FHRPs

Wanted to jot down some bullet-point style notes on the differences between the 3 FHRPs that you will see on exam day for SWITCH, plus a few things you may also see on ROUTE at the bottom: Authentication, and creating “Tracking objects” to increment and decrement the Priority values of each protocol.

Refer to the bottom of the page for the CLI output for Configuration, Verification, and Misc errors that might be seen on Exam day!

For full information on any of these protocols, I have full blog posts on all 3 FHRPs, though my switches weren’t recognizing GLBP commands, so I could not fully lab it.

Without further ado, the first FHRP to review – HSRP (Hot Standby Router Protocol)

  • Basics and default values:
      • Multicast HSRP traffic to 224.0.0.2 (ver1) or 224.0.0.102 (ver2) via UDP 1985
      • Cisco Proprietary
      • Hello every 3 seconds / Holdtime 10 seconds
      • Priority 100
      • Preemption disabled
      • Highest Priority then Highest IP Address of the HSRP Interface wins the Active/Standby role
      • HSRP unique MAC 0000.0c07.acXX where XX is the Group #
      • 16 Maximum HSRP Groups on a single switch
      • Authentication = Plain text or md5 (key-chain or key-string)
      • Key-Chain must be made separately like a Track Object; key-string is an md5 encrypted string of plain text you enter in the command (demonstrated at the bottom of the page)
      • Active / Standby: Active handles all traffic, Standby waits to take over; both send Hellos to 224.0.0.2 / 224.0.0.102, and other Group Members “Listen” to take over if needed as the Active or Standby Router
      • Active Router Hellos include the Virtual MAC, Standby Hellos include its physical MAC
      • Hosts must have Default Gateways configured to the Virtual IP statically or via DHCP
      • Multiple HSRP (MHSRP) is needed for load balancing, and hosts must have their default gateways pointed at the different Virtual IPs of the HSRP groups
  • HSRP States explained:
      • Disabled – HSRP not enabled / running; goes to this state when “no standby …” is issued on an HSRP-enabled interface to turn it off
      • Init – Starting HSRP, not yet Learning or Listening
      • Learn – When an HSRP router is enabled with simply a group # via “standby #”, it stays in this state until it hears a Hello from a matching group # member to “learn” its Virtual IP and Virtual MAC Address, then joins the group and transitions to another HSRP state based on the settings of the Router Group
      • Listen – Listening to Hellos from the Active and Standby Routers to transition to Active or Standby if needed
      • Speak – Only Active and Standby will be in ‘Speak’ mode, sending Hellos to 224.0.0.2 that all other Router Group members are listening on; if 3 Hellos are missed (10 sec Holdtime), election of a new Active / Standby Router is triggered
  • Misc commands to change settings in HSRP:
      • “standby # ip” on an interface enables HSRP
      • “standby # ip x.x.x.x” enables HSRP and defines the Virtual IP to be used
      • “standby # authentication (word/text/md5 [key-chain/key-string]) (key-chain name / key-string word)” – Key-Chain must match (case sensitive) an existing key-chain; key-string is just plain text entered in the command, no extra config needed
      • “standby # preempt” enables preemption (taking over the Active/Standby role)
      • “standby # priority # (0-255)” Higher Priority = Preferred for the Active/Standby role
      • “standby # track (track object #) (decrement # (0-255) / shutdown)” – if decrement is chosen, enter the # value to decrement the Priority by; if shutdown is chosen, it shuts down the group on this Router within the Router Group – 2 different track actions!
      • “show standby (brief)” – Shows all HSRP group #’s and details

One thing to note with Authentication is that the “key-chain” is a separately configured object as a sub-command from “standby # auth md5 …” config, whereas using “key-string” does not refer to a key-string inside of a key-chain, it is just entering plain text.

These demonstrations will be at the bottom of this post for configuration / behaviors!

The next FHRP to review – VRRP (Virtual Router Redundancy Protocol)

VRRP is the IEEE’s answer to Cisco’s Proprietary HSRP, the configuration is almost exactly the same syntax wise (replace “standby” with “vrrp” for the most part), and below is basically just the differences from HSRP bullet point style:

  • VRRP is an IEEE open standard, the only non-Cisco-Proprietary FHRP!
  • Multicast VRRP traffic goes to 224.0.0.18 via UDP 112
  • Preemption enabled by default (the only FHRP with preempt enabled by default)
  • 1 Master / All other Routers in the VRRP Group are “Backup” Routers
  • Uses Highest Priority #, then highest IP Address, to elect the Master of the group
  • Hellos every 1 second; the Holdtime is referred to as the “Master Down” timer, which dynamically changes to about 3.5x the hello and cannot be manually configured
  • Only the “Master” Router sends Hellos, all other Backup Routers listen
  • Virtual MAC is 0000.5e00.01XX where XX is the Group # (1-255)
  • Can have up to 255 VRRP groups per “physical interface”
  • Backup Routers will not dynamically learn timer changes on the Master; you must issue the command “vrrp # timers learn” on each member to dynamically change timers
  • Preempt can be configured with a “delay” timer before becoming the Master Router
  • Load-balances exactly the same as HSRP, with multiple Router Groups and Hosts pointing to the different Virtual IPs for their Gateways
  • VRRP Router States:
      • Disabled – Not running / “no vrrp # …” sets it to disabled
      • Init – Starting up / Listening to Hello traffic to determine its role
      • Backup – The immediate state it joins the group as; upgrades to Master if elected
      • Master – Highest Priority or IP Address value, will preempt any current Master
  • VRRP Configuration (differences from HSRP):
      • Substitute “vrrp” for “standby” and almost all commands are identical
      • “vrrp # timers (learn/second/msec)” to configure the Hello interval; set “learn” if not the master; can be configured in milliseconds; CANNOT change the Master Down timer as it automatically adjusts with the Hello timer
      • “vrrp # auth (word)” No md5 / Key-Chain / Key-String syntax!
      • “vrrp # preempt delay # (in seconds)” delays taking the Master role; the delay timer starts once the “Master Down” timer expires, to prevent role changes if the network is flapping and Hello is configured in the msec range
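To make the election rules and preemption defaults from the HSRP and VRRP lists concrete, here is an added example (a pure-Python model written for this post, not Cisco code): routers are ranked by effective priority then IP, a track object decrements the priority, and a better-ranked router only takes the Active/Master role when it has preempt enabled, which is off by default for HSRP and on for VRRP. The router names, IPs and decrement values are constructed for the scenario.

```python
"""Added example (not Cisco code): a pure-Python model of HSRP/VRRP election
following the rules above: highest priority, then highest IP, with a
track-object decrement and the preemption defaults of each protocol."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100                 # default priority for both protocols
    preempt: bool = False               # HSRP default; VRRP turns it on
    tracks: dict = field(default_factory=dict)   # track object -> decrement
    down_objects: set = field(default_factory=set)
    up: bool = True

    def effective_priority(self) -> int:
        lost = sum(d for obj, d in self.tracks.items() if obj in self.down_objects)
        return max(0, self.priority - lost)

    def rank(self):
        # Highest priority wins; ties go to the highest interface IP address.
        return (self.effective_priority(), int(IPv4Address(self.ip)))


class Group:
    """One HSRP or VRRP group: one Active/Master, everyone else Standby/Backup."""

    def __init__(self, routers, vrrp=False):
        self.routers = list(routers)
        if vrrp:                        # VRRP is the one FHRP with preempt on
            for r in self.routers:
                r.preempt = True
        self.active = None
        self.reelect()

    def reelect(self):
        up = [r for r in self.routers if r.up]
        if self.active is None or not self.active.up:
            # No incumbent (or its hold / master-down timer expired): elect.
            self.active = max(up, key=Router.rank, default=None)
            return
        # Incumbent still alive: a better-ranked router takes over only if it
        # has preempt enabled. Lowering the incumbent's priority with a track
        # object changes nothing when nobody else is allowed to preempt.
        challengers = [r for r in up
                       if r.preempt and r.rank() > self.active.rank()]
        if challengers:
            self.active = max(challengers, key=Router.rank)


def scenario(vrrp=False):
    """Return the Active/Master router name after each step of one scenario."""
    r1 = Router("R1", "10.0.0.1")
    r2 = Router("R2", "10.0.0.2", tracks={2: 30})   # object 2 decrements 30
    g = Group([r1, r2], vrrp=vrrp)
    names = [g.active.name]                         # tie on 100: R2, higher IP
    r1.priority = 110; g.reelect(); names.append(g.active.name)
    r2.down_objects.add(2); g.reelect(); names.append(g.active.name)  # R2 -> 70
    r1.preempt = True; g.reelect(); names.append(g.active.name)
    r1.up = False; g.reelect(); names.append(g.active.name)  # R1 dies, R2 takes over
    return names
```

With HSRP defaults `scenario()` keeps R2 Active even after its tracked object drops it to priority 70, until R1 gets preempt; with `scenario(vrrp=True)` R1 takes the Master role as soon as its priority is raised.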

There are quite a few glaring differences from HSRP, the timers especially, and the fact that only one Master exists while all other routers are Backup Routers listening to Hellos, so I encourage anyone not familiar with it to check out my full labs on it (or anywhere else).

Finally quite possibly our favorite FHRP – GLBP (Gateway Load-Balancing Protocol)

This FHRP is quite different from the previous two, as Load-Balancing is its middle name (hahahahaaaaa), where the GLBP Main Router (AVG) assigns gateways at Layer 2 by MAC Address so that all group members can handle equal loads of traffic!

  • GLBP Multicasts to 224.0.0.102 (The same as HSRP ver2) via UDP 3222
  • Cisco Proprietary!
  • Hello every 3 seconds, Holdtime is 10 seconds
  • All Group Members send Hellos so the AVG can detect which members are AVF’s and so it can detect and re-route Host traffic to another AVF if one fails
  • AVG (Active Virtual Gateway) is the Group Leader, which assigns incoming host traffic to GLBP group members based on Round-Robin by default
  • Highest Priority or IP Address becomes AVG for Group
  • Unique Virtual MAC = 0007.b4XX.XXXX where the first 4 X’s are the GLBP Group #, the last 2 X’s are the AVF #
  • Load-Balances by answering Host ARP requests with the Virtual MAC of an AVF in whichever style of load-balancing is set
  • Maximum # of 4 members total in a GLBP Group including AVG (4 total AVF’s)
  • Traffic flow assignment can be changed by “weighting” configured on AVG
  • Default weight is 100, if set to 400, AVF will get 4x the Hosts assigned to it
  • Traffic flow can also be configured as “Host Dependent” which acts like “mac-address sticky” where host MAC’s are learned and re-assigned to same AVF
  • AVF (Active Virtual Forwarder) is a group member actively handling traffic
  • The AVG itself and other group members are all AVF’s unless they go down
  • Upon AVF failure, AVG re-assigns the connections to another AVF, so it is essentially doing double duty for a set amount of time (default is 4 minutes)

My switches are on a code version that will show the GLBP commands but will not accept them for configuration, so just below I will do a dump of all the GLBP commands, and their sub-command explanation in IOS.

Very important info for exam day highlighted below, timers and weighting!!!

Speaking of which, here is a dump of GLBP configuration (that I cannot configure):

Here I will go through every item in the GLBP configuration, and explain at the bottom the important ones that have some odd values, and note right up front the group # is 0-1023 hence the 4 X’s in the Virtual MAC for GLBP Group #!
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#glbp ?
<0-1023> Group number

SW1(config-if)#glbp 1 ?
authentication Authentication method
client-cache Client cache
forwarder Forwarder configuration
ip Enable group and set virtual IP address
load-balancing Load balancing method
name Redundancy name
preempt Overthrow lower priority designated routers
priority Priority level
timers Adjust GLBP timers
weighting Gateway weighting and tracking

SW1(config-if)#glbp 1 auth ?
md5 MD5 authentication
text Plain text authentication

SW1(config-if)#glbp 1 auth md5 ?
key-chain MD5 key-chain authentication
key-string MD5 keyed authentication

SW1(config-if)#glbp 1 auth md5 key-chain ?
WORD MD5 authentication key-chain

SW1(config-if)#glbp 1 auth md5 key-chain CCNP ?
<cr>

SW1(config-if)#glbp 1 auth md5 key-string ?
0 Specifies an UNENCRYPTED key will follow
7 Specifies a HIDDEN key will follow
WORD MD5 authentication key (100 chars max)

SW1(config-if)#glbp 1 auth md5 key-string CISCO ?
<cr>

SW1(config-if)#glbp 1 auth text ?
WORD Text authentication string

SW1(config-if)#glbp 1 auth text PLAINTEXT ?
<cr>

SW1(config-if)#glbp 1 client-cache ?
maximum Set maximum number of clients

SW1(config-if)#glbp 1 client-cache max ?
<8-2000> Maximum number of cached clients

SW1(config-if)#glbp 1 client-cache max 8 ?
timeout Set cache timeout
<cr>

SW1(config-if)#glbp 1 client-cache max 8 timeout ?
<1-1440> Cache timeout in minutes

SW1(config-if)#glbp 1 client-cache max 8 timeout 1 ?
<cr>

SW1(config-if)#glbp 1 forwarder ?
preempt Overthrow lower priority active forwarders

SW1(config-if)#glbp 1 forwarder preempt ?
delay Wait before preempting
<cr>

SW1(config-if)#glbp 1 forwarder preempt delay ?
minimum Delay at least this long

SW1(config-if)#glbp 1 forwarder preempt delay min ?
<0-3600> Number of seconds for minimum delay

SW1(config-if)#glbp 1 forwarder preempt delay min 3600 ?
<cr>

SW1(config-if)#glbp 1 ip ?
A.B.C.D Virtual IP address
<cr>

SW1(config-if)#glbp 1 ip 10.0.0.10 ?
secondary Make this IP address a secondary address
<cr>

SW1(config-if)#glbp 1 ip 10.0.0.10 secondary ?
<cr>

SW1(config-if)#glbp 1 ip 10.0.0.10 secondary 10.0.0.20 ?
% Unrecognized command
SW1(config-if)#glbp 1 load-balancing ?
host-dependent Load balance equally, source MAC determines forwarder choice
round-robin Load balance equally using each forwarder in turn
weighted Load balance in proportion to forwarder weighting
<cr>

SW1(config-if)#glbp 1 load-balancing host-dependent ?
<cr>

SW1(config-if)#glbp 1 load-balancing round-robin?
round-robin

SW1(config-if)#glbp 1 load-balancing round-robin ?
<cr>

SW1(config-if)#glbp 1 load-balancing weighted ?
<cr>

SW1(config-if)#glbp 1 name ?
WORD Name string

SW1(config-if)#glbp 1 name DERP ?
<cr>

SW1(config-if)#glbp 1 preempt ?
delay Wait before preempting
<cr>

SW1(config-if)#glbp 1 preempt delay ?
minimum Delay at least this long

SW1(config-if)#glbp 1 preempt delay min ?
<0-3600> Number of seconds for minimum delay

SW1(config-if)#glbp 1 preempt delay min 360 ?
<cr>

SW1(config-if)#glbp 1 priority ?
<1-255> Priority value

SW1(config-if)#glbp 1 priority 255 ?
<cr>

SW1(config-if)#glbp 1 timers ?
<1-60> Hello interval in seconds
msec Specify hello interval in milliseconds
redirect Specify timeout values for failed forwarders

SW1(config-if)#glbp 1 timers msec ?
<50-60000> Hello interval in milliseconds

SW1(config-if)#glbp 1 timers msec 50 ?
<1-180> Hold time in seconds
msec Specify hold time in milliseconds

SW1(config-if)#glbp 1 timers msec 50 msec ?
<70-180000> Hold time in milliseconds

SW1(config-if)#glbp 1 timers msec 50 msec 70 ?
<cr>

SW1(config-if)#glbp 1 timers redirect?
redirect

SW1(config-if)#glbp 1 timers redirect ?
<0-3600> Interval in seconds to redirect to failed forwarders

SW1(config-if)#glbp 1 timers redirect 200 ?
<800-64800> Timeout interval in seconds for failed forwarders

SW1(config-if)#glbp 1 timers redirect 200 800 ?
<cr>

SW1(config-if)#glbp 1 weight ?
<1-254> Weighting maximum value
track Interface tracking

SW1(config-if)#glbp 1 weight 200 ?
lower Weighting lower threshold
upper Weighting upper threshold
<cr>

SW1(config-if)#glbp 1 weight 200 lower ?
<1-199> Weighting lower threshold value

SW1(config-if)#glbp 1 weight 200 lower 10 ?
upper Weighting upper threshold
<cr>

SW1(config-if)#glbp 1 weight 200 lower 10 upper ?
<10-200> Weighting upper threshold value

SW1(config-if)#glbp 1 weight 200 lower 10 upper 20 ?
<cr>

SW1(config-if)#glbp 1 weight track ?
<1-1000> Tracked object

SW1(config-if)#glbp 1 weight track 1 ?
decrement Weighting decrement
<cr>

SW1(config-if)#glbp 1 weight track 1 decrement ?
<1-255> Decrement value

SW1(config-if)#glbp 1 weight track 1 decrement 10 ?
<cr>

SW1(config-if)#glbp 1 weight track 1 decrement 10

The “redirect” timers in the output above deserve attention: the first value is how long the AVF has to be detected as down (Group Members do not hear Hellos) before the AVG re-assigns its Hosts to another AVF; the second value is how long that second AVF will pull “double duty” before it drops those connections and lets them re-establish / be re-balanced across the remaining 3 group members if the failed AVF is still down.

The weight output above reads like regular input, with the <cr> after “glbp 1 weight 200” showing that the weight itself can be adjusted without setting thresholds.

The weighting of GLBP AVFs is almost like Priority, however it actually affects whether the AVF will be active in the group or not, so this is NEED TO KNOW for exam day!

When setting the threshold for say 100 (default weight), setting the LOWER threshold is saying “If I fall BELOW (not equal to) this value I am leaving the GLBP Group as an AVF until my weight hits ABOVE the upper threshold value” which is shown in the configuration but not fully demonstrated.

On exam day you may see a weight value of 105, and a couple of tracking objects that can decrement it by 10, with a lower threshold of 95 and an upper threshold of 110.

This is a tricky question because a single track object can go down, bringing the weight down to 95, which does not fall below that lower threshold (it’s right at it but not below it), so the AVF will not leave the group. If both track objects go down, it will be below that lower threshold and will no longer be an AVF for the GLBP Group.

Now if both of those tracking objects were to come back up, you’re back at 105 and the upper threshold is at 110, so it actually would not rejoin the group as an AVF unless the weight is changed, the upper threshold is changed, an additional track object is changed, or the current track object decrement is increased (so when it comes back up it increases that value high enough to exceed the upper threshold #).
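The weighting hysteresis just described, as an added example (a pure-Python model written for this post, not Cisco code): the forwarder gives up its AVF role when the weight falls strictly below the lower threshold and only resumes it once the weight rises strictly above the upper threshold, so the page’s 105 / 95 / 110 scenario ends with the gateway stuck out of the group until the weight itself is raised. The track object ids and the final weight change to 115 are constructed for the walk-through.

```python
"""Added example (not Cisco code): a pure-Python model of GLBP AVF weighting
with lower/upper thresholds and track objects, using the semantics described
above: leave the AVF role when the weight falls below the lower threshold,
rejoin only once it rises above the upper threshold."""


class GlbpForwarder:
    """Weighting state of one gateway in a GLBP group."""

    def __init__(self, weight=100, lower=None, upper=None):
        # "glbp 1 weighting <weight> lower <lower> upper <upper>"; with no
        # thresholds configured, the AVF role never depends on the weight.
        self.max_weight = weight
        self.lower = lower
        self.upper = upper
        self.tracks = {}        # track object id -> decrement while it is down
        self.down = set()       # track object ids currently down
        self.is_avf = True

    def track(self, obj_id, decrement):
        # "glbp 1 weighting track <obj> decrement <value>"
        self.tracks[obj_id] = decrement

    @property
    def weight(self):
        lost = sum(d for obj, d in self.tracks.items() if obj in self.down)
        return max(0, self.max_weight - lost)

    def _update(self):
        if self.lower is None or self.upper is None:
            return
        if self.is_avf and self.weight < self.lower:
            self.is_avf = False     # strictly below lower: give up the AVF role
        elif not self.is_avf and self.weight > self.upper:
            self.is_avf = True      # strictly above upper: resume the AVF role

    def object_down(self, obj_id):
        self.down.add(obj_id)
        self._update()

    def object_up(self, obj_id):
        self.down.discard(obj_id)
        self._update()

    def set_max_weight(self, weight):
        self.max_weight = weight
        self._update()


def exam_scenario():
    """The scenario above: weight 105, two track objects decrementing 10 each,
    lower threshold 95, upper threshold 110. Returns (weight, is_avf) per step."""
    f = GlbpForwarder(weight=105, lower=95, upper=110)
    f.track(1, 10)
    f.track(2, 10)
    history = []
    f.object_down(1); history.append((f.weight, f.is_avf))  # 95: at lower, stays
    f.object_down(2); history.append((f.weight, f.is_avf))  # 85: below lower, leaves
    f.object_up(1);   history.append((f.weight, f.is_avf))  # 95: still out
    f.object_up(2);   history.append((f.weight, f.is_avf))  # 105: not above 110
    f.set_max_weight(115); history.append((f.weight, f.is_avf))  # 115: rejoins
    return history
```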

I hope that all made sense, because it is crucial to understand for exam day, please find additional resources to read / watch video demos on this if needed for clarity!

Most of the GLBP config is the same as the first two FHRP’s, along with its show commands being the exact same, “show glbp (brief)” for all GLBP instance info!

 

Configuring Track Objects by interface or IP Address:

Tracking by Interface Up/Down status:

SW1(config)#track ?
<1-1000> Tracked object
resolution Tracking resolution parameters
timer Polling interval timers

SW1(config)#track 1 ?
interface Select an interface to track
ip IP protocol
list Group objects in a list

SW1(config)#track 1 int ?
Async Async interface
Auto-Template Auto-Template interface
BVI Bridge-Group Virtual Interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Filter Filter interface
Filtergroup Filter Group interface
GigabitEthernet GigabitEthernet IEEE 802.3z
GroupVI Group Virtual interface
Lex Lex interface
Loopback Loopback interface
Port-channel Ethernet Channel of interfaces
Portgroup Portgroup interface
Pos-channel POS Channel of interfaces
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-TokenRing Virtual TokenRing
Vlan Catalyst Vlans
fcpa Fiber Channel

SW1(config)#track 1 int fa1/0/1 ?
ip IP parameters
line-protocol Track interface line-protocol

SW1(config)#track 1 int fa1/0/1 line ?
<cr>

SW1(config)#track 1 int fa1/0/1 line
SW1(config-track)#?
Tracking instance configuration commands:
default Set a command to its defaults
delay Tracking delay
exit Exit from tracking configuration mode
no Negate a command or set its defaults

SW1(config-track)#exit
SW1(config)#do sh track
Track 1
Interface FastEthernet1/0/1 line-protocol
Line protocol is Down (hw down)
1 change, last change 00:00:12

I wanted to demonstrate that almost any type of interface can be tracked, and once configured you can issue “show track” to see all tracking objects, as seen below when I created a second tracked item.

Tracking by IP Address Availability:

SW1(config)#track 2 ip ?
route IP route
sla IP Service Level Agreement

SW1(config)#track 2 ip route ?
A.B.C.D {/nn || A.B.C.D} Prefix and mask

SW1(config)#track 2 ip route 10.0.0.10 ?
A.B.C.D IP prefix mask

SW1(config)#track 2 ip route 10.0.0.10 255.255.255.255 ?
metric Route metric
reachability Route reachability state

SW1(config)#track 2 ip route 10.0.0.10 255.255.255.255 reachability ?
<cr>

SW1(config)#track 2 ip route 10.0.0.10 255.255.255.255 reachability
SW1(config-track)#?
Tracking instance configuration commands:
default Set a command to its defaults
delay Tracking delay
exit Exit from tracking configuration mode
ip Tracking IP configuration subcommands
no Negate a command or set its defaults

SW1(config-track)#exit

^^^ Note it kicks you into config-track prompt, just exit out of the prompt.

SW1(config)#do sh track
Track 1
Interface FastEthernet1/0/1 line-protocol
Line protocol is Down (hw down) <—– Nothing plugged into Port
1 change, last change 00:04:37
Track 2
IP route 10.0.0.10 255.255.255.255 reachability
Reachability is Down (no route) <—- No “Host Route” to 10.0.0.10 in IP Route Table!!!
1 change, last change 00:00:07
First-hop interface is unknown
SW1(config)#

I did not intend for either of these to show as “Up” in its state, however the IP Route Track object was a genuine derp, as I don’t have a Host Route so I should have entered 10.0.0.10 255.255.255.0 in the IP Tracking Object.

When used with FHRP’s only the # is referenced, but the criteria for decrement of Priority is configured within the Track Object, and verified with “show track” command.

Key-Chain Configuration for Authentication with HSRP and GLBP:

Remember VRRP does NOT use key-chains; key-chains, if used, are case sensitive; and using the “key-string” option in either HSRP or GLBP Authentication does not refer to a key-string within a key-chain (it is just an md5 encrypted word entered).

So remember, Key-Strings have absolutely nothing(!) to do with Key-Chains in terms of FHRP Authentication, as Key-Chains have you configure a key-string at the end of them:

Oddly enough, to get started, the command is not “key-chain” but “key chain”:

SW1(config)#
SW1(config)#
SW1(config)#key chain ?
WORD Key-chain name

SW1(config)#key chain CCNP ?
<cr>

SW1(config)#key chain CCNP
SW1(config-keychain)#?
Key-chain configuration commands:
default Set a command to its defaults
exit Exit from key-chain configuration mode
key Configure a key
no Negate a command or set its defaults

SW1(config-keychain)#key ?
<0-2147483647> Key identifier

SW1(config-keychain)#key 20 ?
<cr>

SW1(config-keychain)#key 20
SW1(config-keychain-key)#?
Key-chain key configuration commands:
accept-lifetime Set accept lifetime of key
default Set a command to its defaults
exit Exit from key-chain key configuration mode
key-string Set key string
no Negate a command or set its defaults
send-lifetime Set send lifetime of key

SW1(config-keychain-key)#key-string ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password

SW1(config-keychain-key)#key-string CISCO ?
LINE <cr>

SW1(config-keychain-key)#key-string CISCO
SW1(config-keychain-key)#end
SW1#
*Mar 1 01:29:10.254: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh key chain
Key-chain CCNP:
key 20 — text “CISCO ”   <—- NOTICE THAT NULL SPACE!!!!
accept lifetime (always valid) – (always valid) [valid now]
send lifetime (always valid) – (always valid) [valid now]
SW1#

In the “sh key chain” output you can see I left a null space from doing the “?” while making my key, and that is BEGGING for an exam / troubleshooting on a sim type question, so if your authentication is failing check those keys for null spaces.

And that is all I have for review of the FHRP’s for Exam Day!

Again, it’s not exhaustive, but I go into deeper dives in other posts, so I figured I’d give an overview with quick pointers for exam day on what you may see in question format!