First Hop Redundancy Protocols
4.5.a i HSRP, GLBP, VRRP
HSRP
Hot Standby Router Protocol
General information on “HSRP”:
- Cisco proprietary protocol
- HSRP is defined in RFC 2281
- HSRP group contains 1 active, 1 standby and optionally 1 or more additional (OTHER) backup routers
- All HSRP group members share the same virtual IP and virtual MAC address
- The HSRP group standby router is fully booted, initialized and ready to take over the active role
- Additional (OTHER) routers are neither active nor standby; they are OTHER routers (in state LISTEN)
- Additional (OTHER/LISTEN) routers are fully booted, initialized and ready to take over the active/standby role if both routers fail
- With preemption enabled, the previous active router will become the active one again when it comes back online, if it has a higher priority than the current active router
- Pseudo Load Balancing can be done by putting one router in several groups where it is the active one as well as the standby one depending on the group
- HSRP group numbers are only locally significant (on each VLAN), e.g. several different VLAN interfaces can have the same HSRP group number
HSRP active router election:
- Priority (100 is default, higher is better); on a tie:
- Highest IP address (any interface)
HSRP active router tasks:
- Responds to default gateway ARP requests with the virtual router MAC address
- Assumes active forwarding of packets for the virtual router
- Sends HELLO messages
- Knows the virtual router IP address
HSRP standby router tasks:
- Sends HELLO messages
- Listens for periodic HELLO messages
- If it doesn’t receive HELLO messages from the active router it makes itself active
HSRPv1 virtual MAC address:
- The HSRPv1 virtual MAC address format is 0000.0C07.ACxx
- xx stands for the HSRPv1 group number (in hex)
HSRPv2 virtual MAC address:
- The HSRPv2 virtual MAC address format is 0000.0C9F.Fxxx
- xxx stands for the HSRPv2 group number (in hex)
HSRP possible states:
- DISABLED: Similar to STP disabled port state.
- INIT: The state when HSRP is first enabled. HSRP is not running at this point.
- LISTEN: This router knows the virtual IP address, is neither the active nor the standby router and listens to HELLO packets.
- SPEAK: The router sends HELLO packets and participates in the active/standby election process.
- STANDBY: The router is elected as standby router, can become the active router if needed and continues sending HELLO packets.
- ACTIVE: The router is elected as active router, is forwarding packets and continues sending HELLO packets.
HSRP failover process:
- The standby router stops seeing/receiving HELLO messages from the active (forwarding) router
- The standby router takes over the role of the active (forwarding) router
- There’s no disruption to end devices since all HSRP group members share the same virtual IP and MAC address
HSRP interface tracking:
- HSRP can dynamically change the router priority based on the state of a monitored/tracked interface/object
- HSRP interface/object tracking default decrement value is 10, but can also be modified
- If a tracked object goes down, the priority decrements
- If a tracked object comes back up, the priority increments
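Added example, not part of the original notes: a Python model of the election rules above (highest priority wins, highest IP breaks a tie, tracked objects that are down subtract their decrement, and preemption decides whether a better candidate may take over from a live active router). Router names, IP addresses and the tracked object "Gi0/1" are constructed; the model shows that tracking only triggers a failover when the other router has preemption enabled.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class HsrpRouter:
    name: str
    ip: str                       # interface IP, the tie-breaker when priorities are equal
    priority: int = 100           # HSRP default priority
    preempt: bool = False         # HSRP default: preemption off
    tracks: dict = field(default_factory=dict)   # tracked object -> decrement (10 by default)

    def effective_priority(self, down_objects):
        """Configured priority minus the decrement of every tracked object that is down."""
        loss = sum(dec for obj, dec in self.tracks.items() if obj in down_objects)
        return max(0, self.priority - loss)


def elect(routers, down_objects=frozenset(), current_active=None):
    """Return (active, standby) router names for one HSRP group.

    routers: group members that are up; down_objects: tracked objects currently down;
    current_active: name of the router holding the active role before this evaluation.
    Best candidate = highest effective priority, then highest IP. A live active router is
    only replaced if the best candidate has preemption enabled and a strictly higher
    effective priority; without preemption the standby never takes over from a live
    active router, however far tracking has lowered the active router's priority.
    """
    if not routers:
        return None, None
    ranked = sorted(routers, reverse=True,
                    key=lambda r: (r.effective_priority(down_objects), int(IPv4Address(r.ip))))
    active = ranked[0]
    current = next((r for r in routers if r.name == current_active), None)
    if current is not None and not (
        active.preempt
        and active.effective_priority(down_objects) > current.effective_priority(down_objects)
    ):
        active = current
    standby = next((r for r in ranked if r.name != active.name), None)
    return active.name, standby.name if standby else None


if __name__ == "__main__":
    r1 = HsrpRouter("R1", "10.0.0.2", priority=110, preempt=True, tracks={"Gi0/1": 20})
    r2 = HsrpRouter("R2", "10.0.0.3", preempt=True)
    print(elect([r1, r2]))                     # ('R1', 'R2')
    print(elect([r1, r2], {"Gi0/1"}, "R1"))    # uplink down, R1 at 90: ('R2', 'R1')
    print(elect([r1, r2], set(), "R2"))        # uplink back, R1 preempts: ('R1', 'R2')
```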
HSRP authentication:
- Authentication can either be plaintext or MD5 hashed
- Authentication key can either be a key-string (password) or key chain (must be configured globally first)
- Authentication settings must match on all participating routers
HSRP default values:
- Version: 1
- Priority: 100
- Hello time: 3 seconds
- Hold time: 10 seconds
HSRP v1 vs. v2:
- Version 1:
- Support for IPv4
- Group numbers from 0-255
- Virtual MAC address is 0000.0C07.ACxx (xx = group number)
- Multicast address is 224.0.0.2 on udp/1985
- HELLO messages are different
- Doesn’t work together with v2
- Version 2:
- Support for IPv6
- Group numbers from 0-4095
- Virtual MAC address is 0000.0C9F.Fxxx (xxx = group number)
- Multicast address is 224.0.0.102 on udp/2029
- HELLO messages are different
- Doesn’t work together with v1
“HSRP” CLI configuration commands:
## Basic HSRP configuration
Switch(config)# interface <if>
Switch(config-if)# standby <group-nr> ip <virtual-ip>
## HSRP configuration fine-tuning
Switch(config-if)# standby <group-nr> priority <priority>
Switch(config-if)# standby <group-nr> preempt
Switch(config-if)# standby <group-nr> track <if> <priority-decrement>
Switch(config-if)# standby <group-nr> timers <hello> <hold>
Switch(config-if)# standby <group-nr> authentication text <key>
Switch(config-if)# standby <group-nr> authentication md5 key-string <key>
Switch(config-if)# standby <group-nr> authentication md5 key-chain <key-chain>
Switch(config-if)# standby version <1-or-2>
“HSRP” CLI show commands:
## Showing detailed HSRP configuration parameters
Switch# show standby
## Showing compact HSRP configuration parameters
Switch# show standby brief
VRRP
Virtual Router Redundancy Protocol
General information on “VRRP”:
- Open Standard
- VRRP is defined in RFC 2338
- Works very much like HSRP
- VRRP advertisements will be sent to the multicast address 224.0.0.18 on ip/112
- Pseudo Load Balancing can be done by putting one router in several groups where it is the active one as well as the standby one depending on the group
- On Cisco devices only(!) the timers can be set to milliseconds
- The virtual IP address can be the same as the real IP address of one of the group members
VRRP differences to HSRP:
- HSRP active router = VRRP master router
- HSRP standby router = VRRP backup router
- Preemption is enabled by default
- Interface tracking is configured differently (first globally define a trackable object, then assign it to VRRP)
VRRP virtual MAC address:
- The VRRP virtual MAC address format is 0000.5E00.01xx
- xx stands for the VRRP group number (in hex)
VRRP default values:
- Priority: 100
- Hello time: 1 second
- Hold time: 3.6 seconds
- Preempt enabled by default
VRRP interface tracking:
- VRRP can dynamically change the router priority based on the state of a monitored/tracked interface/object
- VRRP interface/object tracking default decrement value is 10, but can also be modified
- If a tracked object goes down, the priority decrements
- If a tracked object comes back up, the priority increments
VRRP authentication:
- Authentication can either be plaintext or MD5 hashed
- Authentication key can either be a key-string (password) or key chain (must be configured globally first)
- Authentication settings must match on all participating routers
“VRRP” CLI configuration commands:
## Basic VRRP configuration
Switch(config)# interface <if>
Switch(config-if)# vrrp <group-nr> ip <virtual-ip>
## VRRP configuration fine-tuning
Switch(config-if)# vrrp <group-nr> priority <priority>
Switch(config-if)# vrrp <group-nr> authentication <key>
Switch(config-if)# vrrp <group-nr> authentication md5 key-string <key>
Switch(config-if)# vrrp <group-nr> authentication md5 key-chain <key-chain>
## VRRP interface tracking configuration
Switch(config)# track <id> interface <if> line-protocol
Switch(config)# interface <if>
Switch(config-if)# vrrp <group-nr> track <track-id> decrement <priority-decrement>
“VRRP” CLI show commands:
## Showing detailed VRRP configuration parameters
Switch# show vrrp
## Showing compact VRRP configuration parameters
Switch# show vrrp brief
GLBP
Gateway Load Balancing Protocol
General information on “GLBP”:
- Cisco proprietary protocol
- Every router in a GLBP group handles some load (by default)
- The round-robin algorithm is used for that (by default)
- Like HSRP and VRRP, all routers in a GLBP group act as a single logical gateway
- GLBP HELLO packets will be sent to the multicast address 224.0.0.102 on udp/3222
- A GLBP group can contain up to 4 AVFs (Active Virtual Forwarders)
- ARP requests are answered with the virtual MAC address assigned to an AVF by the AVG
- Timers set on the AVG are synchronized with all AVFs in the group
- All GLBP peers exchange HELLO messages to determine the members’ status
GLBP virtual MAC address:
- The GLBP virtual MAC address format is 0007.B400.XXYY
- XX stands for the GLBP group number
- YY stands for the AVF number
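Added example (not from the original notes): a Python helper that builds and decodes the HSRPv1, HSRPv2, VRRP and GLBP virtual MAC formats given above and in the HSRP and VRRP sections, and checks the gateway entries of a "show ip arp"-style listing against them, so that a gateway IP answering from a non-virtual MAC (a misconfigured or rogue gateway) stands out. The ARP lines are constructed, and the ranges enforced for VRRP (1-255) and for the two-hex-digit GLBP group field are my assumptions.

```python
import re


def virtual_mac(protocol, group, avf=1):
    """Return the virtual MAC (Cisco dotted hex) for a protocol/version and group number."""
    if protocol == "hsrpv1":                     # 0000.0C07.ACxx, groups 0-255
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if protocol == "hsrpv2":                     # 0000.0C9F.Fxxx, groups 0-4095
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be 0-4095")
        return f"0000.0c9f.f{group:03x}"
    if protocol == "vrrp":                       # 0000.5E00.01xx, VRID 1-255 (assumed range)
        if not 1 <= group <= 255:
            raise ValueError("VRRP group must be 1-255")
        return f"0000.5e00.01{group:02x}"
    if protocol == "glbp":                       # 0007.B400.XXYY (XX group, YY AVF 1-4)
        if not (0 <= group <= 255 and 1 <= avf <= 4):
            raise ValueError("GLBP group must fit two hex digits and AVF must be 1-4")
        return f"0007.b400.{group:02x}{avf:02x}"
    raise ValueError(f"unknown protocol {protocol!r}")


def decode_virtual_mac(mac):
    """Map a MAC back to (protocol, group, avf); None if it is not an FHRP virtual MAC."""
    h = re.sub(r"[^0-9a-f]", "", mac.lower())   # accept 0000.0c07.ac01 or 00:00:0c:07:ac:01
    if len(h) != 12:
        raise ValueError(f"malformed MAC {mac!r}")
    if h.startswith("00000c07ac"):
        return "hsrpv1", int(h[10:], 16), None
    if h.startswith("00000c9ff"):
        return "hsrpv2", int(h[9:], 16), None
    if h.startswith("00005e0001"):
        return "vrrp", int(h[10:], 16), None
    if h.startswith("0007b400"):
        return "glbp", int(h[8:10], 16), int(h[10:], 16)
    return None


def audit_arp(arp_output, gateway_ips):
    """For each gateway IP found in 'show ip arp'-style lines (constructed format:
    'Internet <ip> <age> <mac> ARPA <if>'), report the decoded FHRP tuple, or None when the
    gateway answers from a MAC that is not an FHRP virtual MAC."""
    result = {}
    for line in arp_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "Internet" and parts[1] in gateway_ips:
            result[parts[1]] = decode_virtual_mac(parts[3])
    return result
```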
GLBP specific definitions:
- Active Virtual Gateway (AVG):
- The AVG is the “master” of the GLBP group and controls virtual MAC address assignment as well as the load-balancing algorithm
- The AVG is also an AVF at the same time
- There is 1 active and 1 standby AVG
- The router with the highest GLBP priority becomes the AVG
- If all routers have the same GLBP priority, the router with the highest IP address becomes the AVG
- If the AVG fails, the standby AVG takes over (chosen just like the default AVG)
- The AVG defines the timers and load balancing method for the whole group
- Active Virtual Forwarder (AVF):
- The AVFs forward the traffic
- When running the show glbp brief command, the local router always shows as ACTIVE while the others show as LISTEN, but all are actually working
- If an AVF fails, another router takes over the virtual MAC address of the failed AVF
- When running the show glbp command, the router that took over the AVF role is shown as secondary
- When the failed AVF comes back online it automatically takes over the AVF role and its previously assigned MAC address again
- Example: If there are two AVFs and one of them fails, the other takes over the MAC address and function of the failed AVF
GLBP default values:
- Hello time: 3 seconds (can be between 1sec and 60sec)
- Hold time: 10 seconds (can be up to 180sec)
- Priority: 100 (can be between 1 and 255)
GLBP Weighting:
- Weighting can be used to give up/resume an AVF role (done with interface tracking)
- Default maximum weight value is 100
- When a tracked interface goes down the weighting gets decremented by a defined value
- High/Low thresholds are used to revoke/resume AVF function
- Weighting can also be used in conjunction with the load balancing method weighting
GLBP Load Balancing methods:
- Round robin (default): Load gets evenly distributed. Each new ARP request is received by the next available MAC address.
- Weighting: Works in conjunction with the interface weight value (100 is default). Determines the proportion of traffic that this interface should process. Each new ARP request is received by the next available MAC address.
- Host dependent: Every host will always receive the ARP reply by the same virtual MAC address and traffic gets always forwarded by the same AVF.
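Added example, not part of the original notes: a Python model of the GLBP AVG behaviour described in the definitions, weighting and load-balancing sections above. It hands out AVF virtual MACs per ARP request (round-robin or host-dependent; the weighted method is left out), lowers a router's weight when a tracked interface goes down, revokes its AVF role below the lower threshold and resumes it above the upper one, and re-homes the revoked virtual MAC to another forwarding router until the primary is back. Router names, thresholds and host MACs are constructed.

```python
class GlbpGroup:
    """AVG-side model of one GLBP group: which router forwards for each virtual MAC,
    which virtual MAC answers a host's ARP request, and weighting-based AVF role changes."""

    def __init__(self, group, routers, method="round-robin", maximum=100, lower=None, upper=None):
        self.group, self.method = group, method
        self.maximum, self.lower, self.upper = maximum, lower, upper   # weighting thresholds
        self.weight = {r: maximum for r in routers}
        self.forwarding = {r: True for r in routers}
        # Up to 4 AVFs per group: virtual MAC number -> router that is primary for it
        self.primary = {n + 1: r for n, r in enumerate(routers[:4])}
        self.owner = dict(self.primary)         # router currently forwarding for each vMAC
        self.rr = 0

    def vmac(self, n):
        return f"0007.b400.{self.group:02x}{n:02x}"   # 0007.B400.XXYY format from the notes

    def track_change(self, router, decrement, down):
        """A tracked interface of `router` went down (or came back): adjust its weight,
        revoke the AVF role below the lower threshold, resume it above the upper threshold,
        then re-home every virtual MAC whose forwarder is no longer eligible."""
        w = self.weight[router] + (-decrement if down else decrement)
        self.weight[router] = max(0, min(self.maximum, w))
        if self.lower is not None and self.weight[router] < self.lower:
            self.forwarding[router] = False
        elif self.upper is not None and self.weight[router] > self.upper:
            self.forwarding[router] = True
        eligible = [r for r, ok in self.forwarding.items() if ok]
        for n, prim in self.primary.items():
            # The primary takes its vMAC back as soon as it forwards again; until then
            # another forwarding router holds it (shown as "secondary" in show glbp)
            self.owner[n] = prim if self.forwarding[prim] else (eligible[0] if eligible else None)
        return self.forwarding[router]

    def arp_reply(self, host_mac):
        """Virtual MAC handed to a host asking for the virtual IP, and the router behind it."""
        macs = [n for n, r in self.owner.items() if r is not None]
        if self.method == "host-dependent":      # same host -> same vMAC (keyed on its MAC)
            n = macs[int(host_mac.replace(":", "").replace(".", ""), 16) % len(macs)]
        else:                                    # round-robin (default): next vMAC each time
            n = macs[self.rr % len(macs)]
            self.rr += 1
        return self.vmac(n), self.owner[n]
```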
GLBP authentication:
- Authentication can either be plaintext or MD5 hashed
- Authentication key can either be a key-string (password) or key chain (must be configured globally first)
- Authentication settings must match on all participating routers
“GLBP” CLI configuration commands:
## Basic GLBP configuration
Switch(config)# interface <if>
Switch(config-if)# glbp <group-nr> ip <virtual-ip>
## GLBP configuration fine-tuning
Switch(config-if)# glbp <group-nr> priority <priority>
Switch(config-if)# glbp <group-nr> preempt
Switch(config-if)# glbp <group-nr> name <group-name>
## GLBP interface tracking configuration
Switch(config)# track <id> interface <if> line-protocol
Switch(config)# interface <if>
Switch(config-if)# glbp <group-nr> weighting <maximum> lower <low> upper <up>
Switch(config-if)# glbp <group-nr> weighting track <track-id> decrement <priority-decrement>
## GLBP load-balancing method configuration
Switch(config-if)# glbp <group-nr> load-balancing <method>
## GLBP authentication configuration
Switch(config-if)# glbp <group-nr> authentication text <key>
Switch(config-if)# glbp <group-nr> authentication md5 key-string <key>
Switch(config-if)# glbp <group-nr> authentication md5 key-chain <key-chain>
“GLBP” CLI show commands:
## Showing detailed GLBP configuration parameters
Switch# show glbp
## Showing compact GLBP configuration parameters
Switch# show glbp brief
4.5.a ii Redundancy using IPv6 RS/RA
General information on “Redundancy using IPv6 RS/RA”:
- Another way to implement (pseudo-)redundancy is to work with the RA default router-preference value, the RA advertisement interval and the RA lifetime value
- The problem is that features like NUD (Neighbor Unreachability Detection) rely heavily on the client-side implementation
- Therefore redundancy using FHRPs is recommended
- When using an FHRP with IPv6, the RA will propagate the virtual link-local address instead of the physical link-local address of the interface
- FHRP compatibility with IPv6:
- HSRP: Version 2 needed (v1 enabled by default)
- VRRP: Version 3 needed (v2 enabled by default)
- GLBP: IPv4/IPv6 support enabled by default
“Redundancy using IPv6 RS/RA” CLI configuration commands:
## Modifying the RA default router preference
Router(config)# interface <if>
Router(config-if)# ipv6 nd router-preference [high | medium | low]
## Modifying the RA advertisement interval
Router(config)# interface <if>
Router(config-if)# ipv6 nd ra interval <seconds>
## Modifying the RA lifetime value
Router(config)# interface <if>
Router(config-if)# ipv6 nd ra lifetime <seconds>