The Black Rack - Cisco Networking Training Lab

HSRP – Basics and Configuration

HSRP (Hot Standby Router Protocol) is a Cisco proprietary First Hop Redundancy Protocol, which means it is a way to provide default-gateway redundancy for your hosts.

It is a very handy resource when you need high availability at the boundary between the access and distribution layers (or the access VLAN, if you prefer).

The configuration is quite simple, but the theory behind this technology can be a little complicated if you are inexperienced in enterprise and datacenter environments.

-> How does it work?

First of all, you must remember how basic gateway routing works.

When a client PC tries to communicate with a host on a different VLAN (or subnet), it sends an IP packet addressed to that host, encapsulated in a frame whose L2 destination is the MAC address of the client's default gateway.

When the router receives the frame, it analyzes the packet and does the route lookup (well, that is not so important now).

Knowing that process, HSRP works by placing one or more routers in a group that answers ARP requests for the same (virtual) IP address.

For these replies, the routers use a specially crafted MAC address that consists of a well-known prefix followed by 8 bits representing the group ID.

SW3750(config-if)#standby 7 ip 10.0.0.10

SW3750#sh standby vlan 60
Vlan60 - Group 7
  State is Init (interface down)
  Virtual IP address is 10.0.0.10
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c07.ac07 (v1 default)

When a host requests the L2 address for the 10.0.0.10 gateway, this router answers with 0000.0c07.ac07 (if it is the Active router).

HSRP uses an Active/Standby concept, where only the Active member responds to the ARP requests.

To become the Active router, a router must have the highest priority in the group. The default priority is 100.

If the priority ties on two or more routers, the router with the highest IP address on the HSRP interface becomes the Active router for the group.

If the current Active router fails, the Standby router waits for the hold time (10 seconds) and takes over the Active role. If there is another router in the HSRP group, it moves from the Listen to the Speak state and then to the Standby state.

HSRP consists of the following states:

Disabled – The interface is not participating in the HSRP group.

Init – The initial state for a newly joined router.

Listen – The router has learned the virtual IP address, but has not been elected to the Active or Standby role.

Speak – The router is participating in the HSRP election.

Standby – The router acts as a backup for the Active router. It constantly monitors the Active router and exchanges hello packets with it.

Active – The router currently forwards user traffic and exchanges hello packets with the Standby router.

-> HSRP Configuration:

R1(config-if)#exit
R1(config)#interface f0/0
R1(config-if)#ip address 172.16.50.2 255.255.255.0
R1(config-if)#standby 1 ip 172.16.50.1
R1(config-if)#standby 1 priority 200
R1(config-if)#standby 1 preempt
R1(config-if)#standby 1 track lo0 130
R1(config-if)#end

When configuring the virtual IP for an HSRP group, you must use an address in the same subnet as the address configured on the physical interface.

This router will be the Active router because it has been configured with a priority of 200. If the other routers in the group are left with the default values, this router will certainly become the Active router.

The preempt feature was enabled on this router. It allows a failed router to take back its prior Active position after it recovers from the failure.

Last but not least, it is configured with the track feature: if the tracked interface (lo0) fails, the current priority is decreased by the amount configured on the standby command. For example, if interface lo0 fails on this router, the priority becomes 70 (200 - 130 = 70), giving the Standby router the opportunity to take the Active role for the group.

R1(config-if)#do show standby
FastEthernet0/0 - Group 1
  State is Active
    4 state changes, last state change 00:20:44
  Virtual IP address is 172.16.50.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.304 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.50.4, priority 150 (expires in 9.384 sec)
  Priority 200 (configured 200)
    Track interface Loopback0 state Up decrement 130
  Group name is "hsrp-Fa0/0-1" (default)

###Interface Down###

R1(config-if)#shutdown
R1(config-if)#do show standby
FastEthernet0/0 - Group 1
  State is Standby
    5 state changes, last state change 00:00:00
  Virtual IP address is 172.16.50.1
  Active virtual MAC address is c002.1a1c.0000
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.976 secs
  Preemption enabled
  Active router is 172.16.50.4, priority 150 (expires in 9.964 sec)
  Standby router is local
  Priority 70 (configured 200)
    Track interface Loopback0 state Down decrement 130
  Group name is "hsrp-Fa0/0-1" (default)
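The election rules above (highest priority, then highest interface IP) and the tracking decrement from the configuration (200 - 130 = 70), as an added Python model written for this post; it is not IOS code nor part of the original article. The virtual MAC helpers assume the HSRPv1 prefix 0000.0c07.ac seen in the output; the router records (R1, R2 and their interface states) are constructed from the show output.

```python
# Added example, not from the original post: models the HSRPv1 virtual MAC
# and the active/standby election described above, including the priority
# decrement applied by "standby 1 track lo0 130".
HSRP_V1_PREFIX = "0000.0c07.ac"  # well-known HSRPv1 virtual MAC prefix

def hsrp_v1_virtual_mac(group):
    """Virtual MAC for an HSRPv1 group: the prefix plus the group ID as 8 bits."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group IDs are 0-255")
    return f"{HSRP_V1_PREFIX}{group:02x}"

def hsrp_v1_group_from_mac(mac):
    """Group ID if mac is an HSRPv1 virtual MAC, else None; useful when
    checking ARP tables or captures for which gateways are HSRP groups."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or not digits.startswith(HSRP_V1_PREFIX.replace(".", "")):
        return None
    return int(digits[10:], 16)

def effective_priority(router):
    """Configured priority minus the decrement of each tracked interface that is down."""
    prio = router["priority"]
    for iface, decrement in router["track"].items():
        if not router["if_state"].get(iface, True):
            prio -= decrement
    return prio

def with_interface_state(router, iface, up):
    """Copy of router with one tracked interface marked up or down (no mutation)."""
    return {**router, "if_state": {**router["if_state"], iface: up}}

def elect(routers):
    """Return (active, standby): highest effective priority wins, ties go to
    the highest IP address on the HSRP interface."""
    def rank(r):
        return (effective_priority(r), tuple(int(o) for o in r["ip"].split(".")))
    ordered = sorted(routers, key=rank, reverse=True)
    return ordered[0]["name"], (ordered[1]["name"] if len(ordered) > 1 else None)

# Constructed sample: R1 as configured in the post; R2 is the 172.16.50.4
# neighbor with priority 150 seen in the "show standby" output.
R1 = {"name": "R1", "ip": "172.16.50.2", "priority": 200,
      "track": {"lo0": 130}, "if_state": {"lo0": True}}
R2 = {"name": "R2", "ip": "172.16.50.4", "priority": 150, "track": {}, "if_state": {}}

if __name__ == "__main__":
    print(hsrp_v1_virtual_mac(1), elect([R1, R2]))             # 0000.0c07.ac01 ('R1', 'R2')
    r1_down = with_interface_state(R1, "lo0", False)            # Loopback0 fails
    print(effective_priority(r1_down), elect([r1_down, R2]))   # 70 ('R2', 'R1')
```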

 

For more info about HSRP, visit http://www.cisco.com/en/US/tech/tk648/tk362/tk321/tsd_technology_support_sub-protocol_home.html

 

WebVPN access to the lab

By connecting via WebVPN (SSL VPN), you will have full IP access to the lab equipment, so you can use SSH, TFTP, HTTP, HTTPS, and tools such as SDM and ASDM. Fallback to console access is still available, so there is no need to worry about losing your connection due to interface reconfigurations.

To connect, use the Cisco AnyConnect client. I currently use AnyConnect 3.0.4235 on Windows, which works fine. Browse to https://blackrack.selfhost.bz (if the rack is powered up) to download the client, or get it via the Internet, for example from Cisco. Alternatively, start your installed AnyConnect and connect to the address blackrack.selfhost.bz. Accept the certificate and use the login and password I provided to you. The same login and password work for WebVPN/AnyConnect, telnet to the Access Router (same address), and the BlackRack blog site.

The connection uses split tunneling and adds two routes to your system: 172.16.0.0/12 and 10.0.0.0/8 are routed through the tunnel, so you can use addresses from those ranges for IP access to lab devices (telnet, SSH, HTTP(S), ASDM). Besides full console access you therefore also have the VPN wizards, packet tracer, packet capture tools, etc. You could even use an ASA as an SFTP server.

AnyConnect login
Connected to blackrack.selfhost.bz

Cisco ASA Lab

Labs are often accessible via telnet or SSH, with devices reachable over console cables through an access router and terminal lines. Did you ever dare to configure a production ASA with a thousand ACLs, a lot of NATs, and possibly a dozen VPNs from the command prompt? I like the command line (especially when configuring a dozen branch-office ASAs in the same way), but the ASDM provides a high-level overview. You cannot use this GUI via a console cable; you need IP access.

Now you can access the BlackRack.net lab via WebVPN. Just use the freely available Cisco AnyConnect client, which runs on Windows, Linux, Mac OS X and iOS, or use OpenVPN. You will get a tunnel to the BlackRack LAN with the lab ASAs, routers and switches, including an access router with console cables to all devices, and SSH, telnet and HTTPS (ASDM) access.

Due to the relocation I currently have online: two ASA 5520, two ASA 5505, two 1841 routers and two switches, which gives you an ASA lab, for example for doing VPN.

Just contact me if you would like to have access for serious training or tests.

ASA 5520

The lab is moving

This week I began relocating the lab to Hamburg. Part of it is already available: four firewalls (two ASA 5520, two ASA 5505), one 2821 router, two 1841 routers, four 3560 switches and one 3750. So, for example, training with ASA, ASDM and VPN is already possible.

The remaining devices will be added soon, and new topologies will be created along the way.

The new location currently has a dynamically changing IP address, but you can use the regularly updated DNS entry blackrack.selfhost.bz. Note that the rack is not always powered up; often it is only switched on at a user's request.

Basic EIGRP

EIGRP is a proprietary routing protocol designed by Cisco. It is labeled an advanced distance-vector routing protocol, which means it is neither a plain distance-vector protocol nor a link-state protocol.

Why should I use EIGRP?

EIGRP's ability to load-balance over routes with different metrics, combined with its very fast convergence, easily answers this question. But there is still a problem: it is proprietary, which means you should use EIGRP ONLY if your routed network is composed entirely of Cisco routers, and that is why it is not often seen around.

How does it work?

First of all, before EIGRP can send EIGRP packets and exchange its topology database, it needs to form a neighbor relationship with another EIGRP router. For a successful neighbor relationship, EIGRP has some requirements, listed below:

-> The routers must be able to forward IP packets to each other: This one seems pretty obvious, but checking IP connectivity is never a bad idea.

-> Both routers must have their reachable interfaces in the same subnet: This one seems obvious too, but I would advise always double-checking network masks, especially if you are a beginner :)

-> Reachable interfaces must not be in a passive state: When a router is configured with a passive interface, it will neither listen for nor send EIGRP packets on that interface, but it will still advertise the network the interface belongs to (if it is matched by the network command, of course).

-> Must pass the authentication phase: This one is optional, but deserves attention since authentication is a cool security feature for routing protocols.

-> The ASN MUST match on both routers: When you first enable EIGRP globally, you need to supply your Autonomous System Number.

Router1(config)#router eigrp 36
Router1(config-router)#

-> 'K' values: These values are numbers that influence the metric calculation; they are configurable via an EIGRP router subcommand and must match on both routers as well.

Router1(config)#router eigrp 36
Router1(config-router)#metric weights 0 7 6 5 4 3
Router1(config-router)#end
Router1#show ip protocols
Routing Protocol is "eigrp 36"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=7, K2=6, K3=5, K4=4, K5=3

If both routers meet those requirements, they form a neighbor relationship. The next step is to exchange their routing tables and calculate metrics. The process of exchanging routing information consists of:

-> Full routing updates: When EIGRP discovers a new neighbor, the router sends a full routing update to populate its neighbor's topology database.

-> Continuous hello packets: AKA "Are you there?". EIGRP constantly checks its neighbor's reachability. If no hello packets are received within the Dead Interval, EIGRP considers the neighbor unreachable and removes it from its topology table.

-> Partial updates: These packets are sent only when EIGRP detects new routes or changes to its topology database.

DUAL algorithm

For the calculation, each router sends the Reported Distance (RD) for each route, and the receiving router calculates the Feasible Distance (FD) using the DUAL algorithm, which populates its topology table. The reported distance is the metric that a neighbor advertises to reach a certain subnet. The FD is the total metric: the metric to reach the neighbor plus that neighbor's RD for the subnet.

With these numbers in the topology table, the router can now choose which ones will be added to its routing table. EIGRP considers the neighbor with the lowest FD to a certain subnet the Successor, meaning that router will be the gateway for that subnet. EIGRP also stores in the topology table information about other paths to the same subnet. If another neighbor advertises an RD lower than the current successor's FD for that subnet, that neighbor becomes a Feasible Successor: EIGRP keeps it in the topology table, but not in the routing table. If the successor goes down, EIGRP simply checks its topology table (without recalculating anything) and installs the new successor in the routing table (if there is one). This feature is what makes EIGRP's convergence incredibly fast.

Topology: (diagram not available in this copy)

Example:

R1#show ip route
D 172.16.0.0 [90/33280] via 10.1.1.2, 00:00:32, FastEthernet0/0
R1#show ip eigrp topology
!!!!!!!!omitted!!!!!!!!
P 172.16.0.0/24, 1 successors, FD is 33280
via 10.1.1.2 (33280/7680), FastEthernet0/0 > Successor
via 10.2.2.2 (79360/30720), FastEthernet0/1 > RD Lower than FD for the subnet
!!!!!!!omitted!!!!!!!

###########Link R2-R4 is down!############

R1#show ip route
D 172.16.0.0 [90/79360] via 10.2.2.2, 00:01:49, FastEthernet0/1

R1#show ip eigrp topology all-links
!!!!!!!omitted!!!!!!!!
P 172.16.0.0/24, 1 successors, FD is 33280, UR, serno 26, refcount 2
via 10.2.2.2 (79360/30720), FastEthernet0/1 < New successor
via 10.1.1.2 (Infinity/Infinity), R, FastEthernet0/0, serno 24
!!!!!!!omitted!!!!!!!!
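The successor and feasible-successor logic shown in the outputs above, as an added Python example written for this post (not Cisco code and not part of the original article). It uses the FD/RD pairs from R1's topology output, derives the per-link cost as FD minus RD (an assumption of the model), and reports the route as Passive or Active in DUAL terms, which is what the "P" prefix in the output stands for.

```python
# Added example, not from the original post: DUAL successor and feasible
# successor selection for one prefix, run over the numbers in R1's
# "show ip eigrp topology" output above (FD/RD pairs per next hop).
INFINITY = float("inf")

def best_paths(neighbors):
    """neighbors: {next_hop: (link_cost_to_neighbor, reported_distance)}.
    FD = link cost + RD. The lowest FD is the successor; any other neighbor
    whose RD is lower than that FD satisfies the feasibility condition."""
    fds = {nh: cost + rd for nh, (cost, rd) in neighbors.items()}
    reachable = {nh: fd for nh, fd in fds.items() if fd != INFINITY}
    if not reachable:
        return None, INFINITY, []
    successor = min(reachable, key=reachable.get)
    fd = reachable[successor]
    feasible = [nh for nh, (_, rd) in neighbors.items() if nh != successor and rd < fd]
    return successor, fd, feasible

def handle_successor_loss(neighbors, lost):
    """When the successor is lost: promote the best feasible successor at once
    and the route stays Passive (no recomputation, no queries); with no
    feasible successor the route goes Active and DUAL must query neighbors."""
    successor, fd, feasible = best_paths(neighbors)
    if lost != successor:
        return "Passive", successor, fd      # the lost path was not the successor
    if not feasible:
        return "Active", None, INFINITY
    candidates = {nh: neighbors[nh] for nh in feasible}
    new_successor, new_fd, _ = best_paths(candidates)
    return "Passive", new_successor, new_fd

# Constructed from the post's output for 172.16.0.0/24: via 10.1.1.2 the pair
# is (33280/7680) and via 10.2.2.2 it is (79360/30720); the link cost to each
# neighbor is therefore taken as FD - RD.
TOPOLOGY = {
    "10.1.1.2": (33280 - 7680, 7680),
    "10.2.2.2": (79360 - 30720, 30720),
}

if __name__ == "__main__":
    print(best_paths(TOPOLOGY))                          # ('10.1.1.2', 33280, ['10.2.2.2'])
    print(handle_successor_loss(TOPOLOGY, "10.1.1.2"))   # ('Passive', '10.2.2.2', 79360)
```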

Well, that was kinda basic. Let’s go further.

Controlling neighbor relationships

In a real-world environment you will sometimes need to control when and where EIGRP packets are sent and listened for. That can be for security reasons, or simply to reduce multicast traffic on the network.
EIGRP supports some mechanisms that give us control over these relationships:

-> Passive-interface feature: This feature prevents any EIGRP neighbor relationship on the selected interfaces. If the interface's network is matched by the network command, the route will still be advertised out of the other EIGRP interfaces. tl;dr: passive interfaces neither send nor listen for EIGRP packets, but their subnets are still advertised by the other interfaces.

R1(config-router)#passive-interface fa0/1
R1(config-router)#do show ip protocols
Routing Protocol is "eigrp 35"
!!!Omitted!!!
Routing for Networks:
10.0.0.0/24
192.168.0.0
Passive Interface(s):
FastEthernet0/1
!!!Omitted!!!

-> Manual neighbor configuration: When using this method, EIGRP stops sending and listening to multicast EIGRP packets on that interface. Neighborships are formed only with the routers, and through the interfaces, that you specify MANUALLY. (This needs to be configured on BOTH routers.)

PS: R2 is already configured.

R1(config-router)#neighbor 10.0.0.2 fastEthernet 0/0
R1(config-router)#
*Mar 1 00:08:44.231: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.0.0.2 (FastEthernet0/0) is up: new adjacency
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 35
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.0.0.2 Fa0/0 14 00:00:04 117 702 0 7
R1#

-> Routing protocol authentication: Last but not least, the mighty "authentication". It is often used since it provides an extra security layer for the network. The keys can be static or time-based. Some attention is required while configuring this feature. Here follows the basic static-key configuration.

R1(config)#key chain AUTHEN > Name of the key-chain
R1(config-keychain)#key ?
Key identifier
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string MYPASS > This string MUST match on both neighbors
R1(config-keychain-key)#exit
R1(config-keychain)#exit
R1(config)#int f0/0 > Select the interface facing the other router
R1(config-if)#ip authentication mode eigrp 35 md5 > Specifies md5 authentication
R1(config-if)#ip authentication key-chain eigrp 35 1 > Specifies which key to use

Well, I hope this post helps you understand the basics of EIGRP.

Credits:

PacketLife
Wendell Odom’s CCNP ROUTE Official Cert Guide

Changelog

Dec 11, 2012:

Dec 4, 2012: