ENCOR - High Availability Techniques

Captions
Hey everybody, happy Wednesday. Welcome back to another ENCOR study group. We've got to jump right in, honestly, because we've got a lot to cover today. We're covering high availability techniques, which is stuff like HSRP. Let me pull the agenda up here: HSRP and VRRP and GLBP, and then we're going to dive into a little bit of SSO and NSF, which is stateful switchover and non-stop forwarding. I think that most of us probably grasp these first hop redundancy protocols, but maybe less so understanding exactly how SSO and NSF tie into things. Again, keep in mind that when it comes to the ENCOR content, we're specifically in this blueprint item, high availability techniques. It's not just about first hop redundancy protocols; SSO and NSF are not first hop redundancy protocols, they are simply high availability techniques. If we look at the ENCOR blueprint, it specifically calls those out alongside first hop redundancy protocols. So again, we've got a lot to cover, so let's go ahead and jump right in.

High availability techniques, first hop redundancy protocols. This is ENCOR, meaning that you've likely already either studied CCNA, or you're going for your CCNA, or just kind of, you know, testing the waters with ENCOR; maybe you've already got your CCNA. Either way, we're assuming that you've got a CCNA level of knowledge and understanding if indeed you're here studying ENCOR-level content. And so the CCNA level of a first hop redundancy protocol is basically just understanding what exactly we're trying to accomplish, and I'll spend a couple of minutes here just as a quick review, especially just in case anybody is still covering these topics at a CCNA level. The idea is this: we have a client PC on a subnet, on a network, and it is trying to get out to devices that are not on its network. Now, this could be an unknown destination like somewhere out on the internet, or it could just be another subnet. You know, we could have, let's just toss out here, another subnet; we'll call this VLAN 20.
So maybe we have VLAN 10 in green, VLAN 20 in blue, and in order for these two clients to communicate with one another we have to get routed; we can't just directly communicate at a layer 2 level. So this concept of ARPing, right? If I have two clients, let me switch my color again, if I have two clients on the same VLAN, let's say that this is VLAN 10 again, green VLAN is 10, these two clients can communicate with each other directly. They do not have to go up to the routers; they can communicate logically on this network segment, and the reason for that is because I can ARP directly for this IP address. My IP address is somewhere in the, let's just say, 10.1.1.x range, it's a /24, and this client PC over here would be on the same subnet, so maybe it's .50 and this is .127, who knows. /24, the whole 256 range, well, 254, right, minus two; the full range of addresses is available there, so we just grabbed two of them, .50 and .127. So they're able to communicate with each other directly. However, any communication that happens off the subnet needs to go through something we call the default gateway. Now again, if you're still just kind of diving into networking life then you might not be fully familiar with this, but the idea is simply that rather than ARPing, rather than saying "hey, where are you" to this IP address I'm trying to communicate with, if I'm trying to communicate now to this guy, so let's say he's on 10.2.2.x, maybe he's a .28 on that subnet, my PC knows that this is a network that is not mine, and therefore I can't directly reach it. In theory it's on a different broadcast domain. It might be here in the same building as me, it might be, you know, in the same organization but a different building, it could be out on the internet, it could be around the world, who knows where this subnet is. It's not my job as the PC to know where that is; it's the router's job. And so I'm going to send it up to the router, and that would be my default gateway. So here's the problem as
we get into this a little bit more. The default gateway is my upstream router, but as we can see here, I drew this with two routers, and there's a good reason for that: it's because of redundancy. Let me just kind of pull back to the original drawing. So if I were to show this drawing and say, okay, well, both of them have an upstream connection to another router, and that's going to go off to the internet somewhere. So here's my connectivity. I deploy two routers for redundancy; that's great. But what happens if this is my default gateway, and I'm sending my traffic up to my default gateway to get out to the internet, and then this device goes down? Well, that's a big problem, because I just lost my default gateway. And it's great that I've got, I mean, I'm looking at this, I see the path up to the redundant router, I see the path that goes to the, maybe it's a service provider router or what have you, internet router, and so I've got this path out to the internet, but I can't use it because I am hard configured for a specific default gateway, and my default gateway is down. So if my default gateway is down, what am I supposed to do? So the idea of first hop redundancy protocols is to say, instead of configuring one default gateway on one of these devices, I'm going to share a default gateway. So this default gateway is usually something we call a virtual IP address, or a VIP. This VIP is shared by both of these routers but usually only owned by one at a time. So what that means is I'm going to send out to, let's say, .1 as my default gateway, and this router up here on the left happens to be .1, and, well, slight caveat there, it owns the .1 IP address. But here's the thing: when this device goes down, now my backup router can take on this .1 persona, and therefore, as far as my computer is concerned, nothing ever happened, nothing ever changed. So because it's a layer 2 operation, I keep forwarding out my interface, and now the layer 2 network,
instead of directing it this way, the layer 2 network is going to converge and realize that .1 now lives that way, and again my PC is none the wiser. So I never had to change the IP address on my PC, and ideally this happens very, very quickly, and so maybe I didn't even drop any packets in an ideal scenario. Okay, so that is basically the CCNA level of high availability first hop redundancy protocols. If you're taking your CCNA and you know these basic things, that might be good enough; I mean, you might need a couple of commands for how to enable these and such, but from a general conceptual perspective this is what we need to know. And so this is where we are going to stop from a CCNA perspective. For better or worse, ENCOR requires us to know a little bit more details, so here's what we're going to do: we're going to start covering a lot of the different protocols that are available to us as part of a first hop redundancy protocol design. So we've got a lot of different options out there. Ultimately what it comes down to is kind of a tale as old as time: Cisco came out with a version of a protocol, the industry said "oh, that's a great idea, we'll come out with our own version of that protocol," and then, you know, Cisco in some cases will defer to that; in other cases Cisco will be like "oh, you actually had some good ideas as well, so we're going to revamp our protocol," which is what they did in this case. And so Cisco even came out with a fourth protocol. So we've got four different protocols we have to cover, and again this is why we don't have much time, so let's drill into this. The first two options are really the same protocol but two different versions, two of our four. So this would be the Hot Standby Router Protocol, or HSRP, and as mentioned we have two versions: we have version 1 and we have HSRP version 2. So we're going to cover, generally speaking, what HSRP is and try and flag the differences between version 1 and
version 2. HSRP, generally speaking, is configured using these standby commands. So I'm going to get onto a router's layer 3 interface, and typically that's a subinterface; it could also be a layer 3 switch virtual interface, SVI, that's pretty common actually; it could just be a raw physical layer 3 interface. So just any layer 3 interface where I have an IP address configured, I'd get on there and issue the standby command. Now, I can't just write standby; I've got to give some more information. The first piece of information would be the group ID. I wrote this backwards because I didn't plan to write "group," but then "ID" felt kind of naked on its own. So anyways, the group ID is going to be between, depending on your version, HSRP supports 256 groups, so that means 0 through 255. If you don't, by the way, include the group ID, which you don't have to, if you just issue the standby command without specifying the group ID, then it would actually assume that you want group 0. So that would be what happens in that case. So 0 to 255 for version 1. Version 2 gives us 4096, and we'll cover why here in a little bit. Say, well, wait a second, are we really going to have 4,000 different instances of HSRP running? And the answer is, fortunately, no. But every single layer 3 interface that we're going to configure HSRP on, on a single router, really should be in its own group, because what this group defines, for the most part, is it represents a subnet. These two routers are going to be communicating with one another, and they will only successfully communicate with each other if the group ID is the same; the group ID must be in agreement. And so as soon as I enter, you know, group 1 here, and then I enter, maybe on a different subnet, if I were to also enter group 1, well, technically that starts to cause some problems. So we usually are going to apply a different group to each layer 3 interface that we're participating in. All right, the big, what
am I trying to say here? All right, so the big concept, I think that's what I was trying to say. The big concept we need to understand here is this concept of who owns the IP address. So we're going to create this virtual IP address that we mentioned, this virtual IP, and that command would be, by the way, standby, then the group ID, then the word ip, and then the IP address, and that would be our full command. And by the way, that's the only command that we need in order to enable HSRP. It is a little weird that our command is standby and not hsrp; they took the S out of Hot Standby Router Protocol and made that the command. If you don't like that, then go buy Nexus switches, because they actually use hsrp as their command, which is pretty exciting; we don't have to worry about standby anymore in Nexus switches. But in most IOS platforms you're going to see standby, which is why we lay it out this way. But you just give it a virtual IP address and it'll start communicating to other devices out there. So that's technically all we need, although again we're going to explore some other options here as well. So I specify this virtual IP address, and the big concept that we need to understand here is there's going to be an election, because we need to know who actually owns this IP address. I just configured the same virtual IP address on both sides, you know, maybe it's .1, got .1 on the other side, and they're just going to, they fight over it; they don't really fight over it, they have an election process to see who's the active router. And so this is what Cisco calls, again, the active router and the standby router, and these phrases change depending on our protocol, so we just need to make sure we're paying attention. But yes, the active router in HSRP is going to own that IP address, which means that it's going to respond to all of the ARP requests as well. So when I ARP, I send an ARP for my default gateway, for .1, basically saying ".1 equals who? Who are you? Give me your MAC address." Well, an ARP
is a broadcast, and so from a layer 2 perspective this is going to be one packet that goes up, hits the network, and for the sake of our drawing it's going to go two different ways; really it's going to go to every single interface in the broadcast domain. So this is again why we want to reduce our broadcast domains and keep our VLANs small, because there's just a lot of broadcast traffic, and ARPs are one of those. So we're going to ARP for our default gateway, it's going to go everywhere, and the active is going to be responsible for responding to this ARP request. And so I send the ARP request, the ARP response is going to come down, and it's going to specify the virtual MAC address. Why is it a virtual MAC address? Well, because when this device inevitably goes down, which, you know, everything fails at some point, so it's going to go down at some point. Once it goes down, we need the standby router to turn back up, you know, number one, the IP address, yes, but also it has to have the same MAC address. And so we share a virtual IP address and we share a virtual MAC address in a first hop redundancy environment. So that concept is going to be extremely important. This is where especially it starts to get above CCNA levels, because we don't usually talk a whole lot about virtual MAC addresses in the CCNA world. So what is this virtual MAC address that we are responding with? Well, it again depends on the version. Let me change my colors here. All right, and I get to cheat, I've got it written down, but this is something that I guarantee you're going to want to memorize, or at least be able to point out, if you're studying for the ENCOR exam. I'm not saying you're going to get a question on it, but I'm going to say that it is within the realm of possibility that you do; in other words, Cisco does expect that we're going to have this memorized. So the version 1 MAC address is 0000.0c, that would be an OUI, or the first, you know, the organizationally unique
identifier that Cisco owns. It's actually going to be the same in both of these versions. That's going to be 07. and then, what is it, ac and then xx, okay: 0000.0c07.acxx. So these two hexadecimal characters, each hex character is four bits, so four bits is 16 values, and two of them together would be 16 times 16. Hey, guess what, that's 256 different virtual MAC addresses that Cisco will use in HSRP version 1. Well, 256 should sound a little familiar: version 1, 256 groups. The virtual MAC address is going to be based on the group. So if it's group 0, our MAC address will be ac00 at the end; if our group is 10, it'll be ac0a, because a is hexadecimal for 10. And, by the way, if you're group 255, it'll be ff. And so you've got the whole range there from 0 to 255; that would be 256 addresses total, and the virtual MAC address is going to be based on that group. So when we have our version 2 virtual MAC address, yeah, anyways, so 0000.0c09. oops, it is f, yes it's f, wait, oh boy, I wrote that down wrong, okay, 0c9f.f, there we go, sorry about that, and then xxx. Okay, that looks better: 0000.0c9f.fxxx. This should be the virtual MAC address for version 2, and these three, now we see we have three different hex characters, and 16 times 16 is 256, but times 16 again, 4096.
So we have 4096 different virtual MAC addresses, which again should sound familiar: version 2 has 4096 groups, so that's why we have all the different MAC addresses available to us. And again, Cisco, it's on the table, it's within the scope of the blueprint to be able to identify which virtual MAC address is being used by which protocol, so we're also going to cover the VRRP and the GLBP virtual MAC addresses, so just get ready for that. All right, so these are the two different types of virtual MAC addresses that we could possibly use in an HSRP environment. The key thing to keep in mind here is primarily that the virtual MAC address is what I mapped my default gateway to. So I've got my default gateway, it's .1 or what have you. It's usually the default gateway, I mean, yes, it can be manually configured, but it's usually part of the DHCP scope. Okay, the DHCP scope does not include the MAC address; we should be comfortable with that by now. We've got the IP address, but we don't know where in the network, from a layer 2 perspective, that address is living, and so that's what the ARP request does, and the ARP request is going to give us that virtual MAC address, which we do not want to have change if one of these devices were to go down. All right, hopefully that's clear. If not, and by the way, I didn't do my traditional intro because I wanted to jump in right away, but especially, hey, now we're about 15 minutes into this, so for those of you who maybe have just joined us or this is your first time, this is meant to be a very open conversation. So if you've got any kind of questions, be sure to chime into the chat, ask those questions. This is pre-recorded, so I'm in the chat right now answering as many questions as come in. If you've got anything, then be sure to jump in and let me know. And by the way, if you're in the middle of your ENCOR studies and you're studying something else and you've got a quick question about that, then
don't hesitate to ask. I mean, we're all just kind of trying to help each other out as we go through our ENCOR journey together. So if you've got some questions that maybe aren't related to HSRP, etc., then by all means ask them, and we'll do our best to answer, me or somebody else. Appreciate everybody else who jumps into the chat as well; as always, welcome to have other people answering others' questions. Okay, so that's a lot we've covered in 15 minutes, holy cow. So high availability, wait, okay, lost my train of thought here. All right, so we need to kind of keep covering some other HSRP stuff. So I'm going to leave this on, I'm going to refresh our board here in a moment, so if you've got anything you want to jot down then be sure to drop it down. Next we need to cover this concept of the election. So I'm going to go ahead and take these down. All right, so we have an election that we have to be concerned with. We need to know which of these routers is going to be active and which is going to be the standby. Now, this election happens on a per-group basis, so if I've got lots of different groups, I probably want to split between my two physical devices which one is the active. So maybe, for example, in my case let's just say I only have two VLANs; maybe I want the active to be this device here, this device right here, for VLAN 10, but then on my other device, I think I had these colors backwards on the other drawing but that's fine, it'll be active for VLAN 20 on the right device. So how do I make sure that it load balances, how do I control this? And the way I control elections is with this value called priority. Now, the priority defaults to 100, and the higher priority wins. So if I want, oh, and by the way, the range can be 0 to 255, so it's a 16-bit, 16-bit, 8-bit, sorry, it's an 8-bit identifier, so we have 256 different values from a priority perspective. So I can assign this, let's say here, the
router on the left, maybe I'll make it 110 for VLAN 10, but I'll make it 90 for VLAN 20. Now meanwhile, on the router on the right here, this would be for 10, this would be for 20; I mean, on the router on the right I'm going to flip that, so I'm going to say you are 90 for VLAN 10 but you're 110 for VLAN 20. This would make it so that this router on the left is the winner of the election for VLAN 10, and that would translate to group 10, by the way, and then group 20 here is active on the right, because we assigned it a higher priority value on the router on the right. If the priorities are tied, the tiebreaker is equal to the highest IP address. Presumably we don't have to duplicate IP addresses, other than, you know, the virtual IP address that we're sharing; we don't count that. So if I've got .1 on the left and .2 on the right, the router on the right will win. Whoa, not sure what that was. The router on the right will win, and so, yeah, that's our tiebreaker. All right, now next point, what color do I want to use? Yeah, do some more blue. These routers are going to be communicating with one another, as you can imagine; we just talked about an election. They're going to be sending messages back and forth. A couple of these messages, like for example, they're going to be sending the hello messages to each other. That would include their IP address information, their priority value, and just generally speaking it's going to be them letting the other one know that they're alive, because if the primary goes down the secondary needs to be aware of that. Oh yeah, timers. So let's talk about these timers. By default we are going to send the hello packet every 3 seconds, and then we have by default this concept of a hold timer. The hold timer is 10 seconds. That means that if I don't hear a hello in the hold timer, so 10 seconds, if I haven't heard you in 10 seconds then I'm going to assume you're down. Now, if I'm the primary, if I'm the active, then
I'm not going to do anything with that; actually, you're down, I'm going to log it, it'll show up in my show standby commands, but there's nothing for me to do; I'm already the active. But if the standby router detects that the active is down, then it's going to take action: it's going to move into an active state, and it'll take over for that virtual IP address and that virtual MAC address. And so that's what our hello timers and hold timers define. Now, we can tweak these, and it's usually recommended that we do; we can make them a whole lot faster, because 10 seconds is a long time for a gateway to be down in that situation. So you might make the hello timer every 1 second and the hold timer every 3 seconds, let's say. You can actually go into millisecond timers, so you get sub-second back-and-forth timers, so hellos several times a second, and maybe you wait a second or half a second to really act on that. But if you're going to do millisecond timers, this does require version 2. Incidentally, by the way, if you're deploying HSRP into an environment, there's really no reason not to go version 2. So if you find out that your organization has HSRP configured and it's still in a version 1 state, you know, probably look into upgrading that to version 2 at some point; no reason to go out and do it right away, but some of these concepts are really nice from a, you know, just having version 2. Oops, there goes my camera. Okay, so my camera, I'm working on options for my camera, but yes, it turns off automatically every 30 seconds, that's always exciting, or 30 minutes, so it'll turn off again before we're done. All right, so let me check my notes, what's next? Oh yes, okay, preemption. Some of you are familiar with this concept, I'm sure. What's this concept of preemption? So here's the situation: we just had this router go down, our router over on the right became active for VLAN 10 to keep VLAN 10 online and
functional. That's great, that's exactly what we want. But guess what, then this router, if I can get my eraser to work, here we go, this router comes back online eventually. Ideally, I don't know what brought it down, but it's not going to stay down forever. So our previously active router is now back online. Here's the question: do we want that router to become the active, or do we want it to be the standby? Okay, if we have this concept of preemption enabled, then it will become the active again. So I'd get on there and I'd issue the command standby with my group ID, let's say it's 100, well, I guess it was 10 in this case, standby 10, and then we just use the command preempt and hit enter. This command is never needed on the secondary switch, because in theory it'll never have, well, there's a caveat to this of course, but generally speaking it's really for the primary, the active switch only, because it's the one that is going to have a better priority and have a chance to take over. But just keep this concept in mind, and there's no harm in configuring it on the secondary, especially if you are doing things like object tracking, which we'll talk about later. But basically, if your priority changes depending on network conditions, is what that means, then it's a little more complicated and you might want to consider configuring preemption on both sides. But the idea is simply: the active went down, the active is now back online, it's got a higher priority, but the election has already happened, happened without it, right? Router 2 is now our active, and so if we want router 1 to be the active again we have to configure preemption. All right, so that's that concept. And again, by default preemption is disabled, so if we don't configure preemption, you're going to find that one of your routers is probably the active for all of your subnets at once, because at some point this one went down and then it came back up, but it's no longer active for any of them, and then
maybe this one went down at some point, and then this one's the active for all of them. And so, yeah, if you really want to keep it load balanced, you need to configure preemption. Okay, last thing. So these hello messages, this conversation that's happening, first of all from a multicast address perspective, this is going to differ depending on the, let me change my color again, all right, multicast. This is going to differ depending on the version as well. So version 1 uses 224.0.0.2. Now, this may look a little bit familiar if you are familiar with multicast addresses; 224.0.0.2 is actually the multicast address that represents all multicast routers. So when HSRP came out, Cisco didn't reserve their own multicast address; they just used the all-routers one. And so this isn't a big deal, but just be aware of this: HSRP version 1 is going to send its hello messages out onto the network, and every single router on that network segment is going to receive it. If it's running multicast, it's going to receive it, have to realize that, it's going to have to process it and then realize "I don't need this," and then it'll drop it. And so again, it's not a huge deal, because in most production networks you're not going to have a plethora of routers on one network domain that don't want to receive this information, but just be aware of it. So version 2, Cisco came out with their, or I shouldn't say they came out with it, but they reserved a multicast address, and it is 224.0.0.102.
All right, good, I did squeeze it in there, and sometimes I write things underneath my face, I guess. So .102 would be the multicast address that is reserved for HSRP, and we're also going to, interestingly, find out that GLBP uses the same multicast address. Cisco probably assumed you're not running both protocols in your network at once, which is a pretty valid assumption, let's be real. All right, so the one thing, oh yeah, and one other thing too, these configurations, I'm sorry, these communications, besides using this multicast address, we can authenticate these messages, and so we can use a password basically to protect ourselves. It's largely protecting ourselves from our own misconfigurations. I mean, sure, somebody could truly plug in, I mean it's not beyond the realm of possibility: you've got somebody who sneaks onto your enterprise campus and plugs into a wall jack that happens to be active, which is bad security practice anyways, so you plug into a wall jack and you plug your own router in, or you've got your PC designed to be a router, and it tries to go in and preempt the HSRP messages, right? So you'd want to lock your network down with authentication. I mean, it's always recommended you do this. There are two different types of authentication: we have open authentication and MD5. If you have any experience in this field, you already know which one is recommended: the MD5, because open is truly open text. So if you use open, you can just hook up a common Ethernet sniffer and sniff out the password that these routers are broadcasting to each other, multicasting to each other, whereas MD5 is going to be, not encrypted, but it's going to be hashed; it's going to be a hashed password. So all that to say, we do want to authenticate our HSRP communications. We should always do that, and it should always be MD5. All right, the last thing I want to say about HSRP, especially when it comes to version 1 and version 2, is I told you I'd answer this question,
which is why on earth do we have 4096 different groups? Why did Cisco see the need to change it? And here's the reason why. It comes back to that concept that we did at the start, which is to have two different subnets, or many different subnets. So let's say these are layer 3 switches, and if this is a layer 3 switch that's running, I don't know, 100 VLANs on it; in fact, you know what, let's just say it's running 10 VLANs, it doesn't matter. If I'm running 10 different VLANs, and those VLANs are 10 and 20 and 30, and it goes, you know, but then it skips, let's say, to 350, 435, 1058, whatever our VLAN IDs are, it doesn't matter. But here's the point: when I create these interfaces, they're going to be interface vlan 10, interface vlan 20, interface vlan 30. And so when I get onto interface vlan 10, what group ID would you expect that I'm going to configure VLAN 10 to use? Probably group 10. VLAN 10, group 10, makes sense. So what about VLAN 20? VLAN 20 gets group 20. Makes sense. All right, we're in sync. VLAN 30, VLAN 30 gets group 30. VLAN 350, VLAN 350 gets, I can't go above 255 with version 1, can I? So this is why Cisco expanded version 2. Maybe that's the noise I heard earlier. All right, Google, thank you for that. All right, what was it saying? VLAN, okay, yeah. HSRP, we can't actually, let's see here, VLAN 350 can't use HSRP group 350, because we max out at 255. So even though we don't need, I mean, we've only got 10 VLANs, we do not need even the 256. The reason Cisco increased it is not to give us more groups; Cisco increased it so that we can match the VLAN ID to the group ID, or vice versa, however you want to say that. All right, so with HSRP version 2 I can do group 350 on VLAN 350, I can do group 435 on VLAN 435, and I can even do group 1058 on VLAN 1058, again all the way up to 4096, or really 4094, which is the max VLAN ID that we can use. So that is why we have 4096 groups in HSRP version 2.
Just wanted to note that. Okay, so, yes, this is what I was afraid of: we're 30 minutes in, we have covered our first first hop redundancy protocol in HSRP. Fortunately, most of what we just studied is going to apply to VRRP, and we're going to make sure that we explore the differences, same with GLBP, but we are going to still make as good time as we can in order to respect everybody's time. Okay, so VRRP, the Virtual Router Redundancy Protocol. Okay, VRRP is again, it's your standard story: Cisco comes out with a really cool protocol slash feature, the industry wants it as well on non-Cisco devices, so they come up with their own version. It's usually got some shiny things in there that Cisco likes to grab and put into their version as well. But, you know, VRRP is one of those where Cisco didn't just retire their own; again, they went and they just made theirs better, and I'm not exactly sure why that is. You know, there are some things like ISL versus 1Q trunking, where ISL died as soon as 1Q came out; PAgP and LACP, PAgP is dead, I mean Cisco had that protocol before LACP came out, and as soon as LACP came out that got deprecated. I don't know why HSRP is still alive when we have VRRP, other than, well, we'll see here, there are a few things that we still don't get with VRRP that we do get with HSRP version 2.
So the biggest thing that we get is this: it is industry standard, so it is not Cisco-owned. Industry standard: if you're interfacing with a non-Cisco device, you have to use VRRP; you cannot use HSRP, because HSRP is Cisco-only. So if you are deploying this on non-Cisco devices, or if you are interfacing with a non-Cisco device, even though you're on a Cisco device, VRRP is for you. Interestingly, because the industry didn't want to copy Cisco directly, we don't use active and standby anymore; instead we use master and backup. Those are our role designations in a VRRP environment. Most of the same concepts apply: we need to figure out which one of these is going to be the master, they do an election, there's a priority comparison. That priority, bizarrely, even though it's still an 8-bit number, can only be between 1 and 254. So you may notice that HSRP allowed 0 to 255, and that was great, other than... we could use 0 and 255, and VRRP doesn't let us do that. Okay, so be aware of that. Now there's sort of a reason for that, for not using the zero, but... well, actually, let's just talk about it now. So here's an interesting thing that might actually warrant us Cisco people switching from HSRP, because most networks that I've seen that are Cisco networks are still running HSRP. By the way, worth mentioning: VRRP only has 256 groups. That's one of the biggest disadvantages to VRRP, honestly: I can't use, again, group ID 350 on VLAN 350, and so that's a bit of a pain. That's a good enough reason for me to go with HSRP version 2 instead of VRRP. However, again, I already teased it, there is a reason why you might want to consider VRRP, and here it is: VRRP allows us to, what's the word, share, yeah, I guess, there's another word I'm looking for, but either way it allows us to share the physical IP address of the primary router, or the master router. Okay, so in an HSRP environment, I mentioned, if this is like .1 and this is .2 and
I might have a virtual IP address of .3. I have to use three IP addresses in an HSRP environment. I have to use three IP addresses. In VRRP I can actually assign the virtual IP address to one of those two IPs, so if I assign it to .1, well, either way, regardless of which one I assign it to, I'm only using two IP addresses. Now some of you are already saying, okay, well, wait a second, it's a /24, 256 IP addresses, I can save an IP address, what's the big deal? Here's the big deal. What if instead of this being a client subnet, this is an internet service provider subnet? And what if this internet service provider subnet says, okay, this is a /29, and this /29 gets me eight IP addresses, which, okay, well, wait a second, eight minus two, because we always subtract two, is really six IP addresses. Six IP addresses, and I just used two of them for my routers, so now we're down to four. Oh, and the ISP needs one as well, so now we're down to three. So you get three IP addresses. Do you really want to waste one of your three IP addresses on the virtual IP address? So this is where you can get a big bang for your buck, because I might actually want to keep that IP address in my back pocket in case I want to do some static NATting down the line, assuming I've got a firewall upstream from there or something like that. So this is why I might want to consider using VRRP instead of HSRP at the internet edge: to conserve an IP address. Now there are some interesting rules to this. The interesting rules... there's one interesting rule, and that's when I assign the virtual IP address to one of those devices' physical addresses. So, like in my case, I have assigned this to .1; that forces the master to be the primary. In fact, I don't know if it's in my notes, I don't believe it is, my understanding is this forces the priority to be zero, is what I believe happens. Don't quote me on that; I'd have to lab that up to
confirm, but as I recall in the back of my head, that's what that's doing, and that's why we don't get a priority of zero as an option for configuration. But regardless of whether it actually hard-configures that as a priority of zero or not, or if it just ignores the priority, either way what happens is it forces this device to be the master. And the reason for that is because there's no way for the backup... like, let's say I assigned it .1, and then this router on the right becomes the master. Well, how does the router on the right manage .1 while .1 is still online? It can't happen without duplicating the IP address, and so we don't do it that way. Instead, what happens is the master now has the physical IP address, which is the same as the virtual IP address, and has a physical MAC address, but it still applies a virtual MAC address to this interface as well. Then what happens is, if this device goes down, the backup has, again, its own physical IP address, no different than HSRP, but it inherits the virtual IP address of .1 at that point, along with the virtual MAC address. So what is that virtual MAC address? I'm glad you asked. The virtual MAC address is, again, I get to cheat, I get to use my notes; you won't get to use your notes on the exam: 0000.5e00.01xx. Again, as we see here, they only gave us two hex slots for the virtual MAC address, and, yeah, I don't know why they didn't give us a third, because then we could have 4096 groups at that point. So, as far as anything else is concerned, what are some of the other things we need to know? Here are a few differences versus HSRP. Let's just put the differences down here. The preemption concept still applies; preemption is enabled by default, so now it's the opposite: if you don't want preemption enabled, you have to disable it in VRRP. Okay, what else? Oh, authentication, still an option; we still have open and MD5 options, so always configure authentication. So that's good. The multicast address,
by the way, is 224.0.0.18. That's not a great eight there; that's a better eight. And let's see here, I think that might be it. One other point to make, just worth noting: there are actually two versions of VRRP, but unlike HSRP it's not... well, you know, I'll just explain. Version 2 is for IPv4, version 3 is for IPv6. So there you go. So it's not like HSRP, where you could deploy either one depending on your environment, depending on which one you want. With VRRP it depends on whether you're configuring for IP version 4 or IP version 6. So if it's an IPv4 environment you have to enable VRRP version 2, and same with IPv6, that being version 3. And again, this isn't something you have to go configure on your router; you don't have to specify which version. It's simply that if you're enabling it for IPv4 it's going to leverage VRRP version 2, whereas with Cisco you do have to configure which version of HSRP you want. Okay, now what? All right, so, running extremely low on time, we're going to do our best here. In fact, I'm going to... well, you know what, let's just leave it.

Next: everybody's favorite protocol to freak out about, Global Load Balancing Protocol, GLBP. This is not that bad of a protocol. I have experienced it from the side of freaking out about this, because it just seems more complicated. I've experienced it from the instructor side as well, where I see students freaking out about it. I don't exactly know what it is about GLBP that makes all of our hearts pound in our chests and we get clammy hands as we're configuring it. The idea of GLBP, for those who don't know, is this: we can now expand beyond two routers. I don't think I explicitly stated this, but HSRP and VRRP... they can support many different routers, but you only have one router in the active state and one router in the standby state. Everything else is in another state, or a listen state, depending on which protocol you're using. So that's well and good. Even in an HSRP or VRRP environment, even though we're supporting two
routers, active/standby, only one of those is forwarding traffic. And so GLBP kind of came out in this age of, well, we want to be efficient, so what if we have four different routers on our network and we want all of them to forward? Or, for that matter, I could get rid of these two I just drew and just say I want both of my routers to forward. Now in many cases this isn't required. There's not a strong reason to use HSRP over GLBP other than the complexity, and it is a little more complex; there are a few more configuration commands. But from a technical side, for whatever reason, we only get 256 groups in GLBP; Cisco just never updated GLBP to get more groups. That's the main thing you lose. Otherwise, yeah, it forwards in an active/active state, so enable GLBP, let's go for it. [Laughter] Yeah, don't take that, by the way; that was mostly a joke. GLBP is more complicated from a troubleshooting perspective. If you're having problems in your network, you'd probably rather be troubleshooting HSRP instead of GLBP, but, again, it's just a comfort level. I mean, a lot of people understand HSRP and not as many people understand GLBP. So here's how GLBP works. It is also a Cisco-proprietary protocol, so you can't do this, flat out, if you're running this on non-Cisco hardware or you're interfacing with a non-Cisco device. All right, we have one active virtual gateway. We're going to have an election, same concept, priority, and we are going to decide which one of us is going to be the active virtual gateway, AVG. Okay, so AVG: this is a priority-based election, same thing, highest priority wins. Once we have the active virtual gateway, then we're going to find the next best active virtual forwarders. Now the AVG is going to be an active virtual forwarder, AVF, but we're going to find up to three others: AVF, AVF, AVF. It does only support up to four total, including the AVG. So if I had a fifth router on here, it's just not part of that. I don't
know what network we'd have five different upstream routers on. This could be used, I guess, at the internet edge, but there are usually more sophisticated techniques at the internet edge, like maybe having four different internet service providers. I don't know. If you've ever seen this in production and you've seen a real solid use case for it, then chime into the chat, let us all know. I've done a lot of network designs over the years, I've seen a lot of networks, and I don't think I've ever seen GLBP in production. I don't think I have. So take that as kind of a, what's the word, recommendation, well, anyway, the word escapes me. So here's how this works. Okay, the AVG is going to push different virtual MAC addresses out and assign these. So we have different vMACs: we have vMAC 1, vMAC 2, vMAC 3 and vMAC 4. And what's going to happen is when a client ARPs, sends an ARP request to the network, the active virtual gateway... technically, again, it's a broadcast, right, everything is going to receive it, but the active virtual gateway is going to send the ARP response. The difference is that this ARP response is going to contain the virtual MAC address for one of these active virtual forwarders, one through four. Okay, there are several different ways of load balancing this. Let's just say, load balancing options: three different techniques for this. We have round robin; that's truly just I assign one to you, I assign one to you, I assign one to you, I assign one to you, I come back here, I assign one, assign one, assign one, assign one. And so it just load balances from a client-number perspective, so I should have the same number of clients on each one of my active virtual forwarders. The other option, another one of the two, would be weighted. So I can actually configure weights on each one of these. So if I configured weights of 100, 200, 200 and 100, then my assignment would be vMAC 1, then two of vMAC 2, then
two of vMAC 3, and then one on vMAC 4, and then we'd start over. So we'd be assigning twice as much traffic to the AVFs in the middle, because the weight is twice as much. This would be a good use case if you have different upstream circuits, so maybe you've got like 100 meg circuits on these two, and then on the edge ones you've only got like a 10 meg circuit or a 50 meg circuit or something like that. So that would be the situation where you'd want to use weighted. The third one we call host-dependent, and host-dependent bases it on the client MAC address. So it runs the client MAC address through a hash, and based on your MAC address it decides, okay, I'm going to assign you this virtual MAC address. What that means is when I disconnect from the network and then I come back later in the day and I reconnect to the network, I will always be given the same gateway. I don't know why that matters; it would probably be less with PCs and more like if you've got a downstream router or something along those lines. But either way, this concept would be that it's based on your MAC address, and therefore you will always get the exact same active virtual forwarder in your ARP response. All right, a couple of quick things and then we'll move on. So, multicast: I already mentioned this, it's going to be 224.0.0.102. It uses the same multicast address as HSRP version 2.
So keep that in mind; it also helps with memorization, it makes it easier. Virtual MAC address: yes, again, we do have to memorize these. 0007.b4 (I'll make that a capital B, for zero, all right, yes, B, 4, 0) and then, get this, xxx yy. What in the world is going on there? Okay, I misspoke earlier, and I apologize; I got it half right. These are the group ID. Say, wait a second, Jeff, he said we don't have... well, anyways, what I said was slightly wrong, but either way, we don't have 4096 groups. I don't know why, but what Cisco did was they gave us not... xxx would be 12 bits; for whatever reason the first two of those bits have to be zero, so really we only get ten bits. It looks like this: 00xx, and then .xxxx, .xxxx. So we really get 10 bits, so that's 2 to the 10th power, which is 1024 groups. So I misspoke earlier; I said 256. I was wrong with the number, but the point was we don't get 4096. So what we get is 1024. The yy would be which active forwarder you are, so you're assigned a semi-random ID... you're assigned an ID as an active virtual forwarder, and that ID shows up in the MAC address, because every active virtual forwarder... again, we've got the same concept as groups, right? We could have 50 different groups on here, and so within one group you need a different virtual MAC address, because they're all active at once. Unlike HSRP, where only one device has the virtual MAC, all four of these have a virtual MAC at the same time; therefore we have to have the active virtual forwarder ID in there. Now, why we couldn't have taken two of those bits and given them back to the group ID, because we can only have four of these guys active at once, so we only need... you know, anyways, these are questions that we'll never have answers to, but it is what it is. Last quick thing. What are we up to? Oh boy. Buckle up, we're going to go fast here at the end. One last thing that's worth noting with GLBP: if one of these
devices were to go down, okay, if an active virtual forwarder goes down, this virtual MAC address gets reassigned to another active virtual forwarder. The active virtual gateway is responsible for that. All right, if there's another router available, if there were five routers on this subnet, then that other router would become an AVF, and so you'd still have four routers. But if one of those four goes down and you only have three others, then the virtual MAC address gets assigned to another AVF. In the event that the AVG goes down, same concept as with HSRP, the role would pass to... there it goes, told you it was going to come... the role gets passed to another AVF, which picks up the role of active virtual gateway. So, same concept there. So in reality GLBP is not, I'm telling you, it's not complicated; it's just that you have to split it up in your mind. I mean, everything we understand about HSRP and VRRP, from group IDs and priority and elections and such, all applies to the AVG, and if we can just keep those roles separate in our minds, as the AVG side winning the election, being a priority, etc., and then we think about the load balancing side, that's the AVFs and the virtual MAC addresses being different and the different load balancing options that we have, and maybe even configuring weights (I mean, configuring weights is not required; we don't have to do that). So just kind of split those concepts up in our minds, and then once we've compartmentalized it a little better, then we'll do better, I believe, at keeping it all straight. Okay, all right, we are truly running out of time. This time I do need to get rid of... oops, not that, I need to get rid of... nope, not that either... this, haha. All right, last concept. So we have this concept called stateful switchover, and oftentimes it's used in conjunction with non-stop forwarding, NSF. So you hear the phrase SSO/NSF used quite a bit. They solve two different problems, but combine together to solve the greater issue, if that makes
sense. Okay, here's what I'm talking about. We have this concept of chassis switches, and in chassis switches we have this concept of dual supervisors. Many of us are familiar with this concept: it's one logical switch, but it's modular, and so I can throw 48-port copper blades in there, you know, give myself 48 ports of copper, but then I can also throw like 12 ports of fiber in there, and it just allows me to modularly fill out this chassis however I want. And so the brains of the switch are also modular; we can deploy two different supervisors in there, and of course we want two for redundancy in case one of those supervisors dies. And by the way, we have this exact same concept with some of Cisco's router platforms, where you have a router and typically what this is going to look like is you have two of what we call route processors. Interestingly, by the way, we do have route processors on a layer 3 switch; they are just embedded inside the supervisor. So either way we're talking about route processors, but we take for granted that a technology like a chassis switch or a chassis router would just have two brains, and if one of them goes down the other one comes up really fast, right? I mean, we just take it for granted these days. When these devices first came out, if one of the supervisors died, all we really did was we stored the configuration on both, and if the second supervisor detected that the first supervisor died, it would automatically boot, do a cold boot, boot all the way up, apply the configuration, bring up all the line cards. I mean, it would be like a 10-minute process basically, or maybe five minutes, I don't know; it would just take a lengthy amount of time. And so Cisco came up with this concept of SSO, stateful switchover. A stateful switchover allows me to very quickly transition over to a different route processor, very, very quickly, so we're talking about like less than three seconds. You know, it detects it's down, but here's the thing:
even though it detects it's down really fast, like it could detect it's down in the millisecond range, it still has to... it can be almost there, but it's still got to get like OSPF running and EIGRP and HSRP, that we just talked about, and all these protocols have to activate and it has to take over all of these things. And so what SSO doesn't help us with is the idea that I might have another router out on the network, and these two are talking OSPF to each other, or, like I said, HSRP, or EIGRP, or what have you. And so when the supervisor goes down, if you have the right type of chassis, meaning a distributed chassis, so like a Nexus chassis or the 6800s with the line cards, etc. (like a 4500 chassis is not distributed), if you have a distributed chassis, these ports, or, I should say, these line cards have their own forwarding table. They have the forwarding information base built in there, and essentially it's the routing table; they can forward traffic even though the supervisor is down. That's what a distributed model is. A centralized model says I forward everything to the supervisor because it's the brains of the switch, and it tells me what to do with it, you know, like, I'm dumb, I don't know what to do with it, so I just listen to the supervisor. That's what a centralized line card has to do, because it doesn't have a FIB. Now the FIB is stored on the supervisor, so the route processor... I'm sorry, wait, where are we here? Okay, so NSF. Okay, let me say why we need NSF. Okay, here's what stateful switchover doesn't do for us. Stateful switchover gets us back online very, very quickly, but it still makes it so that OSPF, for example, is down for three seconds. In some cases that means this router is going to drop that neighborship. So the data plane is online, that's good; I can forward traffic. If you send me a packet I can receive it on that interface, I can look up in my FIB where it's supposed to go, and I can send it off.
Okay, my data plane is up. Is my control plane up? Because my supervisor just died. Who sends the hellos? Who tracks the neighbors? The supervisor. Even in a distributed architecture, the supervisor is still the brains, and who's, by the way, populating this forwarding information base? The supervisor. Is my control plane up? No, my control plane is down. So what are we trying to accomplish here? What we're trying to accomplish is we do not want this part to happen. We do not want the router to drop that OSPF connection, because I want this router to keep sending me packets. I can forward packets; I just can't respond to OSPF hello messages right now. I can't send OSPF hellos, I can't send EIGRP hellos, I can't send HSRP hellos, but I can forward all that traffic if you just send it to me. So what I'm trying to do is maintain my neighborships. This is what non-stop forwarding is meant to address. Non-stop forwarding solves this problem and allows me to have grace on responding to hello messages. Okay, so what happens here is when I configure NSF on an OSPF process, when these two devices become neighbors, they send their hellos to each other and they become neighbors. This part, this NSF concept, is exchanged. This router knows that that device is NSF-capable, which means that if I stop receiving hellos from that side, I'm going to show it a little bit of grace. Not too long, because if it legit went down then I need to redirect my routes, and certainly I do need to have the conversation in-house as to whether I want this functionality. But the idea here is not to give it an extra three minutes of grace. It's saying I am leveraging SSO to make sure that I am back up and running within three seconds, so I now need NSF to maintain the control plane information, hold it, pause it, basically say don't drop me as a neighbor, send me that traffic and allow my data plane to do its thing. Okay, I hope that made sense. Let me just check my notes here real quick. Okay, still checking my notes. Okay,
yeah, the only other thing would be: both sides need to have NSF enabled. We can't just... if this side doesn't have NSF enabled, it's going to ignore the fact that the left side has it enabled. Also, when the peer goes down, when it does detect... it's still going to detect that that device is down; it's just not going to drop the neighborship, but it will mark all of its routes as stale, because it needs to know which routes it learned from that neighbor so that it can basically react once it's either down or whether it comes back online. Once it comes back up, it's going to send a graceful restart message to say, hey, I'm... it's a graceful restart, so you send that message to the router and say, hey, I'm back online, what did I miss? And so it's going to fill... basically, it's going to update. They're going to update each other, because I just fired my secondary supervisor up, I need to populate this FIB again, and so I need all of that information, and so I'm going to bring it all in, make sure I didn't miss anything; it's been a few seconds. This works great as long as nothing changes in the network. I mean, if for whatever reason another router somewhere went down during this three-second process, or however long it takes (doesn't matter, I keep saying that), but if a change happens in the network, this FIB doesn't get updated, because I have no ability to update it; my control plane is down. My data plane is assuming nothing has changed. Again, all of this would be completely a bad idea and completely pointless if we don't have SSO configured. If we have SSO configured, then we should be back up and running really, really quickly, and so it's just there to absorb the hiccup. We expect, again, we expect if a supervisor dies or a route processor dies that we'll be back up online very, very quickly. Or, okay, I shouldn't even say that: if a supervisor dies, we expect there to be no hiccup whatsoever. We want traffic to keep flowing. It's why I invested in
the decentralized, or the distributed, model of chassis. You know, I want this to keep going if one of my supervisors dies. Why should my switch experience a hiccup? That's what this technology is meant to give us. So, all that said, that was a lot. That was a lot in an hour. We barely... almost made it, very, very close, but, so, thank you for sticking around for a few extra minutes. SSO and NSF is something that is glossed over a lot. I hope that helped make a little bit of sense, because even a lot of the official cert guides don't exactly do it justice with the amount of time and effort, and of course I just gave it five minutes, and I'm talking about doing it justice. But splitting those concepts up and understanding what they do... I mean, yes, they go very well together; peanut butter and jelly go very well together, but they're both there for different reasons and they solve different purposes. I'm not sure what the purpose of, you know, peanut butter gets you a little bit of salty and jelly gives you a little bit of sweet, and you combine them and that's even better together. I don't know, this analogy is going downhill fast. So thank you very much to everybody for joining us. I'm going to keep this video rolling for another five minutes just in case there are other questions in the chat, and to prevent the YouTube live from rolling over to whatever's next for you. So hit me up with any questions that you might have and I'll be doing my best to answer those. Next week we are going to be covering, oh, cloud versus on-prem deployments. So if you've heard of the cloud and you're trying to figure out what that means from a networking perspective, be sure to come in two weeks; we are going to be covering exactly that, what exactly cloud means, why it matters. And the cool thing about this too is we're going to be covering a little bit about data centers. Data center technology is a big passion of mine; I love data center technology. I spent a lot of
time with data center technology, and my experience, both my experience and the experience I've seen of others, is that if you don't live and breathe the data center, you don't really know what's going on in there. And if you find yourself in that situation, you're a network engineer, you spend your time focused on the network, or whatever the situation is there, then come and hang out, because you're going to learn a lot about what exactly is going on in the data center, why it's so important, and yes, what that means versus what a cloud deployment means. So that's in two weeks; that would be on August 12th. In the meantime, I hope everybody has a great couple of weeks and we'll see you next time. Bye.
Info
Channel: KishSquared
Views: 2,639
Rating: 5 out of 5
Id: uRr387ohLaM
Length: 74min 21sec (4461 seconds)
Published: Wed Jul 29 2020