Implementing High Availability in a Campus Environment


Implementing High Availability
2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-1

To achieve high network availability, the following network components are required:
Reliable, fault-tolerant network devices: hardware and software reliability to automatically identify and overcome failures.
Device and link redundancy: redundant devices, device modules and links.
Resilient network technologies: fast recovery for devices or links.
Optimized network design: well-defined network topologies and configurations that leave no single point of failure.
Best practices: documented procedures for deploying and maintaining a robust e-commerce network infrastructure.
Change control: better control over changes made to network devices, and maintenance of documentation about those changes.

Single Forwarding Path vs. Redundancy
(Figures: a single forwarding path between the hosts and the core; the same topology with a second device and a second link added.)
Redundancy does not mean co-located in the same physical location. Paraphrasing Jim Warner, Network Engineer at UCSC: when adding redundancy, know what you are trying to protect yourself from. It does not help to have redundant devices when there is a power failure, or redundant links when the cables are in the same conduit.

Implementing Default Gateway Router Redundancy in Multilayer Switched Networks
Examples of (non-redundant) dynamic router discovery are as follows:
Static/DHCP: the host is statically configured with its default gateway, or learns it through DHCP.
Proxy ARP: the host uses Address Resolution Protocol (ARP) to determine the next-hop MAC address for off-network destinations; local routers respond to the ARP request with their own MAC address.
Routing protocol: the host listens to dynamic routing protocol updates (for example, Routing Information Protocol [RIP]) and forms its own routing table.
ICMP Router Discovery Protocol (IRDP) client: the host runs an Internet Control Message Protocol (ICMP) router discovery client.

Static or DHCP
The most common method of providing a host with a default gateway address is static configuration or DHCP.
Advantage of DHCP: it simplifies end-device configuration.
Disadvantage: it creates a single point of failure. If the default gateway fails, the end device is limited to communicating only on the local IP network segment and is cut off from the rest of the network.

Proxy ARP
Host A has a /16 subnet mask, so it believes it is directly connected to all of network 172.16.0.0/16 ("I am on the 172.16.0.0/16 network, so I can reach 172.16.20.200"). Host A is really on the 172.16.10.0/24 network, as segmented by the router, but Host A does not know that. The router has Proxy ARP enabled on all interfaces.
Host A has a packet to send to Host D (172.16.20.200). Because it believes Host D is directly connected, it sends an ARP request for Host D's MAC address as a Layer 2 Ethernet broadcast (FFFF.FFFF.FFFF): "Hey everyone on my network, whoever is 172.16.20.200, send me your Ethernet MAC address!" The ARP request reaches all nodes in Subnet A; the broadcast does not reach Host D.
Since the router knows that the target address (172.16.20.200) is on another subnet and that it can reach Host D, it replies to Host A with its own MAC address: "I can reach 172.16.20.200 on another network, so I will reply to Host A with my MAC address."
From now on Host A's ARP table maps 172.16.20.200 to 00-00-0c-94-36-ab (the router), and Host A forwards every packet for Host D to that MAC address. All packets destined for Subnet B are sent to the router in the same way, and the router forwards them to Host D and to the other hosts in Subnet B.

Non-Proxy ARP: Host A pings Host B
Different situation and addresses: Host B is on the same segment as Host A, with IP address 172.16.20.200/24 and MAC address 0000.0c94.36bb.
ARP Request/Reply: when Host A has a packet to send to Host B, both the router and Host B receive the ARP request, because the switch floods the MAC broadcast. Host B sends the ARP reply itself, so Host A's ARP table maps 172.16.20.200 to 00-00-0c-94-36-bb.
ICMP Echo Request/Reply: Host A sends the Echo Request directly to Host B. Host B wants to send the Echo Reply, but sees that the source and destination IP addresses are on different networks. After checking its ARP cache, Host B sends an ARP request for its default gateway, the router; the router sends an ARP reply; Host B sends the ICMP Echo Reply to the router, and the router sends it on to Host A.

Disabling Proxy ARP
  Router(config)# ip arp proxy disable      (disables Proxy ARP globally)
  Router(config)# interface Fa 0/0
  Router(config-if)# no ip proxy-arp        (disables Proxy ARP on this interface)
Proxy ARP is enabled by default and can be disabled globally or on a per-interface basis. Proxy ARP should be used only on networks where IP hosts are not configured with a default gateway.
Disadvantages of Proxy ARP:
It increases the amount of ARP traffic on the segment (hosts ARP for many individual destinations instead of one default gateway).
Security may be undermined. A machine can claim to be another in order to intercept packets, an act called spoofing: ARP carries no authentication, so a host accepts whichever reply arrives first, and on a Proxy ARP segment any station can answer for an address that is off the subnet.

Limited Redundancy with Proxy ARP
If the responsible router fails, the host continues to send packets for the destination to the MAC address of that router, and those packets are discarded. Only once the host's ARP entry is flushed by its timer does the host send another ARP request and recover a working gateway: Router B answers with a Proxy ARP reply carrying its own MAC address, and the host now sends packets for File Server A to Router B. Until then, Router A is down but the host's ARP entry still points at Router A, and packets keep getting dropped. Nevertheless, Cisco does not recommend the use of Proxy ARP, because it makes troubleshooting very difficult.

IRDP (ICMP Router Discovery Protocol)
IP hosts may use IRDP to find a new path when an existing primary router becomes unavailable. IRDP is an extension to ICMP: a mechanism for routers to advertise useful default routes, with no routing protocol on the host and no manual configuration.

A host that uses IRDP listens for multicast router advertisements from the preferred default router ("I will use Router A as my default gateway"). Each IRDP advertisement carries a predefined lifetime value. Advertisements are sent roughly every 7 to 10 minutes by default, and the default lifetime for which the host keeps an advertisement is 30 minutes; both values can be modified. For more details, consult RFC 1256. When the host has not heard from Router A within the lifetime, it switches to Router B ("I haven't heard from Router A in a while, so I will use Router B").
As with other host redundancy methods, IRDP is not very common and is very difficult to troubleshoot in medium-size to large networks.

Router Redundancy
Cisco IOS offers several features to provide a redundant default gateway to end devices. The default gateway redundancy features supported by Cisco IOS routers and switches are:
Hot Standby Router Protocol (HSRP)
Virtual Router Redundancy Protocol (VRRP)
Gateway Load Balancing Protocol (GLBP)

HSRP (Hot Standby Router Protocol)
A Cisco proprietary protocol, documented in RFC 2281, that provides IP address sharing and redundancy for default gateways. The protocol consists of a virtual MAC address and a virtual IP address shared between two routers, an active router and a standby router. The routers exchange HSRP hello messages at regular intervals.
Example topology: the host's default gateway is 172.16.10.1, and its ARP table maps that address to the virtual MAC 0000.0c07.ac01. Router 172.16.10.201 (0010.f6b3.d000) and router 172.16.10.202 (0010.0b79.5800) are the members of HSRP group 1.
One virtual router: not an actual router. It represents the HSRP group acting as one virtual router, and it is the default gateway as far as the hosts on the subnet are concerned.
One active router: forwards traffic destined to the virtual IP address. The host connected to the switch sends the packet to the virtual router, but in reality the active router does the packet forwarding.
One standby router: the backup in case the active router fails for the subnet. It will then forward traffic destined to the virtual IP address.
Note: additional HSRP member routers are neither active nor standby, but they are configured to participate in the same HSRP group. They monitor the current active and standby routers and transition into one of those roles if the current router fails for the subnet.

Hello Messages and Election
The active router assumes and maintains its active role through the transmission of hello messages (default every 3 seconds). Hellos are sent by both the active and the standby router to multicast 224.0.0.2 (all routers) on UDP port 1985. (HSRP version 2 uses 224.0.0.102 instead; anything that filters or monitors HSRP traffic has to account for both.)
The router with the highest standby priority becomes the active router. Priority ranges from 0 to 255; the default is 100 and is configurable. If priorities are equal, the router with the highest IP address wins. When the preempt option is not configured, the first router to initialize HSRP becomes the active router, which may not be what you want.
The second router in the HSRP group to initialize, or the one with the second highest priority, is elected as the standby router. It monitors the operational status of the HSRP group and quickly assumes packet-forwarding responsibility if the active router becomes inoperable. The standby router also transmits hello messages to inform all other routers in the group of its standby role and status, and listens for the periodic hello messages on 224.0.0.2.
The virtual router presents a consistent, available router (default gateway) to the hosts. It is assigned its own IP address and its own virtual MAC address; the active router, acting as the virtual router, actually forwards the packets.
Additional HSRP member routers, in the listen state, monitor the hello messages but do not respond. They forward packets addressed to their own interface IP addresses, but do not forward packets destined for the virtual router, because they are not the active router.

Active Router Failure
When the active router fails, the other HSRP routers stop receiving hello messages. When the holdtime expires (default 10 seconds), the standby router assumes the role of the active router: "I don't see hellos from the active router, so I will receive and forward packets sent to the virtual router." Because the new active router assumes both the IP address and the virtual MAC address of the virtual router, the end stations see no disruption in service: their default gateway is still 172.16.10.1 and their ARP entry for it is still 0000.0c07.ac01.
When only the active router fails, the standby takes over. If there are other routers participating in the group, those routers then contend to be the new standby router. The new active router remains the forwarding router even when the former active router with the higher priority regains service in the network, unless preempt is configured (covered below).
If both the active and standby routers fail, all routers in the HSRP group contend for the active and standby router roles.

Virtual IP
To configure a router as a member of an HSRP standby group, enter this command in interface configuration mode (on the physical interface, or on the VLAN interface if VLANs are used):
  Switch(config-if)# standby group-number ip virtual-ip-address
group-number is the HSRP standby group number. It can range from 0 to 255; 0 is the default. Most Cisco switches support only up to 16 groups. Each VLAN does not have to have its own group number: group numbers are locally significant to that VLAN or interface.
virtual-ip-address is the virtual IP address of the HSRP group.
  DLS1
  ip add 172.16.10.201 255.255.255.0
  standby 1 priority 200
  standby 1 ip 172.16.10.1
  interface vlan 20
  ip add 172.16.20.202 255.255.255.0
  standby 1 priority 210
  standby 1 ip 172.16.20.1
  interface vlan 30
  ip add 172.16.30.202 255.255.255.0
  standby 1 priority 220
  standby 1 ip 172.16.30.1
  Router B
  ip add 172.16.10.202 255.255.255.0
  standby 1 priority 100
  standby 1 ip 172.16.10.1

Priority
To set the priority value of a router, enter this command in interface configuration mode:
  Switch(config-if)# standby group-number priority priority-value
priority-value is the number that prioritizes a potential standby router. The range is 0 to 255 (some documentation states 1 to 255); the default is 100. During the election process, the router in an HSRP group with the highest priority becomes the forwarding router. If several routers have the same priority, the physical IP address of the router's interface is used as a tiebreaker: the router with the numerically highest IP address wins. In reality, without preempt, the router that boots up first will most likely become the active router, so it is best to use the preempt command (covered below).
  DLS1
  ip add 172.16.10.201 255.255.255.0
  standby 1 priority 200
  Router B
  ip add 172.16.10.202 255.255.255.0
  standby 1 priority 100

Timers
Both the hellotime and the holdtime parameters are configurable:
  Switch(config-if)# standby group-number timers [msec] hellotime [msec] holdtime
Hellotime: default 3 seconds, value from 1 to 255. Holdtime: default 10 seconds, value from 1 to 255. Timers are in milliseconds (1/1,000th of a second) if the msec keyword precedes a value. The holdtime must be longer than the hellotime; Cisco's guidance is at least three times the hellotime, so that a single lost hello does not cause a failover.
To reinstate the default standby timer values:
  Switch(config-if)# no standby group-number timers

HSRP Group Identifier
DLS1 has a priority of 200 and DLS2 has the default priority of 100, so DLS1 assumes the active router role and forwards all frames addressed to the well-known virtual MAC address 0000.0c07.acxx, where xx is the HSRP group identifier in hexadecimal.
  DLS1
  ip add 172.16.10.201 255.255.255.0
  standby 1 priority 200
  Router B
  ip add 172.16.10.202 255.255.255.0
  standby 1 priority 100
If the HSRP group number is 1, the MAC address that corresponds to the virtual IP address is 0000.0c07.ac01. If the HSRP group number is 47, the MAC address that corresponds to the virtual IP address is 0000.0c07.ac2f: the group number 47 converted to hexadecimal is 2f.

Preempt
The standby router automatically assumes the active router role when the active router fails or is removed from service. This new active router remains the forwarding router even when the former active router with the higher priority regains service in the network. The former active router can be configured to resume the forwarding router role from a router with a lower priority. To enable a router to resume the active state after a state change, enter the following command in interface configuration mode:
  Switch(config-if)# standby group-number preempt [delay [minimum seconds] [reload seconds]]
To remove the interface from preemptive status:
  Switch(config-if)# no standby group-number preempt

Preempt Delay
Default: the router immediately preempts another router that holds the active role.
minimum: the router waits 0 to 3600 seconds before attempting to take over from an active router with a lower priority. The timer starts as soon as the router is capable of assuming the active role (the interface comes up and HSRP is configured).
reload: the router waits 0 to 3600 seconds after it has been reloaded or restarted before attempting to take over from an active router with a lower priority. This is helpful when you need time for the routing protocol to converge; without it, a freshly rebooted router can become the gateway before it has any routes to forward with.
  DLS1
  ip add 172.16.10.201 255.255.255.0
  standby 1 priority 200
  Router B
  ip add 172.16.10.202 255.255.255.0
  standby 1 priority 100

Plain Text Authentication
  Switch(config-if)# standby group-number authentication string
The string is sent in plain text to authenticate HSRP peers, so it can easily be intercepted and used to impersonate a legitimate peer. It is intended only to prevent peers with a default configuration (no authentication) from participating in HSRP. The practical consequence: with no authentication, or with a string that anyone capturing on the VLAN can read, any host on the segment can send hellos with a higher priority than the real routers and take over as the active router, which puts it in the forwarding path of every off-subnet packet from that VLAN.
  DLS1
  ip add 172.16.10.201 255.255.255.0
  standby 1 priority 200
  standby 1 authentication nosecret
  Router B
  ip add 172.16.10.202 255.255.255.0
  standby 1 priority 100
  standby 1 authentication nosecret

MD5 Authentication
  Switch(config-if)# standby group-number authentication md5 key-string [0 | 7] string
A Message Digest 5 (MD5) hash is computed over a portion of each HSRP message; this is more secure than plain text authentication. Key chains can be used when multiple keys are needed:
  Switch(config)# key chain hsrp1
  Switch(config-keychain)# key 1
  Switch(config-keychain-key)# key-string secretkey
  Switch(config-if)# standby group-number authentication md5 key-chain hsrp1
  DLS1
  ip add 172.16.10.201 255.255.255.0
  standby 1 priority 200
  standby 1 authentication md5 key-string nosecret
  Router B
  ip add 172.16.10.202 255.255.255.0
  standby 1 priority 100
  standby 1 authentication md5 key-string nosecret
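To make the plain-text authentication point concrete, the following Python is an added example, not part of the BCMSN module. It builds and decodes HSRPv1 messages in the RFC 2281 layout (the 20-byte payload carried in UDP 1985 to 224.0.0.2) and audits a constructed capture against the configured peers. The router addresses and priorities are those of the DLS1 / Router B configuration above; the rogue host 172.16.10.250, its Coup message, and the audit_hsrp function are assumptions of the example.

```python
"""HSRPv1 on the wire: build, decode and audit hello traffic (added example).

Packet layout follows RFC 2281: version, opcode, state, hellotime, holdtime,
priority, group, reserved (1 byte each), 8 bytes of authentication data, and
the 4-byte virtual IP. The capture below is constructed by hand.
"""
import ipaddress
import struct

HSRP_UDP_PORT = 1985
HSRP_V1_LEN = 20
_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
_OPCODE_CODE = {name: code for code, name in OPCODES.items()}
_STATE_CODE = {name: code for code, name in STATES.items()}


def build_hsrp(state, priority, group, virtual_ip, auth="cisco",
               opcode="Hello", hellotime=3, holdtime=10):
    """Encode an HSRPv1 message. "cisco" is what an IOS peer sends when no
    authentication is configured; the string goes into the packet unchanged."""
    auth_field = auth.encode("ascii")[:8].ljust(8, b"\x00")  # 8 bytes, NUL padded
    return struct.pack(_FMT, 0, _OPCODE_CODE[opcode], _STATE_CODE[state],
                       hellotime, holdtime, priority, group, 0,
                       auth_field, ipaddress.IPv4Address(virtual_ip).packed)


def parse_hsrp(payload):
    """Decode the UDP payload of an HSRPv1 message into a dict."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("payload shorter than an HSRPv1 message")
    (version, opcode, state, hellotime, holdtime, priority, group,
     _reserved, auth, vip) = struct.unpack(_FMT, payload[:HSRP_V1_LEN])
    if version != 0:
        raise ValueError("only HSRPv1 (version field 0) is decoded here")
    return {
        "opcode": OPCODES.get(opcode, "Unknown"),
        "state": STATES.get(state, "Unknown"),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }


def virtual_mac(group):
    """Well-known HSRPv1 virtual MAC 0000.0c07.acXX, XX = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group must be 0..255")
    return "0000.0c07.ac%02x" % group


def audit_hsrp(captures, peers, expected_auth, group):
    """captures: iterable of (source_ip, udp_payload); peers: {ip: configured
    priority} of the routers that belong to the group. Returns (source_ip,
    reason) findings for messages that could take over the gateway."""
    highest_legit = max(peers.values())
    findings = []
    for src, payload in captures:
        try:
            msg = parse_hsrp(payload)
        except ValueError as exc:
            findings.append((src, "undecodable HSRP payload: %s" % exc))
            continue
        if msg["group"] != group:
            continue  # a different standby group; out of scope for this audit
        if src not in peers:
            findings.append((src, "%s from a source that is not a configured peer"
                             % msg["opcode"]))
        if msg["auth"] != expected_auth:
            findings.append((src, "authentication string %r does not match"
                             % msg["auth"]))
        if msg["priority"] > highest_legit:
            findings.append((src, "%s advertising priority %d, above every "
                             "configured peer; it would win the election"
                             % (msg["opcode"], msg["priority"])))
    return findings


# Constructed capture: the two routers from the page plus a rogue host that
# knows the default authentication string and sends a Coup at priority 255.
VIP = "172.16.10.1"
PEERS = {"172.16.10.201": 200, "172.16.10.202": 100}
SAMPLE_CAPTURE = [
    ("172.16.10.201", build_hsrp("Active", 200, 1, VIP)),
    ("172.16.10.202", build_hsrp("Standby", 100, 1, VIP)),
    ("172.16.10.250", build_hsrp("Speak", 255, 1, VIP, opcode="Coup")),
]


def audit_sample():
    return audit_hsrp(SAMPLE_CAPTURE, PEERS, "cisco", 1)


if __name__ == "__main__":
    print("auth string readable in the hello bytes:", b"cisco" in SAMPLE_CAPTURE[0][1])
    for src, reason in audit_sample():
        print(src, "->", reason)
```

The rogue message passes the authentication check because it carries the same default string the routers use, so the only signals left are the unexpected source address and the out-of-range priority; that is exactly why the plain-text string is described above as a guard against misconfiguration rather than against an attacker on the segment.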

HSRP States
Initial: the state in which all routers begin. It is entered via a configuration change or when an interface first comes up.
Learn: the router has not determined the virtual IP address and has not yet seen an authenticated hello message from the active router. In this state the router is still waiting to hear from the active router.
Listen: the router knows the virtual IP address but is neither the active nor the standby router. It listens for hello messages from those routers. All other routers participating in the HSRP group reside in this state.
Speak: the router sends periodic hello messages and actively participates in the election of the active or standby router. A router cannot enter the speak state unless it has the virtual IP address.
Standby: the router is a candidate to become the next active router and sends periodic hello messages. There must be at least one standby router in the HSRP group, besides the active router.
Active: the router is currently forwarding packets that are sent to the virtual MAC and IP address of the HSRP group, and sends periodic hello messages. There must be at least one active router in the group.

Election walk-through (HSRP standby group 1, Router A priority 100, Router B priority 50):
Router A: Initial, Learn, Listen, Speak, Standby, Active. Router A does not hear any router with a higher priority than itself, so it promotes itself to standby; it does not hear an active router, so it promotes itself to active.
Router B: Initial, Learn, Listen, Speak, then back to Listen when it hears that Router A has a higher priority, then Speak again and finally Standby once Router A is active. Any further routers remain in the listen state.

Configuring HSRP on Routers
  R1
  interface gig 0/2
  ip address 10.10.10.10 255.255.255.0
  standby 1 priority 120
  standby 1 ip 10.10.10.1
  R2
  interface gig 0/2
  ip address 10.10.10.11 255.255.255.0
  standby 1 priority 110
  standby 1 ip 10.10.10.1
R1 (10.10.10.10/24) and R2 (10.10.10.11/24) present the virtual router 10.10.10.1/24 to the hosts; R1 is active because of its higher priority.

HSRP Load Balancing
While a router is actively forwarding traffic for one HSRP group, it can be in the standby or listen state for another group. Each standby group emulates a single virtual router.

Note: there can be up to 255 standby groups on any VLAN or interface. Increasing the number of groups in which a router participates increases the management load on the router and may affect its performance for very large numbers of HSRP groups.
Both DLS1 and DLS2 are members of groups 1 and 2. DLS1 is the active forwarding router for group 1 and the standby router for group 2. DLS2 is the active forwarding router for group 2 and the standby router for group 1. Hosts are pointed at one virtual address or the other (group 2 uses 172.16.10.2), so both routers carry traffic while each still backs up the other.
  DLS1
  ip add 172.16.10.82 255.255.255.0
  standby 1 priority 200
  standby 2 priority 100
  standby 2 ip 172.16.10.2
  standby 2 preempt
  DLS2
  ip add 172.16.10.69 255.255.255.0
  standby 1 priority 100
  standby 2 priority 200
  standby 2 ip 172.16.10.2
  standby 2 preempt

Configuring HSRP Interface Tracking
In some situations, the status of an interface directly affects which router needs to become the active router. This is particularly true when each of the routers in an HSRP group has a different path to resources within the campus network.
Routers A and B exchange hello messages through their E0 interfaces, and Router A is the active router. The primary T1 link on Router A's S1 interface fails. Without HSRP, Router A would detect the failed link and send an ICMP redirect to the host, pointing it at Router B, and the host would then send its packets to Router B.

Configuring HSRP Interface Tracking Configuring HSRP Interface Tracking Active Router X Router A still sends HSRP Hello s. Active Router X Router A still sends HSRP Hello s. Hosts continue to send packets to Router A. Hosts continue to send packets to Router A. However, when HSRP is enabled, ICMP redirects are disabled. Enabling HSRP on a Cisco router interface automatically disables ICMP redirects to ensure that the actual addresses of the participating HSRP routers are not discovered. Although the S1 interface on router A is no longer functional, router A still sends hello messages out interface E0, indicating that router A is still the active router. Packets sent to the virtual router for forwarding to headquarters cannot be routed. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-53 Interface tracking enables the priority of a standby group router to be automatically adjusted based on availability of the other interfaces on that router. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-54 Configuring HSRP Interface Tracking Active Router X Router B assumes Active role after holdtime. Router A tracks S1 and automatically decrements its priority and stops sending hello messages. Hosts now send packets to Router B. The E0 interface on router A tracks the S1 interface. If the link between the S1 interface and headquarters fails, the router automatically decrements its priority on that interface (default by 10 per interface tracked) and stops transmitting hello messages out interface E0. Router B assumes the active router role when no hello messages are detected for the specific holdtime period. 2003, Cisco Systems, Inc. All rights reserved. 
Router A
interface Ethernet0
 ip address 171.16.6.5 255.255.255.0
 no ip redirects
 standby 1 priority 105
 standby 1 ip 171.16.6.100
 standby 1 track Serial1
interface Serial1
 ip address 171.16.2.5 255.255.255.0

Router B
interface Ethernet0
 ip address 171.16.6.6 255.255.255.0
 no ip redirects
 standby 1 priority 100
 ! the virtual IP must match Router A's standby 1 ip for the routers to share one group
 standby 1 ip 171.16.6.100
 standby 1 track Serial1
interface Serial1
 ip address 171.16.7.6 255.255.255.0
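The election rules the tracking slides describe (priority, the default decrement of 10 per failed tracked interface, preempt, and takeover once the active router stops sending hellos for the holdtime) can be checked with a small simulator. This is an added example, not Cisco's code or the slide's configuration; the HsrpRouter class, elect_active function and the rule that equal priorities do not preempt are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class HsrpRouter:
    name: str
    ip: str                                   # interface IP, the election tie-breaker
    priority: int = 100                       # 'standby <g> priority', default 100
    preempt: bool = False                     # 'standby <g> preempt'
    tracked: Dict[str, int] = field(default_factory=dict)  # tracked interface -> decrement
    failed: Set[str] = field(default_factory=set)          # tracked interfaces currently down
    sending_hellos: bool = True               # False once the router has gone silent

    def effective_priority(self) -> int:
        # every failed tracked interface lowers the priority by its decrement (default 10)
        drop = sum(dec for ifname, dec in self.tracked.items() if ifname in self.failed)
        return max(0, self.priority - drop)


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def elect_active(routers: List[HsrpRouter], current_active: Optional[str] = None) -> Optional[str]:
    """Name of the active router for one standby group.
    A fresh election picks the highest effective priority (highest IP breaks ties).
    An existing active router keeps the role until it stops sending hellos for the
    holdtime, or until a router with preempt and a strictly higher effective priority
    claims it (equal priorities do not preempt in this simplified model)."""
    alive = [r for r in routers if r.sending_hellos]
    if not alive:
        return None
    best = max(alive, key=lambda r: (r.effective_priority(), _ip_key(r.ip)))
    active = next((r for r in alive if r.name == current_active), None)
    if active is None:            # no active router, or it went silent: fresh election
        return best.name
    if best is not active and best.preempt and best.effective_priority() > active.effective_priority():
        return best.name
    return active.name


if __name__ == "__main__":
    # Router A / Router B from the tracking slide (constructed from the page's addresses)
    a = HsrpRouter("A", "171.16.6.5", 105, tracked={"Serial1": 10})
    b = HsrpRouter("B", "171.16.6.6", 100, tracked={"Serial1": 10})
    print(elect_active([a, b]))                              # A
    a.failed.add("Serial1")                                  # S1 link to headquarters fails
    a.sending_hellos = False                                 # per the slide, A stops sending hellos
    print(a.effective_priority(), elect_active([a, b], "A"))  # 95 B
    a.failed.clear(); a.sending_hellos = True                # S1 recovers; A has no preempt
    print(elect_active([a, b], "B"))                         # B keeps the active role
```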

(Figure: Before Failure / After Failure.)

VRRP
Implementing High Availability in a Campus Environment
Configuring Layer 3 Redundancy with VRRP

Like HSRP, VRRP is a default gateway redundancy method (RFC 2338).
Similar in functionality to HSRP, with slight differences in terminology and in operation.
Nevertheless, in enterprise and service provider networks, HSRP deployments far outnumber VRRP deployments.
At the time of this presentation, only available on the Catalyst 4500 and 6500.

VRRP

If you understand HSRP you will understand VRRP.
HSRP Active Router = VRRP Master Router (highest priority).
All other VRRP routers are in backup state (HSRP has only one Standby router).
VRRP group numbers: 0 to 255 (HSRP 0 to 255).
VRRP priority: 1 to 254 (HSRP 0 to 255); 254 is the highest (HSRP 255); 100 is the default (HSRP 100).
Virtual router MAC addresses: 0000.5e00.01xx, where xx = VRRP group number (HSRP uses 0000.0c07.acxx).
VRRP advertisements: sent every 1 second (HSRP every 3 seconds).
VRRP preempt: default (HSRP must be configured).
VRRP interface tracking: none (HSRP has interface tracking).
Multicast address and protocol: 224.0.0.18 (VRRP); HSRP uses 224.0.0.2 (all routers). VRRP uses IP protocol 112 (HSRP uses IP protocol 17, UDP).

VRRP

The virtual router can use a physical IP address or a virtual IP address.
Routers A, B, and C are VRRP-enabled routers. Routers A, B, and C form a virtual router, with 10.0.0.1 as the virtual IP address. The IP address of the virtual router is the same as that configured for the Ethernet interface of Router A (10.0.0.1). Because the virtual router uses the IP address of the physical Ethernet interface of router A, router A assumes the role of the master virtual router and is known as the IP address owner. Hosts 1 through 3 are configured with the default gateway IP address of 10.0.0.1. Routers B and C function as backup virtual routers. If the master virtual router fails, the router configured with the higher priority will become the master virtual router and provide uninterrupted service for the LAN hosts. When Router A recovers, it becomes the master virtual router again.

VRRP

The virtual router can use a physical IP address or a virtual IP address.

RouterA(config)#interface fa 0/1
RouterA(config-if)#ip address 10.0.0.1 255.255.255.0
RouterA(config-if)#vrrp 1 ip 10.0.0.1

Interface IP address = virtual IP address for the VRRP group. The owning router is the master in a VRRP group; the priority associated with that interface should be configured as 255. Otherwise, the highest priority wins the election and is the master. Backup values range from 1 to 254; the default value is 100.

VRRP Load Balancing

LAN topology in which VRRP is configured such that:
Router A is the default gateway for Hosts 1 and 2.
Router B is the default gateway for Hosts 3 and 4.
Each router acts as the backup virtual router if the other router fails.

VRRP

In terms of failover, the takeover time of a standby (backup) router to the active (master) role depends on two timers:
Advertisement interval: time interval between advertisements (seconds). The default is 1 second. Configurable.
Master-down interval: time interval for a backup to declare the master down (seconds). Not configurable; at least three times the value of the advertisement interval.
The higher the advertisement interval, the more time it takes to detect the failure of the master and hence to fail over.

GLBP
Implementing High Availability in a Campus Environment
Configuring Layer 3 Redundancy with GLBP

Cisco designed GLBP to:
Allow automatic selection and simultaneous use of multiple available gateways.
Provide automatic detection and failover to a redundant path in the event of failure of any active gateway.
GLBP allows for both of these without the extra administrative burden of configuring multiple groups and managing multiple default gateway configurations.
At the time of this presentation, only available on the Catalyst 6500.

GLBP

(Figure: one router, up to four members.)

A GLBP group has up to four member routers acting as IP default gateways, known as the Active Virtual Forwarders (AVFs).
GLBP:
Automatically manages the virtual MAC address assignment: 0007.b4xx.xxyy, where xx.xx (16 bits) = six 0 bits followed by the ten-bit GLBP group number, and yy = the virtual forwarder number.
Determines who handles the forwarding.
Ensures that each station has a forwarding path in the event of failures of gateways or tracked interfaces.
These functions are accomplished by one of the routers in the group acting as the active virtual gateway (AVG).

Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that group. The highest priority or highest IP address becomes the AVG.
GLBP priority: 1 to 255 (default = 100).
GLBP group numbers: 0 to 1023.
Other group members (AVFs) provide backup for the AVG in the event that the AVG becomes unavailable. The AVG assigns a virtual MAC address to each member of the GLBP group. Each gateway assumes responsibility for forwarding packets sent to the virtual MAC address assigned to it by the AVG. These gateways are known as active virtual forwarders (AVFs) for their virtual MAC address.

GLBP

(Figure: Client 1 sends an ARP Request for 10.21.8.10 and receives the ARP Reply 0007.b400.0101; it then sends packets encapsulated in frames to 0007.b400.0101. Client default gateway = 10.21.8.10; client MAC 000C.0417.91CC, IP 10.21.8.100.)

Router A is the AVG for a GLBP group, and is responsible for the virtual IP address 10.21.8.10. It is responsible for responding to ARP Requests for the default gateway (10.21.8.10) and handing out the MAC address of an AVF. Router A is also an AVF for the virtual MAC address 0007.b400.0101. Router B is a member of the same GLBP group and is designated as the AVF for the virtual MAC address 0007.b400.0102, with the same virtual IP address of 10.21.8.10. Client 1 has a default gateway IP address of 10.21.8.10 and a gateway MAC address of 0007.b400.0101. Client 2 shares the same default gateway IP address but receives the gateway MAC address 0007.b400.0102 because Router B is sharing the traffic load with Router A.

(Figure: Client 2 sends an ARP Request for 10.21.8.10 and receives the ARP Reply 0007.b400.0102; it then sends packets encapsulated in frames to 0007.b400.0102. Router A is marked as failed. Router B: "I'll take over as the AVG for the GLBP group. I will also be the AVF for frames sent to Router A's virtual MAC address and my own.")

GLBP timers: hello messages every 3 seconds; holdtime is 10 seconds.
Switch(config-if)# glbp group timers [msec] hellotime [msec] holdtime

If Router A becomes unavailable, Client 1 will not lose access to the WAN. Router B will assume responsibility for forwarding packets sent to the virtual MAC address of Router A and continues responding to packets sent to its own virtual MAC address. After a period of time (see the redirect and timeout timers), Router B will only use a single MAC address.
Router B will also assume the role of the AVG for the entire GLBP group. Communication for the GLBP members continues despite the failure of a router in the GLBP group.
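The virtual MAC layouts given on the VRRP comparison slide (0000.0c07.acxx for HSRP, 0000.5e00.01xx for VRRP) and the GLBP slides (0007.b4xx.xxyy with a 10-bit group and an 8-bit forwarder number) are enough to recognise, from a segment's ARP table, which redundancy protocol and group a gateway address belongs to, which is a useful inventory check when an unexpected gateway MAC shows up. This is an added example, not code from the slides or from Cisco; the function names, the `fhrp_gateways` helper and the constructed ARP table are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Virtual MAC layouts as given on the slides:
#   HSRP  0000.0c07.acxx   xx = HSRP group (0-255)
#   VRRP  0000.5e00.01xx   xx = VRRP group (0-255)
#   GLBP  0007.b4xx.xxyy   xxxx = six zero bits + 10-bit group (0-1023), yy = forwarder
HSRP_PREFIX, VRRP_PREFIX, GLBP_PREFIX = "00000c07ac", "00005e0001", "0007b4"


def _hex12(mac: str) -> str:
    """Normalise 0007.b400.0101 / 00:07:b4:00:01:01 / 0007b4000101 to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def classify_virtual_mac(mac: str) -> Optional[Dict[str, object]]:
    """Identify which FHRP (if any) a gateway MAC belongs to and decode its group."""
    h = _hex12(mac)
    if h.startswith(HSRP_PREFIX):
        return {"protocol": "HSRP", "group": int(h[10:], 16)}
    if h.startswith(VRRP_PREFIX):
        return {"protocol": "VRRP", "group": int(h[10:], 16)}
    if h.startswith(GLBP_PREFIX):
        xxxx = int(h[6:10], 16)
        if xxxx >> 10:                 # the six high bits must be zero for a GLBP MAC
            return None
        return {"protocol": "GLBP", "group": xxxx, "forwarder": int(h[10:], 16)}
    return None


def glbp_virtual_mac(group: int, forwarder: int) -> str:
    """Build the virtual MAC the AVG would assign to forwarder <forwarder> of <group>."""
    if not 0 <= group <= 1023 or not 1 <= forwarder <= 255:
        raise ValueError("GLBP group is 0-1023, forwarder number is 1-255")
    h = f"0007b4{group:04x}{forwarder:02x}"
    return f"{h[:4]}.{h[4:8]}.{h[8:]}"


def fhrp_gateways(arp_table: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """From (ip, mac) pairs, list the entries that resolve to an FHRP virtual MAC."""
    found = []
    for ip, mac in arp_table:
        info = classify_virtual_mac(mac)
        if info:
            found.append({"ip": ip, "mac": mac, **info})
    return found


if __name__ == "__main__":
    # Constructed ARP table: the two GLBP AVFs from the slides, a host MAC, and an HSRP group 2 gateway
    arp = [("10.21.8.10", "0007.b400.0101"), ("10.21.8.10", "0007.b400.0102"),
           ("10.21.8.100", "000C.0417.91CC"), ("172.16.10.2", "0000.0c07.ac02")]
    for entry in fhrp_gateways(arp):
        print(entry)
```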

GLBP Operation

GLBP supports the following operational modes for load balancing:
Round-robin load-balancing algorithm: each virtual forwarder MAC address takes turns being included in address resolution replies for the virtual IP address. The round-robin load-balancing algorithm is the default.
Weighted load-balancing algorithm: the amount of load directed to an AVF depends on the weighting value advertised by the gateway containing that AVF.
Host-dependent load-balancing algorithm: a host is guaranteed to use the same virtual MAC address as long as that virtual MAC address is participating in the GLBP group.

GLBP Operation

Hosts A and B send their off-network traffic to separate next-hop routers because they each have cached a different MAC address for the single virtual gateway IP address, in this case 10.88.1.10. Each GLBP router is an AVF for the MAC address it has been assigned.

GLBP Interface Tracking

Like HSRP, GLBP can be configured to track interfaces. The tracked object is defined in global configuration and then bound to the GLBP group's weighting on the interface:
Router(config)# track 1 interface serial1/0 line-protocol
Router(config-if)# glbp 1 weighting track 1
The link from router R1 is lost. GLBP detects the failure.

GLBP Interface Tracking

The responsibility for forwarding packets destined for virtual MAC 1 is taken over by the secondary virtual forwarder (router R2).

Summary

VRRP provides router redundancy in a manner similar to HSRP.
VRRP supports a master and one or more backup routers.
VRRP and GLBP are configured per interface.
GLBP provides router redundancy and load balancing.
GLBP balances traffic by allocating a virtual MAC address to each AVF.