Published on February 5, 2008
Slide 1: Mälardalens högskola, Stefan Löfgren. Advanced switching and troubleshooting in computer networks, CCNP 3–4, Lecture 2_1.

Slide 2: Spanning Tree Protocol
STP causes more than 50% of the configuration errors, troubleshooting and maintenance problems in computer networks. STP is a complex protocol that is often not properly understood! STP is a protocol for preventing loops. STP lets Layer 2 devices communicate in order to detect loops. STP builds a tree structure with a loop-free logical topology.

Slide 3: Redundancy Creates Loops!
Broadcasts and Layer 2 loops are a dangerous combination. Ethernet frames have no TTL, so if a frame starts looping... how can it be stopped?

Slide 4: STP uses an algorithm called the Spanning Tree Algorithm (STA). STA chooses a reference point (the root bridge) and then determines the available paths to that point. If more than one path exists, STA selects the best path and blocks the rest. STP uses the following in its calculation: Bridge ID and Path Cost.

Slide 5: The Bridge ID (BID) is used to identify the switches and to determine the root bridge. It consists of a 2-byte Bridge Priority (Cisco switches have the default value 32,768 or 0x8000) and the 6-byte MAC address. The lowest Bridge ID becomes the root bridge; if all have the same priority, the one with the lowest MAC address wins.

Slide 6: Switches use cost (which can be modified manually). Originally 802.1D defined cost as 1000/bandwidth in Mbps. 10 Gbps Ethernet forced a new cost. IEEE's modified cost:

Slide 7: Every switch that is not the root bridge must select a root port: the port closest to the root bridge. Root path cost is the cumulative cost of all links to the root bridge. Every segment in the network has a designated port (all ports on the root bridge are designated), which acts as the only switch port that sends and receives traffic between the segment and the root bridge. The switch that owns the designated port is called the designated bridge for the segment.
Slide 8: Spanning Tree always uses the same four-step decision sequence:
1) Lowest root BID
2) Lowest path cost to root bridge
3) Lowest sender BID
4) Lowest port ID
Bridges use Configuration BPDUs during this four-step process.

Slide 9: STP Convergence
The STP algorithm uses three simple steps to converge on a loop-free topology: Step 1, elect one Root Bridge. Step 2, elect Root Ports. Step 3, elect Designated Ports.

Slide 10: Electing the root port
Cat-B can reach the Root Bridge with a cost of 19 via Port 1/1 compared with a cost of 38 via Port 1/2. Port 1/1 becomes the Root Port for Cat-B, the port closest to the Root Bridge. Cat-C does the same. Note: both Cat-B:1/2 and Cat-C:1/2 keep the best BPDU of cost 19 (their own).
[Figure labels: BPDU Cost=0 from Cat-A; BPDU Cost=19 on the Root Ports of Cat-B and Cat-C; BPDU Cost=38 (19+19) on the segment between them.]

Slide 11: Electing the designated port
1) All three switches agree that Cat-A is the Root Bridge.
2) The Root Path Cost is 19 for both, a tie.
3) The source BID is lower on Cat-B than on Cat-C, so Cat-B:1/2 becomes the Designated Port for Segment 3. Cat-C:1/2 therefore becomes the non-Designated Port for Segment 3.
[Figure labels: Segments 1–3; Root Path Cost = 0 on Cat-A and 19 on Cat-B and Cat-C; BIDs 32,768.BB-BB-BB-BB-BB-BB and 32,768.CC-CC-CC-CC-CC-CC; Root, Designated and Non-Designated Ports.]

Slide 12: If path cost and bridge IDs are equal (parallel links from the same switch), the switch uses port priority to make the choice. The lowest port priority wins (all ports have 32 as the default value but can be set to 0–63). If all ports have the same priority, the port with the lowest port number wins.

Slide 13: Spanning-Tree Port States

Slide 14: STP Timers

Slide 15: Forward Delay Timer
The default value of forward delay was originally calculated on the assumption of a network size of 7 hops.
Forward delay is used to determine the time spent in the Listening state and the Learning state.
Max Age Timer: Max Age is the time a BPDU is kept before it is discarded. Every port keeps the best BPDU, so it can take 20 s before the switch moves the port to Listening.

Slide 16: It can take 30–50 s for a switch to adapt to a change in topology. During this time, addresses that can no longer be reached are still listed in the MAC table, which of course can cause problems. The normal aging time for this table is 300 s (5 minutes). To get rid of unreachable addresses, the switch can send a Topology Change Notification (TCN) BPDU out of its root port. The TCN BPDU is then propagated throughout the network by the root switch, and the switches temporarily change the aging time from 300 to 15 s.

Slide 17: PortFast makes it possible to speed up the start-up of ports connected to, for example, PCs. Devices get immediate access to the network without the port having to go through all the STP listening and learning stages. It should not be used on links between switches.

Slide 18: UplinkFast can reduce the convergence time for creating a loop-free topology. UplinkFast allows a port in blocked mode to start forwarding data packets immediately when the switch detects a failure on the forwarding link. The port must have direct information that a link has gone down in order to change mode. Note: When you enable the set spantree uplinkfast command, it affects all VLANs on the switch (you cannot configure UplinkFast on an individual VLAN).

Slide 19: BackboneFast is triggered when a root port or blocked port on a switch receives inferior BPDUs from its designated bridge. This allows faster convergence if a backbone link stops working.
Switch>(enable) set spantree backbonefast

Slide 20: STP and VLANs
Common Spanning Tree (CST) is the IEEE 802.1Q solution to VLANs and Spanning Tree.
CST defines a single instance of Spanning Tree for all VLANs. BPDU information runs on VLAN 1. Per-VLAN Spanning Tree (PVST) is a Cisco proprietary implementation. PVST requires Cisco Inter-Switch Link (ISL) encapsulation in order to work. PVST runs a separate instance of STP for every VLAN. PVST+ is a Cisco proprietary implementation that allows CST information to be passed correctly into PVST. A solution to the scaling and stability problems associated with large Spanning-Tree networks is to create separate instances of PVST. STP can only be enabled on a maximum of 64 VLANs at the same time (VLANs 1 to 64 by default).

Rapid Spanning-Tree Protocol
The IEEE 802.1w Rapid Spanning-Tree Protocol (RSTP) is an evolution of the 802.1D standard. RSTP provides much faster convergence than STP. Only 3 states: disabled, blocking and listening are merged into a single Discarding state. It can safely transition a port to forwarding without relying on any timer configuration. An edge port corresponds to PortFast (it goes directly to the forwarding state). Unlike PortFast, an edge port that receives a BPDU immediately loses its edge port status and becomes a normal spanning tree port. Link Type: RSTP (point-to-point or shared) can only achieve rapid transition to forwarding on edge ports and on point-to-point links. A port operating in full-duplex is assumed to be point-to-point.

Slide 22: The RSTP role is now a variable assigned to a given port. The root port and designated port roles remain, while the blocking port role is now split into the backup and alternate port roles. An alternate port is a port blocked by receiving more useful BPDUs from another bridge. A backup port is a port blocked by receiving more useful BPDUs from the same bridge it is on. An alternate port provides an alternate path to the root bridge and could therefore replace the root port should it fail. A backup port provides redundant connectivity to the same segment.
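The four-step decision sequence of Slides 8 to 12, together with the BPDU guard and root guard behaviour described under "Switchport tuning" later on this page, as an added Python simulation that is not part of the original lecture. It rebuilds the Cat-A/Cat-B/Cat-C topology of Slides 10 and 11; the extra user port on Cat-B, the root-guard port on Cat-C and the priority-0 bridge "D" are constructed to show the two guards keeping the root where the design put it.

```python
# Constructed simulation of the 802.1D decision sequence, BPDU guard and root guard.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BridgeID = Tuple[int, str]   # (bridge priority, MAC address); lowest wins
COST_100M = 19               # revised 802.1D cost of a 100 Mbps link

@dataclass(frozen=True)
class BPDU:
    root_id: BridgeID
    root_path_cost: int
    sender_id: BridgeID
    sender_port: int

    def key(self):
        # Four-step decision sequence: lowest root BID, lowest path cost,
        # lowest sender BID, lowest port ID. A smaller tuple is a better BPDU.
        return (self.root_id, self.root_path_cost, self.sender_id, self.sender_port)

@dataclass
class Port:
    cost: int
    portfast: bool = False       # end-station port; BPDU guard assumed enabled with it
    root_guard: bool = False
    role: str = "designated"
    best_received: Optional[BPDU] = None

@dataclass
class Switch:
    name: str
    bid: BridgeID
    ports: Dict[int, Port] = field(default_factory=dict)
    root_id: Optional[BridgeID] = None
    root_cost: int = 0
    root_port: Optional[int] = None

    def __post_init__(self):
        self.root_id = self.bid          # every bridge starts out claiming to be root

    def bpdu_for(self, port_no: int) -> BPDU:
        """Configuration BPDU this switch sends out of port_no."""
        return BPDU(self.root_id, self.root_cost, self.bid, port_no)

    def receive(self, port_no: int, bpdu: BPDU) -> str:
        port = self.ports[port_no]
        if port.portfast:                # BPDU guard: a user port must never see a BPDU
            port.role = "err-disabled"
            return "bpdu-guard"
        via = (bpdu.root_id, bpdu.root_path_cost + port.cost)
        if port.root_guard and via < (self.root_id, self.root_cost):
            # Root guard: a BPDU that would turn this port into the root port is
            # ignored and the port is held root-inconsistent while such BPDUs arrive.
            port.role = "root-inconsistent"
            return "root-guard"
        port.best_received = bpdu
        self._recompute()
        return "accepted"

    def _recompute(self) -> None:
        # Steps 1 and 2: the best BPDU heard on any live port picks the root
        # bridge; the port it arrived on (link cost added) becomes the root port.
        best, best_port = None, None
        for no, p in self.ports.items():
            b = p.best_received
            if b is None or p.role in ("err-disabled", "root-inconsistent"):
                continue
            cand = (b.root_id, b.root_path_cost + p.cost, b.sender_id, b.sender_port)
            if best is None or cand < best:
                best, best_port = cand, no
        if best is None or best[0] >= self.bid:
            self.root_id, self.root_cost, self.root_port = self.bid, 0, None
        else:
            self.root_id, self.root_cost, self.root_port = best[0], best[1], best_port
        # Step 3: a port stays designated unless a better BPDU than ours was heard on it.
        for no, p in self.ports.items():
            if p.role in ("err-disabled", "root-inconsistent"):
                continue
            if no == self.root_port:
                p.role = "root"
            elif p.best_received and p.best_received.key() < self.bpdu_for(no).key():
                p.role = "non-designated"
            else:
                p.role = "designated"

def roles(sw: Switch) -> Dict[int, str]:
    return {no: p.role for no, p in sw.ports.items()}

def build_topology():
    """Slides 10-11: Cat-A, Cat-B, Cat-C in a triangle of 100 Mbps links (port 1
    faces Cat-A, port 2 joins B and C). Constructed extras: port 3 on Cat-B is a
    PortFast user port, port 3 on Cat-C a downstream port with root guard."""
    a = Switch("Cat-A", (32768, "AA-AA-AA-AA-AA-AA"), {1: Port(COST_100M), 2: Port(COST_100M)})
    b = Switch("Cat-B", (32768, "BB-BB-BB-BB-BB-BB"),
               {1: Port(COST_100M), 2: Port(COST_100M), 3: Port(COST_100M, portfast=True)})
    c = Switch("Cat-C", (32768, "CC-CC-CC-CC-CC-CC"),
               {1: Port(COST_100M), 2: Port(COST_100M), 3: Port(COST_100M, root_guard=True)})
    for _ in range(3):               # exchange configuration BPDUs until roles settle
        for x, xp, y, yp in [(a, 1, b, 1), (a, 2, c, 1), (b, 2, c, 2)]:
            y.receive(yp, x.bpdu_for(xp))
            x.receive(xp, y.bpdu_for(yp))
    return a, b, c
```

After build_topology(), Cat-B:2 is designated and Cat-C:2 non-designated exactly as on Slide 11; feeding a priority-0 BPDU into Cat-B:3 err-disables it (BPDU guard) and into Cat-C:3 leaves the root unchanged (root guard), while an unguarded port would accept the new root.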
Slide 23: Uplink Fast
RSTP incorporates an automatically enabled feature equivalent to Cisco's proprietary UplinkFast spanning tree extension. The 802.1w topology change mechanism clears the appropriate entries in the Content Addressable Memory (CAM) tables of the upstream bridges, removing the need for the dummy multicast generation process of UplinkFast. In RSTP, only non-edge ports moving to the Forwarding state cause a topology change. This means that a loss of connectivity is no longer considered a topology change. The initiator of the topology change floods this information throughout the network (as opposed to 802.1D, where only the root could do so). This is much faster than 802.1D.

RSTP BPDU format
The Flag byte in the BPDU has added Proposal, Port Role, Learning, Forwarding and Agreement bits. The BPDU type is set to type 2, version 2, and will be dropped by legacy bridges. Every bridge (not only the root bridge) sends a BPDU every hello time. As a keepalive mechanism, the connection is considered lost if 3 BPDUs in a row are missed. This allows quick failure detection. In the figure, Bridge C still knows the root is alive and well and immediately sends a BPDU to Bridge B containing information about the root bridge. As a result, Bridge B stops sending its own BPDUs and accepts the port leading to Bridge C as its new root port (similar to BackboneFast in STP).

Slide 25: Common spanning tree (CST) is specified in the IEEE 802.1Q standard. CST defines a single instance of Spanning Tree for all VLANs. BPDUs are transmitted over VLAN 1. Per-VLAN spanning tree (PVST) is a Cisco-proprietary implementation requiring ISL trunk encapsulation. PVST runs a separate instance of STP for each VLAN, which increases CPU load and link traffic. PVST+ supports 802.1Q trunks and is automatically enabled on Catalyst 802.1Q trunks; it provides Layer 2 load balancing.
Mono spanning tree (MST) is the spanning tree implementation used by non-Cisco 802.1Q switches: one instance of STP for all VLAN traffic. Multiple Instance Spanning-Tree Protocol (MISTP) is a compromise between PVST+ and MST that allows the grouping of multiple VLANs under a single instance of spanning tree. MISTP combines the Layer 2 load-balancing benefits of PVST+ with the lower CPU load of IEEE 802.1Q.

Slide 26: Spanning Tree Protocol

Slide 27: MST (802.1s)
MST stands for two things: Mono Spanning Tree and Multiple Spanning Tree. The multiple spanning tree is specified in IEEE 802.1s, an amendment to IEEE 802.1Q. MST extends the IEEE 802.1w rapid spanning tree (RST) algorithm to multiple spanning trees, as opposed to the single CST of the original IEEE 802.1Q specification. This extension provides for both rapid convergence and load balancing in a VLAN environment. Cisco's implementation of MST is backward compatible with 802.1D STP, the 802.1w Rapid Spanning-Tree Protocol (RSTP), and the Cisco PVST+ architecture. MST can be thought of as a standards-based Multiple Instance Spanning-Tree Protocol (MISTP).

Load balancing
The most common method of load sharing is root bridge placement on a per-VLAN basis. This distributes traffic for separate VLANs across separate paths to different root bridges. In load sharing using STP port priorities, each trunk port assigns different priorities to different VLANs. In the following diagram, Trunk 1 carries VLANs 8–10 and Trunk 2 carries VLANs 3–6. In load sharing using STP path cost, each trunk port assigns a different path cost to different VLANs. In the following diagram, Trunk port 1 carries VLANs 8–10 and Trunk port 2 carries VLANs 2–4.

Switchport tuning using BPDU guard
In the figure, bridge A has priority 8192 and is the root for the VLAN. Bridge B has priority 16384 and is the backup root bridge for the same VLAN.
Bridges A and B make up the core of the network. Bridge C is an access switch and has PortFast configured on the port connected to device D. Normally device D (a PC) does not participate in STP. The red arrows indicate the flow of STP BPDUs. Now, if device D started to participate in STP with priority zero, it would take over the root bridge function, and the Gigabit link connecting the two core switches would transition into blocking mode. This causes all the data in that particular VLAN to flow via the 100 Mbps link, lowering network performance to 1/10. This is a simple Denial of Service attack on the network. To prevent this, set up STP PortFast BPDU guard to disable the workstation port when it receives a BPDU.

Switchport tuning using root guard
Standard STP does not allow the administrator to enforce the position of the root bridge. If a bridge with a lower bridge priority is introduced into the network, it will take the role of the root bridge. Root guard is configured on a per-port basis and does not allow the port to become an STP root port. This means that the port is always STP-designated, and if a better BPDU is received on this port, root guard disables the port rather than taking the BPDU into account and electing a new STP root. When the BPDUs stop, the port goes through the STP process to recover. Root guard needs to be enabled on all ports where the root bridge should not appear.

Slide 32: EtherChannel
Fast EtherChannel technology is based on standard 802.3 full-duplex Fast Ethernet. It allows parallel links to be treated as a single physical link by STP, with full-duplex bandwidth of 200 to 800 Mbps. It provides load sharing and redundancy.

Slide 33: Inter-VLAN Routing
Overview: Configuring virtual LANs (VLANs) helps control the size of broadcast domains and keeps local traffic local.
The downside to this benefit is that devices in different VLANs are unable to communicate without some form of Layer 3 routing.

Key components of Inter-VLAN routing
For routing between VLANs, three key components must be present: a VLAN-capable switch, a router (standalone or integrated within the switch), and some form of connectivity between the two. With an external router, the connection to the switch can be a separate Ethernet/Fast Ethernet/Gigabit Ethernet link for each VLAN, or a single trunk link can be used.

Comparison of Layer 2 and Layer 3 operations in the core
The core should have adequate redundancy. In a LAN it is possible to implement the core as a switched or routed layer. The Layer 2 (switched) core manages its redundant links using the Spanning-Tree Protocol. Some links are not used because one or more ports will be in the Blocking state. Not only does this underutilize the available bandwidth, it also often results in inefficient traffic paths. The Layer 3 core manages its redundant links using a routing protocol. The routing protocol selects the optimal path for traffic and can make use of redundant links through load balancing. Furthermore, implementing the core at Layer 3 allows more flexibility and control over packet flows, permitting additional benefits such as Quality of Service (QoS) to be implemented.

Inter-VLAN routing performance and scalability issues
Both an external and an internal router can be used with subinterfaces, with a tradeoff between cost and performance. Once the 100 Mbps capacity of the external router's link is exceeded, the use of an integrated route processor becomes the only realistic option for providing Inter-VLAN routing. Care should be taken to ensure that the distribution switch is the root of the spanning tree for each VLAN.
This step is easily overlooked, and although a network will provide connectivity with an access layer switch acting as the STP root, the inefficient traffic flow will seriously limit the throughput of the distribution layer links.

Role of the different VLANs
Types of VLANs: VLAN 1, default VLAN, user VLANs, native VLAN, and management VLAN.
* VLAN 1 – for Layer 2 protocols: CDP, PAgP, DTP and VTP.
* Default VLAN – all ports default to VLAN 1.
* User VLANs – segment a group of users.
* Native VLAN – untagged frames belong to the native VLAN. The default is VLAN 1.
* Management VLAN – in case of network problems, such as broadcast storms or spanning tree convergence issues, an independent management VLAN allows the network administrator to still reach the devices over the network and troubleshoot the problem.

Slide 39: Implementing Multilayer Switching in the Network
Overview:
* Multilayer Switching
* Cisco Express Forwarding
One of the bottlenecks in high-speed networking is the decision-making process within the router. In recent years, technologies and accompanying hardware have enhanced the process of rewriting PDU headers to move traffic to its ultimate destination. A number of software and hardware combinations enable hardware-based PDU header rewrites and forwarding. Two of the methods used by Cisco devices are Multilayer Switching (MLS) and Cisco Express Forwarding (CEF). MLS is sometimes known as "route once, switch many". CEF can be thought of as "route never, switch always".

Multilayer switching
Properties of Multilayer Switching:
* Hardware based (high speed).
* Performs PDU header rewrites and forwarding.
* Uses Layer 2, 3 and 4 header information.
Multilayer Switching (MLS) performs Layer 3 switching at Layer 2 speed. This solves the router-as-a-bottleneck issue.
MLS components
* MLS Switching Engine (MLS-SE)
* MLS Route Processor (MLS-RP)
* MLS Protocol (MLSP)
MLS looks at the first packet in a flow of data and caches some header information describing the flow. Subsequent packets in the flow circumvent (bypass) the router by having their packet headers rewritten (wire-speed switching). Switching is performed by ASIC switching hardware. Packets that do not have a switched path to their destinations (e.g. OSPF, IS-IS) are still forwarded by routers. A Catalyst 5000 with a Supervisor Engine IIIG is an example of MLS-SE hardware that performs packet switching. Only certain combinations of MLS-SEs and MLS-RPs can run MLS.

MLS flows
The maximum size of the MLS cache is 128,000 entries. The MLS-SE rewrites the Layer 2 frame header, changing the destination MAC address and the source MAC address. Layer 3 information remains the same, except for the TTL (decremented by 1) and the checksum.

The MLS-SE uses flow masks to determine how MLS entries are created. The flow mask is a set of criteria, based on a combination of source IP address, destination IP address, protocol, and protocol ports, that describes the characterist of the flow. The MLS-SE learns the flow mask through Multilayer Switching Protocol (MLSP) messages from each MLS-RP. When the MLS-SE flow mask changes, the entire MLS cache is purged.

The three flow masks are as follows:
* destination-ip – the least specific flow mask. The MLS-SE maintains one MLS entry for each destination IP address. This mode is used if no access control lists (ACLs) are configured on any of the MLS-RP interfaces.
* source-destination-ip – the MLS-SE maintains one MLS entry for each source and destination IP address pair. All flows between a given source and destination use this MLS entry, regardless of the IP protocol ports. This mode is used if any of the MLS-RP interfaces has a standard ACL.
* ip-flow – the most specific flow mask. The MLS-SE creates and maintains a separate MLS cache entry for every IP flow. An ip-flow entry includes the source IP address, destination IP address, protocol, and protocol ports. This mode is used if any of the MLS-RP interfaces has an extended ACL.

MLS operation
The MLSP Hello packets are sent every 15 seconds by multicast. The XTAG is used to identify the route processor (RP). The packet shortcut is performed by the switch's NetFlow Feature Card (NFFC). It switches the packets and rewrites the source and destination MAC addresses. Use show port capabilities to check the port. If the port does not support in-line rewrite, the packet rewrite is done in the Supervisor Engine.

Cisco Express Forwarding overview
A simplified block diagram of CEF is as follows. Packet forwarding is based on three tables.

Comparing MLS and CEF
MLS: route once, switch many. CEF: route never, switch always. In MLS, a route change in a large network causes many cached entries to expire. A small MLS cache results in a low hit rate; however, a large cache requires more time to find an entry. CEF uses the routing table directly for switching. The following tables are maintained:
* Forwarding Information Base – a copy of the routing table.
* Adjacency table – a table of Layer 3 to Layer 2 address mappings of the neighbor (adjacent) devices.
* NetFlow table – keeps records of packet switching.
CEF is supported on Catalyst 8500 switch routers, Catalyst 3550 switches, Catalyst 2948G-L3 switches, Catalyst 4000 switches, and Catalyst 6000 switches. Cisco routers running Cisco IOS Software Release 12.2 or later also support CEF.

CEF operation
Supervisor Engine 2 consists of three primary components:
* Supervisor base board – network management, daughter board connections.
* Policy Feature Card 2 (PFC2) – daughter board for packet forwarding.
* Multilayer Switching Feature Card 2 (MSFC2) – for Layer 3 activities.
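The three flow masks and their dependence on the ACL type, as an added example that is not part of the original lecture: a Python model of an MLS-SE cache keyed by the current mask, purged when MLSP announces a new mask, and capped at the 128,000 entries stated above. The addresses, MACs and the rp_rewrite stand-in for the MLS-RP are constructed.

```python
# Constructed model of the MLS-SE flow-mask cache and its dependence on the MLS-RP ACLs.
from typing import Callable, Dict, Tuple

MAX_MLS_ENTRIES = 128_000        # cache size given on the slide


def mask_for_acls(acl_types: set) -> str:
    """Flow mask the MLS-SE must use, from the ACL types on the MLS-RP interfaces."""
    if "extended" in acl_types:
        return "ip-flow"
    if "standard" in acl_types:
        return "source-destination-ip"
    return "destination-ip"


def flow_key(mask: str, pkt: Dict) -> Tuple:
    """Header fields that identify one MLS cache entry under the given mask."""
    if mask == "destination-ip":
        return (pkt["dst"],)
    if mask == "source-destination-ip":
        return (pkt["src"], pkt["dst"])
    if mask == "ip-flow":
        return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
    raise ValueError(f"unknown flow mask {mask}")


class MlsCache:
    def __init__(self, mask: str = "destination-ip") -> None:
        self.mask = mask
        self.entries: Dict[Tuple, Dict] = {}     # key -> L2 rewrite learned from the RP
        self.hits = self.misses = 0

    def set_mask(self, mask: str) -> None:
        """An MLSP message announces a new mask: the whole cache is purged."""
        if mask != self.mask:
            self.mask, self.entries = mask, {}

    def switch(self, pkt: Dict, rp_rewrite: Callable[[Dict], Dict]) -> str:
        """The first packet of a flow is routed by the MLS-RP and its rewrite cached;
        later packets matching the entry are rewritten by the switch hardware."""
        key = flow_key(self.mask, pkt)
        entry = self.entries.get(key)
        if entry is None:
            self.misses += 1
            if len(self.entries) < MAX_MLS_ENTRIES:  # a full cache keeps routing in software
                self.entries[key] = rp_rewrite(pkt)
            return "routed"
        self.hits += 1
        pkt["dst_mac"], pkt["src_mac"] = entry["dst_mac"], entry["src_mac"]
        pkt["ttl"] -= 1                  # Layer 3 untouched apart from TTL and checksum
        return "shortcut"


def rp_rewrite(pkt: Dict) -> Dict:
    """Stand-in for the MLS-RP: the MAC rewrite it applied to the routed packet."""
    return {"dst_mac": "00:00:5e:00:53:20", "src_mac": "00:00:5e:00:53:01"}


SAMPLE = [   # constructed: three flows from one host and one from another, same server
    {"src": "10.1.1.10", "dst": "10.2.2.20", "proto": 6, "sport": 40001, "dport": 80, "ttl": 64},
    {"src": "10.1.1.10", "dst": "10.2.2.20", "proto": 6, "sport": 40002, "dport": 80, "ttl": 64},
    {"src": "10.1.1.10", "dst": "10.2.2.20", "proto": 6, "sport": 40003, "dport": 22, "ttl": 64},
    {"src": "10.1.1.11", "dst": "10.2.2.20", "proto": 6, "sport": 40004, "dport": 80, "ttl": 64},
]


def entries_per_mask() -> Dict[str, int]:
    """How many cache entries the same traffic produces under each ACL situation."""
    result = {}
    for acls in (set(), {"standard"}, {"extended"}):
        cache = MlsCache(mask_for_acls(acls))
        for pkt in SAMPLE:
            for _ in range(2):                   # two packets per flow
                cache.switch(dict(pkt), rp_rewrite)
        result[cache.mask] = len(cache.entries)
    return result
```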
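The two CEF tables named in the comparison above, as an added example not taken from the lecture or from Cisco: a Python Forwarding Information Base built as the four-level, byte-indexed tree the FIB slide below describes, in which shorter prefixes are expanded into the slots they cover so that the first leaf reached is the longest match, plus the ARP-style adjacency table that supplies the Ethernet rewrite. Routes, interfaces and MAC addresses are constructed.

```python
# Constructed model of the CEF FIB (4-level, byte-indexed tree) and adjacency table.
import ipaddress
from typing import Dict, Optional, Tuple

Leaf = Tuple[int, str]   # (prefix length, next-hop IP) stored in a tree slot


class FIB:
    """One 256-slot node per address byte. A slot holds None, a Leaf, or a child
    node for the next byte. Shorter prefixes are expanded into every slot they
    cover, so the first leaf met while descending is the longest match."""

    def __init__(self) -> None:
        self.root: list = [None] * 256

    def add(self, prefix: str, next_hop: str) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        octets, plen = net.network_address.packed, net.prefixlen
        node, level = self.root, 0
        while plen - level * 8 > 8:              # a whole byte of prefix still to consume
            slot = node[octets[level]]
            if not isinstance(slot, list):
                # Push the existing shorter leaf (or None) down one level so it keeps
                # covering the addresses the new, longer prefix does not.
                slot = [slot] * 256
                node[octets[level]] = slot
            node, level = slot, level + 1
        bits = plen - level * 8                  # 0..8 prefix bits decided at this level
        low = (octets[level] & (0xFF << (8 - bits))) & 0xFF if bits else 0
        for i in range(low, low + (1 << (8 - bits))):
            self._install(node, i, (plen, next_hop))

    def _install(self, node: list, i: int, leaf: Leaf) -> None:
        """Fill slot i unless a more specific leaf already lives there; descend into
        child nodes so their less specific slots are filled as well."""
        slot = node[i]
        if isinstance(slot, list):
            for j in range(256):
                self._install(slot, j, leaf)
        elif slot is None or slot[0] <= leaf[0]:
            node[i] = leaf

    def lookup(self, dst: str) -> Optional[Leaf]:
        """Longest match: walk one byte per level until a leaf (or empty slot)."""
        node = self.root
        for byte in ipaddress.ip_address(dst).packed:
            slot = node[byte]
            if not isinstance(slot, list):
                return slot
            node = slot
        return None


class AdjacencyTable:
    """Next-hop IP -> (egress interface, next-hop MAC), filled from ARP replies
    or gleaned from routing updates, so forwarding needs no discovery step."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[str, str]] = {}

    def learn(self, next_hop: str, iface: str, mac: str) -> None:
        self.entries[next_hop] = (iface, mac)


def forward(fib: FIB, adj: AdjacencyTable, router_mac: str, pkt: Dict) -> Optional[Dict]:
    """One CEF decision: FIB longest match, then the adjacency's Ethernet rewrite.
    Layer 3 is untouched apart from TTL - 1 (and the checksum that follows)."""
    match = fib.lookup(pkt["dst_ip"])
    if match is None:
        return None                              # no route at all: drop
    plen, next_hop = match
    if next_hop not in adj.entries:
        return {"action": "glean", "next_hop": next_hop}   # punt to CPU to resolve ARP
    iface, mac = adj.entries[next_hop]
    return {"action": "forward", "iface": iface, "dst_mac": mac,
            "src_mac": router_mac, "ttl": pkt["ttl"] - 1, "prefix_len": plen}


def sample_tables() -> Tuple[FIB, AdjacencyTable]:
    """Constructed routes (most specific inserted first to exercise the push-down
    and fill logic) and constructed adjacencies; 192.0.2.254 is left unresolved."""
    fib, adj = FIB(), AdjacencyTable()
    for prefix, nh in [("10.1.2.0/24", "192.0.2.3"), ("10.1.0.0/16", "192.0.2.2"),
                       ("10.0.0.0/8", "192.0.2.1"), ("0.0.0.0/0", "192.0.2.254")]:
        fib.add(prefix, nh)
    adj.learn("192.0.2.1", "Gi0/1", "00:00:5e:00:53:01")
    adj.learn("192.0.2.2", "Gi0/2", "00:00:5e:00:53:02")
    adj.learn("192.0.2.3", "Gi0/3", "00:00:5e:00:53:03")
    return fib, adj
```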
CEF forwarding information base
The FIB is a tree with 4 levels, based on the 4 bytes of the IP address. CEF relies on a longest-match forwarding algorithm, meaning that the tree is searched in descending order until the "longest match", or greatest number of bits, is matched.

CEF adjacency table
The adjacency table contents are fundamentally a function of the ARP process, whereby Layer 2 addresses are mapped to corresponding Layer 3 addresses. When the router issues an ARP request, a corresponding reply is received, and a host entry is added to the adjacency table to reflect this. In addition, the router can also glean (collect) next-hop routers from routing updates and make entries in the adjacency table to reflect this. This lets the router build the next-hop rewrite information necessary for Layer 3 packet forwarding. By having this data already stored in a table, CEF can perform highly efficient and consistent forwarding, because no discovery process is required.

The command show ip cef is used to view the contents of the CEF adjacency table from the MSFC2. The command show ip cef summary gives a brief overview of the CEF process. It shows information such as the total number of adjacencies and routes. The third table used by CEF is the NetFlow table. Because this table compiles network accounting data and does not play a role in the PDU header rewrite mechanism of CEF, it will not be discussed.

Additional benefits of CEF-based forwarding
* Scalability – additional line cards for distributed CEF (dCEF).
* Availability – hardware-based switching reduces router CPU loading.
* ACL – ACLs can also be handled by the CEF hardware.
* Multicast – multicast entries are also supported.

Slide 54: Redundancy
ICMP Router Discovery Protocol (IRDP)
Some newer IP hosts use IRDP (RFC 1256) to find a new router when a route becomes unavailable.
A host that uses IRDP listens for hello multicast messages from the router that the host is configured to use. The host switches to an alternate router when it no longer receives those hello messages. The only required task is to enable IRDP processing on an interface. Use the following command in interface configuration mode:
Router(config-if)#ip irdp
Use the debug ip icmp command to display information on ICMP transactions. This command helps determine whether the router is sending or receiving ICMP messages. Use this command when troubleshooting an end-to-end connection problem.

Hot Standby Router Protocol (HSRP)
One way to achieve near 100% network uptime is to use HSRP (RFC 2281). By sharing an IP address (virtual IP) and a MAC address (virtual MAC), two or more routers operate as a single router called a virtual router. This set is known as an HSRP group or a standby group. If the active router fails, the standby router takes over as the active router. Hosts continue to forward IP packets to a consistent IP and virtual MAC address, and the changeover between routers is transparent to the end workstation.

Virtual Router Redundancy Protocol (VRRP)
Both HSRP and VRRP enable two or more devices to work together in a group, sharing a single virtual IP address. In HSRP, both the active and standby routers send periodic hello messages. In VRRP, only the master sends periodic messages, known as advertisements. Cisco recommends using HSRP for its superior convergence characteristics. Use VRRP only when local subnet interoperability with other vendors is required.

Gateway Load Balancing Protocol (GLBP)
Besides redundancy, GLBP also allows a group of routers to share the load of the default gateway on a LAN. This is achieved by sending different ARP replies to different hosts.
Single Router Mode (SRM) redundancy
SRM redundancy is an alternative to having both Multilayer Switch Feature Cards (MSFCs) in a chassis active at the same time. Using SRM redundancy, only the designated router MSFC is visible to the network at any given time. The non-designated router is booted up completely and participates in configuration synchronization, which is automatically enabled when entering SRM. Unlike the MSFC high availability method, the configuration of the non-designated router is exactly the same as that of the designated router, but its interfaces are kept in a "line down" state and are not visible to the network.

Processes, such as routing protocols, are created on both the non-designated router and the designated router. All non-designated router interfaces are in a "line down" state and do not send or receive updates from the network. When the designated router fails, the non-designated router changes its state to become the designated router and the interface states change to "link up". The router builds its routing table while the existing Supervisor Engine switch processor entries are used to forward Layer 3 traffic. After the newly designated router has built its routing table, the entries in the switch processor are updated.

Server Load Balancing (SLB)
SLB is an IOS-based solution that defines a virtual server representing a group of real servers in a server farm (a single virtual server). When a client initiates a connection to the virtual server, the SLB function chooses a real server for the connection based on a load balancing algorithm. The network gains scalability and availability when virtual servers represent server farms. New servers can be added, and existing servers can be removed or fail, at any time without affecting the availability of the virtual server.
Supported platforms:
* Catalyst 6000 Series
* Cisco 7200 Series

HSRP operations
The active router forwards data packets and transmits hello messages. The standby router takes the active role if the active router fails. The standby router also transmits hello messages to other routers in the HSRP group. Several other routers may exist in an HSRP standby group. These other routers monitor HSRP hello messages but do not respond. They function as normal routers that forward packets sent to them, but do not forward packets addressed to the virtual router. These additional HSRP routers remain in the "init" state. If both the active and standby routers fail, all other routers in the group contend for the active and standby roles. The router with the lowest MAC address becomes the active router unless an HSRP priority is configured, in which case the router with the higher priority becomes active (see the diagram). The default priority for an HSRP router is 100.

The virtual router MAC address
The MAC address used by the virtual router is made up of the following:
* Vendor ID – the first three bytes of the MAC address.
* HSRP code – two bytes (07.ac), indicating that the MAC address belongs to an HSRP virtual router.
* Group ID – the last byte of the MAC address is the group ID number.
To display the virtual IP and MAC address, use the command show standby.

HSRP messages
HSRP messages are encapsulated in UDP packets and use port number 1985. HSRP messages use the physical interface IP address as the source. The HSRP messages are sent to the destination multicast address (188.8.131.52). It is used to communicate with all routers, with the TTL set to one.
* Op Code – indicates the type of message: 0 = Hello, 1 = Coup (sent when a router wants to become the active router), 2 = Resign (sent when a router no longer wants to be the active router).
* Holdtime – the time for which the Hello message is valid.
* Priority – used to elect the active and standby routers.
* Group – identifies the standby group.
* Authentication data – clear-text 8-character password.
* Virtual address – the IP address of the virtual router.
* State – active/standby/init.

HSRP states
* Initial – the beginning of the HSRP process. HSRP is not yet running.
* Learn – the router has not determined the virtual IP address and has not yet seen an authenticated hello message from the active router. It is still waiting to hear from the active router.
* Listen – the router knows the virtual IP address but is neither the active router nor the standby router. Routers other than the active and standby router remain in the listen state.
* Speak – the router sends periodic hello messages and is actively participating in the election of the active or standby router. A router cannot enter the Speak state unless it has the virtual IP address.
* Standby – the router is a candidate to become the next active router and sends periodic hello messages. Excluding transient conditions, there is at most one router in the group in the Standby state.
* Active – the router is currently forwarding packets. It sends periodic hello messages. Excluding transient conditions, there is at most one router in the Active state in the HSRP group.

How HSRP addresses redundancy issues
HSRP routers on a LAN segment or VLAN communicate among themselves to designate 3 possible router states:
* active
* standby
* init
The active router receives the packets sent to the virtual MAC address and replies with the virtual MAC address to ARP requests. If the active router fails, the standby router takes over and delivers packets using the same virtual IP and virtual MAC, so the changeover is transparent to users. If a third HSRP router were added to the LAN segment, this router would begin to act as the new standby router but remain in the "init" state. HSRP also works for proxy ARP.
When an active HSRP router receives an ARP request for a node that is not on the local LAN, it replies with the virtual MAC address.

HSRP standby priority
Each standby group has its own active and standby routers. The network administrator can assign a priority value to each router in a standby group. This lets the administrator control the order in which active routers for that group are selected.
Router(config-if)#standby group-number priority priority-value
* group-number – (optional) indicates the HSRP standby group. The range is 0 to 255.
* priority-value – the number that prioritizes a potential hot standby router. The range is 0 to 255, with a default of 100.
The router in an HSRP group with the highest priority becomes the forwarding router. The tiebreaker for matching priority is the higher IP address. Example:
A(config-if)#standby 50 priority 150
(a priority value of 150 in HSRP standby group 50)

HSRP standby preempt
The standby router assumes the active router role when the active router fails or is removed from service. This new active router remains the forwarding router even when the former active router with the higher priority returns to service. The former active router can be configured to resume the forwarding router role from a router with a lower priority. To enable a router to resume the forwarding router role, enter the following command in interface configuration mode:
Router(config-if)#standby group-number preempt

HSRP hello timers
An HSRP-enabled router sends hello messages to indicate that it is running and is capable of becoming either the active or the standby router. The hello message contains the priority of the router, the hellotime and the holdtime. The hellotime value indicates the interval between hello messages. The holdtime value is the amount of time for which the current hello message is considered valid. The holdtime value should be at least three times the value of the hellotime.

HSRP over trunk links
Running HSRP over ISL allows users to configure redundancy between multiple routers that are configured as front ends for VLAN IP subnets. By configuring HSRP over ISL, situations in which a single point of failure causes traffic interruptions can be eliminated. HSRP is also supported over 802.1Q trunks.
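The HSRP message fields, virtual MAC layout, priority election and hello-timer rule from the slides above, as an added Python example that is not part of the original lecture. It packs and parses the RFC 2281 message layout (version, op code, state, hellotime, holdtime, priority, group, reserved, 8-byte authentication data, virtual IP); the field order, the state codes and the 00:00:0c vendor prefix are taken from RFC 2281 rather than from the slides, and the addresses and passwords are constructed.

```python
# Constructed HSRP helpers: RFC 2281 message layout, virtual MAC, hello checks, election.
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

HSRP_UDP_PORT = 1985
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
# Version, Op Code, State, Hellotime, Holdtime, Priority, Group, Reserved (1 byte each),
# then 8 bytes Authentication Data and 4 bytes Virtual IP Address: 20 bytes in all.
HSRP_FMT = "!8B8s4s"


def virtual_mac(group: int) -> str:
    """Vendor ID 00:00:0c + HSRP code 07:ac + one-byte group ID (RFC 2281)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group must fit in one byte")
    return f"00:00:0c:07:ac:{group:02x}"


def build_hello(group: int, priority: int, vip: str, hellotime: int = 3,
                holdtime: int = 10, state: int = 16, auth: bytes = b"cisco") -> bytes:
    """Encode a hello; used here only to construct sample input."""
    return struct.pack(HSRP_FMT, 0, 0, state, hellotime, holdtime, priority, group, 0,
                       auth.ljust(8, b"\x00"), IPv4Address(vip).packed)


def parse_hsrp(payload: bytes) -> Dict[str, object]:
    """Decode the 20-byte HSRP message carried in UDP port 1985."""
    size = struct.calcsize(HSRP_FMT)
    if len(payload) < size:
        raise ValueError("short HSRP payload")
    ver, op, state, hello, hold, prio, group, _res, auth, vip = struct.unpack(
        HSRP_FMT, payload[:size])
    return {
        "version": ver,
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),  # clear text on the wire
        "virtual_ip": str(IPv4Address(vip)),
        "virtual_mac": virtual_mac(group),
    }


def check_hello(msg: Dict[str, object], expected_group: int, expected_auth: str) -> List[str]:
    """Consistency checks a monitoring point can apply to each received hello."""
    findings = []
    if msg["group"] != expected_group:
        findings.append("unexpected group")
    if msg["auth"] != expected_auth:
        findings.append("authentication mismatch")
    if msg["holdtime"] < 3 * msg["hellotime"]:       # rule from the hello timers slide
        findings.append("holdtime below 3 x hellotime")
    return findings


def elect_active(routers: List[Tuple[str, int]]) -> str:
    """(interface IP, priority) pairs: highest priority wins, higher IP breaks ties."""
    return max(routers, key=lambda r: (r[1], int(IPv4Address(r[0]))))[0]


if __name__ == "__main__":
    hello = build_hello(group=50, priority=150, vip="192.0.2.1")   # the slide's group 50 / priority 150
    msg = parse_hsrp(hello)
    print(msg["virtual_mac"], check_hello(msg, expected_group=50, expected_auth="cisco"))
```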