Wednesday, December 23, 2009

Layer 3 Redundancy

Specifying a default gateway leads to a single point of failure. Proxy Address Resolution Protocol (ARP) is one method for hosts to dynamically discover gateways, but it has issues in a highly-available environment. With Proxy ARP:
  • Hosts ARP for all destinations, even remote.
  • Router responds with its MAC.
  • Problem: Slow failover because ARP entries take minutes to timeout.
Instead of making the host responsible for choosing a new gateway, Layer 3 redundancy protocols allow two or more routers to support a shared MAC address. If the primary router is lost, the backup router assumes control of traffic forwarded to that MAC. This section refers to routers, but includes those Layer 3 switches that can also implement Layer 3 redundancy.


Hot Standby Router Protocol (HSRP)

HSRP is a Cisco proprietary protocol.

With HSRP, two or more devices support a virtual router with a fictitious MAC address and unique IP address. Hosts use this IP address as their default gateway, and the MAC address for the Layer 2 header. The virtual router’s MAC address is 0000.0c07.ACxx, where xx is the HSRP group. Multiple groups (virtual routers) are allowed.

The Active router forwards traffic. The Standby is backup. The standby monitors periodic hellos (multicast to 224.0.0.2, UDP port 1985) to detect a failure of the active router. On failure, the standby device starts answering messages sent to the IP and MAC addresses of the virtual router.

The active router is chosen because it has the highest HSRP priority (the default priority is 100). In case of a tie, the router with the highest configured IP address wins the election. A new router with a higher priority does not cause an election unless it is configured to preempt, that is, to take over from a lower-priority router. Configuring a router to preempt also ensures that the highest-priority router regains its active status if it goes down but then comes back online again.

Interface tracking reduces the active router’s priority if a specified circuit is down. This allows the standby router to take over even though the active router is still up.


HSRP States

HSRP devices move between these states:
  • Initial—HSRP is not running.
  • Learn—The router does not know the virtual IP address and is waiting to hear from the active router.
  • Listen—The router knows the IP and MAC of the virtual router, but it is not the active or standby router.
  • Speak—Router sends periodic HSRP hellos and participates in the election of the active router.
  • Standby—Router monitors hellos from active router and assumes responsibility if active router fails.
  • Active—Router forwards packets on behalf of the virtual router.

Configuring HSRP

To begin configuring HSRP, use the standby group-number ip virtual-IP-address command in interface configuration mode. Routers in the same HSRP group must belong to the same subnet/virtual LAN (VLAN). Give this command under the interface connecting to that subnet or VLAN. For instance, use the following to configure the router as a member of HSRP group 39 with virtual router IP address 10.0.0.1:


Tune HSRP with four options: Priority, Preempt, Timers, and Interface Tracking.

Manually select the active router by configuring its priority higher than the default of 100:

Along with configuring priority, configure preempt to allow a router to take over if the active router has a lower priority, as shown in the following commands. This makes the data path through the network predictable. The second command shown delays preemption until the router or switch has fully booted and the routing protocol has converged. Time how long it takes to boot and add 50 percent to get the delay value in seconds:


Speed convergence by changing the hello and hold timers. The following sets the hello interval to 2 seconds and the hold time to 7 seconds. They can be set between 1–255 seconds (the default hello is 3 seconds and hold time is 10 seconds):

Tracking an interface can trigger an election if the active router is still up, but a critical interface (such as the one to the Internet) is down. In the following, if serial 1/0/0 is down, the router’s HSRP priority is decremented by 100:

Multiple HSRP standby groups can be configured, and the same router can be active for some groups and standby for others by adjusting priorities. You can have a maximum of 255 groups. When using Layer 3 switches, configure the same switch as the primary HSRP router and the Spanning Tree root.
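As an added example (not from the original post), the following puts the priority, preempt, timer and tracking options above together on two Layer 3 switches that share two HSRP groups, each switch active for one group and standby for the other, with the Spanning Tree root aligned to the active switch as recommended. The VLAN numbers, addresses, priority of 110 and 90-second preempt delay (a 60-second boot plus 50 percent) are assumed values.

```cisco
! ===== Switch A: active for group 10, standby for group 20 =====
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
 standby 10 ip 10.0.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 90
 standby 10 timers 2 7
 ! If Serial1/0/0 goes down, priority drops 110 - 100 = 10,
 ! below Switch B's default 100, so B preempts and takes over.
 standby 10 track Serial1/0/0 100
!
interface Vlan20
 ip address 10.0.20.2 255.255.255.0
 standby 20 ip 10.0.20.1
 ! Priority left at the default 100: Switch B (110) wins group 20.
 ! Preempt is still needed here so A can take over if B's priority drops.
 standby 20 preempt delay minimum 90
 standby 20 timers 2 7
!
spanning-tree vlan 10 root primary
!
! ===== Switch B: standby for group 10, active for group 20 =====
interface Vlan10
 ip address 10.0.10.3 255.255.255.0
 standby 10 ip 10.0.10.1
 standby 10 preempt delay minimum 90
 standby 10 timers 2 7
!
interface Vlan20
 ip address 10.0.20.3 255.255.255.0
 standby 20 ip 10.0.20.1
 standby 20 priority 110
 standby 20 preempt delay minimum 90
 standby 20 timers 2 7
 standby 20 track Serial1/0/0 100
!
spanning-tree vlan 20 root primary
```

Hello and hold timers must match on both switches, and the standby must have preempt configured or a tracking-induced priority drop on the active will not cause a failover; confirm the resulting roles with show standby brief.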

To view the HSRP status, use the show standby interface interface command, or show standby brief. To monitor HSRP activity, use the debug standby command.

Wednesday, December 2, 2009

Multilayer Switching

Multilayer Switching (MLS) is a switch feature that allows the switch to route traffic between VLANs and routed interfaces in a highly optimized and efficient manner. Cisco Express Forwarding (CEF) is an example technology used to facilitate MLS (see Figure 4-1). Cisco Express Forwarding (CEF) does the following:
  • Separates control plane hardware from data plane hardware.
  • The control plane runs in software and builds the FIB and adjacency table.
  • The data plane uses hardware to forward most IP unicast traffic.
  • Traffic that must be forwarded in software (much slower) includes:
—Packets originating from the device.
—Packets with IP header options.
—Tunneled traffic.
—802.3 (IPX) frames.
—Load sharing traffic.
  • The FIB is an optimized routing table, stored in TCAM.
  • Builds adjacencies from ARP data.
  • Eliminates recursive loops.


ARP Throttling

ARP throttling is a tool to limit ARPs into a VLAN. ARP requests, you may recall, are sent as broadcasts. Once an ARP has been sent for a given IP, the switch prevents repeated ARPs for a short period of time:
  • The first packet to a destination is forwarded to the Route Processor.
  • Subsequent traffic is dropped until the MAC is resolved.
  • This prevents overwhelming the Route Processor (RP) with redundant ARP requests.
  • It helps during Denial of Service attacks.
  • The throttle is removed when the MAC is resolved or after two seconds.

Configuring and Troubleshooting CEF

By default, CEF is on and supports per-destination load sharing. To disable CEF:
  • 4500—Use (config)#no ip cef.
  • 3500/3700—On each interface, use (config)#no ip route-cache cef.
  • 6550 with policy feature card, distributed FC, and multilayer switch FC—cannot be disabled.

View CEF information with the following:

#show interface fastethernet 2/2 | begin L3

View switching statistics with the following:

#show interface fastethernet 2/2 | include switched

View the FIB with the following:

#show ip cef

View a detailed CEF FIB entry with the following:

#show ip cef fastethernet 2/2 10.0.0.1 detail

Troubleshoot CEF drops with the following:

#debug ip cef drops

Troubleshoot packets not forwarded by CEF with the following:

#debug ip cef receive

Troubleshoot CEF events with the following:

#debug ip cef events