
Ch. 6 FHRP and HSRP

CIS 187 Multilayer Switched Networks


CCNP version 7
Rick Graziani
Spring 2016
Implementing High Availability
To achieve high network availability, the following network components are
required:
Reliable, fault-tolerant network devices: Hardware and software
reliability to automatically identify and overcome failures.
Device and link redundancy:
  Devices
  Device modules
  Links
Resilient network technologies: Fast recovery for devices or links.
Optimized network design: Well-defined network topologies and
configurations to ensure no single point of failure.
Best practices: Documented procedures for deploying and
maintaining a robust e-commerce network infrastructure.
Change control: Better control over changes made to network
devices and maintenance of documentation regarding those changes.

High Availability

Single Forwarding Path vs Redundancy
[Figure: two panels, "Single Forwarding Path" and "Adding Redundancy"]

Implementing High Availability
Redundancy does not mean co-located in the same physical location.
  Power outage
Paraphrasing Jim Warner, Network Engineer at UCSC: When adding
redundancy, know what you are trying to protect yourself from. It doesn't
help to have redundant devices when there is a power failure, or redundant
links when the cables are in the same conduit.

Implementing Default Gateway Router
Redundancy in Multilayer Switched Networks
Examples of (non-redundant) dynamic router discovery are as
follows:
Static/DHCP
Host is statically configured or uses DHCP.
Proxy ARP
The host uses Address Resolution Protocol (ARP) to determine
the next-hop MAC address for off-network destinations.
Local routers respond to the ARP request with their own MAC
address.
Routing protocol
The host listens to dynamic routing protocol updates (for
example, EIGRP) and forms its own routing table.
ICMP Router Discovery Protocol (IRDP) client
The host runs an Internet Control Message Protocol (ICMP)
router discovery client.

Static or DHCP
The most common method of
providing a host with a default
gateway address is:
Static configuration
DHCP
Advantage of DHCP:
Simplifies end-device
configuration
Disadvantage of DHCP:
Creates a single point of
failure.
If the default gateway fails, the
end device is limited to
communicating only on the
local IP network segment and
is cut off from the rest of the
network.

Proxy ARP
Host A: "I am on the 172.16.0.0/16 network so I can reach 172.16.20.200!"

Router has Proxy ARP enabled on all interfaces.
Host A has a /16 subnet mask.
Host A believes that it is directly connected to all of network 172.16.0.0/16.
Host A is really on the 172.16.10.0/24 network, as segmented by the router, but Host A does not know that.
Host A has a packet to send to Host D.
Host A believes that Host D is directly connected.
Host A sends an ARP request to Host D.

Proxy ARP
ARP Request: "Hey everyone on my network, whoever is 172.16.20.200, send me your Ethernet MAC Address!"

To reach Host D (172.16.20.200), Host A needs the MAC address of Host D.
Layer 2, Ethernet broadcast (FFFF.FFFF.FFFF).
The ARP request reaches all nodes in Subnet A.
The broadcast will not reach Host D.

Proxy ARP
[Figure: Host A's ARP table; Proxy ARP Reply from Router to Host A]
Since the router knows that the target address (172.16.20.200) is on another subnet and can reach Host D, it will reply with its own MAC address to Host A.
ARP Request/Reply: "I can reach 172.16.20.200 on another network, so I will reply to Host A with my MAC address."

Proxy ARP
[Figure: Host A's ARP table]
From now on Host A will forward all the packets that it wants to reach 172.16.20.200 (Host D) to the MAC address 00-00-0c-94-36-ab (router).
All packets destined to Subnet B are sent to the router, including this packet for Host B.
The router forwards the packets to Host B and also for other hosts in Subnet B.

Non-Proxy ARP
Host A's ARP table: 172.16.20.200 = 00-00-0c-94-36-bb
Different situation and addresses:
  Host A pings Host B.
  Host B has the IP address 172.16.20.200/24.
[Figure: ARP Request from Host A; Host B at 172.16.20.200/24, MAC 0000.0c94.36bb; ARP Request/Reply]
What if Host A has a packet to send Host B?
In this case, both the Router and Host B will receive the ARP Request (MAC broadcast).
  Switch floods the broadcast.
Host B will send an ARP Reply.

Proxy ARP
Router(config)# ip arp proxy disable
  Disables Proxy ARP globally
Router(config)# interface Fa 0/0
Router(config-if)# no ip proxy-arp
  Disables Proxy ARP per interface

Proxy ARP is enabled by default.
Proxy ARP can be disabled globally or on a per interface basis.
Proxy ARP should be used on the network where IP hosts are not configured with default gateway.
Disadvantages of Proxy ARP:
  It increases the amount of ARP traffic on your segment (instead of one default gateway, ARPing for several hosts).
  Security may be undermined. A machine can claim to be another in order to intercept packets, an act called "spoofing."

Proxy ARP
[Figure: packets sent toward the failed router are dropped]
Limited redundancy with Proxy ARP.
If the responsible router fails, the host continues to send packets for the destination to the MAC address of that router.
Those packets subsequently are discarded.

Proxy ARP
Once ARP flushes the entry due to flush timer expiry, the host recovers the default gateway MAC address.
Nevertheless, Cisco does not recommend the use of proxy ARP, because it makes troubleshooting very difficult.
Router down, but Host ARP entry is still Router A, packets continue to get dropped.
Once ARP entry times out on host, it will send another ARP Request.
Router B will send a Proxy ARP Reply with its MAC address.
Host now sends packets to Router B for File Server A.

IRDP ICMP Router Discovery Message Protocol

Need for First Hop Redundancy Protocols
If the default gateway fails, a host will be unable to send packets to another subnet.
Even if a redundant router exists that could serve as a default gateway for that subnet, there is no dynamic method by which these devices can determine the address of a new default gateway.
With first-hop router redundancy, a set of routers or Layer 3 switches work together to present the illusion of a single virtual router to the hosts on the LAN.
By sharing an IP address and a MAC (Layer 2) address, two or more routers can act as a single virtual router.

Redundancy Protocols
Cisco IOS offers several features to provide a redundant default
gateway to end devices.
The following are the default gateway redundancy features
supported by Cisco IOS routers and switches:
Hot Standby Router Protocol (HSRP)
Virtual Router Redundancy Protocol (VRRP)
Gateway Load Balancing Protocol (GLBP)

HSRP
Hot Standby Router Protocol
HSRP (Hot Standby Router Protocol)
Cisco proprietary protocol
RFC 2281
Method of providing IP address sharing and redundancy for default gateways.
The protocol consists of a:
  Virtual MAC address
  IP address
Shared between two routers:
  Active Router
  Standby Router
Routers exchange HSRP hello messages at regular intervals.

One standby router: The backup router in case the active router fails for the subnet. It will then forward traffic destined to the virtual IP address.
One virtual router: The virtual router is not an actual router. Represents the HSRP group acting as one virtual router. It is the default gateway as far as hosts on the subnet are concerned.
One active router: The active router forwards traffic destined to the virtual IP address.

[Figure: Host: "My default gateway is 172.16.10.1". Host ARP table: 172.16.10.1 = 0000.0c07.ac01. Routers 172.16.10.202 (0010.0b79.5800) and 172.16.10.201 (0010.f6b3.d000) with virtual router 172.16.10.1 (0000.0c07.ac01)]

The host connected to the switch sends the packet destined for the virtual router, but in reality the active router does the packet forwarding.
Note: Additional HSRP member routers: Other routers are neither active nor standby, but they are configured to participate in the same HSRP group.
They monitor the current active and standby routers and transition into one of those roles if the current router fails for the subnet.

[Figure: Host ARP table: 172.16.10.1 = 0000.0c07.ac01. Router 172.16.10.202 (0010.0b79.5800) sends HSRP Hellos: Standby; router 172.16.10.201 (0010.f6b3.d000) sends HSRP Hellos: Active]

The active router assumes and maintains its active role through the transmission of hello messages (default every 3 seconds).
  Sent by active and standby routers.
  Multicast 224.0.0.2 (all routers) using UDP port 1985
The router with the highest standby priority becomes the active router.
  0 to 255
  Default = 100 (configurable)
  Otherwise, the router with the highest IP address
When the preempt option is not configured, the first router to initialize HSRP becomes the active router. (May not be what you want!)

[Figure: Host ARP table: 172.16.10.1 = 0000.0c07.ac01. Router 172.16.10.202 (0010.0b79.5800) sends HSRP Hellos: Standby]

The second router in the HSRP group to initialize or second highest priority is
elected as the standby router.
Monitor the operational status of the HSRP group
Quickly assumes packet-forwarding responsibility if the active router becomes
inoperable.
The standby router also transmits hello messages to inform all other routers in the
group of its standby router role and status.

[Figure: Host ARP table: 172.16.10.1 = 0000.0c07.ac01. Active router: "I receive and forward packets sent to the virtual router."]

The virtual router presents a consistent available router (default gateway) to the hosts.
Assigned its:
Own IP address
Own virtual MAC address
The active router acting as the virtual router actually forwards the packets.
Additional HSRP member routers: These routers in listen state monitor the hello
messages but do not respond.
Do forward any packets addressed to the routers' IP addresses.
Do not forward packets destined for the virtual router because they are not the
active router.

[Figure: Host ARP table: 172.16.10.1 = 0000.0c07.ac01. Standby router: "I don't see Hellos from Active (10 secs), so I will receive and forward packets sent to the virtual router." It becomes the New Active Router and sends HSRP Hellos: Active]

When the active router fails, the other HSRP routers stop receiving hello messages
and the standby router assumes the role of the active router.
When the holdtime expires (default 10 seconds).
Because the new active router assumes both the IP address and virtual MAC
address of the virtual router, the end stations see no disruption in service.

[Figure: Host ARP table: 172.16.10.1 = 0000.0c07.ac01. Routers 172.16.10.202 (0010.0b79.5800) and 172.16.10.201 (0010.f6b3.d000) with virtual router 172.16.10.1 (0000.0c07.ac01)]

When only the active router fails:
  Standby takes over.
  If there are other routers participating in the group, those routers then contend to be the new standby router.
  The new active router remains the forwarding router even when the former active router with the higher priority regains service in the network, unless preempt is configured (coming).
If both the active and standby routers fail:
  All routers in the HSRP group contend for the active and standby router roles.

Virtual IP
[Figure: DLS1 priority 200, DLS2 priority 100]
To configure a router as a member of an HSRP standby group, enter this command in interface configuration mode:
(Physical interface or VLAN interface if VLANs are used)

Switch(config-if)#standby group-number ip virtual-ip-address

group-number refers to the HSRP standby group number.
  The group number can range from 0 to 255.
virtual-ip-address indicates the virtual IP address of the HSRP group.

DLS1
interface vlan 10
 ip add 172.16.10.201 255.255.255.0
 standby 1 priority 200
 standby 1 ip 172.16.10.1
 standby 1 preempt

DLS2
interface vlan 10
 ip add 172.16.10.202 255.255.255.0
 standby 1 priority 100
 standby 1 ip 172.16.10.1
 standby 1 preempt

Virtual IP
[Figure: priorities 200, 210 and 220 on one switch, 100 on the other]

Switch(config-if)#standby group-number ip virtual-ip-address

group-number refers to the HSRP standby group number.
  The group number can range from 0 to 255.
  0 is the default
  Most Cisco switches support only up to 16 groups.
Each VLAN does NOT have to have its own group number.
  Group numbers are locally significant to that VLAN or interface.

DLS1
interface vlan 10
 ip add 172.16.10.201 255.255.255.0
 standby 1 priority 200
 standby 1 ip 172.16.10.1
 standby 1 preempt
interface vlan 20
 ip add 172.16.20.202 255.255.255.0
 standby 1 priority 210
 standby 1 ip 172.16.20.1
 standby 1 preempt
interface vlan 30
 ip add 172.16.30.202 255.255.255.0
 standby 1 priority 220
 standby 1 ip 172.16.30.1
 standby 1 preempt

Priority
[Figure: DLS1 priority 200, DLS2 priority 100]
To set the priority value of a router, enter this command in interface configuration mode:

Switch(config-if)#standby group-number priority priority-value

The priority-value indicates the number that prioritizes a potential standby router.
  The range is 0 to 255; the default is 100.
  Some documentation states 1 to 255.
During the election process, the router in an HSRP group with the highest priority becomes the forwarding router.
If several routers have the same priority, the physical IP address of the router's interface is used as a tiebreaker.
  The router with the numerically highest IP address wins.
In reality the router that boots up first will most likely become the active router.
  Best to use the preempt command (coming)

DLS1
interface vlan 10
 ip add 172.16.10.201 255.255.255.0
 standby 1 priority 200
 standby 1 ip 172.16.10.1
 standby 1 preempt

DLS2
interface vlan 10
 ip add 172.16.10.202 255.255.255.0
 standby 1 priority 100
 standby 1 ip 172.16.10.1
 standby 1 preempt

Timers
Both the hellotime and the holdtime parameters are configurable.

Switch(config-if)# standby group timers [msec] hellotime [msec] holdtime

Hellotime
  Default = 3 seconds
  Value varies from 1 to 255.
Holdtime
  Default = 10 seconds
  Value varies from 1 to 255.

Timers will be in milliseconds (1/1,000th of a second) if the msec keyword precedes a value.

To reinstate the default standby timer values, enter the following command:
no standby group-number timers

HSRP Group Identifier
[Figure: DLS1 priority 200, DLS2 priority 100]
DLS1 has a priority of 200.
DLS2 has a default priority of 100.
Who is the active router?
DLS1 assumes the active router role and forwards all frames addressed to the well-known MAC address of:
  0000.0c07.acxx
  where xx is the HSRP group identifier.

DLS1
interface vlan 10
 ip add 172.16.10.201 255.255.255.0
 standby 1 priority 200
 standby 1 ip 172.16.10.1
 standby 1 preempt

DLS2
interface vlan 10
 ip add 172.16.10.202 255.255.255.0
 standby 1 priority 100
 standby 1 ip 172.16.10.1
 standby 1 preempt

If the HSRP group number of router A is 01, the MAC address that corresponds to the virtual IP address is 0000.0c07.ac01.
If the HSRP group number of router A is 47, the MAC address that corresponds to the virtual IP address is 0000.0c07.ac2f.
  Group number (47) converted to hexadecimal (2f).

Preempt
[Figure: DLS1 priority 200, DLS2 priority 100]
The standby router automatically assumes the active router role when the active router fails or is removed from service.
This new active router remains the forwarding router even when the former active router with the higher priority regains service in the network.
The former active router can be configured to resume the forwarding router role from a router with a lower priority.
To enable a router to resume the active state after a state change, enter the following command in interface configuration mode:

Switch(config-if)#standby group-number preempt [delay [minimum seconds] [reload seconds]]

To remove the interface from preemptive status, enter the following command:

Switch(config-if)#no standby group-number preempt

DLS1
interface vlan 10
 ip add 172.16.10.201 255.255.255.0
 standby 1 priority 200
 standby 1 ip 172.16.10.1
 standby 1 preempt

DLS2
interface vlan 10
 ip add 172.16.10.202 255.255.255.0
 standby 1 priority 100
 standby 1 ip 172.16.10.1
 standby 1 preempt

Delay
[Figure: DLS1 priority 200, DLS2 priority 100]

Switch(config-if)#standby group-number preempt [delay [minimum seconds] [reload seconds]]

Default: Router will immediately preempt another router that has an active role.
minimum: Router will wait for (0 to 3600 seconds) before attempting to overthrow the active router with a lower priority.
  This time begins as soon as the router is capable of assuming the active role.
    Interface comes up
    HSRP is configured
reload: Router will wait for (0 to 3600 seconds) after it has been reloaded or restarted before attempting to overthrow the active router with a lower priority.
  This is helpful when you need time for the routing protocol to converge.

DLS1
interface vlan 10
 ip add 172.16.10.201 255.255.255.0
 standby 1 priority 200
 standby 1 ip 172.16.10.1
 standby 1 preempt

DLS2
interface vlan 10
 ip add 172.16.10.202 255.255.255.0
 standby 1 priority 100
 standby 1 ip 172.16.10.1
 standby 1 preempt

Plain Text Authentication
[Figure: DLS1 priority 200, DLS2 priority 100]

Switch(config-if)# standby group-number authentication string

Sent in plain text to authenticate HSRP peers.
Can be easily intercepted and used to impersonate a legitimate peer.
Intended only to prevent peers with a default configuration (no authentication) from participating in HSRP.

DLS1
interface vlan 10
 ip add 172.16.10.201 255.255.255.0
 standby 1 priority 200
 standby 1 ip 172.16.10.1
 standby 1 preempt
 standby 1 authentication nosecret

DLS2
interface vlan 10
 ip add 172.16.10.202 255.255.255.0
 standby 1 priority 100
 standby 1 ip 172.16.10.1
 standby 1 preempt
 standby 1 authentication nosecret

MD5 Authentication
[Figure: DLS1 priority 200, DLS2 priority 100]

Switch(config-if)# standby group-number authentication md5 key-string [0|7] string

Message Digest 5 (MD5) hash is computed on a portion of each HSRP message.
More secure than plain text authentication.
Can use key chains when using multiple keys:

Switch(config-if)# standby group authentication md5 key-chain hsrp1
Switch(config)# key chain hsrp1
Switch(config-keychain)# key 1
Switch(config-keychain-key)# key-string secretkey

DLS1
interface vlan 10
 ip add 172.16.10.201 255.255.255.0
 standby 1 priority 200
 standby 1 ip 172.16.10.1
 standby 1 preempt
 standby 1 authentication md5 key-string nosecret

DLS2
interface vlan 10
 ip add 172.16.10.202 255.255.255.0
 standby 1 priority 100
 standby 1 ip 172.16.10.1
 standby 1 preempt
 standby 1 authentication md5 key-string nosecret

MD5 and HSRP:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gthsrpau.html
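
Why the plain-text string on the Plain Text Authentication slide gives no protection, shown from the monitoring side: this added example (not part of the original slides) decodes HSRP version 1 messages using the 20-byte layout from RFC 2281 and reports what a listener on the VLAN can read. The peer list, function names and sample messages are constructed for illustration; any bytes after the first 20 are ignored.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

HSRP_V1_LEN = 20  # fixed HSRP version 1 message size (RFC 2281), carried in UDP 1985
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco"  # RFC 2281 value when no authentication string is configured


@dataclass
class HsrpMessage:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: IPv4Address


def parse_hsrp_v1(payload: bytes) -> HsrpMessage:
    """Decode the UDP payload of one HSRP version 1 message."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("payload shorter than 20 bytes")
    ver, op, st, hello, hold, prio, grp, _rsvd, auth, vip = struct.unpack(
        "!8B8s4s", payload[:HSRP_V1_LEN])
    if ver != 0:  # HSRP version 1 carries 0 in the version field
        raise ValueError(f"unexpected version field {ver}")
    if op not in OPCODES or st not in STATES:
        raise ValueError("unknown opcode or state")
    return HsrpMessage(OPCODES[op], STATES[st], hello, hold, prio, grp,
                       auth.rstrip(b"\x00"), IPv4Address(vip))


def audit_hello(src_ip, payload, peers, group, virtual_ip):
    """Return findings for one captured message; an empty list means nothing to report."""
    try:
        msg = parse_hsrp_v1(payload)
    except ValueError as exc:
        return [f"malformed HSRP message from {src_ip}: {exc}"]
    findings = []
    if msg.group != group or msg.virtual_ip != IPv4Address(virtual_ip):
        findings.append(f"unexpected group/virtual IP {msg.group}/{msg.virtual_ip}")
    if src_ip not in peers:
        findings.append(f"{msg.opcode} from {src_ip}, which is not a configured peer "
                        f"(state {msg.state}, priority {msg.priority})")
    if msg.auth == DEFAULT_AUTH:
        findings.append("default authentication string in use")
    elif msg.auth:
        findings.append("plain-text authentication string readable on the wire: "
                        f"{msg.auth.decode('ascii', 'replace')!r}")
    return findings


def sample_message(op, state, priority, auth, group=1, vip="172.16.10.1"):
    """Build constructed sample bytes for the checks below (nothing is sent)."""
    return struct.pack("!8B8s4s", 0, op, state, 3, 10, priority, group, 0,
                       auth, IPv4Address(vip).packed)


PEERS = {"172.16.10.201", "172.16.10.202"}  # DLS1 and DLS2 from the slides
SAMPLES = [  # constructed captures: (source IP, UDP payload)
    ("172.16.10.201", sample_message(0, 16, 200, b"nosecret")),  # DLS1, Active
    ("172.16.10.202", sample_message(0, 8, 100, b"nosecret")),   # DLS2, Standby
    ("172.16.10.66", sample_message(0, 4, 110, b"nosecret")),    # not a configured peer
]


def run_samples():
    return {src: audit_hello(src, data, PEERS, 1, "172.16.10.1") for src, data in SAMPLES}


if __name__ == "__main__":
    for src, findings in run_samples().items():
        print(src, findings)
```

Every sample, including the two legitimate peers, yields the readable "nosecret" finding, which is the reason to prefer the MD5 form.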

HSRP States
Initial state: All routers begin in the initial state. This state is entered via a configuration change or when an interface is initiated.
Learn state: The router has not determined the virtual IP address, and has not yet seen a hello message from the active router. In this state, the router is still waiting to hear from the active router.
Listen state: The router knows the virtual IP address, but is neither the active router nor the standby router. All other routers participating in the HSRP group besides the active or standby routers reside in this state.
Speak state: In the speak state, routers send periodic hello messages and actively participate in the election of the active or standby router. The router remains in the speak state unless it becomes an active or standby router.
Standby state: In the standby state, the HSRP router is a candidate to become the next active router and sends periodic hello messages. There must be at least one standby router in the HSRP group.
Active state: In the active state, the router is currently forwarding packets that are sent to the virtual MAC and IP address of the HSRP group. The active router also sends periodic hello messages.

HSRP Standby Group 1
HSRP States
Router A (Priority 100)    Router B (Priority 50)
Initial                    Initial
Learn                      Learn
Listen                     Listen
Speak                      Speak
Standby                    Listen
Active                     Speak
                           Standby
Listen: All other routers remain in this state.
Router A does not hear any higher priority than itself, so promotes itself to standby.
Router B hears that router A has a higher priority, so router B returns to the listen state.
Router A does not hear an active router, so promotes itself to active.

Configuring HSRP on Routers
[Figure: R1 10.10.10.10/24, Virtual Router 10.10.10.1/24, R2 10.10.10.11/24]

R1
interface gig 0/2
 ip address 10.10.10.10 255.255.255.0
 standby 1 priority 120
 standby 1 preempt
 standby 1 ip 10.10.10.1

R2
interface gig 0/2
 ip address 10.10.10.11 255.255.255.0
 standby 1 priority 110
 standby 1 preempt
 standby 1 ip 10.10.10.1

HSRP Load Balancing
[Figure: four hosts; two use Gateway: 172.16.10.1 and two use Gateway: 172.16.10.2]

While a router is actively forwarding traffic for one HSRP group, it can be in the standby or listen state for another group.
Each standby group emulates a single virtual router.

HSRP Load Balancing
[Figure: four hosts; two use Gateway: 172.16.10.1 and two use Gateway: 172.16.10.2]
Note: There can be up to 255 standby groups on any VLAN or interface.
Increasing the number of groups in which a router participates increases the management load on the router and may affect the performance of the router for very large numbers of HSRP groups.

Both DLS1 and DLS2 are members of groups 1 and 2.
DLS1:
  Active forwarding router for group 1
  Standby router for group 2.
DLS2:
  Active forwarding router for group 2
  Standby router for group 1.

Load balancing HSRP
[Figure: virtual IP 172.16.10.1 with priorities 200 and 100; virtual IP 172.16.10.2 with priorities 100 and 200; four hosts, two using Gateway: 172.16.10.1 and two using Gateway: 172.16.10.2]

DLS1
interface vlan 10
 ip add 172.16.10.82 255.255.255.0
 standby 1 priority 200
 standby 1 ip 172.16.10.1
 standby 1 preempt
 standby 2 priority 100
 standby 2 ip 172.16.10.2
 standby 2 preempt

DLS2
interface vlan 10
 ip add 172.16.10.169 255.255.255.0
 standby 1 priority 100
 standby 1 ip 172.16.10.1
 standby 1 preempt
 standby 2 priority 200
 standby 2 ip 172.16.10.2
 standby 2 preempt

Configuring HSRP Interface Tracking
[Figure: topology with the Active Router labelled]

In some situations, the status of an interface directly affects which router needs to become the active router.
This is particularly true when each of the routers in an HSRP group has a different path to resources within the campus network.
Routers A and B are exchanging hello messages through their E0 interfaces.

Configuring HSRP Interface Tracking
[Figure: the Active Router's link fails (X). Router A sends ICMP Redirect to Host, pointing it to Router B. Host now sends packets to Router B.]

Primary T1 link experiences a failure.
Without HSRP enabled, router A would detect the failed link and send an ICMP redirect to router B.

Configuring HSRP Interface Tracking
[Figure: the Active Router's link fails (X). Router A still sends HSRP Hellos. Hosts continue to send packets to Router A.]

However, when HSRP is enabled, ICMP redirects are disabled.
Enabling HSRP on a Cisco router interface automatically disables ICMP redirects to ensure that the actual addresses of the participating HSRP routers are not discovered.
Although the S1 interface on router A is no longer functional, router A still sends hello messages out interface E0, indicating that router A is still the active router.
Packets sent to the virtual router for forwarding to headquarters cannot be routed.

Configuring HSRP Interface Tracking
[Figure: the Active Router's link fails (X). Router A still sends HSRP Hellos. Hosts continue to send packets to Router A.]

Interface tracking enables the priority of a standby group router to be automatically adjusted based on availability of the other interfaces on that router.

Configuring HSRP Interface Tracking
[Figure: the Active Router's link fails (X). Router A tracks S1 and automatically decrements its priority and stops sending hello messages. Router B assumes Active role after holdtime. Hosts now send packets to Router B.]

The E0 interface on router A tracks the S1 interface.
If the link between the S1 interface and headquarters fails, the router automatically decrements its priority on that interface (default by 10 per interface tracked) and stops transmitting hello messages out interface E0.
Router B assumes the active router role when no hello messages are detected for the specific holdtime period.

Router A
interface Ethernet0
 ip address 171.16.6.5 255.255.255.0
 no ip redirects
 standby 1 priority 105
 standby 1 preempt
 standby 1 ip 171.16.6.100
 standby 1 track Serial1
interface Serial1
 ip address 171.16.2.5 255.255.255.0

Router B
interface Ethernet0
 ip address 171.16.6.6 255.255.255.0
 no ip redirects
 standby 1 priority 100
 standby 1 preempt
 standby 1 ip 171.16.6.100
 standby 1 track Serial1
interface Serial1
 ip address 171.16.7.6 255.255.255.0

Before Failure
RouterA#show standby
Ethernet0 - Group 1
Local state is Active, priority 105, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:01.028
Hot standby IP address is 171.16.6.100 configured
Active router is local
Standby router is 171.16.6.6 expires in 00:00:08
Tracking interface states for 1 interface, 1 up:
Up Serial1

RouterB#show standby
Ethernet0 - Group 1
Local state is Standby, priority 100, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:00.772
Hot standby IP address is 171.16.6.100
Active router is 171.16.6.5 expires in 00:00:09
Standby router is local
Standby virtual mac address is 0000.0c07.ac01
Tracking interface states for 1 interface, 1 up:
Up Serial1

After Failure
RouterA#show standby
Ethernet0 - Group 1
Local state is Standby, priority 95, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:01.028
Hot standby IP address is 171.16.6.100 configured
Active router is 171.16.6.6 expires in 00:00:08
Standby router is local
Tracking interface states for 1 interface, 0 up:
Down Serial1
RouterB#show standby
Ethernet0 - Group 1
Local state is Active, priority 100, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:00.772
Hot standby IP address is 171.16.6.100
Active router is local
Standby router is 171.16.6.5 expires in 00:00:09
Standby virtual mac address is 0000.0c07.ac01
Tracking interface states for 1 interface, 1 up:
Up Serial1
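
The priority arithmetic behind the two `show standby` captures (105 drops to 95, and Router B at 100 with preempt becomes active), as an added example that is not part of the original slides. It is a simplified model of the election rules stated in this deck: tracked-interface decrement, highest priority wins, highest IP address as tiebreaker, and takeover of a sitting active router only by a preempt-enabled peer with a higher priority. The class and function names are constructed, and `failover_gaps` goes one step further by listing tracked-interface failures that would not move the active role.

```python
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100          # HSRP default priority
    preempt: bool = False
    decrement: int = 10          # default decrement per tracked interface
    tracked: dict = field(default_factory=dict)  # interface name -> is it up?

    def effective_priority(self) -> int:
        down = sum(1 for up in self.tracked.values() if not up)
        return max(0, self.priority - down * self.decrement)

    def rank(self):
        # Election order: highest priority, then numerically highest IP address.
        return (self.effective_priority(), int(IPv4Address(self.ip)))


def next_active(routers, current=None):
    """Name of the active router after the group re-evaluates.

    current is the sitting active router, or None when no active router is heard.
    """
    by_name = {r.name: r for r in routers}
    if current not in by_name:
        return max(routers, key=Router.rank).name
    holder = by_name[current]
    challengers = [r for r in routers
                   if r.preempt and r.effective_priority() > holder.effective_priority()]
    return max(challengers, key=Router.rank).name if challengers else holder.name


def build_group(a_priority=105, b_preempt=True):
    """Router A and Router B as configured on the slide (parameters allow variations)."""
    a = Router("RouterA", "171.16.6.5", a_priority, True, tracked={"Serial1": True})
    b = Router("RouterB", "171.16.6.6", 100, b_preempt, tracked={"Serial1": True})
    return [a, b]


def simulate(a_priority=105, b_preempt=True):
    """Active router before the Serial1 failure, after it, and after Serial1 recovers."""
    group = build_group(a_priority, b_preempt)
    before = next_active(group)
    group[0].tracked["Serial1"] = False
    after = next_active(group, before)
    group[0].tracked["Serial1"] = True
    recovered = next_active(group, after)
    return before, after, recovered


def failover_gaps(routers):
    """Tracked-interface failures that would leave the failing router active."""
    gaps = []
    for r in routers:
        for ifname in r.tracked:
            trial = [replace(x, tracked=dict(x.tracked)) for x in routers]
            me = next(x for x in trial if x.name == r.name)
            me.tracked[ifname] = False
            if next_active(trial, r.name) == r.name:
                gaps.append(f"{r.name}: losing {ifname} leaves it active "
                            f"at priority {me.effective_priority()}")
    return gaps


if __name__ == "__main__":
    print("slide config:       ", simulate())
    print("B without preempt:  ", simulate(b_preempt=False))
    print("A priority 120:     ", simulate(a_priority=120))
    print("gaps, A priority 120:", failover_gaps(build_group(a_priority=120)))
```

With the slide's values the role moves to Router B and back; removing preempt from Router B, or giving Router A a priority more than one decrement above its peer, keeps Router A active with its uplink down.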

For more information
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a91.shtml

VRRP
Virtual Router Redundancy Protocol
VRRP
Like HSRP, VRRP is a default gateway redundancy method.
  RFC 2338
Similar in functionality to HSRP.
  Slight differences in terminology and in operation.
Nevertheless, in enterprise and service provider networks, HSRP deployments far outnumber VRRP deployments.
At the time of this presentation only available in Catalyst 4500 and 6500.

VRRP
If you understand HSRP you will understand VRRP.
HSRP Active Router = VRRP Master Router (highest priority).
All other VRRP routers are in backup state (HSRP only one Standby router).
VRRP group numbers:
  0 to 255 (HSRP 0 to 255)
VRRP priority: 1 to 254 (HSRP 0 to 255)
  254 is the highest (HSRP 255)
  100 is default (HSRP 100)
Virtual router MAC addresses:
  0000.5e00.01xx, xx = VRRP group number
  (0000.0c07.acxx HSRP)
VRRP advertisements:
  Sent every 1 second (HSRP every 3 seconds)
VRRP preempt:
  Default (HSRP must be configured)
VRRP interface tracking:
  None (HSRP has interface tracking)
Multicast address and protocol:
  224.0.0.18 (VRRP) (HSRP uses 224.0.0.2 all routers)
  IP protocol 112 (HSRP protocol 17 for UDP)

VRRP
The virtual router can use a physical IP address or a virtual IP address.

Routers A, B, and C are VRRP-enabled routers.
Routers A, B, and C form a virtual router, with 10.0.0.1 as the virtual IP address.
  IP address of the virtual router is the same as that configured for the Ethernet interface of Router A (10.0.0.1).
Because the virtual router uses the IP address of the physical Ethernet interface of router A, router A assumes the role of the master virtual router and is known as the IP address owner.
Hosts 1 through 3 are configured with the default gateway IP address of 10.0.0.1.
Routers B and C function as backup virtual routers.
If the master virtual router fails, the router configured with the higher priority will become the master virtual router and provide uninterrupted service for the LAN hosts.
When Router A recovers, it becomes the master virtual router again.

VRRP

RouterA(config)#interface fa 0/1
RouterA(config-if)#ip address 10.0.0.1 255.255.255.0
RouterA(config-if)#vrrp 1 ip 10.0.0.1
RouterB(config)#interface fa 0/1
RouterB(config-if)#ip address 10.0.0.2 255.255.255.0
RouterB(config-if)#vrrp 1 ip 10.0.0.1
RouterC(config)#interface fa 0/1
RouterC(config-if)#ip address 10.0.0.3 255.255.255.0
RouterC(config-if)#vrrp 1 ip 10.0.0.1


VRRP

RouterA(config)#interface fa 0/1
RouterA(config-if)#ip address 10.0.0.1 255.255.255.0
RouterA(config-if)#vrrp 1 ip 10.0.0.1
RouterA(config-if)#vrrp 1 priority 255

Interface IP address = Virtual IP address for the VRRP group
  Owning router is the master in a VRRP group
  The priority associated with that interface should be configured as 255.
Otherwise, the highest priority wins the election and is the master.
  Backup values range from 1 to 254; the default value is 100.

VRRP Load Balancing

LAN topology in which VRRP is configured such that:
  Router A is default gateway for Hosts 1 and 2.
  Router B is default gateway for Hosts 3 and 4.
  Each router acts as the backup virtual router if the other router fails.

VRRP Load Balancing
[Figure: VRRP priorities 255, 110, 110, 255]

RouterA(config)#interface fa 0/1
RouterA(config-if)#ip address 10.0.0.1 255.255.255.0
RouterA(config-if)#vrrp 1 ip 10.0.0.1
RouterA(config-if)#vrrp 1 priority 255
RouterA(config-if)#vrrp 2 ip 10.0.0.2
RouterA(config-if)#vrrp 2 priority 110
RouterB(config)#interface fa 0/1
RouterB(config-if)#ip address 10.0.0.2 255.255.255.0
RouterB(config-if)#vrrp 2 ip 10.0.0.2
RouterB(config-if)#vrrp 2 priority 255
RouterB(config-if)#vrrp 1 ip 10.0.0.1
RouterB(config-if)#vrrp 1 priority 110

VRRP
[Figure: VRRP priorities 255, 110, 110, 255]

In terms of failover, the takeover time of a standby router to an active router depends on two timers:
Advertisement interval:
  Time interval between advertisements (seconds).
  The default is 1 second.
  Configurable
Master-down interval:
  Time interval for backup to declare the master down (seconds).
  Not configurable
  Three times the value of the advertisement interval.
The higher the advertisement interval, the more time it takes to detect the failure of the master and hence, failover.

For more information
http://www.cisco.com/en/US/docs/ios/12_0st/12_0st18/feature/guide/st_vrrpx.html

GLBP
Gateway Load Balancing Protocol
GLBP
Cisco designed GLBP to:
  Allow automatic selection and simultaneous use of multiple available gateways
  Provide automatic detection and failover to a redundant path in the event of failure to any active gateway
Allows for both of these without the extra administrative burden of configuring multiple groups and managing multiple default gateway configurations.
At the time of this presentation only available in Catalyst 6500.

GLBP
[Figure labels: 1 router; up to 4 members]
A GLBP group has up to four member routers acting as IP default gateways.
  Known as the Active Virtual Forwarders (AVFs).
Active Virtual Gateway (AVG):
  Automatically manages the virtual MAC address assignment
    0007.b4xx.xxyy
    xx.xx (16 bits): six 0 bits, followed by ten-bit GLBP group number
    yy is the virtual forwarder number
  Determines who handles the forwarding
  Ensures that each station has a forwarding path in the event of failures to gateways or tracked interfaces.
These functions are accomplished by one of the routers in the group acting as the active virtual gateway (AVG).

GLBP

Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that group.
  Highest priority or highest IP address becomes AVG
  GLBP Priority: 1 to 255 (default = 100)
  GLBP Group Numbers: 0 to 1023
Other group members (AVFs) provide backup for the AVG in the event that the AVG becomes unavailable.
The AVG assigns a virtual MAC address to each member of the GLBP group.
Each gateway assumes responsibility for forwarding packets sent to the virtual MAC address assigned to it by the AVG.
These gateways are known as active virtual forwarders (AVFs) for their virtual MAC address.

GLBP

Router A is the AVG for a GLBP group, and is responsible for the virtual IP
address 10.21.8.10.
Responsible for responding to ARP Requests for default gateway
(10.21.8.10) and handing out a MAC address of an AVF.
Router A is also an AVF for the virtual MAC address 0007.b400.0101.
Router B is a member of the same GLBP group and is designated as the AVF
for the virtual MAC address 0007.b400.0102.
Same virtual IP address of 10.21.8.10
Client 1 has a default gateway IP address of 10.21.8.10 and a gateway MAC
address of 0007.b400.0101.
Client 2 shares the same default gateway IP address but receives the
gateway MAC address 0007.b400.0102 because Router B is sharing the
traffic load with Router A.
[Figure: Client 1. Client 1 sends an ARP Request for 10.21.8.10, receives the ARP Reply 0007.b400.0101, and sends the packet encapsulated in a frame to 0007.b400.0101. Default Gateway = 10.21.8.10 on both clients. Figure labels: 0007.b400.0101, 000C.0417.91CC, 10.21.8.100, 172.16.10.10]
[Figure: Client 2. Client 2 sends an ARP Request for 10.21.8.10, receives the ARP Reply 0007.b400.0102, and sends the packet encapsulated in a frame to 0007.b400.0102. Default Gateway = 10.21.8.10 on both clients. Figure labels: 0007.b400.0102, 000C.0417.91CC, 10.21.8.100, 172.16.10.10]
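Because the AVG legitimately answers ARP for one gateway IP with several MAC addresses, an ARP monitor has to tell those virtual MACs apart from any other address claiming the gateway. The following is an added example (not from the original slides or from Cisco) that decodes the 0007.b4xx.xxyy layout described above and checks ARP replies for 10.21.8.10; the expected group 1 is what the slides' sample MACs decode to, and the sample replies, function names and the 1 to 4 forwarder range are assumptions.

```python
import re

GLBP_PREFIX = 0x0007B4  # leading 24 bits of 0007.b4xx.xxyy

def parse_mac(text):
    """Accept dotted (0007.b400.0101) or colon/hyphen notation; return an int."""
    digits = re.sub(r"[.:-]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)

def decode_glbp_vmac(text):
    """Return (group, forwarder) for a GLBP virtual MAC, otherwise None."""
    mac = parse_mac(text)
    if mac >> 24 != GLBP_PREFIX:
        return None
    group_field = (mac >> 8) & 0xFFFF  # xx.xx: six 0 bits, then 10-bit group
    if group_field >> 10:              # one of the six leading bits is set
        return None
    return group_field, mac & 0xFF     # yy is the virtual forwarder number

def classify_arp_replies(replies, gateway_ip, expected_group, max_forwarders=4):
    """Give a verdict for every (sender_ip, sender_mac) claiming gateway_ip."""
    findings = []
    for ip, mac in replies:
        if ip != gateway_ip:
            continue
        decoded = decode_glbp_vmac(mac)
        if decoded is None:
            verdict = "ALERT: not a GLBP virtual MAC"
        elif decoded[0] != expected_group:
            verdict = f"ALERT: GLBP group {decoded[0]}, expected {expected_group}"
        elif not 1 <= decoded[1] <= max_forwarders:  # assumption: AVFs numbered 1..4
            verdict = f"ALERT: forwarder number {decoded[1]} out of range"
        else:
            verdict = f"ok: group {decoded[0]}, forwarder {decoded[1]}"
        findings.append((mac, verdict))
    return findings

# Constructed ARP replies (sender IP, sender MAC); only the first two MACs are from the slides.
SAMPLE = [
    ("10.21.8.10", "0007.b400.0101"),
    ("10.21.8.10", "0007.b400.0102"),
    ("10.21.8.10", "02:00:5e:10:00:01"),
    ("10.21.8.10", "0007.b400.1501"),
    ("10.21.8.100", "02:00:5e:10:00:02"),
]

if __name__ == "__main__":
    for mac, verdict in classify_arp_replies(SAMPLE, "10.21.8.10", expected_group=1):
        print(mac, verdict)
```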
[Figure: Router A has failed (marked X). Callouts: "I will take over for frames sent to Router A's virtual MAC address and my own." "I'll also be the AVG for the GLBP group."]

GLBP Timers:
Hello messages every 3 seconds
Holdtime is 10 seconds
Switch(config-if)# glbp group timers [msec] hellotime [msec] holdtime
If Router A becomes unavailable, Client 1 will not lose access to the WAN.
Router B will assume responsibility for forwarding packets sent to the
virtual MAC address of Router A
Router B continues responding to packets sent to its own virtual MAC address.
After a period of time (see redirect and timeout timers) Router B will only use
a single MAC address.
Router B will also assume the role of the AVG for the entire GLBP group.
Communication for the GLBP members continues despite the failure of a router
in the GLBP group.
GLBP

RouterA(config)#interface vlan 21
RouterA(config-if)#ip address 10.21.8.1 255.255.255.0
RouterA(config-if)#glbp 21 ip 10.21.8.10
RouterA(config-if)#glbp 21 priority 254

RouterB(config)#interface fa 0/1
RouterB(config-if)#ip address 10.21.8.2 255.255.255.0
RouterB(config-if)#glbp 21 ip 10.21.8.10
RouterB(config-if)#glbp 21 priority 100

GLBP

GLBP supports the following operational modes for load balancing:
Round-robin load-balancing algorithm: Each virtual forwarder MAC address
takes turns being included in address resolution replies for the virtual IP address.
The round-robin load-balancing algorithm is the default.
Weighted load-balancing algorithm: The amount of load directed to an AVF
depends on the weighting value advertised by the gateway containing that AVF.
Host-dependent load-balancing algorithm: A host is guaranteed to use the
same virtual MAC address as long as that virtual MAC address is participating in
the GLBP group.
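A simplified model of the three modes above, added here as an example (not Cisco's implementation and not from the original slides): the smooth weighted rotation, the hash-based host mapping, the weights 3 and 1, and the host MACs are assumptions chosen to match the descriptions. It counts how often a host would see its gateway MAC change when it re-ARPs, which is the churn an ARP-monitoring baseline has to tolerate in each mode.

```python
import hashlib
from itertools import cycle

class AvgModel:
    """Toy AVG: answers ARP requests for the virtual IP with one AVF virtual MAC."""

    def __init__(self, forwarders, mode="round-robin"):
        self.weights = dict(forwarders)              # {virtual MAC: weighting}
        self.vmacs = list(self.weights)
        self.mode = mode
        self._turn = cycle(self.vmacs)               # round-robin state
        self._credit = dict.fromkeys(self.vmacs, 0)  # weighted state

    def arp_reply(self, host_mac):
        if self.mode == "round-robin":
            return next(self._turn)
        if self.mode == "weighted":
            # Smooth weighted rotation (assumed scheme): share follows the weights.
            for vmac in self.vmacs:
                self._credit[vmac] += self.weights[vmac]
            pick = max(self.vmacs, key=self._credit.get)
            self._credit[pick] -= sum(self.weights.values())
            return pick
        if self.mode == "host-dependent":
            # Assumed mapping: a hash of the host MAC selects the forwarder.
            digest = hashlib.sha256(host_mac.lower().encode()).digest()
            return self.vmacs[int.from_bytes(digest[:4], "big") % len(self.vmacs)]
        raise ValueError(f"unknown mode: {self.mode}")

def gateway_mac_changes(mode, hosts, rounds, forwarders):
    """Count how often a host gets a different gateway MAC when it re-ARPs."""
    avg = AvgModel(forwarders, mode)
    last, changes = {}, 0
    for _ in range(rounds):
        for host in hosts:
            vmac = avg.arp_reply(host)
            if host in last and last[host] != vmac:
                changes += 1
            last[host] = vmac
    return changes

# Constructed inputs: the slides' two virtual MACs and three made-up host MACs.
FORWARDERS = {"0007.b400.0101": 3, "0007.b400.0102": 1}
HOSTS = ["02:00:5e:10:00:0a", "02:00:5e:10:00:0b", "02:00:5e:10:00:0c"]
```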
GLBP Operation

Hosts A and B send their off-network traffic to separate next-hop
routers because they each have cached a different MAC address for
the single virtual gateway IP address, in this case, 10.88.1.10.
Each GLBP router is an AVF for the MAC address it has been
assigned.

GLBP Interface Tracking

Like HSRP, GLBP can be configured to track interfaces.
Router(config-if)# track 1 interface serial1/0
The link from router R1 is lost.
GLBP detects the failure.

GLBP Interface Tracking

The responsibility of forwarding packets destined for virtual MAC 1 is
taken over by the secondary virtual forwarder (router R2).

For more information

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html
Implementing High Availability Options in
MLS with HSRP

CIS 187 Multilayer Switched Networks


CCNP 3
Rick Graziani
