TSHOOT – HSRP, VRRP, and GLBP First Hop Redundancy Protocol review and troubleshooting!


This article covers the three FHRPs for the CCNP R/S, reviews the very basics of each protocol, and jumps into the commands to troubleshoot them on TSHOOT day!

HSRP (Hot Standby Router Protocol) Review and Troubleshooting


  • HSRP is Cisco Proprietary
  • HSRP works on both Layer 3 switches and Cisco Routers
  • Hello 3 sec / Dead 10 seconds (3 Hellos) by default
  • Preemption DISABLED by Default
  • HSRP uses a Virtual IP Only, cannot be same as Physical or Logical interface IP
  • HSRP uses one Active Router, all other routers in Router Group are Standby Routers
  • Active Router handles all ARP Requests and Traffic forwarding, Standby does nothing but wait to become Active
  • “Coup” syslog message is sent by a Standby Router to the Active Router when it is taking over via Preemption as the Active Router role


Some initial questions to note that can be found with “sh standby brief” are:

  • Which router is the active router?
  • Which routers have preemption enabled?
  • What is the Virtual IP?
  • What is the Virtual MAC Address?
  • Do any Routers in the Router Group have interface or object tracking enabled?

Verifying correct virtual MAC address

The virtual MAC address is made up of the well-known HSRP MAC of 0000.0c07.acXX, where XX is the hex value of the VLAN #. It is only two characters long in the MAC because it only supports the non-extended range of VLANs (whereas GLBP supports extended VLANs and a longer hex value).

Side note – HSRPv2 allows for 3 Hex characters, allowing extended VLAN support

Make sure it is on the correct virtual MAC / VLAN: confirm the well-known MAC address hex value matches the VLAN it is serving, like 0000.0c07.ac0a for VLAN 10.

Verifying and troubleshooting tracking

Tracking parameters are shown in the “sh standby brief” output, which will show what is being tracked and the decrement value (the value the priority will be dropped by) if the tracking parameter is met. Use “show tracking” to review the tracking objects used for this.

HSRP Troubleshooting and Verification commands

  • “sh standby” – Gives full HSRP Router Group(s) information
  • “sh standby brief” – Shows info for all routers in Router Group
  • “sh tracking” – Shows tracking parameters if set for preemption
  • “sh run (int)” – Shows HSRP related configs in running config on interface
  • “sh ip int bri” – Used to determine if a “tracked” interface is down
  • “arp -a” – For PC, used to verify gateway MAC address
  • “ipconfig /all” – For PC, shows default gateway IP Address
  • “ping (gateway)” – For PC, confirms Active Router is correct and reachable
  • “tracert (remote IP)” – For PC, confirms first hop is correct IP for Active Router
  • “debug standby terse” – Shows HSRP state changes (Standby, Listen, Speak, etc)

It's important to know that you can tell which Router is the Active Router forwarding traffic both from the switch, by reviewing the “sh standby (…)” commands, and from the Host, with the “arp -a” and “tracert” commands, as either of those scenarios may come up in the exam room or the real world.

Another issue may be that traffic is taking the incorrect switch. This may be because the switch is in a different Router Group (different IP or different VLAN, and a different VLAN means a different Virtual MAC because of how it is created), or because preemption / tracking is configured in a way that lets the incorrect Router become the Active Router.

I would think the most likely issues on an exam would involve the Priority being off, whether it is statically set incorrectly or is being decremented by a tracking object or interface with Preemption enabled. For example, the fix may be as easy as issuing a “no shut” on a tracked interface to increment the Priority back up and allow the correct router to become the Active Router for the Topology.

One tricky setting here is Preemption, as a Router may have a higher Priority, but it will remain a Standby Router if Preemption isn’t enabled!

The “debug standby terse” command will also help to confirm whether another Router is in the same Router Group and sending Hellos every 3 seconds, because if it isn’t, there is an issue.

Another consideration is the host itself, as the Router Group may be configured completely correctly while the Host has the incorrect Default Gateway set, so do not make the mistake of focusing all your attention on the switches!

There is a lot to look for when troubleshooting HSRP, but on exam day, I would expect Cisco to focus on the detail of all things Priority like Preemption, Tracking, etc.

For a complete overview of configuration / troubleshooting, you can use the “search” function to search HSRP for all posts, however this one post covers a lot of ground:

HSRP overview of configuration and some misc gotchas!

VRRP (Virtual Router Redundancy Protocol) review and troubleshooting

This is basically the open industry / IETF standard version of HSRP, and it is so similar that the commands are the same as HSRP. The main differences, which are very few, are listed here:

  • VRRP is non-Cisco Proprietary (only non-Cisco Proprietary FHRP)
  • VRRP Preemption enabled by default (only FHRP with Preempt enabled by default)
  • Router Groups have a single “Virtual Router Master” and all other Routers in the group are “Virtual Router Backups” waiting to become the “Master”
  • VRRP can use a physical interface IP address as the Virtual Router Gateway IP Address, where HSRP has to use an unassigned LAN IP for the Virtual Router Gateway IP

The Virtual VRRP IP Address can (and probably will be) the same IP as a used IP like a physical or SVI interface, otherwise all other default values and operations are the same.

It is so similar that “hsrp” can be swapped out for “vrrp” in verification commands “sh vrrp (brief)” and “sh vrrp (int)” to verify correct IP Addresses / groups / etc.

The well known MAC for VRRP is 0000.5e00.01XX where XX is the Hex value for the VLAN #, so if associated to VLAN 20, it would be 0000.5e00.0114

A quick review of things you will want to verify when troubleshooting VRRP:

  • Which router is the Virtual Router Master?
  • How was the Virtual Router Master chosen? (Highest Priority, MAC, etc)
  • Which routers have Preemption Enabled / Disabled?
  • What is the IP Address of the Virtual Router Master?
  • What is the Virtual MAC Address in use for the Router Group?
  • Is object tracking enabled, and what is it set for? (“sh tracking”)

To get a snapshot of Router Group information “sh vrrp brief” can be used to ID Master / Backup routers and their VLAN / IP Address, and “sh vrrp” will show you the whole ball of wax, including Preemption info / Tracking info / Priority / Decrement # / MAC / etc.

For more information on VRRP, use the search function to find posts, otherwise use this link to find a good overview of configuration and verification output:

VRRP Overview, configuration, and verification!

However, a lot of the troubleshooting will be similar to HSRP. It just needs to be recognized that Preemption is enabled by default, and that the IP can either be a shared IP with an interface OR an unused LAN IP address.

GLBP (Gateway Load-Balancing Protocol) review and troubleshooting

With GLBP there is one AVG (Active Virtual Gateway) and up to four AVF (Active Virtual Forwarder) Routers, and the AVG is one of the four AVFs. However, only the AVG handles ARP requests, and it assigns the Virtual MAC Addresses of the AVFs to Hosts when responding to ARP, depending on the Load-Balancing used (Round-Robin is used by default).

The load-balancing used can be changed with “glbp (group #) load-balancing (type)” command, using either host-dependent or weighted to determine the load-balancing. Those are very different ways from Round Robin of assigning hosts / gateways, and the post for GLBP would need to be fully read and understood to know what to look for in the configuration.

Some quick review of high level GLBP concepts:

  • GLBP is non-Cisco Proprietary
  • Hello 3sec / Dead timers 10sec (3 Hellos missed)
  • GLBP Preemption is disabled by default
  • The AVG (Active Virtual Gateway) is one of the 4 maximum Routers in a GLBP Router Group that handles assigning Virtual MAC Addresses, directing data flows to routers, and also functions as an AVF (Active Virtual Forwarder)
  • Election of AVG is highest priority (consider preemption) then highest IP Address configured on the GLBP enabled Router eligible to forward

GLBP MAC address is 0007.b400.XXxx where XX is the GLBP Group # and xx is the VRF # (01, 02, etc in the # that they joined the GLBP group via high priority / IP).
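The three well-known prefixes above (HSRP, VRRP and GLBP) make it possible to check from the host side which FHRP is answering ARP for the default gateway. The following is an added example, not part of the original post: the `arp -a` output is constructed sample data, and the function names are hypothetical.

```python
import re

# Well-known virtual MAC prefixes quoted in the article (separators removed).
PREFIXES = {
    "00000c07ac": "HSRP",  # 0000.0c07.acXX
    "00005e0001": "VRRP",  # 0000.5e00.01XX
    "0007b400": "GLBP",    # 0007.b400.XXxx
}

# Matches a Windows "arp -a" entry: IP address, then a dash/colon separated MAC.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\s")

# Constructed sample output, not captured from a real host.
SAMPLE_ARP = """\
Interface: 192.168.10.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-00-0c-07-ac-0a     dynamic
  192.168.10.2          00-1b-54-aa-bb-01     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
"""

def classify_mac(mac):
    """Return (protocol, XX value, xx value or None), or None if not an FHRP MAC.

    Accepts Cisco dotted (0000.0c07.ac0a), dashed or colon notation.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    for prefix, proto in PREFIXES.items():
        if digits.startswith(prefix):
            tail = digits[len(prefix):]
            if proto == "GLBP":  # two trailing bytes: XX then xx
                return proto, int(tail[:2], 16), int(tail[2:], 16)
            return proto, int(tail, 16), None  # one trailing byte: XX
    return None

def check_gateway(arp_output, gateway_ip):
    """Classify the MAC that the host has cached for its default gateway."""
    for line in arp_output.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(1) == gateway_ip:
            return classify_mac(m.group(2))
    raise LookupError(f"{gateway_ip} is not in the ARP table")

if __name__ == "__main__":
    print(check_gateway(SAMPLE_ARP, "192.168.10.1"))  # virtual HSRP MAC
    print(check_gateway(SAMPLE_ARP, "192.168.10.2"))  # physical MAC, not FHRP
```

A `None` result for the configured gateway means the host resolved a MAC outside these prefixes, which is worth following up on the host's gateway setting before looking at the switches.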

Weighting is also a tricky aspect that needs separate attention

GLBP Tracking affects the “Weighting” of a GLBP Router if tracking conditions are met, which is configured with the “glbp x weight # lower # upper” to define the thresholds that a tracking # can decrement / increment the weight to, so that it may either be removed or re-added to the Router Group.

This is one thing to watch for on exam day, as a tracking decrement can bring a value down to the exact threshold # (or up to it), but unless the tracking is configured to drop below the configured threshold or go back above the upper threshold it will not have any effect on the operation of the router!

Tracking does NOT affect Priority with GLBP, it ONLY affects Weight, which will remove the Router as an AVF if the lower threshold is broken and will only rejoin once the Upper threshold # is exceeded by way of manual configuration or tracking changes!

“sh glbp #” to view the full output including current weight / thresholds / tracking / etc!
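The threshold behaviour described above can be traced with a small model. This is an added example, not code from the original post: it models the rule exactly as the text states it (strictly below the lower threshold to leave, strictly above the upper threshold to rejoin), and the class, object names and weight values are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class GlbpWeight:
    """Model of "glbp x weight # lower # upper" plus tracked-object decrements."""
    maximum: int       # configured weight
    lower: int         # lower threshold
    upper: int         # upper threshold
    decrements: dict   # tracked object name -> decrement value
    forwarding: bool = True                  # is the router currently an AVF?
    down: set = field(default_factory=set)   # tracked objects currently down

    def weight(self):
        lost = sum(self.decrements[name] for name in self.down)
        return max(0, self.maximum - lost)

    def set_object(self, name, up):
        """Apply a tracked-object state change; return (weight, forwarding)."""
        if name not in self.decrements:
            raise KeyError(f"untracked object: {name}")
        if up:
            self.down.discard(name)
        else:
            self.down.add(name)
        w = self.weight()
        if self.forwarding and w < self.lower:
            self.forwarding = False   # dropped BELOW lower: removed as AVF
        elif not self.forwarding and w > self.upper:
            self.forwarding = True    # rose ABOVE upper: rejoins as AVF
        return w, self.forwarding

def replay(router, events):
    """Feed (object, is_up) events through the model and collect each result."""
    return [router.set_object(name, up) for name, up in events]

if __name__ == "__main__":
    # Constructed scenario: weight 100, lower 80, upper 90.
    r = GlbpWeight(100, 80, 90, {"uplink1": 20, "uplink2": 10, "uplink3": 5})
    events = [("uplink1", False),  # 80: exactly on lower, still an AVF
              ("uplink3", False),  # 75: below lower, removed
              ("uplink1", True),   # 95 would rejoin, see next lines for edge case
              ("uplink2", False),  # 85: between thresholds, state unchanged
              ("uplink3", True)]   # 90: exactly on upper
    for step in replay(r, events):
        print(step)
```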

A quick review of things to verify with GLBP to begin troubleshooting:

  • Which router is the AVG? (“sh glbp brief”)
  • Which routers are the AVFs? (also “sh glbp brief”)
  • How was the AVG chosen? (“sh glbp”)
  • Which routers are configured with Preemption? (“sh glbp”)
  • What is the IP address of the Virtual Router? (“sh glbp”)
  • What are the AVFs MAC addresses? (“sh glbp (brief)”)
  • Is object tracking on? What are its parameters?

With GLBP it is a bit trickier to troubleshoot than the first two protocols, because of the weight system used, and tracking is used to decrement from the weight instead of priority which will remove the Router as an AVF for the Router Group if it meets certain thresholds.

Troubleshooting GLBP configurations is beyond what I will cover here outside of those commands for exam day and initial info to gather, but I would suggest looking at this post to review GLBP in detail for TSHOOT exam day preparation:

GLBP covered in detail!

That is all I have for the FHRP’s for the TSHOOT exam!

I am officially on vacation for the holiday weekend, back to the grind early next week, with more TSHOOT notes as I march towards the final exam! 🙂
