Configuring and Explaining HSRP + Interface Tracking | Network Redundancy

Captions
So you've thought about adding some layer 3 redundancy to your network, or you are studying for your CCNA, or you just want to become more knowledgeable on the subject. Either way, it's never a bad idea to have some redundancy in key parts of the network. Today I'm going to show you how to configure Cisco's Hot Standby Router Protocol. I'm going to go a little bit more in depth and also show you how to track specific links to fail over the whole standby group, and I'm also going to show you the magic behind it and how it actually works.

Okay, so maybe you are used to having a topology like this, where you have a single router connected to the internet and a layer 2 switch, and you have your hosts and your wireless access points coming off of this guy. So in this video, in showing you how to configure HSRP, we're going to have something like this, where we have redundant firewall-enabled routers, and I also threw in dual internet providers as well. So you could have a dual single home connection, where you just have one provider and it breaks off to both of these routers here, and they might be running something like HSRP on their side as well. But for this example we're going to have provider 1 and provider 2, which is going to be reachable at this 8.8.8.8 IP address. And so let's get started. First let me get rid of this right here. Okay, and then let's get started with the first step.

So everything is configured to work except for the configuration necessary for HSRP, so let's start by going into router firewall 1. Now, I haven't even assigned any IP addresses to the LAN side yet either, so I thought that I would wait to do that for this video, so that way it can be more complete. So I'm gonna give these an RFC 1918 address with a Class C subnet, so we're going to go 192.168.10.0 network, /24. So the first thing you're going to want to do is go into interface configuration mode. So we see we have FastEthernet 0/1 connected to router
firewall 1 on our LAN side. This is where HSRP is going to be routing, so there's going to be a virtual... actually, let me go up here, and the virtual IP is going to be 192.168.10.1, so I should probably put that up there first. So depending on which one is active, whichever one is the active virtual gateway is going to accept requests destined for the virtual MAC for 192.168.10.1. So both of these are going to have IP addresses assigned to their interface, but these two are going to share this virtual IP depending on which one is active and which one is in standby.

So let's go into interface configuration mode, so we'll go FastEthernet 0/1, and we'll go ahead and give this an IP address of 192.168.10.2 and a /24 subnet mask, so 255.255.255.0. Okay, and then let me go ahead and configure router firewall 2 with an IP address as well before I actually get into the HSRP part. So we'll go interface FastEthernet 0/1, IP address 192.168.10.3. Now why did I put this at 10.2 and this other one at 10.3? Because, like I said, the virtual IP will be 192.168.10.1, so we want to bump them up.

Okay, so now let's open our PC, which is actually a router in disguise as a PC. Let's try to ping, make sure we have reachability. I'm always leery of certain things in GNS3, where I have issues once in a while where I won't have reachability, and it has nothing to do with anything that's been configured wrong; it's just sometimes it doesn't work until you do a shutdown and a no shutdown on an interface or an SVI. So let me just make sure I can reach 192.168.10.2. So send an ARP, and then 100%. 10.3, okay, perfect.

So here's where the magic comes in, because we have these two routers and the PC, and clearly in a real-life network you're going to have many PCs and other devices coming off the switch, and you may even have different zones coming off of your routers as well, maybe a DMZ or
something. So, but we know that we can only... this PC, if we do a show IP route, we see our default gateway is 192.168.10.1, which is going to be this virtual IP up here. So we can only point this PC to one gateway, and that's where the magic of HSRP comes in, or any first-hop redundancy protocol for that matter, so VRRP or GLBP.

So let's go and configure this, and we'll start with router firewall 1. So we're still on FastEthernet 0/1, and now this is super easy, this is probably one of the easiest things. You go standby, the standby group number, so we'll go with 1... actually, we'll go with 10, just because the third octet is 10 and the switch is on VLAN 10, so we'll make it 10. Standby 10 IP, and then 192.168.10.1, which is our virtual IP. Now, we're gonna do this same exact thing over on router firewall 2, but then we have a situation where they're going to negotiate who is active and who is primary, because I believe the default priority is 100. And we see right here, HSRP change state, FastEthernet 0/1, state standby to active, and that's because it's not receiving any sort of communication. There are no hello messages coming from router firewall 2, so it's the only one in its group right now, so it went into standby.

So what just happened there is it just sent a gratuitous ARP to this switch, and so that gratuitous ARP was broadcasted, so the MAC address table of the switch should be updated now for this virtual MAC, as well as the ARP cache on the... you know what, actually, I'm not sure; it may only be if that entry exists. But of course the PC is going to ARP for that when we perform some sort of communication. So let's just go show ARP. Okay, so no, it's not in the PC yet, but once we initiate some sort of communication that relies on this gateway to get to another network, such as the internet, you'll see that in there. But I'm getting a little ahead of myself; I'm starting to get into how it works before I've actually showed you how to fully
configure it. Okay, so this became active because it's the only one in the group, and like I was saying before, once we configure router firewall 2 they're going to auto-negotiate who is the primary and who is the secondary, so who's active, who's standby. We don't really want that. Normally you want to dictate which one is going to be the primary and which one is going to be secondary, and there might be several factors that play a role in that. One might be the fact that maybe this is a more powerful router, you know, maybe this one is kind of like a more dinky router. Maybe this is a 2921 and this is an 1841 or something. Or maybe based on the providers: maybe this is your primary provider and then this is a slower and maybe even more expensive provider. So we definitely want to tell these routers, hey, you know, you're gonna be primary, you're gonna be, you know, secondary or in standby.

So let's head over to router firewall 2. I know I'm kind of bouncing back and forth, but I'm just trying to keep this configuration even, so we configure one thing on one, we configure something on the other one, and then I'm gonna go back and configure the priorities and preemption, etc. So same thing on here. So the standby group has to be in the same group, so we did standby 10, group 10, and then IP 192.168.10.1. Okay, so now router firewall 2 is going to send some hellos and determine what's going on and what its state should be, and I'm guessing, since router firewall 1 is already active and preemption isn't enabled and priorities are the same... yep, exactly, right there, he's going to negotiate himself as standby.

Okay, so actually now that right there is a very basic HSRP configuration. If you wanted to, you could be done. This PC is pointed to 192.168.10.1 as its default gateway, this is just layer 2 here, and traffic is going to be forwarded through
Fast Ethernet 1/1, out Fast Ethernet 1/14. This will accept it since it's active and forward it out to the provider. But of course we don't want to do the bare minimum here; we want to go a little bit further and define those other parameters like I mentioned, such as, you know, hey, who's gonna be active, and are you going to take over again if your priority drops, and that kind of stuff.

So let's go back over to router firewall 1, and we want to make sure he is going to be primary, so we're gonna raise his priority up just a little bit. So we'll go standby 10 priority, we'll just do 105, why not, 5 more than what the default is. But that 5 more, it doesn't matter, it could be 101; as long as it's higher than the priority of the other router in the group, he's gonna win the election for being the active virtual forwarder. So now we've configured the priority. Now, we're not going to do anything with the priority over here; like I said, it's already 100, and we want router firewall 1 to be primary, so we're good there.

But what we also want to do is enable preemption as well, and preemption is going to allow him to take back over as the primary if there is a change in priority. So say router firewall 2 was active for some reason; without the preemption command, if he came back online, even though his priority would be higher, he would stay in standby. Now there's a reason why this isn't enabled by default, and the reason for that is because sometimes convergence time is... especially if you have multiple convergence events for multiple protocols going on, like spanning tree, and then you've got your convergence with HSRP, which doesn't take long at all, but sometimes there's a few packets that might be dropped, and that could affect, you know, the flow of traffic in a very busy network, just the smallest amount of downtime when things are switching over. So maybe you would
want to make it to where, yeah, router firewall 2 is gonna take over if this goes down, or if provider number one goes down, which I'm gonna show you how to configure coming up here in a few. But maybe you don't want router number one to take back over because, hey, one failure is enough; we'll just wait till, you know, it's after hours and then we'll, you know, get router firewall 1 switched back over so we don't have any further interruption. You don't want that flapping back and forth. But normally I configure both with the preemption command, because I don't mind having that switchover, especially if I have a reason why I really want this guy to be the primary router. So of course, in a failover to this lesser router, if you will, or this more expensive provider, of course I'm going to want router firewall 1 to come back to be active again once it recovers from whatever the fault was.

So anyways, that's pretty much it over here. So we had to go standby 10 and then the virtual IP, we set a priority of 105, and the preemption command. So over here we're just simply going to enable preemption on router firewall 2 as well.

Okay, so now let's just do a quick test and see if we have reachability to our internet, our 8.8.8.8, from our PC. Just gonna send that ARP, and success rate is 100%, so we have reachability. And actually let's just do a show ARP, and there you go, so now we have 192.168.10.1, the hardware address. And what you really want to look at is, every time I see this over here, this, you know, 07ac, that right there is going to tell you it's an HSRP MAC address. So we just forwarded the traffic through the switch, and the switch is aware of which switch port to forward that frame out of because of the MAC address table, which is saying that, hey, this MAC address right here lives off of Fast Ethernet 1/14. Sent it to router firewall 1, which
accepted the frame because it is active and will accept traffic with this MAC address, stripped off that frame, looked in its routing table to see where to go to get to 8.8.8.8, you know, made that forwarding decision, re-encapsulated it, stuck on another layer 2 header with the MAC address for its egress interface as the source and the destination MAC address for whatever the MAC is for Fast Ethernet 0/0 here, and on its way it went. So there you have it, that is HSRP. So if you were just watching this video to learn how to configure HSRP, then that is pretty much it right there.

Now, you might want to stick around for a few more, because I'm going to show you how to configure it where, say, this guy goes down, or say provider 1 goes down altogether. What then? Then we have a black hole. Because, I mean, already by default, if this link right here fails or this router fails altogether, he's gonna take over as active, because there's going to be no layer 2 adjacency, because this is going to be gone; either this link is gonna be gone or this whole router is going to be gone. He's not gonna receive any replies back to his hellos, and he's going to assume that his neighbor's dead and he needs to become active as soon as possible and gratuitously ARP that virtual MAC, you know, out this FastEthernet 0/1, which I'm going to explain to you how that works at the end, and that's what I meant by, you know, explaining the magic behind HSRP, so we'll get to that.

So again, let's say that this doesn't fail, or this router doesn't fail; let's say this LAN link fails or the provider fails. How would we configure that in a scenario like this? So what we'll do is we'll go back over to router firewall 1 and we'll simply create a tracking object. We want to track the line protocol of Fast
Ethernet 0/0, so we'll go track, and let's do track 1, okay, interface FastEthernet 0/0 line protocol. Now, you can play around with some fancier options, where you can set the delay, so you could set a figure for what would be considered down and what would be up, so this tracking object could go down if your delay met the threshold, which is really cool, but we're not gonna worry about that. We just want to track the status of the interface and say, hey, if this goes down, let's do something about it. So here we go, so we have track 1, which is up, of course, because it is up.

So now we'll go back into FastEthernet 0/1 and we just go standby and then our group, which is 10, and then track 1, and then how much do we want to decrement the priority if this fails? Well, if this fails, in this topology, this router is only good for the internet, because that's the only thing connected to it, so I would just consider this router a dead end if this failed right here. So let's just decrement the priority 100, and there it is. So just decrement the priority 100, or as you see fit for your specific scenario, and if the line protocol here goes down, then this is going to go into standby and then this will take over as active.

So let's try it. So this is GNS3, so I think I just need to go in there and shut the link down, no physical unplugging of cables. We'll go interface Ethernet 0/0 and shut. You see that, that's cool right there. So our tracking object went down because the line protocol FastEthernet 0/0 went down. HSRP changed states, so it went from active to speak, and then it's going to go right into standby, which it did. So here we see HSRP change state, FastEthernet 0/1 group 10 went from speak to standby. So now, because this has failed, this is now our active virtual gateway right here. Now let's go ahead and do a test. Okay, so let's just... and then we'll do it,
we'll do a trace as well to make sure. Well, obviously it has to go through here, because you saw me shut this down, but sometimes it's never believable until you do a traceroute. So we'll do trace 8.8.8.8, yep, and here we go, we see it going through. Remember, the IP address assigned to the interface was 192.168.10.3, so we got our ICMP reply from there, proving that it is going through here, to router firewall 2, to provider 2.

All right, and then let's see that preemption command in action. So let's do a no shut on FastEthernet 0/0 on router firewall 1. That should immediately cause the tracking object to come back up and will cause HSRP to go back into active. There we go. Do another trace, you see 192.168.10.2, so we're back through router firewall 1. How cool is that? I think it's pretty neat.

So, last thing would be, and some of you might be thinking this already... one second, let me take a drink, caffeine, I gotta keep my energy up. So some of you might be thinking, well, what if provider 1 fails internally? The line protocol is going to stay up between here and here, because, say it's cable, you're going to have, you know, your Cat5e or Cat6 connected to your cable modem. So what then? You'd like to switch over to provider 2, because, again, that would be a situation where traffic would still be going to router firewall 1, it would be a dead end, and we have this provider 2 up here that, you know, might be more expensive or might be slower, but hey, at least you have connectivity. We want to tell this router, hey, if you sense that there's no internet, then also just drop the priority and switch over to here. So we're gonna configure that really quick, and we're going to do it using an IP SLA monitor. Actually, what I'm gonna do is, let me create a different loopback on here for that, because a tip in the real
world is you want to ping a well-known IP address on the internet, like, you know, Google DNS servers or OpenDNS or something out there that you know is going to be up. And of course we all know 8.8.8.8 is actually Google's DNS servers, or one of them, but what we're gonna do is just create that well-known address in a loopback, so we'll just do 1.1.1.1. This is what we're gonna set our IP SLA monitor to send ICMP echo requests to. First, okay, we have reachability.

So let's say this goes down, let's say provider 1's having an internal failure. Line protocol doesn't go down on here, so we're not going to have a failover. So let's do IP SLA 1, ICMP echo 1.1.1.1, source interface FastEthernet 0/0, we'll set the frequency to five seconds for this, okay, and then IP SLA schedule 1, start time now, life forever. And then we will do... oh, see, I'm getting a little disorganized. Typically I want to make my tracking objects match up to the number. We already did track 1, but actually we don't have to add more clutter than we need. Why have track 1 tracking the line protocol and then also having an IP SLA monitor as well? Because, hey, we could just get rid of that track 1 now and not worry about the line protocol, because this is going to work for us either way, meaning if provider 1 is having an internal failure, this tracking object that we're going to tie to the IP SLA monitor is going to go down as well. It's also gonna go down if the link goes down, so we don't need to separately track the line protocol. I mean, you could, for quicker convergence if the link went down or if the line was pulled, but setting the frequency to five seconds here, I mean, might as well just go with the IP SLA monitor as the, you know, all-in-one solution. So we're gonna get rid of that tracking object, we'll go no track 1, and then we're gonna reassign track 1 to the
IP SLA monitor we just created, and it's up, and it's already being tracked by FastEthernet 0/1 because we have that in there from before. But again, just to refresh, just in case, we would go track, or standby 10 and track 1 and decrement 100.

Okay, so let's leave this on top and let's test a failure of provider 1. Oops, I meant to do suspend, but I stopped it, so that 1.1.1.1 loopback is not saved, so this won't come back when I power this back up. And there you go, FastEthernet 0/1 standby group 10 went to standby, so now we're forwarding traffic through to provider 2. That's pretty neat stuff, you gotta love it. I think that's really cool how you can just have that switch over so quick, and a lot of the time, if you set your timers low enough, I mean, you can have this seamless to the end user; they won't even know that a whole router switchover just happened, which is really neat.

So let's start him back up, provider number one, and in order for the IP SLA monitor to come back up we have to create that loopback again. Okay, so now look here on router firewall 1: it's going to see, hey look, provider 1's back up, let's go back to active, because we want to use provider 1 as our primary ISP, and we also prefer, you know, maybe to use router firewall 1 as our primary router as well. So now we're back up, and there you go, 192.168.10.2.

Now, in case any of you are wondering why we are receiving a response from... and actually I don't know if this will do it, but if you were on a Windows PC you would get that ICMP echo reply back. So say you ping the default gateway of 192.168.10.1; just like you see here, we got 192.168.10.2, which is the actual interface IP address. If you ping this from a Windows PC you would get a reply back from that interface IP, and the reason for that is because it doesn't
actually reply... you're not going to get a reply from the virtual IP; that is just there to have that virtual MAC. Because if you know how things work at layer 2, when we reach out to a host on the internet, like say 8.8.8.8, this PC knows that 8.8.8.8 is not in its network. It looks at its IP address and its subnet mask and it says, I need to use my default gateway. The default gateway is programmed into its configuration, and if it has the MAC address then it's good to go; if not, it sends an ARP, and this will respond with that virtual MAC, that HSRP MAC address. It puts that in its ARP cache, and it encapsulates that and sends it along its way through the wire, where the active router will accept it and forward it along its way. So this being a virtual IP, if you ping it you'll get a reply, because the ICMP echo request is going to be received, but when it sends its reply back it's going to be from that actual interface ID, or the interface IP address.

So that leads me to my last point, and that is the magic behind HSRP: how does it work? As I've mentioned several times during this video, that gratuitous ARP, so that's definitely the magic behind it. But here's the thing. I guess I never thought about this. I guess I would have known affected, but I never totally thought it through. I was always thinking about the PCs, the devices on the LAN, and I'm like, oh, it sends a gratuitous ARP, so now those devices know how to get to their new gateway. Well, that's not how it works at all. The virtual MAC is never going to change, so this ARP cache is going to stay; that virtual MAC will be the same for this default gateway no matter what. The way HSRP works is it updates the MAC address tables on the switches. That's it, that's the magic behind it. So when this goes down, or like we configured right here, this link or provider 1 goes down and the priority's decremented, either way,
whatever would cause this guy to, you know, go into active mode, that gratuitous ARP, all that does is just update the MAC address table on the switch, so the switch now knows, oh, Fast Ethernet 1/15, not Fast Ethernet 1/14. And that's really it, it's really that simple.

And to show you really quick, let's go back into the switch and do another show MAC address table. Like we saw before, the virtual MAC for the HSRP group is on Fast Ethernet 1/14. So let's simulate a failure. Oh, let's bring the PC up too... come on, it's in the way. Okay, show ARP. So here we are, 192.168.10.1, there's that same virtual MAC. And so let's simulate a failure by just shutting down FastEthernet 0/1. It happened yet? Oh, there we go, already. So there you see the same MAC address. The gratuitous ARP was sent from router firewall 2 right down to the switch, updated its MAC address table; it now knows that this MAC address lives off of Fast Ethernet 1/15. And in the PC, show ARP: the PC doesn't care, because the MAC's never going to change. That gratuitous ARP isn't for the PC, it's for the switches, and that is the magic behind HSRP and how it works.

Anyways, everybody, like I said, I apologize that this video was a little bit longer than I originally anticipated, but I really hope you learned something and I hope you enjoyed it. Anyways, feel free to reach out if you have any questions. You can contact me at Rob at RM Tech central.com, you can leave a comment in the comment section, like the video if you want to like it, subscribe if you want to subscribe, and I'll see you in the next video. Thanks for watching.
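
The configuration walked through in the captions above, consolidated as an added example; it is not taken from the video or the presenter's lab files. Addresses, group number, priorities and interface names are the ones spoken in the video. Assumptions: the probe target is written as 1.1.1.1 (the lab loopback standing in for a well-known Internet address), and the `track ... ip sla` keyword form shown here varies between IOS releases.

```cisco
! ADDED EXAMPLE: consolidated from the spoken walkthrough, not the lab's own files.
! Assumptions: 1.1.1.1 is the lab loopback used as the probe target, and the
! "track ... ip sla" syntax below differs on older IOS releases.

! ===== Router firewall 1 (intended active) =====
ip sla 1
 icmp-echo 1.1.1.1 source-interface FastEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Object 1 follows the probe, so it goes down on a link failure and also on
! an upstream failure that leaves the line protocol up.
track 1 ip sla 1 reachability
! First variant shown in the video (link state only):
!   track 1 interface FastEthernet0/0 line-protocol
!
interface FastEthernet0/1
 ip address 192.168.10.2 255.255.255.0
 standby 10 ip 192.168.10.1
 standby 10 priority 105
 standby 10 preempt
 ! 105 - 100 = 5, which is below router firewall 2's default priority of 100
 standby 10 track 1 decrement 100

! ===== Router firewall 2 (standby, default priority 100) =====
interface FastEthernet0/1
 ip address 192.168.10.3 255.255.255.0
 standby 10 ip 192.168.10.1
 standby 10 preempt

! ===== Checks to run after each failure test =====
! show standby brief        (state, priority, active and standby router)
! show track 1              (tracked object state and what it is tied to)
! show ip sla statistics 1  (probe results)
```

Preempt on router firewall 2 is what lets it take over when tracking drops router firewall 1 to priority 5; preempt on router firewall 1 is what returns the active role once the probe succeeds again.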
Info
Channel: Robert Mayer
Views: 212
Keywords: Cisco, HSRP, Configuring HSRP, Configuring Redundant Routers, Network Redundancy, First Hop Redundancy Protocol, Router Redundancy, Layer 3 Redundancy
Id: wZySD8V5N7c
Length: 39min 9sec (2349 seconds)
Published: Fri Jun 12 2020