CCNP Studies: Configuring HSRP



Published in: Technology, Education

  1. 1. CCNP Studies: Configuring HSRP

        Part One

        Here I want to share some of my findings as I lab and demystify the various exam topics. I hope we can create some discussion in comments with those of you who are also pursuing the CCNP, and I encourage the old hands to dive in, too. HSRP is on the cards today, and I’m going to break it into two parts. I’ll tackle part one today: a single VLAN configuration. In part two, we’ll optimize the design by adding some load balancing.

        Ready? Let’s go!

        Hot Standby Router Protocol (HSRP), developed by Cisco, is used to provide layer 3 gateway redundancy. Commonly found at the distribution layer, HSRP uses a virtual IP and MAC address which a backup gateway will take control of in the event of failure. HSRP uses one Active and one Standby router. The virtual IP address is configured on both the Active and the Standby. There is only one virtual IP address and virtual MAC per HSRP group.

        Timers

        HSRP sends hellos to the “all routers” multicast address every 3 seconds by default. The dead timer is 10 seconds by default. Both timers can be tuned in milliseconds to ensure fast failover. If the Standby router stops seeing hello packets from the Active it will assume it is down and will take over as the Active router. Timers on all routers must match.

        HSRP requires layer 2 connectivity between routers.

        HSRP State Machine

        HSRP is a state machine consisting of these five states:

            Initial: HSRP doesn’t run. This state is seen when an interface comes up
            Listen: listens for hellos, knows the virtual IP
            Speak: sends hellos and participates in the election
            Standby: candidate for next active router
            Active: currently forwards packets sent to the virtual IP

        Let’s take a look at the topology we’ll be working with:
  2. 2. We will be configuring HSRP for VLAN 50. An HSRP group number needs to be defined on the SVI for VLAN 50. Make sure VLAN 50 exists on the devices first. The group number (1 in the example below) is only significant to the interface, but it’s a good idea to use different numbers if you have a more complex topology with multiple VLANs. There can be only one Active and one Standby router per HSRP group. The Standby router will only step in if the Active fails. It’s important that the HSRP Active router is also the spanning tree root in order to avoid suboptimal paths.

        In this topology, we want DSW1 to be our Active router, and SW1 and SW2 should forward traffic directly to it. If spanning tree wasn’t configured to match the HSRP topology, then DSW2 could be the root switch. Traffic would flow via DSW2 to DSW1 – not what we want!

        Here’s the first part of the configuration:

            interface Vlan50
             ip address
             standby 1 ip

        Configure the VLAN 50 interface and then initiate HSRP, specifying the virtual IP address. HSRP uses a combination of a virtual IP and a virtual MAC address. The MAC uses the format 0000.0C07.ACXX (XX being the group number in hexadecimal). The virtual IP and MAC will be used by the Standby router if the Active router fails.

            Virtual IP address is
            virtual MAC address is 0000.0c07.ac01

        Priority

        We want to ensure DSW1 is always the Active router when the network is stable, so we need to configure the priorities of DSW1 and DSW2. There are two things to configure here – priority and preemption.
  3. 3. The default HSRP priority is 100, which won’t appear in the configuration. We’ll set the priority of DSW1 to 150 (Range 0-255).

            DSW1(config-if)#standby 1 priority 150

        Preempt

        An HSRP router won’t attempt to become the active router when introduced to an existing topology, even if it has a higher priority. We want DSW1 to always be the Active router if it is up and the topology is stable so we need to turn on “preempt.” Preempt will cause the router to initiate an election if it has a higher priority. If priorities are equal, the router with the highest IP address will win an election.

            DSW1(config-if)#standby 1 preempt

        If DSW1’s uplink to the core fails then comes back online, we want to ensure our routing protocol has completely converged prior to DSW1 assuming the Active role again. We can configure a preempt delay to allow time for this to happen.

            DSW1(config-if)#standby 1 preempt delay minimum 60

        Tuning the timers

        Now let’s tune the timers from their defaults. As I mentioned earlier, HSRP timers can be set in seconds or milliseconds. We’re aiming for fast convergence here so we’ll set hellos at 200 and the dead timer at 600 milliseconds.

            DSW1(config-if)#standby 1 timers msec 200 msec 600

        That’s DSW1 configured, onto DSW2:

            interface Vlan50
             ip address
             standby 1 ip
  4. 4.      standby 1 timers msec 200 msec 600
             standby 1 priority 110
            end

        DSW2’s priority is set at 110 in order to help guarantee the topology. A third router could be added into the mix at a later stage, potentially leaving us with two routers holding priorities of 100 so it’s best to configure priority on the Standby.

        Okay, we’re in business! Let’s verify the config:

        DSW1 has a priority of 150 and is configured to Preempt (P). The Active column shows “local”, indicating DSW1 is the Active router and DSW2 is the Standby.

        Here’s the output from DSW2:
  5. 5. Interface tracking

        So, what we have implemented now will handle a failure if DSW1 dies completely, but what we need to do is put some tests in place so DSW2 takes over if DSW1’s uplink to the core fails.

        HSRP interface tracking will be used and if one of the uplinks goes down (determined by line protocol status) DSW1’s priority will be decremented by 50, causing DSW2 to take over as the Active router.

            DSW1(config-if)#standby 1 track fa0/24 50

        Hang on, what’s missing here? DSW2 needs preempt enabled so it can assume Active
  6. 6. status once it sees DSW1’s priority drop to 100.

            DSW2(config-if)#standby 1 preempt

        Now the Ethernet cable from fa0/24 is pulled to test the failover.

        Boom! There you have it, HSRP configured to serve one VLAN with tuned timers and interface tracking. Watch out for my next post where we’ll explore a more complex HSRP topology with some added load balancing.

        Part Two

        Welcome back! Today, we’ll continue with HSRP, working with a slightly more complex topology. If you haven’t read part one yet, you can find it here.

        We’re going to create a few more VLANs, and the design will be modified to add in some load balancing. Our HSRP router DSW2 is exactly the same device as DSW1, but it’s in Standby mode and could be better utilized in a larger topology. By having some of our VLAN traffic route through DSW2, we can make better use of network resources while maintaining a redundant and predictable solution. Our layer two topology plays a big part in our design, as we want to make sure we have as many links as possible in a forwarding state while ensuring loop-free connectivity. Let’s take a look at the left-hand side of the original topology from a layer two perspective.
  7. 7. You can see that our uplink to DSW2 is blocking to avoid a loop, which is normal spanning tree behavior. However, what would be better is if we minimize the role of spanning tree by making the link between DSW1 and DSW2 layer three instead of layer two (let’s face it, spanning tree can be the devil). By doing this, both uplinks from the access layer to DSW1 and DSW2 will be forwarding (though our VLAN 50 traffic will always take the path through DSW1). There won’t be a loop at layer two providing we implement some controls on what VLANs are allowed on certain trunks, and convergence time will be reduced as there won’t be a fight over who and what port is forwarding in the event of a topology change.

        Cisco on best practice for optimal convergence

        “Only use L2 looped topologies if it cannot be avoided. In general practice, the most deterministic and best-performing networks in terms of convergence, reliability, and manageability are free from L2 loops and do not require STP to resolve convergence events under normal conditions. However, STP should be enabled to protect against unexpected loops on the access or user-facing interfaces.” See: Campus Network for High Availability Design Guide

        A word on asymmetric routing

        In order for the topology to be redundant, both DSW1 and DSW2 need to advertise the VLAN 50 subnet into the core. This will provide two equal cost return paths for traffic by default. On the return path in this scenario, some of the traffic would flow from the core to DSW1, and then to SW1, and some traffic would flow via DSW2. This is known as asymmetric routing, when traffic is routed back via a different path to the one it was sent on. (Access to Core traffic will always flow via DSW1 unless DSW2 becomes the Active HSRP router.) Depending on what packets you’re pushing around the network, you may want to configure a more predictable return path as asymmetric routing can cause problems in some environments.
        Having a more predictable path will make troubleshooting easier too. You can do this by tuning your routing protocol’s metric so that the route to VLAN 50 via DSW1 is preferred.

        Let’s take a look at the design of our new topology for VLAN 50:
  8. 8. Both uplinks from SW1 are forwarding from a spanning tree perspective (see more detail below on VLAN control).

        We’ve added the layer three link between the distribution switches which has taken a much desired chunk out of spanning tree’s influence on the network. This also means that hellos between the two HSRP routers will pass via the access layer due to the layer two HSRP connectivity requirements. This isn’t a problem based on our configuration, but it would pay to review your design based on access layer switch inter-connectivity.

        The full topology
  9. 9. Okay, so let’s look at the larger topology with a few more VLANs. In order to more efficiently use the hardware we’ll add load balancing by configuring VLANs 20 and 50 to use DSW1 as a gateway by making it the Active HSRP router and RSTP root for those VLANs. On the right hand side of the topology we’ll configure VLANs 80 and 100 on SW2 to use DSW2, making DSW2 the Active HSRP Router and RSTP root.

        Configuration of DSW1

            interface Vlan20
             ip address
             standby 20 ip
             standby 20 timers msec 200 msec 600
             standby 20 priority 150
             standby 20 preempt delay minimum 60
            !
            interface Vlan50
             ip address
             standby 50 ip
             standby 50 timers msec 200 msec 600
             standby 50 priority 150
             standby 50 preempt delay minimum 60
            !
            interface Vlan80
             ip address
             standby 80 priority 110
             standby 80 ip
             standby 80 timers msec 200 msec 600
             standby 80 priority 110
             standby 80 preempt delay minimum 60
            !
            interface Vlan100
             ip address
             standby 100 ip
             standby 100 timers msec 200 msec 600
             standby 100 priority 110
             standby 100 preempt delay minimum 60
            !

        You’ll notice the standby numbers have been set to match the VLAN numbers for ease of management. The preempt delay has been kept at 60 but Cisco recommends timing the switch boot time and setting the delay value accordingly. You can read more about this in the High Availability Design Guide I linked to above.

        Configuration of DSW2

            interface Vlan20
             ip address
  10. 10.      standby 20 ip
               standby 20 timers msec 200 msec 600
               standby 20 priority 110
               standby 20 preempt delay minimum 60
              !
              interface Vlan50
               ip address
               standby 50 ip
               standby 50 timers msec 200 msec 600
               standby 50 priority 110
               standby 50 preempt delay minimum 60
              !
              interface Vlan80
               ip address
               standby 80 ip
               standby 80 timers msec 200 msec 600
               standby 80 priority 150
               standby 80 preempt delay minimum 60
              !
              interface Vlan100
               ip address
               standby 100 ip
               standby 100 timers msec 200 msec 600
               standby 100 priority 150
               standby 100 preempt delay minimum 60
              !

          Verification

          Looking good, but there’s just one more thing to take care of to cement the paths at layer two. If the link between SW1 and DSW1 goes down we want DSW2 to become the RSTP root, otherwise traffic could flow through SW2 at the Access layer on the right to get to DSW1. This is what could happen:
  11. 11. To avoid this issue, we need to remove certain VLANs from trunks that don’t need to carry them. The trunk between DSW2 and SW2 shouldn’t carry traffic for VLAN 20 or 50, so we’ll remove them on DSW2:

          Likewise on DSW1, we remove VLANs 80 and 100 from the trunk to SW1:

          Authentication

          Finally, we’ll turn on MD5 authentication. Think back to when you last configured EIGRP authentication, because we’re going to make use of the key chain system.

          This configuration needs to be repeated for each VLAN on DSW1 and DSW2. You’re able to make use of the accept-lifetime and send-lifetime parameters under the key chain configuration. If you don’t have HSRP authentication configured for one of the VLANs on the other switch you’ll see:

          Great, we’re done for this post! But remember that you need to tune RSTP and
  12. 12. routing protocol timers so they’re all in sync with HSRP, then convergence and re-convergence will be seamless. Interface or object tracking should also be configured to decrement priority when links fail and change the Active/Standby router accordingly. There are many ways you can adjust your design for different business requirements so get creative!

          To be continued.
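
The consistency rules this walkthrough relies on can be checked mechanically: timers must match on both routers, a tracked priority drop only causes failover if the peer has preempt enabled, and MD5 authentication has to be configured for every group on both switches. The following Python audit is an added example, not code from the original post; the two sample configurations are constructed (addresses omitted) and the key-chain name HSRP-KEYS is hypothetical.

```python
import re
# Constructed sample configs (not from the page); key-chain name is hypothetical.
DSW1 = """interface Vlan50
 standby 50 timers msec 200 msec 600
 standby 50 priority 150
 standby 50 preempt delay minimum 60
 standby 50 authentication md5 key-chain HSRP-KEYS
 standby 50 track fa0/24 50
"""
DSW2 = """interface Vlan50
 standby 50 timers msec 200 msec 600
 standby 50 priority 110
"""

def parse(cfg):
    """Collect per-group HSRP settings from the 'standby' lines of a config."""
    groups = {}
    for m in re.finditer(r"^\s*standby (\d+) (.+)$", cfg, re.M):
        g = groups.setdefault(int(m[1]), {"priority": 100, "preempt": False,
                                          "timers": None, "md5": False, "track": 0})
        w = m[2].split()
        if w[0] == "priority":
            g["priority"] = int(w[1])
        elif w[0] == "preempt":
            g["preempt"] = True
        elif w[0] == "timers":
            g["timers"] = w[1:]
        elif w[:2] == ["authentication", "md5"]:
            g["md5"] = True
        elif w[0] == "track":  # assumes one tracked interface per group
            g["track"] = int(w[2]) if len(w) > 2 else 10  # IOS default decrement
    return groups

def audit(cfg_a, cfg_b):
    """Return findings for each HSRP group that is defined on both peers."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for grp in sorted(set(a) & set(b)):
        x, y = a[grp], b[grp]
        if x["timers"] != y["timers"]:
            out.append(f"group {grp}: hello/dead timers differ")
        if not (x["md5"] and y["md5"]):
            out.append(f"group {grp}: MD5 authentication missing on a peer")
        for me, peer in ((x, y), (y, x)):
            if me["track"] and me["priority"] > peer["priority"]:
                if me["priority"] - me["track"] >= peer["priority"]:
                    out.append(f"group {grp}: track decrement too small")
                elif not peer["preempt"]:
                    out.append(f"group {grp}: standby peer lacks preempt")
    return out
```

Run against the constructed pair above, `audit(DSW1, DSW2)` reports the missing authentication and the missing preempt on DSW2, the same omission Part One catches by hand.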