[Image: GLBP_Top1, the lab topology]

Fundamentals and Details for exam day

GLBP is the final FHRP to be reviewed among the three, and is the only one that is truly made to load balance evenly among Group members. Its default load balancing method is round robin, where ARP requests cycle in order from Switch 1 – Switch 4 and back to Switch 1 again.

GLBP is not friendly to multi-vendor environments, as it is Cisco Proprietary.

GLBP elects what is called an AVG (Active Virtual Gateway), which holds the Virtual MAC Addresses assigned to all the routers in the group, known as AVFs (Active Virtual Forwarders), much like how HSRP and VRRP both have a Virtual Router MAC address.

The well known MAC for GLBP is 0007.b400.XXYY where XX is the GLBP Group # and the YY is the AVF #, both in Hex format so study up on Hex conversion!

https://loopedback.com/2017/02/25/hex-to-dotted-decimal-to-binary-conversion-explained-and-other-good-info-to-know-for-exam-day-about-hex/
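
As an added example (not part of the original post), the Python below decodes virtual MACs using the 0007.b400.XXYY layout exactly as stated above, and groups a constructed list of hosts by the forwarder their gateway ARP entry points at. The host names, sample MACs and function names are made up for illustration.

```python
import re
from collections import defaultdict

GLBP_PREFIX = "0007b400"   # fixed part of the layout stated above: 0007.b400.XXYY
MAX_FORWARDERS = 4         # the post: at most 4 routers per GLBP group

def normalize_mac(mac):
    """Accept Cisco dotted, colon or hyphen notation; return 12 hex digits or None."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def decode_glbp_vmac(mac):
    """Return (group, forwarder) if mac follows 0007.b400.XXYY, otherwise None."""
    digits = normalize_mac(mac)
    if digits is None or not digits.startswith(GLBP_PREFIX):
        return None
    group = int(digits[8:10], 16)        # XX: group number, hex
    forwarder = int(digits[10:12], 16)   # YY: AVF number, hex
    if not 1 <= forwarder <= MAX_FORWARDERS:
        return None
    return group, forwarder

def forwarders_seen(arp_rows):
    """Group hosts by the (group, forwarder) their gateway ARP entry decodes to."""
    seen = defaultdict(list)
    for host, gateway_mac in arp_rows:
        decoded = decode_glbp_vmac(gateway_mac)
        if decoded is not None:
            seen[decoded].append(host)
    return dict(seen)

# Constructed sample: the MAC each host has cached for its default gateway.
SAMPLE_ARP = [
    ("host-a", "0007.b400.0a01"),
    ("host-b", "00:07:b4:00:0a:02"),
    ("host-c", "0007.B400.0A01"),
    ("host-d", "0000.0c07.ac0a"),   # not a GLBP virtual MAC, so it is skipped
]

if __name__ == "__main__":
    for (group, fwd), hosts in sorted(forwarders_seen(SAMPLE_ARP).items()):
        print(f"group {group} forwarder {fwd}: {', '.join(hosts)}")
```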

The maximum # of Routers in a GLBP Group is 4.

The AVG is elected by order of highest GLBP Priority value, which is 100 by default, and if all Priority values are default then the highest IP Address on a router wins the election.

The AVG assigns Virtual MAC Addresses to the AVFs in the group, and is responsible for forwarding packets to those Virtual MAC Addresses. A secondary / backup AVG is designated during the election to step in if the AVG fails, and all other router group members are potential backup AVGs if needed.

The AVG is also an AVF for the GLBP group as indicated in “show …” output below, but there will only ever be one AVG in a GLBP group at a time.

To manually set a Primary / Secondary AVG, the Priority value needs to be increased for both routers. Highest IP can work, but it is better to use Priority in case of IP changes.

GLBP uses the same Virtual Router concept as the other FHRPs, however the hosts do not need to point to different Virtual Router IP’s to achieve load-balancing, as all routers are actively participating in the forwarding of traffic.

If the AVG were to fail, Multicast Hellos are sent to Multicast IP addy 224.0.0.102 to elect a new AVG / Backup, and if an AVF fails these same Hellos are used to find an available AVF to take over forwarding data for that group router – much more on that later.

Round-Robin is the default load balancing method between Group routers, however “Weight Assignments” can be configured, which make the higher weighted routers more heavily used for connection requests. There is also “Host Dependent Load Balancing” that can be configured if a host for some reason needs its ARP to go to the same Virtual MAC address every time, though that may not be covered here.

Preemption is disabled by default, and both the weight and the Priority of GLBP routers are 100 by default, so the highest IP address on a router will win the AVG election by default.

The Fun Part (Labbing)

The Topology being configured will be the same as the top of the page, the switches will be .101 / .102 / .103 corresponding to their SW#, and two Hosts (routers) are plugged into SW1 which should be the AVG once Priority value is configured a bit higher.

And away we go!

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int vlan 1
SW1(config-if)#glbp ?
<0-1023> Group number

SW1(config-if)#glbp

First thing I noticed, GLBP DOES make you enter a group #, whereas HSRP / VRRP DO NOT require a group number, only a Virtual IP to begin running!

So on I go:

SW1(config-if)#glbp 1 ip ?
A.B.C.D Virtual IP address
<cr>

SW1(config-if)#glbp 1 ip
%GLBP is not supported by the switch stack

SW1(config-if)#glbp 1 ip 10.0.0.100
%GLBP is not supported by the switch stack

You have GOT to be kidding me!!! *#@&rg*fgburyv*@!!@*#!!!!!!!

So even though I cannot actually create the lab / demonstrate output, I will review the commands I can at least see from the first config screen, as apparently 3750 model MLS switches will let you SEE the top level commands but not configure GLBP. GAH.

IN THE ABSENCE OF BEING ABLE TO CONFIGURE GLBP IN MY 3750 LAB

I’ve taken the following output from Cisco.com (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/xe-3s/fhp-xe-3s-book/fhp-glbp.html), so this is not from my actual lab but for reference to the commands demonstrated:

 

Device# show glbp 10

GigabitEthernet0/0/0 - Group 10
  State is Active
    2 state changes, last state change 23:50:33
  Virtual IP address is 10.21.8.10
  Hello time 5 sec, hold time 18 sec
    Next hello sent in 4.300 secs
  Redirect time 600 sec, forwarder time-out 7200 sec
  Authentication text "stringabc"
  Preemption enabled, min delay 60 sec
  Active is local
  Standby is unknown
  Priority 254 (configured)
  Weighting 105 (configured 110), thresholds: lower 95, upper 105
    Track object 2 state Down decrement 5
  Load balancing: host-dependent
  There is 1 forwarder (1 active)
  Forwarder 1
    State is Active
      1 state change, last state change 23:50:15
    MAC address is 0007.b400.0101 (default)
    Owner ID is 0005.0050.6c08
    Redirection enabled
    Preemption enabled, min delay 60 sec
    Active is local, weighting 105

 

This output appears to have every option in the GLBP configurations set to non-default settings, so I’ll go through what WOULD have made this configuration.

One thing to note, I’ve highlighted in blue / made Bold / Underlined the point in this output where it stops referring to AVG configs – Everything above the “There is # Forwarder” line is regarding the AVG settings!

First a quick look at the options:

SW1(config-if)#glbp 10 ?
authentication Authentication method
client-cache Client cache
forwarder Forwarder configuration
ip Enable group and set virtual IP address
load-balancing Load balancing method
name Redundancy name
preempt Overthrow lower priority designated routers
priority Priority level
timers Adjust GLBP timers
weighting Gateway weighting and tracking

SW1(config-if)#glbp 10

Couple of quick side notes here regarding that chunk of output:

  • Under forwarder information, “State is Active” means the local device is the AVG, any non-AVG routers would show “State is Listen” or possibly “State is Speak” if there is some sort of election happening
  • The “MAC Address” under Forwarder 1 info is the Virtual MAC addy, the “Owner ID” below it is the router's actual MAC Address
  • “Standby is unknown” in this output is because there is only 1 configured group member in this output, and to note a Standby / Secondary “Unknown” can also mean there is an active election / failover happening and the Secondary is being determined by the GLBP group

Virtual Router IP:

SW1(config-if)#glbp 10 ip 10.21.8.10

GLBP Hello / Hold Timer Configuration (default is Hello 3, Hold 10):

SW1(config-if)#glbp 10 timers ?
<1-60> Hello interval in seconds
msec Specify hello interval in milliseconds
redirect Specify timeout values for failed forwarders

SW1(config-if)#glbp 10 timers 5 ?
<6-180> Hold time in seconds
msec Specify hold time in milliseconds

SW1(config-if)#glbp 10 timers 5 18 ?
<cr>

SW1(config-if)#glbp 10 timers 5 18

GLBP Redirect / Timeout Timer configuration:

SW1(config-if)#glbp 10 timers ?
<1-60> Hello interval in seconds
msec Specify hello interval in milliseconds
redirect Specify timeout values for failed forwarders

SW1(config-if)#glbp 10 timers redirect ?
<0-3600> Interval in seconds to redirect to failed forwarders

SW1(config-if)#glbp 10 timers redirect 2400 ?
<3000-64800> Timeout interval in seconds for failed forwarders

SW1(config-if)#glbp 10 timers redirect 2400 36000 ?
<cr>

SW1(config-if)#glbp 10 timers redirect 2400 36000

**** Very important concept below! *****

The Redirect timers shown above have two very important values to understand, explained below; they have to do specifically with an AVF failing:

The first value (Redirect) indicates how long the AVG will respond to ARP requests for a Virtual MAC of a Down / Failed AVF, before it removes that assigned Virtual MAC from its Forwarders table.

So just as it sounds, this is the time traffic will be redirected for that AVF to another AVF, and once it expires the AVG considers it in an inactive or “Unknown” state.

The second value (Timeout) is how long the AVG will allow the router to remain inactive in the group before the entire group flushes that router member's information from its Forwarder table, and it is removed entirely from the group (as opposed to just being inactive / unknown).

If, in the “show glbp” output, you see any Forwarder's Redirection or Timeout timers dropping far below their configured values or the defaults (Redirect 600, Timeout 14400), then the host is most likely failing.

Another excellent way to tell can be shown via a screen snip I found out on the internet:

[Image: GLBP_AVF_Failover]

In this output you can see router 172.16.23.3 is handling traffic for both Virtual MACs ending in .0101 and .0102 (Fwd #’s 1 and 2), and the Standby is showing as “Unknown” because the router that failed was the Standby, and the only other group member is currently busy handling two work loads.

The “Active” state can be very confusing, but one easy way to look at it, is if you see Active twice in the brief output, you are on the AVG router. This is because every separate router will show itself in an “Active” state in the “sh glbp brief” output, but the top line may say Listen / Speak / Standby indicating how the router views itself in the overview of the GLBP Group.

The “Active Router” column will be the IP handling traffic for the Virtual MAC / Forwarder indicated to the left. In the above example it shows Fwd #3 is “local”, so it's the one we are on, and of course we see the .3 router handling a failover from Fwd # 1.

While looking at the output for “sh glbp brief” it is a good time to review the values:

  • Going down the device list there are 4 lines of info, but only 3 routers in the group. This is because the top line will always show the local router's GLBP information as it sees itself in the network. This is why it is the only line that lists a Priority value and does not have a Fwd #, because it's basically informational.
  • If the local router you are on is the AVG, it will show State as “Active” twice, once for the AVG information on the top line, and again under its own Fwd # line
  • If the local router is NOT the AVG, you will see this top line in another “State” such as Listen / Speak (if election is happening) / Standby as can actually be seen here:

[Image: GLBP_Standby_Output]

^^^ From this output we can tell we are on Fwd # 3, which shows in its top line that it is the Standby router for the GLBP group as shown under “State” and “local” below the Standby column, however it also shows “Active” state on its line in the Fwd Table because it is an Active AVF and its IP address shows “local” in the Fwd # 3 line because that is the router we are logged onto.

  • Looking at the columns: the Interface column shows what interface GLBP is configured on, followed by the GLBP Group #, the Forwarder #, the Priority #, the “State” of that Forwarder, the Forwarder's Virtual MAC, and the actual IP Address of the router handling traffic for the Virtual MAC

When talking about Forwarders and Forwarder #’s, it is best illustrated in a screen snip I found on the internet of “sh glbp” with several AVF routers, shown here:

[Image: Forwarder_Output]

Some things to note from this output as well:

  • It's cut off at the top, but it shows there are 3 Forwarders (1 Active), the # of Forwarders is the # of routers in your group, and the 1 Active is your local Active AVF router (in this case Forwarder 1 is our 1 Active in that output)
  • Each Forwarder # will show Active locally under its own #, and listen on all other Forwarder #’s in this output, indicating that it is an Active AVF
  • The Virtual MAC and Actual MAC (Owner ID) can be seen, Redirection and Timeout timer information for each Forwarder, preemption can be verified here, and the Active IP Address for that Forwarder at the bottom line along with its Weight value (Forwarder 3 had its bottom line with Active IP info cut off in the screen snip)
  • Again, DO NOTE, every individual router will show its own Forwarder # as “State is Active” because it is an Active AVF – All other Forwarders will be in another State with the IP Address handling its traffic on its bottom line. This is seen on Forwarder 2 on the bottom line, showing “Active is 172.16.23.2 (primary)”, as that is its local IP

And I think that is about it for “sh glbp” and “sh glbp brief”, back to configuration!

Setting Key-String Authentication:

SW1(config-if)#glbp 10 authentication ?
md5 MD5 authentication
text Plain text authentication

SW1(config-if)#glbp 10 authentication md5 ?
key-chain MD5 key-chain authentication
key-string MD5 keyed authentication

SW1(config-if)#glbp 10 authentication md5 key-string ?
0 Specifies an UNENCRYPTED key will follow
7 Specifies a HIDDEN key will follow
WORD MD5 authentication key (100 chars max)

SW1(config-if)#glbp 10 authentication md5 key-string stringabc
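
An added example, not from the original post or from Cisco: a Python check that reads “show glbp” text like the output quoted earlier and reports the groups whose authentication is plain text or missing, as opposed to the md5 option shown in the help above. It relies only on the line formats visible in that output; groups 20 and 30 in the sample are constructed, and the wording of the MD5 line is an assumption.

```python
import re

GROUP_RE = re.compile(r"^(\S+) - Group (\d+)\s*$")
AUTH_RE = re.compile(r"^\s+Authentication (\w+)")

def audit_glbp_auth(show_output):
    """Return {(interface, group): finding} for every group in `show glbp` text."""
    findings, current = {}, None
    for line in show_output.splitlines():
        header = GROUP_RE.match(line)
        if header:
            current = (header.group(1), int(header.group(2)))
            findings[current] = "no authentication line"
            continue
        auth = AUTH_RE.match(line)
        if auth and current is not None:
            # Record only the method; the key itself is never copied out.
            method = auth.group(1).lower()
            findings[current] = ("plain-text authentication" if method == "text"
                                 else "authentication method " + method)
    return findings

def weak_groups(show_output):
    """Sorted (interface, group) pairs using plain-text or no authentication."""
    return sorted(key for key, finding in audit_glbp_auth(show_output).items()
                  if not finding.startswith("authentication method"))

# Group 10 uses lines from the output quoted earlier in the post. Groups 20 and 30
# are constructed, and the wording of the MD5 line is an assumption.
SAMPLE = """\
GigabitEthernet0/0/0 - Group 10
  State is Active
  Virtual IP address is 10.21.8.10
  Authentication text "stringabc"
  Preemption enabled, min delay 60 sec
GigabitEthernet0/0/1 - Group 20
  State is Active
  Virtual IP address is 10.21.9.10
  Preemption enabled, min delay 60 sec
GigabitEthernet0/0/2 - Group 30
  State is Active
  Authentication MD5, key-string
"""

if __name__ == "__main__":
    for key in weak_groups(SAMPLE):
        print(key, audit_glbp_auth(SAMPLE)[key])
```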

GLBP Priority configuration:

SW1(config-if)#glbp 10 priority ?
<1-255> Priority value

SW1(config-if)#glbp 10 priority 254 ?
<cr>

Remember that Preemption is disabled by default, so changing the Priority value will have no result if Preemption is not manually turned on for GLBP!

Enabling Preemption:

SW1(config-if)#glbp 10 preempt ?
delay Wait before preempting
<cr>

SW1(config-if)#glbp 10 preempt

Tracking Object configuration for Interface Tracking:

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#track ?
<1-1000> Tracked object
resolution Tracking resolution parameters
timer Polling interval timers

SW1(config)#track 1 ?
interface Select an interface to track
ip IP protocol
list Group objects in a list

SW1(config)#track 1 int fa1/0/1 ?
ip IP parameters
line-protocol Track interface line-protocol

SW1(config)#track 1 int fa1/0/1 line-proto ?
<cr>

SW1(config)#track 1 int fa1/0/1 line-proto

Configuring interface with weight thresholds:

SW1(config-if)#glbp 1 weighting ?
<1-254> Weighting maximum value
track Interface tracking

SW1(config-if)#glbp 1 weighting 100 ?
lower Weighting lower threshold
upper Weighting upper threshold
<cr>

SW1(config-if)#glbp 1 weighting 100 lower ?
<1-99> Weighting lower threshold value

SW1(config-if)#glbp 1 weighting 100 lower 95 ?
upper Weighting upper threshold
<cr>

SW1(config-if)#glbp 1 weighting 100 lower 95 upper ?
<95-100> Weighting upper threshold value

SW1(config-if)#glbp 1 weighting 100 lower 95 upper 100

This is configured on the interface configured for GLBP. Essentially, what this is saying is that our weight is “100”, the minimum acceptable threshold to lowering that weight is 95, and our upper threshold cannot exceed the weight itself, so it is set to 100.

Next, we tie the tracking object into the weight, and if int Fa1/0/1’s line protocol goes down, it will decrement the weight by its default decrement of 10 which will remove this router as an Active AVF router.

Interface tracking configuration (after thresholds and tracking object configured):

SW1(config-if)#glbp 1 weighting ?
<1-254> Weighting maximum value
track Interface tracking

SW1(config-if)#glbp 1 weighting track ?
<1-1000> Tracked object

SW1(config-if)#glbp 1 weighting track 1 ?
decrement Weighting decrement
<cr>

SW1(config-if)#glbp 1 weighting track 1 decrement ?
<1-255> Decrement value

SW1(config-if)#glbp 1 weighting track 1 ?
decrement Weighting decrement
<cr>

SW1(config-if)#glbp 1 weighting track 1

I only wanted to demonstrate you can manually configure a different decrement value for interface tracking, but with the default at 10, as long as you make the min threshold no more than minus 9 from your weight value, then your tracking will work!
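
The threshold behaviour described above, as an added Python sketch (not from the original post or from Cisco): it models one router's weighting as tracked objects go down and come back. It assumes the router gives up its AVF role when the weighting falls below the lower threshold and takes it back once the weighting reaches the upper threshold; the class and function names are hypothetical.

```python
class GlbpWeighting:
    """One router's weighting under `glbp N weighting MAX lower L upper U`."""

    def __init__(self, maximum, lower, upper):
        if not 1 <= lower <= upper <= maximum:
            raise ValueError("need 1 <= lower <= upper <= maximum")
        self.maximum, self.lower, self.upper = maximum, lower, upper
        self.tracks = {}         # tracked object number -> [decrement, is_up]
        self.forwarding = True   # may this router currently act as an AVF?

    def track(self, obj, decrement=10):
        """`glbp N weighting track OBJ [decrement D]`; 10 is the default."""
        self.tracks[obj] = [decrement, True]

    def weighting(self):
        lost = sum(dec for dec, is_up in self.tracks.values() if not is_up)
        return max(self.maximum - lost, 0)

    def set_state(self, obj, is_up):
        """Apply a tracked-object change; return (weighting, forwarding)."""
        self.tracks[obj][1] = is_up
        current = self.weighting()
        if self.forwarding and current < self.lower:
            self.forwarding = False   # assumption: below lower gives up AVF role
        elif not self.forwarding and current >= self.upper:
            self.forwarding = True    # assumption: reaching upper resumes it
        return current, self.forwarding

def link_down_result(maximum, lower, upper, decrement=10):
    """Weighting and AVF eligibility after a single tracked interface goes down."""
    router = GlbpWeighting(maximum, lower, upper)
    router.track(1, decrement)
    return router.set_state(1, False)

if __name__ == "__main__":
    print(link_down_result(100, 95, 100))     # the post's config: (90, False)
    print(link_down_result(100, 90, 100))     # lower set too low: (90, True)
    print(link_down_result(110, 95, 105, 5))  # the quoted Cisco output: (105, True)
```

The second call is the case the paragraph above warns about: with the lower threshold at 90, a decrement of 10 leaves the weighting at 90, which is not below the threshold, so the router keeps forwarding.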

To verify tracking is configured with “show glbp”:

[Image: GLBP_Tracking]

Once the interface goes down, another AVF must take over for this Forwarder as it is removed as an AVF until the interface comes back up, and this also triggers the Redirect / Timeout timers to start counting down to kick the switch out of the group.

Load-Balancing method configuration:

SW1(config-if)#glbp 10 load-balancing ?
host-dependent Load balance equally, source MAC determines forwarder choice
round-robin Load balance equally using each forwarder in turn
weighted Load balance in proportion to forwarder weighting
<cr>

SW1(config-if)#glbp 10 load-balancing host-dependent ?
<cr>

SW1(config-if)#glbp 10 load-balancing weighted ?
<cr>

SW1(config-if)#glbp 10 load-balancing round-robin ?
<cr>

I am not sure if the exam will test on configuring or knowledge of configuring different load balancing methods, however I believe the GLBP horse has been beaten to death in this post, so next up will be a huge series of Switch Security posts and then exam day!