First Hop Redundancy Protocols in IPv6: HSRP + GLBP


Source: http://www.router-switch.com/

Currently Cisco has support for Hot Standby Router Protocol (HSRP) and Gateway Load Balancing Protocol (GLBP) in IPv6. There is an RFC 5798 for Virtual Router Redundancy Protocol (VRRP), but checking the Doc CD for this up to IOS 15.2M&T in the IPv6 configuration guide, I did not see it.

This post will only be covering HSRP and GLBP operations, but we need to cover some basic operations of IPv6 Neighbor Discovery (ND) before we get into FHRPs.

By default, IPv6 will use Router Advertisement (RA) to announce the presence of a router on a segment and use the Default Router Preference (DRP) options inside ND to determine the default gateway used.

IPv6 has a built-in redundancy mechanism inside ND called Neighbor Unreachability Detection (NUD), which uses Neighbor Solicitation (NS) and Neighbor Advertisement (NA) to detect the failure. Reading RFC 5798, the most aggressive timers will only achieve failover within 5 seconds, which would significantly increase the overhead of ND traffic in a real world network of, say, 254 hosts in the most common IPv4 VLAN design with a /24 subnet. There is a good post on packetlife.net that shows this brought down to about 1 second by adjusting the Router Advertisement (RA) lifetime and Router Advertisement interval; see it for more detailed information.

So now that we know that IPv6 uses ND and has a mechanism for detecting default routers and failover, why do we need FHRPs? Well this post is not here to debate the why of this, but to look at the how with some packet captures. But I would think that FHRPs are there for the same reason we have so many protocols that sort of overlap: we are always looking for a better mouse trap. And in limited testing, relying on ND for default router and failover does not scale to provide the predictable and reliable configurations that the FHRPs do. For example, I found no preempt capabilities for the default router election. I will also make a nod to IPv6 security and mention that NUD has no authentication mechanism. Authentication can be accomplished using Secure Neighbor Discovery (SeND), but is out of the scope of this post.

Now back to FHRPs. Let's do what we do and mock up a very basic FHRP network on a LAN segment, and take a look at a few configuration parameters. We'll start with HSRP, then GLBP, along with some packet captures with Wireshark, and discuss some of the differences between the IPv4 and IPv6 versions of each.

The very basic FHRP network will use HOST1, R1, and R2 on the LAN for the FHRP and a WAN router with serial interfaces for tracking and failover scenarios.

BASIC FHRP NETWORK DIAGRAM

Hot Standby Router Protocol (HSRP)

The first step to configure HSRP for IPv6 is to enable HSRP version 2, which is required for IPv6 support: standby version 2. After that, the standby commands are pretty much the same as with IPv4: creating groups and adding tracking and preemption capabilities.

After configuration of HSRP and the Active -> Standby negotiation is complete, the Active HSRP router will send the RAs, and the IPv6 hosts will use the new link-local address that is auto-configured with the command standby 1 ipv6 autoconfig. This can be seen on HOST1 in the output of show ipv6 int f0/0.

HOST1#sh ipv6 int f0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::233:33FF:FE33:3333
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:DB8:1212::3, subnet is 2001:DB8:1212::/64
  Joined group address(es):
    FF02::1
    FF02::1:FF00:3
    FF02::1:FF33:3333
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  Default router is FE80::5:73FF:FEA0:1 on FastEthernet0/0

The R1 and R2 HSRP groups will communicate over multicast address FF02::66.

R1#sh ipv6 int f0/0 | b Joined
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::66
    FF02::1:FF00:1
    FF02::1:FF11:1111

R2#sh ipv6 int f0/0 | b Joined
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::66
    FF02::1:FF00:2
    FF02::1:FF22:2222

HSRP INTERFACE ROUTER CONFIGURATIONS and SHOW COMMANDS

R1#sh run int f0/0
interface FastEthernet0/0
 mac-address 0011.1111.1111
 ipv6 address 2001:DB8:1212::1/64
 standby version 2
 standby 1 ipv6 autoconfig
 standby 1 priority 200
 standby 1 preempt
 standby 1 track Serial0/0

R2#sh run int f0/0
interface FastEthernet0/0
 mac-address 0022.2222.2222
 ipv6 address 2001:DB8:1212::2/64
 standby version 2
 standby 1 ipv6 autoconfig
 standby 1 preempt
 standby 1 track Serial0/1

R1#sh standby
FastEthernet0/0 Group 1 (version 2)
  State is Active
    7 state changes, last state change 00:02:15
  Virtual IP address is FE80::5:73FF:FEA0:1
  Active virtual MAC address is 0005.73a0.0001
    Local virtual MAC address is 0005.73a0.0001 (v2 IPv6 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.432 secs
  Preemption enabled
  Active router is local
  Standby router is FE80::222:22FF:FE22:2222, priority 100 (expires in 7.388 sec)
  Priority 200 (configured 200)
    Track interface Serial0/0 state Up decrement 10
  Group name is hsrp-Fa0/0-1 (default)

R2#sh standby
FastEthernet0/0 Group 1 (version 2)
  State is Standby
    7 state changes, last state change 00:02:27
  Virtual IP address is FE80::5:73FF:FEA0:1
  Active virtual MAC address is 0005.73a0.0001
    Local virtual MAC address is 0005.73a0.0001 (v2 IPv6 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.008 secs
  Preemption enabled
  Active router is FE80::211:11FF:FE11:1111, priority 200 (expires in 8.060 sec)
    MAC address is 0011.1111.1111
  Standby router is local
  Priority 100 (default 100)
    Track interface Serial0/1 state Up decrement 10
  Group name is hsrp-Fa0/0-1 (default)
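One thing the show standby output above does not make obvious is how priority, tracking and preemption interact when the tracked WAN link actually fails. The following is an added model of that election, not IOS code and not from the original post: it takes R1 and R2 with the priorities and tracked interfaces shown in the show runs, applies the decrement per down interface (the lab shows the default of 10), and lets a preempt-enabled router take over only when its effective priority is strictly higher. The tie-break on the higher link-local address and the clamping of priority at 0 are modelling choices.

```python
"""HSRP election model: priority, interface tracking and preemption.

Added illustration, not IOS code. R1/R2 values are taken from the lab's
show runs; decrement handling and the address tie-break are modelled as
described in the comments.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HsrpRouter:
    name: str
    link_local: str                              # tie-break key: higher address wins
    priority: int = 100                          # 'standby 1 priority'
    preempt: bool = False                        # 'standby 1 preempt'
    track: dict = field(default_factory=dict)    # interface -> decrement
    link_up: dict = field(default_factory=dict)  # interface -> bool (default up)

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        p = self.priority
        for intf, dec in self.track.items():
            if not self.link_up.get(intf, True):
                p -= dec
        return max(p, 0)  # model: never below the protocol's minimum of 0


def _key(r: HsrpRouter):
    return (r.effective_priority(), int(ipaddress.IPv6Address(r.link_local)))


def elect_active(routers, current=None):
    """Return the router that should be Active.

    Model: with no Active router, the highest (priority, address) wins.
    An existing Active router keeps the role unless another router has
    preempt enabled and a strictly higher effective priority.
    """
    best = max(routers, key=_key)
    if current is None or best is current:
        return best
    if best.preempt and best.effective_priority() > current.effective_priority():
        return best
    return current


def track_scenario(decrement=10):
    """Walk the lab through a WAN link failure on R1; return the Active router at each step."""
    r1 = HsrpRouter("R1", "FE80::211:11FF:FE11:1111", priority=200, preempt=True,
                    track={"Serial0/0": decrement})
    r2 = HsrpRouter("R2", "FE80::222:22FF:FE22:2222", priority=100, preempt=True,
                    track={"Serial0/1": decrement})
    routers = [r1, r2]
    steps = []
    active = elect_active(routers)              # initial election: R1, priority 200
    steps.append(active.name)
    r1.link_up["Serial0/0"] = False             # R1 loses its WAN link
    active = elect_active(routers, active)
    steps.append(active.name)
    r1.link_up["Serial0/0"] = True              # WAN link recovers
    active = elect_active(routers, active)
    steps.append(active.name)
    return steps


if __name__ == "__main__":
    print("decrement 10 :", track_scenario(10))    # R1 stays Active at 190
    print("decrement 150:", track_scenario(150))   # R2 preempts at 100 vs 50, R1 returns
```

With the lab's default decrement of 10, R1 drops from 200 to 190 when Serial0/0 goes down, which is still above R2's 100, so no failover happens even though R1 has lost its WAN path. The decrement has to exceed the priority gap (here, more than 100) for tracking to do anything; in IOS that is the optional trailing value on standby 1 track Serial0/0.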

HSRP SUMMARY

IPv4
  HSRPv1: UDP port 1985, multicast 224.0.0.2, MAC address 0000.0C07.ACxy, where xy is the HSRP group number in hexadecimal
  HSRPv2: UDP port 1985, multicast 224.0.0.102, MAC address range 0000.0C9F.F000 to 0000.0C9F.FFFF

IPv6
  HSRPv2: UDP port 2029, multicast FF02::66, MAC address range 0005.73A0.0000 to 0005.73A0.0FFF (4096 addresses); RAs are sent from the active HSRP router

Wireshark screen captures (view online with CloudShark):

R1 HSRP Active

R2 HSRP Standby (Passive)

R1 HSRP RA to set Default Router on HOST1

Gateway Load Balancing Protocol (GLBP)

GLBP only takes one command on the interface to put it into action: glbp 1 ipv6 FE80::100. We will just stick with this basic configuration and use the defaults, as we are only interested in seeing the protocol work, not tweaking it for maximum performance.

GLBP SHOW COMMAND

R1#sh glbp
FastEthernet0/0 Group 1
  State is Active
    2 state changes, last state change 00:22:41
  Virtual IP address is FE80::100
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.736 secs
  Redirect time 600 sec, forwarder timeout 14400 sec
  Preemption disabled
  Active is local
  Standby is FE80::222:22FF:FE22:2222, priority 100 (expires in 8.692 sec)
  Priority 100 (default)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    0011.1111.1111 (FE80::211:11FF:FE11:1111) local
    0022.2222.2222 (FE80::222:22FF:FE22:2222)
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Active
      1 state change, last state change 00:22:31
    MAC address is 0007.b400.0101 (default)
    Owner ID is 0011.1111.1111
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100
    Client selection count: 2
  Forwarder 2
    State is Listen
    MAC address is 0007.b400.0102 (learnt)
    Owner ID is 0022.2222.2222
    Redirection enabled, 597.516 sec remaining (maximum 600 sec)
    Time to live: 14397.516 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is FE80::222:22FF:FE22:2222 (primary), weighting 100 (expires in 7.512 sec)
    Client selection count: 2

R2#sh glbp
FastEthernet0/0 Group 1
  State is Standby
    1 state change, last state change 00:23:17
  Virtual IP address is FE80::100
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.652 secs
  Redirect time 600 sec, forwarder timeout 14400 sec
  Preemption disabled
  Active is FE80::211:11FF:FE11:1111, priority 100 (expires in 9.696 sec)
  Standby is local
  Priority 100 (default)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    0011.1111.1111 (FE80::211:11FF:FE11:1111)
    0022.2222.2222 (FE80::222:22FF:FE22:2222) local
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Listen
    MAC address is 0007.b400.0101 (learnt)
    Owner ID is 0011.1111.1111
    Time to live: 14399.688 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is FE80::211:11FF:FE11:1111 (primary), weighting 100 (expires in 8.960 sec)
  Forwarder 2
    State is Active
      1 state change, last state change 00:23:15
    MAC address is 0007.b400.0102 (default)
    Owner ID is 0022.2222.2222
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100

Let's take a look at GLBP in action, using the default load balancing of round-robin. HOST1 will send one ping packet; at that point ND will occur for the default router FE80::100, which was set as the GLBP virtual IPv6 address on the interface with glbp 1 ipv6 FE80::100. The first packet will be sent with the MAC of Forwarder 1 on R1, and the second packet, after we clear ipv6 neighbors, will be sent with the MAC of Forwarder 2 on R2 because of the default load balancing configuration of round-robin.

HOST1#sh ipv6 int f0/0 | i router
  Default router is FE80::100 on FastEthernet0/0
HOST1#sh ipv6 neighbors
HOST1#ping 4444::4 r 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4444::4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 92/92/92 ms
HOST1#
ICMPv6-ND: DELETE -> INCMP: FE80::100
ICMPv6-ND: Sending NS for FE80::100 on FastEthernet0/0
ICMPv6-ND: Received NA for FE80::100 on FastEthernet0/0 from FE80::100
ICMPv6-ND: Neighbour FE80::100 on FastEthernet0/0 : LLA 0007.b400.0101
ICMPv6-ND: INCMP -> REACH: FE80::100
ICMPv6-ND: Received NA for FE80::100 on FastEthernet0/0 from FE80::100
ICMPv6-ND: Received RA from FE80::100 on FastEthernet0/0
HOST1#sh ipv6 neighbors fe80::100
IPv6 Address                              Age Link-layer Addr State Interface
FE80::100                                   1 0007.b400.0101  STALE Fa0/0

HOST1#clear ipv6 neighbors
ICMPv6-ND: STALE -> DELETE: FE80::222:22FF:FE22:2222
ICMPv6-ND: STALE -> DELETE: FE80::211:11FF:FE11:1111
ICMPv6-ND: STALE -> DELETE: FE80::100
HOST1#sh ipv6 neighbors fe80::100
HOST1#ping 4444::4 r 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4444::4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 88/88/88 ms
HOST1#
ICMPv6-ND: DELETE -> INCMP: FE80::100
ICMPv6-ND: Sending NS for FE80::100 on FastEthernet0/0
ICMPv6-ND: Received NA for FE80::100 on FastEthernet0/0 from FE80::100
ICMPv6-ND: NA has no link-layer option
ICMPv6-ND: Received NA for FE80::100 on FastEthernet0/0 from FE80::100
ICMPv6-ND: Neighbour FE80::100 on FastEthernet0/0 : LLA 0007.b400.0102
ICMPv6-ND: INCMP -> REACH: FE80::100
HOST1#sh ipv6 int f0/0 | i router
  Default router is FE80::100 on FastEthernet0/0
HOST1#sh ipv6 neighbors fe80::100
HOST1#sh ipv6 neighbors fe80::100
IPv6 Address                              Age Link-layer Addr State Interface
FE80::100                                   0 0007.b400.0102  STALE Fa0/0
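The debug output above shows the mechanism but not the state behind it: the AVG answers each NS for FE80::100 with a different forwarder MAC in turn, the host caches whatever link-layer option it gets, and it only solicits again once the cache entry is gone. The following is an added Python model of that exchange, not IOS code and not from the original post. The forwarder MACs, owners and virtual IP are the lab's values from the show glbp output; HOST1's MAC is constructed, the host-dependent mapping is a simplified stand-in for whatever hash IOS uses, and the takeover step models the Listen forwarder on the surviving router assuming the failed forwarder's MAC so that hosts keep a valid cache entry.

```python
"""Model of how a GLBP AVG hands out forwarder MACs through ND.

Added illustration, not IOS code. Forwarder MACs, owners and the virtual
IP are the lab's values; the host MAC and the host-dependent mapping are
constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Forwarder:
    number: int
    mac: str             # virtual MAC 0007.b400.GGFF (group, forwarder)
    primary: str         # router that owns this forwarder
    active: str          # router currently answering to this MAC
    selections: int = 0  # 'Client selection count' in show glbp


class GlbpAvg:
    """Active Virtual Gateway: answers NS for the virtual IP with one AVF's MAC."""

    def __init__(self, virtual_ip, forwarders, mode="round-robin"):
        self.virtual_ip = virtual_ip
        self.forwarders = forwarders
        self.mode = mode
        self._next = 0

    def answer_ns(self, host_mac):
        if self.mode == "round-robin":
            fwd = self.forwarders[self._next % len(self.forwarders)]
            self._next += 1
        elif self.mode == "host-dependent":
            # same host always maps to the same forwarder (simplified mapping, not Cisco's hash)
            fwd = self.forwarders[int(host_mac.replace(".", ""), 16) % len(self.forwarders)]
        else:
            raise ValueError(f"unsupported mode {self.mode}")
        fwd.selections += 1
        return fwd.mac  # the link-layer address option carried in the NA

    def forwarder_failed(self, number):
        """Another member takes over the failed AVF's MAC; hosts keep their cache entry."""
        failed = next(f for f in self.forwarders if f.number == number)
        backup = next(f for f in self.forwarders if f.number != number)
        failed.active = backup.active
        return failed.active

    def router_for(self, mac):
        return next(f.active for f in self.forwarders if f.mac == mac)


class Host:
    def __init__(self, mac):
        self.mac = mac
        self.neighbors = {}  # IPv6 address -> link-layer address (ND cache)

    def resolve(self, avg):
        """Send an NS only when there is no cache entry, as in the debug output."""
        if avg.virtual_ip not in self.neighbors:
            self.neighbors[avg.virtual_ip] = avg.answer_ns(self.mac)
        return self.neighbors[avg.virtual_ip]

    def clear_neighbors(self):
        self.neighbors.clear()  # 'clear ipv6 neighbors'


def glbp_demo():
    avg = GlbpAvg("FE80::100", [
        Forwarder(1, "0007.b400.0101", primary="R1", active="R1"),
        Forwarder(2, "0007.b400.0102", primary="R2", active="R2"),
    ])
    host = Host("0033.3333.3333")   # HOST1; MAC constructed for the example
    first = host.resolve(avg)       # first ping: NS -> NA with forwarder 1's MAC
    host.clear_neighbors()
    second = host.resolve(avg)      # second ping: round-robin gives forwarder 2
    avg.forwarder_failed(2)         # R2 goes away; R1 takes over 0007.b400.0102
    after = host.resolve(avg)       # no new NS: the cached MAC still works
    return {
        "first": first,
        "second": second,
        "after_failure": after,
        "answering_router": avg.router_for(after),
        "selection_counts": [f.selections for f in avg.forwarders],
    }


if __name__ == "__main__":
    for k, v in glbp_demo().items():
        print(f"{k}: {v}")
```

The takeover step is the part worth noticing from a resilience standpoint: because the forwarder MAC, not the router, is what the host has cached, the loss of R2 is invisible to HOST1 once R1's Listen forwarder becomes Active for 0007.b400.0102. It also shows why the NA exchange deserves attention in IPv6 security work: whatever answers the NS for FE80::100 decides where the host's traffic goes, and plain ND gives the host no way to verify the answer.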

GLBP SUMMARY

IPv4: multicast address 224.0.0.102, UDP port 3222, multiple virtual MAC addresses starting with 0007.b400.0101
IPv6: multicast address FF02::66, UDP port 3222, multiple virtual MAC addresses starting with 0007.b400.0101
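Both the HSRP summary and the GLBP summary reduce to a small set of multicast destinations, UDP ports and virtual MAC layouts, which is exactly what you need when reading a capture or writing a detection rule. The following is an added Python example serving both summaries, not from the original post and not IOS code: it derives the virtual MAC for a given group (HSRPv1 and HSRPv2 for IPv4, HSRPv2 for IPv6, GLBP group/forwarder pairs), maps an observed MAC back to its protocol and group, and runs a simple audit over constructed hello packets to flag any speaker on FF02::66 that is not one of the lab's two routers. The GLBP layout is modelled with one byte each for group and forwarder, as the MACs on this page show; the sample packets and the unexpected source address are constructed.

```python
"""Derive and recognise FHRP virtual MAC addresses and hello transport.

Added illustration, not from the page or from IOS. Address layouts are
the ones stated in the HSRP and GLBP summaries; the hello packets at the
bottom are constructed sample data.
"""
import ipaddress

# (protocol, family) -> (multicast destination, UDP port), from the summaries
FHRP_TRANSPORT = {
    ("HSRPv1", "ipv4"): ("224.0.0.2", 1985),
    ("HSRPv2", "ipv4"): ("224.0.0.102", 1985),
    ("HSRPv2", "ipv6"): ("FF02::66", 2029),
    ("GLBP", "ipv4"): ("224.0.0.102", 3222),
    ("GLBP", "ipv6"): ("FF02::66", 3222),
}

# (name, fixed prefix, mask of the fixed bits); the remaining bits carry the group
_VMAC_RANGES = [
    ("HSRPv1 IPv4", 0x00000C07AC00, 0xFFFFFFFFFF00),   # 0000.0c07.acXY
    ("HSRPv2 IPv4", 0x00000C9FF000, 0xFFFFFFFFF000),   # 0000.0c9f.fXXX
    ("HSRPv2 IPv6", 0x000573A00000, 0xFFFFFFFFF000),   # 0005.73a0.0XXX
    ("GLBP",        0x0007B4000000, 0xFFFFFFFF0000),   # 0007.b400.GGFF
]


def _mac_int(mac):
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def _mac_str(value):
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"   # Cisco dotted notation


def hsrp_vmac(group, version, family="ipv4"):
    """Virtual MAC for an HSRP group: v1 puts the group in the last byte,
    v2 puts it in the last 12 bits of a family-specific prefix."""
    if version == 1:
        if family != "ipv4" or not 0 <= group <= 255:
            raise ValueError("HSRPv1 is IPv4 only, groups 0-255")
        return _mac_str(0x00000C07AC00 | group)
    if not 0 <= group <= 4095:
        raise ValueError("HSRPv2 groups are 0-4095")
    base = 0x00000C9FF000 if family == "ipv4" else 0x000573A00000
    return _mac_str(base | group)


def glbp_vmac(group, forwarder):
    """GLBP virtual MAC 0007.b400.GGFF (one byte each, the layout shown on this page)."""
    if not (0 <= group <= 255 and 1 <= forwarder <= 255):
        raise ValueError("group and forwarder must each fit in one byte")
    return _mac_str(0x0007B4000000 | (group << 8) | forwarder)


def classify_vmac(mac):
    """Return (protocol, group, forwarder) for a virtual MAC, or None for an ordinary MAC."""
    v = _mac_int(mac)
    for name, base, mask in _VMAC_RANGES:
        if v & mask == base:
            low = v & ~mask & 0xFFFFFFFFFFFF
            if name == "GLBP":
                return (name, low >> 8, low & 0xFF)
            return (name, low, None)
    return None


def audit_hellos(packets, authorized):
    """Flag FHRP hellos whose source is not a router expected to speak on the segment.

    packets: iterable of dicts with 'src', 'dst' and 'udp_dport'.
    authorized: addresses of the routers that are supposed to send hellos.
    """
    allowed = {ipaddress.ip_address(a) for a in authorized}
    fhrp_keys = {(ipaddress.ip_address(d), p) for d, p in FHRP_TRANSPORT.values()}
    findings = []
    for pkt in packets:
        key = (ipaddress.ip_address(pkt["dst"]), pkt["udp_dport"])
        if key in fhrp_keys and ipaddress.ip_address(pkt["src"]) not in allowed:
            findings.append(pkt["src"])
    return findings


# Constructed sample: the lab's two routers plus one unexpected speaker and one unrelated packet.
LAB_ROUTERS = {"FE80::211:11FF:FE11:1111", "FE80::222:22FF:FE22:2222"}
SAMPLE_HELLOS = [
    {"src": "FE80::211:11FF:FE11:1111", "dst": "FF02::66", "udp_dport": 2029},
    {"src": "FE80::222:22FF:FE22:2222", "dst": "FF02::66", "udp_dport": 2029},
    {"src": "FE80::ABCD:EF00:0:1", "dst": "FF02::66", "udp_dport": 2029},   # constructed, not a lab router
    {"src": "FE80::233:33FF:FE33:3333", "dst": "2001:DB8:1212::1", "udp_dport": 53},
]

if __name__ == "__main__":
    print(hsrp_vmac(1, 2, "ipv6"), classify_vmac("0005.73a0.0001"))
    print(glbp_vmac(1, 2), classify_vmac("0007.b400.0102"))
    print("unexpected hello sources:", audit_hellos(SAMPLE_HELLOS, LAB_ROUTERS))
```

Feeding classify_vmac the addresses from the show outputs on this page gives group 1 for 0005.73a0.0001 and group 1, forwarder 2 for 0007.b400.0102, which is a quick way to confirm what a capture is showing. The audit is deliberately source-based: on a segment where only R1 and R2 should be on FF02::66, any third link-local address sending to UDP 2029 or 3222 is worth an alert.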

Wireshark captures (view online with CloudShark)

WRAP UP

Quick conclusion: it seems they changed more in HSRP than in GLBP to get it ready and working with IPv6. The devil is in the details of IPv6 ICMPv6 Neighbor Discovery, as you will see the more you dig into IPv6.
