CCIE R&S Advanced Technologies Class v4.5 - IP Services Overview, HSRP

Transcript

1	Introduction	0h 43m
2	Using the Cisco Documentation	0h 52m
3	Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP	0h 47m
4	VTP, VTP Authentication, VTP Pruning	1h 02m
5	VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs	0h 48m
6	VLAN and VTP Review	0h 19m
7	SVIs, Native Routed Interfaces, Router-on-a-Stick	0h 46m
8	Layer 2 EtherChannel, EtherChannel Load Balancing, Layer 3 EtherChannel	0h 57m
9	802.1q Tunneling, Layer 2 Protocol Tunneling, EtherChannel over 802.1q Tunneling	1h 03m
10	STP Root Bridge Election, STP Root Port Election, STP Designated Port Election, STP Priority, STP Cost, STP Port-Priority	1h 46m
11	STP Review	0h 12m
12	STP Timers, STP PortFast	0h 34m
13	STP UplinkFast	0h 11m
14	STP BackboneFast	0h 12m
15	STP BPDU Filter	0h 13m
16	STP BPDU Guard	0h 11m
17	STP Root Guard	0h 11m
18	STP Loop Guard, Unidirectional Link Detection (UDLD)	0h 11m
19	Multiple Spanning-Tree Protocol (MST)	0h 40m
20	Rapid Spanning-Tree Protocol (RSTP), Rapid-PVST	0h 18m
21	MST with Multiple Regions	0h 33m
22	Flex Links	0h 16m
23	Frame Relay	0h 39m
24	Frame Relay Configuration Part 1	0h 34m
25	Frame Relay Configuration Part 2	0h 41m
26	Frame Relay Switching	0h 27m
27	Back-to-Back Frame Relay	0h 08m
28	Frame-Relay End-to-End Keepalives	0h 18m
29	PPP, PPP PAP Authentication, PPP CHAP Authentication	0h 59m
30	PPPoFR, PPPoE	0h 40m
31	Transparent Bridging, IRB	0h 32m
32	Fallback Bridging	0h 14m
33	IP Routing Overview, Switching Paths, Static Routing	0h 42m
34	Static Routing Examples	0h 25m
35	IP Default-Gateway, IP Default-Network	0h 14m
36	On-Demand Routing (ODR)	0h 07m
37	Floating Static Routes	0h 10m
38	Backup Interface	0h 29m
39	Enhanced Object Tracking, IP SLA, Reliable Static Routing	0h 21m
40	Policy Routing	0h 43m
41	GRE Tunneling, GRE Recursive Routing Errors	0h 27m
42	Reliable Backup Interface with GRE	0h 25m
43	RIP Overview, RIP Versions, RIP Auto-Summary	0h 48m
44	RIP Split-Horizon, RIP Timers	0h 22m
45	RIP Broadcast Updates, IP Directed Broadcast, IP Broadcast-Address, Smurf Attacks, Fraggle Attacks	0h 16m
46	RIP Unicast Updates	0h 03m
47	RIP Offset-List	0h 18m
48	RIP Authentication	0h 11m
49	RIP Summarization	0h 10m
50	Prefix-Lists, RIP Distribute-List Filtering, RIP Administrative Distance Filtering	0h 48m
51	RIP Default Routing, RIP Conditional Default Routing	0h 18m
52	RIP Triggered, RIP Validate Update Source,	0h 12m
53	EIGRP Overview	0h 29m
54	EIGRP Auto-Summary	0h 07m
55	EIGRP Split-Horizon	0h 11m
56	EIGRP Update Types, EIGRP Neighbor, EIGRP Passive-Interface	0h 24m
57	EIGRP Hello-Interval, EIGRP Hold-Time	0h 05m
58	EIGRP Authentication	0h 11m
59	EIGRP Time Based Authentication	0h 25m
60	EIGRP Path Selection, EIGRP Metric Weights, EIGRP Traffic Engineering	0h 47m
61	EIGRP Unequal Cost Load Balancing, EIGRP Variance	0h 19m
62	EIGRP QUERY, EIGRP Summarization, EIGRP Leak-Map	0h 28m
63	EIGRP Stub Router Advertisement	0h 22m
64	EIGRP Default Routing	0h 13m
65	EIGRP Route Filtering	0h 11m
66	EIGRP Router-ID	0h 07m
67	Miscellaneous EIGRP Features	0h 02m
68	OSPF Overview	0h 27m
69	Establishing OSPF Adjacencies, Understanding the OSPF Database	0h 43m
70	OSPF Network Type Broadcast, OSPF DR/BDR Election, OSPF over NBMA, OSPF Network Type Non-Broadcast and Point-to-Multipoint	0h 56m
71	OSPF Network Type Point-to-Point, OSPF Network Type Mismatch	0h 13m
72	OSPF Network Type Point-to-Multipoint Non-Broadcast, OSPF Per Neighbor Cost	0h 17m
73	OSPF Network Type Loopback	0h 02m
74	OSPF Path Selection	0h 27m
75	OSPF Convergence Timers	0h 09m
76	OSPF Authentication	0h 12m
77	OSPF Summarization	0h 32m
78	OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs	0h 40m
79	Controlling OSPF NSSA Redistribution	0h 02m
80	OSPF Type 7 to 5 Translator Election, OSPF LSA Type 3 Filter, OSPF Forwarding Address Suppression	0h 24m
81	Route Redistribution Overview	0h 36m
82	Route Redistribution Configuration & Verification, Connected Redistribution	0h 22m
83	OSPF External Path Selection, TCL PING Scripting	0h 33m
84	Routing Loops Overview, EIGRP Route Loop Prevention	0h 55m
85	Metric Based Routing Loops, Route Tagging	0h 46m
86	Administrative Distance Based Routing Loops, Debug IP Routing, IP Route Profile	0h 58m
87	BGP Overview, BGP Peering Types	0h 51m
88	Establishing BGP Peerings, EBGP Multihop, BGP Neighbor Disable Connected Check, BGP TTL Security	0h 49m
89	BGP 4-Byte ASNs	0h 20m
90	BGP Local AS, BGP Peer Groups	0h 30m
91	BGP Next-Hop Self, BGP Next-Hop Processing	0h 30m
92	BGP Route Reflectors	0h 37m
93	Large Scale BGP Route Reflectors with Clusters	0h 34m
94	BGP Confederation	0h 37m
95	BGP NLRI Advertisements, BGP Network Statement, BGP Redistribution	0h 43m
96	BGP Aggregation, BGP Aggregation & Summary-Only, BGP Aggregation & Unsuppress-Map	0h 46m
97	BGP Origin, BGP Aggregation & AS-Set, BGP Aggregation & Advertise-Map	0h 22m
98	BGP Conditional Route Injection	0h 21m
99	BGP Bestpath Selection, BGP Multipath, BGP Weight	0h 53m
100	BGP Local Preference, BGP Local Preference and Communities, BGP AS-Path Prepending,	0h 30m
101	BGP MED, BGP MED Missing As Worst, BGP Deterministic MED	0h 17m
102	BGP Communites, BGP Regular Expressions	0h 43m
103	BGP Filtering, BGP Convergence Timers, BGP Default Routing, Miscellaneous BGP Features	0h 24m
104	MPLS Overview, MPLS Label Distribution Protocol (LDP)	1h 05m
105	MPLS Tunnels, MPLS Penultimate Hop Popping (PHP)	0h 40m
106	MPLS Layer 3 VPNs Overview, VRF Lite	0h 36m
107	MPLS Layer 3 VPNs and VPNv4 BGP	1h 08m
108	MPLS Layer 3 VPN Verification & Troubleshooting	0h 49m
109	MPLS Layer 3 VPN OSPF PE-CE Routing Overview	0h 06m
110	MPLS Layer 3 VPN OSPF PE-CE Routing Path Selection & Sham-Links	2h 01m
111	MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite	0h 40m
112	IPv6 Overview, IPv6 ICMPv6 ND, IPv6 over NBMA	0h 44m
113	IPv6 Routing Overview, IPv6 Static Routing	0h 28m
114	IPv6 RIPng	0h 20m
115	IPv6 EIGRPv6	0h 09m
116	IPv6 OSPFv3	0h 31m
117	MP-BGP for IPv6	0h 26m
118	IPv6 Tunneling	1h 13m
119	Multicast Overview, IGMP	0h 34m
120	PIM Overview	0h 18m
121	PIM Dense Mode	1h 03m
122	PIM Sparse Mode	0h 30m
123	PIM Sparse Mode Configuration	0h 36m
124	PIM Sparse Mode RPF & RP Troubleshooting	0h 27m
125	Auto-RP, Multicast over GRE Tunnels	0h 53m
126	Bootstrap Router (BSR), Bidirectional PIM, Source Specific Multicast (SSM)	0h 40m
127	MSDP, Anycast RP	0h 27m
128	IPv6 Multicast Routing	0h 24m
129	QoS Overview, IntServ QoS, DiffServ QoS, IP Precedence, DSCP, MQC, HQF	0h 41m
130	MQC Classification	0h 44m
131	FIFO, FQ, WFQ, CBWFQ, HQF	0h 50m
132	LLQ	0h 23m
133	WRED	0h 31m
134	Traffic Shaping, Traffic Policing	0h 40m
135	Frame Relay Traffic Shaping (FRTS)	0h 33m
136	RSVP	0h 07m
137	Catalyst 3560 QoS	1h 00m
138	IOS Security Overview, Access Lists (ACLs)	0h 58m
139	Time Based ACLs, Dynamic ACLs	0h 33m
140	Reflexive ACLs	0h 21m
141	TCP Intercept, Content Based Access Control (CBAC)	0h 34m
142	Zone Based Policy Firewall (ZBPF)	1h 09m
143	AAA, Local Authentication, Local Authorization, Role Based CLI Access	0h 43m
144	Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)	0h 48m
145	DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard	0h 12m
146	Protected Ports, Private VLANs	0h 25m
147	IP Services Overview, HSRP	1h 10m
148	VRRP, GLBP	0h 28m
149	NAT	0h 42m
150	DHCP, DNS	0h 30m
151	NetFlow	0h 09m
152	WCCP, Miscellaneous IP Services	0h 06m
153	System Management Overview, NTP, NTP Authentication	0h 24m
154	SNMP, RMON	0h 38m
155	Syslog, Telnet, SSH, Banners	0h 21m
156	EEM Scripting, Miscellaneous System Management	0h 26m
Total Duration		81h 42m

Slides - Diagrams

Slides - Introduction

Slides - Ethernet Switching

Slides - Advanced Ethernet Switching

Slides - Frame Relay

Slides - PPP

Slides - Transport Bridging

Slides - Redistribution

Slides - IOS Security

Slides - Layer 2 Security

Slides - IP Services

Slides - System Management

0:00:14	Our next class sessions here for the routing and switching
0:00:16	advanced technologies class are going to focus on the
0:00:20	IP services topics and the system management topics
0:00:23	specifically within the scope of IP services
0:00:26	we're going to look at the first hop redundancy protocols
0:00:29	which are HSRP, VRRP and GLBP.
0:00:33	We'll see configuration wise these three are going to be
0:00:36	very similar and from a technology point of view, generally they're
0:00:40	used to accomplish the same functionality.
0:00:43	Now behind the scenes, we know that there's going to be
0:00:45	some difference between the three of them from the protocol
0:00:48	formats, the type of transport they use
0:00:51	some minor differences in the features, so we'll look at some
0:00:54	configuration examples as to what the advantages are
0:00:57	of running GLBP versus HSRP or VRRP.
0:01:02	We'll also look at network address translation
0:01:05	for doing simple source translations of private addresses to public addresses
0:01:10	then some of the advanced functionalities of NAT
0:01:13	like doing destination translations for allowing inside servers access
0:01:19	to the public internet from the outside, also doing things
0:01:23	like TCP load distribution with NAT.
0:01:25	We'll also look at some of the other minor features of the
0:01:28	router like DHCP and the DNS server.
0:01:31	NetFlow for collecting traffic statistics and then WCCP for
0:01:36	web caching for optimizing the traffic flows for clients'
0:01:41	traffic that is either going out of the router or coming
0:01:44	inbound of the router.
0:01:47	Now a lot of these services topics beyond the things that
0:01:51	are having a lot of technology understanding which would be
0:01:54	like the first hop redundancy protocols or possibly the network
0:01:57	address translation, most of these you should be able to
0:02:00	look up in the documentation at the actual time of the exam
0:02:04	pretty much look at the configuration examples that
0:02:06	they're using and then change them around to
0:02:09	get a basic functional configuration per the requirements of the exam.
0:02:14	So we'll see that both for the system management and
0:02:16	for the IP services topics, you really don't necessarily
0:02:19	have to be an expert in these as long as you know
0:02:22	what are the different features that the IOS supports
0:02:25	you pretty much can use the documentation to piece together
0:02:27	whatever minor functional configuration that you need.
0:02:32	So to see this, first let's go to the documentation
0:02:36	and from the main documentation page, there's a couple different
0:02:39	sections that we would go to for the IP services
0:02:41	related topics.
0:02:44	So both of these are going to be under the IP category
0:02:47	specifically these are the IP addressing services
0:02:50	and the IP application services.
0:02:53	Where the main difference between them is that the
0:02:56	addressing document is things that are specifically
0:03:00	related to the IP version 4 address services on the router.
0:03:04	So things like DHCP that is for leasing address
0:03:07	DNS that is going to be for translating our IP addresses
0:03:10	to our fully qualified domain names.
0:03:13	The NHRP protocol
0:03:17	I mentioned this a little bit before this is the Next Hop
0:03:20	Resolution Protocol. This is usually used with dynamic
0:03:23	multipoint VPNs.
0:03:25	So it's possible that you could get this within routing
0:03:28	and switching, it's going to be used for multipoint GRE
0:03:31	tunnel, but most likely that's going to be reserved
0:03:34	for the CCIE Security exam because generally, DMVPN
0:03:37	means that you're also running IPSec encryption.
0:03:41	Then lastly we have the network address translation
0:03:44	where when we look in the newer versions
0:03:46	there's a lot of advanced features that network address translation
0:03:50	supports especially with the different application level
0:03:55	gateways or ALGs that are going to be specific
0:03:58	to different protocols like SIP translations or ESP
0:04:03	and AH translations for different type of application
0:04:07	flows that need to go through our either network address translation
0:04:10	or our port address translation.
0:04:16	The other document we would need to focus on
0:04:18	is the IP application services
0:04:21	which would be things like the enhanced object tracking
0:04:24	that we talked about in our generic IP routing
0:04:27	discussions. We'll also look at this a little bit more
0:04:30	later today when we get to the object tracking that
0:04:34	can be tied to the first hop redundancy protocols
0:04:37	and then also for the embedded event manager or the EEM scripting
0:04:42	that can be used for automation of different scripting tasks on the IOS.
0:04:49	So we see here the first hop redundancy protocols
0:04:51	this is where GLBP, HSRP and VRRP would be documented.
0:04:56	The fourth one IRDP this is the ICMP router discovery protocol
0:05:02	which is pretty much a legacy protocol, it was the
0:05:04	original implementation before DHCP was supported
0:05:08	where through the ICMP stack, the end host can figure
0:05:12	out who is the router on the segment in order to use
0:05:15	as its default gateway. So in general, this
0:05:18	is going to be replaced by DHCP, but technically you
0:05:21	could configure the router in order to advertise its
0:05:24	local address as a candidate default gateway through the
0:05:28	ICMP router discovery protocol.
0:05:32	So a lot of these minor documents here like the
0:05:34	configuring IP services to configuring TCP. Again, there's
0:05:38	really not a lot of technology understanding that goes behind
0:05:41	these. You simply need to sit down and spend some time
0:05:43	to read through the documentation and really there's no shortcut to this.
0:05:47	As long as you read through these documents and figure out
0:05:50	what are the different features the router supports
0:05:53	then at the exam time you could always come back to these
0:05:56	as a reference to figure out what's the syntax I need to
0:05:58	use for TCP path MTU discovery
0:06:02	or how do I rate limit the ICMP unreachable messages
0:06:06	that the router is generating or how do I deal with different
0:06:09	MTU problems by manually changing the fragmentation
0:06:14	on the routers.
0:06:17	Then under the configuring TCP, this is going to be
0:06:22	of course TCP specific.
0:06:24	Options like the TCP window scaling and the sliding windows
0:06:28	this is going to be for TCP sessions again that are
0:06:31	locally generated from or locally destined to the router.
0:06:36	So most of this is not going to affect the traffic that is
0:06:38	transiting through the router
0:06:41	from end hosts.
0:06:43	This is going to be for the router itself.
0:06:47	So if we're trying to track down some sort of latency
0:06:49	problems in the network, we could turn TCP time stamping on
0:06:54	to see how long is it actually taking us maybe to do a telnet
0:06:57	to the router.
0:07:00	But you can see most of these particular configurations
0:07:04	are simply going to be one command
0:07:07	either in global configuration or at the interface level
0:07:10	and the vast majority of them are going to start with the
0:07:12	IP keyword.
0:07:14	So if we were to go to the command line
0:07:17	and go to global config look at the ip ?
0:07:20	for the context sensitive help
0:07:23	or go to the interface level
0:07:25	and say ip ?
0:07:28	This is another way that you can figure out what are
0:07:30	some of the minor features available in the IOS
0:07:33	is simply to look through the context sensitive help
0:07:36	figure out which of these features do I know already
0:07:38	what they do, which ones don't I know what they do
0:07:42	and then correlate this either with the configuration guide
0:07:45	or with the command reference.
0:07:49	So you'll see there's a lot of minor features that if
0:07:51	you didn't read through the documentation, then
0:07:53	if you were to be asked a question about that
0:07:57	it's going to take you way too much time to figure out
0:07:59	what are they even asking us about in the first place.
0:08:03	And that's really the problem that we're trying to prevent here
0:08:05	with these different feature type questions
0:08:08	is if we know what they're asking in the first place
0:08:11	then we can always use the documentation as a reference.
0:08:14	But if I were to ask you a question that was related to
0:08:17	NetFlow for keeping traffic statistics
0:08:20	and you've never even heard of NetFlow to begin with
0:08:23	then you're going to be in trouble when you get to the exam
0:08:25	because from the question, there's really not going to be
0:08:28	any way to derive where you need to look in the documentation
0:08:32	unless you already knew that that feature existed in the first place.
0:08:37	So as I mentioned, unfortunately there's really no shortcut for this
0:08:40	you simply need to look through these different addressing application
0:08:44	services documents and see what are the different features
0:08:47	that this particular release of the IOS supports.
0:08:52	Now additionally, another way that you could do this
0:08:54	as I mentioned when we were going over through the -- the very
0:08:58	first day the overview of the documentation, if you go to this
0:09:02	specific IOS release, so let's start back at the main documentation page
0:09:10	to products, IOS
0:09:13	regular IOS
0:09:14	12.4, 12.4 T
0:09:19	then we'll go to release and general information
0:09:21	and the release notes.
0:09:25	From here we can see the new features for that particular
0:09:28	version. In this case it's 12.4 T
0:09:34	so it may be a good idea to skim through this to see what are the
0:09:36	changes from 12.4 mainline and 12.4 T
0:09:40	and then see which of these specifically are within the scope of
0:09:43	the lab exam.
0:09:44	So some of these we already talked about before like the
0:09:46	BGP 4-byte autonomous system number.
0:09:51	You'll see some of this stuff is not going to be within our scope
0:09:54	like IKE responder-only mode this is the protocol for IPSec
0:09:59	tunnel negotiation.
0:10:01	Some of this stuff like the performance routing
0:10:04	which is also known as the optimized edge routing.
0:10:07	Technically this is going to be within the scope of the
0:10:09	exam, but it's one of those minor features that you
0:10:12	as long as you try it out once and you know where this is
0:10:15	documented, then you should be able to piece together
0:10:17	from their configuration examples exactly what you
0:10:20	need to do, so now let's take a look at our first
0:10:24	specific topic here which is going to be the first hop redundancy protocols
0:10:28	which are used to implement a virtualization of the default
0:10:32	gateway address from the perspective of an end host.
0:10:36	So our Windows host or our Mac OS machine that's the
0:10:40	actual end host on the LAN, there's going to point their
0:10:44	default gateway to a virtual IP address whether this is
0:10:47	statically or through DHCP it doesn't really matter.
0:10:51	Now multiple routers or gateways are going to share
0:10:54	the same virtual address, but only one of them is
0:10:58	going to respond to ARP requests that are going
0:11:00	to the virtual IP.
0:11:03	Once the active router or the master router
0:11:07	receives this ARP response, it's going to reply back with a
0:11:10	virtual Mac address that corresponds to that
0:11:12	particular group that we have configured.
0:11:16	So the idea is that we're decoupling the ARP request and
0:11:19	response from the actual physical Mac address or
0:11:22	the main IP address assigned on the interface
0:11:26	to allow multiple routers to participate in the response
0:11:30	the ARP response for this particular Mac address.
0:11:33	So the idea is that the active gateway or the
0:11:36	master gateway is going to respond with the virtual Mac
0:11:39	address and use that locally, but if that active gateway
0:11:43	goes down, then some backup device is going to take over for that.
0:11:48	So the backup device is then going to take care of the
0:11:50	ARP responses going to the virtual Mac address
0:11:55	and for any traffic that's actually going to that
0:11:57	virtual IP. Now specifically there's three different ways we can
0:12:01	implement this with HSRP, VRRP and GLBP.
0:12:07	The main difference will be is the protocol a Cisco proprietary
0:12:11	version or is it an open standard and do we want to allow
0:12:15	load balancing between multiple active routers at the same time.
0:12:21	Now the first one HSRP it is a Cisco proprietary
0:12:25	protocol, but what's kind of strange here is that it is
0:12:28	actually RFC defined.
0:12:31	So if you look up RFC 2281 which is for Cisco HSRP
0:12:36	it does talk about how the protocol is supposed to be
0:12:39	implemented, but it's technically not open source.
0:12:42	So you'll see some verbiage in there about licensing the
0:12:45	protocol if you were to use it for other vendors'
0:12:48	perspectives, so you can see exactly how it is supposed
0:12:51	to work, but it's still technically a proprietary protocol.
0:12:56	The other alternative to this would be the virtual router
0:12:59	redundancy protocol or VRRP which essentially does
0:13:03	the same thing, but it was developed from the ground
0:13:05	up by IETF
0:13:07	So it is an open standard that is defined by an
0:13:10	RFC as opposed to HSRP which is a closed standard.
0:13:17	Now the idea behind any of these redundancy protocols
0:13:20	is that we first need some sort of election mechanism
0:13:23	to figure out who is going to be the active gateway on the segment.
0:13:27	In the case of HSRP, we're going to use a priority value
0:13:31	that is from 1 to 256
0:13:34	where a 100 is the default and the higher value is better.
0:13:41	Now since all the routers are going to use the same priority by
0:13:44	default, we need some sort of tie breaker and this is going
0:13:47	be based on the highest IP address.
0:13:51	A key point to remember about HSRP is that it does
0:13:54	not run preemption by default.
0:13:59	This means that if a new router comes onto the segment with a
0:14:02	higher priority, it will not be able to take the active status
0:14:08	away from whoever is the current active router.
0:14:11	So it's similar to how the OSPF DR election works that even
0:14:15	if a new router comes in with a higher priority
0:14:18	it's not going to take the DR status away from whoever is currently elected.
0:14:24	Now the case of this can be a problem is when we're trying to do
0:14:28	some sort of tracking based on a state in the network
0:14:31	whether it's based on an interface being up or some
0:14:34	sort of IP SLA or enhanced object that once we decrement
0:14:40	our priority to try to release the active status
0:14:44	unless preemption is configured then we're not actually going to
0:14:48	change who is the active router on the segment.
0:14:51	Specifically for transport, HSRP is going to be using
0:14:55	UDP multicasts that are going to the all host multicast
0:14:59	which is 224.0.0.1
0:15:02	using UDP port number 1985
0:15:07	Now the actual transport protocol and the port numbers
0:15:10	you don't necessarily need to memorize this for the different
0:15:13	first hop redundancy protocols because we'll look at a way
0:15:16	on the command line we can actually figure this out
0:15:19	at run time to figure out what's the transport difference
0:15:23	between VRRP or HSRP or GLBP
0:15:28	So if we had a very specific question in the exam
0:15:30	that says use a first hop redundancy protocol
0:15:33	that doesn't use port 1985 for transport
0:15:38	then we would need to memorize that, we could just simply look at
0:15:40	on the command line the either access list logging output
0:15:44	or the debug ip packet detail output. It's going to show us
0:15:47	what's the destination address, what's the Layer 4 protocol
0:15:50	and what's the particular port number.
0:15:53	HSRP does support authentication both through clear text or MD5
0:15:59	where in general in a real application of course you
0:16:01	would want to use the MD5 authentication.
0:16:05	So since the messages are not actually encrypted
0:16:08	you could look into the payload to figure out
0:16:10	what is the clear text authentication string
0:16:13	and since it is also going to the all host multicast
0:16:17	of 224.0.0.1
0:16:19	there's nothing preventing the Layer 2 switch in the
0:16:23	transit path from essentially treating these as broadcasts.
0:16:29	So we'll see that with VRRP there's a little bit of an
0:16:32	optimization for this because we're using a specific dedicated
0:16:36	protocol number and a dedicated multicast address that is specific
0:16:41	for the VRRP transport.
0:16:44	But since HSRP didn't have an IANA protocol assignment
0:16:48	they just use the all host multicast.
0:16:54	Additionally, we can run multiple HSRP groups
0:16:57	on the same interface. This is going to be
0:17:00	used for a crude load balancing mechanisms where some of the
0:17:05	hosts will have one default gateway assigned and then
0:17:09	some of the hosts are going to have a different default gateway assigned.
0:17:13	So the idea behind this is that if we had two routers
0:17:15	on the segment, we could have one of them using the address
0:17:18	.1 for one group, we can have the other one using the address .2
0:17:24	some of the hosts are pointing at .1, some of them are pointing at
0:17:26	.2, but if either of these virtual IP addresses goes down, the other
0:17:31	router is going to take over for it.
0:17:34	Now we'll see there's a more efficient way to do this with the
0:17:36	newer protocol gateway load balancing or GLBP
0:17:40	but this was kind of a hack that they came up with
0:17:42	since HSRP did not support a multiple active forwarders at the same time.
0:17:50	To keep track of what is the specific group that we are referencing
0:17:53	it's going to be encoded inside the virtual Mac address that the
0:17:57	router is exchanging.
0:17:59	So when we look at the last byte of the address
0:18:03	which is the last two digits in hex, that's going to encode
0:18:07	the group value which is going to be from 00 to FF
0:18:10	or in decimal from 0 to 255
0:18:14	Now as I mentioned, the different first hop redundancy protocols
0:18:17	they can use object tracking whether this is based on
0:18:21	just the line protocol of the connected interface
0:18:24	or whether it's tied to some sort of enhanced object
0:18:27	that then in turn could call an IP SLA instance
0:18:31	or the IP routing status or the link status or the
0:18:35	line protocol status of a connected interface.
0:18:40	So the idea behind this is that if we're using the different
0:18:42	virtual addresses for our default gateways on the segment
0:18:47	we want to make sure that whoever is the active gateway
0:18:50	actually has connectivity to further upstream in the network.
0:18:55	So if one of the active routers loses its connection to the service
0:18:58	provider or to the internet, then it may make sense to
0:19:01	remove it from the election and switch over to an alternate path.
0:19:08	And as I mentioned the key point about this is that
0:19:11	if preemption is off, then the object tracking and the decrement
0:19:15	of the priority is not going to do anything. We need to make
0:19:18	sure that whoever is trying to take over the active status
0:19:21	does have HSRP preemption enabled.
0:19:25	So typically to avoid this issue, you would just enable
0:19:28	preemption on every router that is running the HSRP process
0:19:32	but technically it only needs to be enabled on the actual router
0:19:35	that is doing the preempting.
0:19:38	So in our particular topology to test this out
0:19:41	we're going to look at the segment between routers
0:19:43	1, 4, and 6
0:19:47	where Router 6 and Router 4 are going to be the two routers
0:19:51	that are running in the HSRP group.
0:19:55	Now to test this out, we're going to have Router 1
0:19:58	being used as a client.
0:20:01	And we'll either point a static route that goes to
0:20:04	the virtual IP address
0:20:06	or we could turn IP routing off and issue the IP default
0:20:10	gateway command, so HSRP you can use it not only for
0:20:15	your end host's redundancy
0:20:18	you could use it between the routers at the network edge
0:20:21	and point routes towards the virtual address
0:20:25	in order to achieve load balancing out of the network.
0:20:31	So to demonstrate this, what I'm also going to do is that
0:20:33	on Router 4 and Router 6
0:20:36	I'm going to disable their other connections to the rest
0:20:39	of the network, so essentially the only possible way to get
0:20:43	to either BB1 or BB3 is going to be to use this
0:20:48	segment that Router 1 is attaching to four and six.
0:20:54	So the traffic somehow is going to come up to Router 1
0:20:58	then depending on who is the active router, traffic
0:21:01	is either going to forward out this direction to BB3
0:21:03	or it's going to forward out that direction to BB1
0:21:08	We'll also see depending on which particular firs hop
0:21:11	redundancy protocol we're using whether it's HSRP, VRRP or GLBP
0:21:17	there's going to be some difference in the functional behavior
0:21:20	between the three of them.
0:21:22	So as we know, there's obviously going to be
0:21:24	protocol format differences but there are some functional
0:21:27	difference that are keyed to note.
0:21:30	So now let's take a look at the command line
0:21:32	and again, the first thing I'm going to do is on Route 4 and Router 6
0:21:35	I'm going to make sure to isolate them from the
0:21:38	other links of the network
0:21:41	so that everyone is essentially going to be forced to use
0:21:44	that HSRP segment in order to leave out to any of the rest
0:21:50	of the network.
0:21:53	Now on Router 4 and Router 6 we are learning multiple destinations
0:21:57	from the backbone routers. On Router 6 if we look at
0:22:00	the show ip route output
0:22:04	we see that on the frame relay interface to BB1
0:22:08	which is serial 0/0/0
0:22:11	we are learning the networks that are 200.0.1
0:22:17	200.0.2, 200.0.3
0:22:21	then as we look at Router 4's routes
0:22:28	to BB3 let's look at the show ip route rip
0:22:33	Router 4 should be learning prefixes from BB3 here.
0:22:39	So let's look at the full
0:22:43	routing table.
0:22:47	And let's look at the show ip interface brief
0:22:56	and this link has the wrong address on it, so this should
0:22:59	be 204.12.28.4
0:23:11	then we have a rip process that's running here
0:23:16	which is being redistributed into EIGRP.
0:23:20	So if we look at the show ip route rip
0:23:26	we see that we have reachability out to
0:23:29	to BB3
0:23:32	Now from the actual backbone routers themselves, again in
0:23:35	the actual exam, you're not going to be able to check this.
0:23:39	But from our particular perspective if you are using our equipment
0:23:42	to test these scenarios, you can login to the backbones
0:23:45	so if we look at the routing table here
0:23:55	we can see that these routers do have routes to each other's
0:24:00	segments so for example BB1 does have reachability to
0:24:05	30.0.0.1, so ultimately what we're going to be
0:24:08	testing here is what happens when Router 3 or switch 4 or
0:24:13	switch 3 as they send their traffic out to the external network
0:24:18	to BB1 or BB3, which path are they going to use? Are they going
0:24:21	to go to Router 4 or are they going to go to Router 6?
0:24:25	And ultimately that's going to be controlled based on
0:24:27	who is the active router.
0:24:31	Now to facilitate this, what I'm going to do on Router 1
0:24:35	is essentially replace its dynamically learned information
0:24:39	if we show ip route eigrp
0:24:44	I'm going to replace any of the information learned
0:24:47	in on this segment with just a static route.
0:24:51	And this is going to point to the virtual address that I'm going to assign.
0:24:56	So on Router 1, first I'm going to say access list 1
0:24:59	simply is going to deny anything.
0:25:03	If we show ip eigrp neighbors
0:25:07	this is EIGRP AS 100
0:25:09	I'm going to say under the EIGRP process I want
0:25:12	distribute list 1 in Fast Ethernet 0/0
0:25:18	so I'm essentially denying all updates from coming in on that link.
0:25:23	Then as opposed to the dynamic information,
0:25:25	I'm simply going to have a default static route
0:25:30	that is going to point to the virtual address, so I'll ay
0:25:33	the virtual address is going to be 155.28.146.254
0:25:40	so it could be any address that's on that segment.
0:25:44	Then under the EIGRP process
0:25:50	router eigrp 100 I'll say redistribute static
0:25:55	and we could give it any metric here.
0:25:58	So the ultimate goal being is that Router 1 is going to
0:26:01	generate this default route
0:26:03	when it collects all the traffic, it's then going to be forwarding to the
0:26:07	virtual address which should be represented either Router 4
0:26:11	or by Router 6
0:26:14	If we look at the in result of this on anywhere else
0:26:16	in the network let's see on switch 3
0:26:19	and show ip route eigrp
0:26:25	we see that we do have a default route. If I were to
0:26:28	trace to 30.0.0.1
0:26:32	we see that the traffic is routed up to Router 1
0:26:34	but from that point on it doesn't know how to forward it
0:26:37	because we don't have the virtual address assigned.
0:26:41	So essentially once this is done, Router 1 should forward it to
0:26:46	either Router 4 or 6
0:26:54	Now one other change that I want to do here is on
0:26:59	Router 4 and 6, I actually need to
0:27:01	make sure that they have the same routes
0:27:04	out to the network because right now through IGP
0:27:06	they're learning two different sets of routes from BB1 and BB3
0:27:12	so to do this I'm going to enable the BGP process.
0:27:16	Where these two devices are going to be running
0:27:17	in BGP AS 100
0:27:22	so Router 4 and 6
0:27:24	the remote AS for BB1 is 54
0:27:28	same as BB3
0:27:31	so essentially what we're simulating here is that
0:27:32	these are the border routers that are learning the full
0:27:35	public BGP table, then we're going to decide
0:27:39	which exit point we're using based on the HSRP, VRRP
0:27:43	or GLBP priorities.
0:27:46	So next on Router 4 let's say
0:27:48	router bgp 100
0:27:50	I'm going to peer with BB3 who is an AS 54
0:27:57	Now I don't need to do any internal exchange with Router 6
0:28:00	because I'm using this just to learn the route's from the
0:28:04	remote neighbors
0:28:10	which in this case BB1 is 54.28.1.254
0:28:20	who is in remote as 54
0:28:24	so now on Router 4 we see that we do have the
0:28:27	BGP -- if we show ip route bgp
0:28:34	we see we have the 112 through 119
0:28:38	plus the 28.119.16 and 17
0:28:41	These ultimately should be the same routes that we're
0:28:43	learning on Router 6 so these are the destinations
0:28:47	that we're going to be testing the traffic to.
0:28:51	Now to see the differences in the three protocols
0:28:54	what I'm also going to do on Router 4 and Router 6
0:28:57	is as the packets are received in on that interface
0:29:02	I'm going to deny everything and log it.
0:29:07	And technically, I could also permit the traffic and
0:29:09	log it, but by denying it it's going to tell us
0:29:12	exactly what the particular transport that we need on
0:29:15	that interface. Now I know already that I'm running EIGRP as my
0:29:19	routing protocol so I'll make that as one of the exceptions.
0:29:24	And I'll do this on Router 6 by saying access list 100
0:29:27	is going to permit EIGRP any any
0:29:33	then I'll permit icmp any any because this is what we'll use to
0:29:37	test our pings
0:29:39	for everything else...
0:29:42	so permit icmp any any
0:29:44	for everything else I'm going to deny it.
0:29:47	So deny ip any any
0:29:50	and I'll log that
0:29:53	So now on the connection to that LAN segment, I
0:29:56	have ip access group 100 in
0:30:00	and I want to make sure that I'm logging to the console.
0:30:03	So logging console at level seven.
0:30:09	Router 4 is going to have the same configuration.
0:30:13	show run include access list
0:30:17	so the same ACL
0:30:21	And from Router 4's perspective this is going to be applied in on
0:30:24	Fast Ethernet 0/1
0:30:27	so fa0/1 ip access group 100 in
0:30:31	I'll log to the console
0:30:35	but without the time stamping.
0:30:42	So now we have the topology staged for the first hop redundancy
0:30:46	protocols. Again, first implementation we're going to look at is with HSRP.
0:30:51	Syntax wise this is going to be at the link level
0:30:54	the standby command.
0:30:59	If we say standby with no group number
0:31:01	so if I just say standby ip
0:31:03	or standby ip v6 we can see these also support IP version 6
0:31:08	for first hop redundancy.
0:31:10	By simply saying standby ip that's going to use group number 0
0:31:15	and again, the group ID is going to be encoded
0:31:17	inside of the virtual Mac address.
0:31:21	The minimum configuration for this would just be standby
0:31:24	whatever the group number is either nothing or any value
0:31:30	the IP address then our virtual IP is going to be 155.28.146.254
0:31:41	Router 6 is going to do the same thing, so we need to make sure
0:31:44	they agree on both the group number and
0:31:50	the address.
0:31:51	So the virtual address and the group number.
0:31:59	We can see now the packets are coming in.
0:32:01	And they're going to the all routers multicast, so
0:32:06	actually I had that wrong in the slide. That should say
0:32:11	this should say 224.0.0.2 so it's for all routers, not
0:32:15	all hosts.
0:32:18	224.0.0.2
0:32:20	we can see from the command line that this is UDP
0:32:23	but it doesn't necessarily tell us the specifics about the
0:32:30	the protocol that's being denied.
0:32:32	So to figure out what is the port numbers and the more detail about
0:32:36	the transport, we would have to look at the debug output.
0:32:42	Now since this traffic is going to be locally destined to the
0:32:45	router, it means it's going to be process switched and we
0:32:48	can see the debug. The only thing I want to do here is
0:32:51	make sure that I'm not debugging EIGRP
0:32:54	and not debugging BGP
0:32:56	because that's going to be just extra output to the command line
0:32:59	I don't want.
0:33:00	So on Router 6, I'm going to create another access list.
0:33:04	Let's say access list 101 deny eigrp any any
0:33:09	deny tcp any any equal to bgp
0:33:14	or coming from bgp going anywhere
0:33:19	then I'll permit anything else permit ip any any
0:33:23	so now I'm going to use access list 101
0:33:26	to debug ip packet detail.
0:33:28	We can see now on Router 6 we are locally originating
0:33:33	these HSRP packets
0:33:35	where specifically they're coming from Router 4
0:33:39	and from Router 6 they're going to the all router multicast
0:33:43	with destination port 1985
0:33:48	What we would also see that both Router 4 and
0:33:52	Router 6 have elected themselves as the active router
0:33:57	because there's a problem in the transport for the group.
0:34:01	So this would be useful in your troubleshooting any time
0:34:03	you look at the show standby
0:34:07	and if you see that multiple routers say that they are the
0:34:11	active device
0:34:15	this is an indication of a problem in the transport
0:34:18	because ideally, one of them should be active and all of the
0:34:22	other routers should not
0:34:25	but we can see here likewise on Router 4, it says that
0:34:28	it is the active router.
0:34:31	So once Router 1 actually sends packets to this destination
0:34:36	let's say that we ping 112.0.0.1
0:34:43	there's essentially going to be a problem in the address resolution
0:34:47	protocol for this particular Mac address
0:34:51	where both Router 4 and Router 6 are going to be
0:34:53	responding with that same Mac address.
0:34:59	One way that you could see this would be on the
0:35:01	switches we may see a log message here that the
0:35:07	Mac address is flapping between multiple interfaces.
0:35:14	And to figure out specifically who is the active router
0:35:17	what we could do is telnet to the address, so if I were
0:35:19	to telnet to 155.28.146.254
0:35:24	destination unreachable gateway or host down.
0:35:30	Let's try pinging it ping 155.28.146.254
0:35:38	and that is -- that's being denied by the access list, so
0:35:41	let me make an exception for that real quick.
0:35:43	Let's say show run include access list
0:35:52	so ip access list 100 or ip access list extended 100
0:35:59	I'll say sequence number five permit tcp any any equal to
0:36:04	telnet
0:36:09	and on Router 4 I'll do the same thing.
0:36:11	ip access list extended 100
0:36:15	sequence 5 permit tcp any any
0:36:19	equal to telnet
0:36:20	Now notice again on Router 1 the response that I got back in
0:36:25	from the telnet, the session did not hang
0:36:29	which means that when Router 1 set the -- out
0:36:32	which is the first portion of the TCP three-way handshake
0:36:35	immediately a TCP reset came back in
0:36:39	or specifically in this case it was an ICMP unreachable
0:36:42	which is the administratively prohibited that came from the
0:36:46	ACL, so this would be different than doing the telnet and then the
0:36:51	session just sits there
0:36:57	which could be an indication of a transport problem or
0:37:01	some sort of filtering.
0:37:03	Now notice here that the connection is being reset.
0:37:08	Basically what this means is that there is the transport problem
0:37:12	because both of the routers are responding to that particular
0:37:16	Mac address.
0:37:18	So right now it says that Router 4 is the one that is receiving those packets.
0:37:25	And specifically this is connecting to Router 4's Fast Ethernet 0/1
0:37:31	where physically, this port is going to switch 4's
0:37:35	port Fast Ethernet 0/4
0:37:40	so if I were to go to the Layer 2 switch and
0:37:44	look at the show Mac address table for interface Fast Ethernet 0/4
0:37:53	we see this first entry.
0:37:58	This is the virtual Mac address that came from the HSRP process.
0:38:04	Now if I were to look at what is Router 6's connection
0:38:10	which on switch 2 this is going to be on interface Fast Ethernet 0/6
0:38:17	We see the same Mac address
0:38:19	which is not what we want.
0:38:23	So in the Layer 2 network in the CAM table
0:38:27	we need to make sure that only one of these ports has that
0:38:31	particular Mac address associated with it.
0:38:33	Whether this is going to be for HSRP, VRRP or GLBP
0:38:37	it's the same type of logic where the Layer 2 switch
0:38:40	needs to know exactly where to forward packets that are
0:38:44	going to the virtual Mac address.
0:38:47	If it's assigned to multiple interfaces, then there's going to
0:38:51	be a Layer 2 forwarding problem from the switch's perspective.
0:38:56	Now sometimes you'll see this error message on the switch
0:38:59	where it says the Mac address is flapping between the ports.
0:39:03	That could be an indication either of some sort of Layer 2
0:39:06	forwarding error like a spanning tree loop or
0:39:10	some sort of spoofing attack against the Mac address
0:39:13	like an ARP spoofing attack
0:39:16	which is essentially what's happening here because
0:39:18	Router 4 and Router 6 are sending essentially gratuitous
0:39:22	ARPs for that address which is the unsolicited ARP reply
0:39:28	without having an ARP request come in.
0:39:34	So again, for any of these three protocols when you were
0:39:37	verifying it, when you look at the show standby or show vrrp
0:39:41	or show glbp, you need to make sure that only one of
0:39:44	them is active which means that that particular router is
0:39:48	going to be in charge of sending the ARP replies
0:39:51	for the virtual address.
0:39:53	Now specifically we know why that's happening in this case
0:39:57	because I configured the access list to deny that particular
0:40:01	traffic flow, so now let's add an entry that's going to allow that.
0:40:06	Specifically in this case
0:40:08	I'll say ip access list extended 100
0:40:12	and sequence 1 is going to permit UDP
0:40:16	that is going to 224.0.0.2 that is equal to 1985
0:40:24	Once I apply this on Router 4 and 6
0:40:28	we should see that one of these routers is going to
0:40:31	change to the standby state
0:40:36	and only one of them is going to stay as the
0:40:39	the backup.
0:40:41	Now again, since they both have the default priority of
0:40:44	100, Router 4 changes to the standby state
0:40:48	because it has the lower IP address.
0:40:54	If we look at the show standby
0:40:58	Router 4 says my state is standby
0:41:01	the active router is 146.6
0:41:05	The priority of 100 is the same as my configured value.
0:41:11	But since Router 4 has the higher address, that's the one
0:41:13	that's winning.
0:41:17	This is also going to tell us what are the particular timers
0:41:20	which are three seconds and ten seconds as the whole time by default.
0:41:25	Preemption is off.
0:41:27	The virtual Mac address again is derived from the
0:41:31	group identifier
0:41:33	where if this was group 10, then the Mac address would end
0:41:38	in AC0A
0:41:42	where 0A is 10 in hex.
0:41:49	So most of the rest of the features for this should be
0:41:52	fairly self-explanatory if you either look in the command
0:41:55	reference or simply at the link level, look at the standby
0:42:00	question mark or the standby ip question mark
0:42:03	or I could say standby authentication. Either use MD5 authentication or clear text.
0:42:10	And this is going to be on a per group basis
0:42:12	where I would want to say for group number one
0:42:15	run authentication
0:42:18	then I'm going to call either a key string directly
0:42:27	so key string 0 I'll say Cisco
0:42:29	This would be the MD5 authentication password.
0:42:33	Or I could do a key chain which is going to allow me to do what?
0:42:39	why would I want to use the key chain as opposed to
0:42:42	applying the password directly onto the link with the key string?
0:42:45	The key chain is going to allow me to do automated key rotation.
0:42:50	So based on the time of the day whether this is a periodic or
0:42:54	an absolute timer, I could say Monday through Friday
0:42:57	I'm going to use one password and then when it gets to Saturday
0:43:01	I'm going to change over to a different one.
0:43:03	So it's similar to how the EIGRP authentication worked
0:43:06	with the time rotation, same logic is going to apply to
0:43:09	HSRP here.
0:43:11	Now we could see we have the bad authentication
0:43:14	because I configured the password on one side, but not the other.
0:43:17	So it's pretty obvious based on this log message what the
0:43:20	problem is.
0:43:21	So you don't need to look at the detail debugs
0:43:23	most of the problems with HSRP, VRRP or GLBP
0:43:28	it's going to show right up here as a normal syslog message.
0:43:36	So again typically what you would also want to enable
0:43:39	here is the standby preempt feature
0:43:43	so it's saying whoever has the current highest priority
0:43:49	we want to make sure that they are the active router.
0:43:52	I could also tell them to use what is my assigned Mac address
0:43:55	on the interface
0:43:57	as opposed to the virtual address
0:44:02	where again, if I were doing any type of Layer 2 filtering
0:44:05	based on Mac addresses
0:44:08	whether it be with port security or maybe some sort of DHCP
0:44:14	snooping or IP source guard
0:44:17	or the dynamic ARP inspection
0:44:19	then using multiple Mac addresses on the link
0:44:22	could potentially be an issue.
0:44:25	If I say standby use BIA
0:44:28	Router 4 is going to use its own physical Mac address
0:44:30	for the group and Router 6 is going to use its own physical address.
0:44:34	Then whoever takes over the active status, we'll send
0:44:38	gratuitous ARPs which again is the ARP reply
0:44:42	without asking for the ARP request
0:44:44	in order to update the CAM table and in order to update
0:44:47	the ARP cache of the other routers on the segment.
0:44:50	So now let's look at a case where we are
0:44:54	tracking the links
0:44:57	that are going to the remote provider
0:45:00	where I want Router 4 to be my primary active router
0:45:06	but if the link to BB3 goes down, I want to reroute
0:45:09	the traffic over to Router 6
0:45:12	So let's say that this interface that connects to BB3
0:45:16	this is a 100 megabits per second
0:45:18	as metro Ethernet and then the frame relay is my DS3
0:45:23	backup, so I would prefer to use the higher bandwidth link
0:45:29	which is the Fast Ethernet versus the 45 Megabit
0:45:32	per second frame relay.
0:45:34	But again, the issue is that with HSRP and with VRRP
0:45:39	we can only have one active forwarder at a time.
0:45:44	To do load balancing we would have to have multiple groups on
0:45:47	the interface and assign some of the hosts to one gateway
0:45:54	and some of the hosts to alternate gateway.
0:46:01	So first let's configure Router 4 to be the active router.
0:46:05	Right now I have the standby preempt feature on
0:46:09	and I would also want to do this on Router 6
0:46:12	because Router 6 is going to be tracking the priority of Router 4
0:46:17	and if Router 4's priority is lower, six would take over the
0:46:21	active status.
0:46:26	So next on Router 4 I'm going to change for standby group 1
0:46:34	the priority and this essentially could be anything greater than a 100
0:46:38	so I'll say the maximum, 255
0:46:41	So now Router 4 should be most likely to be the active router on this segment.
0:46:47	We should see shortly that it's going to change its status to active.
0:46:52	And this is going to based on the default timers.
0:46:59	If we look at the show standby
0:47:04	Router 6 says that I'm active
0:47:09	standby router is Router 4, but notice Router 4 right now
0:47:14	it has the higher priority value.
0:47:21	If we look at Router 4 and look at the show standby
0:47:26	Router 4 says my local priority is 255
0:47:30	which is higher than Router 6's
0:47:33	but I'm not the active router right now. I'm the standby router.
0:47:39	So why would Router 4 not be elected the active router here?
0:47:44	Notice that Router 4 says that preemption is disabled.
0:47:50	So even though I did configure this on the interface, if we look at the
0:47:54	show run interface Fast Ethernet 0/1
0:47:59	you'll see that some of these options are group specific
0:48:03	where some of them are global to the process
0:48:06	like using the burned-in address that's going to affect all of the groups
0:48:09	where in the case of the preemption, that would be on a per group basis.
0:48:14	So I don't want to say standby preempt, I actually need to say
0:48:17	standby 1 preempt.
0:48:25	The result of this we can see Router 4 changes to the active
0:48:28	status. If we look at Router 6, we see it changes from active to
0:48:32	speak and now the active router is Router 4
0:48:38	Again, we would need to do this on both sides
0:48:40	say that preemption is allowed
0:48:43	so now if Router 6's priority ends up being higher than four's
0:48:47	we need to make sure that six is going to take over this
0:48:49	active status.
0:48:57	Now our next step would be to configure Router 4
0:48:58	to track the link out to BB3
0:49:02	If we look at what the current path is, let's say we go to switch 4
0:49:07	and I'm going to do a trace to 30.0.0.1
0:49:14	It says this gets to Router 4, but then this is administratively prohibited
0:49:19	that's what the capital A is based on the access list.
0:49:21	So to make this a little bit easier right now, what I'm just going to do is
0:49:24	is remove that ACL.
0:49:27	We'll see later based on the logging what are the
0:49:31	differences in transport between HSRP, VRRP and GLBP
0:49:36	so on Router 4 no ip access group 100 in
0:49:43	So again, the point of this was that if you didn't know
0:49:46	what this specific transport was, you can use the access list or
0:49:50	you could use the debug ip packet
0:49:52	to figure out what one of the protocols is using different
0:49:56	than the other one.
0:50:00	Now on Switch 4 if we look at the trace route
0:50:03	we see that the active router is Router 4
0:50:10	There's also an option at the link level that is the standby
0:50:19	redirect. It says configure the sending of icmp redirect messages
0:50:21	with an HSRP virtual address as the default gateway
0:50:25	because some of the messages that Router 4 and Router 6 are
0:50:29	replying with, they're using their primary address that's assigned
0:50:33	on the link as opposed to the virtual address.
0:50:37	So we see one of these is based on the icmp unreachable
0:50:40	where Router 4 and 6 are sending this from their primary
0:50:44	address, not the standby address.
0:50:47	In the case of unreachable, I'm not sure that we can change this
0:50:50	we might need to just disable it
0:50:53	but a redirect would be if the packet routes to Router 4
0:51:00	but then needs to go back out that same interface.
0:51:03	Normally Router 4 is going to send a redirect from its primary address
0:51:07	where this command is going to tell it to send it from the
0:51:10	virtual address.
0:51:13	So if you go through the command reference, you'll see that there's a lot of
0:51:16	minor options you can change, but again, most of them should be
0:51:19	fairly self-explanatory if you look at what the usage guidelines are.
0:51:26	So right now, the communication is working properly.
0:51:30	The traffic is forwarding to Router 1
0:51:35	then Router 1 is forwarding it to four which is the current
0:51:39	standby router or excuse me, the current active router.
0:51:43	What I want to do now is track this link status
0:51:47	and if that link goes down, I want to change the active
0:51:50	router over to Router 6
0:51:55	There's a couple different ways we could do this on Router 4
0:51:58	We could say directly at the link level standby 1 track
0:52:04	I want to track Fast Ethernet 0/0
0:52:07	and if this link goes down, I need to decrement my priority
0:52:11	by some value that is eventually going to end up to be less than
0:52:17	Router 6's priority.
0:52:20	So right now, my priority is 255, Router 6's is 100
0:52:24	The easy way to do this is simply decrement your
0:52:28	your entire priority.
0:52:30	Unless you're trying to do some complex design where there's
0:52:33	multiple interfaces that you're tracking and we want to stay
0:52:37	active if one of them is down, but not both of them
0:52:40	then you could just decrement your entire priority.
0:52:46	So now what we would see is that if the connection to
0:52:50	Router 4 goes down where specifically in this case
0:52:53	this is Fast Ethernet
0:53:02	Fast Ethernet 0/4 on switch 2
0:53:07	once this goes down, Router 4 says the link goes down which the
0:53:12	tracking state goes down
0:53:16	which ultimately means that Router 6 is going to promote
0:53:18	itself to the active state, so if we look at the change in the trace route now
0:53:24	we see now that packets are going to exit via Router 6
0:53:31	Again, that capital A means administratively prohibited
0:53:33	which means I have the ACL still applied on that link, so
0:53:40	I'm going to take this off.
0:53:51	Now the design issue that we could run into with this
0:53:54	HSRP tracking is again, just like in our IP routing designs
0:53:58	we saw before, any case where the Layer 2 link status
0:54:03	is not a good indication of the end-to-end connectivity
0:54:08	we can have certain designs where the link is up
0:54:11	but connectivity is down.
0:54:15	And this is a very typical case in metro Ethernet or DSL
0:54:20	deployments where we're going to some other Layer 1
0:54:24	or Layer 2 device in the middle of the network that is doing a
0:54:28	link level keepalive, but that doesn't actually
0:54:32	tell us whether the end-to-end status of connectivity is up.
0:54:38	So in our particular case here, Router 4's connection is
0:54:41	going to switch 2
0:54:46	but there is a different Layer 2 connection that is going to BB3
0:54:52	so this means that if we were to go back to the scenario
0:54:56	and re-enable Router 4's interface
0:54:59	we should see it's going to change itself back to the active status.
0:55:08	And now the traffic routes out via Router 4
0:55:11	but if the link to BB3 directly goes down
0:55:16	Router 4 is going to have no way to track this.
0:55:21	So the HSRP process is not getting updated.
0:55:27	There's now a couple different solutions for this.
0:55:30	One thing we could do would be to configure enhanced
0:55:34	object tracking on Router 4
0:55:37	and tie this to some sort of IP SLA instance.
0:55:40	So instead of looking at the direct line protocol
0:55:43	of the link, on Router 4 I could say ping BB3's
0:55:48	address every five seconds.
0:55:50	We'll send ICP echoes.
0:55:53	If I don't get a reply back in within a certain period of time
0:55:57	I'll declare my enhance object down which then in turn is going to
0:56:02	cause me to decrement my HSRP priority.
0:56:08	If we look at the documentation here, let's go to the IP addressing
0:56:14	services or actually IP application services
0:56:19	then under HSRP
0:56:22	this would be how object tracking affects the priority of the
0:56:25	HSRP router.
0:56:34	Or another way to do this
0:56:38	is with the bidirectional forwarding detection.
0:56:41	It says BFD peering
0:56:43	feature introduces BFD in the HSRP group member health monitoring
0:56:46	system. HSRP supports BFD as part of the group
0:56:50	monitoring system. Without BFD, HSRP runs as a process blah blah blah
0:57:00	A BFD session between the two routers can provide early
0:57:04	fail over notification for multiple HSRP groups.
0:57:07	So the key behind this is that on the actual link that is directly
0:57:13	between Router 4 and Router 6
0:57:17	we are using the HSRP timers of a three-second
0:57:24	hello and a ten-second dead interval.
0:57:31	So what this means is that if I were to go to Router 4
0:57:35	and directly shut this link down
0:57:37	Fast Ethernet 0/1
0:57:41	Router 6 is not going to detect this for about ten
0:57:45	seconds and then ultimately Router 6 is going to
0:57:50	take over the active status, but just using that normal
0:57:55	keepalive is going to be fairly slow to converge.
0:57:58	So in newer versions, HSRP supports the integration of
0:58:01	BFD where Router 4 and Router 6 on the link that is
0:58:06	running the actual HSRP process, they would use
0:58:10	the BFD keepalive instead.
0:58:14	So BFD is going to run on this link
0:58:17	that if Router 6 sees that Router 4 is down based
0:58:22	based on the bidirectional forwarding detection
0:58:25	it can then promote itself to the active status.
0:58:29	And the reason why you would want to do this
0:58:31	is then you can get sub second reconvergence
0:58:35	of the HSRP process
0:58:38	where previously the tracking is going to be based on the
0:58:41	hello interval and the dead time
0:58:43	and default convergence is going to be somewhere in the
0:58:46	order of ten seconds.
0:58:50	So there's two different types of tracking. One is going to be
0:58:53	related to the actual link that you're running the HSRP
0:58:56	process directly on, the other tracking is going to be
0:59:00	for your upstream interfaces that you want to make sure can still
0:59:05	forward the traffic.
0:59:10	So now let's look at the upstream tracking using the
0:59:13	IP SLA and the enhanced object tracking.
0:59:28	On Router 4, if we send pings to 204.12.28.254
0:59:35	we should see that right now we do have connectivity to
0:59:38	BB3, so that link is up.
0:59:41	This ultimately means that Router 4 should be active.
0:59:44	If we look at the track route, we see that the traffic is
0:59:48	leaving via Router 4
0:59:50	But now I want to prevent the case that if BB3's interface
0:59:55	goes down directly
0:59:57	I want Router 4 to be able to detect that.
1:00:01	So our first step is to configure and IP SLA instance.
1:00:05	I'll say ip sla 1
1:00:08	The monitoring type is going to use icmp echo
1:00:12	and it could be using any of these. We could look at
1:00:16	do we have connectivity to our web server?
1:00:21	Can we download a file through FTP?
1:00:24	Can we get a DNS resolution response?
1:00:27	So there's a lot of different application level trackings that
1:00:29	you can look at.
1:00:34	Specifically I want to ping BB3's address.
1:00:39	I'm going to send this every five seconds
1:00:43	with a timeout of two seconds.
1:00:48	So then of course depending on how you change these timers
1:00:51	that's going to affect what the convergence is of the SLA.
1:00:58	Next I need to tie the SLA to an enhanced object
1:01:01	which is with the track command.
1:01:04	I'll say this is object number two
1:01:06	that is calling the IP SLA instance number one.
1:01:15	I could configure a delay
1:01:19	for when the object goes down. I could say wait until the SLA
1:01:23	instance reports down for at least 20 seconds
1:01:27	before declaring down
1:01:30	then likewise on the other side, I could say once the SLA
1:01:32	instance comes back, I want to make sure that it's stable for
1:01:35	10 seconds before I change over.
1:01:38	But in this particular case, I'll just leave the defaults.
1:01:41	Now what I'm going to change on the link level
1:01:44	is that I'm no longer tracking the Fast Ethernet directly.
1:01:50	Instead I'm going to track the object number two
1:01:55	and I want to decrement my priority be 255
1:02:00	if that object reports down.
1:02:05	Right now the object should be reporting up if we look at the
1:02:07	show track 2
1:02:17	and right now it says the state is down because why?
1:02:22	Latest operation return code is unknown.
1:02:28	What step did I miss here?
1:02:42	I have the tracked object calling the SLA
1:02:48	The SLA is saying ping BB3 every five seconds.
1:02:55	I didn't actually start it though.
1:02:57	So I need to schedule the SLA instance.
1:02:59	We'll say ip sla 1 schedule
1:03:03	or ip sla schedule 1
1:03:07	I want to start now and I want this to have a life
1:03:12	of forever.
1:03:19	Or start now, life is forever
1:03:25	You can change this scheduling if you were to say start after
1:03:31	some time interval. This would be useful during your initial boot up.
1:03:36	So when the router reloads, you may want to wait five
1:03:39	minutes or so for the network to converge before you start
1:03:41	running the SLA.
1:03:45	But in this case, I'm just going to run it continuously. We can see that
1:03:48	this is working now because the HSRP group changed to the
1:03:52	active status from standby.
1:03:56	If we look at the change
1:03:58	in the show track
1:04:02	and the show standby
1:04:05	it now says that since tracked object number two
1:04:09	is up, my priority is 255
1:04:14	Final result of this is that switch 4 is going to use Router 4 as the exit point.
1:04:22	But if the link to BB3 goes down which we can simulate by
1:04:26	shutting down Fast Ethernet 0/24 on switch 3
1:04:31	The object should detect this.
1:04:34	Now the object is down
1:04:36	which means that we removed ourselves from the active status
1:04:41	and now Router 6 takes over.
1:05:04	We should see that then shortly
1:05:10	this is going to reconverge to Router 6
1:05:14	Router 6 is saying -- actually that's the wrong address I'm
1:05:16	I'm testing. I want to trace 112.0.0.1
1:05:22	Now this is going out to Router 6
1:05:31	So typically in a real design in today's networks, you would
1:05:35	normally want to call the SLA instance for the tracking
1:05:38	because a lot of times the line protocol status of the link
1:05:41	is not good indication whether you actually have connectivity.
1:05:46	The only case that you would want to use the line protocol
1:05:49	is that if you had a point-to-point link.
1:05:51	So if you were using packet over sonet to connect to the
1:05:55	service provider or a point-to-point T1, point-to-point DS3
1:05:59	where the line protocol of your local side is a good
1:06:03	indication of the line protocol on the other side
1:06:06	then that would be valid.
1:06:09	But there are even certain cases with those protocols
1:06:11	where line protocol is not a good indication
1:06:15	where you're going to some external CSU DSU that's
1:06:18	providing the clocking or there's some sort of like Layer 1 add drop
1:06:24	multiplexer for sonet that is giving you the Layer 1 keepalive
1:06:28	for your PLS link.
1:06:32	So the IP SLA since it's adding the application level intelligence
1:06:35	to the tracking, this is a better indication of whether
1:06:39	actual end-to-end connectivity is working on the link.
1:06:43	Now we'll see a little bit later when we get into the EEM
1:06:46	in the Embedded Event Manager, you can use EEM scripting to
1:06:50	tie it to the IP SLA to give you a notification of
1:06:54	these type of events.
1:06:55	So let's say in this particular topology I want to know
1:06:59	if Router 4's link to BB3 goes down.
1:07:02	I could configure the EEM to additionally track object
1:07:06	number two and when it changes its state to down
1:07:10	I could tell the router to send me an e-mail.
1:07:13	Or I could script it to hit some web page that's going to send me a
1:07:16	text message on my phone.
1:07:19	So there's a lot of different flexibility as what you can
1:07:21	do with the management of EEM. Most of it is going to be outside
1:07:25	of our scope because it's more of a programming issue
1:07:28	for the scripting with the EEM applets and then the TCL for the
1:07:32	EEM scripts, so you do want to be aware of the basic
1:07:36	stuff that you can get from the configuration guide
1:07:40	but from a real world perspective, most of this you're going to research
1:07:43	offline. Test out the scripting before you actually implement
1:07:46	it in your production network.

Now Viewing

CCIE R&S Advanced Technologies Class v4.5
Title:	CCIE R&S Advanced Technologies Class v4.5
Duration:	81h 42m
The CCIE Routing & Switching Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Routing & Switching lab will be described in detail using an instructor led hands on demonstration. The class consists of over 80 hours of in depth explanations and examples.
Get instant access to our entire library!
	Sign Up
Download this Course
$299.00	Add to Cart

IP Services Overview, HSRP

Create Bookmark