network high availability design – Expert Network Consultant https://www.expertnetworkconsultant.com Networking | Cloud | DevOps | IaC Sat, 31 Aug 2019 23:00:26 +0000 en-GB hourly 1 https://wordpress.org/?v=6.3.5 Understanding First Hop Redundancy Protocols (FHRP) https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/understanding-first-hop-redundancy-protocols-fhrp/ Sat, 31 Aug 2019 23:00:10 +0000 http://www.expertnetworkconsultant.com/?p=3270 Continue readingUnderstanding First Hop Redundancy Protocols (FHRP)]]> Modern network design requires an important consideration of how the network deals with failure. With this Understanding First Hop Redundancy Protocols (FHRP) in mind, the network must be built with as much redundancy as possible. In fact, the design must have a good financial backing on redundancy as many of the enterprise companies are heavily reliant on internet access and cannot lose money due to a network design without much care for handling crisis.

From the client’s perspective, outside of their local network, they next important piece they deal with is the default gateway. Should the gateway go down, then access to an entire subnet would go down.

To deal with gateway redundancy, we implement a first hop redundancy protocol. There are a number of these technologies on the market and today we shall look at Cisco’s Hot Standby Router Protocol (HSRP) to start with. The others are the Virtual Router Redundancy Protocol (VRRP) and Gateway Load Balancing Protocol (GLBP). Many modern Cisco equipment supports the full flavor of the First Hop Redundancy Protocols.

Understanding First Hop Redundancy Protocols (FHRP)

You connect a computer to your network, it boots up and automatically receives IP Address information from the DHCP Server. There is a piece of information there called the Default Gateway.
The Default Gateway is the router that gets us off our local subnet. Now, imagine that router acting as the default gateway fails, suddenly we are not able to send traffic off the local subnet, the good news is that we can add some redundancy to this scenario through the use of a first hop redundancy protocol. This is the focus of this article Understanding First Hop Redundancy Protocols (FHRP). Specifically we shall be looking at 3 FHRP Protocols, these are HSRP, VRRP and GLBP.

These protocols allows our device(s) to use a backup router to get us off our local subnet whiles still pointing to the same Default Gateway IP Address that we learned via DHCP.

Let’s have a look at the Cisco’s Hot Standby Routing Protocol

Note: HSRP sends its hello messages to the multicast destination 224.0.0.2 (“all routers”) using UDP port 1985.

Equipment Used

  • Router 1 (Active) : 10.1.1.2
  • Router 2 (Standby) : 10.1.1.3
  • Access Switch
  • Workstation
  • Gateway Design and Configuration

    Virtual Gateway 1: 10.1.1.1
    Virtual Gateway 2: 10.1.1.10
    

    Figure A.1 – Workstation Default Gateway Configured as : 10.1.1.1
    Understanding First Hop Redundancy Protocols FHRP - Gateway 1

    Figure A.2 – Workstation Default Gateway Configured as : 10.1.1.10

    Understanding First Hop Redundancy Protocols (FHRP) - Gateway 2


    Figure 1.0 – Understanding First Hop Redundancy Protocols (HSRP)
    In this high availability architecture diagram, we have the said two routers in active and standby modes with the access switch and workstation configured as per the above setup in Figure A.1.
    Understanding First Hop Redundancy Protocols (FHRP)

    Operation of HSRP

    The Hot Standby Routing Protocol is considered a firt hop redundancy protocol. What does this mean? Look at the pc above in Figure 1.0, it has an IP Address of 10.1.1.120 and a Default Gateway of 10.1.1.1. What is that default gateway? This is typically the IP Address of the router that may get PC off from it’s local subnet to another network, perhaps the internet. This could be information the PC may have learned via DHCP when it joined the network. The router which is its default gateway could become the single point of failure for the PC as when the router fails, the PC may be limited to communicate on its local subnet. It cannot go beyond it’s local subnet. HSRP helps us out with this issue. HSRP is a Cisco proprietary protocol as is GLBP. The industry standard is the VRRP.

    The Default Gateway cannot be seen in the Figure 1.0 for Switch 1 or Switch 2. Switch 1 has a layer 3 ip address of 10.1.1.2 and Switch 2 has a layer 3 ip address of 10.1.1.3, So who is servicing packets reaching 10.1.1.10. Well notice the greyed out router in the middle of the diagram, this is normally called the phantom router or logical router. This is the router that the PC is logically using.

    HSRP allows one router to serve as the active router and is able to serve packets destined for the 10.1.1.10 and route them the right where they need to go.

    . In today’s network you will realise that most of our networking is with Layer 3 Switches which support FHRP. It is a popular practice to see machines point to the Switches as their Default Gateways. These are normally Multi-layer Switches which acts as routers for our FHRP deployment. The IP 10.1.1.1 has a corresponding mac address which the PC has learned using ARP. If Switch 1 went Kaboom!, Switch 2 is able to carry on with the work to serve devices their gateway and access to resources without a down time.

    Understanding First Hop Redundancy Protocols (FHRP)

    Configuration Time – Configuring an HSRP Group on Router or Layer 3 Switch

    In this configuration, we have created Switch Group 1 for both Routers or Layer 3 Switches participating in the HSRP Gateway Redundancy.

    Router A or Layer 3 Switch Network Device

    Router-A(config)# interface vlan 20
    Router-A(config-if)# ip address 10.1.1.2 255.255.255.0
    Router-A(config-if)# standby 1 priority 200
    Router-A(config-if)# standby 1 preempt
    Router-A(config-if)# standby 1 ip 10.1.1.1
    Router-A(config-if)# no shutdown
    

    Router B or Layer 3 Switch Network Device

    Router-B(config)# interface vlan 20
    Router-B(config-if)# ip address 10.1.1.3 255.255.255.0
    Router-B(config-if)# standby 1 priority 100
    Router-B(config-if)# standby 1 preempt
    Router-B(config-if)# standby 1 ip 10.1.1.1
    Router-B(config-if)# no shutdown
    

    Perform Load Balancing –
    In the previous configuration, Router-A becomes the Active Router serving all users the gateway for their traffic over its uplink whiles Router-B sits there as the Standby HSRP Router with its Uplink idle only waiting for the day of failure which may or may never happen.

    Load balancing traffic across two uplinks to two HSRP routers with that single HSRP Group 1 is not possible. There is however a method to achieving this design and that is to use two HSRP groups.

    HSRP Group One : Assigns an active router to one router or layer 3 switch
    HSRP Group Two: Assigns another active router to the other router or layer 3 switch

    With this setup, two different virtual router or gateway addresses can be used simultaneously. The rest of this setup is to make each router or layer 3 switch function as the standby router for its partner’s HSRP Group.

    Simply put, each router is the active HSRP router for one group but standby for the other group.

    Using a DHCP server, the clients can be cnfigured to have one of the two HSRP group addresses.

    Look at the diagram below – Figure 1.1.

    Router A is not only the active HSRP router for the HSRP Group 1 (10.1.1.1) but also the standby router for the HSRP Group 2 (10.1.1.10)

    Load Balancing

    Router-A as Active HSRP Router for HSRP Group 1

    Router-A(config)# interface vlan 20
    Router-A(config-if)# ip address 10.1.1.2 255.255.255.0
    Router-A(config-if)# standby 1 priority 200
    Router-A(config-if)# standby 1 preempt
    Router-A(config-if)# standby 1 ip 10.1.1.1
    

    Configure Authentication for HSRP Peers

    Router-A(config-if)# standy 1 authentication K3y1h4v3Ch05en!
    

    The above authentication is based on PLain-Text HSRP Authentication. These are HSRP messages sent with a plain-text key strong (up to 8 characters) as a simple method to authenticate HSRP peers. Keys have to match to approve peering.

    You can use MD5 authentication. The command below helps to achieve this

    Router(config)# key chain chain-name
    Router(config-keychain)# key key-number
    Router(config-keychain-key)# key-string [0 | 7] string
    Router(config)# interface type mod/num
    Router(config-if)# standby group authentication md5 key-chain chain-name
    

    This configuration makes Router-A Standy HSRP Router for HSRP Group 2

    Router-A(config-if)# standby 2 priority 100
    Router-A(config-if)# standby 2 preempt
    Router-A(config-if)# standby 2 ip 10.1.1.10
    Router-A(config-if)# standy 2 authentication K3y1h4v3Ch05en!
    

    Router-B as Standby HSRP Router for HSRP Group 1

    Router-B(config)# interface vlan 20
    Router-B(config-if)# ip address 10.1.1.3 255.255.255.0
    Router-B(config-if)# standby 1 priority 100
    Router-B(config-if)# standby 1 preempt
    Router-B(config-if)# standby 1 ip 10.1.1.1
    Router-B(config-if)# standy 1 authentication K3y1h4v3Ch05en!
    

    This configuration makes Router-B Active HSRP Router for HSRP Group 2

    Router-B(config-if)# standby 2 priority 200
    Router-B(config-if)# standby 2 preempt
    Router-B(config-if)# standby 2 ip 10.1.1.10
    Router-B(config-if)# standy 2 authentication K3y1h4v3Ch05en!
    

    Use the following command to display information about the status of either HSRP Groups

    Router#show standby [brief] [vlan vlan-id | type mod/num]
    

    Virtual Router Redundancy Protocol (VRRP)

    You can never talk about VRRP without mentioning HSRP as that is the proprietary original innovation Cisco created many years ago but since then, the open standard VRRP has become a loved version for many vendors. It is supported by major vendors including Cisco who ships the support in their iOS platforms.

    Like with HSRP, VRRP has a configured group that contains a number of routers also known as gateways. In the network design process, an engineer will configure one of the gateways as the master and the other the backup or standby. These terms could be used interchangeably.

    In the example we had with the HSRP, the Active Router had an IP address of 10.1.1.2 and the Standby 10.1.1.3. The Virtual Router’s IP address was 10.1.1.1 which was served to clients as the default gateway. In VRRP, the Master Router’s physical IP address of the interface connecting the subnet is used by the clients as a default gateway.

    In this example, the Master IP address is : 10.1.1.1 and the Backup or Standby IP address is: 10.1.1.10.

    There isn’t a logical IP Address for a Virtual Router as VRRP handles it quite differently. Behind the scenes, the backup router of the VRRP group will communicate with the master gateway and assume the duty of forwarding traffic, should the master router fail due to any known reasons. The IP address used for the VRRP always belongs to the master router which is referred to as the IP address owner. When the Master router recovers, it will take back the duties of routing for that IP address.

    It is possible to have multiple VRRP groups on a single subnet, which can be used to spread the load of the traffic coming off of a subnet. However, this must be done manually at the client’s location, by changing their default gateway addresses.

    Figure 1.1 – Understanding First Hop Redundancy Protocols (VRRP)
    Understanding First Hop Redundancy Protocols (VRRP)

    VRRP Router A Load Balancing Configuration
    VRRP Group 1

    Router-A(config)# interface vlan 20
    Router-A(config-if)# ip address 10.1.1.2 255.255.255.0
    Router-A(config-if)# vrrp 1 priority 200
    Router-A(config-if)# vrrp 1 ip 10.1.1.1
    

    VRRP Group 2

    Router-A(config-if)# vrrp 2 priority 100
    Router-A(config-if)# no vrrp 2 preempt
    Router-A(config-if)#vrrp 2 ip 10.1.1.10
    

    Let’s head over to Router B to perform a similar configuration as per below;

    VRRP Router B Load Balancing Configuration

    VRRP Group 1

    Router-B(config)# interface vlan 20
    Router-B(config-if)# ip address 10.1.1.3 255.255.255.0
    Router-B(config-if)# vrrp 1 priority 100
    Router-B(config-if)# no vrrp 1 preempt
    Router-B(config-if)#vrrp 1 ip 10.1.1.1
    

    VRRP Group 2

    Router-B(config-if)#vrrp 2 priority 200
    Router-B(config-if)# vrrp 2 ip 10.1.1.10
    

    Gateway Load Balancing Protocol (GLBP)
    In this article of Understanding First Hop Redundancy Protocols (FHRP), we have looked at the most popular first hop redundancy protocols like the HSRP and VRRP. Are you thinking what the GLBP has to offer?

    GLBP is another, you guessed it,Cisco proprietary protocol that can be used for first hop redundancy. The key feature GLBP offers which the first two do not is dynamic load balancing.

    With GLBP, unlike HSRP or VRRP, routers that exist within the GLBP group are all active and are forwarding traffic. I prefer this as it only makes economic sense to utilise these routers to achieve great throughput and resource balancing. When a GLBP group is configured, one of the routers within the group will be elected as the Active Virtual Gateway (AVG); each of the other routers will back up the AVG, should it fail due to hardware or any other unforseeable variable. The AVG is responsible for assigning virtual MAC addresses to each of the members of the GLBP group; each of these members is referred to as an Active Virtual Forwarder (AVF). The AVG is responsible for responding to ARP request by subnet devices, and selecting which group’s router will handle the traffic. The IP address of the default gateway is the same across all of the subnet devices; this IP address is virtual. Because load balancing is inherent to this protocol, you will not need to employ multi groups or instances to handle gateway load balancing. When the device ARPs for a MAC address, the AVG will respond with one of the virtual MAC addresses since it’s responsible to creating or assigning the mac addresses to begin with. This way, the AVG is able to control which router will handle the load of each individual subnet device. There is a great deal to this amazing protocol but it is not an open standard and so can only be enjoyed by Cisco customers. Cisco has an excellent documentation on their proprietary Gateway Load Balancing Protocol.

    How to Configure OSPF Step by Step
    The Ultimate Guide to Understanding and Configuring OSPF

    ]]>