Ch. 6 FHRP and HSRP
CIS 187 Multilayer Switched Networks, CCNP version 7
Rick Graziani, Spring 2016
Implementing High Availability

To achieve high network availability, the following network components are required:
- Reliable, fault-tolerant network devices: hardware and software reliability to automatically identify and overcome failures.
- Device and link redundancy: entire devices may be redundant, or modules within devices may be redundant. Links may also be redundant.
- Resilient network technologies: intelligence that ensures fast recovery around any device or link failure.
- Optimized network design: well-defined network topologies and configurations designed to ensure that there is no single point of failure.
- Best practices: documented procedures for deploying and maintaining a robust e-commerce network infrastructure.
- Change control: better control over changes made to network devices and maintenance of documentation regarding those changes.
High Availability
Single Forwarding Path vs Redundancy
Adding Redundancy
Implementing High Availability

Redundancy does not mean co-located in the same physical location. The network devices that provide redundancy do not need to share a location; this reduces the probability that problems with the physical environment, such as a power outage or other environmental issue, will interrupt service.

Paraphrasing Jim Warner, Network Engineer at UCSC: ‘When adding redundancy, know what you are trying to protect yourself from. It doesn’t help to have redundant devices when there is a power failure, or redundant links when the cables are laid in the same conduit.’
Implementing Default Gateway Router Redundancy in Multilayer Switched Networks
Implementing Default Gateway Router Redundancy in Multilayer Switched Networks

The availability of a default gateway router is a must for hosts in a multilayer switched network. There are several ways a LAN host can determine which router should be the first hop to a particular remote destination: the host can use a dynamic process or a static configuration. Examples of (non-redundant) router discovery are as follows:
- Static/DHCP: the host is statically configured or uses DHCP.
- Proxy ARP: the host uses Address Resolution Protocol (ARP) to determine the next-hop MAC address for off-network destinations. Local routers respond to the ARP request with their own MAC address.
- Routing protocol: the host listens to dynamic routing protocol updates (for example, RIP or EIGRP) and forms its own routing table.
- ICMP Router Discovery Protocol (IRDP) client: the host runs an Internet Control Message Protocol (ICMP) router discovery client.
Static or DHCP

The most common methods of providing a host with a default gateway address are:
- Static configuration
- DHCP
Advantage of DHCP: it simplifies end-device configuration and processing.
Disadvantage: a single configured gateway is a single point of failure. If the default gateway fails, the end device is limited to communicating only on the local IP network segment and is cut off from the rest of the network.
Proxy ARP
Proxy ARP

The router has Proxy ARP enabled on all interfaces. Host A (172.16.10.100) on Subnet A needs to send packets to Host D (172.16.20.200) on Subnet B.
- Host A has a /16 subnet mask, so it believes that it is directly connected to all of network 172.16.0.0/16 (“I am on the 172.16.0.0/16 network, so I can reach 172.16.20.200!”).
- Host A is really on the 172.16.10.0/24 network, as segmented by the router, but Host A does not know that.
- When Host A needs to communicate with any device it believes is directly connected, it sends an ARP request to the destination. Therefore, when Host A has a packet to send to Host D, it believes Host D is directly connected and sends an ARP request for Host D.
Proxy ARP

ARP Request: “Hey everyone on my network, whoever is 172.16.20.200, send me your Ethernet MAC address!”
To reach Host D (172.16.20.200), Host A needs the MAC address of Host D. The ARP request is a Layer 2 Ethernet broadcast (FFFF.FFFF.FFFF). It reaches all the nodes in Subnet A, including the router's e0 interface, but it does not reach Host D, because routers, by default, do not forward broadcasts.
Proxy ARP

Proxy ARP reply from the router to Host A: “I can reach 172.16.20.200 on another network, so I will reply to Host A with my MAC address.”
Since the router knows that the target address (172.16.20.200) is on another subnet and can reach Host D, it replies with its own MAC address to Host A. The proxy ARP reply is encapsulated in an Ethernet frame with the router's MAC address as the source address and Host A's MAC address as the destination address; ARP replies are always unicast to the original requester. On receiving this ARP reply, Host A updates its ARP table with the router's MAC address as the entry for 172.16.20.200.
Proxy ARP

Host A's ARP table now maps 172.16.20.200 (Host D) to 00-00-0c-94-36-ab (the router). From now on, Host A forwards all packets for 172.16.20.200 to that MAC address, and since the router knows how to reach Host D, the router forwards the packets to Host D. The ARP cache on the hosts in Subnet A is populated with the MAC address of the router for all the hosts on Subnet B. Hence, all packets destined to Subnet B are sent to the router, which forwards them to the hosts in Subnet B.
Non-Proxy ARP
Non-Proxy ARP

Different situation and addresses: Host A pings Host B, and Host B (172.16.20.200/24) is on the same Ethernet segment as Host A.
What if Host A has a packet to send to Host B? In this case, both the router and Host B receive the ARP request (MAC broadcast), because the switch floods the broadcast out all ports. The ARP request is an ARP message in a Layer 2 Ethernet frame, with no IP packet. Host B sends an ARP reply, also a Layer 2 Ethernet frame with no IP packet, and Host A's ARP table gets the entry 172.16.20.200 = 0000.0c94.36bb (Host B). When IP is not involved, only Layer 2, devices on the same Ethernet segment communicate directly. Now, let's see what happens when IP gets involved.
Proxy ARP

Proxy ARP is enabled by default. It can be disabled globally or on a per-interface basis:
    ! Disables Proxy ARP globally
    Router(config)# ip arp proxy disable
    ! Disables Proxy ARP on one interface
    Router(config)# interface Fa 0/0
    Router(config-if)# no ip proxy-arp
To re-enable proxy ARP on an interface, use the ip proxy-arp interface configuration command.
Proxy ARP should be used only on networks where IP hosts are not configured with a default gateway.
Disadvantages of Proxy ARP:
- It increases the amount of ARP traffic on your segment (instead of ARPing for one default gateway, hosts ARP for several remote hosts).
- Security may be undermined. A machine can claim to be another in order to intercept packets, an act called "spoofing."
Proxy ARP

Limited redundancy with Proxy ARP: with proxy ARP, the host behaves as if the destination device is connected to the same segment of the network. The host's ARP entry for File Server A holds Router A's MAC address. If Router A (the responsible router) fails, the host continues to send packets for the destination to the MAC address of that router, and those packets are discarded.
Proxy ARP

Router A is down, but the host's ARP entry still points at Router A, so packets continue to be dropped. To acquire the MAC address of the failover router, the host must either:
- initiate another ARP request, or
- wait for the ARP entry to be flushed dynamically.
The ARP flush timer therefore determines the period of time in which the host cannot communicate with the destination even though the routing protocol has converged. Once ARP flushes the entry when the flush timer expires, the host sends another ARP request, Router B sends a proxy ARP reply with its MAC address, and the host now sends packets for File Server A to Router B. Nevertheless, Cisco does not recommend the use of proxy ARP, because it makes troubleshooting very difficult. In addition, proxy ARP does not scale at all in medium-size to large networks.
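As an added example (not from the slides), a small Python model of the exchange above and of the failure window it causes: a host with an over-wide /16 mask ARPs for an off-subnet address, the router that has a route answers with its own MAC, and after that router fails the host keeps using the stale entry until its ARP timer flushes it and a second router can answer. Router A's MAC 0000.0c94.36ab is the slides' value; the second router's MAC, the host MAC and the 240-second timer are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Interface, IPv4Network, ip_address
from typing import Dict, List, Optional, Tuple


@dataclass
class Router:
    name: str
    mac: str
    routes: List[IPv4Network]      # networks reachable through this router
    proxy_arp: bool = True         # 'ip proxy-arp' is on by default
    up: bool = True

    def answer_arp(self, target: str, local_net: IPv4Network) -> Optional[str]:
        """Proxy-ARP rule: reply with our own MAC only for a target that is
        off the requesting segment and that we have a route to."""
        t = ip_address(target)
        if not (self.up and self.proxy_arp) or t in local_net:
            return None
        return self.mac if any(t in net for net in self.routes) else None


@dataclass
class Host:
    name: str
    iface: IPv4Interface           # e.g. 172.16.10.100/16: the over-wide mask
    mac: str
    arp_timeout: float = 240.0     # ARP flush timer in seconds (constructed value)
    up: bool = True
    arp_cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def believes_local(self, dst: str) -> bool:
        return ip_address(dst) in self.iface.network


@dataclass
class Segment:
    """One broadcast domain: the nodes that see an ARP broadcast."""
    network: IPv4Network
    hosts: List[Host]
    routers: List[Router]

    def arp(self, target: str) -> Optional[str]:
        # The broadcast reaches every node. The real owner answers if it is
        # here; otherwise the first router willing to proxy answers.
        for h in self.hosts:
            if h.up and str(h.iface.ip) == target:
                return h.mac
        for r in self.routers:
            mac = r.answer_arp(target, self.network)
            if mac:
                return mac
        return None

    def by_mac(self, mac: str):
        return next((d for d in [*self.routers, *self.hosts] if d.mac == mac), None)


def send(host: Host, seg: Segment, dst: str, now: float) -> str:
    """Host sends one packet to dst at time `now`; returns what happened."""
    if not host.believes_local(dst):
        return "needs default gateway"     # not the proxy-ARP case
    entry = host.arp_cache.get(dst)
    if entry and entry[1] > now:
        mac = entry[0]                     # cached entry, possibly stale
    else:
        mac = seg.arp(dst)                 # cache miss or flushed: ARP request
        if mac is None:
            return "dropped: no ARP reply"
        host.arp_cache[dst] = (mac, now + host.arp_timeout)
    nexthop = seg.by_mac(mac)
    if nexthop is None or not nexthop.up:
        return f"dropped: cached next hop {mac} is down"
    return f"delivered via {nexthop.name}"


def scenario() -> List[str]:
    """Host A (/16 mask) reaches Host D through proxy ARP; Router A then fails."""
    router_a = Router("Router A", "0000.0c94.36ab", [IPv4Network("172.16.20.0/24")])
    router_b = Router("Router B", "0000.0c94.36ac", [IPv4Network("172.16.20.0/24")])
    host_a = Host("Host A", IPv4Interface("172.16.10.100/16"), "0000.1111.2222")
    seg = Segment(IPv4Network("172.16.10.0/24"), [host_a], [router_a, router_b])
    results = [send(host_a, seg, "172.16.20.200", now=0)]       # Router A proxies
    router_a.up = False                                          # Router A fails
    results.append(send(host_a, seg, "172.16.20.200", now=60))  # stale entry
    results.append(send(host_a, seg, "172.16.20.200", now=300)) # entry flushed
    return results
```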
IRDP – ICMP Router Discovery Protocol
Need for First Hop Redundancy Protocols If the default gateway fails, a host will be unable to send packets to another subnet. Even if a redundant router exists that could serve as a default gateway for that subnet, there is no dynamic method by which these devices can determine the address of a new default gateway. With first-hop router redundancy, a set of routers or Layer 3 switches work together to present the illusion of a single virtual router to the hosts on the LAN. By sharing an IP address and a MAC (Layer 2) address, two or more routers can act as a single “virtual” router.
Redundancy Protocols

Cisco IOS offers several features to provide a redundant default gateway to end devices. The redundancy protocol provides the mechanism for determining which router should take the active role in forwarding traffic, and when that role must be taken over by one of the other routers. The transition from one forwarding router to another is transparent to the end devices. The default gateway redundancy features supported by Cisco IOS routers and switches are:
- Hot Standby Routing Protocol (HSRP)
- Virtual Router Redundancy Protocol (VRRP)
- Gateway Load Balancing Protocol (GLBP)
HSRP Hot Standby Router Protocol
HSRP (Hot Standby Routing Protocol)

HSRP, a Cisco proprietary protocol described in RFC 2281, supplies a method of providing nonstop path redundancy for IP by sharing protocol (IP) and MAC addresses between redundant gateways. The protocol consists of a:
- virtual MAC address
- virtual IP address
These are shared between two routers (an active router and a standby router), together with a process that monitors both LAN and serial interfaces via a multicast protocol. The routers exchange HSRP hello messages at regular intervals.
An HSRP group consists of:
- One virtual router: the virtual router is not an actual router. Rather, it is a concept of the entire HSRP group acting as one virtual router; it is the default gateway as far as hosts on the subnet are concerned.
- One active router: the active router forwards traffic destined to the virtual IP address.
- One standby router: the backup router in case the active router fails for the subnet. In that case, the standby router becomes the active router and starts forwarding traffic destined to the virtual IP address.
HSRP

Host: “My default gateway is 172.16.10.1.”
Host ARP table:
    172.16.10.1    0000.0c07.ac01   (virtual router)
    172.16.10.201  0010.f6b3.d000
    172.16.10.202  0010.0b79.5800
The host connected to the switch sends the packet destined for the virtual router, but in reality the active router does the packet forwarding.
Note: Additional HSRP member routers are neither active nor standby, but they are configured to participate in the same HSRP group. They monitor the current active and standby routers and transition into one of those roles if the current router fails for the subnet.
HSRP Hellos: Active

The active router assumes and maintains its active role through the transmission of hello messages (default every 3 seconds). The hello interval defines the time between successive HSRP hello messages, which are sent by both the active and standby routers to multicast 224.0.0.2 (“all routers”) using UDP port 1985.
The router with the highest standby priority in the group becomes the active router:
- priority range 0 to 255; default 100, configurable per standby group
- if priorities are equal, the router with the highest IP address
When the preempt option is not configured, the first router to initialize HSRP becomes the active router, which may not be what you want!
HSRP Hellos: Standby

The second router in the HSRP group to initialize, or the router with the second highest priority, is elected as the standby router. The function of the standby router is to monitor the operational status of the HSRP group and to quickly assume packet-forwarding responsibility if the active router becomes inoperable. The standby router also transmits hello messages to inform all other routers in the group of its standby router role and status.
HSRP Virtual Router

Active router: “I receive and forward packets sent to the virtual router.”
The virtual router presents a consistent, available router (default gateway) to the hosts. The virtual router is assigned its own IP address and virtual MAC address; however, the active router acting as the virtual router actually forwards the packets.
Additional HSRP member routers (listen state):
- monitor the hello messages but do not respond
- do forward any packets addressed to the routers' own IP addresses
- do not forward packets destined for the virtual router, because they are not the active router
HSRP Failover

Standby router: “I don’t see hellos from the active router (10 seconds), so I will receive and forward packets sent to the virtual router.” It becomes the new active router.
When the active router fails, the other HSRP routers stop receiving hello messages and the standby router assumes the role of the active router. This occurs when the holdtime expires (default 10 seconds). Because the new active router assumes both the IP address and virtual MAC address of the virtual router, the end stations see no disruption in service. The end-user stations continue to send packets to the virtual router's virtual MAC address and IP address, and the new active router delivers the packets to the destination.
HSRP Failover

When only the active router fails: the standby takes over. If there are other routers participating in the group, those routers then contend to be the new standby router. The new active router remains the forwarding router even when the former active router with the higher priority regains service in the network, unless preempt is configured (covered later).
If both the active and standby routers fail: all routers in the HSRP group contend for the active and standby router roles.
The following sections discuss HSRP mechanics in more detail.
Configuring the Virtual IP

To configure a router as a member of an HSRP standby group, enter this command in interface configuration mode (on the physical interface, or on the VLAN interface if VLANs are used):
    Switch(config-if)# standby group-number ip virtual-ip-address
- group-number refers to the HSRP standby group number. The group number can range from 0 to 255.
- virtual-ip-address indicates the virtual IP address of the HSRP group.
Example (DLS1 priority 200, DLS2 priority 100, virtual IP 172.16.10.1):
    DLS1
    interface vlan 10
     ip address 172.16.10.201 255.255.255.0
     standby 1 priority 200
     standby 1 ip 172.16.10.1
     standby 1 preempt

    DLS2
    interface vlan 10
     ip address 172.16.10.202 255.255.255.0
     standby 1 priority 100
     standby 1 ip 172.16.10.1
HSRP Group Numbers

    Switch(config-if)# standby group-number ip virtual-ip-address
group-number refers to the HSRP standby group number:
- The group number can range from 0 to 255; 0 is the default.
- Most Cisco switches support only up to 16 groups.
- Each VLAN does NOT have to have its own group number: group numbers are locally significant to that VLAN or interface.
Example with DLS1 using group 1 on every VLAN (priorities 200, 210 and 220; DLS2 keeps the default 100):
    DLS1
    interface vlan 10
     ip address 172.16.10.201 255.255.255.0
     standby 1 priority 200
     standby 1 ip 172.16.10.1
     standby 1 preempt
    interface vlan 20
     ip address 172.16.20.202 255.255.255.0
     standby 1 priority 210
     standby 1 ip 172.16.20.1
    interface vlan 30
     ip address 172.16.30.202 255.255.255.0
     standby 1 priority 220
     standby 1 ip 172.16.30.1
Priority

To set the priority value of a router, enter this command in interface configuration mode:
    Switch(config-if)# standby group-number priority priority-value
The priority-value indicates the number that prioritizes a potential standby router. The range is 0 to 255 (some documentation states 1 to 255); the default is 100. During the election process, the router in an HSRP group with the highest priority becomes the forwarding router. If several routers have the same priority, the physical IP address of the router's interface is used as a tiebreaker: the router with the numerically highest IP address wins. In reality, the router that boots up first will most likely become the active router, so it is best to use the preempt command (covered later). The example is the configuration shown above: DLS1 with priority 200 and preempt, DLS2 with priority 100.
Timers

Both the hellotime and the holdtime parameters are configurable. To configure the time between hello messages and the time before other group routers declare the active or standby router to be nonfunctioning, enter this command in interface configuration mode:
    Switch(config-if)# standby group-number timers [msec] hellotime [msec] holdtime
- hellotime: default 3 seconds; the value varies from 1 to 255.
- holdtime: default 10 seconds; the value varies from 1 to 255.
- A timer value is in milliseconds (1/1,000th of a second) if the msec keyword precedes it.
To reinstate the default standby timer values, enter the following command:
    Switch(config-if)# no standby group-number timers
HSRP Group Identifier

DLS1 has a priority of 200 and DLS2 has the default priority of 100 (the configuration shown above). Who is the active router? DLS1 assumes the active router role and forwards all frames addressed to the well-known MAC address 0000.0c07.acxx, where xx is the HSRP group identifier.
HSRP Group Identifier

If the HSRP group number of router A is 1, the MAC address that corresponds to the virtual IP address is 0000.0c07.ac01. If the HSRP group number of router A is 47, the MAC address that corresponds to the virtual IP address is 0000.0c07.ac2f: the last byte is the standby group number (47) converted to hexadecimal (2f).
Preempt

The standby router automatically assumes the active router role when the active router fails or is removed from service. This new active router remains the forwarding router even when the former active router with the higher priority regains service in the network. The former active router can be configured to resume the forwarding router role from a router with a lower priority. To enable a router to resume the active state after a state change, enter the following command in interface configuration mode:
    Switch(config-if)# standby group-number preempt [delay [minimum seconds] [reload seconds]]
To remove the interface from preemptive status, enter the following command:
    Switch(config-if)# no standby group-number preempt
In the configuration shown above, DLS1 (priority 200) has standby 1 preempt and DLS2 (priority 100) does not.
Preempt Delay

    Switch(config-if)# standby group-number preempt [delay [minimum seconds] [reload seconds]]
- Default: the router immediately preempts another router that has the active role.
- minimum: the router waits (0 to 3600 seconds) before attempting to take over from an active router with a lower priority. This time begins as soon as the router is capable of assuming the active role (the interface comes up and HSRP is configured).
- reload: the router waits (0 to 3600 seconds) after it has been reloaded or restarted before attempting to take over from an active router with a lower priority. This is helpful when you need time for the routing protocol to converge.
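As an added example (not from the slides), a small Python model of the election rules stated on these slides: the virtual MAC derived from the group number, highest priority then highest interface IP, the first router to initialize keeping the active role when preempt is off, preempt taking over immediately or after its delay minimum, and the standby taking over when the active stops. DLS1/DLS2 names, addresses and priorities are the slides' values; event times are constructed, and holdtime expiry is modelled as a single fail event rather than a hello timer.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional


def virtual_mac(group: int) -> str:
    """HSRP v1 well-known virtual MAC 0000.0c07.acXX, XX = group in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group number must be 0-255")
    return f"0000.0c07.ac{group:02x}"


@dataclass
class HsrpRouter:
    name: str
    ip: str                     # interface address, used as the tiebreaker
    priority: int = 100         # 'standby <n> priority', default 100
    preempt: bool = False       # 'standby <n> preempt'
    preempt_delay: float = 0    # 'standby <n> preempt delay minimum <sec>'

    def rank(self):
        # Higher priority wins; equal priorities fall back to the higher IP.
        return (self.priority, int(IPv4Address(self.ip)))


@dataclass
class HsrpGroup:
    number: int
    virtual_ip: str
    active: Optional[HsrpRouter] = None
    standby: Optional[HsrpRouter] = None
    members: List[HsrpRouter] = field(default_factory=list)
    pending: Dict[str, float] = field(default_factory=dict)  # name -> earliest preempt time
    log: List[str] = field(default_factory=list)

    @property
    def vmac(self) -> str:
        return virtual_mac(self.number)

    def _elect_standby(self) -> None:
        # The standby role goes to the best-ranked member that is not active.
        others = [r for r in self.members if r is not self.active]
        self.standby = max(others, key=HsrpRouter.rank) if others else None

    def _take_over(self, router: HsrpRouter, now: float, why: str) -> None:
        self.log.append(f"t={now:g}: {router.name} active ({why})")
        self.active = router
        self._elect_standby()

    def bring_up(self, router: HsrpRouter, now: float = 0) -> str:
        """HSRP initializes on `router` at time `now`; returns the active router."""
        self.members.append(router)
        if self.active is None:
            self._take_over(router, now, "first to initialize")
        elif router.preempt and router.rank() > self.active.rank():
            if router.preempt_delay == 0:
                self._take_over(router, now, "preempt")
            else:                       # wait out the delay before taking over
                self.pending[router.name] = now + router.preempt_delay
                self._elect_standby()
        else:                           # no preempt: the current active keeps its role
            self._elect_standby()
        return self.active.name

    def advance(self, now: float) -> Optional[str]:
        """Time passes; fire any preempt whose delay has elapsed."""
        for router in list(self.members):
            due = self.pending.get(router.name)
            if due is not None and now >= due:
                del self.pending[router.name]
                if router.rank() > self.active.rank():
                    self._take_over(router, now, "preempt after delay")
        return self.active.name if self.active else None

    def fail(self, router: HsrpRouter, now: float) -> Optional[str]:
        """`router` stops sending hellos; peers react once the holdtime expires."""
        self.members.remove(router)
        self.pending.pop(router.name, None)
        if router is self.active:
            if self.members:            # the standby (best remaining rank) takes over
                self._take_over(max(self.members, key=HsrpRouter.rank), now,
                                "holdtime expired on active")
            else:
                self.active = self.standby = None
        else:
            self._elect_standby()
        return self.active.name if self.active else None


def slide_scenario() -> List[str]:
    """DLS1 (200, preempt, 30 s delay) and DLS2 (100) in group 1 for VLAN 10."""
    g = HsrpGroup(1, "172.16.10.1")
    dls1 = HsrpRouter("DLS1", "172.16.10.201", 200, preempt=True, preempt_delay=30)
    dls2 = HsrpRouter("DLS2", "172.16.10.202", 100)
    seen = [g.bring_up(dls2, now=0)]      # DLS2 boots first: active despite priority 100
    seen.append(g.bring_up(dls1, now=5))  # DLS1 must wait out its preempt delay
    seen.append(g.advance(now=35))        # delay elapsed: DLS1 preempts
    seen.append(g.fail(dls1, now=100))    # DLS1 dies: DLS2 takes over after holdtime
    return seen
```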
Plain Text Authentication

    Switch(config-if)# standby group-number authentication string
The string is sent in plain text to authenticate HSRP peers. It can be easily intercepted and used to impersonate a legitimate peer, so it is intended only to prevent peers with a default configuration (no authentication) from participating in HSRP.
    DLS1
    interface vlan 10
     ip address 172.16.10.201 255.255.255.0
     standby 1 priority 200
     standby 1 ip 172.16.10.1
     standby 1 preempt
     standby 1 authentication nosecret

    DLS2
    interface vlan 10
     ip address 172.16.10.202 255.255.255.0
     standby 1 priority 100
     standby 1 ip 172.16.10.1
     standby 1 authentication nosecret
MD5 Authentication

    Switch(config-if)# standby group-number authentication md5 key-string [0|7] string
A Message Digest 5 (MD5) hash is computed on a portion of each HSRP message, which is more secure than plain text authentication. Key chains can be used when multiple keys are needed:
    Switch(config)# key chain hsrp1
    Switch(config-keychain)# key 1
    Switch(config-keychain-key)# key-string secretkey
    Switch(config)# interface vlan 10
    Switch(config-if)# standby group-number authentication md5 key-chain hsrp1
MD5 and HSRP: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gthsrpau.html
    DLS1
    interface vlan 10
     ip address 172.16.10.201 255.255.255.0
     standby 1 priority 200
     standby 1 ip 172.16.10.1
     standby 1 preempt
     standby 1 authentication md5 key-string nosecret

    DLS2
    interface vlan 10
     ip address 172.16.10.202 255.255.255.0
     standby 1 priority 100
     standby 1 ip 172.16.10.1
     standby 1 authentication md5 key-string nosecret
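As an added example (not from the slides), a decoder for the HSRP v1 message body (the 20-byte RFC 2281 format that plain-text authentication rides in) plus an audit that compares each decoded hello with what the operator configured: it flags the RFC default authentication string "cisco", hellos from addresses that are not configured peers, and priorities above the configured value. The sample payloads, the peer table and the 172.16.10.250 address are constructed; MD5-authenticated messages carry additional data that this decoder does not interpret.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, List

HSRP_PORT = 1985                    # UDP; HSRP v1 hellos go to 224.0.0.2
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
RFC_DEFAULT_AUTH = "cisco"          # default authentication string in RFC 2281


def decode_hsrp_v1(payload: bytes) -> Dict[str, object]:
    """Decode the 20-byte HSRP v1 message carried in the UDP payload."""
    if len(payload) < 20:
        raise ValueError("truncated HSRP v1 message")
    (version, opcode, state, hellotime, holdtime,
     priority, group, _reserved) = struct.unpack("!8B", payload[:8])
    if version != 0:
        raise ValueError(f"unsupported HSRP version {version}")
    auth = payload[8:16].rstrip(b"\x00").decode("ascii", errors="replace")
    return {
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hellotime, "holdtime": holdtime,
        "priority": priority, "group": group,
        "auth": auth,
        "virtual_ip": str(IPv4Address(payload[16:20])),
    }


def audit_hello(msg: Dict[str, object], src_ip: str, policy: Dict) -> List[str]:
    """Compare one decoded message with the operator's expectations.

    policy = {"group": int, "virtual_ip": str, "peers": {src_ip: configured priority}}
    Returns the findings; an empty list means the message is consistent."""
    findings: List[str] = []
    if msg["auth"] == RFC_DEFAULT_AUTH:
        findings.append("default plain-text authentication string in use")
    if msg["group"] != policy["group"]:
        findings.append(f"unexpected group {msg['group']}")
    if msg["virtual_ip"] != policy["virtual_ip"]:
        findings.append(f"virtual IP {msg['virtual_ip']} differs from expected")
    if src_ip not in policy["peers"]:
        findings.append(f"{src_ip} is not a configured HSRP peer")
    elif msg["priority"] > policy["peers"][src_ip]:
        findings.append(f"{src_ip} advertises priority {msg['priority']} "
                        f"above its configured {policy['peers'][src_ip]}")
    if msg["holdtime"] <= msg["hellotime"]:
        findings.append("holdtime is not larger than hellotime")
    if msg["opcode"] in ("coup", "resign"):
        findings.append(f"{msg['opcode']} message: an active-role change is under way")
    return findings


# What the slides configure: group 1, VIP 172.16.10.1, DLS1 200 and DLS2 100.
POLICY = {"group": 1, "virtual_ip": "172.16.10.1",
          "peers": {"172.16.10.201": 200, "172.16.10.202": 100}}

# Constructed sample payloads (not captures): version 0, hello, active state,
# hellotime 3, holdtime 10, priority, group 1, reserved, 8-byte auth, VIP.
SAMPLE_DLS1 = bytes.fromhex("000010030ac80100" "6e6f736563726574" "ac100a01")
SAMPLE_UNKNOWN_PEER = bytes.fromhex("000010030aff0100" "636973636f000000" "ac100a01")


def audit_samples() -> Dict[str, List[str]]:
    """Run the audit over both samples, keyed by the (constructed) source IP."""
    return {
        "172.16.10.201": audit_hello(decode_hsrp_v1(SAMPLE_DLS1), "172.16.10.201", POLICY),
        "172.16.10.250": audit_hello(decode_hsrp_v1(SAMPLE_UNKNOWN_PEER), "172.16.10.250", POLICY),
    }
```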
HSRP States

- Initial state: all routers begin in the initial state. This state is entered via a configuration change or when an interface is initiated.
- Learn state: the router has not determined the virtual IP address, and has not yet seen a hello message from the active router. In this state, the router is still waiting to hear from the active router.
- Listen state: the router knows the virtual IP address, but is neither the active router nor the standby router. All other routers participating in the HSRP group besides the active or standby routers reside in this state.
- Speak state: HSRP routers in the speak state send periodic hello messages and actively participate in the election of the active or standby router. The router remains in the speak state unless it becomes an active or standby router.
- Standby state: in the standby state, the HSRP router is a candidate to become the next active router and sends periodic hello messages. There must be at least one standby router in the HSRP group.
- Active state: in the active state, the router is currently forwarding packets that are sent to the virtual MAC and IP address of the HSRP group. The active router also sends periodic hello messages.
Not all HSRP routers transition through all states. For example, a router that is not the standby or active router does not enter the standby or active states.

Example election in HSRP standby group 1, Router A priority 100 and Router B priority 50:
    Router A     Router B
    Initial      Initial
    Learn        Learn
    Listen       Listen     (all other routers remain in this state)
    Speak        Speak
    Standby      Listen     Router A does not hear any higher priority than itself, so it promotes itself to standby; Router B hears that Router A has a higher priority, so Router B returns to the listen state.
    Active       Speak      Router A does not hear an active router, so it promotes itself to active.
                 Standby
Configuring HSRP on Routers
Figure: Virtual Router 10.10.10.1/24; R1 10.10.10.10/24; R2 10.10.10.11/24.
R1
interface gig 0/2
 ip address 10.10.10.10 255.255.255.0
 standby 1 priority 120
 standby 1 preempt
 standby 1 ip 10.10.10.1
R2
 ip address 10.10.10.11 255.255.255.0
 standby 1 priority 110
HSRP Load Balancing
Figure: hosts configured with Gateway 172.16.10.1 and hosts configured with Gateway 172.16.10.2 on the same segment, served by DLS1 and DLS2.
To facilitate load sharing, a single router may be a member of multiple HSRP standby groups on a single segment or VLAN. Each standby group emulates a single virtual router.
Configuring multiple standby groups further enables redundancy and load sharing within networks and allows redundant routers to be more fully utilized.
While a router is actively forwarding traffic for one HSRP group, it can be in the standby or listen state for another group.
Note: There can be up to 255 standby groups on any VLAN or interface. Increasing the number of groups in which a router participates increases the management load on the router and may affect the performance of the router for very large numbers of HSRP groups.
Both DLS1 and DLS2 are members of groups 1 and 2.
DLS1: Active forwarding router for group 1; standby router for group 2.
DLS2: Active forwarding router for group 2; standby router for group 1.
Load balancing HSRP configuration (group 1 virtual IP 172.16.10.1, group 2 virtual IP 172.16.10.2; DLS1 priorities 200/100, DLS2 priorities 100/200):
DLS1
interface vlan 10
 ip address 172.16.10.82 255.255.255.0
 standby 1 priority 200
 standby 1 ip 172.16.10.1
 standby 1 preempt
 standby 2 priority 100
 standby 2 ip 172.16.10.2
 standby 2 preempt
DLS2
 ip address 172.16.10.169 255.255.255.0
 standby 1 priority 100
 standby 2 priority 200
Configuring HSRP Interface Tracking
In some situations, the status of an interface directly affects which router needs to become the active router. This is particularly true when each of the routers in an HSRP group has a different path to resources within the campus network.
Router A and router B reside in a branch office. These two routers each support a T1 link to headquarters. Router A has the higher priority and is the active forwarding router for standby group 47. Router B is the standby router for that group. Routers A and B are exchanging hello messages through their E0 interfaces.
Figure: The primary T1 link experiences a failure. Router A sends an ICMP Redirect to the host, pointing it to Router B. The host now sends packets to Router B.
Without HSRP enabled, router A would detect the failed link and send the host an ICMP redirect pointing it to router B.
Figure: Router A still sends HSRP hellos. Hosts continue to send packets to Router A.
However, when HSRP is enabled, ICMP redirects are disabled. Enabling HSRP on a Cisco router interface automatically disables ICMP redirects to ensure that the actual addresses of the participating HSRP routers are not discovered. Therefore, neither router A nor the virtual router sends an ICMP redirect. Although the S1 interface on router A is no longer functional, router A still sends hello messages out interface E0, indicating that router A is still the active router. Packets sent to the virtual router for forwarding to headquarters cannot be routed.
Interface tracking enables the priority of a standby group router to be automatically adjusted based on the availability of the other interfaces on that router.
Figure: Router A tracks S1, automatically decrements its priority and stops sending hello messages. Router B assumes the Active role after the holdtime. Hosts now send packets to Router B.
The E0 interface on router A tracks the S1 interface. If the link between the S1 interface and headquarters fails, the router automatically decrements its priority on that interface (by default 10 per interface tracked) and stops transmitting hello messages out interface E0. Router B assumes the active router role when no hello messages are detected for the specific holdtime period.
Router A
interface Ethernet0
 ip address 171.16.6.5 255.255.255.0
 no ip redirects
 standby 1 priority 105
 standby 1 preempt
 standby 1 ip 171.16.6.100
 standby 1 track Serial1
interface Serial1
 ip address 171.16.2.5 255.255.255.0
Router B
interface Ethernet0
 ip address 171.16.6.6 255.255.255.0
 no ip redirects
 standby 1 priority 100
 standby 1 preempt
 standby 1 ip 171.16.6.100
 standby 1 track Serial1
interface Serial1
 ip address 171.16.7.6 255.255.255.0
Before Failure
RouterA#show standby
Ethernet0 - Group 1
 Local state is Active, priority 105, may preempt
 Hellotime 3 holdtime 10
 Next hello sent in 00:00:01.028
 Hot standby IP address is 171.16.6.100 configured
 Active router is local
 Standby router is 171.16.6.6 expires in 00:00:08
 Tracking interface states for 1 interface, 1 up:
 Up Serial1
RouterB#show standby
Ethernet0 - Group 1
 Local state is Standby, priority 100, may preempt
 Hellotime 3 holdtime 10
 Next hello sent in 00:00:00.772
 Hot standby IP address is 171.16.6.100
 Active router is 171.16.6.5 expires in 00:00:09
 Standby router is local
 Standby virtual mac address is 0000.0c07.ac01
 Tracking interface states for 1 interface, 1 up:
 Up Serial1
After Failure
RouterA#show standby
Ethernet0 - Group 1
 Local state is Standby, priority 95, may preempt
 Hellotime 3 holdtime 10
 Next hello sent in 00:00:01.028
 Hot standby IP address is 171.16.6.100 configured
 Active router is 171.16.6.6 expires in 00:00:08
 Standby router is local
 Tracking interface states for 1 interface, 0 up:
 Down Serial1
RouterB#show standby
Ethernet0 - Group 1
 Local state is Active, priority 100, may preempt
 Hellotime 3 holdtime 10
 Next hello sent in 00:00:00.772
 Hot standby IP address is 171.16.6.100
 Active router is local
 Standby router is 171.16.6.5 expires in 00:00:09
 Standby virtual mac address is 0000.0c07.ac01
 Tracking interface states for 1 interface, 1 up:
 Up Serial1
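As an added illustration (not from the slides), a small Python model of the election and interface-tracking behaviour described above, replaying the Router A / Router B show standby output. The tie-break on highest IP address and the preempt check are standard HSRP behaviour; the 10-point decrement is the default the slides give.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

TRACK_DECREMENT = 10   # default priority decrement per tracked interface (from the slides)

@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int
    preempt: bool = False
    tracked: dict = field(default_factory=dict)   # interface name -> decrement when it is down
    down: set = field(default_factory=set)        # tracked interfaces currently down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        return self.priority - sum(d for i, d in self.tracked.items() if i in self.down)

def elect(routers, current_active=None, holdtime_expired=False):
    """Return (active, standby) router names for one HSRP group.

    Highest effective priority wins; a tie goes to the highest IP address. A router that is
    already active keeps the role unless the better candidate is configured to preempt, or the
    active router has stopped sending hellos and the standby's holdtime has expired."""
    ranked = sorted(routers, key=lambda r: (r.effective_priority(), int(ip_address(r.ip))),
                    reverse=True)
    best = ranked[0]
    if current_active is not None and not holdtime_expired and not best.preempt:
        best = next(r for r in routers if r.name == current_active)
    standby = next(r for r in ranked if r is not best)
    return best.name, standby.name

def tracked_interface_down(routers, name, ifc, current_active):
    """Tracked interface ifc on router name fails. Its priority drops by the decrement; if it was
    the active router it also stops sending hellos, so the group re-elects after the holdtime."""
    r = next(x for x in routers if x.name == name)
    r.down.add(ifc)
    return elect(routers, current_active, holdtime_expired=(name == current_active))

def tracked_interface_up(routers, name, ifc, current_active):
    """Tracked interface recovers; the router regains its priority and may preempt."""
    r = next(x for x in routers if x.name == name)
    r.down.discard(ifc)
    return elect(routers, current_active)

def scenario():
    """Replays the Router A / Router B tracking example from the slides."""
    a = HsrpRouter("RouterA", "171.16.6.5", 105, preempt=True, tracked={"Serial1": TRACK_DECREMENT})
    b = HsrpRouter("RouterB", "171.16.6.6", 100, preempt=True, tracked={"Serial1": TRACK_DECREMENT})
    group = [a, b]
    before = elect(group)
    after = tracked_interface_down(group, "RouterA", "Serial1", before[0])
    priority_after_failure = a.effective_priority()
    recovered = tracked_interface_up(group, "RouterA", "Serial1", after[0])
    return {"before": before, "after": after,
            "priority_after_failure": priority_after_failure, "recovered": recovered}

if __name__ == "__main__":
    print(scenario())
```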
For more information http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a91.shtml
VRRP Virtual Router Redundancy Protocol
VRRP
Like HSRP, VRRP is a default gateway redundancy method (RFC 2338).
Similar in functionality to HSRP, with slight differences in terminology and in operation.
Nevertheless, in enterprise and service provider networks, HSRP deployments far outnumber VRRP deployments.
At the time of this presentation only available in Catalyst 4500 and 6500.
VRRP
If you understand HSRP you will understand VRRP.
HSRP Active Router = VRRP Master Router (highest priority).
All other VRRP routers are in backup state (HSRP has only one Standby router).
VRRP group numbers: 0 to 255 (HSRP 0 to 255)
VRRP priority: 1 to 254 (HSRP 0 to 255); 254 is the highest (HSRP 255); 100 is the default (HSRP 100)
Virtual router MAC addresses: 0000.5e00.01xx, xx = VRRP group number (HSRP 0000.0c07.acxx)
VRRP advertisements: sent every 1 second (HSRP every 3 seconds)
VRRP preempt: default (HSRP must be configured)
VRRP interface tracking: none (HSRP has interface tracking)
Multicast address and protocol: 224.0.0.18 (VRRP) (HSRP uses 224.0.0.2 “all routers”); IP protocol 112 (HSRP uses UDP, IP protocol 17)
VRRP
The virtual router can use a physical IP address or a virtual IP address.
Routers A, B, and C are VRRP-enabled routers that form a virtual router with 10.0.0.1 as the virtual IP address. The IP address of the virtual router is the same as that configured for the Ethernet interface of Router A (10.0.0.1). Because the virtual router uses the IP address of the physical Ethernet interface of router A, router A assumes the role of the master virtual router and is known as the IP address owner. Hosts 1 through 3 are configured with the default gateway IP address of 10.0.0.1. Routers B and C function as backup virtual routers. If the master virtual router fails, the router configured with the higher priority will become the master virtual router and provide uninterrupted service for the LAN hosts. When Router A recovers, it becomes the master virtual router again.
VRRP
The virtual router can use a physical IP address or a virtual IP address.
RouterA(config)#interface fa 0/1
RouterA(config-if)#ip address 10.0.0.1 255.255.255.0
RouterA(config-if)#vrrp 1 ip 10.0.0.1
RouterB(config)#interface fa 0/1
RouterB(config-if)#ip address 10.0.0.2 255.255.255.0
RouterB(config-if)#vrrp 1 ip 10.0.0.1
RouterC(config)#interface fa 0/1
RouterC(config-if)#ip address 10.0.0.3 255.255.255.0
RouterC(config-if)#vrrp 1 ip 10.0.0.1
VRRP
The virtual router can use a physical IP address or a virtual IP address.
RouterA(config)#interface fa 0/1
RouterA(config-if)#ip address 10.0.0.1 255.255.255.0
RouterA(config-if)#vrrp 1 ip 10.0.0.1
RouterA(config-if)#vrrp 1 priority 255
Interface IP address = Virtual IP address for the VRRP group: the owning router is the master in a VRRP group, and the priority associated with that interface should be configured as 255.
Otherwise, the highest priority wins the election and is the master. Backup values range from 1 to 254; the default value is 100.
VRRP Load Balancing
LAN topology in which VRRP is configured such that:
Router A is the default gateway for Hosts 1 and 2.
Router B is the default gateway for Hosts 3 and 4.
Each router acts as the backup virtual router if the other router fails.
VRRP Load Balancing
Figure: RouterA priority 255 for group 1 and 110 for group 2; RouterB priority 110 for group 1 and 255 for group 2.
RouterA(config)#interface fa 0/1
RouterA(config-if)#ip address 10.0.0.1 255.255.255.0
RouterA(config-if)#vrrp 1 ip 10.0.0.1
RouterA(config-if)#vrrp 1 priority 255
RouterA(config-if)#vrrp 2 ip 10.0.0.2
RouterA(config-if)#vrrp 2 priority 110
RouterB(config)#interface fa 0/1
RouterB(config-if)#ip address 10.0.0.2 255.255.255.0
RouterB(config-if)#vrrp 2 ip 10.0.0.2
RouterB(config-if)#vrrp 2 priority 255
RouterB(config-if)#vrrp 1 ip 10.0.0.1
RouterB(config-if)#vrrp 1 priority 110
VRRP
In terms of failover, the takeover time of a standby router to an active router depends on two timers:
Advertisement interval: time interval between advertisements (seconds). The default is 1 second. Configurable.
Master-down interval: time interval for a backup to declare the master down (seconds). Not configurable; three times the value of the advertisement interval.
The higher the advertisement interval, the more time it takes to detect the failure of the master, and hence the longer the failover.
For more information http://www.cisco.com/en/US/docs/ios/12_0st/12_0st18/feature/guide/st_vrrpx.html
GLBP Gateway Load Balancing Protocol
GLBP
Cisco designed GLBP to:
Allow automatic selection and simultaneous use of multiple available gateways.
Provide automatic detection and failover to a redundant path in the event of failure of any active gateway.
Allow both of these without the extra administrative burden of configuring multiple groups and managing multiple default gateway configurations.
At the time of this presentation only available in Catalyst 6500.
GLBP
Figure: one AVG; up to four members (AVFs).
A GLBP group has up to four member routers acting as IP default gateways, known as the Active Virtual Forwarders (AVFs).
Active Virtual Gateway (AVG):
Automatically manages the virtual MAC address assignment: 0007.b4xx.xxyy, where xx.xx (16 bits) is six 0 bits followed by the ten-bit GLBP group number, and yy is the virtual forwarder number.
Determines who handles the forwarding.
Ensures that each station has a forwarding path in the event of failures to gateways or tracked interfaces.
These functions are accomplished by one of the routers in the group acting as the active virtual gateway (AVG).
GLBP
Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that group. Highest priority or highest IP address becomes the AVG.
GLBP Priority: 1 to 255 (default = 100)
GLBP Group Numbers: 0 to 1023
Other group members (AVFs) provide backup for the AVG in the event that the AVG becomes unavailable.
The AVG assigns a virtual MAC address to each member of the GLBP group. Each gateway assumes responsibility for forwarding packets sent to the virtual MAC address assigned to it by the AVG. These gateways are known as active virtual forwarders (AVFs) for their virtual MAC address.
GLBP
Router A is the AVG for a GLBP group, and is responsible for the virtual IP address 10.21.8.10. It is responsible for responding to ARP Requests for the default gateway (10.21.8.10) and handing out the MAC address of an AVF. Router A is also an AVF for the virtual MAC address 0007.b400.0101.
Router B is a member of the same GLBP group and is designated as the AVF for the virtual MAC address 0007.b400.0102, with the same virtual IP address of 10.21.8.10.
Client 1 has a default gateway IP address of 10.21.8.10 and a gateway MAC address of 0007.b400.0101. Client 2 shares the same default gateway IP address but receives the gateway MAC address 0007.b400.0102 because Router B is sharing the traffic load with Router A.
Figure: Client 1 (Default Gateway = 10.21.8.10) sends an ARP Request for 10.21.8.10; the ARP Reply carries 0007.b400.0101; Client 1 sends its packet encapsulated in a frame to 0007.b400.0101.
Figure: Client 2 (Default Gateway = 10.21.8.10) sends an ARP Request for 10.21.8.10; the ARP Reply carries 0007.b400.0102; Client 2 sends its packet encapsulated in a frame to 0007.b400.0102.
GLBP
Figure: Router A fails (X). Router B: “I will also be the AVG for the group. I’ll take over for frames sent to RouterA’s virtual MAC address and my own.”
GLBP Timers: Hello messages every 3 seconds; holdtime is 10 seconds.
Switch(config-if)# glbp group timers [msec] hellotime [msec] holdtime
If Router A becomes unavailable, Client 1 will not lose access to the WAN.
Router B will assume responsibility for forwarding packets sent to the virtual MAC address of Router A, and continues responding to packets sent to its own virtual MAC address.
After a period of time (see the redirect and timeout timers) Router B will only use a single MAC address.
Router B will also assume the role of the AVG for the entire GLBP group.
Communication for the GLBP members continues despite the failure of a router in the GLBP group.
GLBP
Figure: RouterA priority 254; RouterB priority 100.
RouterA(config)#interface vlan 21
RouterA(config-if)#ip address 10.21.8.1 255.255.255.0
RouterA(config-if)#glbp 21 ip 10.21.8.10
RouterA(config-if)#glbp 21 priority 254
RouterB(config)#interface fa 0/1
RouterB(config-if)#ip address 10.21.8.2 255.255.255.0
RouterB(config-if)#glbp 21 ip 10.21.8.10
RouterB(config-if)#glbp 21 priority 100
GLBP
GLBP supports the following operational modes for load balancing:
Round-robin load-balancing algorithm— Each virtual forwarder MAC address takes turns being included in address resolution replies for the virtual IP address. The round-robin load-balancing algorithm is the default.
Weighted load-balancing algorithm— The amount of load directed to an AVF depends on the weighting value advertised by the gateway containing that AVF.
Host-dependent load-balancing algorithm— A host is guaranteed to use the same virtual MAC address as long as that virtual MAC address is participating in the GLBP group.
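An added example (not part of the original slides) that derives the HSRP, VRRP and GLBP virtual MAC addresses given above, classifies a MAC seen in a capture back to its protocol and group, and models how the AVG hands out forwarder MACs in round-robin and host-dependent mode and reassigns a failed member’s MAC. The host-dependent hash (CRC32 of the client MAC) is an assumption of this model, not the IOS algorithm, and the weighted mode is not modelled.

```python
import zlib
from itertools import cycle

def cisco_mac(b: bytes) -> str:
    """Render six bytes in Cisco dotted-triple form, e.g. 0007.b400.0101."""
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def hsrp_vmac(group: int) -> str:
    # HSRP (version 1) virtual MAC: 0000.0c07.acxx, xx = group number 0-255
    assert 0 <= group <= 255
    return cisco_mac(bytes([0x00, 0x00, 0x0c, 0x07, 0xac, group]))

def vrrp_vmac(group: int) -> str:
    # VRRP virtual MAC: 0000.5e00.01xx, xx = group number
    assert 0 <= group <= 255
    return cisco_mac(bytes([0x00, 0x00, 0x5e, 0x00, 0x01, group]))

def glbp_vmac(group: int, forwarder: int) -> str:
    # GLBP: 0007.b4xx.xxyy, xx.xx = six zero bits + 10-bit group (0-1023), yy = forwarder 1-4
    assert 0 <= group <= 1023 and 1 <= forwarder <= 4
    return cisco_mac(bytes([0x00, 0x07, 0xb4, group >> 8, group & 0xff, forwarder]))

def identify_vmac(mac: str):
    """Classify a MAC seen in a capture as an FHRP virtual MAC.
    Returns (protocol, group, forwarder) or None; handy for inventorying gateways."""
    b = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if b[:5] == bytes([0x00, 0x00, 0x0c, 0x07, 0xac]):
        return ("HSRP", b[5], None)
    if b[:5] == bytes([0x00, 0x00, 0x5e, 0x00, 0x01]):
        return ("VRRP", b[5], None)
    if b[:3] == bytes([0x00, 0x07, 0xb4]) and b[3] <= 0x03:
        return ("GLBP", (b[3] << 8) | b[4], b[5])
    return None

class GlbpAvg:
    """Models how the AVG answers ARP for the virtual IP (round-robin or host-dependent)
    and how a surviving AVF takes over a failed member's virtual MAC."""
    def __init__(self, group, virtual_ip, owners, mode="round-robin"):
        self.group, self.virtual_ip, self.mode = group, virtual_ip, mode
        self.owners = dict(owners)          # forwarder number -> router answering for that vMAC
        self._rr = cycle(sorted(self.owners))

    def arp_reply(self, client_mac: str, target_ip: str):
        if target_ip != self.virtual_ip or not self.owners:
            return None                     # the AVG only answers for the virtual gateway IP
        active = sorted(self.owners)
        if self.mode == "host-dependent":   # same host always gets the same vMAC
            fwd = active[zlib.crc32(client_mac.encode()) % len(active)]
        else:                               # round-robin: each vMAC takes turns in replies
            fwd = next(self._rr)
            while fwd not in self.owners:   # skip vMACs that have been retired
                fwd = next(self._rr)
        return glbp_vmac(self.group, fwd)

    def forwarder_failed(self, router: str, successor: str) -> None:
        # successor answers for the failed router's vMAC(s); hosts keep their cached gateway MAC
        for fwd, owner in self.owners.items():
            if owner == router:
                self.owners[fwd] = successor

    def retire(self, forwarder: int) -> None:
        # after the redirect/timeout timers expire the AVG stops handing out the old vMAC
        self.owners.pop(forwarder, None)
```

Running identify_vmac over the source MACs of a capture shows which FHRP groups are actually answering on a segment, which can be compared against the intended configuration.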
GLBP Operation Hosts A and B send their off-network traffic to separate next-hop routers because they each have cached a different MAC address for the single virtual gateway IP address—in this case, 10.88.1.10. Each GLBP router is an AVF for the MAC address it has been assigned.
GLBP Interface Tracking
Like HSRP, GLBP can be configured to track interfaces.
Router(config)# track 1 interface serial1/0 line-protocol
Figure: The link from router R1 is lost. GLBP detects the failure.
GLBP Interface Tracking The responsibility of forwarding packets destined for virtual MAC “1” is taken over by the secondary virtual forwarder (router R2).
For more information http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html
Implementing High Availability Options in MLS with HSRP CIS 187 Multilayer Switched Networks CCNP 3 Rick Graziani