Archive for the ‘FHRP’ Category
Put together a quick video about configuring HSRP and many of its features: tracking, preemption, tweaking timers, changing priorities, and more.
Let me know what you guys think. This is the first video, and I am still looking at different recording software or just different styles in general. You’ll be seeing more of these videos as time goes on!
I covered VRRP, which is a vendor-neutral FHRP, a few weeks back, but now let’s take a look at HSRP, which is more or less a Cisco proprietary version of VRRP.
With the exception of the standby keyword, this configuration is almost identical to our previous VRRP configuration, and the joy of this is that these commands pretty much mean and do the same thing:
- standby 1 specifies our HSRP group ID or instance.
- standby 1 ip 192.168.1.254 is the HSRP virtual address.
- standby 1 timers 2 7 specifies how often HSRP sends hello packets (every 2 seconds in this case); if hello packets are not received within 7 seconds, that HSRP speaker is removed from the HSRP group.
- standby 1 priority 110 sets this device’s priority within the HSRP group. The default priority is 100, and the device with the higher priority will be the HSRP active router.
- standby 1 preempt delay minimum 15 tells this router to take the role of the active router if it was a standby router, or if it has a higher priority and is entered into a group. It also tells the router to wait 15 seconds before taking back the role of the active router. Those 15 seconds should give the router enough time to accept routing updates from its neighbors and build a fully converged routing table, so it does not blackhole traffic when it becomes the active HSRP router again.
- standby 1 track 1 decrement 100 tells the router to decrement the HSRP priority by 100 if the status of tracking object 1 goes down. Tracking object 1 is configured to track the line protocol of fastethernet0/1/0.
You can issue the show standby command to verify all the HSRP configuration on the router. Just reading this output will tell you everything you need to know about the HSRP configuration. From it you can verify the following:
- What interface is in which HSRP Group
- State of this particular device in the HSRP group
- The virtual MAC and IP address
  - Unless manually configured, the MAC will always start with 0000.0c07.acXX, where XX is the group ID (remember MAC addresses are in hex format)
- Hello & holddown timers
- Who the active and standby routers are
- Priorities of the active and standby routers
- Any tracking parameters configured on the HSRP group
Above is some debug output of a standby router becoming the active router. From the output you can see that the last hello packet was received at 19:31:21, and at 19:31:28, 7 seconds later, the holdtime expires and the local router becomes the active router.
Then I connected the original active router back into the network, and you can see the coup message received from 192.168.1.1 stating it has a higher priority. The coup message is what tells the current active router that another router has joined the group with a higher priority and is assuming the role of the new active router.
First hop redundancy protocols are important to any network. After all, why should any carefully designed network be dependent on any single IP address, or any single device for that matter? A FHRP allows us to make the default gateway for any subnet a virtual address that can float between multiple physical devices. However, some of our FHRP choices are Cisco proprietary (i.e., HSRP & GLBP), and recently I had to set up a FHRP between a Cisco router and a Red Hat box, so VRRP was my FHRP of choice.
Now the configuration for VRRP for the Cisco side:
The vrrp 5 commands are what make this happen. vrrp 5 is the VRRP group (and the router ID) this instance belongs to. Next we have vrrp 5 ip 10.0.1.1; this is where we specify the virtual IP address. This is going to be the IP address we want to ensure is available to our clients, such as a default gateway. The vrrp 5 timers learn command tells this router to learn the VRRP advertisement timers from the master router. Next we have vrrp 5 preempt delay minimum 60, which specifies an amount of time in seconds to wait before the master role is taken back.
Delaying the preempt may not appear to be inviting at first, but it is useful. Let’s say the master comes back online and resumes the role of the default gateway before it has had time to re-converge its routing table. The VRRP master is now going to black hole traffic until your routing protocol re-converges.
Next we have vrrp 5 priority 150, which allows us to specify the priority of each router to control who will be the master router and who will be the backup router. The device with the highest priority is the device that will be the master router for VRRP. The final line in this configuration is the vrrp 5 track 1 decrement 100 command, which allows us to tie some type of tracking or IP SLA monitoring into the VRRP configuration. This way, if the IP SLA or tracking mechanism goes down, the VRRP priority will automatically be decremented, ensuring this device will not be the master. After all, if the master VRRP router loses connectivity to the rest of the network due to an interface failure or link failure, we don’t want it to be the master router anymore.
Let’s also go a step further and think about the preempt delay we spoke about earlier. Let’s say we set the preempt delay to 60 seconds and we are tracking the outside interface: the preempt delay will make sure the outgoing interface is stable for at least 60 seconds before the router takes back its master role. That preempt delay isn’t looking so bad now, is it?
Now let’s verify our VRRP configuration using the show vrrp command:
This will show the current state of this router in the VRRP process; that state will be either Init, Backup, or Master. The Init state just means VRRP is not running or is starting up. Next we see the virtual IP and the virtual MAC address. A VRRP virtual MAC address will start with 00:00:5E:00:01:XX, where XX is the Virtual Router ID (or VRRP process ID). Then we see the preemption settings and our advertisement intervals. So the show vrrp command provides us a nice summary of our VRRP configuration.
Now let’s check out some debug logs for VRRP:
The first message in there states the router received an advertisement with a priority of 150 from IP 10.0.1.92, then the VRRP event states that this priority is higher than or equal to its own priority. The next advertisement has a priority of 0, and then the Master down timer expires, which causes this router to become the master. The last few VRRP messages show advertisements going out with checksums, which is normal for VRRP operations.
I also figured I would show a VRRP Packet:
From here we can see the VRRP version currently running on the router. This will also show us the Virtual Router ID and the IP address we are advertising, along with the priority of the 10.0.1.92 host. Also check out the Layer 2 information: Wireshark identifies that the MAC address is associated with VRRP and knows the Router ID is 5. Now check out the Layer 3 IP destination: it’s 224.0.0.18, so these advertisements are sent out via multicast to all VRRP routers on this LAN.
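The fields described above can be checked in code. The following is an added example, not part of the original post: a parser for a VRRPv2 advertisement laid out per RFC 3768 that also flags the mismatches a monitoring script would care about (bad checksum, TTL other than 255, wrong multicast destination, source MAC not matching the VRID). The function names are hypothetical, and the sample packet is constructed from the values used in this post (VRID 5, priority 150, virtual IP 10.0.1.1).

```python
import ipaddress
import struct

VRRP_MCAST = "224.0.0.18"        # VRRP multicast group (RFC 3768)
VMAC_PREFIX = "00:00:5e:00:01:"  # virtual MAC prefix; last octet is the VRID

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid, priority, vips, adver_int=1):
    """Construct a sample VRRPv2 advertisement payload (test input only)."""
    addrs = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    body = addrs + bytes(8)  # trailing 8 bytes: authentication data, zeroed
    head = struct.pack("!BBBBBB", 0x21, vrid, priority, len(vips), 0, adver_int)
    csum = inet_checksum(head + b"\x00\x00" + body)
    return head + struct.pack("!H", csum) + body

def check_advert(payload, src_mac, dst_ip, ttl):
    """Parse a VRRPv2 advertisement; return (fields, problems)."""
    if len(payload) < 8:
        return {}, ["truncated header"]
    vt, vrid, prio, count, auth, interval, _ = struct.unpack("!BBBBBBH", payload[:8])
    if len(payload) < 8 + 4 * count:
        return {}, ["truncated address list"]
    vips = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i]))
            for i in range(count)]
    fields = {"version": vt >> 4, "type": vt & 0xF, "vrid": vrid,
              "priority": prio, "auth_type": auth, "adver_int": interval,
              "vips": vips}
    problems = []
    if vt != 0x21:
        problems.append("not a VRRPv2 advertisement")
    if inet_checksum(payload) != 0:  # a valid message sums to zero
        problems.append("bad checksum")
    if ttl != 255:
        problems.append("IP TTL is not 255")
    if dst_ip != VRRP_MCAST:
        problems.append("destination is not 224.0.0.18")
    if src_mac.lower() != f"{VMAC_PREFIX}{vrid:02x}":
        problems.append("source MAC does not match VRID")
    return fields, problems

SAMPLE = build_advert(5, 150, ["10.0.1.1"])  # constructed sample packet
```

A priority of 0 parses as a valid advertisement; as in the debug output above, it is how a master signals it is giving up the role.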
More information on VRRP can be found in RFC 3768; note this RFC is for VRRPv2. RFC 5798 covers VRRPv3, but this post covers VRRPv2 running on Cisco routers. Cisco also has a few articles that go over the configuration: VRRP & Configuring VRRP