Stephen Bowes CCIE SP Lab Blog

CCIE Service Provider Study Plan

SP High Availability – Part 1

Wow – This blog is 1 month old and 500 hits – Nice, hope people are enjoying this trip – I’m sure I’ll bore you with my configuration woes in the coming weeks – again moving sideways slightly prior to pushing headlong into MPLS.

SP Lab Blueprint -> HSRP, VRRP, GLBP, NSF, Fast Reroute and Link/Node Protection. I will cover the 1st three items as there is a fair bit to this section.

HSRP – Hot Standby Router Protocol – is Cisco proprietary and defined in RFC 2281. It offers default gateway redundancy through two roles, active and standby. The active router responds to ARP requests sent to the virtual IP address and also maintains a virtual MAC address. If the active router fails, the standby router takes over the responsibility of responding to requests and assumes the virtual IP/MAC address.

The active router is the one that has the highest priority value. The default priority value is 100. This priority value decreases by a default of 10 for each outage on a tracked interface on the router. The active router keeps its role until it goes off the air or a pre-emption takes place, whereby another router configured with a higher priority takes over. Basic security can be configured with password-level protection, with a default value of cisco! That string is carried in clear text in the hello packets, so it protects against accidental misconfiguration rather than against anyone who can capture traffic on the segment.

The monitoring of the router is accomplished by the track command. This tracking can be done at an interface or IP level. I recommend from experience to track on an IP Address. Why? We had set up HSRP for a remote branch office sitting on the end of an MPLS WAN Link. We set up tracking on the exterior serial interface and thought we were good. We checked the configuration and tested by shutting down the serial interface. This activated the failover to the backup router and the test was signed off. Then a few weeks later our ISP had a BGP cloud issue on the MPLS network. Guess what? Because the local loop of the link did not go down, the serial interface remained activated and HSRP did not kick in. We could not reach the branch via IP, and only by using a mobile call to a staff member to physically switch off the primary router could a failover be initiated to our IPSEC VPN Tunnel backup. Lesson Learned!!

Standard Configuration:

Router 1

ip address 192.168.2.2 255.255.255.0
standby 1 ip 192.168.2.1 <- Virtual IP Gateway Address
standby 1 preempt
standby 1 priority 110 <- Highest priority – Active Router!!
standby 1 track serial 0/0

Router 2

ip address 192.168.2.3 255.255.255.0
standby 1 ip 192.168.2.1
standby 1 preempt
standby 1 priority 100
standby 1 track serial 0/1

Verification: sh standby, look for “state is active” and the virtual ip address settings.

VRRP – Virtual Router Redundancy Protocol – unlike HSRP, is an industry standard that can be used on a number of different makes & models. It is defined in RFC 2338/3768 and is incredibly similar to HSRP. Differences initially included HMAC-based authentication in addition to the basic password security of HSRP [since removed!]. The timing intervals are faster by default, but these values are configurable for both. VRRP can assign a number of IP addresses at one time; this is clunkier with HSRP, where separate groups have to be defined.

VRRP enables a group of routers to form a single virtual router. The LAN clients can then be configured with the virtual router as their default gateway. The virtual router, representing a group of routers, is also known as a VRRP group. What’s known in HSRP as the active router is the role of the master virtual router and is also known as the IP address owner.

The remaining routers are known as the backup virtual routers. If the master virtual router fails, the router configured with the higher priority will become the master virtual router and provide uninterrupted service for the LAN hosts. When the previous master router recovers, it becomes the master virtual router again. You can configure up to 255 virtual routers on a router physical interface. The actual number of virtual routers that a router interface can support depends on the following factors:

Router processing capability; Router memory capability; Router interface support of multiple MAC addresses

In a topology where multiple virtual routers are configured on a router interface, the interface can act as a master for one virtual router and as a backup for one or more virtual routers.

VRRP Router Priority determines the role that each VRRP router plays and what happens if the master virtual router fails. If a VRRP router owns the IP address of the virtual router and the IP address of the physical interface, this router will function as a master virtual router.  Priority also determines if a VRRP router functions as a backup virtual router and the order of ascendancy to becoming a master virtual router if the master virtual router fails. You can configure the priority of each backup virtual router with a value of 1 through 254 using the vrrp priority command. Here is a configuration example.

Router A

interface ethernet 1/0
 ip address 10.1.0.2 255.0.0.0
 vrrp 1 priority 120
 vrrp 1 authentication cisco
 vrrp 1 timers advertise 3
 vrrp 1 timers learn
 vrrp 1 ip 10.1.0.10
 vrrp 5 priority 100
 vrrp 5 timers advertise 30
 vrrp 5 timers learn
 vrrp 5 ip 10.1.0.50
 vrrp 100 timers learn
 no vrrp 100 preempt
 vrrp 100 ip 10.1.0.100
 no shutdown

Router B

interface ethernet 1/0
 ip address 10.1.0.1 255.0.0.0
 vrrp 1 priority 100
 vrrp 1 authentication cisco
 vrrp 1 timers advertise 3
 vrrp 1 timers learn
 vrrp 1 ip 10.1.0.10
 vrrp 5 priority 200
 vrrp 5 timers advertise 30
 vrrp 5 timers learn
 vrrp 5 ip 10.1.0.50
 vrrp 100 timers learn
 no vrrp 100 preempt
 vrrp 100 ip 10.1.0.100
 no shutdown

Verification: sh vrrp, sh vrrp brief, sh vrrp int e0/0

 

GLBP – Gateway Load Balancing Protocol protects data traffic from a failed router or circuit, like Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP), while allowing packet load sharing between a group of redundant routers. It provides load balancing over multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses. Each host is configured with the same virtual IP address, and all routers in the virtual router group participate in forwarding packets. GLBP members communicate between each other through hello messages sent every 3 seconds to the multicast address 224.0.0.102, User Datagram Protocol (UDP) port 3222 (source and destination).

In a nutshell, both HSRP & VRRP only use one of the routers [the active or master], thus wasting the bandwidth & resources of the other routers. GLBP uses the other routers as well, thus reducing administration and potentially achieving better performance. Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that group. Other group members provide backup for the AVG in the event that the AVG becomes unavailable. The AVG assigns a virtual MAC address to each member of the GLBP group. Each gateway assumes responsibility for forwarding packets sent to the virtual MAC address assigned to it by the AVG. These gateways are known as active virtual forwarders (AVFs) for their virtual MAC address. The AVG is responsible for answering Address Resolution Protocol (ARP) requests for the virtual IP address. Load sharing is achieved by the AVG replying to the ARP requests with different virtual MAC addresses.

GLBP operates virtual gateway redundancy in the same way as HSRP. One gateway is elected as the AVG, another gateway is elected as the standby virtual gateway, and the remaining gateways are placed in a listen state.

A GLBP group allows up to four virtual MAC addresses per group. The AVG is responsible for assigning the virtual MAC addresses to each member of the group. Other group members request a virtual MAC address after they discover the AVG through hello messages. Gateways are assigned the next MAC address in sequence. A virtual forwarder that is assigned a virtual MAC address by the AVG is known as a primary virtual forwarder. Other members of the GLBP group learn the virtual MAC addresses from hello messages. A virtual forwarder that has learned the virtual MAC address is referred to as a secondary virtual forwarder.

Virtual forwarder redundancy is similar to virtual gateway redundancy with an AVF. If the AVF fails, one of the secondary virtual forwarders in the listen state assumes responsibility for the virtual MAC address.

GLBP gateway priority determines the role that each GLBP gateway plays and what happens if the AVG fails. Priority also determines if a GLBP router functions as a backup virtual gateway and the order of ascendancy to becoming an AVG if the current AVG fails. You can configure the priority of each backup virtual gateway with a value of 1 through 255 using the glbp priority command. By default, the GLBP gateway preemptive scheme is disabled. A backup virtual gateway can become the AVG only if the current AVG fails, regardless of the priorities assigned to the virtual gateways. You can enable the GLBP preemptive scheme using the glbp preempt command. Preemption allows a backup virtual gateway to become the AVG, if the backup virtual gateway is assigned a higher priority than the current AVG.

GLBP uses a weighting scheme to determine the forwarding capacity of each router in the GLBP group. The weighting assigned to a router in the GLBP group determines whether it will forward packets and, if so, the proportion of hosts in the LAN for which it will forward packets.

Configuration Example:

interface fastethernet 0/0
 ip address 10.91.8.2 255.255.255.0
 glbp 10 authentication text stringxyz <- plain text authentication string
 glbp 10 forwarder preempt delay minimum 60 <- wait min 60 secs before taking over AVF
 glbp 10 load-balancing host-dependent <- host always uses the same router
 glbp 10 preempt delay minimum 60 <- wait 60 secs before becoming AVG
 glbp 10 priority 254 <- Higher is better, default = 100
 glbp 10 timers 5 18 <- hello every 5 secs, hold time 18 secs
 glbp 10 timers redirect 600 7200 <- 10 mins [Timer redirect] & 2 Hours [Timeout]

Verification: sh glbp, sh glbp brief
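
An added example, not part of the original post and not Cisco tooling: a small Python audit that walks an IOS-style config and flags HSRP/VRRP/GLBP groups with missing or plain-text authentication, plus tracking tied to an interface name (the setup that failed in the branch office story above) rather than a track object. The sample config is constructed from the snippets on this page, the HSRP interface name is a placeholder, and the md5 keyword it looks for is the IOS keyed-hash authentication option, which the post does not use.

```python
import re

# Constructed sample built from the snippets on this page. The HSRP
# interface name (FastEthernet0/1) is a placeholder; the page gives none.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 standby 1 ip 192.168.2.1
 standby 1 priority 110
 standby 1 track serial 0/0
interface ethernet 1/0
 vrrp 1 priority 120
 vrrp 1 authentication cisco
 vrrp 1 ip 10.1.0.10
 vrrp 5 ip 10.1.0.50
interface fastethernet 0/0
 glbp 10 authentication text stringxyz
 glbp 10 priority 254
"""

PROTO = {"standby": "HSRP", "vrrp": "VRRP", "glbp": "GLBP"}
LINE = re.compile(r"^\s+(standby|vrrp|glbp)\s+(\d+)\s+(.*)$", re.I)

def audit_fhrp(config):
    """Return sorted (interface, protocol, group, finding) tuples."""
    groups, iface = {}, None   # (iface, proto, group) -> sub-commands
    for line in config.splitlines():
        if line.lower().startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        m = LINE.match(line)
        if m and iface:
            key = (iface, PROTO[m.group(1).lower()], int(m.group(2)))
            groups.setdefault(key, []).append(m.group(3).strip())
    findings = []
    for key, cmds in groups.items():
        auth = [c.split() for c in cmds if c.startswith("authentication")]
        if not auth:
            findings.append(key + ("no authentication configured",))
        elif auth[0][1:2] != ["md5"]:      # anything but keyed MD5
            findings.append(key + ("plain-text authentication",))
            if auth[0][-1] == "cisco":
                findings.append(key + ("well-known string 'cisco'",))
        # 'track <interface name>' follows line state, not reachability
        if any(re.match(r"track\s+[A-Za-z]", c) for c in cmds):
            findings.append(key + ("tracks interface line state only",))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_fhrp(SAMPLE_CONFIG):
        print(*finding)
```

For an HSRP group, "no authentication configured" means the default string mentioned earlier in the post is in effect.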

Conclusion: These guys are very similar and if in the exam we are asked to provide redundancy I think a discussion with the proctor will be required to iron out any decisions a lab candidate would have to make regarding which of the technologies would be the right ones to configure up!

August 31, 2008 | Posted by cciesplab | SP High Availability