Introduction
"Hot Standby Routing Protocol" is a "First Hop Redundancy Protocol"... Take a second on that one.
You back? Good. What is FHRP or HSRP then and why is it important? We firstly need to understand what a failure domain is. Simply put...
If one thing fails how many other things are affected by it?
When you know how many things are impacted, you have determined the size of your failure domain. At the CCNA level you have probably been building simple local area networks. That consist of a router and maybe a couple switches. The router will likely be playing the key role of a Default Gateway (DG).
The default gateway is vital to inter network communication. PCs in a local area, always need a DG to be able to communicate with other networks. Without one it just doesn't work.
We can take a quick recap on how this all works. It focusses on the Layer 2 and Layer 3 addressing systems.
When PC-A wants to send a message to PC-B. It first does a quick check.
Is PC-B in the same IP network as me?
In this case the answer is Yes. So, PC-A will send out an ARP broadcast message hoping to discover the MAC address of :BB:BB.
When PC-A wants to send a message to PC-Z. It does the same check.
Is PC-Z in the same IP network as me?
The answer in this case is no. PC-A could try an ARP broadcast, but it would be pointless because a router exists between the two networks. Broadcast messages do not get flooded out of a router (like a switch) It is either processed or dropped. So, we won't waste our time with that.
But what can PC-A do? This is exactly where the default gateway comes in handy.
We can send our message to the routers MAC address. But still leave the end destination address as PC-Z (10.0.0.10)
So, what happens when our default gateway goes down? We lose access to all other networks. Let's install a second router... But there is an administrative problem.
We can only configure a single Default Gateway on end devices. So which router should we use R1 or R2?
The answer is both, and neither. HSRP creates a virtual router with a virtual IP address and virtual MAC address that each router uses, but only the Active router will be responsible, the standby router monitors the active router, if it stops getting replies it assumes the active route role.
What is cool about this process is the fact that the end device is none the wiser as to which router it is using. Only upon investigation would you notice that something is happening, by investigating a traceroute (which we will do in this lab).
Instructions
In this lab (Download lab pack here) we will configure HSRP on the routers in this topology, although everything above the LAN is preconfigured, the LAN itself will need to be configured entirely in the following steps
Pre-HSRP
Configure R1 and R2 with unique IP addresses
Configure PC-A with R1 address as Default Gateway
Verify that R1, R2 and ISP-R loopback are reachable
Shutdown R1 and test
Verify what is happening according to the PCs and Switches
HSRP-configuration
Configure R1 and R2 with Virtual standby address
Configure PC-A with Virtual IP address as Default Gateway
Verify that R1 and R2 are reachable
Shutdown R1 and test and verify
Verify what is happening according to the PCs and Switches
Topology
IP Table
Device | Interface | Address |
R1 | G0/0/0 | 192.168.10.1/24 |
R1 | G0/0/1 | 10.1.3.1/24 |
R2 | G0/0/0 | 192.168.10.2/24 |
R2 | G0/0/1 | 10.2.3.2/24 |
PC-A | Eth0 | 192.168.10.10/24 |
Virtual Router | HSRP | 192.168.10.254 |
ISP-R | Lo9 | 199.199.199.199/32 |
**NOTE - Packet Tracer will use GigabitEthernet 0/0/0 and G0/0/1 interfaces. CML will use G0/0 and G0/1
Activity (Pre-HSRP)
Let's get into it. First, we need to configure the routers LAN side interfaces.
Part 1 - Configure R1 and R2 with unique IP addresses
R1>enable
R1#conf t
R1(config)#interface g0/0/0
R1(config-if)# description R1-LAN-INTERFACE
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)#
%LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
R1(config-if)#R2> enable
R2# conf t
R2(config)#int g0/0/0
R2(config-if)#desc R2-LAN-INTERFACE
R2(config-if)#ip add 192.168.10.2 255.255.255.0
R2(config-if)#no shutPart 2 - Configure PC-A with R1 address as Default Gateway
In packet tracer this can be done by the Desktop GUI
In CML it is a little different. You will need to access the /etc/network/interfaces file using Vi or Nano. (I'm a fan of vi).
View content of the file
PC-A:~$ cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
hostname localhost
PC-A:~$Gain editing access to the file
PC-A:~$ sudo vi /etc/network/interfacesEditing the File.
First, using your cursor move to the iface eth0 inet line.
Press "i" to insert, use backspace to delete "dhcp" and replace with "static".
After that press enter and input the following lines so that it looks like below.
iface eth0 inet static
address 192.168.10.10/24
gateway 192.168.10.1
hostname PC-ATo ESCAPE out of Vi. Press the "esc" key (if you are unsure, hammer it like 100 times).
Then enter the following
:wq!Well done you have done what most can't.
You can restart the network service and check to make sure it all stuck.
PC-A:~$ sudo service networking restart
PC-A:~$ cat /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.10.10/24
gateway 192.168.10.1
hostname PC-A
PC-A:~$
PC-A:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:00:00:3D:E3
inet addr:192.168.10.10 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe00:3de3/64 Scope:Link
--[Output omitted]--
PC-A:~$
PC-A:~$ ip r
default via 192.168.10.1 dev eth0 metric 1
192.168.10.0/24 dev eth0 scope link src 192.168.10.10
Part 3 - Verify that R1, R2 and web server are reachable
For the time being this can be done with a simple ping and trace route from PC-A.
C:\> ping 192.168.10.1
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255C:\> ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time<1ms TTL=255
Reply from 192.168.10.2: bytes=32 time<1ms TTL=255
Reply from 192.168.10.2: bytes=32 time<1ms TTL=255
Reply from 192.168.10.2: bytes=32 time<1ms TTL=255C:\> ping 199.199.199.199
Reply from 199.199.199.199: bytes=32 time<1ms TTL=254
Reply from 199.199.199.199: bytes=32 time=1ms TTL=254
Reply from 199.199.199.199: bytes=32 time<1ms TTL=254
Reply from 199.199.199.199: bytes=32 time<1ms TTL=254
C:\>tracert 199.199.199.199
Tracing route to 199.199.199.199 over a maximum of 30 hops:
1 0 ms 0 ms 0 ms 192.168.10.1
2 0 ms 0 ms 0 ms 199.199.199.199 [10.1.3.3 on CML]
Trace complete.Part 4 - Shutdown R1 and test
It is important at this point to save you configuration on R1 as you are about to shut it down.
R1#
R1# copy running-config startup-config
Destination filename [startup-config]? /Press Enter
Building configuration...
[OK]
R1#Once done, power it down. and try the same set of pings and trace route commands. You should be able to anticipate the results.
C:\>ping 192.168.10.1
Request timed out.
Request timed out.
Request timed out.
Request timed out.Ping to R1 fails as it is off.
C:\>ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time<1ms TTL=255
Reply from 192.168.10.2: bytes=32 time<1ms TTL=255
Reply from 192.168.10.2: bytes=32 time<1ms TTL=255
Reply from 192.168.10.2: bytes=32 time<1ms TTL=255Ping to R2 is successful as it is up and running.
C:\>ping 199.199.199.199
Request timed out.
Request timed out.
Request timed out.
Request timed out.C:\>tracert 199.199.199.199
Tracing route to 199.199.199.199 over a maximum of 30 hops:
1 * * * Request timed out.
2 * * * Request timed out.
----- [ output omitted] -----
30 * * * Request timed out.
Trace complete.
C:\>Ping and trace fail as the PCS wants to send them to its default gateway (R1) which is down.
At this stage you can power R1 back on. as we will need it.
Activity (HSRP)
Part 1 - Configure R1 and R2 with Virtual standby address
Complete the following on both router LAN interfaces. We can also configure both the priority and pre-empt command
Priority is a value between 0-255, by default this is set at 100. The higher the number we set the more likely the router will become the active router in the HSRP domain. We want R1 to be active, so we increase it.
Pre-empt is more about taking back control as active router. In this instance we will shut R1 down and R2 will become active.
When R1 comes back online, by default it won't become active again even though it has a higher priority. Afterall why cause another minor outage if you don't need to?
The pre-empt command can be used to force R1 to take back over as Active router.
R1> en
R1# conf t
R1(config)# int g0/0/0
R1(config-if)# standby 10 ip 192.168.10.254
R1(config-if)# standby 10 priority 200
R1(config-if)# standby 10 preempt
%HSRP-6-STATECHANGE: GigabitEthernet0/0/0 Grp 10 state Speak -> Standby
%HSRP-6-STATECHANGE: GigabitEthernet0/0/0 Grp 10 state Standby -> Active
R1(config-if)# end
R1# copy running-config startup-configR2> en
R2# conf t
R2(config)# int g0/0/0
R2(config-if)# standby 10 ip 192.168.10.254
R2(config-if)# standby 10 priority 150
R2(config-if)#Note* - We are using standby group number 10. this isn't required (can be removed entirely) if you only have 1 VLAN where HSRP is in use. If you are using VLANs however it is good to make the standby number match the VLAN ID.
Part 2 - Configure PC-A with Virtual IP address as Default Gateway
Now change the gateway address on the PC to be the virtual IP address.
On CLM you will need to use Vi again.
PC-A:~$ sudo vi /etc/network/interfacesiface eth0 inet static
address 192.168.10.10/24
gateway 192.168.10.254
hostname PC-A:wq!PC-A:~$ sudo service networking restart
PC-A:~$ cat /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.10.10/24
gateway 192.168.10.254
hostname PC-A
PC-A:~$
PC-A:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:00:00:3D:E3
inet addr:192.168.10.10 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe00:3de3/64 Scope:Link
--[Output omitted]--
PC-A:~$
PC-A:~$ ip r
default via 192.168.10.254 dev eth0 metric 1
192.168.10.0/24 dev eth0 scope link src 192.168.10.10Part 3 - Verify that R1 and R2 are reachable
Much like before we want to ping all the addresses, but this time we will include the new virtual IP address as well.
C:\> ping 192.168.10.1
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
--C:\> ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time<1ms TTL=255
Reply from 192.168.10.2: bytes=32 time=3ms TTL=255
--C:\> ping 192.168.10.254
Reply from 192.168.10.254: bytes=32 time<1ms TTL=255
Reply from 192.168.10.254: bytes=32 time<1ms TTL=255
--C:\> ping 199.199.199.199
Reply from 199.199.199.199: bytes=32 time<1ms TTL=254
Reply from 199.199.199.199: bytes=32 time<1ms TTL=254
--
C:\> tracert 199.199.199.199
Tracing route to 199.199.199.199 over a maximum of 30 hops:
1 0 ms 0 ms 0 ms 192.168.10.1
2 * 0 ms 0 ms 199.199.199.199 [10.1.3.3 on CML]
Trace complete.All these results should be expected. but it is good to note at this point the first hop address in the traceroute. 192.168.10.1
Part 4 - Shutdown R1 and test and verify
At this stage we can run the same test as before conducting different pings and traceroutes to see what the result it.
C:\>ping 192.168.10.1
Request timed out.
Request timed out.
Request timed out.
Request timed out.Ping to R1 fails as it is off.
C:\>ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time<1ms TTL=255
Reply from 192.168.10.2: bytes=32 time<1ms TTL=255
Reply from 192.168.10.2: bytes=32 time<1ms TTL=255
Reply from 192.168.10.2: bytes=32 time<1ms TTL=255Ping to R2 is successful as it is up and running.
C:\>ping 199.199.199.199
Reply from 199.199.199.199: bytes=32 time<1ms TTL=255
Reply from 199.199.199.199: bytes=32 time<1ms TTL=255
Reply from 199.199.199.199: bytes=32 time<1ms TTL=255
Reply from 199.199.199.199: bytes=32 time<1ms TTL=255C:\> tracert 199.199.199.199
Tracing route to 199.199.199.199 over a maximum of 30 hops:
1 0 ms 0 ms 0 ms 192.168.10.2
2 * 0 ms 0 ms 199.199.199.199 [10.2.3.3 on CML]
Trace complete.Ping and trace are successful as data is now routed through R2.
Part 5 - Verify what is happening according to the PCs and Switches
The whole process works at this point, but it is good to understand what is happening where on the devices that are not routers.
It all comes down to MAC addressing. Which means there are 2 very interesting table that we will want to look at. The ARP table on the PC and the CAM table (also called MAC table) on the switch.
The PCs ARP table should hopefully at this stage make sense to you. It contains at least 3 IP-MAC address mappings. We can see the R1 and R2 physical addresses and the Virtual Address of HSPR
When the frame is packaged up to the default gateway. it will have the destination MAC address of the 192.168.10.254 address.
C:\>arp -a
Internet Address Physical Address Type
192.168.10.1 000a.f36b.7601 dynamic
192.168.10.2 000d.bd57.9501 dynamic
192.168.10.254 0000.0c07.ac0a dynamic
C:\>This means the PC is in the dark regarding what is happening to R1 (shutdown) other than the ARP entry eventually aging out. So, the PC is doing nothing different when R1 goes down and R2 takes over.
The magic happens on the switches.
While R1 is down the switch will have an entry for the Virtual Mac address in its CAM table detailing the direction towards R2.
**Note - Rather irritatingly this doesn't occur on packet tracer unless you ping the virtual IP 192.168.10.254 directly from both switches
S1# show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0000.0c07.ac0a DYNAMIC f0/1
1 5254.0002.7575 DYNAMIC f0/1
Total Mac Addresses for this criterion: 2
S1#When R1 is back up. The path changes to point to R1
S1# show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0000.0c07.ac0a DYNAMIC f0/0
1 5254.0002.7575 DYNAMIC f0/1
1 5254.0004.f213 DYNAMIC f0/1
1 5254.0017.e67e DYNAMIC f0/0
Total Mac Addresses for this criterion: 4
S1#Other Verifications
On packet tracer there is very limited options for show standby commands.
You can display a summary of all important information.
R1# show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Gi0/0/0 10 200 P Active local 192.168.10.2 192.168.10.254
R1#Alternatively get a more detailed view of all the above information
R1# show standby
GigabitEthernet0/0/0 - Group 10
State is Active
1 state change, last state change 00:01:39
Virtual IP address is 192.168.10.254
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.720 secs
Preemption enabled
Active router is local
Standby router is 192.168.10.2, priority 150 (expires in 10.288 sec)
Priority 200 (configured 200)
Group name is "hsrp-Gi0/0/0-10" (default)
R1#In CML (or real life) there are a couple other useful things that can be achieved. For example, display all HSRP neighbors.
R1# show standby neighbors
HSRP neighbors on GigabitEthernet0/0
192.168.10.2
No active groups
Standby groups: 10
R1#You are also able to use pipes and gain more specific output from any of the above commands.
R1# show standby | include MAC
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
R1#!!! Bonus Round !!!
A great option with HSRP is that it can be used to load balance traffic if different VLANs are in use. For example, data from VLAN 10 can go via R1 and data from VLAN 20 can go via R2.
Below are the commands for R1 in such a scenario.
R1> en
R1# conf t
R1(config)# int g0/0/0.10
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
R1(config-subif)# standby 10 ip 192.168.10.254
R1(config-subif)# standby 10 priority 200
R1(config-subif)# standby 10 preempt
R1(config-subif)# exit
R1(config)#
R1(config)# int g0/0/0.20
R1(config-subif)# encapsulation dot1q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0
R1(config-subif)# standby 20 ip 192.168.20.254
R1(config-subif)# standby 20 priority 150
R1(config-subif)# exit
R1(config)# int g0/0/0
R1(config-if)# no shut
R1(config-if)#end
R1#
Can you create the config for R2?
Comments