1. Module 5
Redundancy CCNP Multilayer Switching
2. Introducing redundancy Redundancy – multiple paths to each destination, so that no single point of failure exists.
Resiliency – fast recovery after a failure.
In addition, network services can be distributed geographically.
3. Implementing redundant supervisor engines in Catalyst switches When installing two supervisor engines, the first one to come online becomes the active module. The second supervisor engine goes into standby mode.
4. Implementing redundant supervisor uplink modules in Catalyst switches Supervisor III uplink ports are modular. Modularity lets the administrator install the uplink module to deliver current bandwidth requirements.
Modularity also ensures an easy migration path.
5. Implementing redundant distributed forwarding cards in Catalyst switches The Distributed Forwarding Card (DFC) complements the centralized forwarding of the Catalyst 6500 Supervisor Engine 2 by distributing the centralized forwarding intelligence to each DFC-enabled line card module.
6. Implementing redundant power supplies If one supply malfunctions, the other supply can take over the entire system load.
When two power supplies of equal wattage are used, each provides approximately half of the required power to the system.
Load sharing and redundancy are enabled automatically. No software configuration is required.
7. Implementing Router Redundancy in a Switched Network
8. Router redundancy operation Without a first-hop redundancy protocol, a host can reach an alternate router in one of these ways:
* Proxy ARP – the host discovers the MAC address of the new router in the segment.
* Default gateway – the host uses an alternate default gateway defined in its configuration.
* Dynamic routing protocol – the host runs RIP or OSPF itself to discover new routes.
* DHCP – besides an IP address, the host also receives a default gateway.
9. ICMP Router Discovery Protocol (IRDP) Some newer IP hosts use IRDP (RFC 1256) to find a new router when a route becomes unavailable.
A host that uses IRDP listens for hello multicast messages from the router that the host is configured to use. The host switches to an alternate router when the host no longer receives those hello messages.
Enabling IRDP Processing
The only required task for configuring IRDP routing on a specified interface is to enable IRDP processing on an interface. Use the following command in interface configuration mode:
Router(config-if)#ip irdp
Troubleshooting IRDP
Use the debug ip icmp command to display information on ICMP transactions. This command helps determine whether the router is sending or receiving ICMP messages. Use this command when troubleshooting an end-to-end connection problem. The no form of this command disables debugging output.
Router#no debug ip icmp
10. Hot Standby Router Protocol (HSRP) One way to achieve near 100% network uptime is to use HSRP (RFC 2281).
By sharing an IP address (Virtual IP) and a MAC address (Virtual MAC), a set of two or more routers can operate as a single router called a virtual router.
This set is known as an HSRP group or a standby group. If the active router fails, the standby router takes over as the active router. Hosts continue to forward IP packets to the same virtual IP and virtual MAC address, so the changeover between routers is transparent to the end workstation.
11. Server Load Balancing (SLB) SLB is an IOS-based solution defining a virtual server that represents a group of real servers in a server farm. This environment connects clients to the IP address of a single virtual server.
When a client initiates a connection to the virtual server, the SLB function chooses a real server for the connection based on a load balancing algorithm. The network gains scalability and availability when virtual servers represent server farms.
The addition of new servers and the removal or failure of existing servers can occur at any time without affecting the availability of the virtual server.
Supported Platforms
* Catalyst 6000 Series
* Cisco 7200 Series
12. HSRP Operations
13. HSRP Operations Components: Active router, standby router, and a virtual or phantom router.
14. HSRP operations The active router does the forwarding of data packets and transmits hello messages. The standby router takes the active role if the active router fails.
The standby router also transmits hello messages to other routers in the HSRP group.
The virtual router does not really exist. It simply represents a consistently available router with an IP address and a MAC address to the hosts on a network.
Several other routers may exist in an HSRP standby group. These other routers monitor the HSRP hello messages but do not respond. They function as normal routers that forward packets sent to them, but they do not forward packets addressed to the virtual router. These additional HSRP routers remain in the "listen" state.
If both the active and standby routers fail, the remaining routers in the group contend for the active and standby roles. The router with the highest HSRP priority becomes the active router; if the priorities are equal, the router with the highest interface IP address wins (see the diagram).
The default priority for an HSRP router is 100, so with no priority configured the tiebreak on IP address decides.
15. The virtual router MAC address The MAC address used by the virtual router is made up of the following:
* Vendor ID – the first three bytes of the MAC address (0000.0c, the Cisco OUI).
* HSRP code – the next two bytes (07.ac), which identify the address as belonging to an HSRP virtual router.
* Group ID – the last byte of the MAC address is the group number.
For group 50 the virtual MAC address is therefore 0000.0c07.ac32. To display the virtual IP and MAC address use the command show standby.
16. HSRP messages HSRP messages are encapsulated in UDP packets and use port number 1985.
HSRP messages use the physical interface IP address as the source.
They are sent to the all-routers multicast address 224.0.0.2 with the TTL set to one, so they never leave the local segment.
The message fields are:
* Op Code – the message type: 0 = Hello, 1 = Coup (sent when a router wants to become the active router), 2 = Resign (sent when a router no longer wants to be the active router).
* Hellotime and Holdtime – the hello interval and how long a Hello message is considered valid.
* Priority – used to elect the active and standby routers.
* Group – identifies the standby group.
* Authentication data – an eight-character clear-text password (the IOS default is the string cisco). Because it is sent in clear text, anyone who can capture traffic on the segment can read it; it guards against misconfiguration, not against a deliberate attacker.
* Virtual address – the IP address of the virtual router.
* State – the sender's HSRP state (for example active, standby or listen).
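The message layout above, as an added example in Python (not code from the module or from Cisco). Field offsets follow RFC 2281; the sample message is constructed here, not captured from a network. The parser also derives the virtual MAC from the group byte, so it covers the virtual MAC slide as well. It makes one security-relevant point visible: the authentication data is read straight out of the packet, because it is never hashed or encrypted.

```python
"""HSRP version 1 message (RFC 2281, section 5): build, parse, derive the virtual MAC.

Added example, not from the original module. The sample message in the demo
below is constructed, not captured.
"""
import ipaddress
import struct

HSRP_UDP_PORT = 1985
HSRP_MULTICAST = "224.0.0.2"

# One byte each: version, opcode, state, hellotime, holdtime, priority, group,
# reserved; then 8 bytes of authentication data and the 4-byte virtual IP.
HSRP_FORMAT = "!BBBBBBBB8s4s"
HSRP_LEN = struct.calcsize(HSRP_FORMAT)  # 20 bytes

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


def virtual_mac(group: int) -> str:
    """Vendor ID 0000.0c + HSRP code 07.ac + the one-byte group number."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group must be 0..255")
    return f"0000.0c07.ac{group:02x}"


def build_hsrp(opcode: int, state: int, priority: int, group: int, virtual_ip: str,
               auth: str = "cisco", hellotime: int = 3, holdtime: int = 10) -> bytes:
    """Pack an HSRP v1 message. The password is padded with NULs to 8 bytes, in clear."""
    auth_bytes = auth.encode("ascii")
    if len(auth_bytes) > 8:
        raise ValueError("authentication data is at most 8 characters")
    return struct.pack(HSRP_FORMAT, 0, opcode, state, hellotime, holdtime, priority,
                       group, 0, auth_bytes.ljust(8, b"\x00"),
                       ipaddress.IPv4Address(virtual_ip).packed)


def parse_hsrp(payload: bytes) -> dict:
    """Unpack the UDP payload of an HSRP v1 message into named fields."""
    if len(payload) < HSRP_LEN:
        raise ValueError(f"HSRP message needs {HSRP_LEN} bytes, got {len(payload)}")
    (version, opcode, state, hellotime, holdtime, priority, group, _reserved,
     auth, vip) = struct.unpack(HSRP_FORMAT, payload[:HSRP_LEN])
    if version != 0:
        raise ValueError(f"unsupported HSRP version {version}")
    return {
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        # Clear text on the wire: anyone capturing on the segment reads this.
        "auth": auth.rstrip(b"\x00").decode("ascii", errors="replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
        "virtual_mac": virtual_mac(group),
    }


if __name__ == "__main__":
    # Constructed hello from an active router in group 50, as in the module's example.
    hello = build_hsrp(opcode=0, state=16, priority=150, group=50, virtual_ip="10.1.1.1")
    print(f"UDP {HSRP_UDP_PORT} -> {HSRP_MULTICAST}: {hello.hex()}")
    for name, value in parse_hsrp(hello).items():
        print(f"{name:12} {value}")
```

The reserved byte and the non-zero version check matter when reading captures: HSRP version 2 uses a different TLV layout and a different multicast group, so a version byte other than 0 means this parser does not apply.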
17. HSRP states HSRP defines six states in which an HSRP-enabled router can exist:
* Initial – beginning of the HSRP process. HSRP is not yet running. It is entered via a configuration change or when an interface first comes up.
* Learn – The router has not determined the virtual IP address, and has not yet seen an authenticated hello message from the active router. In this state the router is still waiting to hear from the active router.
* Listen – The router knows the virtual IP address, but is neither the active router nor the standby router. It listens for hello messages from those routers. Routers other than the active and standby router remain in the listen state.
* Speak – The router sends periodic hello messages and is actively participating in the election of the active or standby router. A router cannot enter Speak state unless it has the virtual IP address.
* Standby – The router is a candidate to become the next active router and sends periodic hello messages. Excluding transient conditions, there must be at most one router in the group in Standby state.
* Active – The router is currently forwarding packets. It sends periodic hello messages. Excluding transient conditions, there must be at most one router in Active state in the HSRP group.
18. HSRP Configuration
19. Configuring HSRP To configure a router as a member of an HSRP standby group, enter the following command in interface configuration mode.
Router(config-if)#standby group-number ip virtual-ip-address
* group-number – (Optional) Indicates the HSRP group to which this interface belongs. Default group is zero.
* virtual-ip-address – Address of the virtual HSRP router.
Sample configuration:
int fa0/0
ip address 10.1.1.2 255.255.255.0
standby 50 ip 10.1.1.1
exit
A#show run
...
interface FastEthernet0/0
...
standby 50 ip 10.1.1.1
...
20. How HSRP addresses redundancy issues HSRP routers on a LAN segment or VLAN communicate among themselves to designate three possible router roles:
* active
* standby
* listen (every other router in the group)
The active router receives the packets sent to the virtual MAC address.
The active router answers ARP requests for the virtual IP address with the virtual MAC address.
If the active router fails, the standby router takes over and delivers packets using the same virtual IP and virtual MAC address, so the failover is transparent to users.
If a third HSRP router is added to the LAN segment, it monitors the hellos in the listen state; it becomes the standby router only if its priority (or, on a tie, its IP address) outranks the current standby router.
HSRP also works with proxy ARP. When an active HSRP router receives an ARP request for a node that is not on the local LAN, it replies with the virtual MAC address.
If the router that originally sent that ARP reply later loses its connection, the new active router can still deliver the traffic, because the host's ARP entry points at the virtual MAC rather than at a physical router.
21. HSRP standby priority Each standby group has its own active and standby routers. The network administrator can assign a priority value to each router in a standby group. This lets the administrator control the order in which active routers for that group are selected. To set the priority value of a router, enter the following command in interface configuration mode.
Router(config-if)#standby group-number priority priority-value
* group-number – (Optional) Indicates the HSRP standby group. The range is 0 to 255.
* priority-value – Indicates the number that prioritizes a potential hot standby router. The range is 0 to 255 with a default of 100.
The router in an HSRP group with the highest priority becomes the forwarding router. The tiebreaker for equal priorities is the higher interface IP address.
Example:
A(config-if)#standby 50 priority 150
This gives the router A interface a priority of 150 in HSRP standby group 50.
22. HSRP standby preempt The standby router assumes the active router role when the active router fails or is removed from service. This new active router remains as the forwarding router even when the former active router with the higher priority regains service in the network.
The former active router can be configured to resume the forwarding router role from a router with a lower priority. To enable a router to resume the forwarding router role, enter the following command in interface configuration mode:
Router(config-if)#standby group-number preempt
When the standby preempt command is issued, the interface changes to the appropriate state.
The following message is generated as soon as the router becomes active in the network:
3w1d : %STANDBY-6-STATECHANGE: STANDBY: 50: FastEthernet0/0 state Standby -> Active
In practice preempt is combined with a delay (standby group-number preempt delay minimum seconds) so that a router that has just reloaded does not take the active role before its routing table has converged.
23. HSRP hello timers An HSRP enabled router sends hello messages to indicate that the router is running and is capable of becoming either the active or standby router.
The hello message contains the priority of the router, hellotime and holdtime.
The hellotime value indicates the interval between the hello messages.
The holdtime value contains the amount of time that the current hello message is considered valid.
If an active router sends a hello message, then receiving routers consider that hello message to be valid for one holdtime.
The holdtime value should be at least three times the value of the hellotime.
Both the hellotime and the holdtime parameters are configurable:
Router(config-if)#standby group-number timers hellotime holdtime
* group-number – (Optional) Group number on the interface to which the timers apply. The default is zero.
* hellotime – Hello interval in seconds (1~255, default=3)
* holdtime – Time before the active or standby router is declared to be down (1~255, default =10)
Example. The following sets the interface hello time to 5 s and hold time to 15 s:
A(config-if)#standby 50 timers 5 15
24. HSRP interface tracking If fa0/1 on Router A goes down, Router A loses its direct connection to the backbone.
The fa0/0 on Router A is still up, so hosts keep sending packets destined for the core to Router A, which forwards them in turn to Router B, regardless of HSRP.
To prevent this inefficient traffic flow, set up interface tracking on the HSRP interface:
Router(config-if)#standby group-number track intf-type number [priority-decrement]
* priority-decrement – (Optional) Amount by which the router's HSRP priority is reduced while the tracked interface is down. The default is 10.
Tracking only lowers the priority. The standby router takes over only if its own priority is now higher and it is configured with preempt, so configure preempt on the routers that are expected to react to tracking.
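The election rules from the priority, preempt and tracking slides, modelled as an added example in Python (not code from the module or from Cisco): the highest priority wins the active role, equal priorities are broken by the higher interface IP address, a router takes the active role away from a live active router only if it has preempt configured, and a tracked interface that is down lowers the priority by its decrement (10 by default on IOS). Router names, addresses, priorities and the tracked interface name fa0/1 are made up for the example. The model makes the practical caveat visible: tracking on the active router changes nothing unless another router has preempt, because without preempt nobody claims the role from a router that is still sending hellos.

```python
"""HSRP active/standby election: priority, IP tiebreak, preempt and interface tracking.

Added example, not from the original module. Names, addresses, priorities and the
tracked interface "fa0/1" used in the demo are made up.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class HsrpRouter:
    name: str
    ip: str                                    # physical interface address (the tiebreaker)
    priority: int = 100                        # IOS default priority
    preempt: bool = False                      # IOS default: no preempt
    tracks: dict = field(default_factory=dict)  # tracked interface -> decrement (IOS default 10)
    down: set = field(default_factory=set)      # tracked interfaces that are currently down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        penalty = sum(dec for intf, dec in self.tracks.items() if intf in self.down)
        return max(0, self.priority - penalty)

    def key(self) -> tuple:
        """Election order: highest effective priority, then highest interface IP address."""
        return (self.effective_priority(), int(ipaddress.IPv4Address(self.ip)))


class HsrpGroup:
    def __init__(self, group: int, routers):
        self.group = group
        self.routers = {r.name: r for r in routers}
        self.active = None
        self.standby = None
        self.elect()

    def elect(self):
        """Recompute the active and standby roles after any change in the group."""
        ranked = sorted(self.routers.values(), key=HsrpRouter.key, reverse=True)
        current = self.routers.get(self.active)
        if current is None:
            # No live active router (startup, or it failed): the best candidate takes over.
            self.active = ranked[0].name
        else:
            # A live active router keeps the role unless a better router sends a coup,
            # and only a router configured with preempt does that.
            challengers = [r for r in ranked
                           if r is not current and r.preempt and r.key() > current.key()]
            if challengers:
                self.active = challengers[0].name
        # The standby role always goes to the best of the remaining routers; the rest listen.
        rest = [r.name for r in ranked if r.name != self.active]
        self.standby = rest[0] if rest else None
        return self.active, self.standby

    def fail(self, name: str):
        """The router stops sending hellos; once the holdtime expires it is out of the group."""
        self.routers.pop(name)
        if self.active == name:
            self.active = None
        return self.elect()

    def join(self, router: HsrpRouter):
        """A router (re)joins the group, for example after a reload."""
        self.routers[router.name] = router
        return self.elect()

    def set_link(self, name: str, intf: str, up: bool):
        """A tracked interface changes state on one router."""
        r = self.routers[name]
        (r.down.discard if up else r.down.add)(intf)
        return self.elect()


if __name__ == "__main__":
    g = HsrpGroup(50, [HsrpRouter("A", "10.1.1.2", priority=150, preempt=True, tracks={"fa0/1": 60}),
                       HsrpRouter("B", "10.1.1.3", preempt=True),
                       HsrpRouter("C", "10.1.1.4")])
    print("startup            ", (g.active, g.standby))
    print("A fa0/1 down       ", g.set_link("A", "fa0/1", up=False))
    print("A fa0/1 back up    ", g.set_link("A", "fa0/1", up=True))
    print("A fails            ", g.fail("A"))
    print("A returns, no preempt", g.join(HsrpRouter("A", "10.1.1.2", priority=150)))
```

In the demo, B and C both have the default priority of 100, so C wins the standby role on the higher IP address; when A's tracked interface goes down its priority drops to 90 and B, which has preempt, sends a coup and becomes active, while C, without preempt, would have left A in place even though C outranks it.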
25. Verify HSRP configuration To display the status of the HSRP router, enter the following command in privileged EXEC mode:
Router#show standby [intf-type number] [group] [brief]
* intf-type number – (Optional) Indicates the target interface type and number for which output is displayed.
* group – (Optional) Indicates a specific HSRP group on the interface for which output is displayed.
* brief – (Optional) Displays a single line of output summarizing each standby group.
If none of the optional parameters are used, show standby displays HSRP information for all interfaces.
26. HSRP over trunk links Running HSRP over ISL allows users to configure redundancy between multiple routers that are configured as front ends for VLAN IP subnets. By configuring HSRP over ISL, situations in which a single point of failure causes traffic interruptions can be eliminated.
To configure HSRP over an ISL link between VLANs, perform the following steps on each subinterface:
1. Define the encapsulation format
2. Define an IP address
3. Enable HSRP
HSRP is also supported over 802.1Q trunks.
27. Troubleshooting HSRP Prior to IOS release 12.1, the HSRP debugging command was relatively simple. To enable HSRP debugging, the debug standby command would be used to enable output of HSRP state and packet information for all standby groups on all interfaces.
A debug condition was added in IOS release 12.0(2.1) that allows the output from the standby debug command to be filtered based upon interface and group number. The command utilizes the debug condition paradigm introduced in IOS release 12.0, as follows: debug condition standby interface group. The interface specified must be a valid interface capable of supporting HSRP.
The debug conditions may be set for groups that do not exist, thereby allowing capture of debug information during the initialization of a new group.
The debug standby command must still be enabled for any output to be produced. If no standby debug conditions are specified, output is produced for all groups on all interfaces. Configuring at least one standby debug condition causes the output to be filtered.
28. VRRP VRRP differs from HSRP in the following ways:
* VRRP is an IETF standard (RFC 3768) for router redundancy; HSRP is Cisco proprietary.
* The virtual router, representing a group of routers, is known as a VRRP group.
* The active router is referred to as the master virtual router.
* The master virtual router may own the virtual IP address, that is, the group's IP address can be the real interface address of the master.
* Multiple routers can function as backup routers.
Redundancy features:
* VRRP provides redundancy either for the real IP address of a router or for a virtual IP address shared among the VRRP group members.
* If a real IP address is used, the router that owns it becomes the master. If a virtual IP address is used, the master is the router with the highest priority.
* A VRRP group has one master router and one or more backup routers. The master sends VRRP advertisements carrying its priority and the virtual IP addresses; the backup routers use them to decide whether the master is still alive.
* The master sends the advertisement to multicast 224.0.0.18 at a default interval of 1 second.
* VRRP has no separate coup message: preemption is on by default, so a backup router with a higher priority simply takes over the master role when it comes up.
* A master that advertises a priority of zero is releasing the role, which triggers an immediate transition to a backup router; the effect is similar to an HSRP resign message.
* Dynamic failover when the master becomes unavailable uses two timers: the advertisement interval and the master-down interval. The master-down interval is three times the advertisement interval plus a skew time of (256 - priority)/256 seconds, so the backup with the highest priority declares the master down first.
29. Virtual Router Redundancy Protocol (VRRP) Both HSRP and VRRP enable two or more devices to work together in a group, sharing a single virtual IP address.
In HSRP, both the active and standby routers send periodic hello messages. In VRRP, only the master sends periodic messages, known as advertisements.
Cisco recommends using HSRP for superior convergence characteristics. Use VRRP only when local subnet interoperability is required with other vendors.
30. VRRP Configuration
31. VRRP Configuration
32. Gateway Load Balancing Protocol (GLBP)
Cisco designed Gateway Load Balancing Protocol (GLBP) to allow automatic selection and simultaneous use of multiple, available gateways, as well as automatic failover between those gateways.
Multiple routers share the load of frames that, from a client perspective, are sent to a single default gateway address.
With GLBP, resources can be fully utilized without the administrative burden of configuring multiple groups and managing multiple default gateway configurations as is required with HSRP and VRRP.
33. Gateway Load Balancing Protocol (GLBP) Besides redundancy, GLBP also allows a group of routers to share the load of the default gateway on a LAN. This is achieved by handing different hosts different virtual MAC addresses in the ARP replies for the one gateway IP address.
34. GLBP Load Balancing
GLBP supports three load-balancing algorithms:
* Weighted load-balancing algorithm – The amount of load directed to a router depends on the weighting value advertised by that router.
* Host-dependent load-balancing algorithm – A host is guaranteed to use the same virtual MAC address as long as that virtual MAC address is participating in the GLBP group.
* Round-robin load-balancing algorithm – As clients send ARP requests to resolve the MAC address of the default gateway, the reply to each client contains the MAC address of the next router in round-robin fashion. Each router's virtual MAC address takes turns being included in address-resolution replies for the default gateway IP address.
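The three algorithms above, modelled as an added example in Python (not code from the module or from Cisco). In GLBP the one router elected active virtual gateway (AVG) answers every ARP request for the shared gateway IP, but hands different hosts the virtual MAC of a different active virtual forwarder (AVF); when an AVF fails, another AVF takes over its virtual MAC so hosts that cached it keep a working gateway. Assumptions: the virtual MAC layout 0007.b4xx.xxyy (group number, then forwarder number) is the one IOS uses; router names, weights and host addresses are made up; the host-dependent hash is an illustrative SHA-256 rather than the IOS hash; and the redirect and secondary-holdtime timers that control how long a failed AVF's MAC keeps being handed out are not modelled.

```python
"""GLBP active virtual gateway: one gateway IP, several virtual MACs in the ARP replies.

Added example, not from the original module. Router names, weights and host
addresses are made up; the host-dependent hash is illustrative, not the IOS one.
"""
import hashlib

ALGORITHMS = ("round-robin", "host-dependent", "weighted")


def glbp_vmac(group: int, forwarder: int) -> str:
    """Virtual MAC 0007.b4xx.xxyy: xxxx is the group number, yy the forwarder number."""
    if not (0 <= group <= 1023 and 1 <= forwarder <= 4):
        raise ValueError("GLBP group is 0..1023 and forwarder number 1..4")
    return f"0007.b4{group >> 8:02x}.{group & 0xff:02x}{forwarder:02x}"


class AVG:
    def __init__(self, group: int, gateway_ip: str, forwarders: dict, algorithm="round-robin"):
        """forwarders maps router name -> weight (1 or more); at most four AVFs per group."""
        if not 1 <= len(forwarders) <= 4 or any(w < 1 for w in forwarders.values()):
            raise ValueError("one to four forwarders, each with weight >= 1")
        if algorithm not in ALGORITHMS:
            raise ValueError(f"unknown algorithm {algorithm!r}")
        self.group, self.gateway_ip, self.algorithm = group, gateway_ip, algorithm
        # Every AVF gets its own virtual MAC; the AVG hands these out in ARP replies.
        self.vmac_of = {name: glbp_vmac(group, n) for n, name in enumerate(forwarders, start=1)}
        self.weight = {self.vmac_of[name]: w for name, w in forwarders.items()}
        self.owner = {mac: name for name, mac in self.vmac_of.items()}  # who forwards for it now
        self.live = set(forwarders)
        self._turn = 0

    def advertised(self) -> list:
        """Virtual MACs the AVG still hands out: those currently owned by a live forwarder."""
        return [mac for mac in self.vmac_of.values() if self.owner[mac] in self.live]

    def arp_reply(self, host_ip: str) -> str:
        """Answer an ARP request for gateway_ip with one forwarder's virtual MAC."""
        macs = self.advertised()
        if not macs:
            raise RuntimeError("no live forwarder; the AVG cannot answer")
        if self.algorithm == "round-robin":
            mac = macs[self._turn % len(macs)]
            self._turn += 1
        elif self.algorithm == "weighted":
            # Expand by weight, so a forwarder with weight 3 appears three times per cycle.
            pool = [m for m in macs for _ in range(self.weight[m])]
            mac = pool[self._turn % len(pool)]
            self._turn += 1
        else:
            # host-dependent: the same host always resolves to the same virtual MAC.
            digest = int(hashlib.sha256(host_ip.encode()).hexdigest(), 16)
            mac = macs[digest % len(macs)]
        return mac

    def fail(self, name: str) -> None:
        """An AVF stops responding: the surviving AVF with the highest weight takes over its
        virtual MAC, so hosts holding that MAC in their ARP cache keep a working gateway."""
        self.live.discard(name)
        survivors = sorted(self.live, key=lambda n: (self.weight[self.vmac_of[n]], n), reverse=True)
        for mac, owner in self.owner.items():
            if owner == name and survivors:
                self.owner[mac] = survivors[0]


if __name__ == "__main__":
    avg = AVG(1, "10.1.1.1", {"R1": 3, "R2": 1}, algorithm="weighted")
    for i in range(10, 18):
        print(f"10.1.1.{i} -> {avg.arp_reply(f'10.1.1.{i}')}")
    avg.fail("R1")
    print("after R1 fails, 0007.b400.0101 is served by", avg.owner["0007.b400.0101"])
```

In the weighted run, R1 with weight 3 receives six of the eight ARP replies and R2 two; after R1 fails, its virtual MAC is forwarded for by R2, so the six hosts that cached 0007.b400.0101 keep a gateway without re-ARPing.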
35. GLBP Configuration
36. GLBP Configuration
37. Route Processor Redundancy Plus – RPR+
38. Catalyst 6500 - Layer 3 functionality
The MSFC builds the Cisco Express Forwarding (CEF) Forwarding Information Base (FIB) in software and downloads it to the hardware (ASICs) on the Policy Feature Card (PFC) and on any installed Distributed Forwarding Card (DFC).
An MSFC3 with a PFC3 on a Supervisor Engine 720 adds Stateful Switchover (SSO) and Nonstop Forwarding (NSF).
39. Stateful Switchover – SSO
When a redundant supervisor engine runs in SSO mode, it starts up in a fully initialized state and synchronizes with the persistent configuration and the running configuration of the active supervisor engine.
* SSO offers zero interruption to Layer 2 sessions in a redundant supervisor engine configuration.
* Ports that were active before the switchover remain active, including the uplink ports.
* Uplink ports that are physically on the supervisor engine are disconnected only if that supervisor engine is removed.
* If the active supervisor engine fails, the redundant supervisor engine becomes active.
* The newly active supervisor engine uses the existing Layer 2 switching information to continue forwarding traffic.
* Layer 3 forwarding is delayed until the routing tables have been repopulated on the newly active supervisor engine.
SSO is supported in 12.2(20)EWA and later releases.
40. Single Router Mode (SRM) redundancy SRM redundancy is another alternative to having both Multilayer Switch Feature Card (MSFC) in a chassis active at the same time.
Using SRM redundancy, only the designated router MSFC is visible to the network at any given time. The non-designated router is booted up completely and participates in configuration synchronization, which is automatically enabled when entering SRM.
Unlike the MSFC high availability method, the configuration of the non-designated router is exactly the same as the designated router, but its interfaces are kept in a "line down" state and are not visible to the network.
Processes, such as routing protocols, are created on the non-designated router and the designated router. All non-designated router interfaces are in a "line down" state and do not send or receive updates from the network.
When the designated router fails, the non-designated router changes its state to become the designated router and the interface states change to "link up". The router builds its routing table while the existing Supervisor engine switch processor entries are used to forward Layer 3 traffic.
After the newly designated router builds its routing table, the entries in the switch processor are updated.
41. Failure with SRM and SSO
When the switch is powered on, SRM with SSO runs between the two Supervisor Engines.
The Supervisor Engine that boots first becomes the active Supervisor.
The Multilayer Switch Feature Card 3 MSFC3 and Policy Feature Card 3 PFC3 become fully operational.
If the active Supervisor Engine 720 or MSFC3 fails, the redundant Supervisor Engine 720 and MSFC3 become active.
The newly active Supervisor Engine 720 uses the existing PFC3 Layer 3 switching information to forward traffic while the newly active MSFC3 builds its routing table.
The routing protocols have to re-establish adjacencies with their neighbors or peers before the Routing Information Base is rebuilt.
Until then the neighbors treat the switch as down: they withdraw the routes they learned from it, so traffic that depends on those routes stops flowing through the switch even though its PFC3 forwarding entries are still in place. This is the gap that NSF is designed to close.
42. SSO Configuration
43. Nonstop Forwarding – NSF
Cisco NSF always runs with SSO and provides redundancy for Layer 3 traffic. NSF works with SSO to minimize the amount of time that a network is unavailable to its users following a switchover.
The main purpose of NSF is to continue forwarding IP packets after a supervisor engine switchover, while the routing protocols re-establish their peering relationships.
Cisco NSF benefits:
* Improved network availability.
* Improved network stability, because the number of route flaps is reduced.
* Because the interfaces remain up throughout a switchover, neighboring routers do not detect a link flap (the link does not go down and come back up).
* User sessions established before the switchover are maintained.
44. NSF aware protocols and Failover
The routing protocols run only on the MSFC of the active supervisor engine, and they receive routing updates from their neighbor routers.
Routing protocols do not run on the MSFC of the redundant supervisor engine.
Following a switchover, the routing protocols request that the NSF-aware neighbor devices send state information to help rebuild the routing tables.
The following events cause a switchover:
* A hardware failure on the active supervisor engine
* Clock synchronization failure between supervisor engines
* A manual switchover
45. NSF Configuration
To verify the NSF configuration:
show running-config
show ip protocols
46. Power supply
47. redundant power supplies
48. redundancy in a switched network
* Reliable, fault-tolerant network devices – Hardware and software reliability to automatically identify and overcome failures.
* Device and link redundancy – Entire devices may be redundant, or modules within devices can be redundant. Links may also be redundant.
* Resilient network technologies – Intelligence that ensures fast recovery around any device or link failure.
* Optimized network design – Well-defined network topologies and configurations designed to ensure there is no single point of failure.
* Best practices – Documented procedures for deploying and maintaining a robust e-commerce network infrastructure.
49. device-level fault tolerance Fault tolerance through device replication offers these benefits:
* Minimizes the time periods during which the system is non-responsive to requests (for example, while the system is being reconfigured because of a component failure or recovery).
* Eliminates all single points of failure that would cause the system to stop.
* Provides disaster protection by allowing the major system components to be separated geographically.
Drawbacks:
* Massive redundancy within each device adds significantly to its cost. It also reduces the physical capacity of each device by consuming slots that could otherwise house network interfaces or provide useful network services.
* Redundant subsystems within devices are often maintained in a hot-standby mode, so the spare capacity is idle until a failure occurs.
* Focusing on device-level hardware reliability may result in a number of other failure mechanisms being overlooked.
50. redundant network topology
51. stacked switches
52. access layer best practices
53. distribution layer best practices
54. Layer 2 and 3 redundancy alignment
55. Layer 2 and 3 redundancy alignment
56. Layer 2 and 3 redundancy alignment
57. core layer best practices