HSRP Concepts

Posted on Jan 24, 2020 (0)

First Hop Redundancy Protocols (FHRPs) provide an active gateway, available 24*7*365, to all hosts configured in the DC. There are three FHRPs available, which we will discuss here.

  • Hot Standby Router Protocol (HSRP)
  • Virtual Router Redundancy Protocol (VRRP)
  • Gateway Load Balancing Protocol (GLBP)

We will discuss each one in detail, along with how it behaves in a vPC environment.

HSRP:

HSRP is the Cisco proprietary Hot Standby Router Protocol. It has the following characteristics:

  • It enables two or more routers to provide first-hop redundancy for all IP traffic.
  • In HSRP, one router is Active, one is Standby, and all others are in the Listen state.
  • The Active router is responsible for ARP resolution and for forwarding all traffic.
  • All the routers/switches participating in HSRP for a single VLAN must be in the same group.
  • HSRP can support 16 groups at maximum.
  • The Active router owns the virtual IP address, which in turn has a virtual MAC address for ARP resolution.
  • If the Active router fails, the Standby takes over the Active state with the same virtual MAC address.
  • There is no preemption by default: if the failed Active router comes back up at any point, it will not resume the Active role on its own.
  • HSRP hello packets, sent to multicast address 224.0.0.2, are used to elect the Active and Standby routers: the router with the highest priority becomes Active and the one with the second-highest priority becomes Standby.
  • The Hello timer is 3 sec and the Hold Down timer is 10 sec.
  • The default priority of a router is 100; if all routers have the same priority, the highest IP address is used to elect the Active and Standby.
  • On Nexus, HSRP is enabled with the feature command.
  • HSRP packets can also be secured with an HSRP authentication method.
  • HSRP uses the plain-text or MD5 method to secure its packets.
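
The election and preemption rules in the list above can be traced with a small model. This is an added example, not code from the original page; the class and function names are hypothetical, the model is deliberately simplified (no timers, no Speak/Listen transitions), and the priorities and SVI addresses are the ones used in the lab later on this page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class Router:
    name: str
    ip: str
    priority: int = 100     # default priority
    preempt: bool = False   # no preemption by default

def rank(r):
    # Highest priority wins; equal priorities fall back to the highest IP.
    return (r.priority, int(IPv4Address(r.ip)))

class HsrpGroup:
    """Simplified model: timers and the Speak/Listen transitions are ignored."""
    def __init__(self, routers):
        self.routers = {r.name: r for r in routers}
        self.up, self.active = set(), None

    def standby(self):
        rest = [self.routers[n] for n in self.up if n != self.active]
        return max(rest, key=rank).name if rest else None

    def start(self, names):
        # All routers come up together: best rank becomes Active.
        self.up = set(names)
        self.active = max((self.routers[n] for n in names), key=rank).name
        return self.active, self.standby()

    def fail(self, name):
        self.up.discard(name)
        if name == self.active:
            self.active = None
            self.active = self.standby()    # Standby takes over the Active role
        return self.active, self.standby()

    def recover(self, name):
        self.up.add(name)
        cur, new = self.routers.get(self.active), self.routers[name]
        # Take over only if nobody is Active, or preempt is set and we outrank it.
        if cur is None or (new.preempt and rank(new) > rank(cur)):
            self.active = name
        return self.active, self.standby()

def replay(preempt):
    # Constructed scenario with the lab's values: N7K1 fails, then returns.
    g = HsrpGroup([Router("N7K1", "10.10.10.2", 150, preempt),
                   Router("N7K2", "10.10.10.3", 100, preempt)])
    return [g.start(["N7K1", "N7K2"]), g.fail("N7K1"), g.recover("N7K1")]
```

`replay(False)` and `replay(True)` each return the (Active, Standby) pair after the initial election, after N7K1 fails, and after N7K1 returns; only the last pair differs between the two runs.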

HSRP/VRRP Behaviour in vPC

Whenever we configure HSRP or VRRP in a vPC domain, it operates in active-active mode: all ARP requests and replies are handled by the HSRP Active device, but for data traffic both the Active and the Standby act as active gateways. From a control-plane standpoint, active-standby mode still applies for HSRP/VRRP in the context of vPC; the active HSRP/VRRP instance responds to ARP requests. From a data-plane standpoint, HSRP and VRRP operate in active-active mode, as opposed to the classical active/standby implementation in an STP-based network.

If any traffic is sent to the HSRP Standby, it does not pass that traffic to the HSRP Active over the vPC peer-link; instead it acts as an active gateway and forwards the traffic northbound.


The standby HSRP/VRRP vPC peer device just relays the ARP request to the active HSRP/VRRP peer device through the vPC peer-link. Here too, the same vMAC is used as the gateway MAC address on both the Active and the Standby switch. You can see this in the following output:

N7K1# sh hsrp group 100
Vlan100 - Group 100 (HSRP-V2) (IPv4)
Local state is Active, priority 100 (Cfged 100)
Forwarding threshold(for vPC), lower: 1 upper: 100
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.383000 sec(s)
Virtual IP address is 10.10.10.1 (Cfged)
Active router is local
Standby router is 10.10.10.3, priority 100 expires in 7.386000 sec(s)
Authentication text "cisco"
Virtual mac address is 0000.0c9f.f190 (Default MAC)
2 state changes, last state change 6d01h
IP redundancy name is hsrp-Vlan100-100 (default)
!
!
N7K2# sh hsrp group 100
Vlan100 - Group 100 (HSRP-V2) (IPv4)
Local state is Standby, priority 100 (Cfged 100)
Forwarding threshold(for vPC), lower: 1 upper: 100
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.848000 sec(s)
Virtual IP address is 10.10.10.1 (Cfged)
Active router is 10.10.10.2, priority 100 expires in 7.852000 sec(s)
Standby router is local
Authentication text "cisco"
Virtual mac address is 0000.0c9f.f190 (Default MAC)
7 state changes, last state change 01:08:24
IP redundancy name is hsrp-Vlan100-100 (default)
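
Both outputs above show plain-text authentication with the string "cisco", which is the HSRP default. The following added example (not part of the original page) parses the `sh hsrp` text from each vPC peer and reports plain-text or default authentication, a VIP or vMAC mismatch between peers, and anything other than exactly one Active. The function names are hypothetical, the sample input is constructed from lines of the outputs above, and only the `Authentication text "..."` line format shown on this page is recognised.

```python
import re

# Constructed input: lines taken from the two "sh hsrp group 100" outputs above.
N7K1 = """Vlan100 - Group 100 (HSRP-V2) (IPv4)
Local state is Active, priority 100 (Cfged 100)
Virtual IP address is 10.10.10.1 (Cfged)
Authentication text "cisco"
Virtual mac address is 0000.0c9f.f190 (Default MAC)
"""
N7K2 = N7K1.replace("Local state is Active", "Local state is Standby")

FIELDS = {
    "state": r"Local state is (\w+)",
    "vip": r"Virtual IP address is (\S+)",
    "auth_text": r'Authentication text "([^"]*)"',
    "vmac": r"Virtual mac address is (\S+)",
}

def parse(output):
    """Extract the audited fields from one 'sh hsrp group' output."""
    result = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, output)
        result[key] = m.group(1) if m else None
    return result

def audit(peers):
    """peers maps hostname -> 'sh hsrp group' text; returns a list of findings."""
    parsed = {host: parse(text) for host, text in peers.items()}
    findings = []
    for host, p in parsed.items():
        if p["auth_text"] is not None:
            findings.append(f"{host}: plain-text authentication in use")
            if p["auth_text"] == "cisco":
                findings.append(f"{host}: authentication string is the default 'cisco'")
    # In vPC both peers must present the same virtual IP and virtual MAC.
    for key in ("vip", "vmac"):
        if len({p[key] for p in parsed.values()}) > 1:
            findings.append(f"{key} differs between peers")
    actives = [h for h, p in parsed.items() if p["state"] == "Active"]
    if len(actives) != 1:
        findings.append(f"expected exactly one Active, found {len(actives)}")
    return findings
```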

From a data-plane point of view, both peer devices forward traffic because of the G bit (gateway bit) implementation for the HSRP/VRRP vMAC in the MAC address table.

N7K1# sh mac address-table address 0000.0c9f.f190
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link
VLAN   MAC Address        Type           age     Secure    NTFY      Ports/SWID.SSID.LID
---------+----------------------+-------------+---------+-----------+----------+------------------
G 100       0000.0c9f.f190         static         -           F F                       sup-eth1(R)
!
!
N7K2# sh mac address-table address 0000.0c9f.f190
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link
VLAN      MAC Address         Type        age      Secure    NTFY        Ports/SWID.SSID.LID
---------+-----------------------+------------+---------+------------+-----------+--------------------------------
G   100        0000.0c9f.f190       static         -             F F                            vPC Peer-Link(R)

vPC & HSRP/VRRP Object Tracking:

When we use HSRP or VRRP in vPC, we should not use object tracking to track L3 uplink failure, because this event brings the resulting SVI and its associated HSRP/VRRP configuration to the DOWN state.

So every time 7K2 receives a frame destined to the HSRP/VRRP vMAC, it bridges this frame over the vPC peer-link, because the other vPC peer device is able to process this frame (as its SVI with the associated HSRP/VRRP configuration is still in the UP state).

Using vPC with HSRP/VRRP object tracking may lead to traffic black-holing when object tracking is triggered. The reason is that vPC systems will not forward a packet back out on a vPC once it has crossed the peer-link (because of the vPC loop avoidance rule), except in the case of a remote vPC member port failure.

HSRP LAB

TASK: Configure HSRP as per the following topology.
• Configure Po100 as a trunk between N7K1 and N7K2.
• Configure VLAN 10 with VIP 10.10.10.1 and use IP 10.10.10.2 on N7K1 and 10.10.10.3 on N7K2 for the SVI.
• On N7K1, configure priority 150 and HSRP group 2 for VLAN 10, and enable preempt.
• On N7K2, configure priority 100 and HSRP group 2 for VLAN 10, and enable preempt.
• Configure VLAN 20 with VIP 20.20.20.1 and use IP 20.20.20.2 on N7K1 and 20.20.20.3 on N7K2 for the SVI.
• On N7K1, configure priority 150 and HSRP group 2 for VLAN 20, and enable preempt.
• On N7K2, configure priority 100 and HSRP group 2 for VLAN 20, and enable preempt.

Topology:

N7K1
!
feature lacp
feature vpc
feature hsrp
feature interface-vlan
feature vrrp
!
vlan 10
vlan 20
!
int eth1/1-2
  switchport
  switchport mode trunk
  channel-group 100 mode active
  no shut
!
int po100
  switchport
  switchport mode trunk
  no shut
!
interface Vlan10
  no shutdown
  ip address 10.10.10.2/24
  hsrp 2
    preempt
    priority 150
    ip 10.10.10.1
  no shut
!
interface Vlan20
  no shutdown
  ip address 20.20.20.2/24
  hsrp 2
    preempt
    priority 150
    ip 20.20.20.1
  no shut

N7K2
!
feature lacp
feature vpc
feature hsrp
feature interface-vlan
feature vrrp
!
vlan 10
vlan 20
!
int eth1/1-2
  switchport
  switchport mode trunk
  channel-group 100 mode active
  no shut
!
int po100
  switchport
  switchport mode trunk
  no shut
!
interface Vlan10
  no shutdown
  ip address 10.10.10.3/24
  hsrp 2
    preempt
    ip 10.10.10.1
  no shut
!
interface Vlan20
  no shutdown
  ip address 20.20.20.3/24
  hsrp 2
    preempt
    ip 20.20.20.1
  no shut

Verification:



