7 - Redundancia Con HSRP-VRRP-GLBP

Embed Size (px)

Citation preview

  • Implementing High Availability Options in MLS with HSRPMSIG MSIA

  • *Implementing High Availability To achieve high network availability, the following network components are required:Reliable, fault-tolerant network devices Hardware and software reliability to automatically identify and overcome failures.Device and link redundancy Entire devices may be redundant or modules within devices may be redundant. Links may also be redundant.Resilient network technologies Intelligence that ensures fast recovery around any device or link failure.Optimized network design Well-defined network topologies and configurations designed to ensure that there is no single point of failure.Best practices Documented procedures for deploying and maintaining a robust network infrastructure.

  • *High Availability: 6 Years and counting

  • *Single Forwarding Path vs Redundancy

  • *High Availability

  • *Implementing High Availability The network devices that provide redundancy do not need to be co-located in the same physical location. This reduces the probability that problems with the physical environment, such as a power outage or other environmental issue, will interrupt service.Paraphrasing Jim Warner, Network Engineer at UCSC, When adding redundancy, know what you are trying to protect yourself from. It doesnt help to have redundant devices when there is a power failure, or redundant links when the cables laid in the same conduit.

  • *Redundancy can be used for load balancingWith appropriate resiliency features combined with careful design and configuration, the traffic load between the respective layers of the network topology (that is, Building Access submodule to Building Distribution submodule) can be shared between the primary and secondary forwarding paths. Therefore, network-level redundancy can also provide increased aggregate performance and capacity.HSRP Load Balancing

  • *Implementing Default Gateway Router Redundancy in Multilayer Switched Networks

  • *Implementing Default Gateway Router Redundancy in Multilayer Switched Networks The availability of a default gateway router is a must for hosts in a multilayer switched network. There are several ways a LAN host can determine which router should be the first hop to a particular remote destination. The host can use a dynamic process or static configuration.Examples of dynamic router discovery are as follows:Proxy ARP The host uses Address Resolution Protocol (ARP) to determine the next-hop MAC address for off-network destinations. Local routers respond to the ARP request with their own MAC address.Routing protocol The host listens to dynamic routing protocol updates (for example, Routing Information Protocol [RIP]) and forms its own routing table.ICMP Router Discovery Protocol (IRDP) client The host runs an Internet Control Message Protocol (ICMP) router discovery client.Static/DHCP Host is statically configured or uses DHCP.

  • *Proxy ARP

  • *Proxy ARPTo acquire the MAC address of the failover router, the source end station must either:initiate another ARP requestwait for the ARP entry to be flushed dynamically. The ARP flush timer determines the period of time in which the source end station cannot communicate with the destination even though the routing protocol has converged. Once the ARP flushes the entry due to flush timer expiry, the host recovers the default gateway MAC address. Nevertheless, Cisco does not recommend the use of proxy ARP, because it makes troubleshooting very difficult. In addition, proxy ARP does not scale at all in medium-size to large networks.Router down, but Host ARP entry is still Router A, packets continue to get dropped.PacketsOnce ARP entry times out on host, it will send another ARP RequestRouter B will send a Proxy ARP Reply with its MAC addressHost now sends packets to Router B for File Server A.

  • *IRDP ICMP Router Discovery Message Protocol

  • *A host that uses IRDP:Listens for hello multicast messages from the preferred default router. The IRDP-based advertisements are considered valid only for a predefined lifetime value. If a new advertisement is not seen during that lifetime, the router address is considered invalid and the host removes the corresponding default route. The IRDP protocol allows for varying timing values. A lifetime value is included in the header of every IRDP advertisement. A host uses the router address only for the specified number of lifetime seconds after the most recent advertisement.IRDP ICMP Router Discovery Message ProtocolIRDP AdvertisementsI will use Router A as my default gateway.

  • *Static or DHCPThe most common method of providing a host with a default gateway address is:Static configurationDHCPThis approach simplifies end-device configuration and processing, but creates a single point of failure. If the default gateway fails, the end device is limited to communicating only on the local IP network segment and is cut off from the rest of the network.

  • *Redundancy ProtocolsCisco IOS offers several features to provide a redundant default gateway to end devices. The redundancy protocol provides the mechanism for determining which router should take the active role in forwarding traffic, and when that role must be taken over by one of the other routers. The transition from one forwarding router to another is transparent to the end devices.The following are the default gateway redundancy features supported by Cisco IOS routers and switches:Hot Standby Routing Protocol (HSRP)Virtual Router Redundancy Protocol (VRRP)Gateway Load Balancing Protocol (GLBP)

  • Hot Standby Router ProtocolHSRP

  • *HSRP (Hot Standby Routing Protocol)HSRP, a Cisco proprietary protocol, supplies a method of providing nonstop path redundancy for IP by sharing protocol and MAC addresses between redundant gateways. The protocol consists of a:virtual MAC address IP address These are shared between two routers, and a process that monitors both LAN and serial interfaces via a multicast protocol.

  • *One standby router The backup router in case the active router fails for the subnet. In that case, the standby router becomes the active router and starts forwarding traffic destined to the virtual IP address.One virtual router The virtual router is not an actual router. Rather, it is a concept of the entire HSRP group acting as one virtual router as far as hosts on the subnet are concerned. One active router The active router forwards traffic destined to the virtual IP address.

  • *The host connected to the switch sends the packet destined for the virtual router, but in reality the active router does the packet forwarding. Note: Additional HSRP member routers Other routers are neither active nor standby, but they are configured to participate in the same HSRP group. They monitor the current active and standby routers and transition into one of those roles if the current router fails for the subnet. 0000.0c07.ac01172.16.10.82 0010.f6b3.d000172.16.10.169 0010.0b79.5800My default gateway is Table = 0000.0c07.ac01

  • *The active router assumes and maintains its active role through the transmission of hello messages (default 3 seconds). The hello interval time defines the interval between successive HSRP hello messages sent by active and standby routers. The router with the highest standby priority in the group becomes the active router. The default priority for an HSRP router is 100; however, this option is configurable on a per-standby-group basis.When the preempt option is not configured, the first router to initialize HSRP becomes the active router 0000.0c07.ac01172.16.10.82 0010.f6b3.d000172.16.10.169 0010.0b79.5800My default gateway is Table = 0000.0c07.ac01HSRP Hellos: Active

  • *The second router in the HSRP group to initialize or second highest priority is elected as the standby router. The function of the standby router is to monitor the operational status of the HSRP group and to quickly assume packet-forwarding responsibility if the active router becomes inoperable. The standby router also transmits hello messages to inform all other routers in the group of its standby router role and status. 0000.0c07.ac01172.16.10.82 0010.f6b3.d000172.16.10.169 0010.0b79.5800My default gateway is Table = 0000.0c07.ac01HSRP Hellos: Standby

  • *The virtual router presents a consistent available router (default gateway) to the hosts. The virtual router is assigned its own IP address and virtual MAC address; however, the active router acting as the virtual router actually forwards the packets.Additional HSRP member routers: These routers in listen state monitor the hello messages but do not respond. Do forward any packets addressed to the routers' IP addresses. Do not forward packets destined for the virtual router because they are not the active router. 0000.0c07.ac01172.16.10.82 0010.f6b3.d000172.16.10.169 0010.0b79.5800My default gateway is Table = 0000.0c07.ac01I receive and forward packet sent to the virtual router.

  • *When the active router fails, the other HSRP routers stop receiving hello messages and the standby router assumes the role of the active router. This occurs when the holdtime expires (default 10 seconds). Because the new active router assumes both the IP address and virtual MAC address of the virtual router, the end stations see no disruption in service. The end-user stations continue to send packets to the virtual router's virtual MAC address and IP address where the new active router delivers the packets to the destination. 0000.0c07.ac01172.16.10.82 0010.f6b3.d000172.16.10.169 0010.0b79.5800My default gateway is Table = 0000.0c07.ac01HSRP Hellos: ActiveHSRP HellosI dont see Hellos from Active (10 secs), so I will receive and forward packet sent to the virtual router.New Active Router

  • *HSRP StatesInitialInitialListenListenActiveSpeakStandbyListenSpeakSpeak StandbyRouter APriority100Router BPriority50HSRP Standby Group 1Router B hears that router A has a higher priority, so router B returns to the listen state.Router A does not hear any higher priority than itself, so promotes itself to standby.Router A does not hear an active router, so promotes itself to active.All other routers remain in this state.

  • *HSRP StatesInitial state All routers begin in the initial state. This state is entered via a configuration change or when an interface is initiated.Learn state The router has not determined the virtual IP address, and has not yet seen a hello message from the active router. In this state, the router is still waiting to hear from the active router.Listen state The router knows the virtual IP address, but is neither the active router nor the standby router. All other routers participating in the HSRP group besides the active or standby routers reside in this state. Speak state HSRP routers in the speak state send periodic hello messages and actively participate in the election of the active or standby router. The router remains in the speak state unless it becomes an active or standby router.Standby state In the standby state, the HSRP router is a candidate to become the next active router and sends periodic hello messages. There must be at least one standby router in the HSRP group.Active state In the active state, the router is currently forwarding packets that are sent to the virtual MAC and IP address of the HSRP group. The active router also sends periodic hello messages.Not all HSRP routers transition through all states. For example, a router that is not the standby or active router does not enter the standby or active states.

  • *HSRP Group Identifier Router A has a priority of 200 Router B has a default priority of 100. Router A assumes the active router role and forwards all frames addressed to the well-known MAC address of 0000.0c07.acxx, where xx is the HSRP group identifier.

  • *HSRP Group Identifier If the HSRP group number of router A is 01, the MAC address that corresponds to the virtual IP address is 0000.0c07.ac01. If the HSRP group number of router A is 2f, the MAC address that corresponds to the virtual IP address is 0000.0c07.ac2f. The HSRP group number is the standby group number (47) converted to hexadecimal (2f).

  • *Configuring HSRPRouter Ainterface vlan 10ip add standby 1 priority 200 standby 1 ip standby 1 preempt

    Router Binterface vlan 10ip add standby 1 priority 100 standby 1 ip standby 1 preempt

  • *HSRP Load Balancing

  • *HSRP Load Balancing Two HSRP-enabled routers participate in two separate VLANs using Inter-Switch Link (ISL) or 802.1Q. Trunking allows users to configure HSRP redundancy between multiple routers to eliminate situations in which a single point of failure causes traffic interruptions.

  • *HSRP Interface Tracking Primary T1 link experiences a failure. Without HSRP enabled, router A would detect the failed link and send an ICMP redirect to router B. Active RouterXRouter A sends ICMP Redirect to Host, pointing it to Router B.Host now sends packets to Router B.

  • *HSRP Interface Tracking Interface tracking enables the priority of a standby group router to be automatically adjusted based on availability of the other interfaces on that router. Active RouterXRouter A still sends HSRP Hellos.Hosts continue to send packets to Router A.

  • *HSRP Interface Tracking The E0 interface on router A tracks the S1 interface. If the link between the S1 interface and headquarters fails, the router automatically decrements its priority on that interface and stops transmitting hello messages out interface E0. Router B assumes the active router role when no hello messages are detected for the specific holdtime period. Active RouterXRouter A tracks S1 and automatically decrements its priority and stops sending hello messages.Hosts now send packets to Router B.Router B assumes Active role after holdtime.

  • *Router Ainterface Ethernet0 ip address /24 no ip redirects standby 1 priority 105 standby 1 preempt standby 1 ip standby 1 track Serial1

    interface Serial1 ip address /24Router Binterface Ethernet0 ip address /24 no ip redirects standby 1 priority 100 standby 1 preempt standby 1 ip standby 1 track Serial1

    interface Serial1 ip address /24

  • Virtual Router Redundancy ProtocolVRRP

  • *VRRPLike HSRP, VRRP is a default gateway redundancy method. VRRP enables a group of routers to form a single virtual router. The VRRP standard (RFC 2338) solves the static default gateway configuration problem. VRRP is similar in functionality to HSRP, and hence the LAN hosts can be configured with the virtual router as their default gateway. The virtual router, representing a group of routers, is known as a VRRP group.Cisco switches and routers support VRRP on Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces, and on MPLS VPNs and VLANs.

  • *VRRPRouters A, B, and C, are VRRP-enabled routers.Routers A, B, and C form a virtual router, with as the virtual IP address.IP address of the virtual router is the same as that configured for the Ethernet interface of Router A ( the virtual router uses the IP address of the physical Ethernet interface of router A, router A assumes the role of the master virtual router and is known as the IP address owner. As the master virtual router, router A controls the IP address of the virtual router and is responsible for forwarding packets sent to this IP address. Hosts 1 through 3 are configured with the default gateway IP address of B and C function as backup virtual routers. If the master virtual router fails, the router configured with the higher priority will become the master virtual router and provide uninterrupted service for the LAN hosts. When Router A recovers, it becomes the master virtual router again.The virtual router can use a physical IP address or a virtual IP address.

  • *VRRPLAN topology in which VRRP is configured such that:Router A is default gateway for Hosts 1 and 2.Router B is default gateway for Hosts 3 and 4. Act as backup virtual routers to each other if either router fails.

  • *VRRPInterface IP address = virtual IP address for the VRRP groupOwning router is the master in a VRRP group The priority associated with that interface should be configured as 255. Otherwise, the highest priority wins the election and is the master. Backup values range from 1 to 254; the default value is 100.

  • *VRRPA main difference between HSRP and VRRP is that in VRRP, the backup router does not send advertisements. Therefore, the VRRP master is not aware of the current backup router.In summary, VRRP is similar to HSRP in functionality, but it is standard compared to Cisco's proprietary HSRP. Nevertheless, in enterprise and service provider networks, HSRP deployments far outnumber VRRP deployments.

  • Gateway Load Balancing Protocol GLBP

  • *GLBPCisco designed GLBP to allow automatic selection and simultaneous use of multiple available gateways, and to provide automatic detection and failover to a redundant path in the event of failure to any active gateway. With GLBP, it is possible to fully use resources without the extra administrative burden of configuring multiple groups and managing multiple default gateway configurations.

  • *GLBPA GLBP group has up to four member routers acting as IP default gateways, Known as the Active Virtual Forwarders (AVFs). GLBP: Automatically manages the virtual MAC address assignmentDetermines who handles the forwardingEnsures that each station has a forwarding path in the event of failures to gateways or tracked interfaces. These functions are accomplished by one of the routers in the group acting as the active virtual gateway (AVG).Load sharing is achieved by the AVG replying to the ARP requests with different virtual MAC addresses.Up to 4 members1 router

  • *Client 1Default Gateway = Gateway = Request for Reply: 0007.b400.0101Send Packet encapsulated in frame to 0007.b400.0101 000C.0417.91CC10.21.8.100172.16.10.100007.b400.0101

  • *Client 2Default Gateway = Gateway = Request for Reply: 0007.b400.0102Send Packet encapsulated in frame to 0007.b400.0102 000C.0417.91CC10.21.8.100172.16.10.100007.b400.0102

  • *GLBPIf Router A becomes unavailable Client 1 will not lose access to the WAN because Router B will assume responsibility for forwarding packets sent to the virtual MAC address of Router A, and for responding to packets sent to its own virtual MAC address. Router B will also assume the role of the AVG for the entire GLBP group. Round-robin load-balancing algorithm Each virtual forwarder MAC address takes turns being included in address resolution replies for the virtual IP address. The round-robin load-balancing algorithm is the default.

  • *GLBP Interface TrackingLike HSRP, GLBP can be configured to track interfaces. The link from router R1 is lost. GLBP detects the failure.The responsibility of forwarding packets destined for virtual MAC 1 is taken over by the secondary virtual forwarder

  • *SummaryVRRP provides router redundancy in a manner similar to HSRP.VRRP supports a master and one or more backup routers.VRRP and GLBP are configured per interface.GLBP provides router redundancy and load balancing.GLBP balances traffic by allocating a virtual MAC Address to each AVF.