rfc2281 HSRP

HSRP(Hot Standby Router Protocol)
a Cisco-proprietary protocol
developed to allow several layer 3 device to appear as a single gateway IP address
ps:
RFC 2281 describes this protocol in more detail

優點
provides redundancy and load balancing
allows one router to automatically assume the function of the second router if the second router fails

HSRP group 
each of the routers that provides redundancy for a given gateway address(standby ip) is assigned to a common HSRP group
ps:
An HSRP group can be assigned an arbitrary group number, from 0-255

however,most Catalyst switches support only up to 16 unique HSRP group numbers.

HSRP role
One router is elected as the primary, or active, HSRP router(the highest priority) 
another is elected as the standby HSRP router(the second-highest priority) 
and all the others remain in the listen HSRP state

HSRP election
1. based on a priority value (0-255) that is configured on each router in the group.
2. By default, the priority is 100.
ps:
If priority is equal , the router with the highest IP address on the HSRP interface becomes the active router.

ps:
priority=0時不參加election

HSRP status 
Devices participating in HSRP must progress their interfaces through the following state sequence:
1. Disabled
2. Init
This is the state from which the routers begin the HSRP process.
This state indicates that HSRP is not running.
It is entered via a configuration change or when an interface first comes up.

3. Listen
The router knows the virtual IP address, but is neither the active router nor the standby router.
It listens for hello messages from those routers.
Routers other than the active and standby router remain in the listen state.
4. Speak
The state sends periodic hello messages
the state is actively participating in the election of the active or standby router.

A router cannot enter Speak state unless it has the virtual IP address.
5. Standby
The state sends periodic hello messages
The state is a candidate to become the next active router
Only the standby router monitors the hello messages from the active router
6. Active
The router sends periodic hello messages.
The router becomes the active router for the group
The router is currently forwarding packets that are sent to the group virtual MAC address.

hello messages
1
Only the standby router monitors the hello messages from the active router. By default
2.
The routers exchange HSRP hello messages at regular intervals so that they can remain aware of each other's existence and that of the active router
ps:
By default, hellos are sent every 3 seconds.

3.
If hellos are missed for the duration of the holdtime timer(default 10 seconds, or 3 times the hello timer), the active router is presumed to be down.The standby router is then clear to assume the active role.
ps:
HSRP sends its hello messages to the multicast destination 224.0.0.2 ("all routers") using UDP port 1985.


HSRP group interface IP address
1. Each router in an HSRP group has its own unique IP address assigned to an interface
2. This address is used for all routing protocol and management traffic initiated by or destined to the router

virtual router address
1. each router has a "common gateway IP address",which is kept alive by HSRP,
This address also is referred to as the virtual router address/HSRP address/standby address
2. Clients can point to that "virtual router address" as their default gateway,knowing that a router always keeps that address active
3. For the "virtual router address", HSRP defines a special MAC address of the form 0000.0c07.acxx, where xx represents the HSRP group number as a two-digit hex value
ex:HSRP Group 1 appears as 0000.0c07.ac01, HSRP Group 16 appears as 0000.0c07.ac10, and so on
ex:
0000.0c07.ac11 = HSRP group 17 , because 11(16)=17(10)

ps:
the actual interface address and the virtual (standby) address must be configured to be in the
same IP subnet.

..................................................................................................................


assign the HSRP address
(config)#interafcae < interface >
interface可以指定SVI,etherchannel,routed port
(config-if)# standby < group> ip < ip-address [secondary]>

[secondary] provide a redundant secondary gateway address by HSRP
ps:一個介面可以設定多個group

To set the priority
(config-if)# standby < group> priority < 0-255>
ps:(config-if)#no standby priority ,assigns a priority of 100 to the router
ex:
set the HSRP priority to 200:
Switch(config-if)# standby 1 priority 200

ex:
假設有1個switch連接l3device_a和l3device_b,
在vlan50下,l3device_a有一VIP為192.168.1.11,l3device_b有一VIP為192.168.1.12
該網路下設備使用HSRP的虛擬閘道,ip為192.168.1.1 
相關設定如下
l3device_a的設定如下
l3device_a(config)# interface vlan 50
l3device_a(config-if)# ip address 192.168.1.11 255.255.255.0
l3device_a(config-if)# standby 1 ip 192.168.1.1
l3device_a(config-if)# standby 1 priority 200
l3device_b的設定如下
l3device_b(config)# interface vlan 50
l3device_b(config-if)# ip address 192.168.1.12 255.255.255.0
l3device_b(config-if)# standby 1 ip 192.168.1.1
由於l3device_b的priority預設為100,比l3device_a的低,
因此l3device_a為active router,而l3device_b為standby router

...................................

HSRP其他設定


preempt
立即將priority高的router變成active
 
ps:建議設定
ps:
the active router fails and the standby router becomes active, 
if it is restored,default
1. the original active router cannot immediately become active
2. it cannot become active again until the current active router fails. even if its priority is higher than that of the active router


to configure a router to preempt or immediately take over the active role
(config-if)# standby < group> preempt [delay [minimum < sec >] [reload < sec>]]
By default, the local router immediately can preempt another router that has the active role.
To delay the preemption, use the delay keyword
[minimum < sec >] :
to force the router to wait for seconds (0-3600 sec) before attempting to overthrow an active router with a lower priority

[reload < sec >] :
to force the router to wait for seconds (0-3600 seconds) after it has been reloaded or restarted

.....

interface tracking
When a specific interface is tracked,
HSRP reduces the router's priority by a configurable amount as soon as the interface goes down
If more than one interface is tracked, the priority is reduced even more with each failed interface
The priority is incremented by the same amount as interfaces come back up

To configure interface tracking
Switch(config-if)# standby < group> track < interface> [decrementvalue]
[decrementvalue] By default, the decrementvalue for an interface is 10

ps:interface tracking does not involve the state of the HSRP interface itself
ex:
當gi0/7 down就將priority扣掉50
Switch(config)#interface vlan 10
Switch(config-if)#standby 1 track GigabitEthernet 0/7 50

...

TIMER
調整收斂速度

To set the timer
Switch(config-if)# standby < group> timers [msec] < hello> [msec] < holdtime>
各參數說明如下
[msec]
使用milliseconds為單位 ,by default is in seconds
< hello>
to range from 1 to 254 seconds or from 15 to 999 milliseconds
ps:decreasing the hello time allows a router failure to be detected more quickly
< holdtime>
The holdtime always should be at least three times the hello timer and can range from 1 to 255 seconds or 50 to 3000 milliseconds.
ps:
建議Holdtime時間為3倍的Hello
ex:
to set the hello time at 100 milliseconds and the holdtime to 300 milliseconds:
Switch(config-if)# standby 1 timers msec 100 msec 300

...

authentication method
1. to prevent unexpected devices from spoofing or participating in HSRP
2. All routers in the same standby group must have an identical authentication method and key
3. support either plain-text or MD5 authentication

Plain-Text HSRP Authentication
Switch(config-if)# standby < group> authentication < string>
string預設為cisco

MD5 Authentication
Switch(config-if)# standby < group> authentication md5 key-string [0 | 7] < string>
By default, the key string (up to 64 characters) is given as plain text ,效果就和指定[0]一樣
ps:
After the key string is entered, it is shown as an encrypted value in the switch configuration.
You also can copy and paste an encrypted key string value into this command by preceding the string with the 7 keyword.

ps:
define an MD5 key string as a key on a key chain
優點:more flexible, enabling you to define more than one key on the switch
Switch(config)# key chain < chain-name>
< chain-name>新增一個key chain,並命令
Switch(config-keychain)# key < key-number>
< key-number> a arbitrary index, but keys are tried in sequential order
Switch(config-keychain-key)# key-string [0 | 7] < string >
Switch(config)# interface < interface >
Switch(config-if)# standby < group > authentication md5 key-chain < chain-name>

...............................................

Load Balancing with HSRP
The trick is to use two HSRP groups:
1
One group: assigns an active router to one switch.
The other group: assigns another active router to the other switch.
2
to make each switch function as the standby router for its partner's HSRP group
3
each router is active for one group and standby for the other group.
ps:
In this way, two different virtual router or gateway addresses can be used simultaneously
ps:
Load balancing traffic across two uplinks to two HSRP routers with a single HSRP group is not possible

clients configure(Manual)
The clients also must have their default gateway addresses configured as one of the two virtual HSRP group addresses.

ex:
假設有1個switch連接l3device_a和l3device_b,並讓網路可以loadbalance,設定HSRP設定如下
l3device_a的設定如下
l3device_a(config)# interface vlan 50
l3device_a(config-if)# ip address 192.168.1.10 255.255.255.0
l3device_a(config-if)# standby 1 priority 200
l3device_a(config-if)# standby 1 preempt
l3device_a(config-if)# standby 1 ip 192.168.1.1
l3device_a(config-if)# standby 1 authentication MyKey
l3device_a(config-if)# standby 2 priority 100
l3device_a(config-if)# standby 2 ip 192.168.1.2
l3device_a(config-if)# standby 2 authentication MyKey
l3device_b的設定如下
l3device_b(config)# interface vlan 50
l3device_b(config-if)# ip address 192.168.1.11 255.255.255.0
l3device_b(config-if)# standby 1 priority 100
l3device_b(config-if)# standby 1 ip 192.168.1.1
l3device_b(config-if)# standby 1 authentication MyKey
l3device_b(config-if)# standby 2 priority 200
l3device_b(config-if)# standby 2 preempt
l3device_b(config-if)# standby 2 ip 192.168.1.2
l3device_b(config-if)# standby 2 authentication MyKey
clients設定如下
將一部份pc的gateway設成hsrp group1的ip(192.168.1.1)
和另一部份pc設成hsrp group2的ip(192.168.1.2)

............................................................


display information about the status
#show standby [brief] [vlan < vlan-id> | interface ]
ps:
以show standby vlan 50 brief為例,輸出畫面如下
Interface Grp Prio P State Active addr Standby addr Group addr
Vl50 1 200 P Active local 192.168.1.11 192.168.1.1
Vl50 2 100 Standby 192.168.1.11 local 192.168.1.2
ps:
show standby vlan 50為例,輸出畫面如下
Vlan50 - Group 1
 Local state is Active, priority 200, may preempt
 Hellotime 3 sec, holdtime 10 sec
 Next hello sent in 2.248
 Virtual IP address is 192.168.1.1 configured
 Active router is local
 Standby router is 192.168.1.11 expires in 9.860
 Virtual mac address is 0000.0c07.ac01
 Authentication text "MyKey"
 2 state changes, last state change 00:11:58
 IP redundancy name is "hsrp-Vl50-1" (default)
Vlan50 - Group 2
 Local state is Standby, priority 100
 Hellotime 3 sec, holdtime 10 sec
 Next hello sent in 1.302
 Virtual IP address is 192.168.1.2 configured
 Active router is 192.168.1.11, priority 200 expires in 7.812
 Standby router is local
 Authentication text "MyKey"
 4 state changes, last state change 00:10:04
 IP redundancy name is "hsrp-Vl50-2" (default)
ps:
以show standby為例,輸出畫面如下
Ethernet0/1 - Group 1
State is Active
2 state changes, last state change 00:30:59
Virtual IP address is 10.1.0.20
Secondary virtual IP address 10.1.0.21
Active virtual MAC address is 0004.4d82.7981
Local virtual MAC address is 0004.4d82.7981 (bia)
Hello time 4 sec, hold time 12 sec
Next hello sent in 1.412 secs
Preemption enabled, min delay 50 sec, sync delay 40 sec
Active router is local
Standby router is 10.1.0.6, priority 75 (expires in 9.184 sec)
Priority 95 (configured 120)
Tracking 2 objects, 0 up
Down Interface Ethernet0/2, pri 15
Down Interface Ethernet0/3
IP redundancy name is "HSRP1", advertisement interval is 34 sec

 

啟用debug模式
Switch#debug standby
Hello out ip 表示該ip送出hello封包
Hello in ip 表示該ip接收hello封包

ex:
Vl5 Hello out 172.16.60.250 Active pri 100 ip 172.16.60.254
在vlan5,172.16.60.250送出hello封包,並宣告為active狀態且pri=100,目前standby ip=172.16.60.254

ps:
畫面大致如下
*Mar 8 20:34:10.221: SB11: Vl11 Init: a/HSRP enabled
*Mar 8 20:34:10.221: SB11: Vl11 Init -> Listen
*Mar 8 20:34:20.221: SB11: Vl11 Listen: c/Active timer expired (unknown)
*Mar 8 20:34:20.221: SB11: Vl11 Listen -> Speak
*Mar 8 20:34:20.221: SB11: Vl11 Hello out 172.16.11.111 Speak pri 100 ip 172.16.11.115
*Mar 8 20:34:30.221: SB11: Vl11 Speak: d/Standby timer expired (unknown)
*Mar 8 20:34:30.221: SB11: Vl11 Standby router is local
*Mar 8 20:34:30.221: SB11: Vl11 Speak -> Standby
*Mar 8 20:34:30.221: SB11: Vl11 Hello out 172.16.11.111 Standby pri 100 ip 172.16.11.115
*Mar 8 20:34:30.221: SB11: Vl11 Standby: c/Active timer expired (unknown)
*Mar 8 20:34:30.221: SB11: Vl11 Active router is local
*Mar 8 20:34:30.221: SB11: Vl11 Standby router is unknown, was local
*Mar 8 20:34:30.221: SB11: Vl11 Standby -> Active
*Mar 8 20:34:30.221: %STANDBY-6-STATECHANGE: Vlan11 Group 11 state Standby -> Active
*Mar 8 20:34:30.221: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
說明:router with IP address 172.16.1.111 initializes and negotiates for the role of active router.
The final active router is 172.16.11.111,and 172.16.1.115 is the virtual HSRP IP address.
ps:
發生錯誤時畫面大致如下
1d18h: SB6: Vl6 Hello out 172.16.63.252 Active pri 100 ip 172.16.63.254
1d18h: SB6: Vl6 Hello out 172.16.11.252 Active pri 110 ip 172.16.11.254
1d18h: SB7: Vl7 Hello out 172.16.12.252 Standby pri 100 ip 172.16.12.254
1d18h: SB8: Vl8 Hello out 172.16.13.252 Active pri 110 ip 172.16.13.254
1d18h: SB14: Vl14 Hello out 172.16.19.252 Active pri 110 ip 172.16.19.254
1d18h: SB2: Vl2 Hello out 172.16.0.2 Active pri 110 ip 172.16.0.254
1d18h: SB62: Vl62 Hello out 172.16.62.252 Active pri 110 ip 172.16.62.254

2011-09-12 16:57:40發表 2013-08-22 22:10:23修改   

數據分析
程式開發
計算機組織與結構
資料結構與演算法
Database and MySql
manage tool
windows
unix-like
linux service
network
network layer3
network layer2
network WAN
network service
作業系統
數位鑑識
資訊安全解決方案
資訊安全威脅
Cisco security
Cisco network
Cisco layer3

Cisco layer2



  登入      [牛的大腦] | [單字我朋友] Powered by systw.net