On R2
R2#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    101 P Active  local           unknown         10.1.1.22
Fa0/0       2    100   Standby 10.1.1.3        local           10.1.1.33
On R3
R3#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Active  local           unknown         10.1.1.22
Fa0/0       2    101 P Active  local           10.1.1.2        10.1.1.33
Let’s verify the configuration in detail:
On R2
R2#Show Standby | Inc Authentication
Authentication text "Cisco"
Let’s configure R3 to authenticate using “Cisco” as the string:
On R3
R3(config)#Int F0/0
R3(config-if)#Standby 1 authentication Cisco
To verify the configuration
On R3
R3#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Standby 10.1.1.2        local           10.1.1.22
Fa0/0       2    101 P Active  local           10.1.1.2        10.1.1.33
On R2
R2#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    101 P Active  local           10.1.1.3        10.1.1.22
Fa0/0       2    100   Standby 10.1.1.3        local           10.1.1.33
Task 11
Configure HSRP group 2 to be MD5 authenticated using “HSRP” as the password.
On R2 and R3
Rx(config)#Key chain tst
Rx(config-keychain)#Key 1
Rx(config-keychain-key)#Key-string HSRP
Rx(config)#Int F0/0
Rx(config-if)#Standby 2 authentication md5 key-chain tst
To verify the configuration
On R3
R3#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Standby 10.1.1.2        local           10.1.1.22
Fa0/0       2    101 P Active  local           10.1.1.2        10.1.1.33
On R2
R2#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    101 P Active  local           10.1.1.3        10.1.1.22
Fa0/0       2    100   Standby 10.1.1.3        local           10.1.1.33
R2#Show Standby | Inc Authentication|Group
FastEthernet0/0 - Group 1
  Authentication text "Cisco"
  Group name is "R2-3-HSRP-G1" (cfgd)
FastEthernet0/0 - Group 2
  Authentication MD5, key-chain "tst"
  Group name is "hsrp-Fa0/0-2" (default)
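The check below is an added example, not part of the original lab: it parses the “Show Standby | Inc Authentication|Group” output shown above and classifies each HSRP group by authentication type, because a text string such as “Cisco” is carried in clear text in every HSRP hello, while MD5 authentication sends only a keyed hash. The function names and the finding labels are assumptions made for this example.

```python
import re

# Constructed sample input: the R2 output shown above, one item per line.
SAMPLE = '''\
FastEthernet0/0 - Group 1
  Authentication text "Cisco"
  Group name is "R2-3-HSRP-G1" (cfgd)
FastEthernet0/0 - Group 2
  Authentication MD5, key-chain "tst"
  Group name is "hsrp-Fa0/0-2" (default)
'''

GROUP_RE = re.compile(r'^\s*(\S+) - Group (\d+)\s*$')
TEXT_RE = re.compile(r'^\s*Authentication text "(.*)"\s*$')
MD5_RE = re.compile(r'^\s*Authentication MD5\b')


def audit_hsrp_auth(output):
    """Return {(interface, group): finding} for each HSRP group in the output.

    Findings (labels chosen for this example):
      "plaintext"  - text authentication, string readable on the wire
      "md5"        - MD5 authentication
      "none-shown" - no Authentication line was printed for the group
    """
    findings = {}
    current = None
    for line in output.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            findings[current] = "none-shown"
        elif current and TEXT_RE.match(line):
            findings[current] = "plaintext"
        elif current and MD5_RE.match(line):
            findings[current] = "md5"
    return findings


def groups_needing_md5(output):
    """List the groups that are not yet protected by MD5 authentication."""
    return sorted(k for k, v in audit_hsrp_auth(output).items() if v != "md5")


if __name__ == "__main__":
    for (intf, grp), finding in sorted(audit_hsrp_auth(SAMPLE).items()):
        print(f"{intf} group {grp}: {finding}")
```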
Task 12
The F0/0 interfaces of R2 and R3 are connected to SW1’s ports F0/2 and F0/3 respectively.
Configure SW1’s F0/2 and F0/3 interfaces with “Port-Security” using the default parameters. Configure HSRP to accommodate this request.
The default parameters of “Port-Security” allow only a single MAC address to be attached to a port. How are we going to configure this task, since HSRP will also use a virtual MAC address? Let’s see the MAC address table of SW1:
On SW1
SW1#Show mac-address-table dynamic vlan 234
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 234    0000.0c07.ac01    DYNAMIC     Fa0/2
 234    0000.0c07.ac02    DYNAMIC     Fa0/3
 234    000e.84b9.bf10    DYNAMIC     Fa0/4
 234    000e.84de.46e0    DYNAMIC     Fa0/3
 234    0014.a932.f9f0    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 5
You can see that each of the router-facing ports on the switch has learned two MAC addresses: the HSRP VMAC and the MAC address of the router. Therefore, if “Port-Security” is configured on F0/2 and F0/3, the ports will transition into the “err-disable” state.
On R2 and R3
Rx(config)#int f0/0
Rx(config-if)#Standby use-bia
Rx(config-if)#Shut
Rx(config-if)#No Shut
To verify the configuration:
On SW1
SW1#Show mac-address-table dynamic vlan 234
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 234    000e.84b9.bf10    DYNAMIC     Fa0/4
 234    000e.84de.46e0    DYNAMIC     Fa0/3
 234    0014.a932.f9f0    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 3
NOTE: HSRP uses the MAC addresses of the routers instead of the default HSRP MAC addresses.
Let’s enable port-security on the F0/2 and F0/3 interfaces of SW1:
On SW1
SW1(config)#Int Range f0/2-3
SW1(config-if-range)#Switchport port-security
To verify the configuration:
On SW1
SW1#Show port-security interface F0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0014.a932.f9f0:234
Security Violation Count   : 0
On R2
R2#Show interface F0/0 | Inc bia
Hardware is Gt96k FE, address is 0014.a932.f9f0 (bia 0014.a932.f9f0)
SW1#Show port-security interface F0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000e.84de.46e0:234
Security Violation Count   : 0
On R3
R3#Show interface F0/0 | Inc bia
Hardware is Gt96k FE, address is 000e.84de.46e0 (bia 000e.84de.46e0)
To test this feature properly, let’s remove the “Standby use-bia”, and verify the result:
On R2 and R3
Rx(config)#int f0/0
Rx(config-if)#No Standby use-bia
Rx(config-if)#Shut
Rx(config-if)#No Shut
You should see the following console messages:
%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
NOTE: The interface came up, then went down and stayed down. Let’s see why:
On SW1
SW1#Show port-security interface F0/2
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0c07.ac01:234
Security Violation Count   : 1
SW1#Show interface F0/2 status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/2                        err-disabled 234          auto   auto 10/100BaseTX
That’s exactly what we expected to see. Let’s re-configure the “Standby use-bia” command.
On R2 and R3
Rx(config)#int f0/0
Rx(config-if)#Standby use-bia
Rx(config-if)#Shut
Rx(config-if)#No Shut
To verify the configuration:
On SW1
SW1#Show port-security inter f0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0014.a932.f9f0:234
Security Violation Count   : 0
Task 13
Remove the “Standby 1 track S0/0.21 2” command that was configured in Task 5, and reconfigure the same task using HSRP “Object Tracking”.
On R2
R2(config)#Int F0/0
R2(config-if)#No Standby 1 track S0/0.21 2
To configure Object Tracking:
An object is tracked, in this case the object is the S0/0.21 sub-interface:
On R2
R2(config)#Track 21 interface S0/0.21 line-protocol
NOTE: The above command tracks the line-protocol of R2’s S0/0.21 sub-interface and it uses an identifier of 21.
R2(config)#Int F0/0
R2(config-if)#Standby 1 track 21 decrement 2
The above command tracks the state of object 21 and if the state of this object is down, it will reduce/decrement the priority by 2.
To test the configuration:
On R2
Let’s shutdown the S0/0.21 sub-interface of R2:
R2(config)#Int S0/0.21
R2(config-subif)#Shut
You should see the following console messages on R2:
The state of the tracked object transitions from up to down:
%TRACKING-5-STATE: 21 interface Se0/0.21 line-protocol Up->Down
The HSRP priority of R2 is decremented by 2, and because R3 has the “Standby preempt” command configured, it will take over as the active router, and R2 will transition into Standby:
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
To verify the configuration:
On R2
R2#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    99  P Standby 10.1.1.3        local           10.1.1.22
Fa0/0       2    100   Standby 10.1.1.3        local           10.1.1.33
On R3
R3#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Active  local           10.1.1.2        10.1.1.22
Fa0/0       2    101 P Active  local           10.1.1.2        10.1.1.33
Let’s enable the S0/0.21 sub-interface of R2:
R2(config)#Int S0/0.21
R2(config-subif)#No shut
You should see the following console messages on R2:
%TRACKING-5-STATE: 21 interface Se0/0.21 line-protocol Down->Up
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
On R2
R2#Show Standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    101 P Active  local           10.1.1.3        10.1.1.22
Fa0/0       2    100   Standby 10.1.1.3        local           10.1.1.33
Task 14
Erase the startup config and reload the routers before proceeding to the next lab.