Why FHRP?
A reliable network must address the following characteristics: High Availability and Fault Tolerance, Scalability, Security, and QoS.
For a fault-tolerant network we must address the single of points of failures. A reliable network provides redundancy by implementing a packet-switched network wherein each packets could take a different path to the destination. Not that with circuit-switched networks, it is not possible once the dedicated circuit established.
Let’s back to the topic, FHRP provides gateway redundancy for hosts at layer 3. End devices typically configured with s static default gateway. If that gateway (router) fails or disconnected, the host loses the outside connectivity.
One solution is to have two gateways for the hosts, then assign default gateway for some of the hosts the IP address of gateway-1, and for the other, the IP address of the gateway-2.
Another way is to share a virtual IP (VIP) amongst those gateways so that the hosts see them as a single gateway. For example, let’s share .3 as a VIP between the two gateways (.1 and .2). There are several protocols that are available under the umbrella of FHRP to allow sharing an IP address between different gateways. Those protocols include:
- ICMP Router Discovery Protocol (IRDP) – Not supported
- Legacy FHRP Solution
- Hot Standby Router Protocol (HSRP) – Cisco origin
- HSRPv1: IPv4
- HSRPv2: IPv4 and IPv6
- Virtual Router Redundancy Protocol (VRRP)
- VRRPv2 (RFC 2338): IPv4
- VRRPv3 (RFC 5798): IPv4 and IPv6
- Gateway Load Balancing Protocol (GLBP) – Cisco origin – Not supported with NX-OS anymore
- GLBP
- GLBP for IPv6
FHRP: Hot Standby Router Protocol (HSRP)
HSRP is an active/standby model wherein the HSRP active router replies to the ARP request for the VIP for that VLAN. HSRP determines the role of the active and standby during the election process. By default, HSRP elects the numerically highest IPv4 address as the active router. However, you can control the priority using priority command. The default HSRP priority is 100 and the value can be in the range of 0-255. The highest priority becomes the active router.
When the active device fails, the standby device takes over.
When the former active router comes back online, it remains standby router even if it still has higher priority. To force a new HSRP election process to take place when a better router comes online, we need to allow preemption by using standby preempt command. This is only effective when the active router has higher priority (not higher IPv4 address).
HSRP States
Both HSRP routers send hello packets using UDP port 1985 to the HSRP group multicast address every 3 seconds. The standby router becomes active if it does not receive any Hello after 10 seconds.
| HSRP State | Comment |
|---|---|
| Initial | Interface becomes up/up; or after a configuration change. |
| Learn | The router does not know the VIP. It waits for the Hello message. |
| Listen | The router knows the VIP. It listens for VIP. |
| Speak | The router sends periodic hello message and participates in election process. |
| Standby | Router monitors the hello messages from the active router. |
| Active | The router becomes active router. |
HSRP Versions
The routers in the same HSRP group must use the same version. Note that, the HSRP group number is not included in the hsrp version command. It sets the version for all HSRP messages sent out that interface.
| Feature | Version 1 | Version 2 |
|---|---|---|
| IPv6 Support | Nope | YES |
| Range of group numbers | 0 – 255 | 0 – 4095 |
| vMAC (xx or xxx is the group number in hex) | 0000.0C07.ACxx | 0000.0C9F.Fxxx |
| Multicast address used for hello messages | 224.0.0.2 | 224.0.0.102 FF02::66 |
Here is a sample of how we configure HSRP on NX-OS:
N9K01# configure terminal
N9K01(config)# feature hsrp
N9K01(config)# interface ethernet 1/1
N9K01(config-if)# no shutdown
N9K01(config-if)# no switchport
N9K01(config-if)# ip address 192.168.1.252/24
N9K01(config-if)# hsrp version 2
N9K01(config-if)# hsrp 1 ! Define the HSRP Group 1. We tend to match it with VID
N9K01(config-if-hsrp)# ip 192.168.1.254 ! Define the VIP
N9K01(config-if-hsrp)# priority 200
N9K01(config-if-hsrp)# preempt
N9K01(config-if-hsrp)# authentication md5 key-string SMENODEPASSFHRP: Virtual Router Redundancy Protocol (VRRP)
Virtual Router Redundancy Protocol is the standard-based alternative to HSRP. VRRP sends its advertisements to the multicast destination address 224.0.0.18 using IP protocol 112 every 1 second by default. The active router to respond to the VIP is called master router and all other routers are known as backup routers. VRRP uses 0000.5E00.01xx (xx is the VRRP group number) as the vMAC. VRRP enables preemption by default.
| Feature | Version 2 | Version 3 |
|---|---|---|
| IPv6 Support | Nope | YESSS |
| Configurable range of group numbers | 1 – 254 | 1 – 254 |
| vMAC (xx or xxx is the group number in hex) | 0000.5E00.01xx | 0000.5E00.01xx |
| Multicast address used for hello messages | 224.0.0.18 | 224.0.0.18 FF02::12 |
Next comes the VRRP sample configuration:
N9K01# configure terminal
N9K01(config)# feature vrrp
N9K01(config)# interface ethernet 1/1
N9K01(config-if)# no shutdown
N9K01(config-if)# no switchport
N9K01(config-if)# ip address 192.168.1.252/24
N9K01(config-if)# vrrp 1
N9K01(config-if-vrrp)# address 192.168.1.254
N9K01(config-if-vrrp)# priority 200
N9K01(config-if-vrrp)# preempt
N9K01(config-if-vrrp)# authentication text SMENODETracking
So far, we have addressed the link or router failure. But consider the situation that ISP-facing interface goes down or even ISP-facing interface stays up, but you cannot reach the Internet through that path. To address these types failures we can leverage tracking and then attach it to our FHRP configuration.
Interface tracking sample configuration:
N9K01# configure terminal
N9K01(config)# track 1 interface ethernet 1/2 line-protocolObject tracking sample configuration:
N9K01# configure terminal
N9K01(config)# feature sla sender
N9K01(config)# ip sla 1
N9K01(config-ip-sla)# icmp-echo 8.8.8.8
N9K01(config-ip-sla-echo)# threshold 50
N9K01(config-ip-sla-echo)# timeout 150
N9K01(config-ip-sla-echo)# frequency 2
N9K01(config)# track 1 ip sla 1 reachabilityLet’s attach the track to the HSRP
N9K01# configure terminal
N9K01(config)# interface ethernet 1/1
N9K01(config-if)# hsrp 1
N9K01(config-if-hsrp)# track 1 decrement 150Workshop 1: HSRP
In this scenario, we are going to configure HSRP between E1/1s on each of those N9K01 and N9K02. You might say we still have a single point of failure in Layer 2 where we have N5K01. But addressing that L2 failure is out of the scope of this topic and we will discuss that later in vPC.
Configuration
N9K01:
feature hsrp
interface ethernet 1/1
no shutdown
no switchport
ip address 192.168.1.252/24
hsrp version 2
hsrp 1
ip 192.168.1.254
preempt
priority 200
authentication md5 key-string SMENODEPASS
interface ethernet 1/2
no shutdown
no switchport
ip address 10.10.10.0/31
feature eigrp
router eigrp 1
router-id 1.1.1.1
interface ethernet 1/1-2
ip router eigrp 1
feature sla sender
ip sla 1
icmp-echo 8.8.8.8
threshold 50
timeout 150
frequency 2
exit
track 1 ip sla 1 reachability
exit
interface ethernet 1/1
hsrp 1
track 1 decrement 150N9K02:
feature hsrp
interface ethernet 1/1
no shutdown
no switchport
ip address 192.168.1.253/24
hsrp version 2
hsrp 1
ip 192.168.1.254
preempt
priority 200
authentication md5 key-string SMENODEPASS
interface ethernet 1/2
no shutdown
no switchport
ip address 10.10.11.0/31
feature eigrp
router eigrp 1
router-id 2.2.2.2
interface ethernet 1/1-2
ip router eigrp 1
INET (CSR):
interface GigabitEthernet1
no shutdown
ip address 10.10.10.1 255.255.255.254
interface GigabitEthernet2
ip address 10.10.11.1 255.255.255.254
no shutdown
interface loopback 1
ip address 8.8.8.8 255.255.255.255
router eigrp 1
network 0.0.0.0
eigrp router-id 8.8.8.8SRV01:
SRV02:
Verification
N9K01# show hsrp brief
*:IPv6 group #:group belongs to a bundle
P indicates configured to preempt.
|
Interface Grp Prio P State Active addr Standby addr Group addr
Eth1/1 1 50 P Standby 192.168.1.253 local 192.168.1.2
54 (conf)
N9K02# show hsrp brief
*:IPv6 group #:group belongs to a bundle
P indicates configured to preempt.
|
Interface Grp Prio P State Active addr Standby addr Group addr
Eth1/1 1 200 P Active local 192.168.1.252 192.168.1.2
54 (conf)Workshop 2: VRRP
In this workshop, we are going to work on the same exact scenario with workshop 1, but this time with VRRP configuration. Note that CSR, SRV01, and SRV02 configurations are also identical to workshop 1:
Configuration
N9K01:
feature vrrp
interface ethernet 1/1
no shutdown
no switchport
ip address 192.168.1.252/24
vrrp 1
address 192.168.1.254
preempt
priority 200
authentication text SMENODE
interface ethernet 1/2
no shutdown
no switchport
ip address 10.10.10.0/31
feature eigrp
router eigrp 1
router-id 1.1.1.1
interface ethernet 1/1-2
ip router eigrp 1
feature sla sender
ip sla 1
icmp-echo 8.8.8.8
threshold 50
timeout 150
frequency 2
exit
track 1 ip sla 1 reachability
exit
interface ethernet 1/1
vrrp 1
track 1 decrement 150N9K02:
feature vrrp
interface ethernet 1/1
no shutdown
no switchport
ip address 192.168.1.253/24
vrrp 1
ip 192.168.1.254
preempt
authentication text SMENODE
interface ethernet 1/2
no shutdown
no switchport
ip address 10.10.11.0/31
feature eigrp
router eigrp 1
router-id 2.2.2.2
interface ethernet 1/1-2
ip router eigrp 1
INET (CSR):
interface GigabitEthernet1
no shutdown
ip address 10.10.10.1 255.255.255.254
interface GigabitEthernet2
ip address 10.10.11.1 255.255.255.254
no shutdown
interface loopback 1
ip address 8.8.8.8 255.255.255.255
router eigrp 1
network 0.0.0.0
eigrp router-id 8.8.8.8SRV01:
SRV02:
Verification
N9K01# show vrrp
Interface VR IpVersion Pri Time Pre State VR IP addr
---------------------------------------------------------------
Ethernet1/1 1 IPV4 200 1 s Y Init 192.168.1.254
N9K02# show vrrp
Interface VR IpVersion Pri Time Pre State VR IP addr
---------------------------------------------------------------
Ethernet1/1 1 IPV4 100 1 s Y Init
