Hot Standby Router Protocol
Hot Standby Router Protocol (HSRP) is a Cisco-proprietary First Hop Redundancy Protocol (FHRP). HSRP allows two physical gateways that are configured as part of the same HSRP group to share the same virtual gateway address. Network hosts residing on the same subnet as the gateways are configured with the virtual gateway IP address as their default gateway. You learn HSRP in our Cisco CCNP certification course.
You can learn HSRP troubleshooting in our other blog post.
We also have many CCNP level labs in our book 101 Labs – Cisco CCNP.
While operational, the primary gateway forwards packets destined to the virtual gateway IP address of the HSRP group. In the event that the primary gateway fails, the secondary gateway assumes the role of primary and forwards all packets sent to the virtual gateway IP address. Figure 1 below illustrates the operation of HSRP in a network:
Fig. 1. Hot Standby Router Protocol (HSRP) Operation
Referencing Figure 1, HSRP is configured between the Layer 3 (Distribution Layer) switches, providing gateway redundancy for VLAN 10. The IP address assigned to the Switch Virtual Interface (SVI) on Layer 3 Switch 1 is 10.10.10.2/24, and the IP address assigned to the SVI on Layer 3 Switch 2 is 10.10.10.3/24. Both switches are configured as part of the same HSRP group and share the IP address of the virtual gateway, which is 10.10.10.1.
Switch 1 has been configured with a priority of 105, while Switch 2 is using the default priority of 100. Because of the higher priority, Layer 3 Switch 1 is elected as the primary switch and Layer 3 Switch 2 is elected as the secondary switch. All hosts on VLAN 10 are configured with a default gateway address of 10.10.10.1. Based on this solution, Switch 1 will forward all packets sent to the 10.10.10.1 address. However, in the event that Switch 1 fails, then Switch 2 will assume this responsibility. This process is entirely transparent to the network hosts.
Real World Implementation
In production networks, when configuring FHRPs, it is considered good practice to ensure that the active (primary) gateway is also the Spanning Tree Root Bridge for the particular VLAN. Referencing the diagram in Figure 1, for example, Switch 1 would be configured as the Root Bridge for VLAN 10 in tandem with being the HSRP primary gateway for the same VLAN.
This results in a deterministic network and avoids suboptimal forwarding at Layer 2 or Layer 3. For example, if Switch 2 was the Root Bridge for VLAN 10, while Switch 1 was the primary gateway for VLAN 10, packets from the network hosts to the default gateway IP address would be forwarded as shown in Figure 2 below:
Fig. 2. Synchronizing the STP Topology with HSRP
In the network above, packets from Host 1 to 10.10.10.1 are forwarded as follows:
1. The access layer switch receives a frame destined to the MAC address of the virtual gateway IP address from Host 1. This frame is received in VLAN 10 and the MAC address for the virtual gateway has been learned by the switch via its Root Port.
2. Because the Root Bridge for VLAN 10 is Switch 2, the uplink toward Switch 1, the HSRP primary router, is placed into a Blocking state. The access layer switch forwards the frame via the uplink to Switch 2.
3. Switch 2 forwards the frame via the designated port connected to Switch 1. The same suboptimal forwarding path is used for frames received from Host 2.
Currently, two versions of HSRP are supported in Cisco IOS software: versions 1 and 2. The similarities and differences between the versions will be described in the sections that follow.
Hot Standby Router Protocol Version 1
By default, when Hot Standby Router Protocol is enabled in Cisco IOS software, version 1 is enabled. HSRP version 1 restricts the number of configurable HSRP groups to 255. HSRP version 1 routers communicate by sending messages to Multicast group address 224.0.0.2 using UDP port 1985. This is shown in Figure 3 below:
Fig. 3. HSRP Version 1 Multicast Group Address
While going into detail on the HSRP packet format is beyond the scope of the SWITCH exam requirements, Figure 4 below illustrates the information contained in the HSRP version 1 packet:
Fig. 4. The HSRP Version 1 Packet Fields
In Figure 4, notice that the Version field shows a value of 0. This is the default value for this field when version 1 is enabled; however, remember that this implies HSRP version 1.
Hot Standby Router Protocol Version 2
HSRP version 2 uses the new Multicast address 224.0.0.102 to send Hello packets instead of the Multicast address of 224.0.0.2, which is used by version 1. The UDP port number, however, remains the same. This new address is also encoded in both the IP packet and the Ethernet frame as shown below in Figure 5:
Fig. 5. HSRP Version 2 Multicast Group Address
While going into detail on the HSRP version 2 packet format is beyond the scope of the SWITCH exam requirements, it is important to remember that HSRP version 2 does not use the same packet format as HSRP version 1.
The version 2 packet format uses a Type/Length/Value (TLV) format. HSRP version 2 packets received by an HSRP version 1 router will have the Type field mapped to the Version field by HSRP version 1 and will be subsequently ignored. Figure 6 illustrates the information contained in the HSRP version 2 packet:
Fig. 6. The HSRP Version 2 Packet Fields
Hot Standby Router Protocol Version 1 and Version 2 Comparison
HSRP version 2 includes enhancements to HSRP version 1. The version 2 enhancements and differences from version 1 are described in the following section.
Although HSRP version 1 advertises timer values, these values are always to the whole second, as it is not capable of advertising or learning millisecond timer values. Version 2 is capable of both advertising and learning millisecond timer values. Figures 7 and 8 below highlight the differences between the Timer fields for both HSRP version 1 and HSRP version 2, respectively:
Fig. 7. HSRP Version 1 Timer Fields
Fig. 8. HSRP Version 2 Timer Fields
HSRP version 1 group numbers are restricted to the range of 0 to 255, whereas the version 2 group numbers have been extended from 0 to 4095. This difference will be illustrated in the HSRP configuration examples that will be provided and documented later in this chapter.
Version 2 provides improved management and troubleshooting by including a 6-byte Identifier field that is populated with the physical router interface MAC address and is used to uniquely identify the source of HSRP active Hello messages. In version 1, these messages contain the virtual MAC address as the source MAC, which means it is not possible to determine which HSRP router actually sent the HSRP Hello message. Figure 9 below shows the Identifier field that is present in the version 2 packet but not in the HSRP version 1 packet:
Fig. 9. HSRP Version 2 Identifier Field
In HSRP version 1, the Layer 2 address that is used by the virtual IP address will be a virtual MAC address composed of 0000.0C07.ACxx, where ‘xx’ is the HSRP group number in Hexadecimal value and is based on the respective interface. HSRP version 2, however, uses a new MAC address range of 0000.0C9F.F000 to 0000.0C9F.FFFF for the virtual gateway IP address. These differences are illustrated below in Figure 10, which shows the version 1 virtual MAC address for HSRP Group 1, as well as in Figure 11, which shows the version 2 virtual MAC address, also for HSRP Group 1:
Fig. 10. HSRP Version 1 Virtual MAC Address Format
Fig. 11. HSRP Version 2 Virtual MAC Address Format
Hot Standby Router Protocol Primary Gateway Election
HSRP primary gateway election can be influenced by adjusting the default HSRP priority of 100 to any value between 1 and 255. The router with the highest priority will be elected as the primary gateway for the HSRP group.
If two gateways are using the default priority values, or if the priority values on two gateways are manually configured as equal, the router with the highest IP address will be elected as the primary gateway. The HSRP priority value is carried in the HSRP frame, as is the current state of the router (e.g. primary or standby). Figure 12 below illustrates the Priority and State fields of a gateway configured with a non-default priority value of 105, which resulted in it being elected as the active gateway for the HSRP group:
Fig. 12. HSRP Priority and State Fields
Hot Standby Router Protocol Messages
HSRP routers exchange the following three types of messages:
- Hello messages
- Coup messages
- Resign messages
Hello messages are exchanged via Multicast and tell the other gateway the HSRP state and priority values of the local router. Hello messages also include the Group ID, HSRP timer values, version, and authentication information. All of the messages shown in the previous figures are HSRP Hello messages.
HSRP Coup messages are sent when the current standby router wants to assume the role of active gateway for the HSRP group. This is similar to a coup d’état in real life.
HSRP Resign messages are sent by the active router when it is about to shut down or when a gateway that has a higher priority sends a Hello or Coup message. In other words, this message is sent when the active gateway concedes its role as primary gateway.
HSRP Preemption
If a gateway has been elected as the active gateway and another gateway that is part of the HSRP group is reconfigured with a higher priority value, the current active gateway retains the primary forwarding role. This is the default behavior of HSRP.
In order for a gateway with a higher priority to assume active gateway functionality when a primary gateway is already present for an HSRP group, the router must be configured for preemption. This allows the gateway to initiate a coup and assume the role of the active gateway for the HSRP group. HSRP preemption is illustrated in the configuration examples to follow.
NOTE: Preemption does not necessarily mean that the Spanning Tree topology changes also.
Hot Standby Router Protocol States
In a manner similar to Open Shortest Path First (OSPF), when HSRP is enabled on an interface, the gateway interface goes through the following series of states:
- Disabled
- Init
- Listen
- Speak
- Standby
- Active
NOTE: There are no set time values for these interface transitions.
In either the disabled or the init states, the gateway is not yet ready or is unable to participate in HSRP, possibly because the associated interface is not up.
The listen state is applicable to the standby gateway. Only the standby gateway monitors Hello messages from the active gateway. If the standby gateway does not receive Hellos within 10 seconds, it assumes that the active gateway is down and takes on this role itself. If other gateways exist on the same segment, they also listen to Hellos and will be elected as the group active gateway if they have the next highest priority value or IP address.
During the speak phase, the standby gateway exchanges messages with the active gateway. Upon completion of this phase, the primary gateway transitions to the active state and the backup gateway transitions to the standby state. The standby state indicates that the gateway is ready to assume the role of active gateway if the primary gateway fails, and the active state indicates that the gateway is ready to actively forward packets.
The following output shows the state transitions displayed in the debug standby command on a gateway for which HSRP has just been enabled:
R2#debug standby
HSRP debugging is on
R2#
R2#
R2#
R2#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#logging con
R2(config)#int f0/0
R2(config-if)#stand 1 ip 192.168.1.254
R2(config-if)#
R2(config-if)#
R2(config-if)#
R2(config-if)#
*Mar 1 01:21:55.471: HSRP: Fa0/0 API 192.168.1.254 is not an HSRP address
*Mar 1 01:21:55.471: HSRP: Fa0/0 Grp 1 Disabled -> Init
*Mar 1 01:21:55.471: HSRP: Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Disabled -> Init
*Mar 1 01:22:05.475: HSRP: Fa0/0 Interface up
… [Truncated Output] …
*Mar 1 01:22:06.477: HSRP: Fa0/0 Interface min delay expired
*Mar 1 01:22:06.477: HSRP: Fa0/0 Grp 1 Init: a/HSRP enabled
*Mar 1 01:22:06.477: HSRP: Fa0/0 Grp 1 Init -> Listen
*Mar 1 01:22:06.477: HSRP: Fa0/0 Redirect adv out, Passive, active 0 passive 1
… [Truncated Output] …
*Mar 1 01:22:16.477: HSRP: Fa0/0 Grp 1 Listen: d/Standby timer expired (unknown)
*Mar 1 01:22:16.477: HSRP: Fa0/0 Grp 1 Listen -> Speak
… [Truncated Output] …
*Mar 1 01:22:26.478: HSRP: Fa0/0 Grp 1 Standby router is local
*Mar 1 01:22:26.478: HSRP: Fa0/0 Grp 1 Speak -> Standby
*Mar 1 01:22:26.478: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
*Mar 1 01:22:26.478: HSRP: Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Speak -> Standby
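The %HSRP-5-STATECHANGE line in the output above is the one that reaches syslog, so it is the natural signal for spotting unplanned changes of the active gateway. The following Python code is an added example, not part of the original article: it extracts those transitions and reports groups whose Active role keeps changing hands. The log lines in `SAMPLE_LOG` are constructed in the format shown above, and the threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Matches the syslog form shown in the debug output, for example:
# *Mar 1 01:22:26.478: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
STATECHANGE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+%HSRP-5-STATECHANGE:\s+"
    r"(?P<ifc>\S+)\s+Grp\s+(?P<grp>\d+)\s+state\s+(?P<old>\w+)\s+->\s+(?P<new>\w+)"
)


def transitions(lines):
    """Return (timestamp, interface, group, old_state, new_state) per STATECHANGE line."""
    found = []
    for line in lines:
        m = STATECHANGE.match(line.strip())
        if m:
            found.append((m["ts"], m["ifc"], int(m["grp"]), m["old"], m["new"]))
    return found


def active_role_events(lines):
    """Keep only the transitions where a group gains or loses the Active role."""
    events = []
    for ts, ifc, grp, old, new in transitions(lines):
        if new == "Active":
            events.append((ts, ifc, grp, "gained-active"))
        elif old == "Active":
            events.append((ts, ifc, grp, "lost-active"))
    return events


def flapping_groups(lines, threshold=3):
    """Groups whose Active role changed at least `threshold` times in the given lines."""
    counts = Counter((ifc, grp) for _, ifc, grp, _ in active_role_events(lines))
    return sorted(key for key, n in counts.items() if n >= threshold)


# Constructed sample (not captured from a real device), in the format shown above.
# The first line is debug-only output and is deliberately not matched.
SAMPLE_LOG = """\
*Mar 1 01:22:16.477: HSRP: Fa0/0 Grp 1 Listen -> Speak
*Mar 1 01:22:26.478: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
*Mar 1 01:40:02.101: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
*Mar 1 01:40:31.250: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
*Mar 1 01:40:41.252: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
*Mar 1 01:41:12.007: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
*Mar 1 02:05:09.660: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 2 state Standby -> Active
""".splitlines()

if __name__ == "__main__":
    for event in active_role_events(SAMPLE_LOG):
        print(*event)
    print("flapping:", flapping_groups(SAMPLE_LOG))
```

A role change that does not line up with a maintenance window or a known link failure is worth correlating with the Hello messages seen on the segment at that time.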
HSRP Addressing
Earlier in this chapter, we learned that in HSRP version 1, the Layer 2 address that is used by the virtual IP address will be a virtual MAC address composed of 0000.0C07.ACxx, where ‘xx’ is the HSRP group number in Hexadecimal value and is based on the respective interface. HSRP version 2, however, uses a new MAC address range of 0000.0C9F.F000 to 0000.0C9F.FFFF for the virtual gateway IP address.
In some cases, it may not be desirable to use these default address ranges. An example would be a situation where several HSRP groups were configured on a router interface connected to a switch port that was configured for port security. In such a case, the router would use a different MAC address for each HSRP group, the result being multiple MAC addresses that would all need to be accommodated in the port security configuration. This configuration would have to be modified each time an HSRP group was added to the interface; otherwise, a port security violation would occur.
To address this issue, Cisco IOS software allows administrators to configure HSRP to use the actual MAC address of the physical interface on which it is configured. The result is that a single MAC address is used by all groups (the MAC address of the active gateway is used) and the port security configuration need not be modified each time an HSRP group is configured between the routers connected to the switches. This is performed via the standby use-bia interface configuration command. The following output illustrates the show standby command, which shows a gateway interface that is configured with two different HSRP groups:
Gateway-1#show standby
FastEthernet0/0 - Group 1
  State is Active
    8 state changes, last state change 00:13:07
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.002 secs
  Preemption disabled
  Active router is local
  Standby router is 192.168.1.2, priority 100 (expires in 9.019 sec)
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Fa0/0-1" (default)
FastEthernet0/0 - Group 2
  State is Active
    2 state changes, last state change 00:09:45
  Virtual IP address is 172.16.1.254
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.423 secs
  Preemption disabled
  Active router is local
In the output above, based on the default HSRP version, the virtual MAC address for HSRP Group 1 is 0000.0c07.ac01, while that for HSRP Group 2 is 0000.0c07.ac02. This means that the switch port that this gateway is connected to learns three different addresses: the actual or burnt-in MAC address assigned to the actual physical FastEthernet0/0 interface, the virtual MAC address for HSRP Group 1, and the virtual MAC address for HSRP Group 2.
The following output illustrates how to configure HSRP to use the actual MAC address of the gateway interface as the virtual MAC address of the different HSRP groups:
Gateway-1#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
Gateway-1(config)#int f0/0
Gateway-1(config-if)#standby use-bia
Gateway-1(config-if)#exit
Based on the configuration in the above output, the show standby command reflects the new MAC address for the HSRP group as illustrated in the following output:
Gateway-1#show standby
FastEthernet0/0 - Group 1
  State is Active
    8 state changes, last state change 00:13:30
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 0013.1986.0a20
    Local virtual MAC address is 0013.1986.0a20 (bia)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.756 secs
  Preemption disabled
  Active router is local
  Standby router is 192.168.1.2, priority 100 (expires in 9.796 sec)
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Fa0/0-1" (default)
FastEthernet0/0 - Group 2
  State is Active
    2 state changes, last state change 00:10:09
  Virtual IP address is 172.16.1.254
  Active virtual MAC address is 0013.1986.0a20
    Local virtual MAC address is 0013.1986.0a20 (bia)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.188 secs
  Preemption disabled
  Active router is local
  Standby router is unknown
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Fa0/0-2" (default)
The MAC address used by both groups, 0013.1986.0a20, is the MAC address assigned to the physical gateway interface. This is illustrated in the following output:
Gateway-1#show interface fastethernet 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0013.1986.0a20 (bia 0013.1986.0a20)
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
… [Truncated Output]
NOTE: In addition to configuring HSRP to use the burnt-in address (BIA), administrators also have the option of statically specifying the MAC address that the virtual gateway should use via the standby [number] mac-address [mac] interface configuration command. This option is typically avoided as it can result in duplicate MAC addresses in the switched network, which can cause severe network issues and possibly even an outage.
HSRP Plain Text Authentication
By default, HSRP messages are sent with the plain-text key string ‘cisco’ as a simple method to authenticate HSRP peers. If the key string in a message matches the key configured on an HSRP peer, the message is accepted. If not, HSRP ignores the unauthenticated message(s).
Plain text keys provide very little security because they can be ‘captured on the wire’ using simple packet capture tools, such as Wireshark and Ethereal. Figure 13 below shows the default plain-text authentication key used in HSRP messages:
Fig. 13. Viewing the Default HSRP Plain-Text Key
Because plain-text authentication provides very little security, Message Digest 5 (MD5) authentication, which is described in the following section, is the recommended authentication method for HSRP.
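As an added example (not part of the original article and not Cisco code), the Python code below decodes the HSRP version 1 message fields discussed earlier and flags messages that still carry the default plain-text key or that come from a speaker outside the documented design. The field layout and code values follow RFC 2281; the group number 10, the address 10.10.10.77, the `DESIGN` inventory and the hex payloads are constructed for illustration, using the VLAN 10 addressing from Figure 1.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Code values from RFC 2281, which documents HSRP version 1.
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_KEY = b"cisco"  # default plain-text authentication string


@dataclass
class HsrpV1Message:
    opcode: str
    state: str
    hello_time: int
    hold_time: int
    priority: int
    group: int
    auth_data: bytes
    virtual_ip: str


def parse_hsrp_v1(payload: bytes) -> HsrpV1Message:
    """Decode the 20-byte UDP port 1985 payload of an HSRP version 1 message."""
    if len(payload) < 20:
        raise ValueError(f"HSRPv1 message needs 20 bytes, got {len(payload)}")
    (version, opcode, state, hello, hold, priority, group, _reserved,
     auth, vip) = struct.unpack("!8B8s4s", payload[:20])
    if version != 0:
        # Version 1 carries 0 in this field; anything else is not a v1 message.
        raise ValueError(f"not HSRP version 1 (first byte is {version})")
    if opcode not in OPCODES or state not in STATES:
        raise ValueError("unknown opcode or state value")
    return HsrpV1Message(OPCODES[opcode], STATES[state], hello, hold, priority,
                         group, auth.rstrip(b"\x00"), str(ipaddress.IPv4Address(vip)))


def audit(src_ip: str, msg: HsrpV1Message, expected: dict) -> list:
    """Compare one message with the documented design for its group.

    `expected` maps group number -> {"gateways": set of IPs, "virtual_ip": str}.
    """
    findings = []
    if msg.auth_data == DEFAULT_KEY:
        findings.append("default plain-text key in use")
    design = expected.get(msg.group)
    if design is None:
        findings.append(f"undocumented HSRP group {msg.group}")
        return findings
    if msg.virtual_ip != design["virtual_ip"]:
        findings.append("virtual IP differs from design")
    if src_ip not in design["gateways"]:
        findings.append("speaker is not a documented gateway")
        if msg.opcode == "Coup" or msg.state == "Active":
            findings.append("undocumented speaker claims the active role")
    return findings


# Assumed inventory for the Figure 1 topology (group number 10 is an assumption).
DESIGN = {10: {"gateways": {"10.10.10.2", "10.10.10.3"}, "virtual_ip": "10.10.10.1"}}

# Constructed payloads, not captures. Hello, state Active, hello 3 s, hold 10 s,
# group 10, key "cisco", virtual IP 10.10.10.1; priorities 105 and 110.
SAMPLE_SWITCH1 = "000010030a690a00636973636f0000000a0a0a01"
SAMPLE_UNKNOWN = "000010030a6e0a00636973636f0000000a0a0a01"

if __name__ == "__main__":
    for src, hexdata in (("10.10.10.2", SAMPLE_SWITCH1), ("10.10.10.77", SAMPLE_UNKNOWN)):
        message = parse_hsrp_v1(bytes.fromhex(hexdata))
        print(src, message.state, message.priority, audit(src, message, DESIGN))
```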
HSRP MD5 Authentication
Message Digest 5 authentication provides greater security for HSRP than that provided by plain text authentication by generating an MD5 digest for the HSRP portion of the Multicast HSRP protocol packet. Using MD5 authentication allows each HSRP group member to use a secret key to generate a keyed MD5 hash that is part of the outgoing packet. A keyed hash of the incoming HSRP packet is generated and if the hash within the incoming packet does not match the MD5-generated hash, the packet is simply ignored by the receiving router.
The key for the MD5 hash either can be given directly in the configuration using a key string or can be supplied indirectly through a key chain. Both configuration options will be described in detail later in this chapter. When using plain-text or MD5 authentication, the gateway will reject HSRP packets if any of the following is true:
- The authentication schemes differ on the router and in the incoming packets
- The MD5 digests differ on the router and in the incoming packets
- The text authentication strings differ on the router and in the incoming packets
HSRP Interface Tracking
HSRP allows administrators to track the status of interfaces on the current active gateway so that when that interface fails, the gateway decrements its priority by a specified value, the default being 10, allowing another gateway to assume the role of active gateway for the HSRP group. This concept is illustrated below in Figure 14:
Fig. 14. HSRP Interface Tracking
Referencing Figure 14, HSRP has been enabled on Switch 1 and Switch 2 for VLAN 150. Based on the current priority configuration, Switch 1, with a priority value of 105, has been elected as the primary switch for this VLAN. Both Switch 1 and Switch 2 are connected to two routers via their GigabitEthernet5/1 interfaces. It is assumed that these two routers peer with other external networks, such as the Internet.
Without HSRP interface tracking, if the GigabitEthernet0/1 interface between Switch 1 and R1 failed, Switch 1 would retain its primary gateway status. It would then have to forward any received packets destined for the Internet, for example, over to Switch 2 using the connection between itself and Switch 2. The packets would be forwarded out via R2 toward their intended destination. This results in a suboptimal traffic path within the network.
HSRP interface tracking allows the administrators to configure HSRP to track the status of an interface and decrement the active gateway priority by either a default value of 10 or a value specified by the administrators. Referencing Figure 14, if HSRP interface tracking was configured using the default values on Switch 1, allowing it to track the status of interface GigabitEthernet5/1, and that interface failed, Switch 1 would decrement its priority for the HSRP group by 10, resulting in a priority of 95.
Assuming that Switch 2 was configured to preempt, which is mandatory in this situation, it would realize that it had the higher priority (100 versus 95) and perform a coup, assuming the role of active gateway for this HSRP group.
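The interaction between priority, tracking decrement and preemption described above can be checked with a small model. This is an added example, not code from the original article or from Cisco IOS: the `Gateway` class, the `scenario` helper and the 10.150.0.x addresses are hypothetical, and preemption is modelled as the page describes it (a coup requires a strictly higher priority and the preempt setting).

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    ip: str
    priority: int = 100                           # HSRP default priority
    preempt: bool = False                         # preemption is off by default
    tracked: dict = field(default_factory=dict)   # interface name -> decrement
    down: set = field(default_factory=set)        # tracked interfaces currently down

    def track(self, interface: str, decrement: int = 10) -> None:
        """Model interface tracking; the default decrement is 10."""
        self.tracked[interface] = decrement

    def effective_priority(self) -> int:
        lost = sum(dec for ifc, dec in self.tracked.items() if ifc in self.down)
        return max(self.priority - lost, 0)


def elect(gateways):
    """Initial election: highest priority wins, highest IP address breaks a tie."""
    return max(gateways, key=lambda g: (g.effective_priority(),
                                        int(ipaddress.IPv4Address(g.ip))))


def reevaluate(active, gateways):
    """The active gateway keeps its role unless a peer configured to preempt
    now has a strictly higher priority, in which case that peer takes over."""
    challengers = [g for g in gateways
                   if g is not active and g.preempt
                   and g.effective_priority() > active.effective_priority()]
    return elect(challengers) if challengers else active


def scenario(sw2_preempt: bool, sw1_preempt: bool = False, decrement: int = 10):
    """Replay the Figure 14 case: Switch 1 (priority 105) tracks GigabitEthernet5/1.

    Returns (active at start, active after the link fails,
             Switch 1 priority during the failure, active after the link recovers).
    """
    sw1 = Gateway("Switch 1", "10.150.0.2", priority=105, preempt=sw1_preempt)
    sw2 = Gateway("Switch 2", "10.150.0.3", preempt=sw2_preempt)
    sw1.track("GigabitEthernet5/1", decrement)
    peers = [sw1, sw2]

    active = elect(peers)
    at_start = active.name

    sw1.down.add("GigabitEthernet5/1")            # tracked uplink fails
    active = reevaluate(active, peers)
    after_failure, degraded = active.name, sw1.effective_priority()

    sw1.down.clear()                              # uplink recovers
    active = reevaluate(active, peers)
    return at_start, after_failure, degraded, active.name


if __name__ == "__main__":
    print(scenario(sw2_preempt=True))                    # Switch 2 takes over at 95 vs 100
    print(scenario(sw2_preempt=False))                   # no preempt: Switch 1 stays active
    print(scenario(sw2_preempt=True, sw1_preempt=True))  # Switch 1 reclaims after recovery
    print(scenario(sw2_preempt=True, decrement=3))       # 102 still beats 100: no failover
```

The last case shows a common configuration slip: the decrement has to be larger than the priority gap between the two gateways, otherwise tracking never triggers a failover.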
Real World Implementation
In production networks, Cisco Catalyst switches also support Enhanced Object Tracking (EOT), which can be used with any FHRP (i.e. HSRP, VRRP, and GLBP). Enhanced Object Tracking allows administrators to configure the switch to track the following parameters:
- The IP routing state of an interface
- IP route reachability
- The threshold of IP-Route metrics
- IP SLAs operations
FHRPs, such as HSRP, can be configured to track these enhanced objects, allowing for greater flexibility when implementing FHRP failover situations. For example, using EOT, the active HSRP router could be configured to decrement its priority value by a certain amount if a network or host route was not reachable (i.e. present in the routing table). EOT is beyond the scope of the SWITCH exam requirements and will not be illustrated in the configuration examples.
HSRP Load Balancing
HSRP allows administrators to configure multiple HSRP groups on physical interfaces to allow for load balancing. By default, when HSRP is configured between two gateways, only one gateway actively forwards traffic for that group at any given time. This can result in wasted bandwidth for the standby gateway link. This is illustrated below in Figure 15:
Fig. 15. A Network without HSRP Load Balancing
In Figure 15, two HSRP groups are configured between Switch 1 and Switch 2. Switch 1 has been configured as the active (primary) gateway for both groups – based on the higher priority value. Switch 1 and Switch 2 are connected to R1 and R2, respectively. These routers are both connected to the Internet via T3/E3 dedicated lines. Because Switch 1 is the active gateway for both groups, it will forward traffic for both groups until such time that it fails and Switch 2 assumes the role of active (primary) gateway.
While this does satisfy the redundancy needs of the network, it also results in the expensive T3/E3 link on R2 remaining idle until Switch 2 becomes the active gateway and begins to forward traffic through it. Naturally, this represents a wasted amount of bandwidth.
By configuring multiple HSRP groups, each using a different active gateway, administrators can effectively prevent the unnecessary waste of resources and load balance between Switch 1 and Switch 2. This is illustrated below in Figure 16:
Fig. 16. A Network Using HSRP for Load Balancing
By configuring Switch 1 as the active gateway for HSRP Group 1 and Switch 2 as the active gateway for HSRP Group 2, administrators can allow traffic from these two groups to be load balanced between Switch 1 and Switch 2, and ultimately across the two dedicated T3/E3 WAN connections. Each switch then backs up the other’s group. For example, Switch 1 will assume the role of active gateway for Group 2 if Switch 2 fails, and vice versa.
Real World Implementation
In production networks, it is important to remember that creating multiple HSRP groups may result in increased gateway CPU utilization, as well as increased network utilization due to HSRP message exchanges. Cisco Catalyst switches, such as the Catalyst 4500 and 6500 series switches, support the implementation of HSRP client groups.
In the previous section, we learned that HSRP allows for the configuration of multiple groups on a single gateway interface. The primary issue with running many different HSRP groups on the gateway interface is that it increases CPU utilization on the gateway and may potentially also increase the amount of network traffic, given the 3-second Hello interval used by HSRP.
To address this potential issue, HSRP also allows for the configuration of client or slave groups. These are simply HSRP groups that are configured to follow a master HSRP group and that do not participate in the HSRP election. These client or slave groups follow the operation and HSRP status of the master group and, therefore, do not need to exchange periodic Hello packets themselves. This reduces CPU and network utilization when using multiple HSRP groups.
However, it should be noted that client groups send periodic messages in order to refresh their virtual MAC addresses in switches. The refresh message may be sent at a much lower frequency compared with the protocol election messages sent by the master group. While the configuration of client groups is beyond the scope of the SWITCH exam requirements, the following output illustrates the configuration of two client groups, which are configured to follow master group HSRP Group 1, also named the SWITCH-HSRP group:
Gateway-1(config)#interface vlan 100
Gateway-1(config-if)#ip address 192.168.1.1 255.255.255.0
Gateway-1(config-if)#ip address 172.16.31.1 255.255.255.0 secondary
Gateway-1(config-if)#ip address 10.100.10.1 255.255.255.0 secondary
Gateway-1(config-if)#standby 1 ip 192.168.1.254
Gateway-1(config-if)#standby 1 name SWITCH-HSRP
Gateway-1(config-if)#standby 2 ip 172.16.31.254
Gateway-1(config-if)#standby 2 follow SWITCH-HSRP
Gateway-1(config-if)#standby 3 ip 10.100.10.254
Gateway-1(config-if)#standby 3 follow SWITCH-HSRP
Gateway-1(config-if)#exit
In the configuration in the above output, Group 1 is configured as the master HSRP group and Groups 2 and 3 are configured as client or slave HSRP groups.
Configuring HSRP on the Gateway
The following steps are required to configure HSRP on the gateway:
- Configure the correct IP address and mask for the gateway interface using the ip address [address] [mask] [secondary] interface configuration command.
- Create an HSRP group on the gateway interface and assign the group the virtual IP address via the standby [number] ip [virtual address] [secondary] interface configuration command. The [secondary] keyword specifies the IP address as a secondary gateway IP address for the specified group.
- Optionally, assign the HSRP group a name using the standby [number] name [name] interface configuration command.
- Optionally, if you want to control the election of the active gateway, configure the group priority via the standby [number] priority [value] interface configuration command.
The following HSRP configuration outputs in this section will be based on the network below in Figure 17:
Fig. 17. HSRP Configuration Examples Topology
NOTE: It is assumed that the VLAN and trunking configuration between VTP-Server-1 and VTP-Server-2 is already in place and the switches are successfully able to ping each other across VLAN 172. For brevity, this configuration output will be omitted from the configuration examples.
VTP-Server-1(config)#interface vlan 172
VTP-Server-1(config-if)#ip address 172.16.31.1 255.255.255.0
VTP-Server-1(config-if)#standby 1 ip 172.16.31.254
VTP-Server-1(config-if)#standby 1 priority 105
VTP-Server-1(config-if)#exit
NOTE: No priority value is manually assigned for the HSRP configuration applied to VTP-Server-2. By default, HSRP will use a priority value of 100, allowing VTP-Server-1, with a priority value of 105, to win the election and to be elected the primary gateway for the HSRP group.
Once implemented, HSRP configuration may be validated using the show standby [interface brief] command. The show standby brief command is shown in the following outputs:
VTP-Server-1#show standby brief
                    P indicates configured to preempt.
                    |
Interface   Grp Pri P State    Active          Standby         Virtual IP
Vl172       1   105   Active   local           172.16.31.2     172.16.31.254
VTP-Server-2#show standby brief
                    P indicates configured to preempt.
                    |
Interface   Grp Pri P State    Active          Standby         Virtual IP
Vl172       1   100   Standby  172.16.31.1     local           172.16.31.254
Based on this configuration, VTP-Server-2 will become the active gateway for this group only if VTP-Server-1 fails. Additionally, because preemption is not configured, when VTP-Server-1 comes back online, it will not be able to assume forcefully the role of active gateway, even though it has a higher priority for the HSRP group than that being used on VTP-Server-2.
Configuring HSRP Preemption
Preemption allows a gateway to assume forcefully the role of active gateway if it has a higher priority than the current active gateway. HSRP preemption is configured using the standby [number] preempt command. This configuration is illustrated on VTP-Server-1 in the following output:
VTP-Server-1(config)#interface vlan 172
VTP-Server-1(config-if)#standby 1 preempt
The show standby [interface [name]|brief] command is also used to verify that preemption has been configured on a gateway. This is illustrated by the ‘P’ shown in the output of the show standby brief command below:
VTP-Server-1#show standby brief
                    P indicates configured to preempt.
                    |
Interface   Grp Pri P State    Active          Standby         Virtual IP
Vl172       1   105 P Active   local           172.16.31.2     172.16.31.254
Based on this modification, if VTP-Server-1 did fail and VTP-Server-2 assumed the role of active gateway for VLAN 172, VTP-Server-1 could forcibly reassume that role once it reinitializes. When configuring preemption, Cisco IOS software allows you to specify the duration the switch must wait before it preempts and forcibly reassumes the role of active gateway.
By default, this happens immediately. However, it may be adjusted using the standby [number] preempt delay [minimum|reload|sync] interface configuration command. The [minimum] keyword is used to specify the minimum amount of time to wait (seconds) before preemption. The following output shows how to configure the gateway to wait 30 seconds before preemption:
VTP-Server-1(config)#interface vlan 172
VTP-Server-1(config-if)#standby 1 preempt delay minimum 30
This configuration may be validated using the show standby [interface] command. This is illustrated in the following output:
VTP-Server-1#show standby vlan 172
Vlan172 - Group 1
  State is Active
    5 state changes, last state change 00:00:32
  Virtual IP address is 172.16.31.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.636 secs
  Preemption enabled, delay min 30 secs
  Active router is local
  Standby router is 172.16.31.2, priority 100 (expires in 8.629 sec)
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Vl172-1" (default)
The [reload] keyword is used to specify the amount of time the gateway should wait after it initializes following a reload. The [sync] keyword is used in conjunction with IP redundancy clients. This configuration is beyond the scope of the SWITCH exam requirements.
Configuring HSRP Interface Tracking
HSRP interface tracking allows administrators to configure HSRP in order to track the state of interfaces and decrement the current priority value by the default value (10) or a preconfigured value, allowing another gateway to assume the role of primary gateway for the specified HSRP group.
In the following output, VTP-Server-1 is configured to track the state of interface GigabitEthernet5/1, which is connected to an imaginary WAN router. In the event that the state of that interface transitions to ‘down,’ the gateway will decrement its priority value by 10 (which is the default):
VTP-Server-1(config)#interface vlan 172
VTP-Server-1(config-if)#standby 1 track gigabitethernet 5/1
This configuration may be validated using the show standby [interface] command. This is illustrated in the following output:
VTP-Server-1#show standby vlan 172
Vlan172 - Group 1
  State is Active
    5 state changes, last state change 00:33:22
  Virtual IP address is 172.16.31.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.085 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.31.2, priority 100 (expires in 7.616 sec)
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Vl172-1" (default)
  Priority tracking 1 interfaces or objects, 1 up:
    Interface or object        Decrement  State
    GigabitEthernet5/1         10         Up
To configure the gateway to decrement its priority value by 50, for example, the standby [number] track [interface] [decrement value] command can be issued as shown in the following output:
VTP-Server-1(config)#interface vlan 172
VTP-Server-1(config-if)#standby 1 track gigabitethernet 5/1 50
This configuration may be validated using the show standby [interface] command. This is illustrated in the following output:
VTP-Server-1#show standby vlan 172
Vlan172 - Group 1
  State is Active
    5 state changes, last state change 00:33:22
  Virtual IP address is 172.16.31.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.085 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.31.2, priority 100 (expires in 7.616 sec)
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Vl172-1" (default)
  Priority tracking 1 interfaces or objects, 1 up:
    Interface or object        Decrement  State
    GigabitEthernet5/1         50         Up
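The interaction between priority, tracking decrements and preemption described in the two sections above can be checked with a small model. This is an added example, not Cisco code or part of the original lab; the address 172.16.31.1 for VTP-Server-1 and the rule that an equal priority leaves the current active gateway in place are assumptions of the model, and preempt delay is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    ip: str
    priority: int = 100      # HSRP default priority
    preempt: bool = False    # 'standby N preempt'
    up: bool = True          # False while the whole switch is down
    # tracked interface -> [decrement, link_is_up]  ('standby N track IF [dec]')
    tracked: dict = field(default_factory=dict)

    def effective_priority(self) -> int:
        lost = sum(dec for dec, link_up in self.tracked.values() if not link_up)
        return max(self.priority - lost, 0)


def _rank(gw):
    # With no active gateway, highest priority wins and highest IP breaks a tie.
    return gw.effective_priority(), tuple(int(o) for o in gw.ip.split("."))


def next_active(gateways, current=None):
    """Return the name of the active gateway after one re-evaluation."""
    alive = [g for g in gateways if g.up]
    if not alive:
        return None
    incumbent = next((g for g in alive if g.name == current), None)
    if incumbent is None:                      # first election, or active died
        return max(alive, key=_rank).name
    # A running active is displaced only by a peer that has preempt configured
    # AND a strictly higher effective priority (model assumption for ties).
    challengers = [g for g in alive
                   if g is not incumbent and g.preempt
                   and g.effective_priority() > incumbent.effective_priority()]
    return max(challengers, key=_rank).name if challengers else incumbent.name


def walk_through():
    """Replay the page's VLAN 172 values; 172.16.31.1 is a constructed address."""
    uplink = [10, True]                        # default decrement of 10
    s1 = Gateway("VTP-Server-1", "172.16.31.1", priority=105, preempt=True,
                 tracked={"GigabitEthernet5/1": uplink})
    s2 = Gateway("VTP-Server-2", "172.16.31.2")
    pair, log, active = [s1, s2], [], None

    def step(label):
        nonlocal active
        active = next_active(pair, active)
        log.append((label, active))

    step("initial election (105 vs 100)")
    uplink[1] = False
    step("uplink down, peer without preempt (95 vs 100)")
    s2.preempt = True
    step("uplink down, peer with preempt")
    uplink[1] = True
    step("uplink restored, VTP-Server-1 preempts")
    uplink[0], uplink[1] = 3, False
    step("decrement of 3 is too small (102 vs 100)")
    uplink[0] = 50
    step("decrement of 50 (55 vs 100)")
    uplink[1], s1.preempt = True, False
    step("uplink restored, preempt removed on VTP-Server-1")
    return log


if __name__ == "__main__":
    for label, active in walk_through():
        print(f"{label:50} -> {active}")
```

The second and fifth steps are the ones that catch people out: tracking only moves the active role if the peer is allowed to preempt and the decrement is larger than the priority gap.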
Configuring the HSRP Version
As stated previously in this chapter, by default, when HSRP is enabled, version 1 is enabled. HSRP version 2 can be manually enabled using the standby version [1|2] interface configuration command. HSRP version 2 configuration is illustrated in the following output:
VTP-Server-1(config)#interface vlan 172
VTP-Server-1(config-if)#standby version 2
This configuration may be validated using the show standby [interface] command. This is illustrated in the following output:
VTP-Server-1#show stand vlan 172
Vlan172 - Group 1 (version 2)
  State is Active
    5 state changes, last state change 00:43:42
  Virtual IP address is 172.16.31.254
  Active virtual MAC address is 0000.0c9f.f001
    Local virtual MAC address is 0000.0c9f.f001 (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.419 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.31.2, priority 100 (expires in 4.402 sec)
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Vl172-1" (default)
Enabling HSRP version 2 automatically changes the MAC address range used by HSRP from an address in the 0000.0C07.ACxx range to one in the 0000.0C9F.F000 to 0000.0C9F.FFFF range. It is therefore important to understand that this may cause some packet loss in a production network, as devices must learn the new MAC address of the gateway. Such changes are always recommended during a maintenance window or planned outage window.
Configuring the HSRP Timers
HSRP timers are configured using the standby [number] timers [[hello-time][hold-time]|msec [hello-time][hold-time]|msec[hold-time]] interface configuration command. The [msec] keyword allows administrators to configure timer values in milliseconds (ms).
If the timer values are not configured using this keyword, they will be configured in seconds. The following output illustrates how to configure a Hello time of 5 seconds and a Hold time of 15 seconds for HSRP Group 1:
VTP-Server-1(config)#interface vlan 172
VTP-Server-1(config-if)#standby 1 timers 5 15
This configuration may be validated using the show standby [interface] command. This is illustrated in the following output:
VTP-Server-1#show standby vlan 172
Vlan172 - Group 1
  State is Active
    5 state changes, last state change 00:54:12
  Virtual IP address is 172.16.31.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 5 sec, hold time 15 sec
    Next hello sent in 1.463 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.31.2, priority 100 (expires in 11.599 sec)
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Vl172-1" (default)
The following output illustrates how to configure Hello and Hold timers of 15 and 60 ms, respectively, for HSRP Group 1:
VTP-Server-1(config)#interface vlan 172
VTP-Server-1(config-if)#standby 1 timers msec 15 msec 60
This configuration may be validated using the show standby [interface] command. The output of this command based on this configuration is illustrated as follows:
VTP-Server-1#show standby vlan 172
Vlan172 - Group 1
  State is Active
    5 state changes, last state change 00:56:34
  Virtual IP address is 172.16.31.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 15 msec, hold time 60 msec
    Next hello sent in 0.007 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.31.2, priority 100 (expires in 0.048 sec)
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Vl172-1" (default)
Configuring HSRP Plain Text Authentication
By default, plain-text authentication is enabled for HSRP using the default password ‘cisco.’ Cisco IOS software allows administrators to configure a different plain-text password using the standby authentication text [password] or standby [number] authentication text [password] interface configuration commands.
NOTE: If you do not issue the HSRP group number, authentication will be configured for all configured HSRP groups on the interface using the password specified. The group number allows you to configure a different text password for each HSRP group.
The following outputs illustrate how to configure a plain text password of SWITCH for HSRP Group 1:
VTP-Server-1(config)#interface vlan 172
VTP-Server-1(config-if)#standby 1 authentication text SWITCH
VTP-Server-2(config)#interface vlan 172
VTP-Server-2(config-if)#standby 1 authentication text SWITCH
This configuration may be validated using the show standby [interface] command. The output of this command based on this configuration is illustrated as follows:
VTP-Server-1#show standby
Vlan172 - Group 1
  State is Active
    2 state changes, last state change 01:54:48
  Virtual IP address is 172.16.31.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 15 msec, hold time 60 msec
    Next hello sent in 0.000 secs
  Authentication text, string "SWITCH"
  Preemption enabled
  Active router is local
  Standby router is 172.16.31.2, priority 100 (expires in 0.052 sec)
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Vl172-1" (default)
Configuring HSRP MD5 Authentication
Cisco IOS software allows administrators to configure MD5 authentication for HSRP with or without a key chain. The standby authentication md5 key-string [password] or standby [number] authentication md5 key-string [password] interface configuration commands are used to configure HSRP MD5 authentication without configuring a key chain.
NOTE: If you do not issue the HSRP group number, authentication will be configured for all configured HSRP groups on the interface using the password specified. The group number allows you to configure a different password for each HSRP group.
The following outputs illustrate how to configure an MD5 password of SWITCH for HSRP Group 1:
VTP-Server-1(config)#interface vlan 172
VTP-Server-1(config-if)#standby 1 authentication md5 key-string SWITCH
VTP-Server-2(config)#interface vlan 172
VTP-Server-2(config-if)#standby 1 authentication md5 key-string SWITCH
This configuration may be validated using the show standby [interface] command. The output of this command based on this configuration is illustrated as follows:
VTP-Server-1#show standby
Vlan172 - Group 1
  State is Active
    2 state changes, last state change 01:59:41
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 15 msec, hold time 60 msec
    Next hello sent in 0.007 secs
  Authentication MD5, key-string
  Preemption enabled
  Active router is local
  Standby router is 172.16.31.2, priority 100 (expires in 0.040 sec)
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Vl172-1" (default)
NOTE: Notice that when MD5 authentication is enabled, the password string is not displayed in the output of the show standby [interface] command. The only way to view the configured password is to issue the show running-config [interface][name] command on the switch.
The configuration of HSRP using key chains requires the use of additional global configuration commands to create the key chain, which are then associated with the HSRP authentication. Key chains contain the keys that are configured with the actual password to be used for authentication. Think of a key chain as something of an authentication route-map. The route-map itself does nothing, but it is required in order to be able to create match and set clauses that perform the required actions.
Similarly, the key chain is required to be able to configure the keys, which contain the actual passwords that are used for routing protocol authentication. The keys do not have to be the same on the gateways on which authentication is being configured; however, the password in the keys (the key-string) must be the same in order for authentication to be successful. The following steps describe the configuration commands required to configure key chains in Cisco IOS software:
- Configure and name the key chain to be used for authentication using the key chain [name] global configuration command.
- Configure a key for the key chain. Multiple keys may be configured for each key chain. The key is configured using the key [number] key-chain key configuration command. The valid [number] range is 0 to 2147483647, though this may vary depending on IOS image or platform.
- Configure a password (secret) for the key using the key-string [password] key-chain key configuration command.
- Optionally, configure advanced key lifetime parameters using the send-lifetime and accept-lifetime key-chain key configuration commands.
NOTE: You are not expected to perform advanced key chain configuration using the send-lifetime and accept-lifetime key-chain key configuration commands. More information on these commands can be found in the CCNP certification guide on www.howtonetwork.com, under the EIGRP configuration section.
The following outputs illustrate how to configure an MD5 password of SWITCH for HSRP Group 1 using key chains on VTP-Server-1 and VTP-Server-2:
VTP-Server-1(config)#key chain VTP-Server-1-HSRP-Key-Chain
VTP-Server-1(config-keychain)#key 1
VTP-Server-1(config-keychain-key)#key-string SWITCH
VTP-Server-1(config-keychain-key)#exit
VTP-Server-1(config-keychain)#exit
VTP-Server-1(config)#interface vlan 172
VTP-Server-1(config-if)#standby 1 authentication md5 key-chain VTP-Server-1-HSRP-Key-Chain
VTP-Server-1(config-if)#exit
VTP-Server-2(config)#key chain VTP-Server-2-HSRP-Key-Chain
VTP-Server-2(config-keychain)#key 1
VTP-Server-2(config-keychain-key)#key-string SWITCH
VTP-Server-2(config-keychain-key)#exit
VTP-Server-2(config-keychain)#exit
VTP-Server-2(config)#interface vlan 172
VTP-Server-2(config-if)#standby 1 authentication md5 key-chain VTP-Server-2-HSRP-Key-Chain
VTP-Server-2(config-if)#exit
NOTE: Notice that although the key chain names on both switches are different, both keys are using the same key number and the same key string (password).
This configuration may be validated using the show standby [interface] command. The output of this command based on this configuration is illustrated as follows:
VTP-Server-2#show standby
Vlan172 - Group 1
  State is Standby
    79 state changes, last state change 00:02:00
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 15 msec, hold time 60 msec
    Next hello sent in 0.000 secs
  Authentication MD5, key-chain "VTP-Server-2-HSRP-Key-Chain"
  Preemption enabled, delay min 30 secs
  Active router is 192.168.1.1, priority 105 (expires in 0.012 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Vl172-1" (default)
In the output above, on the standby router, we can see that HSRP is using a named key chain for authentication. However, the password in that key chain is not shown, for security purposes. To view the configured key or keys, use the show key chain [name] command as illustrated in the following output:
VTP-Server-2#show key chain
Key-chain VTP-Server-2-HSRP-Key-Chain:
    key 1 -- text "SWITCH"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
NOTE: Once a key chain has been configured and applied, all keys are immediately activated and the passwords used in those keys are used for authentication. This default behavior can be adjusted using the accept-lifetime and send-lifetime commands.
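One way to review the three authentication styles above (plain text, MD5 key-string, MD5 key-chain) across a saved configuration is a short audit script. This is an added example, not part of the original lab; the sample configuration is constructed, the key-chain name HSRP-KEYS and interface Vlan300 are hypothetical, and only standby commands with an explicit group number are parsed.

```python
import re

# Constructed excerpt in 'show running-config' form. Vlan100 and Vlan200 follow
# the lab's DLS1 output; the key-chain name and all of Vlan300 are made up.
SAMPLE_CONFIG = """\
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 standby version 2
 standby 100 ip 192.168.100.254
 standby 100 priority 105
 standby 100 preempt
 standby 100 authentication CISCO
!
interface Vlan172
 standby 1 ip 172.16.31.254
 standby 1 authentication md5 key-chain HSRP-KEYS
!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 standby version 2
 standby 200 ip 192.168.200.254
 standby 200 authentication md5 key-string CISCO
!
interface Vlan300
 ip address 192.168.30.1 255.255.255.0
 standby 30 ip 192.168.30.254
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
STANDBY_RE = re.compile(r"^\s+standby\s+(\d+)\s+(\S+)\s*(.*)$")

# Severity is this example's own ranking, not a Cisco rating.
RATING = {
    "default-text": ("HIGH", "no authentication line, so the default plain-text string applies"),
    "text": ("HIGH", "plain-text string, printed by 'show standby'"),
    "md5-key-string": ("LOW", "MD5, secret held inline in the interface configuration"),
    "md5-key-chain": ("OK", "MD5 via key chain, review it with 'show key chain'"),
}


def classify_auth(args):
    """Map the words after 'authentication' to one of the RATING keys."""
    words = args.split()
    if words and words[0] == "md5":
        return "md5-key-chain" if words[1:2] == ["key-chain"] else "md5-key-string"
    # 'text SWITCH' as typed, or the bare 'CISCO' form shown in running-config
    return "text"


def parse_hsrp_groups(config):
    """Return {(interface, group): {'vip': str|None, 'auth': mode}}."""
    groups, iface = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        if not line.startswith(" "):      # '!' or a global command ends the block
            iface = None
            continue
        m = STANDBY_RE.match(line)
        if iface is None or m is None:    # also skips 'standby version 2'
            continue
        number, keyword, args = int(m.group(1)), m.group(2), m.group(3)
        entry = groups.setdefault((iface, number),
                                  {"vip": None, "auth": "default-text"})
        if keyword == "ip" and args:
            entry["vip"] = args.split()[0]
        elif keyword == "authentication":
            entry["auth"] = classify_auth(args)
    return groups


def audit(config):
    """One finding per HSRP group; the secret itself is never echoed."""
    findings = []
    for (iface, number), entry in sorted(parse_hsrp_groups(config).items()):
        severity, note = RATING[entry["auth"]]
        findings.append((iface, number, entry["auth"], severity, note))
    return findings


if __name__ == "__main__":
    for iface, number, mode, severity, note in audit(SAMPLE_CONFIG):
        print(f"{severity:4} {iface} group {number}: {note}")
```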
Debugging Hot Standby Router Protocol
Although FHRP debugging and troubleshooting will be covered in detail in the TSHOOT guide, the debug standby command can be used to debug HSRP operation. The options that are available with this command are shown in the following output:
VTP-Server-1#debug standby ?
  errors   HSRP errors
  events   HSRP events
  packets  HSRP packets
  terse    Display limited range of HSRP errors, events and packets
  <cr>
Hot Standby Router Protocol (HSRP) Lab
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to implement and verify the operation of the Cisco Hot Standby Router Protocol. This lab will NOT work on Cisco Packet Tracer. Use your home rack or live Cisco racks.
Lab Topology:
IMPORTANT NOTE
If you are using the www.howtonetwork.com racks, please begin each and every lab by shutting down all interfaces on all switches and then manually re-enabling the interfaces that are illustrated in this topology.
Task 1
Configure VTP domain name FHRP for all switches. Enable VTP v2 on all switches. Configure a VTP password of REDUNDANCY on all switches. Disable VTP on all switches
Task 2
Configure an LACP Etherchannel between switches DLS1 and DLS2. This Etherchannel should be configured as an ISL trunk
Task 3
Configure 802.1Q trunks on the switches within the network as follows:
- Configure an 802.1Q trunk between DLS1 and ALS1
- Configure an 802.1Q trunk between DLS1 and ALS2
- Configure an 802.1Q trunk between DLS2 and ALS1
- Configure an 802.1Q trunk between DLS2 and ALS2
Task 4
Configure Switched Virtual Interfaces on the Distribution layer switches as follows:
- Configure SVI 100 on switch DLS1. Assign this interface IP address 192.168.100.1/24
- Configure SVI 100 on switch DLS2. Assign this interface IP address 192.168.100.2/24
- Configure SVI 200 on switch DLS1. Assign this interface IP address 192.168.200.1/24
- Configure SVI 200 on switch DLS2. Assign this interface IP address 192.168.200.2/24
Verify that the Distribution layer switches can ping each other using these SVIs
Task 5
Configure Switched Virtual Interfaces on the Access layer switches as follows:
- Configure SVI 100 on switch ALS1. Assign this interface IP address 192.168.100.5/24
- Configure SVI 200 on switch ALS2. Assign this interface IP address 192.168.200.5/24
Configure the switches with a gateway address of 192.168.100.254 (ALS1) and 192.168.200.254 (ALS2). Verify that the Access layer switches can ping both of the distribution switches
Task 6
Configure HSRP between switches DLS1 and DLS2 as follows:
- Ensure that HSRP uses IP Multicast group address 224.0.0.102 to send packets
- Configure HSRP group 100 for SVI 100
- Authenticate HSRP using the password CISCO for plain text authentication
- Configure switch DLS1 as the primary (active) gateway using any priority value
- Configure HSRP to use a virtual address of 192.168.100.254
- Switch DLS1 should assume the role of active (primary) switch upon re-initialization
Verify your configuration using the appropriate commands
Task 7
Configure HSRP between switches DLS1 and DLS2 as follows:
- Ensure that HSRP uses IP Multicast group address 224.0.0.102 to send packets
- Configure HSRP group 200 for SVI 200
- Authenticate HSRP using the password CISCO for MD5 authentication
- Configure switch DLS2 as the primary (active) gateway using any priority value
- Configure HSRP to use a virtual address of 192.168.100.254
- Switch DLS2 should assume the role of active (primary) switch upon re-initialization
Verify your configuration using the appropriate commands
Task 8
Synchronize your Layer 2 and Layer 3 topologies using best practices
Task 9
Configure the Access layer switches so that the backup port transitions to the Forwarding state in less than 5 seconds after the switch has detected that the primary link has failed. You are required to only use a single command to complete this task
Lab Validation
Task 1
DLS1(config)#vtp domain FHRP
DLS1(config)#vtp password REDUNDANCY
DLS1(config)#vtp mode transparent
DLS2(config)#vtp domain FHRP
DLS2(config)#vtp password REDUNDANCY
DLS2(config)#vtp mode transparent
ALS1(config)#vtp domain FHRP
ALS1(config)#vtp password REDUNDANCY
ALS1(config)#vtp mode transparent
ALS2(config)#vtp domain FHRP
ALS2(config)#vtp password REDUNDANCY
ALS2(config)#vtp mode transparent
Task 2
DLS1(config)#interface range f0/11 - 12
DLS1(config-if-range)#switchport
DLS1(config-if-range)#switchport trunk encapsulation isl
DLS1(config-if-range)#switchport mode trunk
DLS1(config-if-range)#channel-group 1 mode on
Creating a port-channel interface Port-channel 1
DLS1(config-if-range)#no shutdown
DLS1(config-if-range)#exit
DLS2(config)#interface range f0/11 - 12
DLS2(config-if-range)#switchport
DLS2(config-if-range)#switchport trunk encap isl
DLS2(config-if-range)#switchport mode trunk
DLS2(config-if-range)#channel-group 1 mode on
Creating a port-channel interface Port-channel 1
DLS2(config-if-range)#no shutdown
DLS2(config-if-range)#exit
Verify your configuration as follows:
DLS1#show etherchannel 1 summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 1
Number of aggregators:           1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------------
1      Po1(SU)          -        Fa0/11(P)   Fa0/12(P)
DLS2#show etherchannel 1 summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 1
Number of aggregators:           1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-------------------------------------------
1      Po1(SU)          -        Fa0/11(P)   Fa0/12(P)
Task 3
DLS1(config)#int range f0/7 , f0/9
DLS1(config-if-range)#switchport
DLS1(config-if-range)#switchport trunk encapsulation dot1q
DLS1(config-if-range)#switchport mode trunk
DLS1(config-if-range)#no shut
DLS1(config-if-range)#exit
DLS2(config)#int range f0/7 , f0/9
DLS2(config-if-range)#switchport
DLS2(config-if-range)#switchport trunk encapsulation dot1q
DLS2(config-if-range)#switchport mode trunk
DLS2(config-if-range)#no shutdown
DLS2(config-if-range)#exit
ALS1(config)#int range f0/7 , f0/9
ALS1(config-if-range)#switchport mode trunk
ALS1(config-if-range)#no shut
ALS1(config-if-range)#exit
ALS2(config)#int range f0/7 , f0/9
ALS2(config-if-range)#switchport mode trunk
ALS2(config-if-range)#no shutdown
ALS2(config-if-range)#exit
Task 4
DLS1(config)#vlan 100,200
DLS1(config-vlan)#exit
DLS1(config)#interface vlan 100
DLS1(config-if)#ip address 192.168.100.1 255.255.255.0
DLS1(config-if)#exit
DLS1(config)#interface vlan 200
DLS1(config-if)#ip address 192.168.200.1 255.255.255.0
DLS1(config-if)#no shut
DLS1(config-if)#
DLS2(config)#vlan 100,200
DLS2(config-vlan)#exit
DLS2(config)#interface vlan 100
DLS2(config-if)#ip address 192.168.100.2 255.255.255.0
DLS2(config-if)#no shutdown
DLS2(config-if)#exit
DLS2(config)#interface vlan 200
DLS2(config-if)#ip address 192.168.200.2 255.255.255.0
DLS2(config-if)#no shutdown
DLS2(config-if)#exit
Verify your configuration as follows:
DLS1#ping 192.168.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
DLS1#ping 192.168.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
DLS2#ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
DLS2#ping 192.168.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Task 5
ALS1(config)#vlan 100
ALS1(config-vlan)#exit
ALS1(config)#interface vlan 100
ALS1(config-if)#ip address 192.168.100.5 255.255.255.0
ALS1(config-if)#no shutdown
ALS1(config-if)#exit
ALS1(config)#ip default-gateway 192.168.100.254
ALS2(config)#vlan 200
ALS2(config-vlan)#exit
ALS2(config)#interface vlan 200
ALS2(config-if)#ip address 192.168.200.5 255.255.255.0
ALS2(config-if)#no shut
ALS2(config-if)#exit
ALS2(config)#ip default-gateway 192.168.200.254
Verify your configuration as follows:
ALS1#ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
ALS2#ping 192.168.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
Task 6
DLS1(config)#int vlan 100
DLS1(config-if)#standby version 2
DLS1(config-if)#standby 100 authentication text CISCO
DLS1(config-if)#standby 100 priority 105
DLS1(config-if)#standby 100 ip 192.168.100.254
DLS1(config-if)#standby 100 preempt
DLS1(config-if)#exit
DLS2(config)#interface vlan 100
DLS2(config-if)#standby version 2
DLS2(config-if)#standby 100 authentication text CISCO
DLS2(config-if)#standby 100 ip 192.168.100.254
DLS2(config-if)#exit
Verify your configuration as follows:
DLS1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Vl100       100  105    Active  local           192.168.100.2   192.168.100.254
DLS2#show standby
Vlan100 - Group 100 (version 2)
  State is Standby
    1 state change, last state change 00:00:21
  Virtual IP address is 192.168.100.254
  Active virtual MAC address is 0000.0c9f.f064
    Local virtual MAC address is 0000.0c9f.f064 (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.620 secs
  Authentication text "CISCO"
  Preemption disabled
  Active router is 192.168.100.1, priority 105 (expires in 8.748 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Vl100-100" (default)
Task 7
DLS1(config)#interface vlan 200
DLS1(config-if)#standby version 2
DLS1(config-if)#standby 200 authentication md5 key-string CISCO
DLS1(config-if)#standby 200 ip 192.168.200.254
DLS1(config-if)#exit
DLS2(config)#int vlan 200
DLS2(config-if)#standby version 2
DLS2(config-if)#standby 200 authentication md5 key-string CISCO
DLS2(config-if)#standby 200 ip 192.168.200.254
DLS2(config-if)#standby 200 preempt
DLS2(config-if)#standby 200 priority 105
DLS2(config-if)#exit
Verify your configuration as follows:
DLS1#show stand brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Vl100       100  105  P Active  local           192.168.100.2   192.168.100.254
Vl200       200  100    Standby 192.168.200.2   local           192.168.200.254
DLS2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Vl100       100  100    Standby 192.168.100.1   local           192.168.100.254
Vl200       200  105  P Active  local           192.168.200.1   192.168.200.254
Task 8
DLS1(config)#spanning-tree vlan 100 priority 0
DLS2(config)#spanning-tree vlan 200 priority 0
Task 9
ALS1(config)#spanning-tree uplinkfast
ALS2(config)#spanning-tree uplinkfast
Verify your configuration as follows:
ALS1#show spanning-tree vlan 100
VLAN0100
  Spanning tree enabled protocol ieee
  Root ID    Priority    100
             Address     000d.291e.7f00
             Cost        3019
             Port        7 (FastEthernet0/7)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    49252  (priority 49152 sys-id-ext 100)
             Address     000b.5f9e.4dc0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
  Uplinkfast enabled
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/7            Root FWD 3019      128.7    P2p
Fa0/9            Altn BLK 3019      128.9    P2p
ALS1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is enabled
BackboneFast                 is disabled
Pathcost method used         is short
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     1         0        0          1          2
VLAN0100                     1         0        0          1          2
---------------------- -------- --------- -------- ---------- ----------
2 vlans                      2         0        0          2          4
Station update rate set to 150 packets/sec.
UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 2
Number of proxy multicast addresses transmitted (all VLANs) : 8
ALS2#show spanning-tree vlan 200
VLAN0200
  Spanning tree enabled protocol ieee
  Root ID    Priority    200
             Address     000f.24ce.0d80
             Cost        3019
             Port        7 (FastEthernet0/7)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    49352  (priority 49152 sys-id-ext 200)
             Address     0008.21a9.4f80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
  Uplinkfast enabled
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/7            Root FWD 3019      128.7    P2p
Fa0/9            Altn BLK 3019      128.9    P2p
ALS2#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is enabled
BackboneFast                 is disabled
Pathcost method used         is short
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     1         0        0          1          2
VLAN0200                     1         0        0          1          2
---------------------- -------- --------- -------- ---------- ----------
2 vlans                      2         0        0          2          4
Station update rate set to 150 packets/sec.
UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0
Final Switch Configurations
DLS1
DLS1#show running-config
Building configuration…
Current configuration : 4836 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname DLS1
!
!
no aaa new-model
no standby redirect
ip subnet-zero
ip routing
!
vtp domain FHRP
vtp mode transparent
!
!
!
!
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 100 priority 0
!
vlan internal allocation policy ascending
!
vlan 100,200
!
!
interface Port-channel1
 switchport trunk encapsulation isl
 switchport mode trunk
!
interface FastEthernet0/1
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/2
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/3
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/4
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/5
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/6
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/8
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/10
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/11
 switchport trunk encapsulation isl
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet0/12
 switchport trunk encapsulation isl
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet0/13
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/14
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/15
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/16
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/17
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/18
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/19
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/20
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/21
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/22
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/23
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/24
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/25
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/26
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/27
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/28
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/29
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/30
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/31
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/32
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/33
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/34
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/35
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/36
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/37
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/38
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/39
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/40
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/41
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/42
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/43
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/44
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/45
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/46
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/47
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/48
 switchport mode dynamic desirable
 shutdown
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 standby version 2
 standby 100 ip 192.168.100.254
 standby 100 priority 105
 standby 100 preempt
 standby 100 authentication CISCO
!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 standby version 2
 standby 200 ip 192.168.200.254
 standby 200 authentication md5 key-string CISCO
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
line vty 0 4
 no login
line vty 5 15
 no login
!
!
end
DLS1#
DLS2
DLS2#show running-config
Building configuration…
Current configuration : 4797 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname DLS2
!
!
no aaa new-model
ip subnet-zero
ip routing
!
vtp domain FHRP
vtp mode transparent
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 200 priority 0
!
vlan internal allocation policy ascending
!
vlan 100,200
!
!
!
!
!
!
interface Port-channel1
 switchport trunk encapsulation isl
 switchport mode trunk
!
interface FastEthernet0/1
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/2
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/3
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/4
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/5
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/6
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/8
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/10
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/11
 switchport trunk encapsulation isl
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet0/12
 switchport trunk encapsulation isl
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet0/13
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/14
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/15
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/16
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/17
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/18
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/19
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/20
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/21
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/22
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/23
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/24
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/25
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/26
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/27
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/28
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/29
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/30
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/31
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/32
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/33
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/34
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/35
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/36
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/37
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/38
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/39
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/40
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/41
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/42
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/43
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/44
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/45
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/46
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/47
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/48
 switchport mode dynamic desirable
 shutdown
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 192.168.100.2 255.255.255.0
 standby version 2
 standby 100 ip 192.168.100.254
 standby 100 authentication CISCO
!
interface Vlan200
 ip address 192.168.200.2 255.255.255.0
 standby version 2
 standby 200 ip 192.168.200.254
 standby 200 priority 105
 standby 200 preempt
 standby 200 authentication md5 key-string CISCO
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end
DLS2#
ALS1
ALS1#show running-config
Building configuration…
Current configuration : 1808 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ALS1
!
no logging console
!
ip subnet-zero
!
no ip domain-lookup
ip ssh time-out 120
ip ssh authentication-retries 3
vtp domain FHRP
vtp mode transparent
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree uplinkfast
!
!
!
!
vlan 100
!
interface FastEthernet0/1
 shutdown
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 switchport mode trunk
!
interface FastEthernet0/8
 switchport mode trunk
!
interface FastEthernet0/9
 switchport mode trunk
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan100
 ip address 192.168.100.5 255.255.255.0
 no ip route-cache
!
interface Vlan200
 ip address 192.168.200.15 255.255.255.0
 no ip route-cache
 shutdown
!
ip default-gateway 192.168.100.254
ip http server
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
end
ALS1#
ALS2
ALS2#show running-config
Building configuration…
Current configuration : 2621 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ALS2
!
no logging console
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
vtp domain FHRP
vtp mode transparent
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree uplinkfast
!
!
!
!
vlan 200
!
interface FastEthernet0/1
 shutdown
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 switchport mode trunk
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 switchport mode trunk
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface FastEthernet0/25
 shutdown
!
interface FastEthernet0/26
 shutdown
!
interface FastEthernet0/27
 shutdown
!
interface FastEthernet0/28
 shutdown
!
interface FastEthernet0/29
 shutdown
!
interface FastEthernet0/30
 shutdown
!
interface FastEthernet0/31
 shutdown
!
interface FastEthernet0/32
 shutdown
!
interface FastEthernet0/33
 shutdown
!
interface FastEthernet0/34
 shutdown
!
interface FastEthernet0/35
 shutdown
!
interface FastEthernet0/36
 shutdown
!
interface FastEthernet0/37
 shutdown
!
interface FastEthernet0/38
 shutdown
!
interface FastEthernet0/39
 shutdown
!
interface FastEthernet0/40
 shutdown
!
interface FastEthernet0/41
 shutdown
!
interface FastEthernet0/42
 shutdown
!
interface FastEthernet0/43
 shutdown
!
interface FastEthernet0/44
 shutdown
!
interface FastEthernet0/45
 shutdown
!
interface FastEthernet0/46
 shutdown
!
interface FastEthernet0/47
 shutdown
!
interface FastEthernet0/48
 shutdown
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan200
 ip address 192.168.200.5 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.200.254
ip http server
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
end
ALS2#
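An added example, not part of the original lab: the Python below reads a running-config and reports which HSRP groups rely on plain-text authentication, whose string travels in the clear in every hello, rather than MD5. The Vlan100 and Vlan200 stanzas are trimmed from the DLS1 configuration above; Vlan300 and all function names are constructed for illustration.

```python
import re

# Vlan100 and Vlan200 are trimmed from the DLS1 configuration above;
# Vlan300 is constructed to show a group with no authentication line.
SAMPLE_CONFIG = """\
interface Vlan100
 standby 100 ip 192.168.100.254
 standby 100 authentication CISCO
!
interface Vlan200
 standby 200 ip 192.168.200.254
 standby 200 authentication md5 key-string CISCO
!
interface Vlan300
 standby 30 ip 192.168.30.254
!
"""

# Matches 'standby [group] ip ...' and 'standby [group] authentication ...'
STANDBY = re.compile(r"^\s+standby\s+(?:(\d+)\s+)?(ip|authentication)\b\s*(.*)$")

def classify(auth_args):
    """Map the arguments of a 'standby authentication' line to a mode."""
    if auth_args is None:
        return "default-text"   # no line: IOS uses the text string "cisco"
    if auth_args.split()[:1] == ["md5"]:
        return "md5"            # keyed MD5 hash, key-string or key-chain
    return "text"               # 'authentication [text] STRING', sent in clear

def audit_hsrp(config):
    """Return {(interface, group): mode} for every HSRP group found."""
    groups, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            iface = None        # any other unindented line ends the block
        elif iface and (m := STANDBY.match(line)):
            key = (iface, int(m.group(1) or 0))   # group defaults to 0
            if m.group(2) == "authentication":
                groups[key] = m.group(3)
            else:
                groups.setdefault(key, None)
    return {key: classify(args) for key, args in groups.items()}

def weak_groups(config):
    """HSRP groups that do not use MD5 authentication."""
    return sorted(k for k, mode in audit_hsrp(config).items() if mode != "md5")
```

Run it against the `show running-config` output of each distribution switch; both members of a group must use the same authentication mode and key.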