Wednesday, October 27, 2010

Configuring VoIP Support on a Switch

Manual Configuration

To associate a voice VLAN with a switch port, use the following:

Switch(config-if)#switchport voice vlan vlan-ID


To configure an IOS switch to trust the markings on traffic entering an interface, use the following:

Switch(config-if)#mls qos trust {dscp | cos}


To configure the switch to trust the traffic markings only if a Cisco
phone is connected, use the following:

Switch(config-if)#mls qos trust device cisco-phone


To set a COS value for frames coming from a PC attached to the
phone, use the following:

Switch(config-if)#switchport priority extend cos cos-value


To verify the interface parameters, use the following:

Switch(config-if)#show interfaces interface switchport


To verify the QoS parameters on an interface, use the following:

Switch(config-if)#show mls qos interface interface


Using AutoQoS

When AutoQoS is enabled, the switch configures its interfaces based on a best-practices template. AutoQoS has the following benefits:
  • Automatic discovery and classification of network applications.
  • Creates QoS policies for those applications.
  • Configures the switch to support Cisco IP phones as well as network applications. Manual configuration can be done afterward, also.
  • Sets up SNMP traps for network reporting.
  • Configures consistently across your network when used on all routers and switches.

CDP must be enabled for AutoQoS to function properly with Cisco IP phones.

AutoQoS commands for switches running the Catalyst OS are listed in Table 7-2.


AutoQoS commands for switches running Native IOS are shown in Table 7-3.

Wednesday, June 9, 2010

QoS for VoIP

QoS gives special treatment to certain traffic at the expense of others. Using QoS in the network has several advantages:
  • Prioritizes access to resources, so that critical traffic can be served.
  • Allows good management of network resources.
  • Allows service to be tailored to network needs.
  • Allows mission-critical applications to share the network with other data.

People sometimes think that there is no need for QoS strategies in a LAN. However, switch ports can experience congestion because of port speed mismatches, many people trying to access the switch backbone, and many people trying to send traffic to the same switch port (such as a server port).


QoS Actions

Three QoS strategies are commonly implemented on interfaces where traffic enters the switch:
  • Classification—Distinguishing one type of traffic from another. After traffic is classified, other actions can be performed on it. Some classification methods include access lists, ingress interface, and NBAR.
  • Marking—At layer 2, placing 802.1p class of service (CoS) value within the 802.1Q tag. At layer 3, setting IP Precedence or Differentiated Services Code Point (DSCP) values on the classified traffic.
  • Policing—Determining whether or not a specific type of traffic is within preset bandwidth levels. If so, it is usually allowed and might be marked. If not, the traffic is typically marked or dropped. CAR and class-based policing are examples of policing techniques.

Other QoS techniques are typically used on outbound interfaces:
  • Traffic shaping and conditioning—Attempts to send traffic out in a steady stream at a specified rate. Buffers traffic that goes above that rate and sends it when there is less traffic on the line.
  • Queuing—After traffic is classified and marked, one way it can be given special treatment is to be put into different queues on the interface to be sent out at different rates and times. Some examples include priority queuing, weighted fair queuing, and custom queuing. The default queuing method for a switch port is FIFO.
  • Dropping—Normally interface queues accept packets until they are full and then drop everything after that. You can implement prioritized dropping, so that less important packets are dropped before more important ones—such as with Weighted Random Early Detection (WRED).

DSCP Values

Differentiated services provide levels of service based on the value of certain bits in the IP or ISL header or the 802.1Q tag. Each hop along the way must be configured to treat the marked traffic the way you want—this is called per-hop behavior (PHB).

In the Layer 3 IP header, you use the 8-bit ToS field. You can set either IP Precedence using the top 3 bits or Differentiated Services Code Points (DSCP) using the top 6 bits of the field. The bottom 2 bits are set aside for congestion notification. The default DSCP value is zero, which corresponds to best-effort delivery.

The six DSCP bits can be broken down into two sections: The first 3 bits define the DiffServ Assured Forwarding (AF) class, and the next 2 bits define the drop probability within that class. The sixth bit is 0 and unused. AF classes 1–4 are defined, and within each class, 1 is low drop probability, 2 is medium, and 3 is high (meaning that traffic is more likely to get dropped if there is congestion). These are shown in Table 7-1. Each hop still needs to be configured for how to treat each AF class.



Voice bearer traffic uses an Expedited Forwarding value of DSCP 46 to give it higher priority within the network.
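The bit layout described above (DSCP in the top 6 bits of the ToS byte, the AF class in the top 3 of those and the drop precedence in the next 2) is easy to get wrong by hand, so here is an added example, not part of the original notes, that decodes and encodes the markings. The EF value 46 and the AF classes come from the text; the ECN handling and the CS (class selector) naming are standard DiffServ conventions added here.

```python
"""Decode and encode DiffServ markings in the IPv4 ToS byte.

Added example (not from the original notes). Layout, as the notes state:
DSCP is the upper 6 bits of the ToS byte and the bottom 2 bits are for
congestion notification (ECN). Inside an AF code point the top 3 bits are
the class and the next 2 bits the drop precedence; the last bit is 0.
"""

EF = 46          # Expedited Forwarding, the voice bearer marking (101110)
ECN_MASK = 0b11


def dscp_from_tos(tos: int) -> int:
    """DSCP is the upper 6 bits of the 8-bit ToS field."""
    return (tos & 0xFF) >> 2


def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Rebuild a ToS byte from a DSCP value; ECN defaults to not-ECT (00)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must fit in 6 bits")
    return (dscp << 2) | (ecn & ECN_MASK)


def ip_precedence(dscp: int) -> int:
    """IP Precedence is the top 3 bits of the ToS byte, i.e. DSCP >> 3,
    which is why a DSCP-unaware hop still sees a usable precedence."""
    return dscp >> 3


def af_codepoint(af_class: int, drop: int) -> int:
    """Encode AFxy: class x in bits 5-3, drop precedence y in bits 2-1, bit 0 = 0."""
    if not 1 <= af_class <= 4 or not 1 <= drop <= 3:
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (af_class << 3) | (drop << 1)


def af_table() -> dict:
    """The AF class / drop precedence matrix (what the notes call Table 7-1)."""
    return {f"AF{c}{d}": af_codepoint(c, d) for c in range(1, 5) for d in range(1, 4)}


def describe(dscp: int) -> str:
    """Name a DSCP value: EF, AFxy, CSx (class selector, drop bits 00),
    the best-effort default, or the raw number if it matches none of those."""
    if dscp == EF:
        return "EF"
    cls, drop, low_bit = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if low_bit == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    if drop == 0 and low_bit == 0:
        return f"CS{cls}" if cls else "default (best effort)"
    return f"DSCP {dscp}"


if __name__ == "__main__":
    # A voice packet arrives with ToS 0xB8: that is DSCP 46 = EF, precedence 5.
    tos = 0xB8
    print(tos, "->", describe(dscp_from_tos(tos)), "precedence", ip_precedence(dscp_from_tos(tos)))
    for name, value in af_table().items():
        print(name, value, format(value, "06b"))
```

Running the block prints the AF matrix so you can compare a value seen in a capture against the name the trust-boundary policy expects; `describe()` is also handy when checking whether an upstream device is actually sending EF for voice bearer traffic or only a class selector.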


Trust Boundaries

When IP traffic comes in already marked, the switch has some options about how to handle it. It can:
  • Trust the DSCP value in the incoming packet, if present.
  • Trust the IP Precedence value in the incoming packet, if present.
  • Trust the CoS value in the incoming frame, if present.
  • Classify the traffic based on an IP access control list or a MAC

Mark traffic for QoS as close to the source as possible. If the source is an IP telephone, it can mark its own traffic. If not, the building access module switch can do the marking. If those are not under your control, you might need to mark at the distribution layer. Classifying and marking slows traffic flow, so do not do it at the core. All devices along the path should then be configured to trust the marking and provide a level of service based on it. The place where trusted marking is done is called the trust boundary.

Thursday, May 6, 2010

VoIP in a Campus Network

Many companies are integrating Voice over IP (VoIP) into their networks. Figure 7-1 shows some components of a VoIP system, which can include the following:
  • IP phones—Provide voice and applications to the user.
  • Voice gateways—Translate between PSTN and IP calls and provide backup to the Cisco CallManager (IP PBX, or Call Agent).
  • Gatekeepers—An optional component that can do call admission control, allocate bandwidth for calls, and resolve phone numbers into IP addresses.
  • Cisco CallManager—Serves as an IP PBX. Registers phones, controls calls.
  • Video conferencing unit—Allows voice and video in the same phone call.
  • Multipoint control unit—Allows multiple participants to join an audio and/or video conference call.
  • Application server—Provides services such as Unity voice mail.


Voice and data have different network requirements. Although TCP data adjusts to dropped packets, packet loss is one of the biggest enemies of voice transmissions and is often caused by jitter and congestion. Jitter (variable delay) causes buffer over- and under-runs. Congestion at the interface can be caused by traffic from a fast port being switched to exit out a slower port, which causes the transmit buffer to be overrun.

VoIP traffic consists of two types: voice bearer and call control signaling. Voice bearer traffic is carried over the UDP-based Real Time Protocol (RTP). Call control uses one of several different protocols to communicate between the phone and CallManager and between the CallManager and the voice gateways.


Preparing the Network for VoIP

When adding voice or video to an existing network, you should examine several things in advance to provide the high level of availability users expect in their phone system:

  • What features are needed?—Power for IP phones, voice VLANs on the switches, network redundancy for high availability, security for voice calls, and Quality of Service (QoS) settings.
  • The physical plant—Cabling at least CAT-5.
  • Electrical power for the IP phones—Use either inline power from Catalyst switch or power patch panel. Need uninterruptible power supply (UPS) with auto-restart, monitoring, and 4-hour response contract. May need generator backup. Maintain correct operating temperatures.
  • Bandwidth—Commit no more than 75 percent of bandwidth. Consider all types of traffic—voice, video, and data. Have more than enough bandwidth if possible. Include both voice and call-control traffic in your planning.
  • Network management—Need to monitor and proactively manage the network so that it does not go down.

Network and Bandwidth Considerations

The network requirements for VoIP include:
  • Maximum delay of 150–200 ms (one-way)
  • No more than 1 percent packet loss
  • Maximum average jitter of 30 ms
  • Bandwidth of 21–106 kbps per call, plus about 150 bps per phone for control traffic
A formula to use when calculating bandwidth needed for voice calls is as follows:

(Packet payload + all headers) * Packet rate per second
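An added worked example of that formula, not from the original notes: it computes per-call bandwidth as (payload + all headers) * packet rate for the common G.711 and G.729 codecs and then applies the 75 percent commitment rule and the 150 bps per-phone control allowance from the notes to size a link. The codec bitrates and 20 ms packetization, the IP/UDP/RTP header sizes and the Layer 2 overheads are standard figures; the link speeds in the sample run are constructed.

```python
"""Per-call VoIP bandwidth: (payload + all headers) * packets per second.

Added example, not from the original notes. Codec figures are the standard
G.711 (64 kbps) and G.729 (8 kbps) sources packetized every 20 ms; header
sizes are IP(20) + UDP(8) + RTP(12) plus a Layer 2 overhead chosen per link.
"""

IP_UDP_RTP_HEADERS = 20 + 8 + 12     # bytes, one direction, no header compression
L2_OVERHEAD = {                      # bytes per frame
    "ethernet": 18,                  # 14-byte header + 4-byte FCS
    "dot1q": 22,                     # Ethernet plus the 4-byte 802.1Q tag used on a voice VLAN
    "ppp": 6,
}
# codec name -> (source bitrate in bps, packetization interval in seconds)
CODECS = {
    "g711": (64_000, 0.020),
    "g729": (8_000, 0.020),
}


def payload_bytes(codec: str) -> int:
    """Voice bytes carried per packet: bitrate * interval / 8."""
    rate, interval = CODECS[codec]
    return int(rate * interval / 8)


def packets_per_second(codec: str) -> int:
    """One packet per packetization interval (20 ms -> 50 pps)."""
    return int(round(1 / CODECS[codec][1]))


def call_bandwidth_bps(codec: str, link: str = "ethernet") -> int:
    """The notes' formula: (payload + all headers) in bits times packet rate."""
    frame_bytes = payload_bytes(codec) + IP_UDP_RTP_HEADERS + L2_OVERHEAD[link]
    return frame_bytes * 8 * packets_per_second(codec)


def max_calls(link_bps: int, codec: str, link: str = "ethernet",
              commit_ratio: float = 0.75, control_bps_per_phone: int = 150) -> int:
    """Calls that fit when committing no more than commit_ratio of the link.

    Each call is charged its bearer bandwidth plus the per-phone control
    allowance the notes quote (150 bps)."""
    budget = link_bps * commit_ratio
    per_call = call_bandwidth_bps(codec, link) + control_bps_per_phone
    return int(budget // per_call)


if __name__ == "__main__":
    for codec in CODECS:
        for link in L2_OVERHEAD:
            print(f"{codec} over {link}: {call_bandwidth_bps(codec, link) / 1000:.1f} kbps per call")
    # Constructed link sizes: a T1 serial link and a 10 Mbps Ethernet access port.
    print("G.729 calls on a 1.544 Mbps PPP link:", max_calls(1_544_000, "g729", "ppp"))
    print("G.711 calls on a 10 Mbps Ethernet link:", max_calls(10_000_000, "g711"))
```

The results (about 31 kbps for G.729 and 87 kbps for G.711 on Ethernet) fall inside the 21–106 kbps range the notes give; the spread in that range comes almost entirely from the Layer 2 encapsulation and whether RTP header compression is in use.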


Auxiliary (or Voice) VLANs

Cisco switches can be configured to dynamically place IP telephones into a VLAN separate from the data VLANs. They can do this even when the phone and PC are physically connected to the same switch port. This is called an auxiliary VLAN or a voice VLAN. Voice VLANs allow phones to be dynamically placed in a separate IP subnet from hosts, allow QoS (using 802.1Q/p headers) and security policies to be applied, and make troubleshooting easier.

Monday, March 15, 2010

Wireless LAN Antennas

Several concepts are important in understanding wireless antennas:
  • Gain—The energy an antenna adds to the RF signal.
  • Directionality—How the radio coverage is distributed.
  • Polarization—The physical orientation of the RF element. Cisco Aironet antennas use vertical polarization.
  • Multipath Distortion—Receiving both direct and reflected signals arriving from different directions.
  • Effective Isotropic Radiated Power (EIRP)—The AP radio’s effective transmission power. Includes gain from the antenna and loss from the antenna’s cable.

Gain
Cisco measures gain in dBi, which stands for decibel isotropic and is a measure of decibels relative to an isotropic source in free space. A decibel is the ratio between two signal levels. An isotropic antenna is a theoretical one in which the signal spreads out evenly in all directions from one point. Thus, dBi is the ratio of an antenna’s signal to that of an isotropic antenna.

Directionality

Omnidirectional antennas have signals that theoretically extend in all directions, both vertically and horizontally. When gain is increased, the signal expands horizontally but decreases vertically. One omnidirectional example is the dipole “Rubber Duck” antenna.

Directional antennas aim their signal in a specific direction. Signals can spread fairly wide in one direction or can be narrowly focused. Some examples include the Diversity Patch Wall Mount Antenna, Yagi, and dish antennas.

Multipath Distortion

Because radio waves are transmitted in many directions, not all go in a straight line to every client’s antenna. Some bounce off walls or other objects and arrive at the client in varying intervals. Thus, the client receives several copies of the same RF signal, which can cause degraded data quality. This is multipath distortion, or multipath interference. Diversity systems try to minimize this by using two antennas; you might try moving antennas or changing the frequency if this is a problem in your facility. OFDM uses multiple frequencies operating together to increase performance in multipath situations.


EIRP

EIRP is the actual power of the signal that comes from the antenna, measured in Decibel Milliwatts (dBm). (0 dBm equals 1 milliwatt of power.) EIRP is calculated by taking the transmitter power, subtracting the amount of signal lost traversing the cable between the transmitter and antenna, and adding the antenna’s gain. This can be expressed:

EIRP = (power – cable loss) + antenna gain.

Different countries have different rules about the amount of EIRP allowed. For instance, the maximum in the United States is 36 dBm. To minimize signal loss, use the shortest low-loss cable possible. Wider cables conserve more signal but are also more expensive.
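An added example, not part of the original notes, that carries the EIRP formula through in code: it converts between milliwatts and dBm (0 dBm = 1 mW), applies EIRP = (power – cable loss) + antenna gain, checks the result against the 36 dBm United States limit quoted above, and solves for the highest transmitter setting that still respects that limit. The transmitter power, cable figures and antenna gains in the sample run are constructed.

```python
"""EIRP = (transmit power - cable loss) + antenna gain, in dBm.

Added example, not part of the original notes. The regulatory limit defaults
to the 36 dBm United States figure from the notes; the sample transmitter,
cable and antenna values are constructed.
"""
import math


def mw_to_dbm(milliwatts: float) -> float:
    """0 dBm is 1 mW, so dBm = 10 * log10(mW)."""
    if milliwatts <= 0:
        raise ValueError("power must be positive")
    return 10 * math.log10(milliwatts)


def dbm_to_mw(dbm: float) -> float:
    return 10 ** (dbm / 10)


def cable_loss_db(length_m: float, loss_db_per_100m: float) -> float:
    """Cable loss grows with length; the per-100 m figure comes from the cable datasheet.
    A thicker (lower-loss) cable has a smaller per-100 m number."""
    return length_m * loss_db_per_100m / 100


def eirp_dbm(tx_power_dbm: float, loss_db: float, antenna_gain_dbi: float) -> float:
    """Everything is already in log units (dBm, dB, dBi), so the formula is plain arithmetic."""
    return (tx_power_dbm - loss_db) + antenna_gain_dbi


def within_limit(eirp: float, limit_dbm: float = 36.0) -> bool:
    return eirp <= limit_dbm


def max_tx_power_dbm(loss_db: float, antenna_gain_dbi: float, limit_dbm: float = 36.0) -> float:
    """Highest transmitter setting that keeps EIRP at or under the limit."""
    return limit_dbm + loss_db - antenna_gain_dbi


if __name__ == "__main__":
    tx = mw_to_dbm(100)                    # constructed: a 100 mW radio = 20 dBm
    loss = cable_loss_db(10, 20)           # constructed: 10 m of cable rated 20 dB per 100 m
    for gain in (2.2, 13.5, 21.0):         # constructed: dipole, patch, dish gains in dBi
        e = eirp_dbm(tx, loss, gain)
        verdict = "ok" if within_limit(e) else f"over limit, cap tx at {max_tx_power_dbm(loss, gain):.1f} dBm"
        print(f"gain {gain} dBi -> EIRP {e:.1f} dBm ({dbm_to_mw(e):.0f} mW): {verdict}")
```

The last line of the sample run shows the practical use: with a high-gain dish the radio must be turned down, and `max_tx_power_dbm()` gives the setting to configure rather than leaving it to trial and error.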


Power over Ethernet (PoE) Switches

Access points can receive their power over Ethernet cables from Power over Ethernet (PoE) switches, routers with PoE switch modules, or midspan power injectors, thus alleviating the need for electrical outlets near them. APs require up to 15W of power, so plan your power budget accordingly. Two power standards are the Cisco Prestandard PoE and the IEEE’s 802.3af standard. Both have a method for sensing that a powered device is connected to the port. 802.3af specifies a method for determining the amount of power needed by the device. Cisco devices, when connected to Cisco switches, can additionally use CDP to send that information. Power can be supplied over the data pairs—1, 2, 3, and 6—or over the unused pairs of 4, 5, 7, and 8.

Cisco PoE switches are configured by default to automatically detect and provide power. To disable this function, or to re-enable it, use the interface command power inline {never | auto}. To view interfaces and the power allotted to each, use show power inline [interface].


Configuring Wireless LAN Devices

Autonomous APs must be configured individually, while the WLC provides configuration to lightweight APs. WLAN clients must also be configured; this process varies depending on the client software used.

Configuring Autonomous Access Points

Autonomous APs can be configured in one of three ways:
  • IOS Command Line—Either via Telnet or the console port.
  • Web browser—This is the Cisco preferred way.
  • CiscoWorks WLSE—For centralized configuration control.

The AP must already have an IP address to use any of these except the console port. It attempts to obtain one via DHCP by default. This link has directions and screen shots for both the command line and web browser configuration:

http://www.cisco.com/en/US/products/ps6087/products_installation_and_configuration_guides_list.html.

Aironet 1100, 1200, and 1300 series APs perform various functions:
  • Wireless AP
  • Root bridge
  • Nonroot bridge
  • Repeater
  • Scanner
  • Workgroup bridge

Configuring a WLAN Controller

Cisco lightweight APs receive their configuration from the Wireless LAN Controller, which must be configured first. Initial configuration of the lightweight WLC can be done via command line using the console port or via web browser using the service port. Subsequent configuration can be done via:
  • IOS Command Line—Either by Telnet, SSH, or the console port.
  • Web browser—Using the WLC’s IP address and Internet Explorer.
  • Cisco Wireless Control System—For centralized configuration control.

You need to configure the WLC with information such as VLANs, SSIDs, and security policies. It downloads a configuration to its associated APs, and you can also configure, monitor, or reset individual APs through the web browser of the WLC. Review the material at this link for screen shots and WLC configuration information:
http://www.cisco.com/en/US/products/ps6366/products_configuration_guide_book09186a00806b0077.html.

WLCs use several different types of physical and logical interfaces that are described in Table 6-2.

Wednesday, February 24, 2010

Cisco Wireless Network Components

This section is mainly concerned with Cisco products and is quite marketing oriented. Cisco supports two types of wireless solutions: one using autonomous access points, and one using lightweight (or “dumb”) access points in combination with WLAN controllers. The wired network infrastructure is the same for both types: switches and routers.


Cisco Unified Wireless Network

The Cisco Unified Wireless Network concept has five components that work together to create a complete network, from client devices to network infrastructure, to network applications. Cisco has equipment appropriate to each component. Table 6-1 lists components and equipment.


Cisco has a wireless NIC that can be installed on Windows 2000 and Windows XP systems. It comes with some utilities: Aironet Desktop Utility (ADU), Aironet Client Monitor (ACM), and Aironet Client Administration Utility (ACAU). Cisco recommends using the ADU and ACM utilities to control your wireless card, rather than the built-in Windows controls to get the increased functionality Cisco provides. The Cisco ACAU allows loading and configuration of the Cisco client software over the network, using encrypted files. There is also an Aironet Site Survey Utility to scan for APs and get information about them.

Cisco wireless IP phones have the same features as Cisco wired IP phones and can use LEAP for authentication.

The Cisco Compatible Extensions Program tests other vendors’ devices for compatibility with Cisco wireless products. Using products certified by this program ensures full functionality of Cisco enhancements and proprietary extensions. A list of these products can be found at www.cisco.com/go/ciscocompatible/wireless.


Autonomous APs

Autonomous APs run Cisco IOS, are programmed individually, and act independently. They can be centrally managed with the CiscoWorks Wireless LAN Solution Engine (WLSE) and can use Cisco Secure Access Control Server (ACS) for RADIUS and TACACS+ authentication. Redundancy consists of multiple APs.


Lightweight Access Points

Lightweight APs divide the 802.11 processing between the AP and a Cisco Wireless LAN Controller (WLC). This is sometimes called “split MAC,” because they split the functions of the MAC layer—Layer 2. Their management components also include the Wireless Control System (WCS) and a location-tracking appliance. Redundancy consists of multiple WLCs. The AP handles real-time processes, and the WLC handles processes such as:
  • Authentication
  • Client association/mobility management
  • Security management
  • QoS policies
  • VLAN tagging
  • Forwarding of user traffic

The Lightweight Access Point Protocol (LWAPP) supports the split MAC function in traffic between a lightweight AP and its controller. LWAPP uses AES-encrypted control messages and encapsulates, but does not encrypt, data traffic. LWAPP operates at Layer 2, and also at Layer 3 over UDP. (However, Layer 2 operation has been deprecated by Cisco.) For Layer 3 operation, the controller can be either in the same broadcast domain and IP subnet as the AP or in a different broadcast domain and IP subnet. The AP follows this process to discover its controller:

Step 1. The AP requests a DHCP address. The DHCP response includes the management IP address of one or more WLCs.

Step 2. The AP sends an LWAPP Discovery Request message to each WLC.

Step 3. The WLCs respond with an LWAPP Discovery Response that includes the number of APs currently associated to it.

Step 4. The AP sends a Join Request to the WLC with the fewest APs associated to it.

Step 5. The WLC responds with a Join Response message, the AP and the controller mutually authenticate each other and derive encryption keys to be used with future control messages. The WLC then configures the AP with settings, such as SSIDs, channels, security settings, and 802.11 parameters.

The Cisco Aironet 2000 series WLC can handle up to six APs; thus, it is sized for small- to medium-sized operations.

The Cisco Aironet 4400 series WLC supports medium to large facilities with the 4402 handling up to 50 APs, and the 4404 handling up to 100 APs.

Tuesday, February 9, 2010

WLAN Standards

WLANs use three unlicensed frequency bands: 900 MHz, 2.4 GHz, and 5 GHz. These bands are all in the Industrial, Scientific, and Medical (ISM) frequency range. Higher frequency bands allow greater bandwidth, but have smaller transmission ranges. Within all bands, the data rate decreases as the client moves away from the AP.


802.11b Standard

802.11b is a widely adopted standard that operates in the 2.4 GHz range and uses Direct Sequence Spread Spectrum (DSSS). It has four data rates: 1, 2, 5.5, and 11 Mbps. 802.11b provides from 11–14 channels, depending on country standards, but only three channels have nonoverlapping frequencies: 1, 6, and 11. Cisco recommends a maximum of 25 users per cell; expect an actual peak throughput of about 6.8 Mbps.


802.11a Standard

802.11a operates in the 5 GHz range and uses Orthogonal Frequency-Division Multiplexing (OFDM). It has eight data rates: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. 802.11a provides from 12–23 nonoverlapping channels, depending on country regulations. Portions of the 5 GHz range are allocated to radar, so 802.11a uses Dynamic Frequency Selection (DFS) to check for radar signals and choose a different channel if it detects them. It also uses Transmit Power Control (TPC) to adjust client power, so that clients use only enough to stay in contact with the AP. DFS and TPC are part of the 802.11h specification. Cisco recommends a maximum of 15 users per cell; expect an actual peak throughput of about 32 Mbps.


802.11g Standard

802.11g operates in the same 2.4 GHz range as 802.11b and uses the same three nonoverlapping channels: 1, 6, and 11. It can provide higher data rates; however, 802.11g also uses DSSS to provide 1, 2, 5.5, and 11 Mbps throughput, which makes it backward compatible with 802.11b. It uses OFDM to provide 6, 9, 12, 18, 24, 36, 48, and 54 Mbps throughput, as does 802.11a.

802.11b/g access points can register both 802.11b and 802.11g clients. Because 802.11b clients do not understand OFDM messages, when 802.11b clients register, the AP implements an RTS/CTS protection mechanism against collisions. When a client wants to talk, it sends an RTS message. The AP must answer with a CTS message before the client is allowed to transmit. This creates overhead for the AP and causes a drop in overall throughput for all clients. Cisco recommends a maximum of 20 users per cell; expect an actual peak throughput of about 32 Mbps.


Wireless Security

Wireless security methods, listed from weakest to strongest, include:
  • Wired Equivalent Privacy (WEP)—It uses static keys, weak authentication, and is not scalable.
  • 802.1x Extensible Authentication Protocol (EAP)—Uses RADIUS for authentication, dynamic keys, and stronger encryption. Cisco supports it via Lightweight EAP (LEAP) and Protected EAP (PEAP).
  • Wi-Fi Protected Access (WPA)—This is a Wi-Fi Alliance standard. Uses Temporal Key Integrity Protocol (TKIP) for encryption, dynamic keys, and 802.1x user authentication. Cisco supports it via Lightweight EAP (LEAP), Protected EAP (PEAP), and Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST).
  • WPA2—The Wi-Fi Alliance’s implementation of the 802.11i standard, which specifies the use of Advanced Encryption Standard (AES) for data encryption and uses 802.1x authentication methods. Can also use TKIP encryption.

WPA/WPA2 Authentication

When a host wanting WLAN access needs to be authenticated in a network using WPA or WPA2, the following steps occur:

Step 1. An 802.1x/EAP supplicant on the host contacts the AP (or WLAN controller, if it is a lightweight AP) using 802.1x.

Step 2. The AP or WLAN controller uses RADIUS to contact the AAA server, and attempts to authenticate the user.

Step 3. If the authentication succeeds, all traffic from the client to the AP is encrypted.

Wednesday, January 20, 2010

Using Wireless LANs

Wireless LAN Overview

Devices on a wireless LAN (WLAN) transmit and receive data using radio or infrared signals, sent through an access point (AP). WLANs function similarly to Ethernet LANs with the access point providing connectivity to the rest of the network as would a hub or switch. WLANs use an Institute of Electrical and Electronics Engineers (IEEE) standard that defines the physical and data link specifications, including the use of Media Access Control (MAC) addresses. The same protocols (such as IP) and applications (such as IPSec) can run over both wired and wireless LANs.

WLANs are local to a building or a campus, use customer-owned equipment, and are not usually required to have radio frequency (RF) licenses.

Service Set Identifiers (SSID) correspond to a VLAN and can be used to segment users. SSIDs can be broadcast by the access point, or statically configured on the client, but the client must have the same SSID as the AP to register with it. SSIDs are case sensitive. Clients associate with access points as follows:

Step 1. The client sends a probe request.

Step 2. The AP sends a probe response.

Step 3. The client initiates an association to an AP. Authentication and any other security information is sent to the AP.

Step 4. The AP accepts the association.

Step 5. The AP adds the client’s MAC address to its association table.


Characteristics of Wireless LANs

The following lists some characteristics of wireless LANs, and the data transmitted over wireless networks.
  • WLANs use Carrier Sense Multi-Access/Collision Avoidance (CSMA/CA). Wireless data is half-duplex. CSMA/CA uses Request to Send (RTS) and Clear to Send (CTS) messages to avoid collisions.
  • WLANs use a different frame type than Ethernet.
  • Radio waves have unique potential issues. They are susceptible to interference, multipath distortion, and noise. Their coverage area can be blocked by building features, such as elevators. The signal might reach outside the building and lead to privacy issues.
  • WLAN hosts have no physical network connection. They are often mobile and often battery-powered. The wireless network design must accommodate this.
  • WLANs must adhere to each country’s RF standards.

Clients can roam between APs that are configured with the same SSIDs/VLANs. Layer 2 roaming is done between APs on the same subnet; Layer 3 roaming is done between APs on different subnets.


WLAN Topologies

Use of the Cisco Aironet line of wireless products falls into three categories:
  • Client access, which allows mobile users to access the wired LAN resources
  • Wireless connections between buildings
  • Wireless mesh

Wireless connections can be made in ad-hoc mode or infrastructure mode. Ad-hoc mode (or Independent Basic Service Set [IBSS]) is simply a group of computers talking wirelessly to each other with no access point (AP). It is limited in range and functionality. Infrastructure mode’s BSS uses one AP to connect clients. The range of the AP’s signal, called its microcell, must encompass all clients. The Extended Service Set (ESS) uses multiple APs with overlapping microcells to cover all clients. Microcells should overlap by 10–15 percent for data, and 15–20 percent for voice traffic. Each AP should use a different channel.

Wireless repeaters extend an AP’s range. They use the same channel as their AP, they must be configured with the AP’s SSID, and they should have 50 percent signal overlap.

Workgroup bridges connect to devices without a wireless network interface card (NIC) to allow them access to the wireless network. Wireless mesh networks can span large distances because only the edge APs connect to the wired network. The intermediate APs connect wirelessly to multiple other APs and act as repeaters for them. Each AP has multiple paths through the wireless network. The Adaptive Wireless Path (AWP) protocol runs between APs to determine the best path to the wired network. APs choose backup paths if the best path fails.

Monday, January 4, 2010

Virtual Router Redundancy Protocol (VRRP)

Virtual Router Redundancy Protocol (VRRP) is similar to HSRP, but it is an open standard (RFC 2338). Two or more devices act as a virtual router. With VRRP, however, the IP address used can be either a virtual one or the actual IP address of the primary router.

The VRRP Master router forwards traffic. The master is chosen because 1) it owns the real address, or 2) it has the highest priority (default is 100). If a real address is being supported, the owner of the real address must be master. A Backup router takes over if the master fails, and there can be multiple backup routers. They monitor periodic hellos multicast by the master to 224.0.0.18, using UDP port 112, to detect a failure of the master router.

Multiple VRRP groups are allowed, just as with HSRP.

Routers in the same VRRP group must belong to the same subnet/VLAN. To enable VRRP, give this command vrrp group-number ip virtual-IP-address under the interface connecting to that subnet or VLAN:

Router(config-if)#vrrp 39 ip 10.0.0.1

Control the master and backup elections by configuring priority values from 1–255. If a master VRRP router is shut down, it advertises a priority of 0. This triggers the backup routers to hold an election without waiting for the master’s hellos to time out.

Router(config-if)#vrrp 39 priority 175

VRRP uses the following timers:

  • Advertisement, or hello, interval in seconds. Default is 1 second.
  • Master down interval. Equals (3 x advertisement interval) plus skew time. Similar to a hold or dead timer.
  • Skew time. (256–priority) / 256. This is meant to ensure that the highest priority backup router becomes master, since higher priority routers have shorter master down intervals.

To change the timers on the master, use the following command because it is the router that advertises the hellos:

Router(config-if)#vrrp 39 timers advertise 5

To change the timers on the backup routers, use the following command because they hear the hellos from the master:

Router(config-if)#vrrp 39 timers learn
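An added example, not part of the original notes, that works the VRRP timer rules above through in code: skew time = (256 – priority) / 256, master down interval = 3 × advertisement interval + skew time, and the consequence that the highest-priority backup times out the master first. It also models the priority-0 shutdown advertisement, where a backup waits only the skew time instead of the full master down interval (the behaviour RFC 2338 specifies for a backup that receives a priority-0 advertisement). The router addresses and priorities in the sample are constructed.

```python
"""VRRP skew time and master down interval, per the timer rules in the notes.

Added example, not part of the original notes. Formulas as the notes give them:
skew = (256 - priority) / 256 and master_down = 3 * advertise_interval + skew.
Sample priorities and addresses are constructed.
"""
import ipaddress

DEFAULT_PRIORITY = 100
DEFAULT_ADVERTISE = 1.0      # seconds


def skew_time(priority: int) -> float:
    if not 1 <= priority <= 255:
        raise ValueError("VRRP priority is 1-255 (0 is only advertised on shutdown)")
    return (256 - priority) / 256


def master_down_interval(priority: int, advertise_interval: float = DEFAULT_ADVERTISE) -> float:
    """How long a backup with this priority waits before declaring the master dead."""
    return 3 * advertise_interval + skew_time(priority)


def takeover_delay(priority: int, advertise_interval: float = DEFAULT_ADVERTISE,
                   graceful_shutdown: bool = False) -> float:
    """Time from the last master event to this backup starting an election.

    On a normal failure the backup must wait the full master down interval.
    If the master announced priority 0 (graceful shutdown), the backup waits
    only the skew time, which is what makes the election near-immediate."""
    if graceful_shutdown:
        return skew_time(priority)
    return master_down_interval(priority, advertise_interval)


def election_order(backups: dict, advertise_interval: float = DEFAULT_ADVERTISE) -> list:
    """Order backups (IP -> priority) by who times out the master first.

    Higher priority gives a shorter master down interval; an exact tie is
    broken in favour of the higher IP address, so that router sorts first."""
    return sorted(
        backups,
        key=lambda ip: (master_down_interval(backups[ip], advertise_interval),
                        -int(ipaddress.ip_address(ip))),
    )


if __name__ == "__main__":
    # Constructed group: two backups behind a master, as in the vrrp 39 examples above.
    backups = {"10.0.0.2": 175, "10.0.0.3": DEFAULT_PRIORITY}
    for ip, prio in backups.items():
        print(f"{ip} priority {prio}: skew {skew_time(prio):.4f}s, "
              f"master down {master_down_interval(prio):.4f}s, "
              f"after graceful shutdown {takeover_delay(prio, graceful_shutdown=True):.4f}s")
    print("election order:", election_order(backups))
    # With 'timers advertise 5' on the master, backups that learn the timer wait 3*5 + skew.
    print("master down at 5s advertise, priority 175:", master_down_interval(175, 5.0))
```

The ordering function is the point of the skew time: because every backup computes a different master down interval from its own priority, the best candidate speaks first and the others hear its advertisement before their own timers expire, avoiding a contested election.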


GLBP

One issue with both HSRP and VRRP is that only the primary router is in use; the others must wait for the primary to fail before they are used. These two protocols use multiple groups to work around that limitation. However, Gateway Load Balancing Protocol (GLBP) allows the simultaneous use of up to four gateways, thus maximizing bandwidth. With GLBP, there is still one virtual IP address. However, each participating router has a virtual MAC address, and different routers’ virtual MAC addresses are sent in answer to ARPs sent to the virtual IP address. GLBP can also use groups, up to a maximum of 1024 per physical interface.

The load sharing is done in one of three ways:
  • Weighted load balancing—Traffic is balanced proportional to a configured weight.
  • Host-dependent load balancing—A given host always uses the same router.
  • Round-robin load balancing—Each router MAC is used to respond to ARP requests in turn.

GLBP routers elect an Active Virtual Gateway (AVG). It is the only router to respond to ARPs. It uses this capacity to balance the load among the GLBP routers. The highest priority router is the AVG; the highest configured IP address is used in case of a tie.

The actual router used by a host is its Active Virtual Forwarder (AVF). GLBP group members multicast hellos every 3 seconds to IP address 224.0.0.102, UDP port 3222. If one router goes down, another router answers for its MAC address.
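To make the three load-sharing methods and the AVF failover concrete, here is an added illustration, not Cisco's implementation and not from the original notes: a small model of the AVG answering ARP requests for the virtual IP with one of the forwarders' virtual MAC addresses under round-robin, weighted, or host-dependent selection, and of a surviving router picking up a failed router's virtual MAC. The router names, virtual MACs and weights are constructed, and the host-dependent selection uses a hash of the requesting host's MAC as a stand-in for whatever GLBP does internally.

```python
"""Model of the GLBP Active Virtual Gateway handing out forwarder MACs.

Added illustration, not Cisco's implementation and not from the original
notes. Router names, virtual MACs and weights are constructed; the
host-dependent mode hashes the host MAC so the same host always gets the
same forwarder, which is the property the notes describe.
"""
import hashlib
import itertools


class ActiveVirtualGateway:
    """The AVG is the one GLBP router that answers ARPs for the virtual IP."""

    def __init__(self, routers: list, mode: str = "round-robin"):
        # routers: list of (name, virtual_mac, weight); weight matters only in weighted mode
        self.routers = {name: (mac, weight) for name, mac, weight in routers}
        self.mode = mode
        self.up = set(self.routers)
        # which router currently answers for each virtual MAC, i.e. the AVF role
        self.forwarder_for = {mac: name for name, (mac, _) in self.routers.items()}
        macs = [mac for _, (mac, _) in self.routers.items()]
        self._round_robin = itertools.cycle(macs)
        # weighted mode: a MAC appears in the rotation as many times as its weight
        self._weighted = itertools.cycle(
            [mac for _, (mac, w) in self.routers.items() for _ in range(w)])

    def answer_arp(self, host_mac: str) -> str:
        """Return the virtual MAC the AVG puts in the ARP reply to host_mac."""
        if self.mode == "round-robin":
            return next(self._round_robin)
        if self.mode == "weighted":
            return next(self._weighted)
        if self.mode == "host-dependent":
            macs = [mac for _, (mac, _) in self.routers.items()]
            digest = hashlib.sha256(host_mac.lower().encode()).digest()
            return macs[int.from_bytes(digest[:4], "big") % len(macs)]
        raise ValueError(f"unknown load-sharing mode {self.mode!r}")

    def router_down(self, name: str) -> None:
        """A failed router's virtual MAC is taken over by a surviving router,
        so hosts that cached that MAC keep a working gateway without re-ARPing."""
        self.up.discard(name)
        if not self.up:
            raise RuntimeError("no GLBP routers left to forward")
        replacement = min(self.up)   # deterministic pick for the model; GLBP uses priority/weight
        for mac, owner in self.forwarder_for.items():
            if owner == name:
                self.forwarder_for[mac] = replacement


if __name__ == "__main__":
    # Constructed group of three routers; 0007.b400.xxyy is the GLBP virtual MAC format.
    routers = [("R1", "0007.b400.2701", 2), ("R2", "0007.b400.2702", 1), ("R3", "0007.b400.2703", 1)]
    for mode in ("round-robin", "weighted", "host-dependent"):
        avg = ActiveVirtualGateway(routers, mode=mode)
        hosts = ["00aa.0000.0001", "00aa.0000.0002", "00aa.0000.0003", "00aa.0000.0004"]
        print(mode, [avg.answer_arp(h) for h in hosts])
    avg = ActiveVirtualGateway(routers)
    avg.router_down("R1")
    print("after R1 fails, 0007.b400.2701 is answered by", avg.forwarder_for["0007.b400.2701"])
```

The failover path is worth noting from a resilience standpoint: because the virtual MAC survives the router that owned it, a host's ARP cache stays valid across the failure, which is exactly why the notes say another router "answers for its MAC address" rather than hosts being told to re-resolve the gateway.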

Configure GLBP with the interface command glbp group-number ip virtual-IP-address, as shown:

Router(config-if)#glbp 39 ip 10.0.0.1

To ensure deterministic elections, each router can be configured with a priority. The default priority is 100:

Router(config-if)#glbp 39 priority 150


Hello and hold (or dead) timers can be configured for each interface with the command glbp group-number timers [msec] hello-time [msec] hold-time. Values are in seconds unless the msec keyword is used.

GLBP can also track interfaces; if an interface goes down, another router answers for the first router’s MAC address.