Wednesday, May 21, 2014

CCNP SWITCH: 6. Hot Standby Router Protocol (HSRP)

A host identifies its nearest router, also known as the default gateway or next hop, by its IP address.
The host recognizes that all packets destined off-net must be sent to the gateway’s MAC address rather than the far end’s MAC address.
Therefore, the host first sends an ARP request to find the gateway’s MAC address. Then packets can be relayed to the gateway directly without having to look for ARP entries for individual destinations.

Each of the routers that provides redundancy for a given gateway address is assigned to a common HSRP group.
One router is elected as the primary, or active, HSRP router; another is elected as the standby HSRP router; and all the others remain in the listen HSRP state.
The routers exchange HSRP hello messages at regular intervals so that they can remain aware of each other’s existence and that of the active router.

Note: HSRP sends its hello messages to the multicast destination 224.0.0.2 (“all routers”).

HSRP Router Election

HSRP election is based on a priority value (0 to 255) that is configured on each router in the group. By default, the priority is 100. The router with the highest priority value (255 is highest) becomes the active router for the group.
If all router priorities are equal or set to the default value, the router with the highest IP address on the HSRP interface becomes the active router.

To set the priority, use the following interface configuration command:
Switch(config-if)# standby group priority priority

Devices participating in HSRP must progress their interfaces through the following state sequence:
1. Disabled
2. Init
3. Listen
4. Speak
5. Standby
6. Active

Note: Only the standby (the one with the second-highest priority) router monitors the hello messages from the active router.
By default, hellos are sent every 3 seconds. If hellos are missed for the duration of the holdtime timer (default 10 seconds, or three times the hello timer), the active router is presumed to be down. The standby router is then clear to assume the active role.

If you decide to change the timers on a router, you should change them identically on all routers in the HSRP group.
Switch(config-if)# standby group timers [msec] hello [msec] holdtime

You can configure a router to preempt or immediately take over the active role if its priority is the highest at any time.
Use the following interface configuration command to allow preemption:
Switch(config-if)# standby group preempt [delay [minimum seconds] [reload seconds]]

By default, the local router can immediately preempt another router that has the active role.
To delay the preemption, use the delay keyword followed by one or both of the following parameters:

- Add the minimum keyword to force the router to wait for seconds (0 to 3600 seconds) before attempting to overthrow an active router with a lower priority.
This delay time begins as soon as the router is capable of assuming the active role, such as after an interface comes up or after HSRP is configured.

- Add the reload keyword to force the router to wait for seconds (0 to 3600 seconds) after it has been reloaded or restarted.
This is handy if there are routing protocols that need time to converge. The local router should not become the active gateway before its routing table is fully populated.

HSRP also can use an authentication method to prevent unexpected devices from spoofing or participating in HSRP.
All routers in the same standby group must have an identical authentication method and key:

Plain-Text HSRP Authentication
Switch(config-if)# standby group authentication string

MD5 Authentication
Switch(config-if)# standby group authentication md5 key-string [0 | 7] string

Alternatively, you can define an MD5 key string as a key on a key chain:
Switch(config)# key chain chain-name
Switch(config-keychain)# key key-number
Switch(config-keychain-key)# key-string [0 | 7] string
Switch(config)# interface type mod/num
Switch(config-if)# standby group authentication md5 key-chain chain-name

When a specific interface is tracked, HSRP reduces the router’s priority by a configurable amount as soon as the interface goes down.
If more than one interface is tracked, the priority is reduced even more with each failed interface. The priority is incremented by the same amount as interfaces come back up.
To configure interface tracking, use the following interface configuration command:
Switch(config-if)# standby group track type mod/num [decrementvalue]

Note: By default, the decrement value for an interface is 10.

Load balancing traffic across two uplinks to two HSRP routers with a single HSRP group is not possible.
The trick to load balance with HSRP is to use two HSRP groups:
- One group assigns an active router to one switch.
- The other group assigns another active router to the other switch.

Note: The clients or end users also must have their default gateway addresses configured as one of the two virtual HSRP group addresses.

In our topology, let's consider switches AS1, AS2, DS1 and DS2. The distribution switches will have HSRP with load balancing (or Multiple HSRP, MHSRP) configured.

All unused interfaces on AS1, AS2, DS1 and DS2 should be shut down.
All unused switches should be shut down.

This is a simplified image of the topology we are going to use for this lab (the image is not reproduced here).

PC1 and PC2 (which are routers) will have IP addresses configured and point to the HSRP group addresses as default gateways.

PC1#show ip interface brief 
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.10    YES manual up                    up    

PC1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

PC2#show ip interface brief 
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.2.10    YES manual up                    up    

PC2(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.1

We should first configure the Layer 2 (trunk) links between the access and distribution switches.
The DS1-DS2 link will be a Layer 3 (routed) link.

AS1:

!
interface FastEthernet1/2
 switchport mode trunk
!
interface FastEthernet1/3
!
interface FastEthernet1/4
 switchport mode trunk
!

AS2:

!
interface FastEthernet1/3
 switchport mode trunk
!
interface FastEthernet1/4
 switchport mode trunk
!

DS1:

!
interface FastEthernet1/2
 switchport mode trunk
!
interface FastEthernet1/4
 switchport mode trunk
!
interface FastEthernet1/1
 no switchport
 ip address 192.168.0.1 255.255.255.0
!

DS2:

!
interface FastEthernet1/3
 switchport mode trunk
!
interface FastEthernet1/4
 switchport mode trunk
!
interface FastEthernet1/1
 no switchport
 ip address 192.168.0.2 255.255.255.0
!

Let's create the VLANs on each access switch and assign the PC ports to the VLANs:

AS1#vlan database
AS1(vlan)#vlan 10    
VLAN 10 added:
    Name: VLAN0010
AS1(vlan)#exit
APPLY completed.
Exiting...
AS1(config)#interface fastEthernet 1/15
AS1(config-if)#switchport mode access 
AS1(config-if)#switchport access vlan 10

AS2#vlan database 
AS2(vlan)#vlan 20
VLAN 20 added:
    Name: VLAN0020
AS2(vlan)#exit
APPLY completed.
Exiting....
AS2(config)#interface fastEthernet 1/15
AS2(config-if)#switchport mode access 
AS2(config-if)#switchport access vlan 20

Let's create the same VLANs on the distribution switches:

DS1#vlan database 
DS1(vlan)#vlan 10
VLAN 10 added:
    Name: VLAN0010
DS1(vlan)#vlan 20
VLAN 20 added:
    Name: VLAN0020
DS1(vlan)#exit
APPLY completed.
Exiting....

DS2#vlan database 
DS2(vlan)#vlan 10
VLAN 10 added:
    Name: VLAN0010
DS2(vlan)#vlan 20
VLAN 20 added:
    Name: VLAN0020
DS2(vlan)#exit
APPLY completed.
Exiting....

Configuring HSRP on DS1 (will be Active for VLAN 10 and Standby for VLAN 20):

DS1(config)#interface vlan 10
DS1(config-if)#ip address 192.168.1.100 255.255.255.0
DS1(config-if)#standby 1 ip 192.168.1.1
DS1(config-if)#standby 1 priority 200
DS1(config-if)#standby 1 preempt 
DS1(config-if)#standby 1 authentication CCnp

DS1(config)#interface vlan 20
DS1(config-if)#ip address 192.168.2.100 255.255.255.0
DS1(config-if)#standby 2 ip 192.168.2.1
DS1(config-if)#standby 2 authentication CCnp

Configuring HSRP on DS2 (will be Active for VLAN 20 and Standby for VLAN 10):

DS2(config)#interface vlan 10
DS2(config-if)#ip address 192.168.1.101 255.255.255.0
DS2(config-if)#standby 1 ip 192.168.1.1
DS2(config-if)#standby 1 authentication CCnp

DS2(config)#interface vlan 20
DS2(config-if)#ip address 192.168.2.101 255.255.255.0
DS2(config-if)#standby 2 ip 192.168.2.1
DS2(config-if)#standby 2 priority 101
DS2(config-if)#standby 2 preempt 
DS2(config-if)#standby 2 authentication CCnp

Verifying HSRP - we can confirm our configurations with the following commands:

DS1#show standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   200  P Active   local           192.168.1.101   192.168.1.1  
Vl20        2   100    Standby  192.168.2.101   local           192.168.2.1

DS2#show standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   100    Standby  192.168.1.100   local           192.168.1.1  
Vl20        2   101  P Active   local           192.168.2.100   192.168.2.1

DS1#show standby all 
Vlan10 - Group 1
  State is Active
    2 state changes, last state change 00:09:34
  Virtual IP address is 192.168.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.972 secs
  Authentication text "CCnp"
  Preemption enabled
  Active router is local
  Standby router is 192.168.1.101, priority 100 (expires in 9.908 sec)
  Priority 200 (configured 200)
  IP redundancy name is "hsrp-Vl10-1" (default)
Vlan20 - Group 2
  State is Standby
    4 state changes, last state change 00:02:17
  Virtual IP address is 192.168.2.1
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.128 secs
  Authentication text "CCnp"
  Preemption disabled
  Active router is 192.168.2.101, priority 101 (expires in 7.596 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Vl20-2" (default)

DS2#show standby all
Vlan10 - Group 1
  State is Standby
    1 state change, last state change 00:04:03
  Virtual IP address is 192.168.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.180 secs
  Authentication text "CCnp"
  Preemption disabled
  Active router is 192.168.1.100, priority 200 (expires in 8.232 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Vl10-1" (default)
Vlan20 - Group 2
  State is Active
    2 state changes, last state change 00:02:55
  Virtual IP address is 192.168.2.1
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.348 secs
  Authentication text "CCnp"
  Preemption enabled
  Active router is local
  Standby router is 192.168.2.100, priority 100 (expires in 8.428 sec)
  Priority 101 (configured 101)
  IP redundancy name is "hsrp-Vl20-2" (default)

As configured, DS1 will be Active for Group 1 and Standby for Group 2. DS2 will have reversed roles.
The virtual IPs are the ones PC1 and PC2 point to as default gateways.

Now, when the PCs try to reach a destination outside their own subnet, they will rely on their configured default gateways to forward the traffic.

Reminder: The host recognizes that all packets destined off-net must be sent to the gateway’s MAC address rather than the far end’s MAC address.
Therefore, the host first sends an ARP request to find the gateway’s MAC address. Then packets can be relayed to the gateway directly without having to look for ARP entries for individual destinations.

The virtual gateways respond to the host's ARP request with their virtual MAC (VMAC), as expected:

PC1#debug arp 
ARP packet debugging is on
PC1#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

*Mar  1 01:05:35.651: IP ARP: creating incomplete entry for IP address: 192.168.1.1 interface FastEthernet0/0
*Mar  1 01:05:35.651: IP ARP: sent req src 192.168.1.10 cc04.236c.0000,
                 dst 192.168.1.1 0000.0000.0000 FastEthernet0/0
*Mar  1 01:05:35.683: IP ARP: rcvd rep src 192.168.1.1 0000.0c07.ac01, dst 192.168.1.10 FastEthernet0/0.U.U.
Success rate is 0 percent (0/5)

PC2#debug arp
ARP packet debugging is on
PC2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

*Mar  1 01:06:06.407: IP ARP: creating incomplete entry for IP address: 192.168.2.1 interface FastEthernet0/0
*Mar  1 01:06:06.407: IP ARP: sent req src 192.168.2.10 cc09.2638.0000,
                 dst 192.168.2.1 0000.0000.0000 FastEthernet0/0
*Mar  1 01:06:06.439: IP ARP: rcvd rep src 192.168.2.1 0000.0c07.ac02, dst 192.168.2.10 FastEthernet0/0.....
Success rate is 0 percent (0/5)
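The ARP replies above carry the group's HSRP version 1 virtual MAC: 0000.0c07.ac followed by the group number in hex (ac01 for group 1, ac02 for group 2). As an added example, not code from the original post, the following Python derives that virtual MAC and checks "debug arp" reply lines against it, flagging any reply that answers for a gateway IP with a different source MAC; the third log line and the 0011.2233.4455 address are constructed for the demonstration.

```python
import re


def hsrp_v1_vmac(group: int) -> str:
    """Virtual MAC of an HSRPv1 group (0-255) in IOS dotted notation: 0000.0c07.acXX."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group numbers are 0-255")
    return f"0000.0c07.ac{group:02x}"


# Matches an IOS 'debug arp' reply line such as
#   IP ARP: rcvd rep src 192.168.1.1 0000.0c07.ac01, dst 192.168.1.10 FastEthernet0/0
_ARP_REPLY = re.compile(
    r"IP ARP: rcvd rep src (\d+\.\d+\.\d+\.\d+) ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}), dst (\S+)",
    re.IGNORECASE)


def check_gateway_replies(lines, gateways):
    """gateways maps a virtual gateway IP to its HSRP group number.
    Returns (gateway_ip, seen_mac, expected_vmac) for every ARP reply that answers
    for a gateway IP with something other than that group's virtual MAC."""
    alerts = []
    for line in lines:
        m = _ARP_REPLY.search(line)
        if not m:
            continue
        src_ip, src_mac, _dst_ip = m.groups()
        if src_ip in gateways:
            expected = hsrp_v1_vmac(gateways[src_ip])
            if src_mac.lower() != expected:
                alerts.append((src_ip, src_mac.lower(), expected))
    return alerts


# Constructed sample: the two genuine replies from the lab output above, plus one
# made-up reply for the VLAN 10 gateway from a MAC that is not an HSRP virtual MAC.
SAMPLE_DEBUG = [
    "*Mar  1 01:05:35.683: IP ARP: rcvd rep src 192.168.1.1 0000.0c07.ac01, dst 192.168.1.10 FastEthernet0/0",
    "*Mar  1 01:06:06.439: IP ARP: rcvd rep src 192.168.2.1 0000.0c07.ac02, dst 192.168.2.10 FastEthernet0/0",
    "*Mar  1 01:07:00.000: IP ARP: rcvd rep src 192.168.1.1 0011.2233.4455, dst 192.168.1.10 FastEthernet0/0",
]
LAB_GATEWAYS = {"192.168.1.1": 1, "192.168.2.1": 2}

if __name__ == "__main__":
    for gw, seen, expected in check_gateway_replies(SAMPLE_DEBUG, LAB_GATEWAYS):
        print(f"ALERT: {gw} answered from {seen}, expected HSRP virtual MAC {expected}")
```

The check assumes the default HSRPv1 virtual MAC; a group configured with standby use-bia answers with the router's burned-in address instead, and HSRPv2 uses the 0000.0c9f.fXXX range, so adjust the expected MAC accordingly.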

Now, let's say that we want HSRP to track an interface and, if that interface goes down for any reason, hand the Active role for a particular group to the other HSRP router.
For this, we will create a loopback interface on DS1, which is the Active router for HSRP Group 1.
DS1 is Active because it has an HSRP priority of 200 for Group 1, compared to the default of 100 configured on DS2 for that same group.
So, in order to appoint DS2 as Active when the interface fails, we should make DS1 lower its priority by at least the difference between them, which is 100.

DS1(config)#interface loopback 1000
DS1(config-if)#
*Mar  1 01:31:15.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1000, changed state to up

DS1 is still Active for Group 1:
DS1#show standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   200  P Active   local           192.168.1.101   192.168.1.1  
Vl20        2   100    Standby  192.168.2.101   local           192.168.2.1

DS2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   100    Standby  192.168.1.100   local           192.168.1.1  
Vl20        2   101  P Active   local           192.168.2.100   192.168.2.1

DS1(config)#interface vlan 10
DS1(config-if)#standby 1 track loopback 1000 150

Now, if the interface fails, DS1's new priority for Group 1 will be 200-150=50 and it will become standby for that group as well.

DS1(config)#interface loopback 1000
DS1(config-if)#shutdown

Although the interface has gone down, DS1 is still Active for Group 1:

DS1#show standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   200  P Active   local           192.168.1.101   192.168.1.1  
Vl20        2   100    Standby  192.168.2.101   local           192.168.2.1

This is because DS2 is not configured for preemption for Group 1, so even though DS1 has lowered its priority to 50, DS2 does not take over the active role and DS1 cannot immediately become Standby.
Let's bring the Loopback interface back UP on DS1 and configure preemption on DS2.

DS1(config)#interface loopback 1000
DS1(config-if)#no shutdown

DS2(config)#interface vlan 10
DS2(config-if)#standby 1 preempt

DS1(config)#interface loopback 1000
DS1(config-if)#shutdown
*Mar  1 01:44:01.855: %HSRP-5-STATECHANGE: Vlan10 Grp 1 state Active -> Speak
*Mar  1 01:44:11.855: %HSRP-5-STATECHANGE: Vlan10 Grp 1 state Speak -> Standby

Now DS1 is Standby for both groups:

DS1#show standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   50   P Standby  192.168.1.101   local           192.168.1.1  
Vl20        2   100    Standby  192.168.2.101   local           192.168.2.1

DS2#show standby brief  
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   100  P Active   local           192.168.1.100   192.168.1.1  
Vl20        2   101  P Active   local           192.168.2.100   192.168.2.1

If the interface comes back UP, DS1 automatically becomes Active for Group 1, since it already has preemption enabled for this group.

DS1(config)#interface loopback 1000
DS1(config-if)#no shutdown
*Mar  1 01:46:10.871: %HSRP-5-STATECHANGE: Vlan10 Grp 1 state Standby -> Active

DS1#show standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   200  P Active   local           192.168.1.101   192.168.1.1  
Vl20        2   100    Standby  192.168.2.101   local           192.168.2.1

DS2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP  
Vl10        1   100  P Standby  192.168.1.100   local           192.168.1.1  
Vl20        2   101  P Active   local           192.168.2.100   192.168.2.1
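The priority, preemption and tracking behaviour walked through above can be modelled in a few lines. The following Python is an added example, not code from the original post: it replays the lab's values (DS1 priority 200 with preemption and a track decrement of 150, DS2 at the default 100) through the election rules, including the detail that a lowered priority only hands over the active role once the other router has preemption enabled.

```python
from dataclasses import dataclass, field
import ipaddress


@dataclass
class HsrpRouter:
    name: str
    ip: str                        # interface IP, the tiebreaker for equal priorities
    priority: int = 100            # configured priority, 0-255 (IOS default 100)
    preempt: bool = False          # 'standby <group> preempt'
    tracks: dict = field(default_factory=dict)   # tracked interface -> decrement (IOS default 10)
    down: set = field(default_factory=set)       # tracked interfaces currently down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        loss = sum(dec for ifname, dec in self.tracks.items() if ifname in self.down)
        return max(0, self.priority - loss)

    def election_key(self):
        """Highest effective priority wins; ties go to the highest interface IP."""
        return (self.effective_priority(), int(ipaddress.IPv4Address(self.ip)))


class HsrpGroup:
    """One HSRP group: remembers which member currently holds the Active role."""

    def __init__(self, routers):
        self.routers = {r.name: r for r in routers}
        self.active = None
        self.reelect()

    def reelect(self) -> str:
        """With no active router the best candidate wins outright; otherwise it displaces
        a live active router only if it has preemption enabled. Returns the active name."""
        best = max(self.routers.values(), key=HsrpRouter.election_key)
        if self.active is None or (best.name != self.active and best.preempt):
            self.active = best.name
        return self.active

    def interface_event(self, router: str, ifname: str, up: bool) -> str:
        """A tracked interface on 'router' changed state; rerun the election."""
        r = self.routers[router]
        if up:
            r.down.discard(ifname)
        else:
            r.down.add(ifname)
        return self.reelect()


if __name__ == "__main__":
    # Lab values: DS1 priority 200, preempt, 'standby 1 track loopback 1000 150'; DS2 at defaults.
    grp = HsrpGroup([HsrpRouter("DS1", "192.168.1.100", 200, True, {"Loopback1000": 150}),
                     HsrpRouter("DS2", "192.168.1.101")])
    print(grp.interface_event("DS1", "Loopback1000", up=False))  # DS1 stays Active: DS2 has no preempt
```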

Note: HSRP is a Cisco proprietary protocol.
Note: If you encounter the following error when modifying the VLAN database, you can erase the flash to resolve it:

% not enough space on flash to store vlan database. trying squeeze...First create squeeze log by erasing the entire device

% error squeezing flash - (Missing or corrupted log)
Error on database apply 40: NV storage failure
Use 'abort' command to exit


AS1(vlan)#abort
Aborting....

AS1#erase flash:
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete 

Note: Although we reload the switches whenever we want new default configs, the VLAN and VTP information is still present.
The reason is that this VLAN and VTP information is actually kept in the VLAN.DAT file in Flash memory, and the contents of Flash are kept on a reload. The file has to be deleted manually. 
More info at: http://www.mcmcse.com/cisco/guides/vlandat.shtml
