
HP IT-Symposium 2006
www.decus.de

© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

First Hop Redundancy Protocols
HSRP – VRRP – GLBP

DECUS 15.-19. May 2006

Eva Heinold
HP Global Networks Competency Center
CCCSC München

May 17, 2006

Why use first hop redundancy protocols?

• Host/client needs to find where to forward packets if the destination address is not on the same LAN

• 1. Default gateway: static config; fails if the gateway becomes unavailable even though another router would still be around

• 2. Proxy ARP: long or no host timeouts will prevent quick detection. The host will continue to attempt to send traffic to the router which originally sent the proxy ARP reply.

• 3. ICMP Router Discovery Protocol (IRDP): allows a host to quickly adapt to changes in network topology. However, only a very small number of hosts have implementations of IRDP.

• 4. RIP: some IP hosts use RIP to discover routers. These hosts will adapt to topology changes as RIP converges. However, only a very small number of hosts run RIP.

First Hop Redundancy Protocols

• Hot Standby Router Protocol (HSRP)
− Cisco informational RFC 2281 (March 1998)

• Virtual Router Redundancy Protocol (VRRP)
− IETF Standard RFC 3768 (April 2004) obsoletes RFC 2338 (1998)

• Gateway Load Balancing Protocol (GLBP)
− Cisco designed, load sharing, patent pending

Availability

• HSRP IOS 10.0
• VRRP IOS 12.0(18)ST
− Procurve 93xx/63xx FW 05.0.84
• VRRP V2 IOS 12.4
− Procurve 5400zl/3500yl
• GLBP IOS 12.2(14)S
− Cisco 1700 series, Cisco 2600 series, Cisco 3620, Cisco 3631, Cisco 3640, Cisco 3660, Cisco 3725, Cisco 3745, Cisco 7100 series, Cisco 7200 series, Cisco 7400 series, Cisco 7500 series

HSRP

• A group of routers function as one virtual router by sharing ONE virtual IP address and ONE virtual MAC address
• One (Active) router performs packet forwarding for local hosts
• The rest of the routers provide “hot standby” in case the active router fails
• Standby routers stay idle as far as packet forwarding from the client side is concerned

First Hop Redundancy with HSRP

R1—Active, Forwarding Traffic; R2, R3—Hot Standby, Idle

Gateway Routers
• R1 (HSRP ACTIVE): IP 10.0.0.254, MAC 0000.0c12.3456, vIP 10.0.0.10, vMAC 0000.0c07.ac00
• R2 (HSRP STANDBY): IP 10.0.0.253, MAC 0000.0C78.9abc, vIP and vMAC empty
• R3 (HSRP LISTEN): IP 10.0.0.252, MAC 0000.0cde.f123, vIP and vMAC empty

Clients
• CL1: IP 10.0.0.1, MAC aaaa.aaaa.aa01, GW 10.0.0.10, ARP 0000.0c07.ac00
• CL2: IP 10.0.0.2, MAC aaaa.aaaa.aa02, GW 10.0.0.10, ARP 0000.0c07.ac00
• CL3: IP 10.0.0.3, MAC aaaa.aaaa.aa03, GW 10.0.0.10, ARP 0000.0c07.ac00

HSRP Addressing

• HSRP uses the following MAC address on all media except Token Ring
− 0000.0c07.ac** (where ** is the HSRP group number)

• Token Ring interfaces use functional addresses for the HSRP MAC address.
− c000.0001.0000 (group 0)
− c000.0002.0000 (group 1)
− c000.0004.0000 (group 2)

• Some Ethernet controllers can only support a single unicast MAC
− standby use-bia
− (Use authentication to support more than one group (text string only))

• Maximum HSRP groups
− Ethernet: 256 per router. FDDI: 256 per router. Token Ring: 3 per router

HSRP defaults

• Default HSRP group 0
• Priority 100, higher IP address wins
• Tracking – reduce priority by 10 if interface drops
• The HSRP hellotime timer defaults to 3 and the holdtime timer defaults to 10.
• The destination address of HSRP hello packets is the all routers multicast address (224.0.0.2).
• HSRP runs on UDP port 1985.
• Preemption disabled

Tracking Avoids Black Holes

• Failure of uplink to core and Layer 3 link will black hole traffic
• Use HSRP tracking with preempt option

[Figure labels: Access, Distribution, Core, Layer 3, Tracked, 0/1]

HSRP Load Sharing – Tracking Example

interface Ethernet0
 ip address 171.16.6.6 255.255.255.0
 standby 1 preempt
 standby 1 ip 171.16.6.100
 standby 1 track Serial0
 standby 1 priority 95
 standby 2 preempt
 standby 2 ip 171.16.6.200
 standby 2 track serial 0

interface Ethernet0
 ip address 171.16.6.5 255.255.255.0
 standby 1 preempt
 standby 1 ip 171.16.6.100
 standby 1 track Serial0
 standby 2 preempt
 standby 2 ip 171.16.6.200
 standby 2 track serial 0
 standby 2 priority 95

Primary Router for HSRP group 1

Primary Router for HSRP group 2
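
How the two configurations above resolve, with and without a tracked-interface failure, as an added example (not part of the original slides). It assumes both routers are up and uses the slide defaults (priority 100, decrement 10, higher IP wins a tie); the function names are hypothetical.

```python
import ipaddress

DEFAULT_PRIORITY = 100  # HSRP default priority (defaults slide)
TRACK_DECREMENT = 10    # default reduction when a tracked interface drops

# The two routers from the slide: per group, configured priority and tracked
# interfaces. Both groups have "preempt" set on both routers, so the router
# with the highest effective priority takes over the active role.
ROUTERS = {
    "171.16.6.6": {1: {"priority": 95, "track": ["Serial0"]},
                   2: {"track": ["Serial0"]}},
    "171.16.6.5": {1: {"track": ["Serial0"]},
                   2: {"priority": 95, "track": ["Serial0"]}},
}


def effective_priority(router_ip, group, down):
    """Configured priority minus 10 for each tracked interface that is down."""
    cfg = ROUTERS[router_ip][group]
    prio = cfg.get("priority", DEFAULT_PRIORITY)
    failed = down.get(router_ip, set())
    return prio - TRACK_DECREMENT * sum(1 for i in cfg["track"] if i in failed)


def active_router(group, down=None):
    """Router that ends up active for `group`; ties go to the higher IP."""
    down = down or {}
    return max(ROUTERS, key=lambda ip: (effective_priority(ip, group, down),
                                        int(ipaddress.ip_address(ip))))


if __name__ == "__main__":
    for failure in ({}, {"171.16.6.5": {"Serial0"}}):
        print(failure or "no failure",
              {g: active_router(g, failure) for g in (1, 2)})
```

Without preempt (the HSRP default) the priority drop alone would not move the active role, which is why the slides pair tracking with the preempt option.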

HSRP Packet

Version | Opcode | State | Hellotime
Holdtime | Priority | Group | Reserved
Authentication Data
Authentication Data
Virtual IP Address

• Opcode (0 - hello, 1 - coup, 2 - resign)
• State (0 - initial, 1 - learn, 2 - listen, 4 - speak, 8 - standby, 16 - active)
• Hellotime (3 sec default)
• Holdtime (10 sec default)
• Priority (100 default)
• Group (standby group number)
• Authentication Data (clear-text, eight character password)
• Virtual IP Address
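
A decoder for the packet layout above with a small audit of what a monitoring host sees on UDP port 1985, as an added example (not part of the original slides). The 20-byte layout and the default authentication string "cisco" are taken from RFC 2281; the function names, the router allow-list and the sample packets are constructed for illustration.

```python
import socket
import struct

# Field values as listed on the slide; 20-byte layout per RFC 2281.
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen",
          4: "speak", 8: "standby", 16: "active"}
HSRP_LEN = 20            # 8 one-byte fields + 8-byte auth data + 4-byte virtual IP
DEFAULT_AUTH = b"cisco"  # default authentication data recommended by RFC 2281


def parse_hsrp(payload: bytes) -> dict:
    """Decode the UDP port 1985 payload of an HSRP message."""
    if len(payload) < HSRP_LEN:
        raise ValueError(f"HSRP payload too short: {len(payload)} bytes")
    (version, opcode, state, hello, hold, priority, group, _reserved,
     auth, vip) = struct.unpack("!8B8s4s", payload[:HSRP_LEN])
    return {
        "version": version,
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hello, "holdtime": hold,
        "priority": priority, "group": group,
        "auth": auth.rstrip(b"\x00"),  # clear text, NUL padded to 8 bytes
        "virtual_ip": socket.inet_ntoa(vip),
    }


def audit(src_ip: str, msg: dict, expected_routers: set) -> list:
    """Return findings for one decoded message seen on the segment."""
    findings = []
    if msg["auth"] == DEFAULT_AUTH:
        findings.append("default authentication string")
    if src_ip not in expected_routers:
        findings.append(f"{msg['opcode']} from unexpected speaker {src_ip}")
        if msg["opcode"] == "coup" or msg["state"] == "active":
            findings.append("unexpected speaker claims the active role")
    return findings


def sample_packet(opcode, state, priority, group, auth, vip):
    """Constructed sample bytes (version 0, hellotime 3, holdtime 10)."""
    return struct.pack("!8B8s4s", 0, opcode, state, 3, 10, priority, group, 0,
                       auth, socket.inet_aton(vip))


# Constructed input: R1 from the HSRP figure, and an address that is not a router.
ROUTERS = {"10.0.0.254", "10.0.0.253", "10.0.0.252"}
SAMPLES = [
    ("10.0.0.254", sample_packet(0, 16, 100, 0, b"cisco", "10.0.0.10")),
    ("10.0.0.77", sample_packet(1, 16, 255, 0, b"cisco", "10.0.0.10")),
]

if __name__ == "__main__":
    for src, raw in SAMPLES:
        msg = parse_hsrp(raw)
        print(src, msg["opcode"], msg["state"], msg["priority"],
              audit(src, msg, ROUTERS))
```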

HSRP Troubleshooting

• Sho ip interface brief
• Sho standby
− Vlan10 - Group 10
− Local state is Active, priority 110, may preempt
− Hellotime 3 holdtime 10 Next hello sent in 00:00:00.216
− Hot standby IP address is 192.168.10.100 configured
− Active router is local Standby router is 192.168.10.2 expires in 00:00:08
− Standby virtual mac address is 0000.0c07.ac0a
− 8 state changes, last state change 00:18:04
• #debug ethernet-controller address
• #debug standby

VRRP

• Very similar to HSRP - The IANA assigned VRRP the IP protocol number 112.
• A group of routers function as one virtual router by sharing ONE virtual IP address and ONE virtual MAC address
• One (master) router performs packet forwarding for local hosts
• VRRP uses a dedicated Internet Assigned Numbers Authority (IANA) standard multicast address (224.0.0.18) for VRRP advertisements
• The rest of the routers act as “back up” in case the master router fails
• Backup routers stay idle as far as packet forwarding from the client side is concerned

First Hop Redundancy with VRRP

R1—Master, forwarding traffic; R2, R3—backup

Gateway Routers
• R1 (VRRP ACTIVE): IP 10.0.0.10, MAC 0000.0c12.3456, vIP 10.0.0.10, vMAC 0000.5e00.0100
• R2 (VRRP BACKUP): IP 10.0.0.253, MAC 0000.0C78.9abc, vIP and vMAC empty
• R3 (VRRP BACKUP): IP 10.0.0.252, MAC 0000.0cde.f123, vIP and vMAC empty

Clients
• CL1: IP 10.0.0.1, MAC aaaa.aaaa.aa01, GW 10.0.0.10, ARP 0000.5e00.0100
• CL2: IP 10.0.0.2, MAC aaaa.aaaa.aa02, GW 10.0.0.10, ARP 0000.5e00.0100
• CL3: IP 10.0.0.3, MAC aaaa.aaaa.aa03, GW 10.0.0.10, ARP 0000.5e00.0100

VRRP Config for multiple Groups

Router B
interface ethernet 1/0
 ip address 10.1.0.1 255.0.0.0
 vrrp 1 priority 100
 vrrp 1 authentication cisco
 vrrp 1 timers advertise 3
 vrrp 1 timers learn
 vrrp 1 ip 10.1.0.2
 vrrp 5 priority 200
 vrrp 5 timers advertise 30
 vrrp 5 timers learn
 vrrp 5 ip 10.1.0.1
 vrrp 100 timers learn
 no vrrp 100 preempt
 vrrp 100 ip 10.1.0.100
 no shutdown

Router A
interface ethernet 1/0
 ip address 10.1.0.2 255.0.0.0
 vrrp 1 priority 120
 vrrp 1 authentication cisco
 vrrp 1 timers advertise 3
 vrrp 1 timers learn
 vrrp 1 ip 10.1.0.2
 vrrp 5 priority 100
 vrrp 5 timers advertise 30
 vrrp 5 timers learn
 vrrp 5 ip 10.1.0.1
 vrrp 100 timers learn
 no vrrp 100 preempt
 vrrp 100 ip 10.1.0.100
 no shutdown

Different Defaults
• preemption is default; disable possible
• advertise timer only 1 second default
• Authentication supports not only string, but also md5 (V1 only)
• Tracking possible as with HSRP

VRRP – Tracking of interfaces

track 1 interface Serial0/1 line-protocol
!
interface Ethernet1/0
 ip address 12.0.0.1 255.0.0.0
 vrrp 1 ip 12.0.0.2
 vrrp 1 priority 120
 vrrp 1 track 1 decrement 15

VRRP Addressing

• The virtual router MAC address associated with a virtual router is an IEEE 802 MAC Address in the following format:
• 00-00-5E-00-01-{VRID} (in hex in internet standard bit-order)
• The first three octets are derived from the IANA
• The next two octets (00-01) indicate the address block assigned to the VRRP protocol.
• {VRID} is the VRRP Virtual Router Identifier. This mapping provides for up to 255 VRRP routers on a network.

VRID   Token Ring Functional Address
1      03-00-02-00-00-00
2      03-00-04-00-00-00
3      03-00-08-00-00-00
4      03-00-10-00-00-00
5      03-00-20-00-00-00
6      03-00-40-00-00-00
7      03-00-80-00-00-00
8      03-00-00-01-00-00
9      03-00-00-02-00-00
10     03-00-00-04-00-00
11     03-00-00-08-00-00

VRRP Packet

Version | Type | Virt. Router ID | Priority | IP address count
Auth Type | Adver Int. | Checksum
IP Address (1)
…..
IP Address (n)
Authentication Data (1)
Authentication Data (2)

Troubleshooting VRRP

• Router# show vrrp (brief)
• Router# show vrrp interface
• Router# show track
− Track 1 Interface Serial0/1 line-protocol Line protocol is Down (hw down)
− 1 change, last change 00:06:53 Tracked by: VRRP Ethernet1/0 1

• Router# debug vrrp packets
− May 22 18:51:09.222: VRRP: Grp 1 Advertisement priority 105, ipaddr 10.18.0.3
− May 22 18:51:12.222: VRRP: Grp 1 Advertisement priority 105, ipaddr 10.18.0.3

• Router# debug vrrp all (includes errors, events and state)
− All routers in a VR group MUST have the same configuration
− The bad advertisement received counter increases if wrongly configured

Gateway Load Balancing Protocol

• Allow automatic selection and use of multiple, available gateways to destination
• Provide automatic detection and re-routing in the event of failure to any gateway

Fully Utilize Resources (Available Bandwidth) without Administrative Burden

First Hop Redundancy with GLBP

R1—AVG; R1, R2, R3 All Forward Traffic

Gateway Routers
• R1 (GLBP AVG/AVF, SVF): IP 10.0.0.254, MAC 0000.0c12.3456, vIP 10.0.0.10, vMAC 0007.b400.0101
• R2 (GLBP AVF, SVF): IP 10.0.0.253, MAC 0000.0C78.9abc, vIP 10.0.0.10, vMAC 0007.b400.0102
• R3 (GLBP AVF, SVF): IP 10.0.0.252, MAC 0000.0cde.f123, vIP 10.0.0.10, vMAC 0007.b400.0103

Clients
• CL1: IP 10.0.0.1, MAC aaaa.aaaa.aa01, GW 10.0.0.10, ARP 0007.B400.0101
• CL2: IP 10.0.0.2, MAC aaaa.aaaa.aa02, GW 10.0.0.10, ARP 0007.B400.0102
• CL3: IP 10.0.0.3, MAC aaaa.aaaa.aa03, GW 10.0.0.10, ARP 0007.B400.0103

GLBP

• Group of routers function as one virtual router
− by sharing one virtual IP address
− using multiple virtual MAC addresses for traffic forwarding

• Traffic is shared over multiple upstream links
− improving throughput and reducing congestion when no failure state exists

• Traffic from a single common subnet
− Goes through multiple redundant gateways
− using a single virtual IP address

GLBP

• Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that group
• A GLBP group allows up to four virtual MAC addresses per group.
− The AVG is responsible for assigning the virtual MAC addresses to each member of the group
− Each member is the primary virtual forwarder for its virtual MAC address
• Other members of the GLBP group learn the virtual MAC addresses from hello messages.
− A virtual forwarder that has learned the virtual MAC address from other members is referred to as a secondary virtual forwarder.
• GLBP supports up to 1024 virtual routers (GLBP groups)

GLBP Addressing

− GLBP will use the following multicast destination for packets sent to all GLBP group members:
• 224.0.0.102, UDP port 3222

− Virtual MAC addresses will be of the form:
• 0007.b4yy.yyyy
• where yy.yyyy equals the lower 24 bits;
• these bits consist of 6 zero bits,
• 10 bits that correspond to the GLBP group number,
• 8 bits that correspond to the virtual forwarder number
• 0007.b400.0102: last 24 bits = 0000 0000 0000 0001 0000 0010 = GLBP group 1, forwarder 2

GLBP Configuration

interface fastethernet 0/0
 ip address 10.21.8.32 255.255.255.0
 ! this enables GLBP
 glbp 10 ip 10.21.8.10
 glbp 10 authentication text stringxyz
 glbp 10 forwarder preempt delay minimum 60
 ! load-balancing options: host-dependent | round-robin | weighted
 glbp 10 load-balancing host-dependent
 glbp 10 preempt delay minimum 60
 glbp 10 priority 254
 glbp 10 timers 5 18
 glbp 10 timers redirect 600 7200

GLBP Weighting and tracking Example

track 2 interface POS 6/0 ip routing
interface fastethernet 0/0
 glbp 10 weighting 110 lower 95 upper 105
 glbp 10 weighting track 2 decrement 5

GLBP Troubleshooting

• Router# show glbp 10
• debug condition glbp
• debug glbp errors
• debug glbp events
• debug glbp packets
• debug glbp terse

GLBP Troubleshooting

• Router# show glbp brief
 Interface  Grp  Fwd  Pri  State   Address         Active router  Standby router
 Fa0/0      10   -    254  Active  10.21.8.10      local          unknown
 Fa0/0      10   1    7    Active  0007.b400.0101  local          -

• Router# debug glbp packets hello
 GLBP Packets debugging is on
 (Hello)
 1d19h: GLBP: Fa0/0 Grp 10 Hello out 10.21.8.32 VG Active pri 254 vIP 10.21.8.10 1
 1d19h: GLBP: Fa0/0 Grp 10 Hello out 10.21.8.32 VG Active pri 254 vIP 10.21.8.10 1
 1d19h: GLBP: Fa0/0 Grp 10 Hello out 10.21.8.32 VG Active pri 254 vIP 10.21.8.10 1

Tracking Gotcha

• Install a Layer 3 link between Distribution Switches to get routed around a Layer 2 up but Layer 3 down condition on distribution
• Better alternative—Dual attach distribution to Core

[Figure labels: Core, Distribution, Access; HSRP Active, HSRP Standby; HSRP Tracking unreliable; Layer 2 UP but Layer 3 down; L3 Link]

Enhanced Object Tracking (12.2(15)T)

• Previously, HSRP allowed tracking of interface line protocol state
− If the link failed, the HSRP Priority was reduced
− Another HSRP router with a higher priority could then take over

• Enhanced Object Tracking separates the tracking mechanism from HSRP and creates a new subsystem

• HSRP, GLBP, VRRP are clients and act if the state of an object changes

What Can I Track?

• Interface “line-protocol” state
− This is the same as HSRP tracking operation in prior releases; the tracking process is configured to track the line-protocol state of the interface

• Interface “routing” state
− A tracked IP routing object is considered up when the platform is routing IP, the interface line-protocol is up, and IP routing is enabled and active on the interface

• State of an IP route (reachability)
− A tracked IP route object is considered up and reachable when a routing table entry exists for the route and the route is not inaccessible

• IP route metric threshold
− Tracks the scaled metric value of an IP route to determine if it is above or below a threshold
− Scaled metric values 0-255 (255 not accessible)

More Objects over Time

Summary

• GLBP offers the most effective solution
• Is available only with 12.2 and higher
• VRRP is the only standard protocol


• Questions????


HSRP Standby IP Address Is Reported as a Duplicate IP Address

• Oct 12 13:15:41: %STANDBY-3-DUPADDR: Duplicate address 10.25.0.1 on Vlan25, sourced by 0000.0c07.ac19
• Oct 13 16:25:41: %STANDBY-3-DUPADDR: Duplicate address 10.25.0.1 on Vlan25, sourced by 0000.0c07.ac19

• Not necessarily an HSRP problem
• Spanning Tree Protocol (STP) loop or router/switch configuration issue is more likely
• Momentary STP loops
• EtherChannel configuration issues
• Duplicated frames

• A duplicate HSRP packet is ignored, so HSRP continues to operate; however, bad performance has to be expected

HSRP State Continuously Changes (Active, Standby, Speak)

• Jan 9 08:00:42.623: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Standby -> Active
• Jan 9 08:00:56.011: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Active -> Speak
• Jan 9 08:01:03.011: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Speak -> Standby
• Jan 9 08:01:29.427: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Standby -> Active
• Jan 9 08:01:36.808: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Active -> Speak

• Standby HSRP router did not receive three successive HSRP hellos
− Physical layer problems
− Excessive network traffic caused by Spanning Tree issues

HSRP Does Not Recognize Peer

• Vlan8 - Group 8
− Local state is Active, priority 110, may preempt
− Hellotime 3 holdtime 10
− Next hello sent in 00:00:01.168
− Hot standby IP address is 10.1.2.2 configured
− Active router is local
− Standby router is unknown expired
− Standby virtual mac address is 0000.0c07.ac08
− 5 state changes, last state change 00:05:03

• Active HSRP router did not receive three successive HSRP hellos
− Physical layer problems
− Excessive network traffic caused by Spanning Tree issues

HSRP State Changes and Switch Reports

• 2005 Jan 03 14:18:43 %SYS-4-P2_WARN: 1/Host 00:00:0c:14:9d:08 is flapping between port 2/4 and port 2/3

• If the MAC address that is reported as moving between two ports is the HSRP virtual MAC address, the problem is most likely an issue in which both HSRP routers go into the active state.

• If the MAC address that is reported is not the HSRP virtual MAC address, the issue can indicate a loop, duplication, or reflection of packets in the network.
− Physical layer problems
− Excessive network traffic caused by Spanning Tree issues

HSRP State Changes and Switch Reports

• *Mar 9 14:51:12: %RTD-1-ADDR_FLAP: Fast Ethernet 0/7 relearning 21 addrs per min
• *Mar 9 14:52:12: %RTD-1-ADDR_FLAP: Fast Ethernet 0/7 relearning 22 addrs per min
• *Mar 9 14:53:12: %RTD-1-ADDR_FLAP: Fast Ethernet 0/7 relearning 20 addrs per min

• MAC address moves consistently between different ports.
− only applicable on the Catalyst 2900XL and 3500XL switches.
− can indicate that two or more HSRP routers have become active.
− STP loop, duplicated frames, or reflected packets.

• switch#debug ethernet-controller address
• Ethernet Controller Addresses debugging is on
• *Mar 9 08:06:06: Add address 0000.0c07.ac02, on port 35 vlan 2
• *Mar 9 08:06:06: 0000.0c07.ac02 has moved from port 6 to port 35 in vlan 2
• *Mar 9 08:06:07: Add address 0000.0c07.ac02, on port 6 vlan 2
• *Mar 9 08:06:07: 0000.0c07.ac02 has moved from port 35 to port 6 in vlan 2
• CSCdp81680 — Incorrect RTD-1-ADDR_FLAP message
• CSCds27100 and CSCdr30113 — FastEtherChannel issues cause RTD-1-ADDR_FLAP
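
The check the last two slides describe (is the moving MAC a virtual MAC or not?), as an added example that is not part of the original slides. It goes beyond HSRP by also decoding the VRRP and GLBP formats from the addressing slides; the function names are hypothetical and the sample input is the log lines quoted above.

```python
import re

MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b|\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b",
    re.IGNORECASE)

DUAL_ACTIVE = "virtual MAC is moving: check whether two routers are active for the group"
LOOP = "not a virtual MAC: check for a loop, duplicated or reflected frames"


def classify_vmac(mac: str):
    """Return (protocol, group, forwarder) for an FHRP virtual MAC, else None."""
    value = int(re.sub(r"[.:-]", "", mac), 16)
    if value >> 8 == 0x00000C07AC:              # HSRP: 0000.0c07.ac** (group)
        return ("HSRP", value & 0xFF, None)
    if value >> 8 == 0x00005E0001:              # VRRP: 00-00-5E-00-01-{VRID}
        return ("VRRP", value & 0xFF, None)
    low24 = value & 0xFFFFFF
    if value >> 24 == 0x0007B4 and low24 >> 18 == 0:
        # GLBP: 6 zero bits, 10-bit group number, 8-bit forwarder number
        return ("GLBP", (low24 >> 8) & 0x3FF, low24 & 0xFF)
    return None


def triage(lines):
    """Classify the MAC in every address-move report; other lines are skipped."""
    findings = []
    for line in lines:
        if "flapping" not in line and "has moved" not in line:
            continue
        match = MAC_RE.search(line)
        if match:
            vmac = classify_vmac(match.group(0))
            findings.append((match.group(0), vmac, DUAL_ACTIVE if vmac else LOOP))
    return findings


# Sample input: log lines quoted on the slides above.
SAMPLE_LINES = [
    "2005 Jan 03 14:18:43 %SYS-4-P2_WARN: 1/Host 00:00:0c:14:9d:08 "
    "is flapping between port 2/4 and port 2/3",
    "*Mar 9 08:06:06: Add address 0000.0c07.ac02, on port 35 vlan 2",
    "*Mar 9 08:06:06: 0000.0c07.ac02 has moved from port 6 to port 35 in vlan 2",
    "*Mar 9 08:06:07: 0000.0c07.ac02 has moved from port 35 to port 6 in vlan 2",
]

if __name__ == "__main__":
    for mac, vmac, advice in triage(SAMPLE_LINES):
        print(mac, vmac, advice)
```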

HSRP State Changes and Switch Reports: MLS-TOO-MANY-MOVES in Syslog

• 05/13/2005,08:55:10:MLS-4:Too many moves, stop MLS for 5 sec! (20000000)
• 05/13/2005,08:55:15:MLS-4:Resume MLS after detecting too many moves
• MAC address is learned on two different ports.
• only reported on Catalyst 5500/5000 switches.
• mls notification command provides a table address (TA) value.
• show looktable TA-value command returns a possible MAC address that you can trace to the root of the problem.

HSRP Intermittent State Changes on Multicast Stub Network

• No load balancing for multicast traffic on LANs.
• All multicast traffic is always visible to every router
• Each multicast packet must be analyzed individually.
• High multicast traffic therefore causes high CPU load on routers not able to handle this in HW
• High CPU load can cause HSRP packet losses
• Enable HW access lists on non-DR routers
− access-list 100 permit ip A.B.C.0 0.0.0.255 any
− access-list 100 permit ip A.B.D.0 0.0.0.255 any
− access-list 100 permit ip any 224.0.0.0 0.0.0.255
− access-list 100 permit ip any 224.0.1.0 0.0.0.255
− access-list 100 deny ip any 224.0.0.0 15.255.255.255