FHRP Overview
First Hop Redundancy Protocol Overview
- Used to provide default gateway resiliency for end-hosts
- Uses a virtual IP address/MAC address pair
  - Resilient gateways share the same virtual IP address
  - Only one router responds to ARP requests for the VIP
  - The response contains the virtual MAC address
- If the active gateway fails, a backup gateway becomes active
  - Keeps track of peers using a keepalive protocol
- Needs to keep track of northbound links
  - Uses object tracking, tied to the priority value
Hot Standby Routing Protocol (HSRP)
- Cisco Proprietary
- Topology Roles
  - One Active Gateway
  - One Standby Gateway
  - One Virtual Gateway
    - IP/MAC address pair
    - Logical device running on the Active Gateway
  - Other devices
- Control traffic sent to UDP/1985
  - See the HSRP Versions section for the destination IP address
- Supports Bidirectional Forwarding Detection
- The HSRP active router and the STP root should be configured on the same switch
- Enabled at interface level
  - (config-if)#standby ip <virtual IP gateway>
HSRP Groups
- Default group 0
- 16 groups maximum
- Group ID included in Virtual MAC address
  - 0000.0C07.ACXX
    - XX = group number
- Command:
  - (config-if)#standby <group-id> ip <virtual IP gateway>
HSRP Pre-emption
- Pre-emption disabled by default
  - Without pre-emption the active gateway doesn't change even if a different gateway has a higher priority
  - Only changes based on timers if the active gateway fails
- Can be changed manually
  - Command:
    - (config-if)#standby <group-id> preempt [delay minimum <0-3600 seconds>]
  - Can delay the pre-emption for a minimum wait time
HSRP Priorities
- Used to define the active gateway
- Default priority 100
- Value of 0 to 255
- Higher priority preferred
- Command:
  - (config-if)#standby <group-id> priority <0-255>
- If the priority is the same, the highest configured IP address will become active
HSRP Authentication
- MD5 and clear text supported
- Clear text
  - Default setting
  - Maximum 8 characters
  - Default password is 'cisco'
  - Command:
    - (config-if)#standby <group-id> authentication <key string>
    - (config-if)#standby <group-id> authentication text <key-string>
- MD5 (only supported on Version 2)
  - Key-chains are supported
  - Maximum 64 characters
  - Can enter key-string manually
  - Command:
    - (config-if)#standby <group-id> authentication md5 key-string <key-string>
    - (config-if)#standby <group-id> authentication md5 key-chain <key-chain-name>
HSRP States
- INITIAL
  - Starting state
  - State after a config change or interface up
- LISTEN
  - Router knows the Virtual IP address
  - Listens for Hello messages
- SPEAK
  - Sends periodic Hello messages
  - Actively participates in the election of the standby or active router
- STANDBY
  - Sends periodic Hello messages
  - Candidate for next active router
- ACTIVE
  - Sends periodic Hello messages
  - Forwards packets
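As an added example (not from the original notes), a decoder for the HSRPv1 packet carried in the UDP/1985 payload, using the field layout of RFC 2281, that reads the state and authentication fields covered in the HSRP Authentication and HSRP States sections and flags hellos still carrying the default 'cisco' key. The sample packet is constructed, not captured, and the hold-time sanity check is an added assumption.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

HSRP_UDP_PORT = 1985
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
# State codes from RFC 2281; Learn is in the RFC but not in the notes above
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_KEY = b"cisco"          # default clear-text authentication data

@dataclass
class HsrpPacket:
    opcode: str
    state: str
    hello_time: int
    hold_time: int
    priority: int
    group: int
    auth_key: bytes
    virtual_ip: str

def parse_hsrp_v1(payload: bytes) -> HsrpPacket:
    """Decode the 20-byte HSRPv1 packet that follows the UDP header."""
    if len(payload) < 20:
        raise ValueError(f"HSRPv1 packet is 20 bytes, got {len(payload)}")
    (version, opcode, state, hello, hold, prio, group, _reserved,
     auth, vip) = struct.unpack("!8B8s4s", payload[:20])
    if version != 0:
        raise ValueError(f"unexpected HSRPv1 version field {version}")
    return HsrpPacket(OPCODES.get(opcode, "Unknown"), STATES.get(state, "Unknown"),
                      hello, hold, prio, group,
                      auth.rstrip(b"\x00"),          # key is null-padded to 8 bytes
                      str(IPv4Address(vip)))

def audit(payload: bytes) -> list:
    """Findings a defender would alert on for one captured HSRPv1 packet."""
    pkt = parse_hsrp_v1(payload)
    findings = []
    if pkt.auth_key == DEFAULT_KEY:
        findings.append(f"group {pkt.group}: default clear-text key 'cisco' in use")
    if pkt.hold_time <= pkt.hello_time:   # assumption: hold must exceed hello to be sane
        findings.append(f"group {pkt.group}: hold {pkt.hold_time}s not greater than hello {pkt.hello_time}s")
    return findings

# Constructed sample (not a real capture): Active router, group 1, priority 100,
# hello 3 s / hold 10 s, default key, virtual IP 10.0.0.1
SAMPLE_HELLO = bytes([0, 0, 16, 3, 10, 100, 1, 0]) + b"cisco\x00\x00\x00" + bytes([10, 0, 0, 1])
```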
HSRP Timers
- Hello
- Hold
- Can be configured manually
  - Command:
    - (config-if)#standby <group-id> timers <hello time (secs)> <hold time (secs)>
- Pre-empt delay timer, so that pre-emption only occurs after the switch has fully rebooted and re-established its network connectivity
HSRP Versions
- HSRPv1:
  - Default version
  - Virtual MAC address 0000.0C07.AC##
  - Hello packets sent to multicast address 224.0.0.2
  - Group number from 0 to 255
- HSRPv2:
  - Cisco IOS 12.2(46)SE and later
  - Virtual MAC address 0000.0C9F.F###
  - Hello packets sent to 224.0.0.102
    - Doesn't overlap with the ALL ROUTERS address (224.0.0.2)
  - Group number from 0 to 4096
  - Supports IPv6
  - Command:
    - (config-if)#standby version 2
- HSRPv1 and HSRPv2 have different packet formats
  - Configure all devices in the same HSRP group to the same version
HSRP Tracking
- Makes the default gateway depend on its northbound connection
- Default decrement on a tracked interface is 10
  - Can be adjusted manually
  - Command:
    - (config-if)#standby <group-id> track <track number> decrement <priority decrement value>
- Can track an interface or an object
  - (config)#track <#> interface <interface>
    - Line protocol/IP routing
  - (config)#track <#> ip route <network> <mask>
    - Network reachability
  - (config)#track <#> list <#>
    - Define complex conditions
    - Verify parameters such as IP SLA
Virtual Router Redundancy Protocol (VRRP)
- Open Standard
- Topology Roles:
  - One Active Gateway
    - Master Router
    - Forwards traffic
  - Several Standby Gateways
    - Backup Routers
    - Ready to take over the role of Master Router
- Creates "Virtual Routers"
  - Consist of 1 or more routers
  - Can use the real IP address of an interface on a router
    - The router with that IP address becomes the Master
    - In a failure scenario, a Backup router in the VRRP group takes over that IP address
  - If a Virtual IP address is used, the Master is the router with the highest priority
- Uses IP Protocol 112
  - Traffic sent to multicast address 224.0.0.18
  - Only the Master Router sends VRRP advertisements
VRRP Groups
- VRRP supports up to 255 groups on a single interface
- Group ID included in Virtual MAC address
  - Virtual MAC address is 0000.5E00.01XX
    - XX = VRRP group number
- Command:
  - (config-if)#vrrp <group-id> ip <virtual-ip>
VRRP Pre-emption
- Pre-emption enabled by default
  - A router with a higher priority takes over the virtual router master role from the current master
- Can change the pre-empt delay wait time manually
- Command:
  - (config-if)#vrrp <group-id> preempt [delay minimum <seconds>]
VRRP Priorities
- Default is 100
- Master Router is 255 (if using a real IP address)
- Backup router ranges from 1 to 254
- Higher priority is preferred
- Priority of 0 indicates the current master has stopped participating in VRRP
- Command:
  - (config-if)#vrrp <group-id> priority <0-254>
VRRP Authentication
- VRRP supports 3 authentication methods
  - No Authentication
  - Plaintext
    - Command:
      - (config-if)#vrrp <group-id> authentication text <password>
  - MD5
    - Can be a Key-String or Key-Chain
    - Key String
      - Up to 64 characters
      - Command:
        - (config-if)#vrrp <group-id> authentication md5 key-string <password>
    - Key-Chain
      - Up to 80 characters
      - Command:
        - (config-if)#vrrp <group-id> authentication md5 key-chain <key-chain-name>
VRRP Timers
- All routers in the group must have the same time interval values
- Hello
- Hold (Master down)
  - 3 x advertisement interval + skew time
- Skew time
  - (256 - priority)/256 in ms
  - e.g. (256 - 100)/256 = 0.609375ms
- Default time value is in seconds unless msec is specified
- Command:
  - (config-if)#vrrp <group-id> timers advertise <time value> [msec]
- Backup routers can be configured to learn the time values from the master
- Command:
  - (config-if)#vrrp <group-id> timers learn
VRRP Versions
- VRRPv3 supports IPv6
- Globally enabled
  - Command:
    - (config)#fhrp version vrrp v3
VRRP Tracking
- Can only track objects
- Can align tracking with router priorities
  - Can affect the way northbound traffic is sent
- Command:
  - (config-if)#vrrp <group-id> track <track number> decrement <priority decrement>
Gateway Load Balancing Protocol (GLBP)
- Cisco Proprietary
- Single Virtual IP and multiple Virtual MAC addresses
  - Virtual IP address can be an interface address
- Automatic re-routing in the event of failure
- Can perform active/active load balancing
  - All devices can be active and forwarding traffic
  - Traffic can be load-balanced equally or unequally
- In environments where VLANs span multiple switches, HSRP is the recommended FHRP
  - The Active Gateway should be the Root Bridge for the VLAN the FHRP is configured on
- Control traffic sent to multicast address 224.0.0.102
  - Same address as HSRPv2
  - UDP/3222
- Similar to other FHRPs, GLBP is enabled at interface level
- Command:
  - (config-if)#glbp ip <virtual ip gateway>
GLBP Roles
- 2 roles defined for GLBP:
  - AVG - Active Virtual Gateway
    - Only 1 elected for the group
    - Election based on priorities, similar to HSRP
    - Other members provide backup AVG in the event of failure
    - Responsible for assigning a virtual MAC to each member of the group
    - By default the AVG is the only AVF
      - All other devices are standby
    - Responds to client ARPs requesting the Virtual IP address of the gateway
  - AVF - Active Virtual Forwarder
    - Assigned a virtual MAC address by the AVG
    - Each AVF forwards packets sent to the virtual MAC of that AVF
GLBP Groups
- A GLBP group can have up to 4 group members (AVFs)
  - Any member in the group serves as a backup
- Supports up to 1024 GLBP groups on each physical interface
- Command:
  - (config-if)#glbp <group-id> ip <virtual ip gateway>
- Virtual MAC address:
  - 0007.b4XX.XXXX
  - The X bits consist of:
    - 6 bits set to 0
    - 10 bits set to the group number
    - 8 bits for the virtual forwarder number
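An added example (not from the original notes) that turns the virtual MAC layouts from the HSRP Groups, HSRP Versions, VRRP Groups and GLBP Groups sections into code: it builds the virtual MAC for a given protocol and group, and, the direction a defender usually needs, classifies a MAC pulled from an ARP or CAM table so you can tell which FHRP and group is answering for a gateway on a segment. The group ranges are taken from the notes (HSRPv2 is capped at 4095, the largest value the 12-bit field holds); all MAC values in the test are constructed.

```python
import re

# Virtual MAC layouts from the notes, as 48-bit integers with the variable bits zeroed
HSRP_V1 = 0x00000C07AC00   # 0000.0C07.ACxx   : low 8 bits = group (0-255)
HSRP_V2 = 0x00000C9FF000   # 0000.0C9F.Fxxx   : low 12 bits = group (0-4095)
VRRP    = 0x00005E000100   # 0000.5E00.01xx   : low 8 bits = VRID (1-255)
GLBP    = 0x0007B4000000   # 0007.b4xx.xxxx   : 6 zero bits, 10-bit group, 8-bit forwarder

def _mac_to_int(mac: str) -> int:
    """Accept any common notation: 0000.0c07.ac01, 00:00:0c:07:ac:01, 00-00-0C-07-AC-01."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def _int_to_cisco(value: int) -> str:
    h = f"{value:012x}"
    return f"{h[:4]}.{h[4:8]}.{h[8:]}"

def virtual_mac(protocol: str, group: int, forwarder: int = 1) -> str:
    """Build the virtual MAC a gateway answers ARP with for the given FHRP group."""
    if protocol == "hsrpv1" and 0 <= group <= 255:
        return _int_to_cisco(HSRP_V1 | group)
    if protocol == "hsrpv2" and 0 <= group <= 4095:
        return _int_to_cisco(HSRP_V2 | group)
    if protocol == "vrrp" and 1 <= group <= 255:
        return _int_to_cisco(VRRP | group)
    if protocol == "glbp" and 0 <= group <= 1023 and 1 <= forwarder <= 4:
        return _int_to_cisco(GLBP | (group << 8) | forwarder)
    raise ValueError(f"unknown protocol or out-of-range group: {protocol} {group}")

def classify(mac: str):
    """Identify an FHRP virtual MAC seen in an ARP or CAM table; None if it is not one."""
    v = _mac_to_int(mac)
    if v >> 8 == HSRP_V1 >> 8:
        return {"protocol": "hsrpv1", "group": v & 0xFF}
    if v >> 12 == HSRP_V2 >> 12:
        return {"protocol": "hsrpv2", "group": v & 0xFFF}
    if v >> 8 == VRRP >> 8:
        return {"protocol": "vrrp", "group": v & 0xFF}
    if v >> 24 == GLBP >> 24 and (v >> 18) & 0x3F == 0:   # the 6 reserved bits must be zero
        return {"protocol": "glbp", "group": (v >> 8) & 0x3FF, "forwarder": v & 0xFF}
    return None
```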
GLBP Pre-emption
- Supports pre-emption of AVG role
  - Pre-emption disabled by default
- Command:
  - (config-if)#glbp <group-id> forwarder preempt [delay <seconds>]
GLBP Priorities
- Used for election of AVG
  - Highest priority is elected AVG
- Default priority is 100
- Value of 1 to 255
- If priority is the same, the highest configured IP address will become AVG
- Command:
  - (config-if)#glbp <group-id> priority <0-255>
GLBP Load Balancing
- Load balancing can be configured as one of the following 3 options:
  - Weighted Load Balancing
  - Host-dependent Load Balancing
  - Round-Robin Load Balancing
- Command:
  - (config-if)#glbp <group-id> load-balancing <weighted | host-dependent | round-robin>
- If no load balancing option is selected, the AVG responds to ARP requests with its own vMAC address
  - Performs the same functionality as HSRP
- Weighted Load Balancing
  - The AVF weighting determines the load-balancing ratio, i.e. how many clients are directed to it
  - Set different load-balancing ratios
  - Default weight = 100
  - Can set initial weight values and thresholds
    - Track interface states and set decrement values
  - Weighting provides more flexibility than HSRP and VRRP
  - When an AVF router's weighting drops below the specified lower threshold, the router will no longer be an AVF
  - When the weighting rises above the specified upper threshold, forwarding will resume
  - Command:
    - (config-if)#glbp <group-id> weighting <weight> [lower <lower threshold> upper <higher threshold>]
- Host-dependent Load Balancing
  - Per-host vMAC
  - A client is always directed towards the same AVF
- Round-Robin Load Balancing
  - vMAC per ARP request
  - AVFs assigned to clients in round-robin style
GLBP Authentication
- Same configuration as HSRP and VRRP
- Supports Cleartext and MD5 authentication
GLBP Timers
- Hello
  - Default is 3 seconds
  - Range is 50ms to 60 seconds
- Hold Time
  - Determines if action is required to take over the AVG or virtual forwarder
  - Must be greater than 3 times the Hello timer
  - Default 10 seconds
  - Range 1 to 180 seconds
- Redirect Time
  - Time during which the AVG redirects clients to the AVF
  - Learned from the AVG or configured manually
  - Default 5 minutes
  - Range 1 second to 60 minutes
- Secondary Hold Time
  - Time for which the SVF remains valid after the AVF fails
  - SVF removed once the timer expires, and load balancing recalculated to forward to the remaining forwarders
  - Should be longer than the ARP cache age of the client
  - Learned from the AVG or configured manually
  - Default 1 hour
  - Range 40 minutes to 18 hours
- Timers can be configured manually
  - Command:
    - (config-if)#glbp <group-id> timers [msec] <hello time> [msec] <hold time>
    - (config-if)#glbp <group-id> timers redirect <redirect time> <timeout>
GLBP Tracking
- GLBP can also perform IP SLA tracking
  - Can base weights on tracking output
- Default decrement on tracked objects is 10
  - Can be configured manually
- Command:
  - (config-if)#glbp <group-id> track <track id> decrement <weight decrement value>
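An added simulation (not Cisco's implementation or code from the original notes) of the AVG decision from the GLBP Load Balancing section together with the weighting decrements from GLBP Tracking: each ARP reply for the VIP carries one AVF's virtual MAC, chosen round-robin, per host, or in proportion to weight, and an AVF drops out below its lower threshold and only returns above its upper one. Hashing the client MAC for host-dependent mode and the served/weight ratio for weighted mode are assumptions standing in for the real AVG algorithm; the threshold behaviour follows the notes.

```python
import zlib

class Avf:
    """One Active Virtual Forwarder: its virtual MAC, GLBP weight and the lower/upper thresholds."""
    def __init__(self, vmac: str, weight: int = 100, lower: int = 0, upper: int = 0):
        self.vmac, self.weight, self.lower, self.upper = vmac, weight, lower, upper
        self.forwarding = True

    def track_change(self, decrement: int) -> bool:
        """Apply a tracked-object decrement (negative when the object comes back) and return
        whether this AVF still forwards: it stops below 'lower' and only resumes above 'upper'."""
        self.weight -= decrement
        if self.forwarding and self.weight < self.lower:
            self.forwarding = False
        elif not self.forwarding and self.weight > self.upper:
            self.forwarding = True
        return self.forwarding

class Avg:
    """Active Virtual Gateway: chooses which AVF virtual MAC goes into each ARP reply for the VIP."""
    def __init__(self, avfs, mode: str = "round-robin"):
        self.avfs, self.mode = list(avfs), mode
        self._rr = 0                                     # round-robin cursor
        self._served = {a.vmac: 0 for a in self.avfs}    # ARP replies handed out per AVF

    def arp_reply(self, client_mac: str) -> str:
        eligible = [a for a in self.avfs if a.forwarding]
        if not eligible:
            raise RuntimeError("no AVF is above its weighting threshold")
        if self.mode == "round-robin":        # cycle through the eligible AVFs
            avf = eligible[self._rr % len(eligible)]
            self._rr += 1
        elif self.mode == "host-dependent":   # same client MAC -> same AVF (hash is an assumption)
            avf = eligible[zlib.crc32(client_mac.lower().encode()) % len(eligible)]
        elif self.mode == "weighted":         # replies in proportion to weight (assumed scheme)
            avf = min(eligible, key=lambda a: self._served[a.vmac] / a.weight)
        else:
            raise ValueError(f"unknown load-balancing mode {self.mode!r}")
        self._served[avf.vmac] += 1
        return avf.vmac

def reply_counts(avg: Avg, clients) -> dict:
    """Answer one ARP request per client and return how many replies each AVF's vMAC got."""
    counts = {a.vmac: 0 for a in avg.avfs}
    for mac in clients:
        counts[avg.arp_reply(mac)] += 1
    return counts
```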