FHRP is the first hop redundancy protocols which provides 24*7*365 days active gateways to all hosts configured in DC. There are three FHRP protocols available which we will be discussing here.
- Hot Standby Router Protocol (HSRP)
- Virtual Router Redundancy Protocol (VRRP)
- Gateway Load balancing Protocols.
We will discuss one by one in detail and how it behave in VPC environment.
HSRP is the Cisco Propriety Hot Standby Router Protocol. Which has following characteristics:
- It enables two or more router to provide first-hop redundancy for all IP traffic
- In HSRP one router is Active and one in standby and all other are in listen state,
- Active router is responsible for ARP resolution and forwarding all traffic.
- All the routers/switch participating in HSRP for a Single VLAN must be in same group.
- HSRP can support 16 groups at maximum.
- The Active router has virtual IP address which in turn has Virtual MAC address for ARP resolution.
- If Active router fails then standby will resume the active state with same Virtual MAC address.
- There is no preemption by default, if any point of time, Active Router who was failed comes if U P than it will not resume its status as Active by its own.
- HSRP hello packets are used to elect the Active and Standby router, those who has Highest Priority will become active router and second priority will become standby router on multicast address 184.108.40.206.
- Hello Timer is 3 sec and Hold Down timer is 10 sec.
- Default Priority of router is 100 and if all router has same priority then Highest IP address of device will be used to elect the Active and standby.
- In Nexus HSRP is enabled by enabling feature command.
- In HSRP, HSRP packets can also be secured by HSRP authentication method.
- HSRP uses plain-text or MD5 method to secure its packets.
HSRP/VRRP Behaviour in vPC
Whenever we configure the HSRP and VRRP in vPC domain , it behaves or operates in active-active mode, means all the ARP request and replay are handled by HSRP Active but for data traffic both Active and Standby acts as active-active . From a control plane standpoint, active-standby mode still applies for HSRP/VRRP in context of vPC; the active HSRP/VRRP instance responds to ARP request. HSRP and VRRP operate in active-active mode from data plane standpoint, as opposed to classical active/standby implementation with STP based network.
If any traffic is send to HSRP standby, instead of sending to HSRP Active over vPC peer-link it acts as Active gateway and forwards the traffic to northbound.
The standby HSRP/VRRP vPC peer device just relays the ARP request to active HSRP/VRRP peer device through vPC peer-link.Here also same vMAC is used as Gateway MAC address at both Active and Standby switch. You can see this by following output:
Now from data point of view both peer devices are forwarding because of G bit (gateway bit) implementation for HSRP/ VRRP vMAC in MAC address table.
vPC & HSRP/VRRP Object Tracking:
When we use HSRP and VRRP in vPC we should not use object tracking to track the L3 uplink failure because this event causes the resulting SVI and its associated HSRP/VRRP configuration to DOWN state.
So every time 7K2 receives a frame destined to HSRP/VRRP vMAC, it bridges this frame over vPC peer-link because the other vPC peer device is able to process this frame (as SVI with associated HSRP/VRRP configuration is still in UP state).
Using vPC with HSRP/VRRP object tracking may leads to traffic black holing in case object tracking is triggered: the reason is that vPC systems will not forward a packet back on a vPC once it has crossed the peer-link (because of the vPC loop avoidance rule), except in the case of a remote vPC member port failure.
TASK: Configure HSRP as per following topology.
• Configure Po100 as trunk between N7K1 and N7K2
• Configure VLAN 10 with VIP 10.10.10.1 and use IP 10.10.10.2 on N7K1 and 10.10.10.3 on N7K2 for interface SVI.
• On N7K1 configure Priority 150 and HSRP group 2 for VLAN 10 also enable Preempt
• On N7K2 configure Priority 100 nd HSRP group 2 for VLAN 10 also enable Preempt
• Configure VLAN 20 with VIP 220.127.116.11 and use IP 18.104.22.168 on N7K1 and 22.214.171.124 on N7K2 for interface SVI.
• On N7K1 configure Priority 150 and HSRP group 2 for VLAN 20 also enable Preempt
• On N7K2 configure Priority 100 and HSRP group 2 for VLAN 20 also enable Preempt