Implementing High Availability. in a Campus Environment. Implementing High Availability. Single Forwarding Path vs. Single Forwarding Path.

Transcription

1 Implementing High Availability Implementing High Availability in a Campus Environment To achieve high network availability, the following network components are required: Reliable, fault-tolerant network devices Hardware and software reliability to automatically identify and overcome failures. Device and link redundancy Devices Devices modules Links Resilient network technologies Fast recovery er for devices or links. Optimized network design Well-defined network topologies and configurations to ensure no single point of failure. Best practices Documented procedures for deploying and maintaining a robust e-commerce network infrastructure. Change control o Better e control o over changes made to network devices and maintenance of documentation regarding those changes. 2003, Cisco Systems, Inc. All rights reserved , Cisco Systems, Inc. All rights reserved. BCMSN v Single Forwarding Path vs Redundancy Single Forwarding Path Adding Redundancy Implementing High Availability Redundancy does not mean co-located in the same physical location. Power outage Paraphrasing Jim Warner, Network Engineer at UCSC, When adding redundancy, know what you are trying to protect yourself from. It doesn t help to have redundant devices when there is a power failure, or redundant links when the cables are in the same conduit. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v

2 Implementing Default Gateway Router Redundancy in Multilayer Switched Networks Implementing Default Gateway Router Redundancy in Multilayer Switched Networks Examples of (non-redundant) dynamic router discovery are as follows: Static/DHCP Host is statically configured or uses DHCP. Proxy ARP The host uses Address Resolution Protocol (ARP) to determine the nexthop MAC address for off-network destinations. Local routers respond to the ARP request with their own MAC address. Routing protocol The host listens to dynamic routing protocol updates (for example, Routing Information Protocol [EIGRP]) and forms its own routing table. ICMP Router Discovery Protocol (IRDP) client The host runs an Internet Control Message Protocol (ICMP) router discovery client. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v Static or DHCP Proxy ARP The most common method of providing a host with a default gateway address is: Static configuration DHCP Advantage of DHCP: Simplifies end-device configuration Disadvantage of DHCP: Creates a single point of failure. If the default gateway fails, the end device is limited it to communicating only on the local IP network segment and is cut off from the rest of the network. 2003, Cisco Systems, Inc. All rights reserved. 7 BCMSN v , Cisco Systems, Inc. All rights reserved. 8 BCMSN v

3 Proxy ARP I am on the /16 network so I can reach ! Proxy ARP ARP Request: Hey everyone on my network, whoever is , send me your Ethernet MAC Address! Router has Proxy ARP enabled on all interfaces. Host A has a /16 subnet mask. Host A believes that it is directly connected to all of network / /16 Host A is really on the /24 network, as segmented by the router, but Host A does not know that. Host A has a packet to send to Host D Host A believes that Host D is directly connected. Host A sends an ARP request to Host D. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v To reach Host D ( ), Host A needs the MAC address of Host D. Layer 2, Ethernet broadcast (FFFF.FFFF.FFFF). The ARP request reaches all nodes in the Subnet A. The broadcast will not reach Host D. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v Proxy ARP Host A s ARP Table Proxy ARP Host A s ARP Table Since the router knows that the target address ( ) ) is on another subnet and can reach Host D, it will reply with its own MAC address to Host A. Proxy ARP Reply from Router to Host A ARP Request/Reply: I can reach on another network, so I will Reply to the Host A with my MAC address. From now on Host A will forward all the packets that it wants to reach (Host D) to the MAC address c ab (router). All packets destined to Subnet B are sent to the router including this packet for Host B. The router forwards the packets to Host B and also for other hosts in Subnet B. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v

4 Proxy ARP Host A s ARP Table Non Proxy ARP Host A s ARP Table c bb Different Situation and Addresses: Host A pings Host B Host B has the IP address /24 ARP Request / c94.36bb 2003, Cisco Systems, Inc. All rights reserved. BCMSN v ARP Request/Reply What if Host A has a packet to send Host B? In this case, both the Router and Host B will receive the ARP Request (MAC broadcast). Switch floods the broadcast. Host B will send an ARP Reply. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v Non Proxy ARP Host A s ARP Table c bb Proxy ARP ICMP Echo Request/Reply Host A sends the Echo Request to Host B. Host B wants to send Echo Reply, BUT sees source and destination IP addresses on different networks. Host B sends ARP Request (after checking ARP cache) for default gateway, Router. Router sends ARP Reply. Host B sends ICMP Echo Reply to Router. Router sends ICMP Echo Reply to Host A. ICMP Echo Request / c94.36bb ICMP Echo Reply Router(config)# ip arp proxy disable Router(config)# interface Fa 0/0 Router(config-if)# no ip proxy-arp Disables Proxy ARP globally Disables Proxy ARP per interface Proxy ARP is enabled by default. Proxy ARP can be disabled globally or on a per interface basis. Proxy ARP should be used on the network where IP hosts are not configured with default gateway. Disadvantages of Proxy ARP It increases the amount of ARP traffic on your segment (instead of one default gateway, ARPing for several hosts). Security may be undermined. A machine can claim to be another in order to intercept packets, an act called "spoofing." 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v

5 Proxy ARP Proxy ARP Packets Packets Limited redundancy with Proxy ARP. If the responsible router fails, the host continues to send packets for the destination to the MAC address of that t router. Those packets subsequently are discarded. Packets dropped Once the ARP flushes the entry due to flush timer expiry, the host recovers the default gateway MAC address. Nevertheless, Cisco does not recommend the use of proxy ARP, because it makes troubleshooting very difficult. Router down, but Host ARP entry is still Router A, packets continue to get dropped. Once ARP entry times out on host, it will send another ARP Request Router B will send a Proxy ARP Reply with its MAC address Host now sends packets to Router B for File Server A. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v IRDP ICMP Router Discovery Message Protocol IRDP ICMP Router Discovery Message Protocol IP hosts may use IRDP to find a new path when an existing primary router becomes unavailable. Extension to ICMP Mechanism for routers to advertise useful default routes. No routing protocols No manual configuration 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v

6 IRDP ICMP Router Discovery Message Protocol A host that uses IRDP: Listens for hello multicast messages from the preferred default router. The IRDP-based advertisements have a predefined lifetime value. I will use Router A as my default gateway. IRDP Advertisements IRDP ICMP Router Discovery Message Protocol IRDP Advertisements: Sent every 7 to 10 minutes. Default lifetime the Host will keep the IRDP Advertisement: 30 minutes. Can be modified For more details, consult RFC I haven t heard from Router A in a while so I will use Router B. IRDP Advertisements As with other host redundancy methods, IRDP is not very common and is very difficult to troubleshoot in medium-size to large networks. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v Redundancy Protocols Router Redundancy Cisco IOS offers several features to provide a redundant default gateway to end devices. The following are the default gateway redundancy features supported by Cisco IOS routers and switches: Hot Standby Routing Protocol (HSRP) Virtual Router Redundancy Protocol (VRRP) Gateway Load Balancing Protocol (GLBP) 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v

7 Router Redundancy (Cont.) HSRP (Hot Standby Routing Protocol) Cisco proprietary protocol RFC 2281 Method of providing IP address sharing and redundancy d for default gateways. The protocol consists of a: Virtual MAC address IP address Shared between two routers: Active Router Standby Router Routers exchange HSRP hello messages at regular intervals 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v ARP Table = c07.ac01 My default gateway is One standby router The backup router in case the active router fails for the subnet. It will then forward traffic destined to the virtual IP address. One virtual router One active router The virtual router is not an The active router actual router. forwards traffic destined Represents the HSRP group to the virtual IP address. acting as one virtual router. It is the default gateway as far as hosts on the subnet are concerned b c07.ac f6b3.d000 The host connected to the switch sends the packet destined for the virtual router, but in reality the active router does the packet forwarding. Note: Additional HSRP member routers Other routers are neither active nor standby, but they are configured to participate in the same HSRP group. They monitor the current active and standby routers and transition into one of those roles if the current router fails for the subnet. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v

8 ARP Table = c07.ac01 My default gateway is ARP Table = c07.ac01 My default gateway is b HSRP Hello s: Standby c07.ac01 HSRP Hello s: Active f6b3.d b c07.ac01 HSRP Hello s: Standby f6b3.d000 The active router assumes and maintains its active role through the transmission of hello messages (default every 3 seconds). Sent by active and standby routers. Multicast ( all routers ) using UDP port 1985 The router with the highest standby priority - active router. 0 to 255 Default = 100 (configurable) Otherwise, the router with the highest IP address When the preempt option is not configured, the first router to initialize HSRP becomes the active router. (May not be what you want!) 2003, Cisco Systems, Inc. All rights reserved. BCMSN v The second router in the HSRP group to initialize or second highest priority is elected as the standby router. Monitor the operational status of the HSRP group Quickly assumes packet-forwarding responsibility if the active router becomes inoperable. The standby router also transmits hello messages to inform all other routers in the group of its standby router role and status. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v The Standby Router ARP Table = c07.ac01 My default gateway is I receive and forward packet sent to the virtual router b c07.ac f6b3.d000 The standby router listens for periodic hello messages on , Cisco Systems, Inc. All rights reserved. BCMSN v The virtual router presents a consistent available router (default gateway) to the hosts. Assigned its: Own IP address Own virtual MAC address The active router acting as the virtual router actually forwards the packets. Additional HSRP member routers: These routers in listen state monitor the hello messages but do not respond. Do forward any packets addressed to the routers' IP addresses. Do not forward packets destined for the virtual router because they are not the active router. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v

9 ARP Table = c07.ac01 I don t see Hellos from Active (10 secs), so I will receive and forward packets sent to the virtual router b New Active Router c07.ac01 My default gateway is f6b3.d000 ARP Table = c07.ac01 My default gateway is HSRP Hello s HSRP Hello s: Active b c07.ac f6b3.d000 When the active router fails, the other HSRP routers stop receiving hello messages and the standby router assumes the role of the active router. When the holdtime expires (default 10 seconds). Because the new active router assumes both the IP address and virtual MAC address of the virtual router, the end stations see no disruption in service. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v When the active router only fails: Standby takes over. If there are other routers participating in the group, those routers then contend to be the new standby router. The new active router remains the forwarding router even when the former active router with the higher priority regains service in the network unless preempt is configured (coming). If both the active and standby routers fail: All routers in the HSRP group contend for the active and standby router roles. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v Virtual IP To configure a router as a member of an HSRP standby group, enter this command in interface configuration mode: (Physical interface or VLAN interface if VLANs are used) Switch(config-if)#standby groupnumber ip virtual-ip-address group-number refers to the HSRP standby group number. The group number can range from 0 to 255. virtual-ip-address indicates the virtual IP address of the HSRP group. DLS1 ip add standby 1 priority 200 Router B ip add standby 1 priority , Cisco Systems, Inc. All rights reserved. BCMSN v Virtual IP Switch(config-if)#standby y group- number ip virtual-ip-address DLS1 group-number refers to the HSRP ip add standby group number. standby 1 priority 200 The group number can range from 0 to is the default interface vlan 20 Most Cisco switches support only up ip add groups. standby 1 priority 210 Each VLAN does NOT have to have standby 1 ip it s own group number. Group numbers are locally significant to that VLAN or interface. interface vlan 30 ip add standby 1 priority 220 standby 1 ip , Cisco Systems, Inc. All rights reserved. 36 BCMSN v

10 Priority To set the priority value of a router, enter this command in interface configuration mode: Switch(config-if)#standby groupnumber priority priority-value The priority-value i indicates the number that prioritizes a potential standby router. The range is 0 to 255; the default is 100. Some documentation states 1 to 255. During the election process, the router in an HSRP group with the highest priority becomes the forwarding router. DLS1 ip add standby 1 priority 200 If several routers have the same priority, the physical IP address of the router's interface is used as a tiebreaker. Router B The router with the numerically highest h IP address wins. ip add In reality the router that boots up first will most standby 1 priority 100 likely become the active router. Best to use the preempt command (coming) 2003, Cisco Systems, Inc. All rights reserved. BCMSN v Timers Both the hellotime and the holdtime parameters are configurable. Switch(config-ig)# standby group timers [msec] hellotime [msec] holdtime Hellotime Default = 3 seconds Value varies from 1 to 255. Holdtime Default = 10 seconds Value varies from 1 to 255. Timers will be in milliseconds (1/1,000 th) of the msec keyword precedes a value. To reinstate the default standby timer values, enter the following command: no standby group-number timers 2003, Cisco Systems, Inc. All rights reserved. BCMSN v HSRP Group Identifier DLS1 has a priority of 200 DLS2 has a default priority of 100. Who is the active router? DLS1 assumes the active router role and forwards all frames addressed to the well-known MAC address of: c07.acxx0c07 where xx is the HSRP group identifier. DLS1 ip add standby 1 priority 200 Router B ip add standby 1 priority If the HSRP group number of router A is 01, the MAC address that corresponds to the virtual IP address is c07.ac01. If the HSRP group number of router A is 47, the MAC address that corresponds to the virtual IP address is c07.ac2f. Group number (47) converted to hexadecimal (2f). 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v

11 Preempt Delay The standby router automatically assumes the active router role when the active router fails or is removed from service. This new active router remains the forwarding router even when the former active router with the higher priority regains service in the network. The former active router can be configured to resume the forwarding router role from a router with a lower priority. To enable a router to resume the active state after a state change, enter the following command in interface configuration mode: Switch(config-if)#standby groupnumber preempt [delay [minimum seconds] [reload seconds]] To remove the interface from preemptive status, enter the following command: Switch(config-if)#no standby group-number preempt DLS1 ip add standby 1 priority 200 Router B ip add standby 1 priority 100 Switch(config-if)#standby group-number preempt [delay [minimum seconds] [reload seconds]] Default: Router will immediately preempt another router that has an active role. minimum: Router will wait for (0 to 3600 seconds) before attempting to overthrow the active router with a lower priority This time begins as soon as the router is capable of assuming the the active role. Interface comes up HSRP is configured reload: Router will wait for (0 to 3600 seconds) after it has been reloaded or restarted before attempting to overthrow the active router with a lower priority. This is helpful when you need time for the routing protocol to converge. DLS1 ip add standby 1 priority 200 Router B ip add standby 1 priority , Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v Plain Text Authentication MD5 Authentication Switch(config-if)# if)# standby group- number authentication string Sent in plain text to authenticate HSRP peers. DLS1 Can be easily intercepted and used to impersonate a legitimate peer. ip add Intended only to prevent peers with a standby 1 priority 200 default configuration (no authentication) from participating in HSRP. p standby 1 authentication nosecret Router B ip add standby 1 priority 100 standby 1 authentication nosecret 2003, Cisco Systems, Inc. All rights reserved. BCMSN v Switch(config-if)# standby group- number authentication ti ti md5 keystring [0 7] string Message Digest 5 (MD5) hash is computed on a portion of each HSRP DLS1 message. More secure than plain text t authentication. ti ti ip add standby 1 priority 200 Can use key chains when using multiple keys: standby 1 authentication ti ti md5 keystring nosecret Switch(config-if)# standby group authentication md5 key-chain hsrp1 Router B Switch(config)# key chain hsrp1 Switch(config-keychain)# key 1 Switch(config-keychain-key)# key-string secretkey ip add standby 1 priority 100 standby 1 authentication md5 keystring nosecret 2003, Cisco Systems, Inc. All rights reserved. BCMSN v

12 Listen Speak Learn state state HSRP The routers The router Initial in router knows speak state has the All send not virtual routers periodic determined hello IP begin address, messages in the the virtual and initial but actively state. IP neither participate address, This the in the Active state Standby election of In the the state active active or standby state, the standby and has not yet seen state router. the a is hello entered The router state, message via remains is currently the HSRP a configuration in the speak forwarding router is a candidate state from the active change unless it router. or becomes when an In an active packets active that or standby to router are become router. sent nor to the the next standby router. All other routers participating in this the state, the router is interface virtual active MAC and sends periodic hello messages. still waiting is initiated. and IP address of the HSRP group. HSRP The There active group must router besides also at the least sends active one periodic standby or to hear hello router from routers messages. in the the reside active HSRP in router. group. this state. HSRP States t Router A does not hear any higher priority than itself, so promotes itself to standby. Router A does not hear an active router, so promotes itself to active. Router A Priority 100 Initial Learn Listen Speak Standby Active HSRP Standby Group 1 Listen Router B Priority 50 Initial Learn Listen Speak Speak Standby All other routers remain in this state. Router B hears that router A has a higher priority, so router B returns to the listen state. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v Configuring HSRP on Routers R1 interface gig 0/2 ip address standby 1 priority 120 standby 1 ip R2 interface gig 0/2 ip address standby 1 priority 110 standby 1 ip Virtual Router / / / , Cisco Systems, Inc. All rights reserved. BCMSN v HSRP Load Balancing HSRP Load Balancing While a router is actively forwarding traffic for one HSRP group, it can be in the standby or listen state for another group. Each standby group emulates a single virtual router. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v

13 HSRP Load Balancing Load balancing HSRP Note: There can be up to 255 standby groups on any VLAN or interface. Increasing the number of groups in which a router participates increases the management load on the router and may affect the performance of the router for very large numbers of HSRP groups. Both DLS1 and DLS2 are members of groups 1 and 2. DLS1: Active forwarding router for group 1 Standby router for group 2. DLS2: Active forwarding router for group 2 Standby router for group , Cisco Systems, Inc. All rights reserved. BCMSN v DLS1 ip add standby 1 priority 200 standby 2 priority 100 standby 2 ip standby 2 preempt DLS2 ip add standby 1 priority 100 standby 2 priority 200 standby 2 ip standby 2 preempt , Cisco Systems, Inc. All rights reserved. BCMSN v Configuring HSRP Interface Tracking Configuring HSRP Interface Tracking Active Router Active Router X Router A sends ICMP Redirect to Host, pointing it to Router B. Host now sends packets to Router B. In some situations, the status of an interface directly affects which router needs to become the active router. This is particularly true when each of the routers in an HSRP group has a different path to resources within the campus network. Routers A and B are exchanging hello messages through their E0 interfaces. Primary T1 link experiences a failure. Without HSRP enabled, router A would detect the failed link and send an ICMP redirect to router B. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v

14 Configuring HSRP Interface Tracking Configuring HSRP Interface Tracking Active Router X Router A still sends HSRP Hello s. Active Router X Router A still sends HSRP Hello s. Hosts continue to send packets to Router A. Hosts continue to send packets to Router A. However, when HSRP is enabled, ICMP redirects are disabled. Enabling HSRP on a Cisco router interface automatically disables ICMP redirects to ensure that the actual addresses of the participating HSRP routers are not discovered. Although the S1 interface on router A is no longer functional, router A still sends hello messages out interface E0, indicating that router A is still the active router. Packets sent to the virtual router for forwarding to headquarters cannot be routed. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v Interface tracking enables the priority of a standby group router to be automatically adjusted based on availability of the other interfaces on that router. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v Configuring HSRP Interface Tracking Active Router X Router B assumes Active role after holdtime. Router A tracks S1 and automatically decrements its priority and stops sending hello messages. Hosts now send packets to Router B. The E0 interface on router A tracks the S1 interface. If the link between the S1 interface and headquarters fails, the router automatically decrements its priority on that interface (default by 10 per interface tracked) and stops transmitting hello messages out interface E0. Router B assumes the active router role when no hello messages are detected for the specific holdtime period. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v Router A interface Ethernet0 ip address /24 no ip redirects standby 1 priority 105 standby 1 ip standby 1 track Serial1 Router B interface Ethernet0 ip address /24 no ip redirects standby 1 priority 100 standby 1 ip standby 1 track Serial1 interface Serial1 interface Serial1 ip address /24 ip address / , Cisco Systems, Inc. All rights reserved. BCMSN v

15 Before Failure After Failure 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v VRRP Implementing High Availability in a Campus Environment Configuring Layer 3 Redundancy with VRRP Like HSRP, VRRP is a default gateway redundancy method. RFC 2338 Similar in functionality to HSRP. Slight differences in terminology and in operation. Nevertheless, in enterprise and service provider networks, HSRP deployments far outnumber VRRP deployments. At the time of this presentation only available in Catalyst 4500 and , Cisco Systems, Inc. All rights reserved , Cisco Systems, Inc. All rights reserved. BCMSN v

16 VRRP VRRP If you understand HSRP you will understand VRRP. HSRP Active Router = VRRP Master Router (highest priority). All other VRRP routers are in backup state (HSRP only one Standby router). VRRP group numbers: 0 to 255 (HSRP 0 to 255) VRRP priority: 1 to 254 (HSRP 0 to 255) 254 is the highest (HSRP 255) 100 is default (HSRP 100) Virtual router MAC addresses: e00.01xx xx = VRRP group number (0000.0c07.acxx 0c07 HSRP) If you understand HSRP you will understand VRRP. VRRP advertisements: Sent every 1 second (HSRP every 3 seconds) VRRP preempt: Default (HSRP must be configured) VRRP interface tracking: None (HSRP has interface tracking) Multicast address and protocol: (VRRP) (HSRP uses all routers ) IP protocol 112 (HSRP protocol 17 for UDP) 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v VRRP VRRP The virtual router can use a physical IP address or a virtual IP address. The virtual router can use a physical IP address or a virtual IP address. Routers A, B, and C, are VRRP-enabled routers. Routers A, B, and C form a virtual router, with as the virtual IP address. IP address of the virtual router is the same as that configured for the Ethernet interface of Router A ( ). Because the virtual router uses the IP address of the physical Ethernet interface of router A, router A assumes the role of the master virtual router and is known as the IP address owner. Hosts 1 through 3 are configured with the default gateway IP address of Routers B and C function as backup virtual routers. If the master virtual router fails, the router configured with the higher priority will become the master virtual router and provide uninterrupted service for the LAN hosts. When Router A recovers, it becomes the master virtual router again. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v

17 VRRP VRRP Load Balancing The virtual router can use a physical IP address or a virtual IP address. RouterA(config)#interface fa 0/1 RouterA(config-if)#ip address RouterA(config-if)#vrrp 1 ip Interface IP address = Virtual IP address for the VRRP group Owning router is the master in a VRRP group The priority associated with that interface should be configured as 255. Otherwise, the highest priority wins the election and is the master. Backup values range from 1 to 254; the default value is 100. LAN topology in which VRRP is configured such that: Router A is default gateway for Hosts 1 and 2. Router B is default gateway for Hosts 3 and 4. Each router acts as the backup virtual router if the other router fails. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v VRRP VRRP Load Balancing 2003, Cisco Systems, Inc. All rights reserved. BCMSN v In terms of failover, the takeover time of a standby router to an active router depends on two timers: Advertisement interval: Time interval between advertisements (seconds). The default is 1 second. Configurable Master-down interval: Time interval for backup to declare the master down (seconds). Not configurable At least three times the value of the advertisement interval. The higher the advertisement interval, the more time it takes to detect the failure of the master and hence, failover. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v

18 GLBP Implementing High Availability in a Campus Environment Configuring Layer 3 Redundancy with GLBP Cisco designed GLBP to: Allow automatic selection and simultaneous use of multiple available gateways To provide automatic ti detection ti and failover to a redundant d path in the event of failure to any active gateway Allows for both of these without the extra administrative burden of configuring multiple groups and managing multiple default gateway configurations. At the time of this presentation only available in Catalyst , Cisco Systems, Inc. All rights reserved , Cisco Systems, Inc. All rights reserved. BCMSN v GLBP 1 router Up to 4 members GLBP A GLBP group has up to four member routers acting as IP default gateways. Known as the Active Virtual Forwarders (AVFs). GLBP: Automatically manages the virtual MAC address assignment 0007.b4xx.xxyy xx.xx (16 bits) six 0 bits, followed by ten bit GLBP group number yy - is the virtual forwarder number Determines who handles the forwarding Ensures that each station has a forwarding path in the event of failures to gateways or tracked interfaces. These functions are accomplished by one of the routers in the group acting as the active virtual gateway (AVG). 2003, Cisco Systems, Inc. All rights reserved. BCMSN v Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that group. Highest priority or highest IP address becomes AVG GLBP Priority: 1 to 255 (default = 100) GLP Group Numbers: 0 to 1023 Other group members (AVFs) provide backup for the AVG in the event that the AVG becomes unavailable. The AVG assigns a virtual MAC address to each member of the GLBP group. Each gateway assumes responsibility for forwarding packets sent to the virtual MAC address assigned to it by the AVG. These gateways are known as active virtual forwarders (AVFs) for their virtual MAC address. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v

19 GLBP Client 1 ARP Reply: 0007.b Router A is the AVG for a GLBP group, and is responsible for the virtual IP address Responsible for responding to ARP Requests for default gateway ( ) and handing out a MAC address of an AVF. Router A is also an AVF for the virtual MAC address 0007.b Router B is a member of the same GLBP group and is designated as the AVF for the virtual MAC address 0007.b Same virtual IP address of Client 1 has a default gateway IP address of and a gateway MAC address of 0007.b Client 2 shares the same default gateway IP address but receives the gateway MAC address 0007.b because Router B is sharing the traffic load with Router A. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v ARP Request for Send Packet encapsulated in frame to 0007.b b Default Gateway = Default Gateway = C CC , Cisco Systems, Inc. All rights reserved. BCMSN v Client 2 ARP Reply: 0007.b X I I ll will take also over be the for AVG frames for GLBP X the sent group. to RouterA s virtual MAC address and my own b ARP Request for Send Packet encapsulated in frame to 0007.b Default Gateway = Default Gateway = C CC , Cisco Systems, Inc. All rights reserved. BCMSN v GLBP Timers: Hello messages every 3 seconds Holdtime is 10 seconds Switch(config-ig)# glbp group timers [msec] hellotime [msec] holdtime If Router A becomes unavailable Client 1 will not lose access to the WAN. Router B will assume responsibility for forwarding packets sent to the virtual MAC address of Router A Continues responding to packets sent to its own virtual MAC address. After a period of time (see redirect and timout timers) Router B will only use a single MAC address. Router B will also assume the role of the AVG for the entire GLBP group. Communication for the GLBP members continues despite the failure of a router in the GLBP group. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v

20 GLBP GLBP Operation GLBP supports the following operational modes for load balancing: Round-robin load-balancing algorithm Each virtual forwarder MAC address takes turns being included in address resolution replies for the virtual IP address. The round-robin load-balancing algorithm is the default. Weighted load-balancing algorithm The amount of load directed to an AVF depends on the weighting value advertised by the gateway containing that AVF. Host-dependent load-balancing algorithm A host is guaranteed to use the same virtual MAC address as long as that virtual MAC address is participating in the GLBP group. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v GLBP Operation GLBP Interface Tracking Hosts A and B send their off-network traffic to separate next-hop routers because they each have cached a different MAC address for the single virtual gateway IP address in this case, Each GLBP router is an AVF for the MAC address it has been assigned. Like HSRP, GLBP can be configured to track interfaces. Router(config-if)# track 1 interface serial1/0 The link from router R1 is lost. GLBP detects the failure. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v

21 GLBP Interface Tracking Summary The responsibility of forwarding packets destined for virtual MAC 1 is taken over by the secondary virtual forwarder (router R2). VRRP provides router redundancy in a manner similar to HSRP. VRRP supports a master and one or more backup routers. VRRP and GLBP are configured per interface. GLBP provides router redundancy and load balancing. GLBP balances traffic by allocating a virtual MAC address to each AVF. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v , Cisco Systems, Inc. All rights reserved. BCMSN v