time=46.906 ms
84 bytes from 33.1.3.1 icmp_seq=3 ttl=254 time=47.081 ms
84 bytes from 33.1.3.1 icmp_seq=4 ttl=254 time=47.244 ms
84 bytes from 33.1.3.1 icmp_seq=5 ttl=254 time=47.286 ms
 
 
VRRP-PRIME-R1-(config)#interface fastEthernet 1/1
VRRP-PRIME-R1-(config-if)#shutdown

*Mar 21 23:25:48.295: %VRRP-6-STATECHANGE: Fa1/1 Grp 100 state Master -> Init

 
VRRP-SEC-R2-#show vrrp
FastEthernet0/0 - Group 100
  State is Master
  Virtual IP address is 100.1.1.100
  Virtual MAC address is 0000.5e00.0164
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Authentication MD5, key-string
  Master Router is 100.1.1.20 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec


Monday 18 March 2024

What Bootstrap Router (BSR) ? How to configure Multicast PIM Bootstrap Router (BSR)?


What is Rendezvous's point?

The rendezvous point is a meeting point in the Multicast PIM sparse mode for all the multicast traffic. We have two ways to configure the Rendezvous point manually and automatically. Manual RP is for small networks and Auto RP is for large networks.

 

We have two discovery protocols for finding the Rendezvous point on the multicast network

 

1.     Auto Rendezvous point (Auto-RP)

2.     PIMv2 bootstrap router (BSR)

Multicast Bootstrap Router (BSR) 

Multicast PIM Bootstrap, also known as Protocol Independent Multicast (PIM) Bootstrap, is a protocol used in multicast routing to efficiently manage multicast traffic distribution in a network. PIM BSR router function is similar to Auto-RP but BSR is a standard-based protocol PIMv2 standard and also BSR supports IPv6 multicast. 

 




How does Multicast Bootstrap Router (BSR) work? 

 

  • Candidate BSR: Bootstrap Router collects information from the available Rendezvous points in the multicast network and advertises it on PIM-enabled interfaces throughout the multicast network. 
  • Candidate Rendezvous Point: Uses unicast PIM to advertise itself to BSR. 
  • BSR messages are sent hop-by-hop using multicast address 224.0.0.13 with a TTL of 1. These messages are routed only within the local segment.
  • When a multicast router receives a BSR message, it re-sends it to all other PIM-enabled interfaces.
  • BSR messages contain information about the BSR itself and RP-to-group mappings.

BSR vs. Auto-RP:

  • BSR is a standard protocol included in PIMv2, whereas Auto-RP is a Cisco proprietary protocol.
  • BSR uses unicast packets for RP announcements, while Auto-RP uses multicast.
  • BSR does not select the RP; it advertises all RPs with their associated multicast groups, allowing multicast routers to choose the RP they prefer.

 

 

Let's see the topology as per the diagram?

 

 

Topology:-https://youtu.be/vWHXTLczQUs?si=bduAb8ruzpumR8O1

 



 

Goal:

 

1.     configure the topology as per the diagram 

2.     configure IP addresses as per the topology

3.     configure IGP OSPF and advertise directly connected interfaces

4.     enable Multicasting on all the router

5.     configure PIM-SM on all interfaces 

6.     configure IGMP-group  224.50.50.50 on router 5 fa0/0

7.     configure Router 5 to advertise themselves as Rendezvous Point for all the groups

 

 

 

R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit
 
R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 4/1
R2(config-if)#ip address 2.2.2.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit


R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 20.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#no keepalive
R2(config-if)#exit
 
R3(config)#interface serial 4/1
R3(config-if)#ip address 2.2.2.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit


R3(config)#interface serial 4/2
R3(config-if)#ip address 3.3.3.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit


R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.1.1.1 255.0.0.0
R3(config-if)#no keepalive
R3(config-if)#no shutdown
R3(config-if)#exit
 
R4(config)#interface serial 4/2
R4(config-if)#ip address 3.3.3.2 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface serial 4/4
R4(config-if)#ip address 5.5.5.2 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#exit


R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 40.1.1.1 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit
 
R5(config)#interface serial 4/4
R5(config-if)#ip address 5.5.5.1 255.0.0.0
R5(config-if)#no shutdown
R5(config-if)#exit

R1(config)#router ospf 100
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#exit
 
*Mar 16 12:21:51.463: %OSPF-5-ADJCHG: Process 100, Nbr 20.1.1.1 on Serial4/0 from LOADING to FULL, Loading Done
 
R2(config)#router ospf 100
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#network 2.0.0.0 0.255.255.255 area 0
R2(config-router)#exit
 
*Mar 16 12:22:02.455: %OSPF-4-DUP_RTRID_NBR: OSPF detected duplicate router-id 20.1.1.1 from 2.2.2.2 on interface Serial4/1
*Mar 16 12:21:51.299: %OSPF-5-ADJCHG: Process 100, Nbr 10.1.1.1 on Serial4/0 from LOADING to FULL, Loading Done

 
R3(config)#router ospf 100
R3(config-router)#network 30.0.0.0 0.255.255.255 area 0
R3(config-router)#network 2.0.0.0 0.255.255.255 area 0
R3(config-router)#network 3.0.0.0 0.255.255.255 area 0
R3(config-router)#exit
 
R4(config)#router ospf 100
R4(config-router)#network 40.0.0.0 0.255.255.255 area 0
R4(config-router)#network 3.0.0.0 0.255.255.255 area 0
R4(config-router)#network 5.0.0.0 0.255.255.255 area 0
R4(config-router)#exit
*Mar 16 12:34:31.987: %OSPF-5-ADJCHG: Process 100, Nbr 50.1.1.1 on Serial4/4 from LOADING to FULL, Loading Done
*Mar 16 12:32:10.451: %OSPF-5-ADJCHG: Process 100, Nbr 30.1.1.1 on Serial4/2 from LOADING to FULL, Loading Done

 
R5(config)# router ospf 100
R5(config-router)#network 50.0.0.0 0.255.255.255 area 0
R5(config-router)#network 5.0.0.0 0.255.255.255 area 0
R5(config-router)#exit
*Mar 16 12:34:31.687: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on Serial4/4 from LOADING to FULL, Loading Done
 
 
R1(config)#ip multicast-routing
R1(config)#interface serial 4/0
R1(config-if)#ip pim sparse-mode
R1(config-if)#exit
 
R1(config)#interface fastethernet 0/0
R1(config-if)#ip pim sparse-mode
R1(config-if)#exit
 
R2(config)#ip multicast-routing
R2(config)#interface serial 4/0
R2(config-if)#ip pim sparse-mode
R2(config-if)#exit
 
R2(config)#interface serial 4/1
R2(config-if)#ip pim sparse-mode
R2(config-if)#exit
R2(config)#exit
 
*Mar 16 12:46:14.519: %PIM-5-NBRCHG: neighbor 1.1.1.1 UP on interface Serial4/0
*Mar 16 12:46:58.943: %PIM-5-NBRCHG: neighbor 2.2.2.2 UP on interface Serial4/1

R3(config)#ip multicast-routing
R3(config)#interface serial 4/1
R3(config-if)#ip pim sparse-mode
R3(config-if)#exit
 
R3(config)#interface serial 4/2
R3(config-if)#ip pim sparse-mode
R3(config-if)#exit
 
R3(config)#interface fastethernet 0/0
R3(config-if)#ip pim sparse-mode
R3(config-if)#exit
*Mar 16 12:46:58.947: %PIM-5-NBRCHG: neighbor 2.2.2.1 UP on interface Serial4/1
*Mar 16 12:47:59.979: %PIM-5-NBRCHG: neighbor 3.3.3.2 UP on interface Serial4/2

 
 
R4(config)#ip multicast-routing
R4(config)#interface serial 4/2
R4(config-if)#ip pim sparse-mode
R4(config-if)#exit
R4(config)#interface serial 4/3
R4(config-if)#ip pim sparse-mode
R4(config-if)#exit
 
*Mar 16 12:47:59.783: %PIM-5-NBRCHG: neighbor 3.3.3.1 UP on interface Serial4/2
*Mar 16 13:09:18.855: %PIM-5-NBRCHG: neighbor 5.5.5.1 UP on interface Serial4/4

 
R5(config)#interface loopback 0
R5(config-if)#ip address 15.1.1.1 255.255.255.0
R5(config-if)#no shutdown
R5(config-if)#exit
R5(config)#router ospf 100
R5(config-router)#network 15.1.1.0 255.0.0.0 area 0
R5(config-router)#exit
 
R5(config)#ip multicast-routing
R5(config)#interface serial 4/4
R5(config-if)#ip pim sparse-mode
R5(config-if)#exit
 
R5(config)#interface loopback 0
R5(config-if)#ip pim sparse-mode
R5(config-if)#exit
 
R5(config)#interface fastEthernet 0/0
R5(config-if)#ip igmp join-group 224.50.50.50
R5(config-if)#exit
 
R5(config)#interface f0/0
R5(config-if)#ip pim sparse-mode
R5(config-if)#exit
 
*Mar 16 13:42:16.819: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 50.1.1.1 on interface FastEthernet0/0
 
R5(config)#ip pim rp-candidate loopback 0
R5(config)#ip pim bsr-candidate loopback 0
 
R5(config)#do show ip pim rp mapping
PIM Group-to-RP Mappings
This system is a candidate RP (v2)
This system is the Bootstrap Router (v2
)
 
Group(s) 224.0.0.0/4
  RP 15.1.1.1 (?), v2
    Info source: 15.1.1.1 (?), via bootstrap, priority 0, holdtime 150
         Uptime: 00:00:58, expires: 00:01:29
 
R1#show ip pim rp mapping
PIM Group-to-RP Mappings
 
Group(s) 224.0.0.0/4
  RP 15.1.1.1 (?), v2
    Info source: 15.1.1.1 (?), via bootstrap, priority 0, holdtime 150
         Uptime: 00:07:26, expires: 00:02:01

 
 
R1#ping 224.50.50.50
 
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.50.50.50, timeout is 2 seconds:
 
Reply to request 0 from 5.5.5.1, 116 ms
Reply to request 0 from 5.5.5.1, 144 ms

 
 
R2#show ip pim rp mapping
PIM Group-to-RP Mappings
 
Group(s) 224.0.0.0/4
  RP 15.1.1.1 (?), v2
    Info source: 15.1.1.1 (?), via bootstrap, priority 0, holdtime 150
         Uptime: 00:41:52, expires: 00:01:4
7
R2#ping 224.50.50.50
 
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.50.50.50, timeout is 2 seconds:
 
Reply to request 0 from 5.5.5.1, 108 ms
Reply to request 0 from 5.5.5.1, 128 ms

 
R3#show ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
2.2.2.1           Serial4/1                01:06:01/00:01:35 v2    1 / S P
3.3.3.2           Serial4/2                01:05:00/00:01:24 v2    1 / S P
R3#
R3#show ip pim rp mapping
PIM Group-to-RP Mappings
 
Group(s) 224.0.0.0/4
  RP 15.1.1.1 (?), v2
    Info source: 15.1.1.1 (?), via bootstrap, priority 0, holdtime 150
         Uptime: 00:42:53, expires: 00:01:44
 
R4#show ip pim interface
 
Address          Interface                Ver/   Nbr    Query  DR     DR
                                          Mode   Count  Intvl  Prior
3.3.3.2          Serial4/2                v2/S   1      30     1      0.0.0.0
4.4.4.1          Serial4/3                v2/S   0      30     1      0.0.0.0
5.5.5.2          Serial4/4                v2/S   1      30     1      0.0.0.0
R4#show ip pim rp mapping
PIM Group-to-RP Mappings
 
Group(s) 224.0.0.0/4
  RP 15.1.1.1 (?), v2
    Info source: 15.1.1.1 (?), via bootstrap, priority 0, holdtime 150
         Uptime: 00:43:22, expires: 00:02:18


R4#ping 224.50.50.50
 
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.50.50.50, timeout is 2 seconds:
 
Reply to request 0 from 5.5.5.1, 24 ms
Reply to request 0 from 5.5.5.1, 64 ms

 

 
R2#show ip pim bsr-router
PIMv2 Bootstrap information
  BSR address: 15.1.1.1 (?)
  Uptime:      00:44:28, BSR Priority: 0, Hash mask length: 0
  Expires:     00:01:54
x

 

How to configure the DHCP server on a Cisco ASA device?

How to configure the DHCP server on a Cisco ASA device?    DHCP (Dynamic Host Configuration Protocol) servers provide all the basic informat...