
Friday, May 23, 2014

CCNP SWITCH: 8. Gateway Load Balancing Protocol (GLBP)


The Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol designed to overcome a limitation of HSRP and VRRP: with those protocols only one router forwards for the virtual address while the others sit idle.

To provide a virtual router, multiple switches (routers) are assigned to a common GLBP group.
Instead of having just one active router performing forwarding for the virtual router address, all routers in the group can participate and offer load balancing by forwarding a portion of the overall traffic.

The load balancing is provided completely through the use of virtual router MAC addresses in ARP replies returned to the clients.
As a client sends an ARP request looking for the virtual router address, GLBP sends back an ARP reply with the virtual MAC address of a selected router in the group.

Active Virtual Gateway
One router is elected the active virtual gateway (AVG): the one with the highest priority value or, if priorities tie, the highest IP address in the group.
The AVG answers all ARP requests for the virtual router address. Which virtual MAC address it returns depends on the load-balancing algorithm it is configured to use.
Because the election is driven entirely by the priority carried in GLBP hellos, any device on the VLAN that can send hellos with a higher priority can claim the AVG role and then decide which MAC address every client is told to use for its gateway; the MD5 authentication configured later in this lab is what keeps an unauthenticated peer out of the group.

The AVG also assigns the necessary virtual MAC addresses to each of the routers participating in the GLBP group.
Up to four virtual MAC addresses can be used in any group.
Each of these routers is referred to as an active virtual forwarder (AVF), forwarding traffic received on its virtual MAC address.

Assigning the GLBP priority to a router:
Switch(config-if)# glbp group priority level

Note: GLBP group numbers range from 0 to 1023. The router priority can be 1 to 255 (255 is the highest priority), defaulting to 100.

Enabling preempting and setting a time delay before preempting begins:
Switch(config-if)# glbp group preempt [delay minimum seconds]

Hello messages are sent between GLBP peers at hellotime intervals, with a default of 3 seconds.
If hellos are not received from a peer within a holdtime, defaulting to 10 seconds, that peer is presumed to have failed.

Adjusting the GLBP timers:
Switch(config-if)# glbp group timers [msec] hellotime [msec] holdtime

Active Virtual Forwarder
Each router participating in the GLBP group can become an AVF, if the AVG assigns it that role, along with a virtual MAC address.
The virtual MAC addresses always have the form 0007.b4xx.xxyy.
The 16-bit value denoted by xx.xx represents six zero bits followed by a 10-bit GLBP group number. The 8-bit yy value is the virtual forwarder number.
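The virtual MAC layout above is easiest to trust once you can encode and decode it yourself. The following Python is an added example, not code from the original post or from Cisco: it builds a GLBP virtual MAC from a group and forwarder number, decodes one back, and parses IOS "debug arp" reply lines (the sample lines are constructed in the style of the debug output shown further down this page) to tag which replies come from a GLBP or VRRP virtual gateway. It goes slightly beyond the GLBP case by also recognising the VRRP virtual MAC form 0000.5e00.01xx covered in the next post; the debug-line regex and the sample text are assumptions of this example.

```python
import re

# Constructed sample, in the style of the IOS "debug arp" output on this page
# (the IP/MAC values match the lab; the fourth line is a non-FHRP MAC for contrast).
SAMPLE_DEBUG = """\
*Mar  1 02:43:53.675: IP ARP: rcvd rep src 192.168.1.1 0007.b400.0101, dst 192.168.1.10 FastEthernet0/0
*Mar  1 02:44:04.031: IP ARP: rcvd rep src 192.168.1.1 0007.b400.0102, dst 192.168.1.20 FastEthernet0/0
*Mar  1 01:37:12.603: IP ARP: rcvd rep src 192.168.1.1 0000.5e00.0101, dst 192.168.1.10 FastEthernet0/0
*Mar  1 01:40:00.000: IP ARP: rcvd rep src 192.168.1.1 cc07.13b4.0000, dst 192.168.1.10 FastEthernet0/0
"""

# Assumed pattern for an ARP reply line in the debug output above.
ARP_REPLY = re.compile(
    r"IP ARP: rcvd rep src (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
)


def mac_to_int(mac):
    """'0007.b400.0101' -> 0x0007B4000101"""
    return int(mac.replace(".", ""), 16)


def glbp_vmac(group, forwarder):
    """GLBP virtual MAC 0007.b4xx.xxyy: 24-bit prefix, 6 zero bits,
    10-bit group number (0-1023), 8-bit forwarder number (1-4)."""
    if not 0 <= group <= 1023 or not 1 <= forwarder <= 4:
        raise ValueError("group must be 0-1023 and forwarder 1-4")
    value = (0x0007B4 << 24) | (group << 8) | forwarder
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def vrrp_vmac(group):
    """VRRP virtual MAC 0000.5e00.01xx, xx = group number (0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("VRRP group must be 0-255")
    return f"0000.5e00.01{group:02x}"


def classify_mac(mac):
    """Decode a MAC into its FHRP type and group/forwarder, or protocol None."""
    v = mac_to_int(mac)
    # GLBP: prefix 0007.b4, then six zero bits ahead of the 10-bit group field.
    if (v >> 24) == 0x0007B4 and ((v >> 18) & 0x3F) == 0:
        return {"protocol": "GLBP", "group": (v >> 8) & 0x3FF, "forwarder": v & 0xFF}
    if (v >> 8) == 0x00005E0001:
        return {"protocol": "VRRP", "group": v & 0xFF}
    return {"protocol": None}


def parse_arp_replies(text):
    """Extract every ARP reply from debug output and classify its sender MAC."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            replies.append({"ip": m["ip"], "mac": m["mac"], **classify_mac(m["mac"])})
    return replies


if __name__ == "__main__":
    for r in parse_arp_replies(SAMPLE_DEBUG):
        print(r)
```

Running it on the sample prints a GLBP group 1 reply for forwarders 1 and 2, a VRRP group 1 reply, and one reply from a plain burned-in address. On a production segment the same classification applied to captured ARP replies is a cheap way to notice when the gateway address suddenly starts answering from a MAC that is not the expected virtual one.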

GLBP Load Balancing

The AVG establishes load balancing by handing out virtual router MAC addresses to clients in a deterministic fashion.

GLBP can use a weighting function to determine which router becomes the AVF for a virtual MAC address in a group.
Each router begins with a maximum weight value (1 to 254).
As specific interfaces go down, the weight is decreased by a configured amount.
GLBP uses thresholds to determine when a router can and cannot be the AVF. If the weight falls below the lower threshold, the router must give up its AVF role. When the weight rises above the upper threshold, the router can resume its AVF role.

Note: By default, the maximum weighting is 100, the lower threshold is 1 and the upper threshold equals the maximum (100), as the show glbp output later in this post confirms.

Syntax:
Switch(config)# track object-number interface type mod/num {line-protocol | ip routing}
Switch(config-if)# glbp group weighting maximum [lower lower] [upper upper]
Switch(config-if)# glbp group weighting track object-number [decrement value]

You can use one of the following load-balancing methods in a GLBP group:

A. Round robin - Each new ARP request for the virtual router address receives the next available virtual MAC address in reply. Traffic load is distributed evenly across all routers participating as AVFs in the group, assuming that each of the clients sends and receives the same amount of traffic.
This is the default method used by GLBP.

B. Weighted - The GLBP group interface’s weighting value determines the proportion of traffic that should be sent to that AVF. A higher weighting results in more frequent ARP replies containing the virtual MAC address of that router. If interface tracking is not configured, the maximum weighting value configured is used to set the relative proportions among AVFs.

C. Host dependent - Each client that generates an ARP request for the virtual router address always receives the same virtual MAC address in reply. This method is used if the clients have a need for a consistent gateway MAC address.

Use the following interface configuration command to define the method:
Switch(config-if)# glbp group load-balancing [round-robin | weighted | host-dependent]

To enable GLBP, you must assign a virtual IP address to the group by using the following interface configuration command:
Switch(config-if)# glbp group ip [ip-address [secondary]]

Note: If the ip-address is not given in the command, it is learned from another router in the group. However, if this router is to be the AVG, you must explicitly configure the IP address.

In our topology, let's consider switches AS2, DS1, DS2 and DS3. The distribution switches will have GLBP configured.

All unused interfaces on AS2, DS1, DS2 and DS3 should be shut down.
All unused switches should be shut down.
PC1, PC2 and PC3 are all connected to AS2 in the topology for this lab.

This is a simplified image of the topology:



PC1, PC2 and PC3 (which are routers) will have IP addresses configured and point to the GLBP group address as default gateway.

PC1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.10    YES manual up                    up    

PC1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

PC2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.20    YES manual up                    up    

PC2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

PC3#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.30    YES manual up                    up

PC3(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

We should first configure the L2 (trunk) links between the access and distribution switches.
The DS1-DS2 and DS2-DS3 links will be L3 (routed) links.

AS2:

!
interface FastEthernet1/3
 switchport mode trunk
!
interface FastEthernet1/4
 switchport mode trunk
!
interface FastEthernet1/5
 switchport mode trunk
!

DS1:

!
interface FastEthernet1/4
 switchport mode trunk
!
interface FastEthernet1/1
 no switchport
 ip address 192.168.12.1 255.255.255.0
!

DS2:

!
interface FastEthernet1/3
 switchport mode trunk
!
interface FastEthernet1/1
 no switchport
 ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet1/2
 no switchport
 ip address 192.168.23.2 255.255.255.0
!

DS3:

!
interface FastEthernet1/6
 switchport mode trunk
!
interface FastEthernet1/2
 no switchport
 ip address 192.168.23.3 255.255.255.0
!

Let's create the VLANs on the access switch and assign the PC ports to the VLANs:

AS2(vlan)#vlan 123
VLAN 123 added:
    Name: VLAN0123
AS2(vlan)#exit
APPLY completed.
Exiting....

AS2(config)#interface range fastEthernet 1/13 - 15
AS2(config-if-range)#switchport mode access
AS2(config-if-range)#switchport access vlan 123

Let's create the same VLAN on the distribution switches:

DS1(vlan)#vlan 123
VLAN 123 added:
    Name: VLAN0123
DS1(vlan)#exit
APPLY completed.
Exiting....

DS2(vlan)#vlan 123
VLAN 123 added:
    Name: VLAN0123
DS2(vlan)#exit
APPLY completed.
Exiting....

DS3(vlan)#vlan 123
VLAN 123 modified:
DS3(vlan)#exit
APPLY completed.
Exiting....

Configuring GLBP on DS1 (will be AVG, Round robin method):

DS1(config)#interface vlan 123
DS1(config-if)#ip address 192.168.1.101 255.255.255.0
DS1(config-if)#glbp 1 priority 200
DS1(config-if)#glbp 1 preempt
DS1(config-if)#glbp 1 ip 192.168.1.1
DS1(config-if)#glbp 1 authentication md5 key-string CCnp
DS1(config-if)#glbp 1 load-balancing round-robin 
   (default)

Configuring GLBP on DS2 (will be Standby AVG):

DS2(config)#interface vlan 123
DS2(config-if)#ip address 192.168.1.102 255.255.255.0
DS2(config-if)#glbp 1 priority 150

DS2(config-if)#glbp 1 preempt
DS2(config-if)#glbp 1 ip 192.168.1.1
DS2(config-if)#glbp 1 authentication md5 key-string CCnp
DS2(config-if)#glbp 1 load-balancing round-robin
    (default)

Configuring GLBP on DS3 (will be AVF):

DS3(config)#interface vlan 123
DS3(config-if)#ip address 192.168.1.103 255.255.255.0
DS3(config-if)#glbp 1 priority 100
                    (default)
DS3(config-if)#glbp 1 ip 192.168.1.1
DS3(config-if)#glbp 1 authentication md5 key-string CCnp
DS3(config-if)#glbp 1 load-balancing round-robin
    (default)

Verifying GLBP - we can confirm our configurations with the following commands:

DS1#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Vl123       1    -   200 Active   192.168.1.1     local           192.168.1.102
Vl123       1    1   -   Listen   0007.b400.0101  192.168.1.102   -
Vl123       1    2   -   Active   0007.b400.0102  local           -
Vl123       1    3   -   Listen   0007.b400.0103  192.168.1.103   -

DS2#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Vl123       1    -   150 Standby  192.168.1.1     192.168.1.101   local
Vl123       1    1   -   Active   0007.b400.0101  local           -
Vl123       1    2   -   Listen   0007.b400.0102  192.168.1.101   -
Vl123       1    3   -   Listen   0007.b400.0103  192.168.1.103   -

DS3#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Vl123       1    -   100 Listen   192.168.1.1     192.168.1.101   192.168.1.102
Vl123       1    1   -   Listen   0007.b400.0101  192.168.1.102   -
Vl123       1    2   -   Listen   0007.b400.0102  192.168.1.101   -
Vl123       1    3   -   Active   0007.b400.0103  local           -

Note: Notice that DS1 is shown to be the AVG because it has a dash in the Fwd column and is in the Active state. It also is acting as AVF for virtual forwarder number 2.

Note: Because the GLBP group has three routers, there are three virtual forwarders and virtual MAC addresses.

Note: DS1 is in the Listen state for forwarders number 1 and 3, waiting to be given an active role in case one of those AVFs fails.

Note: DS2 is in the Standby role, waiting to take over in case the AVG fails. It is the AVF for virtual forwarder number 1.

Note: DS3 has the lowest GLBP priority, so it stays in the Listen state, waiting for the active or standby AVG to fail. It is also the AVF for virtual forwarder number 3.

Verifying detailed GLBP information on the AVG:

DS1#show glbp
Vlan123 - Group 1
  State is Active
    2 state changes, last state change 00:14:46
  Virtual IP address is 192.168.1.1
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.948 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Authentication MD5, key-string "CCnp"
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 192.168.1.102, priority 150 (expires in 9.048 sec)
  Priority 200 (configured)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    cc05.13b4.0000 (192.168.1.102) authenticated
    cc06.13b4.0000 (192.168.1.103) authenticated
    cc07.13b4.0000 (192.168.1.101) local
  There are 3 forwarders (1 active)
  Forwarder 1
    State is Listen
      2 state changes, last state change 00:10:56
    MAC address is 0007.b400.0101 (learnt)
    Owner ID is cc05.13b4.0000
    Redirection enabled, 597.216 sec remaining (maximum 600 sec)
    Time to live: 14397.212 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 192.168.1.102 (primary), weighting 100 (expires in 7.204 sec)
  Forwarder 2
    State is Active
      1 state change, last state change 00:11:26
    MAC address is 0007.b400.0102 (default)
    Owner ID is cc07.13b4.0000
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100
  Forwarder 3
    State is Listen
    MAC address is 0007.b400.0103 (learnt)
    Owner ID is cc06.13b4.0000
    Redirection enabled, 597.416 sec remaining (maximum 600 sec)
    Time to live: 14397.416 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 192.168.1.103 (primary), weighting 100 (expires in 7.416 sec)

From this detail output we can gather the following essential info about this GLBP Group:

- Virtual IP of the group: 192.168.1.1
- GLBP timers
- Authentication type and the MD5 key-string, which appears here in clear text (as it does in the running configuration), so treat this output as sensitive
- Who is the Standby AVG and its priority
- Local priority and weighting
- Load balancing method
- Group members and their successful authentication within the group
- Info about all forwarders in the group and which forwarder numbers is allocated to the local router

The Owner ID of each forwarder is the real (burned-in) MAC address of the router that owns it. For DS1, the Owner ID cc07.13b4.0000 is the address of its own SVIs:
DS1#show mac-address-table address cc07.13b4.0000
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
cc07.13b4.0000          Self          1     Vlan1
cc07.13b4.0000          Self        123     Vlan123

A. Round Robin

Now let's initiate some (ICMP) traffic from each of the PCs and observe the round robin method:

PC1#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

*Mar  1 02:43:53.619: IP ARP: creating incomplete entry for IP address: 192.168.1.1 interface FastEthernet0/0
*Mar  1 02:43:53.623: IP ARP: sent req src 192.168.1.10 cc04.13b4.0000,
                 dst 192.168.1.1 0000.0000.0000 FastEthernet0/0
*Mar  1 02:43:53.675: IP ARP: rcvd rep src 192.168.1.1 0007.b400.0101, dst 192.168.1.10 FastEthernet0/0

PC2#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

*Mar  1 02:44:03.967: IP ARP: creating incomplete entry for IP address: 192.168.1.1 interface FastEthernet0/0
*Mar  1 02:44:03.971: IP ARP: sent req src 192.168.1.20 cc09.0848.0000,
                 dst 192.168.1.1 0000.0000.0000 FastEthernet0/0
*Mar  1 02:44:04.031: IP ARP: rcvd rep src 192.168.1.1 0007.b400.0102, dst 192.168.1.20 FastEthernet0/0

PC3#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

*Mar  1 02:44:07.635: IP ARP: creating incomplete entry for IP address: 192.168.1.1 interface FastEthernet0/0
*Mar  1 02:44:07.639: IP ARP: sent req src 192.168.1.30 cc0a.0848.0000,
                 dst 192.168.1.1 0000.0000.0000 FastEthernet0/0
*Mar  1 02:44:07.667: IP ARP: rcvd rep src 192.168.1.1 0007.b400.0103, dst 192.168.1.30 FastEthernet0/0

B. Weighted

Let's create a loopback interface on DS1 and, under interface vlan 123, configure GLBP to track it and decrement the weight value when it goes down:
DS1(config)#interface loopback 1000
*Mar  1 03:12:43.175: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1000, changed state to up

DS1(config)#track 500 interface loopback 1000 line-protocol

DS1(config-if)#glbp 1 weighting 100 lower 80 upper 90
DS1(config-if)#glbp 1 weighting track 500 decrement 30


This configuration on DS1 essentially says:
“Start with a weight value of 100.
If Loopback 1000 goes down, decrement the weight by 30.
If the weight falls below 80, this router is no longer allowed to be an AVF.
Once the weight has fallen below 80, do not allow the router to become an AVF again until the weight is at least 90.”
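The lower/upper pair is a hysteresis band, and the lab only exercises one tracked object, so it is worth seeing the rule with two. The Python below is an added example, not code from the original post or from Cisco IOS: it models the weighting, threshold and track/decrement commands described above and replays the Loopback 1000 scenario, then a second constructed scenario with two tracked objects where the weight passes through 85 on the way down (still allowed) and again on the way up (not yet allowed). The "at or above the upper threshold" test is taken from the page's own default output, where weight 100 with upper 100 is still an AVF; the default decrement of 10 and the track object numbers are assumptions of this example.

```python
class GlbpWeighting:
    """Model of 'glbp <grp> weighting <max> [lower <l>] [upper <u>]' plus
    'glbp <grp> weighting track <obj> [decrement <d>]' on one router."""

    def __init__(self, maximum=100, lower=1, upper=None):
        if not 1 <= maximum <= 254:
            raise ValueError("maximum weighting must be 1-254")
        self.maximum = maximum
        self.lower = lower
        # IOS default seen on this page: upper threshold equals the maximum.
        self.upper = maximum if upper is None else upper
        if not 1 <= self.lower <= self.upper <= self.maximum:
            raise ValueError("need 1 <= lower <= upper <= maximum")
        self.tracks = {}          # object number -> [decrement, is_up]
        self.avf_allowed = True   # starts at full weight, so eligible

    def track(self, obj, decrement=10):   # decrement default assumed here
        self.tracks[obj] = [decrement, True]

    @property
    def weight(self):
        """Current weight: maximum minus every decrement whose object is down."""
        return self.maximum - sum(d for d, up in self.tracks.values() if not up)

    def set_state(self, obj, up):
        """Apply a track state change and return whether the router may be an AVF.
        Hysteresis: lose the role below 'lower', regain it only at/above 'upper'."""
        self.tracks[obj][1] = up
        w = self.weight
        if self.avf_allowed and w < self.lower:
            self.avf_allowed = False
        elif not self.avf_allowed and w >= self.upper:
            self.avf_allowed = True
        return self.avf_allowed


def lab_scenario():
    """DS1 from this post: weighting 100 lower 80 upper 90, track 500 decrement 30."""
    w = GlbpWeighting(maximum=100, lower=80, upper=90)
    w.track(500, decrement=30)
    return [
        ("Lo1000 down", w.set_state(500, False), w.weight),
        ("Lo1000 up", w.set_state(500, True), w.weight),
    ]


def hysteresis_scenario():
    """Constructed: two tracked objects of 15 each, same 80/90 band."""
    w = GlbpWeighting(maximum=100, lower=80, upper=90)
    w.track(501, decrement=15)
    w.track(502, decrement=15)
    steps = []
    for obj, up in ((501, False), (502, False), (501, True), (502, True)):
        allowed = w.set_state(obj, up)
        steps.append((w.weight, allowed))
    return steps


if __name__ == "__main__":
    print(lab_scenario())          # [('Lo1000 down', False, 70), ('Lo1000 up', True, 100)]
    print(hysteresis_scenario())   # [(85, True), (70, False), (85, False), (100, True)]
```

The second scenario is the reason the two thresholds exist: a link that flaps between 85 and 70 would otherwise toggle the AVF role every few seconds, and each toggle moves a virtual MAC between routers.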

Before shutting down Loopback 1000:

DS1#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Vl123       1    -   200 Active   192.168.1.1     local           192.168.1.102
Vl123       1    1   -   Listen   0007.b400.0101  192.168.1.102   -
Vl123       1    2   -   Active   0007.b400.0102  local           -
Vl123       1    3   -   Listen   0007.b400.0103  192.168.1.103   -

Shutting down Loopback 1000 on DS1:

DS1(config)#interface loopback 1000
DS1(config-if)#shutdown

DS1(config-if)#
*Mar  1 03:28:03.779: %TRACKING-5-STATE: 500 interface Lo1000 line-protocol Up->Down
DS1(config-if)#
*Mar  1 03:28:05.779: %LINK-5-CHANGED: Interface Loopback1000, changed state to administratively down
*Mar  1 03:28:06.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1000, changed state to down
*Mar  1 03:28:34.283: %GLBP-6-FWDSTATECHANGE: Vlan123 Grp 1 Fwd 2 state Active -> Listen

DS1#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Vl123       1    -   200 Active   192.168.1.1     local           192.168.1.102
Vl123       1    1   -   Listen   0007.b400.0101  192.168.1.102   -
Vl123       1    2   -   Listen   0007.b400.0102  192.168.1.103   -
Vl123       1    3   -   Listen   0007.b400.0103  192.168.1.103   -

The forwarder change arrived about 30 seconds after the track object went down, consistent with the forwarder preemption min delay of 30 sec shown in show glbp, and Fwd 2 is now active on DS3 (192.168.1.103), which holds two forwarders until DS1 recovers. On DS1 the weight value has been decremented to 70 and is flagged as low:
DS1#show glbp
Vlan123 - Group 1
  State is Active
    2 state changes, last state change 01:21:54
  Virtual IP address is 192.168.1.1
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.540 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Authentication MD5, key-string "CCnp"
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 192.168.1.102, priority 150 (expires in 7.372 sec)
  Priority 200 (configured)
  Weighting 70, low (configured 100), thresholds: lower 80, upper 90
    Track object 500 state Down decrement 30

If we re-enable interface Loopback 1000, DS1 becomes Active for Fwd2 again:

DS1(config)#interface loopback 1000
DS1(config-if)#no shutdown

DS1(config-if)#
*Mar  1 03:35:53.691: %TRACKING-5-STATE: 500 interface Lo1000 line-protocol Down->Up
DS1(config-if)#
*Mar  1 03:35:55.691: %LINK-3-UPDOWN: Interface Loopback1000, changed state to up
*Mar  1 03:35:56.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1000, changed state to up
DS1(config-if)#
*Mar  1 03:36:29.567: %GLBP-6-FWDSTATECHANGE: Vlan123 Grp 1 Fwd 2 state Listen -> Active

DS1#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Vl123       1    -   200 Active   192.168.1.1     local           192.168.1.102
Vl123       1    1   -   Listen   0007.b400.0101  192.168.1.102   -
Vl123       1    2   -   Active   0007.b400.0102  local           -
Vl123       1    3   -   Listen   0007.b400.0103  192.168.1.103   -

DS1#show glbp
Vlan123 - Group 1
  State is Active
    2 state changes, last state change 01:25:18
  Virtual IP address is 192.168.1.1
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.712 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Authentication MD5, key-string "CCnp"
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 192.168.1.102, priority 150 (expires in 9.552 sec)
  Priority 200 (configured)
  Weighting 100 (configured 100), thresholds: lower 80, upper 90
    Track object 500 state Up decrement 30

Now, let's say we manually configure the weight value on each router and set the Weighted load balancing method on all of them.

DS1(config)#no track 500 interface loopback 1000 line-protocol
DS1(config)#interface vlan 123
DS1(config-if)#no glbp 1 weighting 100 lower 80 upper 90
DS1(config-if)#no glbp 1 weighting track 500 decrement 30
DS1(config-if)#glbp 1 weighting 200
DS1(config-if)#glbp 1 load-balancing weighted

DS2(config)#interface vlan 123
DS2(config-if)#glbp 1 weighting 150
DS2(config-if)#glbp 1 load-balancing weighted


DS3(config)#interface vlan 123
DS3(config-if)#glbp 1 weighting 125
DS3(config-if)#glbp 1 load-balancing weighted

DS1#show glbp | i Weighting

  Weighting 200 (configured 200), thresholds: lower 1, upper 200

DS2#show glbp | i Weighting
  Weighting 150 (configured 150), thresholds: lower 1, upper 150

DS3#show glbp | i Weighting
  Weighting 125 (configured 125), thresholds: lower 1, upper 125

Reminder: A higher weighting results in more frequent ARP replies containing the virtual MAC address of that router. If interface tracking is not configured, the maximum weighting value configured is used to set the relative proportions among AVFs.

With only three hosts, each sending a single ARP request, the 200:150:125 proportions cannot be observed; it takes many ARP requests from many clients (a traffic generator, or repeated clear arp and ping cycles on the PCs) before the share of replies carrying each virtual MAC approaches the weighting ratio.
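Since the lab cannot generate enough ARP requests to show the proportions, here is a simulation of the AVG's choice for the three methods defined earlier in this post (round robin, weighted, host dependent), using the lab's three forwarders and weightings. This Python is an added example, not code from the original post or Cisco's implementation: the exact algorithms IOS uses are not documented on the page, so the weighted scheduler here is a "furthest behind its fair share" pick that reproduces the intended proportions, and the host-dependent mapping hashes the client MAC, which is this example's own stand-in for whatever the AVG really does. Client MACs are constructed.

```python
import hashlib
from collections import Counter

# From the lab: forwarder number -> (virtual MAC, weighting)
LAB_AVFS = {
    1: ("0007.b400.0101", 200),
    2: ("0007.b400.0102", 150),
    3: ("0007.b400.0103", 125),
}


class Avg:
    """Toy AVG: decides which virtual MAC goes into each ARP reply."""

    def __init__(self, avfs, method="round-robin"):
        self.vmac = {f: m for f, (m, _) in avfs.items()}
        self.weight = {f: w for f, (_, w) in avfs.items()}
        self.active = {f: True for f in avfs}
        self.method = method
        self.rr_index = 0
        self.served = Counter()       # replies handed out per forwarder
        self.client_cache = {}        # host-dependent: client MAC -> forwarder

    def set_active(self, fwd, up):
        """Mark a forwarder usable or not (e.g. its AVF lost the role)."""
        self.active[fwd] = up

    def answer_arp(self, client_mac):
        """Return the forwarder number whose vMAC is placed in the ARP reply."""
        active = sorted(f for f in self.active if self.active[f])
        if not active:
            return None
        if self.method == "round-robin":
            fwd = active[self.rr_index % len(active)]
            self.rr_index += 1
        elif self.method == "weighted":
            # Pick the AVF that has received the smallest share relative to its weight.
            fwd = min(active, key=lambda f: (self.served[f] / self.weight[f], f))
        elif self.method == "host-dependent":
            fwd = self.client_cache.get(client_mac)
            if fwd is None or not self.active[fwd]:
                # Assumed mapping: stable hash of the client MAC over the active AVFs.
                digest = hashlib.sha256(client_mac.encode()).digest()
                fwd = active[int.from_bytes(digest[:4], "big") % len(active)]
                self.client_cache[client_mac] = fwd
        else:
            raise ValueError(f"unknown method {self.method}")
        self.served[fwd] += 1
        return fwd


def simulate(method, n_requests, avfs=LAB_AVFS):
    """Send one ARP request from each of n_requests distinct (constructed) clients."""
    avg = Avg(avfs, method)
    counts = Counter()
    for i in range(n_requests):
        counts[avg.answer_arp(f"cc00.0000.{i:04x}")] += 1
    return counts


def share(counts):
    """Fraction of replies per forwarder."""
    total = sum(counts.values())
    return {f: c / total for f, c in sorted(counts.items())}


if __name__ == "__main__":
    print("round-robin", dict(simulate("round-robin", 3)))
    print("weighted   ", share(simulate("weighted", 4750)))
    hd = Avg(LAB_AVFS, "host-dependent")
    print("host-dep   ", [hd.answer_arp("cc04.13b4.0000") for _ in range(3)])
```

With 4750 requests the weighted shares land on 200/475, 150/475 and 125/475; with three requests round robin hands out one vMAC each, exactly as the debug output in section A shows. The host-dependent case also shows the failure mode to keep in mind: a client only gets a new vMAC when its cached forwarder is no longer active, so a sick but still active AVF keeps its clients.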

C. Host dependent

Note: Cisco IOS Release 12.4T is needed for being able to issue commands related to host dependent load balancing (glbp client-cache maximum, show glbp detail, show glbp client-cache).

DS1(config)#interface vlan 123
DS1(config-if)#no glbp 1 weighting 200
DS1(config-if)#no glbp 1 load-balancing weighted
DS1(config-if)#glbp 1 load-balancing host-dependent

DS2(config)#interface vlan 123
DS2(config-if)#no glbp 1 weighting 150
DS2(config-if)#no glbp 1 load-balancing weighted
DS2(config-if)#glbp 1 load-balancing host-dependent

DS3(config)#interface vlan 123
DS3(config-if)#no glbp 1 weighting 125
DS3(config-if)#no glbp 1 load-balancing weighted
DS3(config-if)#glbp 1 load-balancing host-dependent


DS1#show glbp | i Load balancing
  Load balancing: host-dependent

DS2#show glbp | i Load balancing
  Load balancing: host-dependent
 
DS3#show glbp | i Load balancing
  Load balancing: host-dependent
 
After replacing the previous IOS image with a 12.4T one and reloading all the GLBP configs:

DS1#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Vl123       1    -   200 Active   192.168.1.1     local           192.168.1.102
Vl123       1    1   -   Active   0007.b400.0101  local           -
Vl123       1    2   -   Listen   0007.b400.0102  192.168.1.102   -
Vl123       1    3   -   Listen   0007.b400.0103  192.168.1.103   -

DS2#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Vl123       1    -   150 Standby  192.168.1.1     192.168.1.101   local
Vl123       1    1   -   Listen   0007.b400.0101  192.168.1.101   -
Vl123       1    2   -   Active   0007.b400.0102  local           -
Vl123       1    3   -   Listen   0007.b400.0103  192.168.1.103   -

DS3#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Vl123       1    -   100 Listen   192.168.1.1     192.168.1.101   192.168.1.102
Vl123       1    1   -   Listen   0007.b400.0101  192.168.1.101   -
Vl123       1    2   -   Listen   0007.b400.0102  192.168.1.102   -
Vl123       1    3   -   Active   0007.b400.0103  local           -

The GLBP client cache contains information about network hosts that are using a GLBP group as the default gateway.

DS1#show glbp detail | i Load balancing
  Load balancing: host-dependent

Let's configure the client-cache parameters on DS1, the AVG, since that is the router that answers ARP and keeps the cache:
DS1(config)#interface vlan 123
DS1(config-if)#glbp 1 client-cache maximum 10 timeout 5

We will issue some pings from the PCs and see how the AVG populates the GLBP client-cache:

PC1#clear arp
PC1#ping 1.2.3.4

PC2#clear arp
PC2#ping 3.3.3.4

PC3#clear arp
PC3#ping 4.4.4.5

DS1#show glbp client-cache

Vlan123 - Group 1
  Group clients within timeout:
    Forwarder 1 clients:
      None
    Forwarder 2 clients:
      cc09.15b8.0000   192.168.1.20          Age: 00:00:05.112  Updates: 1
    Forwarder 3 clients:
      cc04.0ec8.0000   192.168.1.10          Age: 00:00:57.728  Updates: 2
      cc0a.15b8.0000   192.168.1.30          Age: 00:00:30.364  Updates: 2

As of now, PC1 and PC3 will receive ARP replies only from Fwd3 and PC2 will receive ARP replies only from Fwd2.
The AVG assigned Fwd3 as a gateway for PCs 1 and 3, and Fwd2 as a gateway for PC2.
 
Reminder: Each client that generates an ARP request for the virtual router address always receives the same virtual MAC address in reply.

Note: More info about host dependent load balancing can be found at:
http://cisco-discussions.blogspot.ro/2013/09/cisco-gateway-load-balancing-protocol.html
http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t15/tglbpcca.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/12-4/fhp-12-4-book/fhp-glbp.html#GUID-59CCB67D-8453-46D7-8FD7-6C53DF3890C9
Note: If you encounter the following error when modifying the VLAN database, erasing the flash resolves it:

% not enough space on flash to store vlan database. trying squeeze...First create squeeze log by erasing the entire device

% error squeezing flash - (Missing or corrupted log)
Error on database apply 40: NV storage failure
Use 'abort' command to exit


AS1(vlan)#abort
Aborting....

AS1#erase flash:
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete 

Note: Although we reload the switches whenever we want new default configs, the VLAN and VTP information is still present.
The reason is that this VLAN and VTP information is actually kept in the VLAN.DAT file in Flash memory, and the contents of Flash are kept on a reload. The file has to be deleted manually. 
More info at: http://www.mcmcse.com/cisco/guides/vlandat.shtml

Thursday, May 22, 2014

CCNP SWITCH: 7. Virtual Router Redundancy Protocol (VRRP)

VRRP provides one redundant gateway address from a group of routers.
The active router is called the master router, whereas all others are in the backup state.
The master router is the one with the highest router priority in the VRRP group (ties are broken by the highest IP address).

VRRP group numbers range from 0 to 255; router priorities range from 1 to 254. (254 is the highest, 100 is the default.)

The virtual router MAC address is of the form 0000.5e00.01xx, where xx is a two-digit hex VRRP group number.

VRRP advertisements are sent at 1-second intervals.

By default, all VRRP routers are configured to preempt the current master router if their priorities are greater.

Note: VRRP has no interface tracking of its own (unlike HSRP's standby track interface). On Cisco IOS it can still follow an interface through the object tracking feature, in the same way as the GLBP weighting track above: track object-number interface type mod/num line-protocol, then vrrp group track object-number [decrement value] on the VRRP interface.

Note: VRRP sends its advertisements to the multicast destination address 224.0.0.18 (VRRP).

In our topology, let's consider switches AS1, AS2, DS1 and DS2. The distribution switches will have VRRP configured.

All unused interfaces on AS1, AS2, DS1 and DS2 should be shut down.
All unused switches should be shut down.

This is a simplified image of the topology we are going to use for this lab:


PC1 and PC2 (which are routers) will have IP addresses configured and point to the VRRP group addresses as default gateways.

PC1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.10    YES manual up                    up     

PC1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

PC2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.2.10    YES manual up                    up     

PC2(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.1

We should first configure the L2 (trunk) links between access and distribution switches.
The DS1-DS2 will be a L3 link.

AS1:

!
interface FastEthernet1/2
 switchport mode trunk
!
interface FastEthernet1/3
!
interface FastEthernet1/4
 switchport mode trunk
!

AS2:

!
interface FastEthernet1/3
 switchport mode trunk
!
interface FastEthernet1/4
 switchport mode trunk
!

DS1:

!
interface FastEthernet1/2
 switchport mode trunk
!
interface FastEthernet1/4
 switchport mode trunk
!
interface FastEthernet1/1
 no switchport
 ip address 192.168.0.1 255.255.255.0
!

DS2:

!
interface FastEthernet1/3
 switchport mode trunk
!
interface FastEthernet1/4
 switchport mode trunk
!
interface FastEthernet1/1
 no switchport
 ip address 192.168.0.2 255.255.255.0
!

Let's create the VLANs on each access switch and assign the PC ports to the VLANs:

AS1#vlan database
AS1(vlan)#vlan 10
      
VLAN 10 added:
    Name: VLAN0010
AS1(vlan)#exit
APPLY completed.
Exiting...
AS1(config)#interface fastEthernet 1/15
AS1(config-if)#switchport mode access
AS1(config-if)#switchport access vlan 10


AS2#vlan database
AS2(vlan)#vlan 20

VLAN 20 added:
    Name: VLAN0020
AS2(vlan)#exit
APPLY completed.
Exiting....
AS2(config)#interface fastEthernet 1/15
AS2(config-if)#switchport mode access
AS2(config-if)#switchport access vlan 20


Let's create the same VLANs on the distribution switches:

DS1#vlan database
DS1(vlan)#vlan 10

VLAN 10 added:
    Name: VLAN0010
DS1(vlan)#vlan 20
VLAN 20 added:
    Name: VLAN0020
DS1(vlan)#exit
APPLY completed.
Exiting....

DS2#vlan database
DS2(vlan)#vlan 10

VLAN 10 added:
    Name: VLAN0010
DS2(vlan)#vlan 20
VLAN 20 added:
    Name: VLAN0020
DS2(vlan)#exit
APPLY completed.
Exiting....

Note: VRRP can use a router's physical interface address as the virtual IP, saving an address. That router is then the address owner, runs with priority 255 and is master whenever its interface is up; the Own column of show vrrp brief flags this.

Configuring VRRP on DS1 (will be Master for VLAN 10 and Backup for VLAN 20):

DS1(config)#interface vlan 10
DS1(config-if)#ip address 192.168.1.100 255.255.255.0
DS1(config-if)#vrrp 1 priority 150
DS1(config-if)#vrrp 1 ip 192.168.1.1
DS1(config-if)#vrrp 1 authentication md5 key-string CCnp


DS1(config)#interface vlan 20
DS1(config-if)#ip address 192.168.2.100 255.255.255.0
DS1(config-if)#no vrrp 2 preempt
DS1(config-if)#vrrp 2 priority 100
DS1(config-if)#vrrp 2 ip 192.168.2.1
DS1(config-if)#vrrp 2 authentication md5 key-string CCnp


Configuring VRRP on DS2 (will be Master for VLAN 20 and Backup for VLAN 10):

DS2(config)#interface vlan 10
DS2(config-if)#ip address 192.168.1.101 255.255.255.0
DS2(config-if)#no vrrp 1 preempt
DS2(config-if)#vrrp 1 priority 100
DS2(config-if)#vrrp 1 ip 192.168.1.1
DS2(config-if)#vrrp 1 authentication md5 key-string CCnp

DS2(config)#interface vlan 20
DS2(config-if)#ip address 192.168.2.101 255.255.255.0
DS2(config-if)#vrrp 2 priority 150
DS2(config-if)#vrrp 2 ip 192.168.2.1
DS2(config-if)#vrrp 2 authentication md5 key-string CCnp


Verifying VRRP - we can confirm our configurations with the following commands:

DS1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   150 3414       Y  Master  192.168.1.100   192.168.1.1
Vl20               2   100 3609          Backup  192.168.2.101   192.168.2.1

DS2#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   100 3609          Backup  192.168.1.100   192.168.1.1
Vl20               2   150 3414       Y  Master  192.168.2.101   192.168.2.1

DS1#show vrrp all
Vlan10 - Group 1
  State is Master
  Virtual IP address is 192.168.1.1
  Virtual MAC address is 0000.5e00.0101

  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 150
  Authentication MD5, key-string "CCnp"
  Master Router is 192.168.1.100 (local), priority is 150
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.414 sec

Vlan20 - Group 2
  State is Backup
  Virtual IP address is 192.168.2.1
  Virtual MAC address is 0000.5e00.0102

  Advertisement interval is 1.000 sec
  Preemption disabled
  Priority is 100
  Authentication MD5, key-string "CCnp"
  Master Router is 192.168.2.101, priority is 150
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.001 sec)
 
DS2#show vrrp all
Vlan10 - Group 1
  State is Backup
  Virtual IP address is 192.168.1.1
  Virtual MAC address is 0000.5e00.0101

  Advertisement interval is 1.000 sec
  Preemption disabled
  Priority is 100
  Authentication MD5, key-string "CCnp"
  Master Router is 192.168.1.100, priority is 150
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 2.741 sec)

Vlan20 - Group 2
  State is Master
  Virtual IP address is 192.168.2.1
  Virtual MAC address is 0000.5e00.0102

  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 150
  Authentication MD5, key-string "CCnp"
  Master Router is 192.168.2.101 (local), priority is 150
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.414 sec

As configured, DS1 will be Master for Group 1 and Backup for Group 2. DS2 will have reversed roles.
The virtual IPs are the ones PC1 and PC2 point to as default gateways.

Now, when the PCs are trying to reach an unknown destination, they will ask their configured default gateways to help them reach their targets.

Reminder: The host recognizes that all packets destined off-net must be sent to the gateway’s MAC address rather than the far end’s MAC address.
Therefore, the host first sends an ARP request to find the gateway’s MAC address. Then packets can be relayed to the gateway directly without having to look for ARP entries for individual destinations.

The virtual gateways respond to the host's ARP request with their virtual MAC (VMAC), as expected:

PC1#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

*Mar  1 01:37:12.547: IP ARP: creating incomplete entry for IP address: 192.168.1.1 interface FastEthernet0/0
*Mar  1 01:37:12.551: IP ARP: sent req src 192.168.1.10 cc04.13b4.0000,
                 dst 192.168.1.1 0000.0000.0000 FastEthernet0/0
*Mar  1 01:37:12.603: IP ARP: rcvd rep src 192.168.1.1 0000.5e00.0101, dst 192.168.1.10 FastEthernet0/0.....
Success rate is 0 percent (0/5)

PC2#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

*Mar  1 00:01:01.003: IP ARP: creating incomplete entry for IP address: 192.168.2.1 interface FastEthernet0/0
*Mar  1 00:01:01.007: IP ARP: sent req src 192.168.2.10 cc09.0848.0000,
                 dst 192.168.2.1 0000.0000.0000 FastEthernet0/0
*Mar  1 00:01:01.055: IP ARP: rcvd rep src 192.168.2.1 0000.5e00.0102, dst 192.168.2.10 FastEthernet0/0.....
Success rate is 0 percent (0/5)

Now, let's say that we want VRRP to track an interface and if that interface gets shutdown for any reason to delegate the other VRRP router as Master for a particular group.
For this, we will create a loopback interface on DS1, which is the Master router for VRRP Group 1.
DS1 is Master because it has a VRRP priority of 150 for Group 1, compared to the default of 100 configured on DS2 for that same group.
So, in order to appoint DS2 as Master when the interface fails, DS1 must lower its priority by more than the difference between them (50), so that it ends up strictly below DS2's 100. With equal priorities VRRP falls back to the higher interface IP address (DS2's 192.168.1.101 would win here), but relying on that tie-break is fragile, so we decrement by 51.

DS1(config)#interface loopback 1000
DS1(config-if)#
*Mar  1 01:48:14.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1000, changed state to up

DS1 is still Master for Group 1:
DS1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   150 3414       Y  Master  192.168.1.100   192.168.1.1
Vl20               2   100 3609          Backup  192.168.2.101   192.168.2.1

DS2#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   100 3609          Backup  192.168.1.100   192.168.1.1
Vl20               2   150 3414       Y  Master  192.168.2.101   192.168.2.1

DS1(config)#track 500 interface loopback 1000 line-protocol
DS1(config)#interface vlan 10
DS1(config-if)#vrrp 1 track 500 decrement 51


Now, if the interface fails, DS1's priority for Group 1 will drop to 150-51=99, below DS2's 100, so DS2 should take over and DS1 should become Backup for that group as well.

DS1(config)#interface loopback 1000
DS1(config-if)#shutdown

DS1(config-if)#
*Mar  1 01:52:38.123: %TRACKING-5-STATE: 500 interface Lo1000 line-protocol Up->Down
DS1(config-if)#
*Mar  1 01:52:40.123: %LINK-5-CHANGED: Interface Loopback1000, changed state to administratively down
*Mar  1 01:52:41.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1000, changed state to down

DS1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   99  3414       Y  Master  192.168.1.100   192.168.1.1
Vl20               2   100 3609          Backup  192.168.2.101   192.168.2.1

DS1's priority was indeed decreased from 150 to 99, but it is still the Master router for Group 1.
This is because we configured DS2 with the "DS2(config-if)#no vrrp 1 preempt" command for this group (VRRP preemption is on by default, so it had to be disabled explicitly; the empty Pre column for DS2's Vl10 shows this). Without preemption, a Backup with a better priority never takes the role away from a live Master.

Let's configure preemption on DS2:

DS2(config)#interface vlan 10
DS2(config-if)#vrrp 1 preempt

*Mar  1 01:57:41.511: %VRRP-6-STATECHANGE: Vl10 Grp 1 state Backup -> Master

Now DS1 is Backup for both groups:

DS1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   99  3414       Y  Backup  192.168.1.101   192.168.1.1
Vl20               2   100 3609          Backup  192.168.2.101   192.168.2.1

DS2#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   100 3609       Y  Master  192.168.1.101   192.168.1.1
Vl20               2   150 3414       Y  Master  192.168.2.101   192.168.2.1

If the interface comes back UP, DS1 automatically becomes Master for Group 1, since it already has preemption enabled for this group.

DS1(config)#interface loopback 1000
DS1(config-if)#no shutdown

DS1(config-if)#
*Mar  1 01:59:35.967: %TRACKING-5-STATE: 500 interface Lo1000 line-protocol Down->Up
DS1(config-if)#
*Mar  1 01:59:37.963: %LINK-3-UPDOWN: Interface Loopback1000, changed state to up
DS1(config-if)#
*Mar  1 01:59:38.791: %VRRP-6-STATECHANGE: Vl10 Grp 1 state Backup -> Master
DS1(config-if)#
*Mar  1 01:59:38.963: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1000, changed state to up

DS1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   150 3414       Y  Master  192.168.1.100   192.168.1.1
Vl20               2   100 3609          Backup  192.168.2.101   192.168.2.1

DS2#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   100 3609       Y  Backup  192.168.1.100   192.168.1.1
Vl20               2   150 3414       Y  Master  192.168.2.101   192.168.2.1

Note: VRRP is an open standard protocol (VRRPv2 is RFC 3768), unlike HSRP which is Cisco proprietary.


Note: If, when modifying the vlan database, you encounter the following error, you can erase the flash to resolve it. Be aware that "erase flash:" removes every file on that filesystem; on a real switch that normally includes the IOS image, so confirm where the image lives before doing this outside a lab:

% not enough space on flash to store vlan database. trying squeeze...First create squeeze log by erasing the entire device

% error squeezing flash - (Missing or corrupted log)
Error on database apply 40: NV storage failure
Use 'abort' command to exit


AS1(vlan)#abort
Aborting....

AS1#erase flash:
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete 

Note: Although we reload the switches whenever we want new default configs, the VLAN and VTP information is still present.
The reason is that this VLAN and VTP information is actually kept in the VLAN.DAT file in Flash memory, and the contents of Flash are kept on a reload. The file has to be deleted manually. 
More info at: http://www.mcmcse.com/cisco/guides/vlandat.shtml


Wednesday, May 21, 2014

CCNP SWITCH: 6. Hot Standby Router Protocol (HSRP)

A host identifies its nearest router, also known as the default gateway or next hop, by its IP address.
The host recognizes that all packets destined off-net must be sent to the gateway’s MAC address rather than the far end’s MAC address.
Therefore, the host first sends an ARP request to find the gateway’s MAC address. Then packets can be relayed to the gateway directly without having to look for ARP entries for individual destinations.

Each of the routers that provides redundancy for a given gateway address is assigned to a common HSRP group.
One router is elected as the primary, or active, HSRP router; another is elected as the standby HSRP router; and all the others remain in the listen HSRP state.
The routers exchange HSRP hello messages at regular intervals so that they can remain aware of each other’s existence and that of the active router.

Note: HSRP version 1 sends its hello messages to the multicast destination 224.0.0.2 ("all routers") on UDP port 1985; HSRP version 2 uses 224.0.0.102 instead.

HSRP Router Election

HSRP election is based on a priority value (0 to 255) that is configured on each router in the group. By default, the priority is 100. The router with the highest priority value (255 is highest) becomes the active router for the group.
If all router priorities are equal or set to the default value, the router with the highest IP address on the HSRP interface becomes the active router.

To set the priority, use the following interface configuration command:
Switch(config-if)# standby group priority priority

Devices participating in HSRP must progress their interfaces through the following state sequence:
1. Disabled
2. Init
3. Listen
4. Speak
5. Standby
6. Active

Note: Only the standby (the one with the second-highest priority) router monitors the hello messages from the active router.
By default, hellos are sent every 3 seconds. If hellos are missed for the duration of the holdtime timer (default 10 seconds, or three times the hello timer), the active router is presumed to be down. The standby router is then clear to assume the active role.

If you decide to change the timers on a router, you should change them identically on all routers in the HSRP group.
Switch(config-if)# standby group timers [msec] hello [msec] holdtime

You can configure a router to preempt or immediately take over the active role if its priority is the highest at any time.
Use the following interface configuration command to allow preemption:
Switch(config-if)# standby group preempt [delay [minimum seconds] [reload seconds]]

By default, the local router immediately can preempt another router that has the active role.
To delay the preemption, use the delay keyword followed by one or both of the following parameters:

- Add the minimum keyword to force the router to wait the given number of seconds (0 to 3600) before attempting to overthrow an active router with a lower priority.
This delay time begins as soon as the router is capable of assuming the active role, such as after an interface comes up or after HSRP is configured.

- Add the reload keyword to force the router to wait the given number of seconds (0 to 3600) after it has been reloaded or restarted.
This is handy if there are routing protocols that need time to converge. The local router should not become the active gateway before its routing table is fully populated.

HSRP also can use an authentication method to prevent unexpected devices from spoofing or participating in HSRP.
All routers in the same standby group must have an identical authentication method and key.
Keep in mind that the plain-text string is carried unencrypted in every hello, so it only guards against accidental group overlap; anyone who can sniff the segment can read it. Use MD5 authentication wherever the peers support it.

Plain-Text HSRP Authentication
Switch(config-if)# standby group authentication string

MD5 Authentication
Switch(config-if)# standby group authentication md5 key-string [0 | 7] string

Alternatively, you can define an MD5 key string as a key on a key chain:
Switch(config)# key chain chain-name
Switch(config-keychain)# key key-number
Switch(config-keychain-key)# key-string [0 | 7] string
Switch(config)# interface type mod/num
Switch(config-if)# standby group authentication md5 key-chain chain-name
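To make the authentication caveat concrete, here is an added example (not from the original post and not Cisco code) that builds and decodes an HSRP version 1 packet using the RFC 2281 layout. The packet is constructed to match DS1's configuration on this page (group 1, priority 200, authentication "CCnp", virtual IP 192.168.1.1); nothing was captured from the lab. The constants and function names are this example's own.

```python
"""Build and decode an HSRP version 1 packet (RFC 2281 layout).

Added example, not part of the original lab. The packet is constructed to
match DS1 on this page (group 1, priority 200, auth "CCnp", VIP 192.168.1.1).
"""
import struct
import ipaddress

# 20-byte HSRP v1 header: version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte auth data, 4-byte virtual IP.
HSRP_V1_LAYOUT = "!BBBBBBBB8s4s"
HSRP_UDP_PORT = 1985          # HSRP v1 travels in UDP to 224.0.0.2
HSRP_V1_MCAST = "224.0.0.2"

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


def build_hello(group, priority, auth, vip, state=16, hellotime=3, holdtime=10):
    """Build an HSRP v1 Hello as a router puts it on the wire (version field is 0)."""
    auth_field = auth.encode("ascii")[:8].ljust(8, b"\x00")   # 8 bytes, zero padded
    return struct.pack(HSRP_V1_LAYOUT, 0, 0, state, hellotime, holdtime,
                       priority, group, 0, auth_field,
                       ipaddress.IPv4Address(vip).packed)


def parse_hello(payload):
    """Decode an HSRP v1 packet into a dict; raises ValueError on malformed input."""
    size = struct.calcsize(HSRP_V1_LAYOUT)
    if len(payload) < size:
        raise ValueError("too short for HSRP v1 (%d bytes)" % len(payload))
    (version, opcode, state, hellotime, holdtime, priority, group, _reserved,
     auth_field, vip) = struct.unpack(HSRP_V1_LAYOUT, payload[:size])
    if version != 0:
        raise ValueError("not HSRP version 1 (version field %d)" % version)
    return {
        "opcode": OPCODES.get(opcode, "unknown(%d)" % opcode),
        "state": STATES.get(state, "unknown(%d)" % state),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        # The plain-text authentication string sits here, readable by any sniffer.
        "auth": auth_field.rstrip(b"\x00").decode("ascii", errors="replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }


if __name__ == "__main__":
    pkt = build_hello(group=1, priority=200, auth="CCnp", vip="192.168.1.1")
    print("raw bytes:", pkt.hex())
    for k, v in parse_hello(pkt).items():
        print("%-11s %s" % (k, v))
```

Running it shows the string "CCnp" sitting verbatim in the 8-byte authentication field, which is why plain-text authentication gives no protection against a host on the same VLAN that can read hellos.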

When a specific interface is tracked, HSRP reduces the router’s priority by a configurable amount as soon as the interface goes down.
If more than one interface is tracked, the priority is reduced even more with each failed interface. The priority is incremented by the same amount as interfaces come back up.
To configure interface tracking, use the following interface configuration command:
Switch(config-if)# standby group track type mod/num [decrement-value]

Note: By default, the decrement value for an interface is 10.

Load balancing traffic across two uplinks to two HSRP routers with a single HSRP group is not possible.
The trick to load balance with HSRP is to use two HSRP groups:
- One group assigns an active router to one switch.
- The other group assigns another active router to the other switch.

Note: The clients or end users also must have their default gateway addresses configured as one of the two virtual HSRP group addresses.

In our topology, let's consider switches AS1, AS2, DS1 and DS2. The distribution switches will have HSRP with load balancing (or Multiple HSRP, MHSRP) configured.

All unused interfaces on AS1, AS2, DS1, DS2 should be shutdown.
All unused switches should be shut down.

This is a simplified image of the topology we are going to use for this lab:


PC1 and PC2 (which are routers) will have IP addresses configured and point to the HSRP group addresses as default gateways.

PC1#show ip interface brief 
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.10    YES manual up                    up    

PC1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

PC2#show ip interface brief 
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.2.10    YES manual up                    up    

PC2(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.1

We should first configure the L2 (trunk) links between access and distribution switches.
The DS1-DS2 will be a L3 link.

AS1:

!
interface FastEthernet1/2
 switchport mode trunk
!
interface FastEthernet1/3
!
interface FastEthernet1/4
 switchport mode trunk
!

AS2:

!
interface FastEthernet1/3
 switchport mode trunk
!
interface FastEthernet1/4
 switchport mode trunk
!

DS1:

!
interface FastEthernet1/2
 switchport mode trunk
!
interface FastEthernet1/4
 switchport mode trunk
!
interface FastEthernet1/1
 no switchport
 ip address 192.168.0.1 255.255.255.0
!

DS2:

!
interface FastEthernet1/3
 switchport mode trunk
!
interface FastEthernet1/4
 switchport mode trunk
!
interface FastEthernet1/1
 no switchport
 ip address 192.168.0.2 255.255.255.0
!

Let's create the VLANs on each access switch and assign the PC ports to the VLANs:

AS1#vlan database
AS1(vlan)#vlan 10    
VLAN 10 added:
    Name: VLAN0010
AS1(vlan)#exit
APPLY completed.
Exiting...
AS1(config)#interface fastEthernet 1/15
AS1(config-if)#switchport mode access 
AS1(config-if)#switchport access vlan 10

AS2#vlan database 
AS2(vlan)#vlan 20
VLAN 20 added:
    Name: VLAN0020
AS2(vlan)#exit
APPLY completed.
Exiting....
AS2(config)#interface fastEthernet 1/15
AS2(config-if)#switchport mode access 
AS2(config-if)#switchport access vlan 20

Let's create the same VLANs on the distribution switches:

DS1#vlan database 
DS1(vlan)#vlan 10
VLAN 10 added:
    Name: VLAN0010
DS1(vlan)#vlan 20
VLAN 20 added:
    Name: VLAN0020
DS1(vlan)#exit
APPLY completed.
Exiting....

DS2#vlan database 
DS2(vlan)#vlan 10
VLAN 10 added:
    Name: VLAN0010
DS2(vlan)#vlan 20
VLAN 20 added:
    Name: VLAN0020
DS2(vlan)#exit
APPLY completed.
Exiting....

Configuring HSRP on DS1 (will be Active for VLAN 10 and Standby for VLAN 20):

DS1(config)#interface vlan 10
DS1(config-if)#ip address 192.168.1.100 255.255.255.0
DS1(config-if)#standby 1 ip 192.168.1.1
DS1(config-if)#standby 1 priority 200
DS1(config-if)#standby 1 preempt 
DS1(config-if)#standby 1 authentication CCnp

DS1(config)#interface vlan 20
DS1(config-if)#ip address 192.168.2.100 255.255.255.0
DS1(config-if)#standby 2 ip 192.168.2.1
DS1(config-if)#standby 2 authentication CCnp

Configuring HSRP on DS2 (will be Active for VLAN 20 and Standby for VLAN 10):

DS2(config)#interface vlan 10
DS2(config-if)#ip address 192.168.1.101 255.255.255.0
DS2(config-if)#standby 1 ip 192.168.1.1
DS2(config-if)#standby 1 authentication CCnp

DS2(config)#interface vlan 20
DS2(config-if)#ip address 192.168.2.101 255.255.255.0
DS2(config-if)#standby 2 ip 192.168.2.1
DS2(config-if)#standby 2 priority 101
DS2(config-if)#standby 2 preempt 
DS2(config-if)#standby 2 authentication CCnp

Verifying HSRP - we can confirm our configurations with the following commands:

DS1#show standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   200  P Active   local           192.168.1.101   192.168.1.1  
Vl20        2   100    Standby  192.168.2.101   local           192.168.2.1

DS2#show standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   100    Standby  192.168.1.100   local           192.168.1.1  
Vl20        2   101  P Active   local           192.168.2.100   192.168.2.1

DS1#show standby all 
Vlan10 - Group 1
  State is Active
    2 state changes, last state change 00:09:34
  Virtual IP address is 192.168.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.972 secs
  Authentication text "CCnp"
  Preemption enabled
  Active router is local
  Standby router is 192.168.1.101, priority 100 (expires in 9.908 sec)
  Priority 200 (configured 200)
  IP redundancy name is "hsrp-Vl10-1" (default)
Vlan20 - Group 2
  State is Standby
    4 state changes, last state change 00:02:17
  Virtual IP address is 192.168.2.1
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.128 secs
  Authentication text "CCnp"
  Preemption disabled
  Active router is 192.168.2.101, priority 101 (expires in 7.596 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Vl20-2" (default)

DS2#show standby all
Vlan10 - Group 1
  State is Standby
    1 state change, last state change 00:04:03
  Virtual IP address is 192.168.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.180 secs
  Authentication text "CCnp"
  Preemption disabled
  Active router is 192.168.1.100, priority 200 (expires in 8.232 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Vl10-1" (default)
Vlan20 - Group 2
  State is Active
    2 state changes, last state change 00:02:55
  Virtual IP address is 192.168.2.1
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.348 secs
  Authentication text "CCnp"
  Preemption enabled
  Active router is local
  Standby router is 192.168.2.100, priority 100 (expires in 8.428 sec)
  Priority 101 (configured 101)
  IP redundancy name is "hsrp-Vl20-2" (default)

As configured, DS1 will be Active for Group 1 and Standby for Group 2. DS2 will have reversed roles.
The virtual IPs are the ones PC1 and PC2 point to as default gateways.

Now, when the PCs are trying to reach an unknown destination, they will ask their configured default gateways to help them reach their targets.

Reminder: The host recognizes that all packets destined off-net must be sent to the gateway’s MAC address rather than the far end’s MAC address.
Therefore, the host first sends an ARP request to find the gateway’s MAC address. Then packets can be relayed to the gateway directly without having to look for ARP entries for individual destinations.

The virtual gateways respond to the host's ARP request with their virtual MAC (VMAC), as expected:

PC1#debug arp 
ARP packet debugging is on
PC1#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

*Mar  1 01:05:35.651: IP ARP: creating incomplete entry for IP address: 192.168.1.1 interface FastEthernet0/0
*Mar  1 01:05:35.651: IP ARP: sent req src 192.168.1.10 cc04.236c.0000,
                 dst 192.168.1.1 0000.0000.0000 FastEthernet0/0
*Mar  1 01:05:35.683: IP ARP: rcvd rep src 192.168.1.1 0000.0c07.ac01, dst 192.168.1.10 FastEthernet0/0.U.U.
Success rate is 0 percent (0/5)

PC2#debug arp
ARP packet debugging is on
PC2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

*Mar  1 01:06:06.407: IP ARP: creating incomplete entry for IP address: 192.168.2.1 interface FastEthernet0/0
*Mar  1 01:06:06.407: IP ARP: sent req src 192.168.2.10 cc09.2638.0000,
                 dst 192.168.2.1 0000.0000.0000 FastEthernet0/0
*Mar  1 01:06:06.439: IP ARP: rcvd rep src 192.168.2.1 0000.0c07.ac02, dst 192.168.2.10 FastEthernet0/0.....
Success rate is 0 percent (0/5)
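Both the VRRP debug output earlier on this page and the HSRP output just above show the gateway answering with its virtual MAC. The virtual MAC is derived from the group number: HSRP version 1 uses 0000.0c07.acXX and VRRP uses 0000.5e00.01XX, with XX the group or VRID in hex. The following added example (not part of the original post) uses that rule to audit "debug arp" lines: any reply for a gateway IP that does not carry the expected virtual MAC is flagged, which is a quick way to spot a rogue or misconfigured gateway. The first two sample lines are copied from this page's PC1/PC2 output; the third is constructed for the example.

```python
"""Audit ARP replies for first-hop gateways against the expected virtual MAC.

Added example, not part of the original lab. HSRP v1 VMAC = 0000.0c07.acXX,
VRRP VMAC = 0000.5e00.01XX (XX = group in hex). The sample lines come from
this page's debug arp output plus one constructed rogue reply.
"""
import re

ARP_REPLY = re.compile(
    r"IP ARP: rcvd rep src (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})")


def hsrp_vmac(group):
    """HSRP version 1 virtual MAC for a group number (0-255)."""
    return "0000.0c07.ac%02x" % group


def vrrp_vmac(vrid):
    """VRRP virtual MAC for a virtual router ID (1-255)."""
    return "0000.5e00.01%02x" % vrid


def expected_vmac(proto, group):
    return {"hsrp": hsrp_vmac, "vrrp": vrrp_vmac}[proto](group)


def audit_arp_debug(lines, gateways):
    """Return (ip, mac, verdict) for every ARP reply that claims a known gateway IP.

    gateways maps virtual IP -> (protocol, group), e.g. {"192.168.1.1": ("hsrp", 1)}.
    """
    findings = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue
        ip, mac = m.group("ip"), m.group("mac").lower()
        if ip not in gateways:
            continue                      # not a gateway we care about
        want = expected_vmac(*gateways[ip])
        verdict = "ok" if mac == want else "UNEXPECTED (want %s)" % want
        findings.append((ip, mac, verdict))
    return findings


# Virtual IPs as configured on DS1/DS2 in the HSRP lab on this page.
HSRP_GATEWAYS = {"192.168.1.1": ("hsrp", 1), "192.168.2.1": ("hsrp", 2)}

SAMPLE_DEBUG = [
    # copied from PC1 / PC2 output on this page
    "*Mar  1 01:05:35.683: IP ARP: rcvd rep src 192.168.1.1 0000.0c07.ac01, dst 192.168.1.10 FastEthernet0/0",
    "*Mar  1 01:06:06.439: IP ARP: rcvd rep src 192.168.2.1 0000.0c07.ac02, dst 192.168.2.10 FastEthernet0/0",
    # constructed: a reply for the VLAN 10 gateway from a non-virtual MAC
    "*Mar  1 01:07:00.000: IP ARP: rcvd rep src 192.168.1.1 cc04.1337.0000, dst 192.168.1.10 FastEthernet0/0",
]

if __name__ == "__main__":
    for ip, mac, verdict in audit_arp_debug(SAMPLE_DEBUG, HSRP_GATEWAYS):
        print(ip, mac, verdict)
```

The same function audits the VRRP lab by passing {"192.168.1.1": ("vrrp", 1), "192.168.2.1": ("vrrp", 2)}, which matches the 0000.5e00.0101 and 0000.5e00.0102 replies shown earlier. Note that a host-side debug only tells you what that host received; on the switch, Dynamic ARP Inspection and port security are the controls that actually stop a rogue reply.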

Now, let's say that we want HSRP to track an interface and if that interface gets shutdown for any reason to delegate the other HSRP router as Active for a particular group.
For this, we will create a loopback interface on DS1, which is the Active router for HSRP Group 1.
DS1 is Active because it has a HSRP priority of 200 for Group 1, compared to the default of 100 configured on DS2 for that same group.
So, in order to appoint DS2 as Active when the interface fails, DS1 must lower its priority by more than the difference between them (100), so that it ends up strictly below DS2's 100. Equal priorities are decided by the higher interface IP address (DS2's 192.168.1.101 here), which is not something to rely on, so we use a larger decrement.

DS1(config)#interface loopback 1000
DS1(config-if)#
*Mar  1 01:31:15.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1000, changed state to up

DS1 is still Active for Group 1:
DS1#show standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   200  P Active   local           192.168.1.101   192.168.1.1  
Vl20        2   100    Standby  192.168.2.101   local           192.168.2.1

DS2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   100    Standby  192.168.1.100   local           192.168.1.1  
Vl20        2   101  P Active   local           192.168.2.100   192.168.2.1

DS1(config)#interface vlan 10
DS1(config-if)#standby 1 track loopback 1000 150

Now, if the interface fails, DS1's new priority for Group 1 will be 200-150=50 and it will become standby for that group as well.

DS1(config)#interface loopback 1000
DS1(config-if)#shutdown

Although the interface has gone down, DS1 is still Active for Group 1:

DS1#show standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   200  P Active   local           192.168.1.101   192.168.1.1  
Vl20        2   100    Standby  192.168.2.101   local           192.168.2.1

This is because DS2 is not configured for preemption for Group 1: even though DS1's priority has dropped to 50, DS2 will not take the Active role away from a live Active router, so DS1 cannot become Standby.
Let's bring the Loopback interface back UP on DS1 and configure preemption on DS2.

DS1(config)#interface loopback 1000
DS1(config-if)#no shutdown

DS2(config)#interface vlan 10
DS2(config-if)#standby 1 preempt

DS1(config)#interface loopback 1000
DS1(config-if)#shutdown
*Mar  1 01:44:01.855: %HSRP-5-STATECHANGE: Vlan10 Grp 1 state Active -> Speak
*Mar  1 01:44:11.855: %HSRP-5-STATECHANGE: Vlan10 Grp 1 state Speak -> Standby

Now DS1 is Standby for both groups:

DS1#show standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   50   P Standby  192.168.1.101   local           192.168.1.1  
Vl20        2   100    Standby  192.168.2.101   local           192.168.2.1

DS2#show standby brief  
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   100  P Active   local           192.168.1.100   192.168.1.1  
Vl20        2   101  P Active   local           192.168.2.100   192.168.2.1

If the interface comes back UP, DS1 automatically becomes Active for Group 1, since it already has preemption enabled for this group.

DS1(config)#interface loopback 1000
DS1(config-if)#no shutdown
*Mar  1 01:46:10.871: %HSRP-5-STATECHANGE: Vlan10 Grp 1 state Standby -> Active

DS1#show standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   200  P Active   local           192.168.1.101   192.168.1.1  
Vl20        2   100    Standby  192.168.2.101   local           192.168.2.1

DS2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   100  P Standby  192.168.1.100   local           192.168.1.1  
Vl20        2   101  P Active   local           192.168.2.100   192.168.2.1
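The interplay of priority, tracking decrement, preemption and the IP tie-break, as exercised in this HSRP walk-through and in the VRRP one earlier on the page, can be modelled in a few lines. The following added example (not part of the original post) replays both labs (HSRP: DS1 200 vs DS2 100, decrement 150; VRRP: DS1 150 vs DS2 100, decrement 51) and then shows why a decrement that only equals the priority gap leaves the outcome to the higher IP address. The model answers only "who holds the role"; it ignores timers and the intermediate Listen/Speak states, and the class and function names are this example's own.

```python
"""Who becomes Active/Master: priority, tracking, preemption and IP tie-break.

Added example, not part of the original lab. Simplified model: no timers, no
intermediate states, all routers come up at the same time.
"""
import ipaddress


class Router:
    def __init__(self, name, ip, priority, preempt, track_decrement=0):
        self.name = name
        self.ip = ipaddress.IPv4Address(ip)
        self.base_priority = priority
        self.preempt = preempt
        self.track_decrement = track_decrement
        self.tracked_up = True            # state of the tracked interface

    @property
    def priority(self):
        """Effective priority: base minus the decrement while the tracked object is down."""
        return self.base_priority - (0 if self.tracked_up else self.track_decrement)

    def rank(self):
        """Higher priority wins; on a tie the higher interface IP wins."""
        return (self.priority, self.ip)


class Group:
    def __init__(self, routers):
        self.routers = routers
        self.active = max(routers, key=Router.rank)   # initial election

    def settle(self):
        """Re-run the election after a change and return the holder's name.

        A better candidate takes the role only if it is configured to preempt;
        a live holder never gives the role up on its own.
        """
        best = max(self.routers, key=Router.rank)
        if best is not self.active and best.preempt:
            self.active = best
        return self.active.name


def run_lab(pri_ds1, pri_ds2, decrement):
    """Replay the page's sequence: DS1 preempts, DS2 does not (until step 3)."""
    ds1 = Router("DS1", "192.168.1.100", pri_ds1, preempt=True, track_decrement=decrement)
    ds2 = Router("DS2", "192.168.1.101", pri_ds2, preempt=False)
    g = Group([ds1, ds2])
    steps = [("initial election", g.settle())]
    ds1.tracked_up = False
    steps.append(("tracked interface down, DS2 without preempt", g.settle()))
    ds2.preempt = True
    steps.append(("preempt enabled on DS2", g.settle()))
    ds1.tracked_up = True
    steps.append(("tracked interface back up", g.settle()))
    return steps


def tie_case(decrement, ds1_ip="192.168.1.100", ds2_ip="192.168.1.101"):
    """DS1 150 vs DS2 100, both preempting; who holds the role once DS1's
    tracked interface fails? Shows the IP tie-break when decrement == gap."""
    ds1 = Router("DS1", ds1_ip, 150, preempt=True, track_decrement=decrement)
    ds2 = Router("DS2", ds2_ip, 100, preempt=True)
    g = Group([ds1, ds2])
    g.settle()
    ds1.tracked_up = False
    return g.settle()


if __name__ == "__main__":
    for label, args in (("HSRP lab", (200, 100, 150)), ("VRRP lab", (150, 100, 51))):
        print(label)
        for step, holder in run_lab(*args):
            print("  %-45s -> %s" % (step, holder))
    print("decrement == gap, DS2 has higher IP :", tie_case(50))
    print("decrement == gap, DS1 has higher IP :", tie_case(50, "192.168.1.101", "192.168.1.100"))
    print("decrement >  gap, DS1 has higher IP :", tie_case(51, "192.168.1.101", "192.168.1.100"))
```

Both replays give DS1, DS1, DS2, DS1, matching the show output on the page. The tie cases show that a decrement equal to the gap happens to work in this lab only because DS2 has the higher interface address; swap the addresses and DS1 keeps the role, which is why the decrement should exceed the gap.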

Note: HSRP is a Cisco proprietary protocol.

Note: If, when modifying the vlan database, you encounter the following error, you can erase the flash to resolve it. Be aware that "erase flash:" removes every file on that filesystem; on a real switch that normally includes the IOS image, so confirm where the image lives before doing this outside a lab:

% not enough space on flash to store vlan database. trying squeeze...First create squeeze log by erasing the entire device

% error squeezing flash - (Missing or corrupted log)
Error on database apply 40: NV storage failure
Use 'abort' command to exit


AS1(vlan)#abort
Aborting....

AS1#erase flash:
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete 

Note: Although we reload the switches whenever we want new default configs, the VLAN and VTP information is still present.
The reason is that this VLAN and VTP information is actually kept in the VLAN.DAT file in Flash memory, and the contents of Flash are kept on a reload. The file has to be deleted manually. 
More info at: http://www.mcmcse.com/cisco/guides/vlandat.shtml