CCNP Switch Notes First Hop Redundancy
Specifying a default gateway leads to a single point of failure. Proxy Address Resolution Protocol (ARP) is one method for hosts to dynamically discover gateways, but it has issues in a highly available environment. With Proxy ARP:
- Hosts ARP for all destinations, even remote.
- Router responds with its MAC.
- Problem: Slow failover because ARP entries take minutes to timeout.
Instead of making the host responsible for choosing a new gateway, router redundancy protocols enable two or more routers to support a shared MAC address. If the primary router is lost, the backup router assumes control of traffic forwarded to that MAC. This section refers to routers but includes those multilayer switches that can also implement Layer 3 redundancy.
Hot Standby Router Protocol
Hot Standby Router Protocol (HSRP) is a Cisco proprietary protocol.
With HSRP, two or more devices support a virtual router with a fictitious MAC address and a unique IP address. Hosts use this IP address as their default gateway and the virtual MAC address in the Layer 2 header. The virtual router's MAC address is 0000.0c07.acxx, in which xx is the HSRP group number in hexadecimal (group 39 is 0000.0c07.ac27). Multiple groups (virtual routers) are allowed.
The Active router forwards traffic; the Standby router is its backup. The standby monitors periodic hellos (multicast to 224.0.0.2, UDP port 1985) to detect a failure of the active router. On failure, the standby device starts answering packets sent to the IP and MAC addresses of the virtual router, so hosts keep their existing ARP entries and notice nothing.
The active router is the one with the highest HSRP priority (default priority is 100). In case of a tie, the router with the highest configured interface IP address wins the election. A router that comes up with a higher priority does not force a new election unless it is configured to preempt, that is, to take over from a lower-priority active router. Configuring preempt also ensures that the highest-priority router regains the active role after it goes down and comes back online.
Interface tracking reduces the active router's priority if a specified interface goes down. This lets the standby router take over even though the active router is still up, but only if the standby is configured to preempt; without preempt, the standby stays standby no matter how far the active router's priority drops.
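A small model of these election rules, added here as a worked example (it is not from the notes or from Cisco IOS; the router names, addresses and the tracked interface name are made up). It walks one group through a tracked-link failure, the link's recovery, and a crash of the active router, and shows why tracking only helps when the standby preempts:

```python
"""Model of the HSRP active-router election: priority, IP tie-break,
preempt and interface tracking.  Added example, not from the original
notes; router names, addresses and interface names are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DEFAULT_PRIORITY = 100


@dataclass(eq=False)
class HsrpRouter:
    name: str
    ip: str                      # interface address, used to break priority ties
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False
    tracked: dict = field(default_factory=dict)        # interface -> decrement when down
    up_interfaces: set = field(default_factory=set)

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        penalty = sum(dec for ifname, dec in self.tracked.items()
                      if ifname not in self.up_interfaces)
        return max(0, self.priority - penalty)

    def election_key(self):
        # highest effective priority wins; highest interface IP breaks a tie
        return (self.effective_priority(), int(IPv4Address(self.ip)))


def elect_active(routers):
    """Election with no active router (everyone is in Speak state)."""
    return max(routers, key=HsrpRouter.election_key)


def next_active(current, routers):
    """Active router after `routers` (the ones still sending hellos) hear each other.

    If the current active router is gone, a normal election is held.  Otherwise
    it keeps the role unless a router configured to preempt outranks it; a
    router without preempt never takes over, however high its priority.
    """
    if current not in routers:
        return elect_active(routers)
    challengers = [r for r in routers if r is not current and r.preempt
                   and r.election_key() > current.election_key()]
    return max(challengers, key=HsrpRouter.election_key) if challengers else current


def scenario():
    """Walk group 39 through a tracked-link failure, recovery, and an active-router crash."""
    r1 = HsrpRouter("R1", "10.0.0.2", priority=150, preempt=True,
                    tracked={"s1/0/0": 100}, up_interfaces={"s1/0/0"})
    r2 = HsrpRouter("R2", "10.0.0.3", preempt=True)     # priority 100
    r3 = HsrpRouter("R3", "10.0.0.4")                   # priority 100, no preempt
    steps = []
    active = elect_active([r1, r2, r3])                 # R1: highest priority
    steps.append(active.name)
    r1.up_interfaces.discard("s1/0/0")                  # WAN link down: R1 drops to 50
    active = next_active(active, [r1, r2, r3])          # R2 preempts; R3 has the higher key but no preempt
    steps.append(active.name)
    r1.up_interfaces.add("s1/0/0")                      # link restored: R1 preempts again
    active = next_active(active, [r1, r2, r3])
    steps.append(active.name)
    active = next_active(active, [r2, r3])              # R1 crashes: fresh election, R3 wins the IP tie-break
    steps.append(active.name)
    return steps


if __name__ == "__main__":
    print(scenario())   # ['R1', 'R2', 'R1', 'R3']
```

Note the second step: R3 has the better election key after R1's link fails, but because R3 is not configured to preempt it is R2 that becomes active; R3 only wins once R1 disappears entirely and a fresh election is held.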
HSRP devices move between these states:
- Initial: HSRP is not running.
- Learn: The router does not know the virtual IP address and is waiting to hear from the active router.
- Listen: The router knows the IP and MAC of the virtual router, but it is not the active or standby router.
- Speak: Router sends periodic HSRP hellos and participates in the election of the active router.
- Standby: Router monitors hellos from active router and assumes responsibility if active router fails.
- Active: Router forwards packets on behalf of the virtual router.
To begin configuring HSRP, use the standby group-number ip virtual-IP-address command in interface configuration mode. Routers in the same HSRP group must belong to the same subnet/virtual LAN (VLAN). Give this command under the interface connecting to that subnet or VLAN. For instance, use the following to configure the router as a member of HSRP group 39 with virtual router IP address 10.0.0.1:
Router(config-if)#standby 39 ip 10.0.0.1
HSRP authentication prevents an unauthorized device on the segment from joining the group. Without it, any host on the VLAN can send hellos (or a coup message) claiming priority 255 and take over as active router, after which all traffic leaving the subnet passes through it. Use MD5 authentication rather than plain-text authentication: the plain-text form carries the key in the clear in every hello, and its default value is simply cisco, so also replace the key string shown here with your own:
Router(config-if)#standby 2 authentication md5 key-string cisco
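To see what authentication defends against, the following Python example (added here; it is not from the notes or from Cisco) builds and parses HSRPv1 packets and audits a set of hellos for a rogue speaker. The 20-byte packet layout is the plain-text-authentication format from RFC 2281; the packets, addresses and gateway allow-list are constructed for the example.

```python
"""Parse HSRPv1 packets and flag a rogue speaker trying to win the election.

Added example, not from the original notes.  The 20-byte HSRPv1 layout
(version, opcode, state, hellotime, holdtime, priority, group, reserved,
8-byte plain-text authentication data, virtual IP) follows RFC 2281.  The
packets, addresses and gateway allow-list are constructed for the example;
a real capture would take the UDP payload of packets to 224.0.0.2:1985.
"""
import struct
from ipaddress import IPv4Address

HSRP_FMT = "!8B8s4s"          # eight 1-byte fields, auth data, virtual IP
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
DEFAULT_AUTH = b"cisco"       # IOS default plain-text authentication string


def build_hsrp(opcode, state, priority, group, vip, auth=DEFAULT_AUTH, hello=3, hold=10):
    """Build an HSRPv1 payload (plain-text authentication variant)."""
    return struct.pack(HSRP_FMT, 0, opcode, state, hello, hold, priority, group, 0,
                       auth.ljust(8, b"\x00"), IPv4Address(vip).packed)


def parse_hsrp(payload):
    if len(payload) < struct.calcsize(HSRP_FMT):
        raise ValueError("short HSRP payload")
    fields = struct.unpack(HSRP_FMT, payload[:20])
    ver, op, state, hello, hold, prio, group, _res, auth, vip = fields
    if ver != 0:
        raise ValueError(f"unsupported HSRP version {ver}")
    return {"opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
            "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00"), "vip": str(IPv4Address(vip))}


def audit_hsrp(packets, known_gateways, group, vip, active_priority):
    """Return (severity, source, message) alerts for one HSRP group.

    packets: iterable of (source IP, payload).  Anything from an address that
    is not a known gateway is a rogue speaker; if it also outranks the
    configured active router (higher priority, or a coup) it would win the
    election and the alert is critical.  Use of the default plain-text
    authentication string is reported regardless of source.
    """
    alerts = []
    for src, payload in packets:
        try:
            h = parse_hsrp(payload)
        except ValueError as err:
            alerts.append(("warning", src, f"malformed HSRP packet: {err}"))
            continue
        if h["group"] != group or h["vip"] != vip:
            continue                                   # another group, out of scope
        if src not in known_gateways:
            outranks = h["opcode"] == "coup" or h["priority"] > active_priority
            alerts.append(("critical" if outranks else "warning", src,
                           f"rogue HSRP {h['opcode']} (state {h['state']}, priority {h['priority']})"))
        if h["auth"] == DEFAULT_AUTH:
            alerts.append(("warning", src, "default plain-text authentication string in use"))
    return alerts


# Constructed sample: two real gateways with a custom key, one rogue host
# sending a coup with priority 255 and the default key, one packet for another group.
SAMPLE = [
    ("10.0.0.2", build_hsrp(0, 16, 150, 39, "10.0.0.1", auth=b"s3cr3t")),
    ("10.0.0.3", build_hsrp(0, 8, 100, 39, "10.0.0.1", auth=b"s3cr3t")),
    ("10.0.0.77", build_hsrp(1, 4, 255, 39, "10.0.0.1")),
    ("10.0.0.2", build_hsrp(0, 16, 150, 40, "10.0.1.1", auth=b"s3cr3t")),
]


def run_sample():
    return audit_hsrp(SAMPLE, {"10.0.0.2", "10.0.0.3"}, 39, "10.0.0.1", 150)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

With MD5 authentication configured, IOS appends an authentication TLV to the packet that this parser does not decode; the point is that a rogue's packets then fail the check and are ignored by the group, whereas with plain-text or no authentication the priority-255 coup above would succeed.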
Tune HSRP with four options: Priority, Preempt, Timers, and Interface Tracking.
Manually select the active router by configuring its priority higher than the default of 100:
Router(config-if)#standby 39 priority 150
Along with configuring priority, configure preempt to enable a router to take over if the active router has a lower priority, as shown in the following commands. This leads to a predictable data path through the network. The second command delays preemption until the router or switch has fully booted and the routing protocol has converged. Time how long it takes to boot and add 50 percent to get the delay value in seconds:
Router(config-if)#standby 39 preempt
Router(config-if)#standby 39 preempt delay minimum 90
Speed convergence by changing the hello and hold times. The following sets the hello interval to 1 second and the hold time to 3 seconds. Each can be set between 1 and 255 seconds; keep the hold time at least three times the hello interval, as in the defaults (hello 3 seconds, hold time 10 seconds):
Router(config-if)#standby 39 timers 1 3
Tracking an interface can trigger an election if the active router is still up but a critical interface (such as the one to the Internet) is down. In the following, if serial 1/0/0 is down, the router’s HSRP priority is decremented by 100 (the default value to decrement is 10):
Router(config-if)#standby 39 track s1/0/0 100
Another way to track an indirect connection is to use IP SLA (described in Chapter 5). With IP SLA tracking, HSRP can fail over to the standby router if any connection on the path to a remote location fails or exceeds link-quality thresholds. The following sample configuration shows how to add tracking of IP SLA operation number 5 to an existing HSRP interface configuration. (The track 10 rtr 5 form is the older IOS syntax; newer releases use track 10 ip sla 5 reachability.)
Router(config)#ip sla 5
Router(config-ip-sla)#udp-jitter 172.17.1.2 16000
Router(config)#track 10 rtr 5
Router(config)#interface fa 1/0/15
Router(config-if)#standby 2 track 10 decrement 50
Multiple HSRP standby groups can be configured, and the same router can be active for some groups and standby for others by adjusting priorities. You can have a maximum of 255 groups. When using Layer 3 switches, configure the same switch as the primary HSRP router and the Spanning Tree root.
Virtual Router Redundancy Protocol
Virtual Router Redundancy Protocol (VRRP) is similar to HSRP, but it is an open standard (originally RFC 2338, since revised as RFC 3768 and, for VRRPv3 with IPv6 support, RFC 5798). Two or more devices act as a virtual router. With VRRP, however, the IP address used can be either a virtual one or the actual interface IP address of the primary router. VRRP is supported only on Cisco 4500 and 6500 series switches.
The VRRP Master router forwards traffic. The master is chosen because it owns the real address or because it has the highest priority (the default is 100). If a real interface address is used as the virtual address, its owner must be the master. A Backup router takes over if the master fails, and there can be multiple backup routers. They monitor periodic advertisements multicast by the master to 224.0.0.18, carried directly in IP as protocol number 112 (not over UDP), to detect a failure of the master router.
Multiple VRRP groups are allowed, just as with HSRP.
Routers in the same VRRP group must belong to the same subnet/VLAN. To enable VRRP, give the command vrrp group-number ip virtual-IP-address under the interface connecting to that subnet or VLAN:
Router(config-if)#vrrp 39 ip 10.0.0.1
Control the master and backup elections by configuring priority values from 1 to 254; 255 is reserved for the router that owns the real address. If a master VRRP router is shut down, it sends a final advertisement with priority 0. This triggers the backup routers to hold an election without waiting for the master's advertisements to time out.
Router(config-if)#vrrp 39 priority 175
VRRP uses the following timers:
- Advertisement, or hello, interval in seconds. Default is 1 second.
- Master down interval. Equals 3 x advertisement interval plus skew time. Similar to a hold or dead timer.
- Skew time. (256 - priority) / 256 seconds. This ensures that the highest priority backup router becomes master, because higher priority routers have shorter master down intervals.
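The timers above worked through in Python, as an added example that is not from the notes: the formulas and the priority-0 behaviour are those of RFC 3768, and the priorities and addresses are made up.

```python
"""VRRP backup timing: which backup becomes master, and how soon.

Added example, not from the original notes.  Master_Down_Interval =
3 * Advertisement_Interval + Skew_Time and Skew_Time = (256 - Priority) / 256
follow RFC 3768, as does the rule that an advertisement with priority 0 (a
master shutting down) makes backups wait only Skew_Time.  Priorities and
addresses below are constructed.
"""
from ipaddress import IPv4Address


def skew_time(priority):
    """Seconds a backup waits beyond three advertisements; higher priority, shorter wait."""
    return (256 - priority) / 256


def master_down_interval(priority, advert_interval=1):
    return 3 * advert_interval + skew_time(priority)


def next_master(backups, advert_interval=1, last_advert_priority=None):
    """Return (backup that becomes master, seconds after the last advertisement).

    backups: {name: (priority, interface IP)}.  Each backup restarts its
    master-down timer on every advertisement; the timer that expires first
    wins.  Backups with equal priority expire together and both announce
    themselves, and the one with the higher IP address keeps the role.
    """
    timers = {}
    for name, (priority, _ip) in backups.items():
        if not 1 <= priority <= 254:
            raise ValueError(f"{name}: backup priority must be 1-254 (255 is the address owner)")
        if last_advert_priority == 0:
            timers[name] = skew_time(priority)                # master announced its shutdown
        else:
            timers[name] = master_down_interval(priority, advert_interval)
    winner = min(timers, key=lambda n: (timers[n], -int(IPv4Address(backups[n][1]))))
    return winner, round(timers[winner], 4)


if __name__ == "__main__":
    backups = {"R2": (175, "10.0.0.3"), "R3": (100, "10.0.0.4")}
    print(next_master(backups))                          # ('R2', 3.3164): master simply vanished
    print(next_master(backups, last_advert_priority=0))  # ('R2', 0.3164): master shut down cleanly
    print(next_master({"A": (100, "10.0.0.3"), "B": (100, "10.0.0.4")}))   # ('B', 3.6094)
```

With default timers a VRRP backup therefore takes over roughly 3.3 seconds after the last advertisement, against 10 seconds for HSRP's default hold time, and a cleanly shut down master is replaced in well under a second.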
To change the timers on the master, use the following command because it is the router that advertises the hellos:
Router(config-if)#vrrp 39 timers advertise 5
To change the timers on the backup routers, use the following command because they hear the hellos from the master:
Router(config-if)#vrrp 39 timers learn
VRRP has no interface-tracking keyword of its own, as HSRP does; instead it tracks objects defined with the track command (including IP SLA operations) and decrements its priority when a tracked object goes down.
One issue with both HSRP and VRRP is that only the primary router forwards traffic; the others wait for it to fail. The two protocols work around this only by configuring multiple groups, with a different router active in each and different hosts pointed at each group's virtual IP. Gateway Load Balancing Protocol (GLBP), by contrast, enables the simultaneous use of up to four gateways in one group, thus maximizing bandwidth. With GLBP, there is still one virtual IP address, but each participating router has its own virtual MAC address, and different routers' virtual MAC addresses are returned in answer to ARPs for the virtual IP address. GLBP supports up to 1024 groups per physical interface. GLBP is supported only on Cisco 4500 and 6500 series switches.
The load sharing is done in one of three ways:
- Weighted load balancing: Traffic is balanced proportional to a configured weight.
- Host-dependent load balancing: A given host always uses the same router.
- Round-robin load balancing: Each router MAC is used to respond to ARP requests in turn.
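How the AVG applies these three schemes when it answers ARPs, and what happens to a forwarder's MAC when that router fails, modelled in Python as an added example (not from the notes or from Cisco): the router names, weights and host MACs are made up, and SHA-256 stands in for Cisco's undocumented host-dependent hash.

```python
"""The GLBP Active Virtual Gateway answering ARPs: round-robin, host-dependent
and weighted forwarder selection, plus takeover of a failed forwarder's MAC.

Added example, not from the original notes.  Router names, weights and host
MAC addresses are constructed; SHA-256 stands in for Cisco's undocumented
host-dependent hash.  Virtual MACs use the 0007.b4xx.xxyy pattern (xx.xx =
group number, yy = forwarder number).
"""
import hashlib
from functools import reduce
from itertools import cycle
from math import gcd


def glbp_vmac(group, forwarder):
    hi, lo = divmod(group, 256)
    return f"0007.b4{hi:02x}.{lo:02x}{forwarder:02x}"


class ActiveVirtualGateway:
    """The one GLBP router that answers ARPs for the virtual IP."""

    def __init__(self, group, routers, method="round-robin"):
        # routers: {router name: weight}; forwarder numbers are assigned 1..n in order
        self.group = group
        self.weights = dict(routers)
        self.up = set(routers)
        self.primary = {glbp_vmac(group, n): name for n, name in enumerate(routers, 1)}
        self.owner = dict(self.primary)           # who currently answers each vMAC
        self.method = method
        self._rebuild_rotation()

    def _rebuild_rotation(self):
        """Only the vMACs of forwarders that are up are handed out in new ARP replies."""
        self.live = [v for v, o in self.primary.items() if o in self.up]
        if self.method == "weighted":
            # expand each vMAC proportionally to its router's weight, e.g. 100:50 -> 2:1
            g = reduce(gcd, (self.weights[self.primary[v]] for v in self.live))
            schedule = [v for v in self.live for _ in range(self.weights[self.primary[v]] // g)]
        else:
            schedule = self.live
        self._rotation = cycle(schedule)

    def arp_reply(self, host_mac):
        """The virtual MAC the AVG puts in its ARP reply to this host."""
        if self.method == "host-dependent":
            h = hashlib.sha256(host_mac.lower().encode()).digest()[0]
            return self.live[h % len(self.live)]
        return next(self._rotation)

    def forwarder_failed(self, name):
        """Another router takes over the failed forwarder's vMAC, so hosts that cached it keep working."""
        self.up.discard(name)
        if not self.up:
            raise RuntimeError("no forwarders left in the group")
        backup = max(self.up, key=self.weights.get)
        for vmac, owner in self.owner.items():
            if owner == name:
                self.owner[vmac] = backup
        self._rebuild_rotation()

    def who_answers(self, vmac):
        return self.owner[vmac]


if __name__ == "__main__":
    avg = ActiveVirtualGateway(39, {"R1": 100, "R2": 50}, method="weighted")
    replies = [avg.arp_reply(f"00:11:22:33:44:{i:02x}") for i in range(30)]
    print({v: replies.count(v) for v in avg.live})    # R1's vMAC 20 times, R2's 10 times
    avg.forwarder_failed("R2")
    print(avg.who_answers(glbp_vmac(39, 2)))          # R1 now answers for R2's vMAC
```

The failure path is the part worth noting for troubleshooting: hosts that already cached the failed forwarder's MAC keep working because a surviving router answers for it, while new ARP requests are spread only across forwarders that are still up.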
GLBP routers elect an Active Virtual Gateway (AVG). It is the only router that responds to ARPs for the virtual IP address, and it uses this position to balance the load among the GLBP routers. The highest priority router is the AVG; the highest configured IP address is used in case of a tie.
The router actually used by a host is its Active Virtual Forwarder (AVF). GLBP group members multicast hellos every 3 seconds (hold time 10 seconds by default) to IP address 224.0.0.102, UDP port 3222. If one router goes down, another router answers for its virtual MAC address, so hosts that cached that MAC are not affected.
Configure GLBP with the interface command glbp group-number ip virtual-IP-address, as shown:
Router(config-if)#glbp 39 ip 10.0.0.1
To ensure deterministic elections, each router can be configured with a priority. The default priority is 100:
Router(config-if)#glbp 39 priority 150
Hello and hold (or dead) timers can be configured for each interface with the command glbp group-number timers [msec] hello-time [msec] hold-time. Values are in seconds unless the msec keyword is used.
GLBP can also track interfaces and other objects, as with HSRP, but it does so through the forwarder's weighting: the router's weight is decremented when a tracked object goes down, and if the weight falls below the configured lower threshold the router gives up its AVF role and another router answers for its virtual MAC address.
Planning Router Redundancy Implementation
Before configuring first-hop redundancy, determine which protocol is best in your network. If you have the same VLAN on multiple access switches, use HSRP or VRRP: with GLBP, some hosts would be handed a forwarder that sits behind a spanning-tree blocked link and their traffic would take a suboptimal path across the link between distribution switches. If you use local VLANs, contained to a single switch, GLBP is an option.
Before configuring HSRP or VRRP on a multilayer switch, determine which switch is the root bridge for each VLAN. The root bridge should be the active HSRP/VRRP router. Determine priorities to be used, and whether you need tracking or timer adjustment.
After your implementation, verify and test. To view the switch's standby status, use the show standby command, optionally followed by an interface name to limit it to one interface, or use show standby brief for a one-line summary per group. To monitor standby activity, use the debug standby command. The VRRP and GLBP equivalents are show vrrp brief and show glbp brief.