Monday, January 19, 2015

GLBP protocol



GLBP (Gateway Load Balancing Protocol), like the other FHRPs VRRP and HSRP, provides gateway redundancy for hosts. Unlike them it also shares load across the routers of the group while the clients keep a single configured default gateway, which makes it more flexible.
GLBP routers exchange messages that carry the information used for Active Virtual Gateway election, determine the GLBP router roles and track their states. GLBP supports up to four gateways per group. One router in the group is elected AVG (Active Virtual Gateway), one router is elected standby virtual gateway, and the remaining routers in the group are placed in the "Listening" state.
The Active Virtual Gateway is responsible for replying to ARP requests for the virtual IP. The AVG puts the virtual MAC address of one of the forwarders in the ARP reply, so the virtual MAC to IP mapping is held in the client's ARP cache.

All routers of the group are forwarders: each router owns a virtual MAC address assigned by the AVG and is responsible for forwarding the packets sent to that virtual address.
The protocol shares load by answering ARP requests for the virtual IP with the different virtual MAC addresses assigned to the GLBP routers. There are three load-sharing schemes: round-robin (default), weighted and host-dependent.

GLBP facts:

- hello timer: 3 sec by default
- hold timer: 10 sec by default
- GLBP group numbers available: 1-1023
- redirect timer: the time during which the AVG keeps replying to ARP requests with a failed forwarder's virtual MAC address
- time to live: the time a failed forwarder's virtual MAC address stays alive
- virtual MAC address format: 0004.b4xx.xxyy, where xx.xx is a 16-bit field whose top 6 bits are empty and whose remaining 10 bits carry the GLBP group number, and yy is the forwarder number
- GLBP packets are sent to destination UDP port 3222 and multicast address 224.0.0.102 (destination multicast MAC 0105.5e00.0006), with the router's primary IP address and the virtual MAC address as source
- a router with priority equal to the AVG's and a higher IP address does not preempt the active GLBP router
- GLBP is not IPv6 compatible
- GLBP does not support the stacking feature

AVG election

AVG election is based on priority (default value 100). The router with the highest priority becomes the AVG.

AVG fails

When the AVG fails, the standby router becomes AVG after the hold timer expires and a new standby router is elected.

AVF fails

When an AVF fails it stops sending its GLBP messages. One of the remaining GLBP forwarders picks up the failed AVF's virtual MAC address and that address becomes "Active" on it ----> this backup forwarder now has a primary virtual MAC address and a secondary one. The secondary virtual address stays alive for at least 600 seconds (the default ARP timeout) and is then flushed from the clients' ARP tables. During the time-to-live period the backup forwarder sends an additional TLV that specifies the extra secondary virtual MAC address.

GLBP scenario, or what we are going to do:

Our GLBP mini-lab consists of two parts, covering the Active Virtual Gateway (AVG) and the Active Virtual Forwarder (AVF).

AVG discovery:

- enable GLBP on one router and look at the information related to the AVG
- explore a packet capture of GLBP packets
- explore debugging
- enable GLBP on the neighboring router
- tune AVG timers
- enable AVG preemption
- explore the AVG election procedure

AVF discovery:

- configure 3 GLBP routers
- configure a simple topology for sample traffic forwarding and testing
- test failover with default timers
- tune timers
- configure weighting
- explore tracking and weight thresholds




As noted, GLBP datagrams are sent over UDP port 3222. GLBP information is carried inside the TLVs described below.
We enabled GLBP on only one router, which is why the same router becomes both AVG and AVF.

R1(config-if)#glbp 1 ip 10.12.10.100

*Mar  1 01:56:31.767: %GLBP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
*Mar  1 01:56:41.767: %GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 1 state Listen -> Active

All GLBP parameters are default.

R1(config-if)#do sh glbp
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:00:05
  Virtual IP address is 10.12.10.100
  Hello time 3 sec, hold time 10 sec   <--------- default AVG timer values
    Next hello sent in 0.488 secs
  Redirect time 600 sec, forwarder timeout 14400 sec  
  Preemption disabled
  Active is local
  Standby is unknown
  Priority 100 (default)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    0011.1111.1111 (10.12.10.1) local
  There is 1 forwarder (0 active)
  Forwarder 1
    State is Listen
    MAC address is 0007.b400.0101 (default)
    Owner ID is 0011.1111.1111
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is unknown

HELLO TLV:

A router sends GLBP packets containing only the HELLO TLV while it is starting the GLBP process and during the Init ---> Listen and Listen ---> Speak transitions.
Source MAC address: the router's primary MAC.
Destination MAC address: multicast MAC 0100.5e00.0066.
Source IP address: the router's primary address; destination IP: multicast address 224.0.0.102.

PIC.1 Hello GLBP message:



Request/response TLV

Once the router has advertised itself as AVG, it advertises itself as AVF by sending a GLBP message with the Request/response TLV:

The GLBP router sends the Request/response message from its assigned virtual MAC address as source to the multicast MAC address.
The source IP address is the primary IP of the router's GLBP interface.
The GLBP router advertises its assigned virtual MAC address, which has the following form:
0004.b4xx.xxyy, where xx.xx is a 16-bit field whose top 6 bits are empty and whose remaining 10 bits carry the GLBP group number, and yy is the forwarder number.
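To make the virtual MAC layout concrete, here is an added Python example (not part of the original notes). It builds and parses GLBP virtual MACs from the group and forwarder numbers and maps the 224.0.0.102 multicast address to its Ethernet MAC. It uses the 0007.b4 prefix that the show glbp output in this lab actually prints (0007.b400.0101 for group 1, forwarder 1); the 1023 group limit and four-forwarder limit come from the notes above, the function names are my own.

```python
"""GLBP virtual MAC and IPv4 multicast MAC helpers (added example)."""
import ipaddress

# Prefix printed by "show glbp" in the lab output on this page (0007.b400.0101).
GLBP_VMAC_PREFIX = 0x0007B4


def format_cisco_mac(mac_int: int) -> str:
    """Render a 48-bit integer as Cisco dotted hex, e.g. 0007.b400.0101."""
    hexstr = f"{mac_int:012x}"
    return f"{hexstr[0:4]}.{hexstr[4:8]}.{hexstr[8:12]}"


def glbp_virtual_mac(group: int, forwarder: int) -> str:
    """Virtual MAC for a GLBP group/forwarder.

    Layout from the notes: prefix.xx.xxyy, where xx.xx is 16 bits holding the
    10-bit group number in its low bits (6 high bits unused) and yy is the
    forwarder number.
    """
    if not 1 <= group <= 1023:
        raise ValueError("GLBP group number must be 1-1023")
    if not 1 <= forwarder <= 4:
        raise ValueError("GLBP allows up to four forwarders per group")
    mac_int = (GLBP_VMAC_PREFIX << 24) | ((group & 0x3FF) << 8) | forwarder
    return format_cisco_mac(mac_int)


def parse_glbp_virtual_mac(mac: str):
    """Inverse mapping: for a MAC seen in an ARP reply return (group, forwarder)
    if it is a GLBP virtual MAC, otherwise None. Accepts dotted, colon or dash
    notation, so it can be fed addresses copied from a capture or a host's ARP cache."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    mac_int = int(digits, 16)
    if mac_int >> 24 != GLBP_VMAC_PREFIX:
        return None
    group = (mac_int >> 8) & 0x3FF
    forwarder = mac_int & 0xFF
    return group, forwarder


def ipv4_multicast_mac(addr: str) -> str:
    """Map an IPv4 multicast address to its Ethernet MAC: 01:00:5e followed by
    the low 23 bits of the IP address (224.0.0.102 -> 0100.5e00.0066)."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    mac_int = (0x01005E << 24) | (int(ip) & 0x7FFFFF)
    return format_cisco_mac(mac_int)


if __name__ == "__main__":
    for fwd in (1, 2):
        print(f"group 1 forwarder {fwd}: {glbp_virtual_mac(1, fwd)}")
    print("GLBP hello destination MAC:", ipv4_multicast_mac("224.0.0.102"))
    print("0007.b400.0102 ->", parse_glbp_virtual_mac("0007.b400.0102"))
```

The parser is the piece worth keeping around: given the MAC a client resolved for the gateway IP, it tells you which forwarder in which group is serving that client, which is handy when checking that load sharing really spreads hosts across the routers.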

PIC.2 GLBP  Request/response TLV



After advertising itself as an AVF, the router sends GLBP messages carrying both TLVs, with the virtual MAC as source address:

PIC.3 GLBP message with both TLVs.





GLBP AVG preemption is disabled on the interface by default; therefore, when GLBP is enabled on a neighboring router with a higher priority, or with the same priority but a higher IP address, the new router's GLBP state will be "Standby".
AVF preemption is enabled by default.

R3(config-if)#glbp 1 ip 10.12.10.100
R3(config-if)#

*Mar  1 03:15:44.911: %GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 2 state Listen -> Active
R3(config-if)#do sh glbp
FastEthernet0/0 - Group 1
  State is Standby
    1 state change, last state change 00:51:53
  Virtual IP address is 10.12.10.100
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.380 secs
  Redirect time 600 sec, forwarder timeout 14400 sec
  Preemption disabled
  Active is 10.12.10.1, priority 100 (expires in 8.656 sec)
  Standby is local
  Priority 100 (default)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    0011.1111.1111 (10.12.10.1)
    0033.3333.3333 (10.12.10.3) local
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Listen
    MAC address is 0007.b400.0101 (learnt)
    Owner ID is 0011.1111.1111
    Time to live: 14398.644 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec   <--------------------- AVF preemption


As you can see from the debug output, there are two active forwarders, one active gateway and one standby gateway:
*Mar  1 12:19:32.964: GLBP: Fa0/0 Grp 1 Hello  out VG Active  pri 100 vIP 10.12.10.100 hello 20000, hold 100000 VF 1 Active  pri 167 vMAC 0007.b400.0101
*Mar  1 12:19:33.544: GLBP: Fa0/0 Grp 1 Hello  in  VG Standby pri 100 vIP 10.12.10.100 hello 20000, hold 100000 VF 2 Active  pri 167 vMAC 0007.b400.0102

Let's tune the timers on the AVG and then look at the timers on the standby GLBP router:
R1(config-if)# glbp 1 timers ?
  <1-60>    Hello interval in seconds
  msec      Specify hello interval in milliseconds
  redirect  Specify timeout values for failed forwarders
R1(config-if)# glbp 1 timers 20 ?
  <21-180>  Hold time in seconds
  msec      Specify hold time in milliseconds

R1(config-if)# glbp 1 timers 20 100


Now look at the standby GLBP router's timers:

R3(config-if)#do sh glbp
FastEthernet0/0 - Group 1
  State is Standby
    1 state change, last state change 09:01:27
  Virtual IP address is 10.12.10.100
  Hello time 20 sec, hold time 100 sec   <---------------- changing the timers on the AVG automatically changes the timers on all standby GLBP gateways in the group
    Next hello sent in 1.888 secs
  Redirect time 600 sec, forwarder timeout 14400 sec
  Preemption enabled, min delay 0 sec
  Active is 10.12.10.1, priority 100 (expires in 81.380 sec)
  Standby is local
  Priority 100 (default)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    0011.1111.1111 (10.12.10.1)
    0033.3333.3333 (10.12.10.3) local
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Listen
    MAC address is 0007.b400.0101 (learnt)
    Owner ID is 0011.1111.1111
    Time to live: 14381.368 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 10.12.10.1 (primary), weighting 100 (expires in 89.940 sec)
  Forwarder 2
    State is Active
      1 state change, last state change 09:02:26
    MAC address is 0007.b400.0102 (default)
    Owner ID is 0033.3333.3333
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100


Let's enable AVG preemption:
R3(config-if)# glbp 1 preempt
R3(config-if)# do sh run int fa 0/0
Building configuration...

Current configuration : 162 bytes
!
interface FastEthernet0/0
mac-address 0033.3333.3333
ip address 10.12.10.3 255.255.255.0
speed 100
full-duplex
glbp 1 ip 10.12.10.100
glbp 1 preempt
end


A router with priority equal to the AVG's and a higher IP address does not preempt the active GLBP router.

Now we change priority on the standby gateway:
R3(config-if)#glbp 1 priority ?
  <1-255>  Priority value
R3(config-if)#glbp 1 priority 105
R3(config-if)#

*Mar  1 12:29:21.072: GLBP: Fa0/0 1 Standby: l/Hello rcvd from lower pri Active router (100/10.12.10.1)
*Mar  1 12:29:21.076: GLBP: Fa0/0 1 Active router IP is local, was 10.12.10.1
*Mar  1 12:29:21.076: GLBP: Fa0/0 1 Standby router is unknown, was local
*Mar  1 12:29:21.076: GLBP: Fa0/0 1 Standby -> Active
*Mar  1 12:29:21.076: %GLBP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

Look at the debug output on the Active router:
R1(config-if)#
*Mar  1 12:29:13.084: GLBP: Fa0/0 Grp 1 Hello  out VG Active  pri 100 vIP 10.12.10.100 hello 20000, hold 100000 VF 1 Active  pri 167 vMAC 0007.b400.0101
*Mar  1 12:29:13.248: GLBP: Fa0/0 Grp 1 Hello  in  VG Active  pri 105 vIP 10.12.10.100 hello 20000, hold 100000 VF 2 Active  pri 167 vMAC 0007.b400.0102
*Mar  1 12:29:13.248: GLBP: Fa0/0 1 Active router IP is 10.12.10.3, was local
*Mar  1 12:29:13.252: GLBP: Fa0/0 1 Standby router is unknown, was 10.12.10.3
*Mar  1 12:29:13.252: GLBP: Fa0/0 1 Active: k/Hello rcvd from higher pri Active router (105/10.12.10.3)
*Mar  1 12:29:13.252: GLBP: Fa0/0 1 Active -> Speak
*Mar  1 12:29:13.252: %GLBP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
R1(config-if)#
*Mar  1 12:29:13.256: GLBP: Fa0/0 Grp 1 Hello  out VG Speak   pri 100 vIP 10.12.10.100 hello 20000, hold 100000 VF 1 Active  pri 167 vMAC 0007.b400.0101
After a few hello exchanges we have new active and standby GLBP routers:
R1(config-if)#
*Mar  1 12:30:53.160: GLBP: Fa0/0 Grp 1 Hello  in  VG Active  pri 105 vIP 10.12.10.100 hello 20000, hold 100000 VF 2 Active  pri 167 vMAC 0007.b400.0102
*Mar  1 12:30:53.252: GLBP: Fa0/0 1 Speak: f/Standby timer expired (unknown)
*Mar  1 12:30:53.252: GLBP: Fa0/0 1 Standby router is local
*Mar  1 12:30:53.252: GLBP: Fa0/0 1 Speak -> Standby
*Mar  1 12:30:53.252: GLBP: Fa0/0 Grp 1 Hello  out VG Standby pri 100 vIP 10.12.10.100 hello 20000, hold 100000 VF 1 Active  pri 167 vMAC 0007.b400.0101

Verify the GLBP routers' states:

R1(config-if)#do sh glbp bri
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   100 Standby  10.12.10.100    10.12.10.3      local
Fa0/0       1    1   -   Active   0007.b400.0101  local           -
Fa0/0       1    2   -   Listen   0007.b400.0102  10.12.10.3      -


Let's configure a third router in this GLBP group:

R4(config-if)#do sh run int fa 0/0
interface FastEthernet0/0
mac-address 0044.4444.4444
ip address 10.12.10.4 255.255.255.0
speed 100
full-duplex
glbp 1 ip 10.12.10.100
glbp 1 preempt
end
This configuration leaves R1, the router with the lowest IP address, in the "Listen" state, with R3 and R4 in the Active and Standby states.
In conclusion: the Standby GLBP router preempts only when its priority becomes higher than the Active router's priority. Routers with lower IP addresses automatically become "Listen" GLBP routers. There is only one Active and only one Standby router.

Weighting and tracking
GLBP can use three different load-sharing schemes.
Weighting can be assigned manually, and every GLBP router advertises its weight to the others. ARP replies carrying the virtual MAC addresses are sent in proportion to the weights of the GLBP routers in the group.
You can set lower and upper thresholds to control the forwarder state of a GLBP router, and you can configure object tracking to adjust the GLBP weight automatically depending on the state of your network. This is a very flexible tool for specific load-sharing tasks.


Configuration example:
We want the weight of R1 to drop below the lower threshold when the line protocol of a specified interface goes down.


R1(config-if)#do sh ip inter bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.12.10.1      YES manual up                    up
FastEthernet1/0            172.20.123.1    YES manual up                    up
R1(config-if)#int fa 0/0
R1(config-if)#glbp 1 weightin ?
  <1-254>  Weighting maximum value
  track    Interface tracking

R1(config-if)#glbp 1 weightin 100 ?
  lower  Weighting lower threshold
  upper  Weighting upper threshold
  <cr>

R1(config-if)#glbp 1 weightin 100 lower ?
  <1-99>  Weighting lower threshold value   <----------- possible lower threshold values

R1(config-if)#glbp 1 weightin 100 lower 40 ?
  upper  Weighting upper threshold   <------------ possible upper threshold values
  <cr>

R1(config-if)#glbp 1 weightin 100 lower 40 upper 100
R1(config-if)#do sh run int fa 0/0
Building configuration...

Current configuration : 208 bytes
!
interface FastEthernet0/0
mac-address 0011.1111.1111
ip address 10.12.10.1 255.255.255.0
speed 100
full-duplex
glbp 1 ip 10.12.10.100
glbp 1 weighting 100 lower 40
end

Configure tracking

R1(config-if)#glbp 1 weighting track 1 decrement ?
  <1-255>  Decrement value
R1(config-if)#glbp 1 weighting track 1 decrement 70
R1(config-if)#exit
R1(config)#track 1 interface fa 1/0 line-protocol


Now we manually shut down the tracked interface and look at the debug output:

R1(config-if)#do deb glbp terse <----- turn on brief debugging of GLBP 
GLBP:
  GLBP Errors debugging is on
  GLBP Events debugging is on
    (protocol, redundancy, track)
  GLBP Packets debugging is on
    (Request, Reply)
R1(config-if)#
R1(config-if)#int fa 1/0
R1(config-if)#shut              <----Manually shutting interface
*Mar  2 13:06:34.674: %TRACKING-5-STATE: 1 interface Fa1/0 line-protocol Up->Down
*Mar  2 13:06:34.678: GLBP: Fa0/0 1 Track 1 object changed, state Up -> Down
*Mar  2 13:06:34.678: GLBP: Fa0/0 1 Weighting 100 -> 30
*Mar  2 13:06:36.674: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Mar  2 13:06:37.674: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
*Mar  2 13:07:06.118: GLBP: Fa0/0 1.1 Active: i/Hello rcvd from higher pri Active router (135/10.12.10.3)
*Mar  2 13:07:06.118: GLBP: Fa0/0 1.1 Active -> Listen

R1(config-if)#
*Mar  2 13:07:06.118: %GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 1 state Active -> Listen   <---Forwarder becomes "Listen"
R1(config-if)#
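The weighting arithmetic in this lab (maximum 100, lower 40, upper 100, track 1 decrement 70, so 100 -> 30 and the forwarder drops to Listen) is simple enough to model. The following Python is an added example, not part of the original notes: it tracks object state, recomputes the weighting, and applies the threshold rule. The hysteresis rule it encodes (give up forwarding when the weight falls below the lower threshold, resume only when it reaches the upper threshold again) is my reading of the documented Cisco behaviour, and the weighted ARP distribution uses smooth weighted round-robin as an assumed scheduler; the class and function names are mine.

```python
"""GLBP weighting, tracked objects and lower/upper thresholds (added example)."""
from dataclasses import dataclass, field


@dataclass
class TrackedObject:
    name: str          # e.g. "track 1" (interface fa1/0 line-protocol in the lab)
    decrement: int     # removed from the weighting while the object is down
    up: bool = True


@dataclass
class GlbpWeighting:
    maximum: int = 100            # "glbp 1 weighting <max>"
    lower: int = 1                # default lower threshold shown by "show glbp"
    upper: int = 100              # default upper threshold
    tracks: list = field(default_factory=list)
    forwarding: bool = True       # whether this router may act as an AVF

    def weight(self) -> int:
        """Current weighting: maximum minus the decrement of every down tracked object."""
        w = self.maximum - sum(t.decrement for t in self.tracks if not t.up)
        return max(w, 0)

    def set_track_state(self, name: str, up: bool) -> tuple:
        """Apply a tracking state change and re-evaluate AVF eligibility.

        Assumed hysteresis: once the weighting drops below `lower` the router stops
        forwarding; it resumes only when the weighting reaches `upper` again.
        Returns (old_weight, new_weight, forwarding).
        """
        old = self.weight()
        for t in self.tracks:
            if t.name == name:
                t.up = up
                break
        else:
            raise KeyError(f"unknown tracked object {name}")
        new = self.weight()
        if self.forwarding and new < self.lower:
            self.forwarding = False
        elif not self.forwarding and new >= self.upper:
            self.forwarding = True
        return old, new, self.forwarding


def weighted_arp_sequence(weights: dict, n: int) -> list:
    """Deterministic distribution of n ARP replies among forwarders in proportion
    to their weights (smooth weighted round-robin; an assumption, IOS's exact
    scheduler is not described on this page)."""
    current = {k: 0 for k in weights}
    total = sum(weights.values())
    out = []
    for _ in range(n):
        for k in weights:
            current[k] += weights[k]
        best = max(current, key=current.get)
        current[best] -= total
        out.append(best)
    return out


def lab_scenario() -> list:
    """Reproduce R1 from the lab: weighting 100 lower 40 upper 100, track 1 decrement 70."""
    r1 = GlbpWeighting(maximum=100, lower=40, upper=100,
                       tracks=[TrackedObject("track 1", decrement=70)])
    events = [r1.set_track_state("track 1", up=False)]   # fa1/0 shut: 100 -> 30, stop forwarding
    events.append(r1.set_track_state("track 1", up=True))  # fa1/0 back: 30 -> 100, resume
    return events


if __name__ == "__main__":
    for old, new, fwd in lab_scenario():
        print(f"weighting {old} -> {new}, forwarding={fwd}")
    seq = weighted_arp_sequence({"fwd1": 100, "fwd2": 50}, 150)
    print("ARP replies per forwarder:", {k: seq.count(k) for k in ("fwd1", "fwd2")})
```

The point of the threshold pair is visible in the model: with a single threshold a flapping tracked interface would flap the forwarder role too, whereas the gap between lower and upper keeps the router out of the forwarder role until its weight has fully recovered.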



Let's look at the debug output on the other GLBP routers.
Here is the output from the router that became the backup forwarder after R1 failed:

R4(config-if)#
*Mar  2 13:06:43.794: GLBP: Fa0/0 1.1 Preemption delayed, 30 secs remaining <----default preemption delay
*Mar  2 13:07:13.806: GLBP: Fa0/0 1.1 Listen: k/Hello rcvd from lower pri Active router (39/10.12.10.1) <---- R1 became a lower priority GLBP forwarder
*Mar  2 13:07:13.810: GLBP: Fa0/0 1.1 Listen -> Active
*Mar  2 13:07:13.810: %GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 1 state Listen -> Active

PIC.4 R4 becomes the backup forwarder for R1 and carries two TLVs:



If you disable forwarder preemption on all GLBP routers, then after the time-to-live timer expires the virtual MAC address becomes disabled:

R4(config-if)#do sh run int fa 0/0 | i glbp
glbp 1 ip 10.12.10.100
glbp 1 timers redirect 10 610

glbp 1 preempt                        <-------------AVG preemption is enabled
glbp 1 load-balancing weighted
no glbp 1 forwarder preempt          <------------ AVF preemption is disabled


R4(config-if)#do sh glbp | i live
    Time to live: 0.568 sec (maximum 609 sec)   <-------- time to live timer expires
    Time to live: 607.848 sec (maximum 610 sec)
R4(config-if)#
*Mar  1 18:36:48.839: GLBP: Fa0/0 1.1 Active: c/Secondary timer expired
*Mar  1 18:36:48.839: GLBP: Fa0/0 1.1 Active -> Disabled

*Mar  1 18:36:48.839: %GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 1 state Active -> Disabled
R4(config-if)#
%GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 1 state Active -> Disabled   <----AVF's virtual mac is disabled

In the next part of these GLBP notes I will test GLBP in action.

Tuesday, January 13, 2015

CCIE HSRP notes: theory

HSRP notes. Theory.


Short HSRP tips:

- On a particular LAN, multiple hot standby groups may coexist and overlap.
- Each standby group emulates a single virtual router.
- For each standby group, a single well-known MAC address is allocated to the group, as well as an IP address. The IP address SHOULD belong to the primary subnet in use on the LAN, but MUST differ from the addresses allocated as interface addresses on all routers and hosts on the LAN, including virtual IP addresses assigned to other HSRP groups.
- HSRP router roles are Active and Standby.
- HSRP runs on top of UDP and uses port 1985.
- HSRP packets are sent to multicast address 224.0.0.2 with TTL 1.
- Routers use their own IP addresses as the source for protocol packets.
- The router with the higher priority wins the active/standby election. If priorities are equal, the higher IP address wins.
- Every standby router learns the hello and holdtime values carried in the hello messages from the Active router.
- A router uses the virtual MAC address as the source address of the HELLO messages it sends ONLY when it is in the ACTIVE state.



From Cisco.com: Table 1, Default HSRP Configuration

Feature                            Default Setting
HSRP groups                        None configured
Standby group number               0
Standby MAC address                System assigned as 0000.0c07.acXX, where XX is the HSRP group number
Standby priority                   100
Standby delay                      0 (no delay)
Standby track interface priority   10
Standby hello time                 3 seconds
Standby holdtime                   10 seconds


HSRP conventions:

Active Router - forwards packets for the virtual router
Standby Router - the primary backup router
Standby Group - the set of routers participating in HSRP
Hello Time - the interval between HSRP hellos
Hold Time - the interval between the receipt of hellos

Pic.1 HSRP packet format:




Version: the value "0" means version 1 (RFC 2281). Version 2 ---> allows 4096 HSRP groups and uses a different frame format.
Op Code (1 octet): describes the type of message:
- "0" Hello ---> the router is participating in HSRP and is able to become Active or Standby

Pic.2 The router sends an HSRP hello once per hellotime period



- "1" Coup ---> Router wishes to become the active router

Pic.3 HSRP router sends "Coup" message after changing priority to 200 and enabling Preempt feature:




- "2" Resign ---> router no longer wishes to be the active router

Pic.4 HSRP Resign message sent when "no standby 40 IP" command was entered:



- "3" Advertise ----> (not in the RFC) a router that is neither Active nor Standby periodically sends advertisements

Pic 5. HSRP Advertise message:



HSRP as a state machine

Each HSRP router implements a state of the HSRP state machine. The possible values are:
0 - Initial => starting state, HSRP is not running
1 - Learn => the router doesn't know the virtual IP yet and is waiting to hear hello messages from the active router
2 - Listen => the router knows the virtual IP but is neither active nor standby; it listens to hellos from all routers in the domain
4 - Speak => the router sends periodic hellos and actively participates in the election of the active/standby router
8 - Standby => the router is a candidate to become the next active router and sends periodic hellos
16 - Active => the router forwards packets sent to the group's virtual IP and sends periodic hello messages

HSRP packet fields:

Hellotime (1 octet) - given in seconds
Holdtime (1 octet) - can be set manually in Cisco IOS (per the RFC, the holdtime may be learned from the active router when authentication is used)
Priority (1 octet) - used to elect the active and standby router
Group (1 octet) - together with the "Reserved" field there can be up to 4096 groups in Cisco HSRP
Authentication Data (8 octets)
Virtual IP address (4 octets) - the virtual IP address used by this group
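The fields listed above, in that order, make up the fixed 20-byte HSRP version 1 packet of RFC 2281 (version, op code, state, hellotime, holdtime, priority, group, reserved, 8 bytes of authentication data, 4-byte virtual IP). The following Python decoder is an added example, not part of the original notes; the sample payload is constructed by hand to mirror the R8 configuration further down (group 40, priority 200, timers 4/15, text authentication "admin", virtual IP 10.10.10.10) and the function names are mine.

```python
"""Decode an HSRP version 1 packet carried in UDP port 1985 (added example)."""
import ipaddress
import struct

# RFC 2281 layout: 8 single-byte fields, 8 bytes auth data, 4 bytes virtual IP.
HSRP_V1_FMT = "!BBBBBBBB8s4s"
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FMT)   # 20 bytes

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign", 3: "Advertise"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


def parse_hsrp_v1(payload: bytes) -> dict:
    """Return the decoded fields of an HSRP v1 packet as a dict.

    Raises ValueError for a short payload or a non-zero version byte (HSRP v2
    uses a different, TLV-based format and is not handled here).
    """
    if len(payload) < HSRP_V1_LEN:
        raise ValueError(f"HSRP v1 needs {HSRP_V1_LEN} bytes, got {len(payload)}")
    (version, opcode, state, hello, hold, prio,
     group, _reserved, auth, vip) = struct.unpack(HSRP_V1_FMT, payload[:HSRP_V1_LEN])
    if version != 0:
        raise ValueError(f"not an HSRP v1 packet (version byte {version})")
    return {
        "version": 1,
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hello,
        "holdtime": hold,
        "priority": prio,
        "group": group,
        # Plain-text authentication is NUL padded to 8 bytes on the wire.
        "auth": auth.rstrip(b"\x00").decode("ascii", errors="replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }


def hsrp_v1_virtual_mac(group: int) -> str:
    """Default HSRP v1 virtual MAC from the Cisco table above: 0000.0c07.acXX."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group number is 0-255")
    return f"0000.0c07.ac{group:02x}"


# Constructed sample (not a real capture): version 0, Hello, state Active (16),
# hellotime 4, holdtime 15, priority 200, group 40, reserved 0, auth "admin",
# virtual IP 10.10.10.10.
SAMPLE_HELLO = (
    b"\x00\x00\x10\x04\x0f\xc8\x28\x00"
    + b"admin\x00\x00\x00"
    + b"\x0a\x0a\x0a\x0a"
)


if __name__ == "__main__":
    fields = parse_hsrp_v1(SAMPLE_HELLO)
    for key, value in fields.items():
        print(f"{key:>11}: {value}")
    print("virtual MAC:", hsrp_v1_virtual_mac(fields["group"]))
```

Feeding UDP/1985 payloads from a capture through this decoder is a quick way to confirm that the values a router prints in "show standby" (timers, priority, authentication string, state) are really what it sends on the wire; note that the plain-text authentication string travels unencrypted.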


Timers

Active_timer - monitors the activity of the Active router. It starts when a hello message is received from the Active router and expires Holdtime after that hello.
Standby_timer - monitors the activity of the Standby router. It starts when a hello message is received from the Standby router.
Hello_timer - expires after one hellotime period.


HSRP Preemption

Preemption should be enabled on the interface whose priority allows it to become the new active HSRP router. A newly appearing router with a higher priority in the HSRP group becomes the new active router only if preemption is enabled on it.

Simple HSRP configuration

Interface IP address configuration:

R8(config)#int gi 0/0
R8(config-if)# ip address 10.10.10.8 255.255.255.0

Configure virtual IP for group 40:

R8(config-if)#standby 40 ip 10.10.10.10

Setting priority

R8(config-if)#standby 40 priority 200

Setting authentication with the plain-text string "admin"

R8(config-if)#standby 40 authentication text admin

Enable preemption

R8(config-if)#standby 40 preempt

Configure tracking dependent on the line state of interface Loopback8

R8(config-if)#standby 40 track loopback 8 ?
  <1-255>  Decrement value
  <cr>
R8(config-if)#standby 40 track loopback 8 70

R8(config-if)#standby 40 timers ?
  <1-254>  Hello interval in seconds
  msec     Specify hello interval in milliseconds

Change default HSRP timers values on the active router

R8(config-if)#standby 40 timers 4 ?
  <5-255>  Hold time in seconds

R8(config-if)#standby 40 timers 4 15


Manually assign HSRP virtual MAC address

R8(config-if)#standby 40 mac-address ?
  H.H.H  MAC address

R8(config-if)#standby 40 mac-address 0008.0008.0008 ?
  <cr>

R8(config-if)#standby 40 mac-address 0008.0008.0008


Verify HSRP

R8(config-if)#do sh stand
GigabitEthernet0/0 - Group 40
  State is Active
    14 state changes, last state change 00:02:06
  Virtual IP address is 10.10.10.10
  Active virtual MAC address is 0008.0008.0008
    Local virtual MAC address is 0008.0008.0008 (cfgd)
  Hello time 4 sec, hold time 15 sec
    Next hello sent in 1.328 secs
  Authentication text, string "admin"
  Preemption enabled
  Active router is local
  Standby router is 10.10.10.4, priority 140 (expires in 16.208 sec)
  Priority 200 (configured 200)
    Track interface Loopback8 state Up decrement 70
  Group name is "hsrp-Gi0/0-40" (default)


Q&A

Q: How do HSRP versions 1 and 2 interoperate?
A: HSRP version 2 and version 1 cannot interoperate.

Q: What are the HSRP roles?
A: Active and Standby.

Q: What are the HSRP packet's destination IP address and TTL, for versions 1 and 2 of the protocol?
A: HSRP v1: 224.0.0.2, TTL 1; HSRP v2: 224.0.0.102, TTL 1.

Q: What transport protocol does HSRP use?
A: UDP, port 1985.

Q: What address does a router use as the source address for HSRP protocol packets?
A: Routers use their own interface IP addresses.

Q: Which router wins the HSRP master election, and what is the tie-breaker?
A: The router with the numerically higher priority value wins; the tie-breaker is the IP address, and the higher IP address wins.

Q: How do you create up to 4096 HSRP groups? Is it possible?
A: Yes. To create up to 4096 HSRP groups you must enable version 2 of HSRP.

Q: How do you enable preemption between HSRP routers?
A: Enable preemption on the router that should become the active HSRP router if the current active router fails.

Q: What is the virtual MAC address for an HSRP group?
A: 0000.0C07.ACxx, where xx is the HSRP group number in hex.

Q: Does an HSRP router use the virtual MAC address as the source of HSRP hello messages? When?
A: An HSRP router uses the virtual MAC address as the source address of HSRP hello messages only when it is in the active state.


Best regards!
Kravets Dmitry.

Wednesday, January 7, 2015

My VRRP notes

VRRP notes.

1. Set of definitions
VRRP Router - a router running the VRRP protocol. It can participate in one or more virtual routers.
Virtual router - an abstract router consisting of a Virtual Router Identifier and a set of associated IPv4 or IPv6 addresses across a LAN. A VRRP router may back up one or more virtual routers. It can be identified by the Virtual Router ID and
IP address owner - the VRRP router that has the virtual router's IPvX address as a real interface address.
Primary IP address - in IPv4, the address selected from the set of real interface addresses; in IPv6, the link-local address of the interface.
Virtual Router Master - the VRRP router that assumes responsibility for forwarding packets sent to the IPvX address associated with the virtual router.
Virtual Router Backup - the set of VRRP routers available to assume forwarding responsibility for a virtual router when the master router fails.



2. Features of VRRP

- IPvX address backup
- path preference among the redundant routers based on any criterion (path cost or speed, any other consideration)
- none of the backup routers becomes master until the current master router fails
- the virtual router MAC address is used as source in packets sent by the Master router
- periodic messages are sent at the proper intervals
- You can use the same interface within different VRRP groups???


3. VRRP PROTOCOL

The purpose of a VRRP packet is to communicate to all VRRP routers the priority and state of the Master router associated with the VRID.
VRRP packets protecting an IPvX address are sent encapsulated in IPvX packets with the following parameters:
- They are sent to the special multicast address 224.0.0.18 for IPv4 and FF02:0:0:0:0:0:0:12 for IPv6. The source address is the primary address of the VRRP router's interface.
- TTL value: 255
- IPv4 protocol number: 112
- Hop limit: 255
- IPv6 next header: 112

VRRP protocol field descriptions:
- Version: 2 or 3
- Type: always 1 (ADVERTISEMENT)
- Virtual Router ID (VRID)
- Priority (8-bit field, 1-255): default is 100; priority 0 has a special meaning ---> the Master stops participating in VRRP
- Count IPvX addresses: the number of IPvX addresses in the VRRP advertisement
- RSVD: this field must be set to 0 and ignored
- Max advertisement interval: a 12-bit field giving the interval between advertisements in centiseconds (100 = 1 sec). For stable protocol operation this value should be equal on all VRRP routers (master and backups). Masters with lower transmission rates than their Backup routers are unstable, because low-priority nodes configured with faster rates could come online and decide they should be Masters before they have heard anything from the higher-priority Master with the slower rate.
- Checksum: a 16-bit field
- IPvX address(es): this field specifies the addresses backed up by the virtual router, either IPv4 or IPv6 addresses. If there is more than one address in this field, it is recommended that all routers send the addresses in the same order.


4. Protocol state machine
Parameters per virtual router:
VRID - configurable item, range 1-255. There is no default.
Priority - the value used in master election. Default is 100, range 1-255. 0 means the Master is releasing responsibility for the virtual router.
IPv6_Addresses or IPv4_Addresses - one or more IP addresses associated with the virtual router.

Advertisement_Interval - the time between ADVERTISEMENTs sent (default 1 second)

Master_Adver_Interval - the Advertisement_Interval contained in ADVERTISEMENTs received from the Master router

Skew_Time - the time used to skew Master_Down_Interval = (((256 - priority) * Master_Adver_Interval) / 256)

Master_Down_Interval - the interval after which a Backup router declares the Master down = 3 * Master_Adver_Interval + Skew_Time

Preempt_Mode - true or false; controls whether a higher-priority backup router preempts a lower-priority backup router (the preempt bit is set in the advertisement)

Accept_Mode - allows the router to receive packets addressed to the VRRP router's non-virtual interface.
Virtual_Router_MAC_Address - the MAC address used as source MAC in VRRP advertisements and advertised in ARP responses.

Timers
Master_Down_Timer
Adver_Timer


INIT state:
- the router waits for a startup event
- the router then becomes either a MASTER or a BACKUP router:
     IF the router owns the IP address associated with the virtual router, it sets the Adver_Timer to Advertisement_Interval, sends an advertisement and transitions to MASTER
     ELSE the router sets Master_Adver_Interval to Advertisement_Interval, sets the Master_Down_Timer to Master_Down_Interval and transitions to BACKUP

BACKUP state:
A router in the Backup state monitors the state of the master router.
While in this state a VRRP router must do the following:
- must not respond to ARP requests for the virtual address
- must discard packets whose destination MAC address is the virtual router MAC address
- must not accept packets addressed to the virtual router

While the router is in the Backup state the following events can happen:
-- shutdown event received
          -> cancel the Master_Down_Timer
          -> transition to INIT state

-- Master_Down_Timer fires
          -> send an advertisement, send ARP for IPv4 or ND for IPv6
          -> set the Adver_Timer to Advertisement_Interval

-- Advertisement received
          -> if the priority in the advertisement is zero, set the Master_Down_Timer to Skew_Time
          -> otherwise compare the priority in the advertisement with the local priority, taking Preempt_Mode into account; the result decides whether the MASTER is re-elected

MASTER state:
A router in the Master state functions as the forwarding router.
-- Advertisement received
          -> transition to BACKUP only if the received ADVERTISEMENT carries a higher priority, or the same priority but a greater IPvX address than the local one
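The timer formulas and the two advertisement decisions above are easiest to check by running them. The Python below is an added example, not part of the original notes: it computes Skew_Time and Master_Down_Interval exactly as section 4 defines them and applies the BACKUP and MASTER state decisions to received advertisements. The class and method names are mine; the priority-0 handling in MASTER state (answer with an advertisement) follows RFC 5798 rather than anything stated on this page.

```python
"""VRRP timers and election decisions from the state machine above (added example)."""
from dataclasses import dataclass
import ipaddress


def skew_time(priority: int, master_adver_interval: float) -> float:
    """Skew_Time = ((256 - priority) * Master_Adver_Interval) / 256, the VRRPv3
    (RFC 5798) form used on this page. VRRPv2 (RFC 3768) instead uses
    (256 - priority) / 256 seconds, independent of the advertisement interval."""
    if not 0 <= priority <= 255:
        raise ValueError("priority is an 8-bit field")
    return ((256 - priority) * master_adver_interval) / 256


def master_down_interval(priority: int, master_adver_interval: float) -> float:
    """Master_Down_Interval = 3 * Master_Adver_Interval + Skew_Time."""
    return 3 * master_adver_interval + skew_time(priority, master_adver_interval)


@dataclass
class VrrpRouter:
    vrid: int
    priority: int
    primary_ip: str
    advertisement_interval: float = 1.0
    preempt_mode: bool = True
    state: str = "BACKUP"
    master_adver_interval: float = 1.0
    master_down_timer: float = 0.0

    def backup_on_advertisement(self, adv_priority: int, adv_interval: float) -> str:
        """BACKUP state, ADVERTISEMENT received. Returns the action taken."""
        if adv_priority == 0:
            # The Master is releasing the virtual router: expect to take over after Skew_Time.
            self.master_down_timer = skew_time(self.priority, self.master_adver_interval)
            return "master_down_timer set to skew_time"
        if not self.preempt_mode or adv_priority >= self.priority:
            # Accept this Master: learn its interval and restart the down timer.
            self.master_adver_interval = adv_interval
            self.master_down_timer = master_down_interval(self.priority, adv_interval)
            return "master_down_timer reset"
        # Lower-priority Master and preemption enabled: ignore it, the timer will
        # fire and this router will send its own advertisement and become Master.
        return "advertisement discarded"

    def master_on_advertisement(self, adv_priority: int, adv_ip: str, adv_interval: float) -> str:
        """MASTER state, ADVERTISEMENT received. Returns the action taken."""
        if adv_priority == 0:
            return "sent ADVERTISEMENT"          # RFC 5798: reassert mastership
        higher = adv_priority > self.priority
        tie_on_ip = (adv_priority == self.priority
                     and ipaddress.ip_address(adv_ip) > ipaddress.ip_address(self.primary_ip))
        if higher or tie_on_ip:
            self.state = "BACKUP"
            self.master_adver_interval = adv_interval
            self.master_down_timer = master_down_interval(self.priority, adv_interval)
            return "transition to BACKUP"
        return "advertisement discarded"


if __name__ == "__main__":
    for prio in (100, 250):
        print(f"priority {prio}: skew={skew_time(prio, 1.0):.6f}s "
              f"master_down={master_down_interval(prio, 1.0):.6f}s")
    backup = VrrpRouter(vrid=23, priority=100, primary_ip="10.10.10.2")
    print("backup hears prio 250:", backup.backup_on_advertisement(250, 1.0))
    print("backup hears prio 0:  ", backup.backup_on_advertisement(0, 1.0), backup.master_down_timer)
    master = VrrpRouter(vrid=23, priority=250, primary_ip="10.10.10.1", state="MASTER")
    print("master hears prio 250 from .2:", master.master_on_advertisement(250, "10.10.10.2", 1.0))
```

The skew term is what makes failover deterministic: after a Master disappears every Backup waits 3 * Master_Adver_Interval, but the highest-priority Backup has the smallest Skew_Time and therefore fires first, so it becomes Master before any lower-priority router does.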


5. VRRP packets
VRRP packets are sent with the virtual router's MAC address as source MAC and the primary interface address as source IP.
- VRRP packets are sent to the multicast group 224.0.0.18
- The virtual MAC address is assigned by IANA and looks like 00-00-5e-00-01-[VRID] for IPv4 and 00-00-5e-00-02-[VRID] for IPv6
- The VRRP master must respond to ARP requests with the virtual MAC address
- The VRRP master router should never send ARP with its own physical interface address as source


6. Configuring VRRP
vrrp config in IOS applies per interface:

basic config:
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.0
vrrp 23 ip 10.10.10.10  
   <---- 23 is specified VRRP group [VRID] for VRRP process 
end
Change default priority for a VRRP router in the group:
R1(config-if)#vrrp 23 priority 250


You can change the advertisement interval (in seconds; the IOS default is 1 sec):
R1(config-if)#vrrp  23 timers advertise 100
Configure a backup router to learn the advertisement interval from the master instead of using its own configured value:
R1(config-if)#vrrp 23 timers learn

Configure authentication for VRRP. This MD5 authentication is a Cisco extension to VRRPv2; RFC 5798 (VRRPv3) has no authentication field at all, so on an unauthenticated group any host on the segment that can send to 224.0.0.18 with TTL 255 can advertise priority 255 and take over the virtual router. Note that the key-string is kept as typed in the running configuration (see the sh run output at the end of this post) unless service password-encryption is on, and even then type 7 is reversible, so prefer a key-chain where the platform supports it:
R1(config-if)#vrrp 23 authentication md5 key-string myplaintextpass

With an authentication mismatch you will see a message giving the authentication type in the received advertisement and the type configured locally:
 %VRRP-4-BADAUTHTYPE: Bad authentication from 10.10.10.1, group 23, type 254, expected 0

You can tune preemption, here a minimum delay of 200 seconds before a higher-priority router takes over from the current master:
R1(config-if)#vrrp 23 preempt delay minimum 200
Disable the VRRP group with the following command:
R1(config-if)#vrrp 23 shutdown
%VRRP-6-STATECHANGE: Gi0/0 Grp 23 state Master -> Init
After disabling, the VRRP group transitions to the INIT state


Configure object tracking so the group's priority drops when a tracked interface fails (the track object is defined globally and referenced in the group):
R1(config-if)#vrrp 23 track 1 decrement 90
R1(config)#track 1 interface fa 1/0 line-protocol

Verify:
R1(config-track)#do sh vrrp
GigabitEthernet0/0 - Group 23
TEST_VRRP_GROUP
  State is Init
  Virtual IP address is 10.10.10.10
  Virtual MAC address is 0000.5e00.0117
  Advertisement interval is 100.000 sec
  Preemption enabled, delay min 200 secs
  Priority is 250
    Track object 1 state Up decrement 90        <---- here is our tracking configuration

  Authentication MD5, key-string
  Master Router is 10.10.10.2, priority is 100
  Master Advertisement interval is 10.000 sec
  Master Down interval is 300.023 sec

Manually shut tracked interface:
R1(config-track)#int fa 1/0
R1(config-if)#shut

 %TRACKING-5-STATE: 1 interface Fa1/0 line-protocol Up->Down     <------ the tracking event

R1(config-if)#do sh vrrp
GigabitEthernet0/0 - Group 23
TEST_VRRP_GROUP
  State is Init
  Virtual IP address is 10.10.10.10
  Virtual MAC address is 0000.5e00.0117
  Advertisement interval is 100.000 sec
  Preemption enabled, delay min 200 secs
  Priority is 160 (cfgd 250)        <------ the effective priority was decremented by 90 (configured 250 - 90)

    Track object 1 state Down decrement 90
  Authentication MD5, key-string
  Master Router is 10.10.10.2, priority is 100
  Master Advertisement interval is 10.000 sec
  Master Down interval is 300.023 sec
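The three syslog messages that appear in this section (%VRRP-4-BADAUTHTYPE, %VRRP-6-STATECHANGE and %TRACKING-5-STATE) are what you have to work with when a gateway starts misbehaving, so here is an added example (not part of the post) that triages them: bad-auth advertisements from addresses that are not known VRRP peers (someone else is talking VRRP on the segment), groups flapping between Master and Backup, and tracked interfaces going down. The log lines are constructed from the message formats shown in this post, the source 10.10.10.99 is fictional, and the function and field names are my own.

```python
"""Triage of VRRP-related IOS syslog lines (added example, not from the post)."""
import re
from collections import Counter
from typing import Dict, Iterable, Set

BADAUTH_RE = re.compile(
    r"%VRRP-4-BADAUTHTYPE: Bad authentication from (?P<src>\S+), group (?P<grp>\d+), "
    r"type (?P<got>\d+), expected (?P<want>\d+)")
STATE_RE = re.compile(
    r"%VRRP-6-STATECHANGE: (?P<intf>\S+) Grp (?P<grp>\d+) state (?P<old>\w+) -> (?P<new>\w+)")
TRACK_RE = re.compile(
    r"%TRACKING-5-STATE: (?P<obj>\d+) interface (?P<intf>\S+) line-protocol (?P<old>\w+)->(?P<new>\w+)")

# Constructed sample, modelled on the messages shown in this post
SAMPLE_LOG = """\
Jan 19 10:00:01.120: %VRRP-4-BADAUTHTYPE: Bad authentication from 10.10.10.1, group 23, type 254, expected 0
Jan 19 10:00:02.120: %VRRP-4-BADAUTHTYPE: Bad authentication from 10.10.10.99, group 23, type 0, expected 254
Jan 19 10:00:03.000: %TRACKING-5-STATE: 1 interface Fa1/0 line-protocol Up->Down
Jan 19 10:00:03.500: %VRRP-6-STATECHANGE: Gi0/0 Grp 23 state Master -> Backup
Jan 19 10:00:10.500: %VRRP-6-STATECHANGE: Gi0/0 Grp 23 state Backup -> Master
Jan 19 10:00:15.500: %VRRP-6-STATECHANGE: Gi0/0 Grp 23 state Master -> Backup
Jan 19 10:00:20.500: %VRRP-6-STATECHANGE: Gi0/0 Grp 23 state Backup -> Master
Jan 19 10:01:00.000: %VRRP-6-STATECHANGE: Gi0/0 Grp 23 state Master -> Init
"""


def analyze_vrrp_log(lines: Iterable[str], known_peers: Set[str],
                     flap_threshold: int = 3) -> Dict:
    """Summarise VRRP log lines. Returns a dict with:
    bad_auth      - per source IP, count of mismatched-auth advertisements
    rogue_sources - bad-auth sources that are not known VRRP peers (sorted)
    transitions   - per (interface, group), count of all state changes
    flapping      - (interface, group) keys with >= flap_threshold
                    Master<->Backup changes
    tracking_down - interfaces whose tracked line-protocol went Down
    """
    bad_auth: Counter = Counter()
    transitions: Counter = Counter()
    master_backup_changes: Counter = Counter()
    tracking_down = []
    for line in lines:
        m = BADAUTH_RE.search(line)
        if m:
            bad_auth[m["src"]] += 1
            continue
        m = STATE_RE.search(line)
        if m:
            key = (m["intf"], int(m["grp"]))
            transitions[key] += 1
            if {m["old"], m["new"]} == {"Master", "Backup"}:
                master_backup_changes[key] += 1
            continue
        m = TRACK_RE.search(line)
        if m and m["new"] == "Down":
            tracking_down.append(m["intf"])
    return {
        "bad_auth": dict(bad_auth),
        "rogue_sources": sorted(src for src in bad_auth if src not in known_peers),
        "transitions": dict(transitions),
        "flapping": sorted(k for k, n in master_backup_changes.items() if n >= flap_threshold),
        "tracking_down": tracking_down,
    }


if __name__ == "__main__":
    report = analyze_vrrp_log(SAMPLE_LOG.splitlines(),
                              known_peers={"10.10.10.1", "10.10.10.2"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

A Master -> Backup transition right after a %TRACKING-5-STATE Down is the designed behaviour shown above; the same transition with no tracking event and no change on the peer is what deserves a packet capture on the segment, and a bad-auth source that is not one of your routers is the strongest signal this log can give you.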

You can specify secondary virtual router interface for the same VRRP group:
R1(config-if)#int gi 0/0
R1(config-if)#vrrp 23 ip 172.19.1.1 secondary

% warning: address is not within a subnet on this interface     <---- the secondary virtual address must belong to a subnet configured on that interface

R1(config-if)#vrrp 23 ip 10.10.10.100 secondary




You can set the VRRP group IP address equal to the interface's own IP address. That router is then the IP address owner and its priority becomes 255 (manually only 1-254 can be configured), so it always wins the election while it is up:
 R2#sh vrrp
GigabitEthernet0/0 - Group 23
  State is Master
  Virtual IP address is 10.10.10.2
  Virtual MAC address is 0000.5e00.0117
  Advertisement interval is 10.000 sec
  Preemption enabled
  Priority is 255
  Authentication MD5, key-string
  Master Router is 10.10.10.2 (local), priority is 255
  Master Advertisement interval is 10.000 sec
  Master Down interval is 30.003 sec

7. VRRP verification commands

R1#show vrrp ?
  all        Include groups in disabled state
  brief      Brief output
  interface  VRRP interface status and configuration
  |          Output modifiers
  <cr>

R1#show vrrp
GigabitEthernet0/0 - Group 23
TEST_VRRP_GROUP
  State is Init
  Virtual IP address is 10.10.10.10
    Secondary Virtual IP address is 10.10.10.100
    Secondary Virtual IP address is 172.19.1.1 (wrong subnet for this interface)
  Virtual MAC address is 0000.5e00.0117
  Advertisement interval is 100.000 sec
  Preemption enabled, delay min 200 secs
  Priority is 160 (cfgd 250)
    Track object 1 state Down decrement 90
  Authentication MD5, key-string
  Master Router is 10.10.10.2, priority is 100
  Master Advertisement interval is 10.000 sec
  Master Down interval is 300.023 sec


R1#show vrrp interface gi 0/0
GigabitEthernet0/0 - Group 23
TEST_VRRP_GROUP
  State is Init
  Virtual IP address is 10.10.10.10
    Secondary Virtual IP address is 10.10.10.100
    Secondary Virtual IP address is 172.19.1.1 (wrong subnet for this interface)
  Virtual MAC address is 0000.5e00.0117
  Advertisement interval is 100.000 sec
  Preemption enabled, delay min 200 secs
  Priority is 160 (cfgd 250)
    Track object 1 state Down decrement 90
  Authentication MD5, key-string
  Master Router is 10.10.10.2, priority is 100
  Master Advertisement interval is 10.000 sec
  Master Down interval is 300.023 sec


R1#sh vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Gi0/0              23  160 300023      Y  Init    10.10.10.2      10.10.10.10

R1#debug  vrrp ?
  all      Debug all VRRP information
  auth     VRRP authentication reporting
  errors   VRRP error reporting
  events   Protocol and Interface events
  packets  VRRP packet details
  state    VRRP state reporting
  track    Monitor tracking
  <cr>

R1#sh run int gi 0/0 | i vrrp
 vrrp 23 description TEST_VRRP_GROUP
vrrp 23 ip 10.10.10.10
vrrp 23 ip 10.10.10.100 secondary
vrrp 23 ip 172.19.1.1 secondary
vrrp 23 timers advertise 100
vrrp 23 timers learn
vrrp 23 preempt delay minimum 200
vrrp 23 priority 250
vrrp 23 authentication md5 key-string myplaintextpass
vrrp 23 track 1 decrement 90