Cisco has expanded upon FHRP (including VRRP) for this version of the exam. The previous version only mentioned HSRP. You will be expected to understand how it works, the differences between each option, and how you can recognize which one is in operation using various show commands. We cover this in great detail in our CCNP ENCOR course.
First Hop Redundancy
You have learned that hosts will typically use DHCP to establish the IP address of the default gateway they should use. Having a single default gateway leaves your network vulnerable in the event that the gateway (router) is no longer available. This can happen if the device or physical interface fails, as shown in Figure 18.1 below:
FIG 18.1 – Single gateway = single point of failure
First Hop Redundancy Protocols (FHRPs) overcome this issue by allowing multiple routers to share a virtual IP and MAC address so that in the event that one device fails, another assumes the role as default gateway instantly. This process is transparent to network hosts. You can see FHRP in action in Figure 18.2 below. The host is sending all traffic to a virtual IP address shared by both gateway routers. Should one go down, the traffic will divert to the standby gateway.
FIG 18.2 – FHRP in operation
Using FHRP isn’t the only option open to you, of course. There are many ways to achieve first hop (workstation-to-router) redundancy. Some of these include:
- Proxy ARP on routers
- Explicit configuration
You learned earlier that Proxy ARP involves a router responding on behalf of a remote client. This happens when a workstation tries to reach a device that is not directly connected on its subnet. The workstation sends an ARP request for the host, and the default router receives this request and realizes that it can service that request (i.e., knows it can reach the client), and responds on behalf of the client using Proxy ARP. The router actually pretends to be the host, so the workstation can encapsulate the frame with the next-hop address and send traffic destined to that specific client to the router. Multiple routers can provide this service on the same subnet, providing a form of redundancy. The drawback of this approach is the number of broadcasts that would be sent on the subnet.
Explicit configuration is the most common way of accomplishing workstation-to-router redundancy because some operating systems allow multiple default gateways to be configured. The problem with this is the increase in latency while the device is trying to figure out which of the configured gateways is the active one. Another drawback of explicitly configuring multiple default gateways is that not all operating systems support this feature.
The preferred solution is a technology that does not place any burden on the hosts and that is completely transparent to them. The hosts just need to configure a single default gateway because the entire redundancy configuration is made on the routers. The protocols that can be used to accomplish this are generically called First Hop Redundancy Protocols. You can think of them as standby default gateways, and they include:
- HSRP (Hot Standby Router Protocol)
- GLBP (Gateway Load Balancing Protocol)
- VRRP (Virtual Router Redundancy Protocol)
HSRP is a Cisco proprietary protocol that inspired IEEE to create the open standard protocol VRRP. The functionality of both protocols is almost identical. GLBP, the most recent protocol of the three, is another Cisco proprietary protocol, and it provides more features than both HSRP and VRRP.
HSRP
Hot Standby Router Protocol allows a group of routers (or layer 3 switches) to share one consistent virtual IP and MAC address, even in the event of a gateway device failure. Analyzing Figure 18.3 below, the network has two gateway routers that connect into one layer 2 switch that connects to the network hosts:
FIG 18.3 – Hot Standby Router Protocol
Router 1 has one physical interface address (10.10.10.1), and Router 2 has another physical interface address (10.10.10.2) in the same network. The two routers are configured in an HSRP group, and they present to the clients a virtual default gateway address of 10.10.10.3. This address is configured as the host’s default gateway address, although it is not assigned to any router’s physical interface because it’s just a virtual address.
One of the two routers is the Active device (Router 1 in this example), and it is the one that is actually forwarding traffic for the 10.10.10.3 virtual address. Router 2 is the standby HSRP device. The two routers exchange HSRP Hello messages in order to check on each other’s health status. For instance, if Router 2 no longer hears from Router 1, it realizes that Router 1 is down, and it will take over as the active HSRP device. The default Hello interval is three seconds, and there is a 10-second Dead interval timer.
As mentioned, this process is transparent to the host device, which only sees this:
FIG 18.4 – FHRPs are transparent to network hosts
Note the virtual MAC address, which we will address shortly.
Although we will cover configuration shortly, now would be a good time to see the Hello intervals displayed with the show standby command. In the example below, I’ve used layer 3 switches (3560 models), which can perform in much the same way as routers do. The output doesn’t relate to any of the figures above.
Sw2#show standby
Vlan172 - Group 100 (version 2)
State is Standby
3 state changes, last state change 00:20:15
Virtual IP address is 172.16.31.254
Active virtual MAC address is unknown
Local virtual MAC address is 0000.0C9F.F064 (v2 default)
Hello time 3 sec, hold time 10 sec
Next Hello sent in 2.113 secs
Preemption disabled
Active router is 172.16.31.1
Standby router is local
Priority 100 (default 100)
Group name is hsrp-Vl1-100 (default)
These devices are transparently providing access for the clients by serving up the virtual default gateway address. When the clients want to send packets to the default gateway, they will send out an ARP request, asking for the MAC address of the configured gateway (10.10.10.3). The ARP request will be broadcast in the network, and the routers that receive it will reply with the MAC address of the primary gateway, as per the HSRP configuration. When the primary gateway router fails, the router(s) will reply with the MAC address of the newly elected HSRP primary device.
HSRP has two versions available. It is doubtful that the CCNA exam will go into detail on this, but version 2 does offer several enhancements over version 1, including millisecond timers instead of whole second timers and improved management and troubleshooting.
HSRPv2 uses a new MAC address range of 0000.0C9F.F000 to 0000.0C9F.FFFF for the virtual gateway address. You can see an example of this in the output above. A partial output from a router running HSRPv1 is shown below. Note the virtual MAC address. This is an important exam topic.
Switch#show standby
FastEthernet0/0 - Group 1
State is Active
8 state changes, last state change 00:13:07
Virtual IP address is 192.168.1.254
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
In HSRPv1, the layer 2 address that is used by the virtual IP address will be a virtual MAC address composed of 0000.0C07.ACxx, where xx is the HSRP group number in hexadecimal value and is based on the respective interface. I mention this because it is a typical type of exam question about HSRP. You can see from the ac01 in the output above that the HSRP group number is 1.
You can influence the HSRP primary gateway election by configuring a higher HSRP priority on the router or switch you want to act as the primary gateway. The default priority value is 100 and can go up to 255. If both routers use the same priority, the election will be won by the router with the higher IP address.
In the output below, Sw1 has been configured with a priority of 105 to force it to become the active gateway. Sw2 has been left at the default of 100. You can see in the show commands below that the IP address for Sw1 is 172.16.31.2, and for Sw2, it’s 172.16.31.1.
Sw1#show standby
Vlan172 - Group 100 (version 2)
State is Active
5 state changes, last state change 00:19:06
Virtual IP address is 172.16.31.254
Active virtual MAC address is 0000.0C9F.0000
Local virtual MAC address is 0000.0C9F.F064 (v2 default)
Hello time 3 sec, hold time 10 sec
Next Hello sent in 2.467 secs
Preemption disabled
Active router is local
Standby router is 172.16.31.2
Priority 105 (configured 105)
Group name is hsrp-Vl1-100 (default)
Sw2#show standby
Vlan172 - Group 100 (version 2)
State is Standby
3 state changes, last state change 00:20:15
Virtual IP address is 172.16.31.254
Active virtual MAC address is unknown
Local virtual MAC address is 0000.0C9F.F064 (v2 default)
Hello time 3 sec, hold time 10 sec
Next Hello sent in 1.75 secs
Preemption disabled
Active router is 172.16.31.1
Priority 100
Group name is hsrp-Vl1-100 (default)
Let’s assume that the primary gateway is configured with HSRP priority 150, and the backup gateway is left with the default HSRP priority 100. If the primary gateway fails, the backup one assumes the role of active gateway. After a while, if the previous active gateway (configured with priority 150) comes up again, it would not assume the role as primary gateway unless it was configured with a feature called HSRP preemption. This feature allows a gateway with higher priority to assume active gateway functionality when a primary gateway is already present in an HSRP group.
In the output below, the HSRP group is 100:
Sw1(config)#int vlan 172
Sw1(config-if)#standby 100 preempt
If you issued the show standby command, you would see that preemption is now enabled:
Next Hello sent in 0.783 secs
Preemption enabled
HSRP message exchange can be authenticated in one of two ways:
- Plain text authentication – not recommended, as the keys are exchanged in plain text
- MD5 authentication – recommended, because of the high level of encryption
HSRP Interface Tracking
HSRP allows administrators to track the status of interfaces on the current active gateway so that when that interface fails, the gateway decrements its priority by a specified value, the default being 10, allowing another gateway to assume the role of active gateway for the HSRP group. This concept is illustrated below in Figure 18.5:
FIG 18.5 – HSRP interface tracking
Referencing Figure 18.5 above, HSRP has been enabled on Switch 1 and Switch 2 for VLAN 150. Based on the current priority configuration, Switch 1, with a priority value of 105, has been elected as the primary switch for this VLAN. Both Switch 1 and Switch 2 are connected to two routers via their Gigabit Ethernet 5/1 interfaces. It is assumed that these two routers peer with other external networks, such as the Internet.
Without HSRP interface tracking, if the Gigabit Ethernet 5/1 interface between Switch 1 and R1 failed, Switch 1 would retain its primary gateway status. It would then have to forward any received packets destined for the Internet, for example, over to Switch 2 using the connection between itself and Switch 2. The packets would be forwarded out via R2 toward their intended destination. This results in a suboptimal traffic path within the network.
HSRP interface tracking allows the administrators to configure HSRP to track the status of an interface and decrement the active gateway priority by either a default value of 10 or a value specified by the administrators. Referencing Figure 18.5, if HSRP interface tracking was configured using the default values on Switch 1, allowing it to track the status of interface Gigabit Ethernet 5/1, and that interface failed, Switch 1 would decrement its priority for the HSRP group by 10, resulting in a priority of 95.
Assuming that Switch 2 was configured to preempt, which is mandatory in this situation, it would realize that it had the higher priority (100 versus 95) and perform a coup, assuming the role of active gateway for this HSRP group.
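The priority, tracking and preemption rules described above can be checked with a small model. This is an added example, not code from the original page or from Cisco: it is a simplified model of the election, the priorities and decrements are the page's, and the 192.0.2.x addresses for Figure 18.5 are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Gateway:
    name: str
    ip: str
    priority: int = 100            # HSRP default priority
    preempt: bool = False          # HSRP default: preemption disabled
    tracked: dict = field(default_factory=dict)   # interface -> decrement
    down: set = field(default_factory=set)        # tracked interfaces that are down
    alive: bool = True

    def effective_priority(self):
        """Configured priority minus the decrement of every failed tracked interface."""
        lost = sum(dec for intf, dec in self.tracked.items() if intf in self.down)
        return max(self.priority - lost, 0)


def rank(gw):
    """Higher priority wins; equal priorities are decided by the higher IP address."""
    return (gw.effective_priority(), int(IPv4Address(gw.ip)))


def next_active(group, current=None):
    """Return the gateway that holds the active role once the group settles."""
    alive = [g for g in group if g.alive]
    if not alive:
        return None
    if current is None or not current.alive:
        return max(alive, key=rank)          # fresh election or failover
    # The incumbent keeps the role unless a better-ranked router may preempt.
    challengers = [g for g in alive if g.preempt and rank(g) > rank(current)]
    return max(challengers, key=rank) if challengers else current


def uplink_failure(primary, backup, interface):
    """Active gateway before and after `interface` fails on `primary`."""
    group = [primary, backup]
    before = next_active(group)
    primary.down.add(interface)
    after = next_active(group, current=before)
    return before.name, after.name, primary.effective_priority()


def figure_18_5(switch2_preempt):
    # Priorities and decrement are the page's; the IP addresses are constructed.
    sw1 = Gateway("Switch1", "192.0.2.1", priority=105, preempt=True,
                  tracked={"GigabitEthernet5/1": 10})
    sw2 = Gateway("Switch2", "192.0.2.2", preempt=switch2_preempt)
    return uplink_failure(sw1, sw2, "GigabitEthernet5/1")


def mini_lab():
    # Mini-lab values: R1 priority 120, tracking FastEthernet0/1 with decrement 30.
    r1 = Gateway("R1", "10.10.10.1", priority=120, preempt=True,
                 tracked={"FastEthernet0/1": 30})
    r2 = Gateway("R2", "10.10.10.2", preempt=True)
    return uplink_failure(r1, r2, "FastEthernet0/1")


if __name__ == "__main__":
    print(figure_18_5(switch2_preempt=True))    # Switch 2 takes over at 100 versus 95
    print(figure_18_5(switch2_preempt=False))   # Switch 1 stays active despite priority 95
    print(mini_lab())
```

Running the Figure 18.5 case with preemption disabled on Switch 2 shows why the text calls preemption mandatory: the decrement alone does not move the active role.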
Configuring HSRP Interface Tracking
In the following output, Switch 1 (a layer 3 switch) is configured to track the state of interface Gigabit Ethernet 5/1, which is connected to an imaginary WAN router. In the event that the state of that interface transitions to down, the gateway will decrement its priority value by 10 (which is the default). The configurations don’t relate to any of the figures so far:
Switch1(config)#interface vlan 172
Switch1(config-if)#standby 1 track GigabitEthernet5/1
This configuration may be validated using the show standby [interface] command. This is illustrated in the following output:
Switch#show standby vlan 172
Vlan172 - Group 1
State is Active
5 state changes, last state change 00:33:22
Virtual IP address is 172.16.31.254
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next Hello sent in 1.085 secs
Preemption enabled
Active router is local
Standby router is 172.16.31.2, priority 100 (expires in 7.616 sec)
Priority 105 (configured 105)
IP redundancy name is "hsrp-Vl172-1" (default)
Priority tracking 1 interfaces or objects, 1 up:
Interface or object Decrement State
GigabitEthernet5/1 10 Up
To configure the gateway to decrement its priority value by 50, for example, the standby [name] track [interface] [decrement value] command can be issued, as shown in the following output:
Switch1(config)#interface vlan 172
Switch1(config-if)#standby 1 track GigabitEthernet5/1 50
This configuration may be validated using the show standby [interface] command. This is illustrated in the following output:
Switch1#show standby vlan 172
Vlan172 - Group 1
State is Active
5 state changes, last state change 00:33:22
Virtual IP address is 172.16.31.254
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next Hello sent in 1.085 secs
Preemption enabled
Active router is local
Standby router is 172.16.31.2, priority 100 (expires in 7.616 sec)
Priority 105 (configured 105)
IP redundancy name is "hsrp-Vl172-1" (default)
Priority tracking 1 interfaces or objects, 1 up:
Interface or object Decrement State
GigabitEthernet5/1 50 Up
You can debug the process with the debug standby command, which I recommend that you try during your labs.
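One way to check these settings across both peers from captured show standby output, as an added example that is not part of the original page or Cisco tooling: it flags groups that show no MD5 authentication line and peers that could not take over after a tracked-interface failure because preemption is disabled. The sample output is constructed, modelled on the show standby outputs on this page.

```python
import re

PROMPT = re.compile(r"^(?P<host>\S+)#\s*show standby\b")
# Accept "-" or the en dash (\u2013) that web pages often substitute for it.
HEADER = re.compile(r"^(?P<intf>\S+)\s+[-\u2013]\s+Group\s+(?P<group>\d+)")
TRACKED = re.compile(r"^(?P<obj>\S+)\s+(?P<dec>\d+)\s+(?P<state>Up|Down)$")

# Constructed sample, modelled on the show standby outputs on this page.
SAMPLE = """\
Sw1#show standby
Vlan172 - Group 1
  State is Active
  Virtual IP address is 172.16.31.254
  Preemption enabled
  Priority 105 (configured 105)
  Priority tracking 1 interfaces or objects, 1 up:
  Interface or object Decrement State
  GigabitEthernet5/1 10 Up
Sw2#show standby
Vlan172 - Group 1
  State is Standby
  Virtual IP address is 172.16.31.254
  Authentication MD5, key-string CCNA
  Preemption disabled
  Priority 100 (default 100)
"""


def parse_show_standby(text):
    """Return one dict per HSRP group block, tagged with the host from the prompt."""
    groups, host, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROMPT.match(line):
            host, cur = m["host"], None
        elif m := HEADER.match(line):
            cur = {"host": host, "interface": m["intf"], "group": int(m["group"]),
                   "state": None, "vip": None, "auth": None, "preempt": False,
                   "priority": None, "tracked": []}
            groups.append(cur)
        elif cur is None:
            continue
        elif line.startswith("State is "):
            cur["state"] = line[len("State is "):]
        elif line.startswith("Virtual IP address is "):
            cur["vip"] = line.rsplit(" ", 1)[1]
        elif line.startswith("Authentication "):
            cur["auth"] = line.split()[1].rstrip(",")
        elif line.startswith("Preemption "):
            cur["preempt"] = line.startswith("Preemption enabled")
        elif m := re.match(r"Priority (\d+)", line):
            cur["priority"] = int(m[1])
        elif m := TRACKED.match(line):
            cur["tracked"].append((m["obj"], int(m["dec"]), m["state"]))
    return groups


def audit(groups):
    """Return (host, group, finding) tuples for the two checks named in the lead-in."""
    findings, peers = [], {}
    for g in groups:
        peers.setdefault((g["group"], g["vip"]), []).append(g)
        if g["auth"] != "MD5":
            findings.append((g["host"], g["group"], "no MD5 authentication shown"))
    for members in peers.values():
        for g in members:
            # A tracked-interface decrement on a peer only helps if this router may preempt.
            peer_tracks = any(p["tracked"] for p in members if p is not g)
            if peer_tracks and not g["preempt"]:
                findings.append((g["host"], g["group"],
                                 "peer tracks an interface but preemption is disabled here"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_standby(SAMPLE)):
        print(finding)
```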
Mini-lab – HSRP Configuration
Referring to the same network presented at the beginning of the HSRP section, Router 1 and Router 2 will act as edge routers toward the external network (you can consider this to be the Internet), and an internal host will be configured to use the HSRP address as the gateway to all external networks. This is a very basic configuration. You will go into more detail on this subject if you progress to the CCNP after passing the CCNA exam. You can swap the PC for a router if you want and use the Fast Ethernet interface.
FIG 18.6 – Mini-lab: HSRP configuration
Start by defining the IP addresses on both routers:
R1(config)#int fa0/0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#no shut
R2(config)#int fa0/0
R2(config-if)#ip address 10.10.10.2 255.255.255.0
R2(config-if)#no shut
R1#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
.!!!!
At this point, you have connectivity between the routers. Proceed with configuring the HSRP virtual IP. This is done using the standby [group_id] ip [virtual_ip_address] command on the interfaces of both routers. Make Router 1 primary, configuring a priority of 120. Router 2 will have the default priority of 100.
R1(config)#int fa0/0
R1(config-if)#standby 1 ip 10.10.10.3
R1(config-if)#standby 1 priority 120
R2(config)#int fa0/0
R2(config-if)#standby 1 ip 10.10.10.3
*Mar 1 00:23:01.071: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
R2(config-if)#
*Mar 1 00:12:23.859: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
Next, authenticate the HSRP peering session using an MD5 password in order to secure the HSRP connection. This isn’t likely to be a CCNA topic but it’s worth knowing.
R1(config)#int fa0/0
R1(config-if)#standby 1 authentication md5 key-string CCNA
R2(config)#int fa0/0
R2(config-if)#standby 1 authentication md5 key-string CCNA
You can also define some additional parameters, such as assigning an HSRP group name and adjusting the timers. By default, HSRP Hello packets are transmitted every three seconds, with a Dead timer of 10 seconds. In addition, enable both routers for preemption.
R1(config)#int fa0/0
R1(config-if)#standby 1 name CCNA
R1(config-if)#standby 1 timers 1 3
R1(config-if)#standby 1 preempt
R2(config)#int fa0/0
R2(config-if)#standby 1 name CCNA
R2(config-if)#standby 1 timers 1 3
R2(config-if)#standby 1 preempt
Next, check the status of the HSRP group on each router:
R1#show standby
FastEthernet0/0 - Group 1
State is Active
2 state changes, last state change 00:06:08
Virtual IP address is 10.10.10.3
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 1 sec, hold time 3 sec
Next Hello sent in 0.524 secs
Authentication MD5, key-string CCNA
Preemption enabled
Active router is local
Standby router is 10.10.10.2, priority 100 (expires in 2.340 sec)
Priority 120 (configured 120)
Group name is CCNA (cfgd)
R2#show standby
FastEthernet0/0 - Group 1
State is Standby
6 state changes, last state change 00:03:59
Virtual IP address is 10.10.10.3
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 1 sec, hold time 3 sec
Next Hello sent in 0.624 secs
Authentication MD5, key-string CCNA
Preemption enabled
Active router is 10.10.10.1, priority 120 (expires in 2.908 sec)
Standby router is local
Priority 100 (default 100)
Group name is CCNA (cfgd)
At this point, the internal host can use the HSRP virtual address of 10.10.10.3 as the default gateway in order to access external networks.
As a last configuration step, enable interface tracking so that Router 2 will assume primary gateway functionality when Router 1’s uplink fails.
R1(config)#int fa0/0
R1(config-if)#standby 1 track FastEthernet0/1 ?
<1-255> Decrement value
<cr>
R1(config-if)#standby 1 track FastEthernet0/1 30
This command decrements Router 1’s HSRP priority by 30 if the uplink interface (Fast Ethernet 0/1) fails. This makes the priority value equal to 90, which is lower than Router 2’s priority of 100, so Router 2 will be used as the primary gateway toward the external destination.
[END OF MINI-LAB]
VRRP
Virtual Router Redundancy Protocol works in a way similar to HSRP, with a few small differences. The main difference is that VRRP is an IETF protocol, which means that it can be implemented on multiple vendor equipment. One of the other differences is that the two routers are configured in a VRRP group; one router is called the master device (instead of the active router), which does all the forwarding, while the other is called the backup device (instead of the standby router). The main differences are highlighted in Table 18-1 below:
Table 18-1: Differences between HSRP and VRRP
| Hot Standby Router Protocol (HSRP) | Virtual Router Redundancy Protocol (VRRP) |
| --- | --- |
| Cisco proprietary | Industry standard |
| Uses multicast address 224.0.0.2 or 224.0.0.102 | Uses multicast address 224.0.0.18 |
| Uses virtual MAC address 0000.0c07.acxx | Uses virtual MAC address 0000.5e00.01xx |
| Described in RFC 2281 | Described in RFC 5798 |
| Preemption disabled by default | Preemption enabled by default |
| Hello timer is three seconds | Hello timer is one second |
As with the xx in the HSRP address, this will be replaced with the group number (in hexadecimal) when configured. We will explore VRRP using a similar network topology:
FIG 18.7 – Virtual Router Redundancy Protocol
As was the case for HSRP, the VRRP group presents a virtual IP address to the clients. An interesting aspect of VRRP is that you can utilize the virtual IP address using the same address that is allocated to the master device. In this case, the virtual address is configured as 10.10.10.1, identical to the address on the Router 1 interface.
This is very useful in real-world implementations when VRRP is used in public segments (Internet edge, DMZ, etc.), since it needs only two public IPs, while HSRP needs three public IPs.
The rest of the VRRP functionality details are the same as with HSRP, including authentication, interface tracking, etc. The configuration differences will be presented in detail in the next section.
Mini-lab – VRRP Configuration
Referring to Figure 18.7 above, Router 1 and Router 2 will act as edge routers toward the external network (you can consider this to be the Internet), and an internal host will be configured to use the VRRP address as the gateway to all external networks.
Start by defining the IP addresses on both routers:
R1(config)#int fa0/0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#no sh
R2(config)#int fa0/0
R2(config-if)#ip address 10.10.10.2 255.255.255.0
R2(config-if)#no sh
R1#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
.!!!!
At this point, you have connectivity between the routers. Proceed with configuring the VRRP virtual IP. This is done using the vrrp [group_id] ip [virtual_ip_address] command on the interfaces of both routers. As opposed to HSRP, VRRP allows you to use a virtual IP identical to the interface-level IP. Make Router 1 primary, configuring a priority of 120. Router 2 will have the default priority of 100.
R1(config)#int fa0/0
R1(config-if)#vrrp 1 ip 10.10.10.1
R1(config-if)#vrrp 1 priority 120
*Mar 1 01:01:55.643: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Init -> Master
R2(config)#int fa0/0
R2(config-if)#vrrp 1 ip 10.10.10.1
R2(config-if)#
*Mar 1 00:48:01.467: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Init -> Backup
Next, authenticate the VRRP peering session using an MD5 password in order to secure the VRRP connection.
R1(config)#int fa0/0
R1(config-if)# vrrp 1 authentication md5 key-string CCNA
R2(config)#int fa0/0
R2(config-if)# vrrp 1 authentication md5 key-string CCNA
You can also define some additional parameters, such as a VRRP description. VRRP preemption is enabled by default, as opposed to HSRP.
R1(config)#int fa0/0
R1(config-if)# vrrp 1 description CCNA
R2(config)#int fa0/0
R2(config-if)# vrrp 1 description CCNA
Next, check the status of the VRRP group on each router:
R1#sho vrrp
FastEthernet0/0 - Group 1
CCNA
State is Master
Virtual IP address is 10.10.10.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 120
Authentication MD5, key-string CCNA
Master Router is 10.10.10.1 (local), priority is 255
Master Advertisement interval is 1.000 sec
Master Down interval is 3.003 sec
R2#sho vrrp
FastEthernet0/0 - Group 1
CCNA
State is Backup
Virtual IP address is 10.10.10.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Authentication MD5, key-string CCNA
Master Router is 10.10.10.1, priority is 255
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.593 sec)
At this point, the internal host can use the VRRP virtual address of 10.10.10.1 as the default gateway in order to access external networks.
[END OF MINI-LAB]
Configuring VRRP Interface Tracking
VRRP offers a facility referred to as object tracking (HSRP offers only interface tracking). VRRP cannot directly track an interface but it can track an object, which can be anything but most commonly is an interface. When tracked, the priority of the device can be altered to allow the best VRRP router to take over as master.
In order to configure VRRP to track an interface (for example), a tracked object must be created in global configuration mode using the track [object number] [interface] [line-protocol|ip routing] global configuration command for interface tracking or the track [object number] ip route [address/prefix] [reachability | metric threshold] command for IP prefix tracking. Up to 500 objects may be tracked on the switch, depending on the software and platform. Tracked objects are then tracked by VRRP using the vrrp [number] track [object] interface configuration command.
The following output shows how to configure tracking for VRRP, referencing tracked object 1, which tracks the line protocol of the Loopback 0 interface:
Switch(config)#track 1 interface Loopback0 line-protocol
Switch(config-track)#exit
Switch(config)#interface vlan 192
Switch(config-if)#vrrp 1 track 1
Switch(config-if)#exit
The following output shows how to configure tracking for VRRP, referencing tracked object 2, which tracks the reachability of the 1.1.1.1/32 prefix. A tracked IP route object is considered to be up and reachable when a routing table entry exists for the route and the route is not inaccessible. An inaccessible route is one with a route metric of 255, in which case the route is removed from the Routing Information Base (RIB) anyway:
Switch(config)#track 2 ip route 1.1.1.1/32 reachability
Switch(config-track)#exit
Switch(config)#interface vlan 192
Switch(config-if)#vrrp 1 track 2
VRRP tracking configuration is verified using the show vrrp interface [name] command. This is illustrated in the following output:
Switch#show vrrp interface vlan 192
Vlan192 - Group 1
State is Master
Virtual IP address is 192.168.1.254
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 0.100 sec
Preemption enabled
Priority is 105
Track object 1 state Up decrement 10
Track object 2 state Up decrement 10
Authentication MD5, key-string
Master Router is 192.168.1.1 (local), priority is 105
Master Advertisement interval is 0.100 sec
Master Down interval is 0.889 sec
To view the parameters of the tracked objects, use the show track [number][brief] [interface] [ip] [resolution][timers] command. The output of the show track command is illustrated as follows:
Switch#show track
Track 1
Interface Loopback0 line-protocol
Line protocol is Up
1 change, last change 00:11:36
Tracked by:
VRRP Vlan192 1
Track 2
IP route 1.1.1.1 255.255.255.255 reachability
Reachability is Up (connected)
1 change, last change 00:08:48
First-hop interface is Loopback0
Tracked by:
VRRP Vlan192 1
NOTE: Tracked objects can also be used in conjunction with HSRP and GLBP.
GLBP
Gateway Load Balancing Protocol is Cisco proprietary and is the most distinctive of the First Hop Redundancy Protocols. With GLBP, you not only have the ability to achieve gateway redundancy but also the ability to load balance, and it is a lot easier to use for more than two devices.
FIG 18.8 – Gateway Load Balancing Protocol
Let’s consider an example in which you have three routers configured in a GLBP group that will be assigned a virtual default gateway address (10.10.10.4) also configured on the clients. One of the devices (Router 1, in this example) is elected AVG (Active Virtual Gateway), and the other devices are in the state of AVF (Active Virtual Forwarder). There can be up to four AVFs load-sharing simultaneously. In addition, GLBP supports up to 1,024 virtual routers (GLBP groups).
When the hosts ARP for the 10.10.10.4 MAC address, the AVG responds to the ARP requests, and it can round-robin with the virtual MAC addresses of the AVF machines. Router 1 responds to the first ARP it receives with its own virtual MAC address, then it responds to the second ARP it receives with the second router’s virtual MAC address, and then to the third ARP with the third router’s virtual MAC address. In this way, the AVG can round-robin the traffic over the available AVF devices. This simplistic round-robin balancing approach can be changed by configuring one of the other load-balancing techniques for GLBP.
NOTE: The AVG can also function as an AVF and it usually does so.
GLBP uses weights to determine the forwarding capacity of each group member. The assigned weight will determine the proportion of the total traffic that will be served by each AVF. The default weight value is 100. In addition, GLBP uses a number of load-balancing algorithms:
- Host-dependent – each client will be assigned to a unique AVF
- Round-robin – traffic is equally distributed across all AVFs by default
- Weighted – traffic is distributed based on the weight values; a higher weight value means the specific AVF MAC address will be used more frequently in ARP replies toward clients
Just as with HSRP and VRRP, GLBP can use plain text or MD5 authentication. The MD5 option offers a higher level of security, so it is recommended over plain text authentication.
GLBP Configuration
Referring to Figure 18.8, Router 1 and Router 2 will act as edge routers toward the external network (you can consider this to be the Internet), and an internal host will be configured to use the GLBP address as the gateway to all external networks.
Start by defining the IP addresses on both routers:
R1(config)#int fa0/0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#no sh
R2(config)#int fa0/0
R2(config-if)#ip address 10.10.10.2 255.255.255.0
R2(config-if)#no sh
R1#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
.!!!!
At this point, you have connectivity between the routers. Proceed with configuring the GLBP virtual IP. This is done using the glbp [group_id] ip [virtual_ip_address] command on the interfaces of both routers. Make Router 1 primary, configuring a priority of 120. Router 2 will have a priority of 100.
R1(config)#int fa0/0
R1(config-if)#glbp 1 ip 10.10.10.4
R1(config-if)#glbp 1 priority 120
R2(config)#int fa0/0
R2(config-if)#glbp 1 ip 10.10.10.4
R2(config-if)#glbp 1 priority 100
Next, authenticate the GLBP peering session using an MD5 password in order to secure the GLBP connection.
R1(config)#int fa0/0
R1(config-if)#glbp 1 authentication md5 key-string CCNA
R2(config)#int fa0/0
R2(config-if)#glbp 1 authentication md5 key-string CCNA
You can also define some additional parameters, such as assigning a GLBP group name and adjusting the timers. By default, GLBP Hello packets are transmitted every three seconds, with a Dead timer of 10 seconds. Enable both routers for preemption (disabled by default).
R1(config)#int fa0/0
R1(config-if)#glbp 1 name CCNA
R1(config-if)#glbp 1 timers 1 3
R1(config-if)#glbp 1 preempt
R2(config)#int fa0/0
R2(config-if)#glbp 1 name CCNA
R2(config-if)#glbp 1 timers 1 3
R2(config-if)#glbp 1 preempt
Next, adjust the AVF weights and the load-balancing mechanism so that Router 1 can forward twice as much traffic as Router 2 can. In order to do this, set the weight on Router 1 to double the weight value on Router 2. You also need to set the load-balancing mechanism to weighted as opposed to the default behavior of round-robin.
R1(config)#int fa0/0
R1(config-if)#glbp 1 weighting 200
R1(config-if)#glbp 1 load-balancing weighted
R2(config)#int fa0/0
R2(config-if)#glbp 1 weighting 100
R2(config-if)#glbp 1 load-balancing weighted
Next, check the status of the GLBP group on each router:
R1#show glbp
FastEthernet0/0 - Group 1
State is Active
2 state changes, last state change 00:07:35
Virtual IP address is 10.10.10.4
Hello time 1 sec, hold time 3 sec
Next Hello sent in 0.292 secs
Redirect time 600 sec, forwarder timeout 14400 sec
Authentication MD5, key-string CCNA
Preemption enabled, min delay 0 sec
Active is local
Standby is 10.10.10.2, priority 100 (expires in 2.472 sec)
Priority 120 (configured)
Weighting 200 (configured 200), thresholds: lower 1, upper 200
Load balancing: weighted
IP redundancy name is CCNA
Group members:
c201.0f00.0000 (10.10.10.1) local
c202.2d6c.0000 (10.10.10.2) authenticated
There are 2 forwarders (1 active)
Forwarder 1
State is Active
1 state change, last state change 00:07:25
MAC address is 0007.b400.0101 (default)
Owner ID is c201.0f00.0000
Redirection enabled
Preemption enabled, min delay 30 sec
Active is local, weighting 200
Forwarder 2
State is Listen
4 state changes, last state change 00:04:17
MAC address is 0007.b400.0102 (learned)
Owner ID is c202.2d6c.0000
Redirection enabled, 599.880 sec remaining (maximum 600 sec)
Time to live: 14399.880 sec (maximum 14400 sec)
Preemption enabled, min delay 30 sec
Active is 10.10.10.2 (primary), weighting 100 (expires in 2.880 sec)
R2#show glbp
FastEthernet0/0 - Group 1
State is Standby
3 state changes, last state change 00:05:20
Virtual IP address is 10.10.10.4
Hello time 1 sec, hold time 3 sec
Next Hello sent in 0.580 secs
Redirect time 600 sec, forwarder timeout 14400 sec
Authentication MD5, key-string CCNA
Preemption enabled, min delay 0 sec
Active is 10.10.10.1, priority 120 (expires in 2.508 sec)
Standby is local
Priority 100 (default)
Weighting 100 (default 100), thresholds: lower 1, upper 100
Load balancing: weighted
IP redundancy name is CCNA
Group members:
c201.0f00.0000 (10.10.10.1) authenticated
c202.2d6c.0000 (10.10.10.2) local
There are 2 forwarders (1 active)
Forwarder 1
State is Listen
MAC address is 0007.b400.0101 (learned)
Owner ID is c201.0f00.0000
Time to live: 14398.960 sec (maximum 14400 sec)
Preemption enabled, min delay 30 sec
Active is 10.10.10.1 (primary), weighting 200 (expires in 1.956 sec)
Forwarder 2
State is Active
3 state changes, last state change 00:05:09
MAC address is 0007.b400.0102 (default)
Owner ID is c202.2d6c.0000
Preemption enabled, min delay 30 sec
Active is local, weighting 100
At this point the internal host can use the GLBP virtual address of 10.10.10.4 as the default gateway in order to access external networks. Traffic will be load balanced between Router 1 and Router 2 based on the configured weights.
You can see from the output above that the unique MAC address for GLBP follows the format of 0007.b400.xxyy, with xx as the GLBP group and yy as a different number for each router. When hosts ARP for the virtual IP address, the AVG replies with one of the virtual MAC addresses, so traffic is load balanced across the routers instead of passing through just one active router.
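The forwarder details in the show glbp output can also be checked programmatically. The Python below is an added example, not part of the original chapter: it parses the Forwarder blocks, decodes each virtual MAC using the 0007.b400.xxyy format described above, confirms that each forwarder's owner is a listed group member, and derives the traffic share implied by the weightings. The function names are assumptions, and the sample text is abridged from R1's output.

```python
import re

# Abridged from R1's "show glbp" output above.
SHOW_GLBP = """FastEthernet0/0 - Group 1
  Group members:
    c201.0f00.0000 (10.10.10.1) local
    c202.2d6c.0000 (10.10.10.2) authenticated
  Forwarder 1
    MAC address is 0007.b400.0101 (default)
    Owner ID is c201.0f00.0000
    Active is local, weighting 200
  Forwarder 2
    MAC address is 0007.b400.0102 (learned)
    Owner ID is c202.2d6c.0000
    Active is 10.10.10.2 (primary), weighting 100 (expires in 2.880 sec)"""

BLOCK = re.compile(r"Forwarder (\d+)\n(.*?)(?=\n\s*Forwarder \d|\Z)", re.S)
MEMBER = re.compile(r"^\s*([0-9a-f.]{14}) \(\S+\) (\w+)$", re.M)

def forwarders(text):
    """Parse each Forwarder block and decode its 0007.b400.xxyy virtual MAC."""
    group = int(re.search(r"Group (\d+)", text).group(1))
    members = dict(MEMBER.findall(text))  # member MAC -> local/authenticated
    out = []
    for num, body in BLOCK.findall(text):
        mac = re.search(r"MAC address is (\S+)", body).group(1)
        owner = re.search(r"Owner ID is (\S+)", body).group(1)
        m = re.fullmatch(r"0007\.b400\.([0-9a-f]{2})([0-9a-f]{2})", mac)
        out.append({
            "forwarder": int(num), "mac": mac, "owner": owner,
            "weight": int(re.search(r"weighting (\d+)", body).group(1)),
            # xx must equal the group and yy the forwarder number (both hex)
            "mac_ok": bool(m) and (int(m[1], 16), int(m[2], 16)) == (group, int(num)),
            "owner_status": members.get(owner, "unknown"),
        })
    total = sum(f["weight"] for f in out)
    for f in out:
        f["share"] = round(f["weight"] / total, 3)  # share implied by weights
    return out

def suspect(fwds):
    """Forwarders with an off-pattern MAC or an owner not in the member list."""
    return [f for f in fwds
            if not f["mac_ok"] or f["owner_status"] not in ("local", "authenticated")]

for f in forwarders(SHOW_GLBP):
    print(f["forwarder"], f["mac"], f["owner_status"], f["share"])
```

With the weights configured above, Forwarder 1 receives about two thirds of the ARP replies and Forwarder 2 about one third.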
End of Chapter Questions
Please visit www.howtonetwork.com/ccnasimplified to take the free Chapter 18 exam.
Chapter 18 Labs
Lab 1: HSRP
The physical topology is shown in Figure 18.9 below:
FIG 18.9 – HSRP Lab
Lab Exercise
Your task is to configure the network in Figure 18.9 to allow the workstation to have connectivity to the HSRP group created on the two routers.
Purpose
HSRP is a very popular FHRP and is in wide use today. You will need to have a good working knowledge of it for the CCNA exam and as a Cisco engineer.
Lab Objectives
- Configure IP addresses on the router interfaces.
- Configure HSRP on the routers.
- Fine-tune the HSRP configuration as per the configuration guidelines presented in this chapter.
- Verify workstation connectivity and HSRP configuration.
Lab Walk-through
- Configure the IP address 192.168.0.100/24 and the gateway address 192.168.0.10/24 (HSRP group address) on the workstation:
FIG 18.10 – IP address and Gateway address configuration
- Configure IP addressing on the routers: 192.168.0.1/24 and 192.168.0.2/24 on the switch-facing interfaces.
R1(config)#int fa0/1
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#no sh
*Mar 1 00:07:38.915: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:07:39.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R2(config)#int fa0/1
R2(config-if)#ip add 192.168.0.2 255.255.255.0
R2(config-if)#no sh
*Mar 1 00:07:50.647: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:07:51.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
- Configure HSRP group 10 on the switch-facing interfaces using the 192.168.0.10 address. Name the HSRP group CCNA. Control the election of the primary HSRP gateway using priority 110 on R1 and 100 on R2.
R1(config)#int fa0/1
R1(config-if)#standby 10 ip 192.168.0.10
R1(config-if)#standby 10 name CCNA
R1(config-if)#standby 10 priority 110
*Mar 1 00:09:34.987: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 10 state Standby -> Active
R2(config)#int fa0/1
R2(config-if)#standby 10 ip 192.168.0.10
R2(config-if)#standby 10 name CCNA
R2(config-if)#standby 10 priority 100
R2(config-if)#
*Mar 1 00:10:16.719: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 10 state Speak -> Standby
- Configure HSRP preemption on both routers:
R1(config-if)#standby 10 preempt
R2(config-if)#standby 10 preempt
- Adjust HSRP timers to 1 and 3 seconds:
R1(config-if)#standby 10 timers 1 3
R2(config-if)#standby 10 timers 1 3
- Configure MD5 HSRP authentication between the routers:
R1(config-if)#stand 10 authentication md5 key-string CCNA
R2(config-if)#stand 10 authentication md5 key-string CCNA
- Verify HSRP configuration on the routers:
R1(config-if)#do sho standby
FastEthernet0/1 - Group 10
State is Active
2 state changes, last state change 00:03:49
Virtual IP address is 192.168.0.10
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 1 sec, hold time 3 sec
Next Hello sent in 0.032 secs
Authentication MD5, key-string CCNA
Preemption enabled
Active router is local
Standby router is 192.168.0.2, priority 100 (expires in 1.976 sec)
Priority 110 (configured 110)
Group name is CCNA (cfgd)
R2(config-if)#do sho standby
FastEthernet0/1 - Group 10
State is Standby
4 state changes, last state change 00:00:53
Virtual IP address is 192.168.0.10
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 1 sec, hold time 3 sec
Next Hello sent in 0.468 secs
Authentication MD5, key-string CCNA
Preemption enabled
Active router is 192.168.0.1, priority 110 (expires in 2.516 sec)
Standby router is local
Priority 100 (default 100)
Group name is CCNA (cfgd)
- Test PC to HSRP group connectivity:
C:\Users\ccna>ping 192.168.0.10
Pinging 192.168.0.10 with 32 bytes of data:
Reply from 192.168.0.10: bytes=32 time=1ms TTL=64
Reply from 192.168.0.10: bytes=32 time=1ms TTL=64
Reply from 192.168.0.10: bytes=32 time=1ms TTL=64
Reply from 192.168.0.10: bytes=32 time=1ms TTL=64
Ping statistics for 192.168.0.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
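A consistency check that can be run over the show standby output collected from both routers at the end of this lab, added here as an example and not part of the original lab. It flags a group without MD5 authentication, a key-string that matches the group name (an easily guessed shared secret), a virtual MAC that does not follow the HSRPv1 pattern for the group, and peers that disagree on group, virtual IP, timers or authentication. The function and variable names are assumptions, and the sample text is abridged from the output above.

```python
import re

# Abridged from R1's "show standby" output above; among these fields R2 differs only in state.
R1_OUT = """FastEthernet0/1 - Group 10
  State is Active
  Virtual IP address is 192.168.0.10
  Active virtual MAC address is 0000.0c07.ac0a
  Hello time 1 sec, hold time 3 sec
  Authentication MD5, key-string CCNA
  Group name is CCNA (cfgd)"""
R2_OUT = R1_OUT.replace("State is Active", "State is Standby")

FIELDS = {  # field -> regex applied to one router's output
    "group": r"Group (\d+)", "state": r"State is (\w+)",
    "vip": r"Virtual IP address is (\S+)",
    "vmac": r"Active virtual MAC address is (\S+)",
    "timers": r"(Hello time \d+ sec, hold time \d+ sec)",
    "auth": r"Authentication (.+)", "name": r"Group name is (\S+)",
}

def parse(text):
    """Return the audited fields of one router's output (None when absent)."""
    hits = {k: re.search(p, text) for k, p in FIELDS.items()}
    return {k: m.group(1).strip() if m else None for k, m in hits.items()}

def audit(outputs):
    """outputs maps router name -> show standby text; returns findings."""
    peers = {r: parse(t) for r, t in outputs.items()}
    findings = []
    for r, p in peers.items():
        if not (p["auth"] or "").startswith("MD5"):
            findings.append(f"{r}: no MD5 authentication on the group")
        elif p["name"] and p["auth"].endswith("key-string " + p["name"]):
            findings.append(f"{r}: key-string equals the group name")
        # HSRPv1 virtual MAC is 0000.0c07.acXX, XX = group number in hex.
        if p["group"] and p["vmac"] != "0000.0c07.ac%02x" % int(p["group"]):
            findings.append(f"{r}: virtual MAC does not match group {p['group']}")
    for field in ("group", "vip", "timers", "auth"):
        if len({p[field] for p in peers.values()}) > 1:
            findings.append(f"peers disagree on {field}")
    active = [r for r, p in peers.items() if p["state"] == "Active"]
    if len(active) != 1:
        findings.append(f"expected one Active router, found {active}")
    return findings

print("\n".join(audit({"R1": R1_OUT, "R2": R2_OUT})))
```

Run against the lab configuration, the only findings are that both routers use a key-string identical to the group name.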
Read the Cisco FHRP notes also.