Network Robustness

 

A robust network can withstand outages and keep applications running smoothly.

Router redundancy on LAN segments is required to maintain communication in the event of a router failure. Hosts on the IPv4 LAN, however, are very likely to rely on a single default router to communicate with hosts on a remote segment. If the default router fails, the host is not informed, and therefore sends traffic to a black hole. Router redundancy protocols, such as the Virtual Router Redundancy Protocol (VRRP) and Cisco's Hot Standby Routing Protocol (HSRP), alleviate this problem. Both protocols enable multiple routers to share a single IP address. Therefore, when hosts are configured with the IP address of the default gateway, the shared address is used. One of the routers sharing the address is active. If the active router fails, a backup resumes receiving and sending traffic. Hosts have no knowledge of the failure, or even that multiple routers are forwarding their traffic off the LAN segment. VRRP is an open standard based on Cisco's HSRP. Cisco IOS Software does not support VRRP, so this book does not discuss it. HSRP is further discussed in the following section.

NOTE

RFC 2338 defines VRRP.


HSRP

HSRP allows multiple routers on a single LAN (Ethernet, Token Ring, FDDI) or ISL-encapsulated VLAN to share an IP and MAC address. A group of routers is configured as an HSRP group. Each router in the group is configured with the group IP address and a priority. One router is active and accepts all packets being forwarded to the group IP/MAC address. If the active router fails, another router in the group becomes active and begins accepting the packets.

The router with the highest priority is considered active. The default priority is 100. If more than one router has the same priority, the one with the numerically highest IP address on the HSRP interface is active. The router with the second-highest priority is the standby router. It becomes active if the active router fails to advertise its presence or begins advertising a lower priority. Figure 9-4 illustrates HSRP.

Figure 9-4. HSRP


Router Monet is configured with an interface IP address 172.16.1.100 and an HSRP group 1 IP address 172.16.1.201. Router Monet advertises an HSRP priority, for HSRP group 1, as 120. This is higher than the default priority of Picasso. Monet, therefore, is the active router for group 1. When Wks1 wants to send a packet toward its default gateway, it ARPs for the HSRP group 1 address. Monet responds with the HSRP group 1 MAC address. Wks1 then sends its packets to the HSRP group 1 MAC address, which Monet accepts.

The routers in an HSRP group exchange multicast hello packets, advertising priorities. The hello messages are exchanged over the link for which the HSRP group is configured. The routers send hello messages, by default, every 3 seconds. If the active router fails to send a hello within a configurable period of time, called the holdtime (the default holdtime is 10 seconds), the standby router with the highest priority becomes active and begins accepting the packets destined to the group's MAC address.

Multigroup HSRP

Multigroup HSRP (MHSRP) enables an interface to be configured with multiple HSRP groups. You use MHSRP when you want to distribute the active router functionality among multiple routers on the same LAN. Some end nodes default route to the IP address of one group; other nodes default route to the IP address of a second group. If either default router fails, the other resumes the packet forwarding. MHSRP is not supported on Ethernet interfaces that are not allowed to be associated with multiple MAC addresses. (Those routers that use Lance Ethernet hardware [1000, 2500, 3000, and 4000] do not support multiple groups on a single Ethernet.) Ethernet and FDDI support up to 255 MHSRP groups. Token Ring supports up to three groups (group numbers 0, 1, 2). MHSRP is supported over Inter-Switch Link (ISL) encapsulation. Figure 9-5 illustrates MHSRP.

Figure 9-5. MHSRP Groups Can Be Configured on Router Interfaces to Balance Load


In Figure 9-5, Monet is the active router for group 1; Picasso is the active router for group 2. Wks1 defaults to 172.16.1.201, group 1; Wks2 defaults to 172.16.1.202, group 2. If Monet stops receiving the HSRP hello messages for group 2, Monet becomes the active router for group 2 in addition to group 1.

Configuring HSRP

To enable HSRP, enter the following interface subcommand:

  standby [group-number] ip [ip-address [secondary]]

You must specify the IP address on at least one router in the HSRP group. If you do not specify the IP address on a router, the address is learned via HSRP hello messages.

The following commands affect how the router participates in HSRP:

  standby [group-number] timers hellotime holdtime
  standby [group-number] priority priority [preempt [delay delay]]
  standby [group-number] [priority priority] preempt [delay delay]
  standby [group-number] track type number [interface-priority]
  standby [group-number] authentication string
  standby use-bia [scope interface]

The timers command modifies the time between hello packets and the maximum elapsed time before a standby router considers the active router dead. The default hello time is 3 seconds. The default holdtime is 10 seconds.

The priority and preempt commands modify the HSRP router's priority. preempt enables the router with the highest priority to take over the active role, even if the current active router is not having problems. The delay option causes the router to wait the specified number of seconds before preempting the active role. The range is from 0 to 3600 seconds. The default is 0.

A router's LAN interface may be active, and the router itself is operating fine, but the interfaces used to forward packets out of the router may have failed. In this case, packets forwarded to the router have to be redirected back to the other router, as illustrated in Figure 9-6.

Figure 9-6. HSRP Without Interface Tracking


The workstation sends a packet toward its default gateway, which is the active router, Monet. Monet's outbound interfaces have both failed. Monet consults its routing table and forwards the packets back onto the Ethernet and to Picasso for further forwarding.

The track command enables HSRP to track the state of outbound interfaces, causing the router to lower its priority and possibly transition out of its active state if the interface fails. When the tracked interface fails, the router changes the priority it is advertising. If the new priority is lower than a standby router's priority, and the standby router is configured to preempt an active router with a lower priority, the standby router becomes active for the group. The router's priority for the group is decremented by the amount specified in the interface-priority field. The default value is 10. Multiple interfaces can be tracked. If more than one interface is tracked, and each is configured with an interface-priority value, when more than one interface fails, the decremented priority amount is cumulative. If no interface-priority value is set on tracked interfaces, and more than one goes down, the priority value is decremented by the default 10 but is not cumulative.

The authentication command enables the routers to include an authentication string in the HSRP messages. You must configure all routers in a group with the same authentication string, or no string at all. The first router enabled with HSRP becomes active. If the authentication strings on subsequently activated routers do not match, the newly activated routers remain in a learning state. No router becomes the standby router.
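The check below is an added example, not code from the book: it decodes an HSRP message and compares it with the intended group configuration, which is one way to spot a speaker that should not be on the segment. The 20-byte field layout, the opcode and state numbers, and UDP port 1985 come from RFC 2281 rather than from this page; the policy dictionary, the helper names, and the sample messages are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}

def parse_hsrp(payload):
    """Decode the 20-byte HSRP version 0 message carried on UDP port 1985."""
    if len(payload) < 20:
        raise ValueError("HSRP message shorter than 20 bytes")
    ver, op, state, hello, hold, prio, group, _rsvd, auth, vip = struct.unpack(
        "!8B8s4s", payload[:20])
    return {
        "version": ver, "opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
        "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
        # The authentication string is carried as clear text, NUL-padded to 8 bytes.
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(IPv4Address(vip)),
    }

def audit(src_ip, msg, policy):
    """Compare one received message with the intended group configuration."""
    grp = policy.get(msg["group"])
    if grp is None:
        return ["group %d is not configured on this segment" % msg["group"]]
    findings = []
    if src_ip not in grp["routers"]:
        findings.append("sender %s is not a configured group member" % src_ip)
    if msg["auth"] != grp["auth"]:
        findings.append("authentication string mismatch")
    if msg["virtual_ip"] != grp["virtual_ip"]:
        findings.append("virtual IP %s differs from configuration" % msg["virtual_ip"])
    if msg["priority"] > max(grp["routers"].values()):
        findings.append("priority %d exceeds every configured router" % msg["priority"])
    return findings

def build(op, state, prio, group, auth, vip, hello=3, hold=10):
    # Packs a constructed sample message (hypothetical helper for this demo).
    return struct.pack("!8B8s4s", 0, op, state, hello, hold, prio, group, 0,
                       auth.encode(), IPv4Address(vip).packed)

# Constructed policy and samples; addresses and string follow Example 9-48.
POLICY = {1: {"routers": {"172.16.1.100": 120, "172.16.1.101": 100},
              "auth": "secret", "virtual_ip": "172.16.1.201"}}
GOOD = build(0, 16, 120, 1, "secret", "172.16.1.201")
ODD = build(0, 4, 255, 1, "other", "172.16.1.201")

if __name__ == "__main__":
    for src, raw in (("172.16.1.100", GOOD), ("172.16.1.50", ODD)):
        print(src, audit(src, parse_hsrp(raw), POLICY))
```

Because the string travels in the message unprotected, a match shows only that the sender was configured with the same value; the source-address and priority checks are what flag an unexpected speaker.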

Example 9-48 shows the HSRP configurations from routers Monet and Picasso, illustrated in Figure 9-7 (single-group HSRP).

Figure 9-7. Network Illustrating Single-Group HSRP


Example 9-48 HSRP Configurations for Routers Monet and Picasso in Figure 9-7
  Router Monet
  interface Ethernet 1
   ip address 172.16.1.100 255.255.255.0
   standby 1 priority 120 preempt delay 10
   standby 1 authentication secret
   standby 1 ip 172.16.1.201

  Router Picasso
  interface Ethernet 0
   ip address 172.16.1.101 255.255.255.0
   standby 1 authentication secret
   standby 1 ip

Picasso learns the IP address and timers from the HSRP function.

The output from the show standby command on Picasso in Example 9-49 shows the learned information.

Notice that Picasso's state is Standby, with priority 100. The active router address is 172.16.1.100, Monet. The HSRP address is 172.16.1.201. The HSRP MAC address that is associated with this address is 0000.0c07.ac01.

Example 9-49 show standby Command Output Shows the IP Address and Timer Information Picasso Learns from the HSRP Function
  Picasso# show standby
  Ethernet0 - Group 1
    Local state is Standby, priority 100
    Hellotime 3 holdtime 10
    Next hello sent in 00:00:00.340
    Hot standby IP address is 172.16.1.201
    Active router is 172.16.1.100 expires in 00:00:10
    Standby router is local
    Standby virtual mac address is 0000.0c07.ac01
    4 state changes, last state change 00:02:57

Pings to the HSRP address from a workstation in Example 9-50 illustrate the failure of the active router and recovery by the standby router.

Example 9-50 Pings to the HSRP Address Indicate Active Router Failure and Standby Router Recovery
  ObiWan:~# ping 172.16.1.201
  PING 172.16.1.201 (172.16.1.201): 56 data bytes
  64 bytes from 172.16.1.201: icmp_seq=0 ttl=255 time=5.7 ms
  64 bytes from 172.16.1.201: icmp_seq=1 ttl=255 time=3.5 ms
  64 bytes from 172.16.1.201: icmp_seq=2 ttl=255 time=3.5 ms
  64 bytes from 172.16.1.201: icmp_seq=3 ttl=255 time=3.5 ms
  64 bytes from 172.16.1.201: icmp_seq=4 ttl=255 time=3.5 ms
  64 bytes from 172.16.1.201: icmp_seq=5 ttl=255 time=3.4 ms
  64 bytes from 172.16.1.201: icmp_seq=6 ttl=255 time=3.5 ms
  64 bytes from 172.16.1.201: icmp_seq=17 ttl=255 time=3.5 ms
  64 bytes from 172.16.1.201: icmp_seq=18 ttl=255 time=3.5 ms
  64 bytes from 172.16.1.201: icmp_seq=19 ttl=255 time=3.5 ms
  64 bytes from 172.16.1.201: icmp_seq=20 ttl=255 time=3.4 ms
  64 bytes from 172.16.1.201: icmp_seq=21 ttl=255 time=3.4 ms

The workstation is sending pings every second. Packets 1–6 succeeded. Packets 7–16 failed. As you can see, it took 10–11 seconds for the standby router to begin accepting packets for the HSRP MAC address. The standby router stopped receiving hello messages from the active router when its LAN interface failed. It waits for its hold period of 10 seconds and then begins accepting packets.

The additions to the configuration illustrated in Example 9-51 enable HSRP interface tracking on Monet. Figure 9-8 illustrates the benefits of HSRP interface tracking. Monet's Serial 1 and Ethernet 0 lead to remote resources, which are also accessible via Picasso. The design goal is to allow workstations on the LAN to default route to Monet, as long as one or more outbound interfaces (Serial 1 and Ethernet 0) are up. If both fail, the workstations default to Picasso instead.

Figure 9-8. Network Illustrating HSRP Interface Tracking


Example 9-51 Enabling HSRP Interface Tracking on Router Monet
  Monet
  interface Ethernet1
   standby 1 track Ethernet0 15
   standby 1 track Serial1 15

  Picasso
  interface Ethernet0
   standby 1 priority 100 preempt delay 10

Note that Monet is tracking both Serial 1 and Ethernet 0. If only one tracked interface goes down, Monet's priority is 105, still higher than Picasso's, so Monet continues to be active. If both interfaces fail, Monet begins advertising its priority as 90 rather than 120. After waiting the preempt delay time, Picasso sends an HSRP coup message, indicating to Monet that it is taking over as the active router. Monet resigns as active router and listens for other HSRP messages to determine whether it is to become the standby router. You must add the preempt statement to Picasso's HSRP configuration to enable the takeover. When one of Monet's interfaces becomes active again, its priority rises to 105. Monet has preempt and delay configured, so Monet waits 10 seconds before taking over as the active router for group 1.
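The model below is an added example, not code from the book: it replays the tracking and preemption rules described above for the Example 9-51 routers and shows which router ends up active at each step. Hello and hold timers and the preempt delay are not modelled; the class and function names are hypothetical, and applying the default decrement once alongside any configured decrements in a mixed configuration is an assumption.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DEFAULT_DECREMENT = 10  # used when no interface-priority is configured

@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100          # HSRP default priority
    preempt: bool = False
    tracked: dict = field(default_factory=dict)  # interface -> decrement or None

    def advertised(self, down):
        """Priority advertised when the interfaces named in `down` have failed."""
        failed = [i for i in self.tracked if i in down]
        explicit = sum(self.tracked[i] for i in failed if self.tracked[i] is not None)
        # Unset decrements are not cumulative: apply the default once at most.
        implicit = DEFAULT_DECREMENT if any(self.tracked[i] is None for i in failed) else 0
        return self.priority - explicit - implicit

def elect(routers, down=()):
    """Initial election: highest priority, then highest interface IP address."""
    return max(routers, key=lambda r: (r.advertised(down), IPv4Address(r.ip)))

def after_change(active, routers, down):
    """Active router once priorities settle; a takeover needs preempt on the challenger."""
    challengers = [r for r in routers
                   if r.preempt and r.advertised(down) > active.advertised(down)]
    return elect(challengers, down) if challengers else active

def scenario(picasso_preempt=True):
    """Replay the Example 9-51 failure sequence; return (active, Monet priority) per step."""
    monet = Router("Monet", "172.16.1.100", 120, True, {"Ethernet0": 15, "Serial1": 15})
    picasso = Router("Picasso", "172.16.1.101", 100, picasso_preempt)
    group = [monet, picasso]
    active, steps = elect(group), []
    for down in [set(), {"Serial1"}, {"Serial1", "Ethernet0"}, {"Ethernet0"}]:
        active = after_change(active, group, down)
        steps.append((active.name, monet.advertised(down)))
    return steps

if __name__ == "__main__":
    print(scenario())       # Picasso takes over only while both interfaces are down
    print(scenario(False))  # without preempt on Picasso, Monet stays active at 90
```

The second run is the failure mode the text warns about: Monet advertises the lowered priority, but with no preempt on Picasso nothing changes and the LAN keeps forwarding to a router with no working uplinks.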

Configuring MHSRP

Figure 9-9 illustrates Multigroup HSRP.

Figure 9-9. Network Illustrating MHSRP


The configurations in Example 9-52 are for MHSRP on routers Monet and Picasso.

Example 9-52 Configuring MHSRP on Routers Monet and Picasso
  Router Monet
  interface Ethernet 1
   ip address 172.16.1.100 255.255.255.0
   standby 1 priority 120 preempt delay 10
   standby 1 authentication secret
   standby 1 ip 172.16.1.201
   standby 2 authentication secret
   standby 2 ip

  Router Picasso
  interface Ethernet 0
   ip address 172.16.1.101 255.255.255.0
   standby 1 authentication secret
   standby 1 ip
   standby 2 priority 120 preempt delay 10
   standby 2 authentication secret
   standby 2 ip 172.16.1.202

Monet is the active router for group 1, with HSRP IP address 172.16.1.201; Picasso is the active router for group 2, with HSRP IP address 172.16.1.202. To achieve load balancing, configure half the workstations on the LAN with default gateway 172.16.1.201 and the other half with default gateway 172.16.1.202.



Routing TCP[s]IP (Vol. 22001)
Year: 2004
Pages: 182
