ACLs and HSRP, BGP, OSPF, VRRP, GLBP…
Here’s a handy list of ACL entries to allow your devices to speak routing protocols, availability protocols, and some other stuff. We’ll assume you have ACL 101 applied to your Ethernet inbound; your Ethernet has an IP of 192.168.0.1.
- BGP : Runs on TCP/179 between the neighbors
access-list 101 permit tcp any host 192.168.0.1 eq 179
- EIGRP : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.10
access-list 101 permit eigrp any host 224.0.0.10
- OSPF : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.5; also talks to 224.0.0.6 for DR/BDR routers
access-list 101 permit ospf any host 224.0.0.5
access-list 101 permit ospf any host 224.0.0.6
- HSRP : Runs on UDP/1985 from the source interface IP to the multicast address of 224.0.0.2. I’ve seen in the past that it runs on UDP/1985, but I didn’t find any evidence of that in a quick Google for it. Can someone verify?
access-list 101 permit udp any host 224.0.0.2 eq 1985
- HSRP version 2 : Runs on UDP/1985 from the source interface IP to the multicast address of 224.0.0.102.
access-list 101 permit udp any host 224.0.0.102 eq 1985
- RIP : Runs on UDP/520 from the source interface IP to the multicast address of 224.0.0.9
access-list 101 permit udp any host 224.0.0.9 eq 520
- VRRP : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.18
access-list 101 permit 112 any host 224.0.0.18
- VRRP-E : This is a Foundry thing according to readers, and runs on UDP/8888 from the source interface IP to the multicast address of 224.0.0.2
access-list 101 permit udp any host 224.0.0.2 eq 8888
- GLBP : Runs on UDP from the source interface IP to the multicast address of 224.0.0.102
access-list 101 permit udp any host 224.0.0.102
- DHCPD (or bootps) : Runs on UDP/67 from 0.0.0.0 (since the client doesn’t have an address yet) to 255.255.255.255 (the broadcast).
access-list 101 permit udp any host 255.255.255.255 eq 67
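As an added illustration (not from the original post), here is a small Python evaluator for extended ACL entries of the form used above: it parses each line, applies first-match semantics with the implicit deny at the end, and checks sample flows for the protocols in the list. The ACL below is a constructed copy of the entries above with the HSRP version 2 line written for 224.0.0.102 as its description says; the sample source addresses are made up.

```python
import ipaddress

# IOS protocol keywords used on this page; anything else must be a raw protocol number
PROTO_NUMS = {"tcp": 6, "udp": 17, "eigrp": 88, "ospf": 89}

def _addr(tok, i):
    """Consume one address spec (any | host A | A WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[i + 1])))  # wildcard = inverted mask
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2

def parse_ace(line):
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' entry; 'ip' matches any protocol."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    proto = None if proto == "ip" else (PROTO_NUMS[proto] if proto in PROTO_NUMS else int(proto))
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; a flow that matches nothing hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in (None, proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

# Constructed copy of the page's ACL 101 (HSRPv2 entry written for 224.0.0.102, as its text says)
ACL_101 = [parse_ace(l) for l in """
access-list 101 permit tcp any host 192.168.0.1 eq 179
access-list 101 permit eigrp any host 224.0.0.10
access-list 101 permit ospf any host 224.0.0.5
access-list 101 permit ospf any host 224.0.0.6
access-list 101 permit udp any host 224.0.0.2 eq 1985
access-list 101 permit udp any host 224.0.0.102 eq 1985
access-list 101 permit udp any host 224.0.0.9 eq 520
access-list 101 permit 112 any host 224.0.0.18
access-list 101 permit udp any host 255.255.255.255 eq 67
""".splitlines() if l.strip()]
```

Note that the BGP entry only covers sessions the neighbor opens toward 192.168.0.1; when this router initiates the session, the return packets arrive from source port 179 to an ephemeral local port and need a matching entry such as `permit tcp any eq 179 host 192.168.0.1`.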
If anyone else has one to add, do so in the comments.
Object Tracking and HSRP
We’ve done some tracking with HSRP in other articles, but there are lots and lots of ways to use object tracking on an HSRP device. In our example network, we tracked the interface, and, if it went down, we decremented the standby priority. What if just the line protocol goes down? How about if the BGP peer on the other end stops sending you routes? If you don’t know that object tracking is the answer, you didn’t read the title.
In doing any type of object tracking, the first thing you do is…wait for it…create the object. Let’s do the line protocol object first.
track 100 interface S0/0 line-protocol
This creates an object with the object number of 100 that tracks the line protocol of interface S0/0. Now what? If we look back to the HSRP setup we have two routers with HSRP running on each of the FastEthernets. If we add an interface S0/0 for Internet access (or corporate access or POS access or access to your toilet), we probably want to track the line protocol of those interfaces to make sure the interface is still healthy. Here’s the new configuration on the FastEthernet interfaces.
interface FastEthernet 0/0
ip address 10.1.1.11 255.255.255.0
standby 75 ip 10.1.1.1
standby 75 priority 100
standby 75 preempt
standby 75 track 100 decrement 55
Now, when the line protocol of S0/0 goes down, the priority of standby group 75 goes down by 55. Sweet. How about if S0/0 is to an Internet circuit, and the BGP peer stops providing routes? It’s just as easy to set up.
First, you need to find a route in your BGP table that’s going to be stable. I like Google or Yahoo, but it doesn’t really matter. Let’s say the route you want is 1.2.0.0/20, so let’s build the object.
track 101 ip route 1.2.0.0/20 reachability
We put this in the config, and we end up with this.
interface FastEthernet 0/0
ip address 10.1.1.11 255.255.255.0
standby 75 ip 10.1.1.1
standby 75 priority 100
standby 75 preempt
standby 75 track 101 decrement 55
If your router doesn’t have the exact route in object 101, the priority of standby group 75 goes down by 55. Notice I said exact — if you have a bigger or smaller route, it won’t match. You knew that, though. And, yes, you can have more than one track statement in each standby group, so you can track the route and the line protocol at the same time if you want. Good stuff.
If you implement HSRP anywhere, you should probably do tracking of some kind. Check out Cisco’s page on Enhanced Object Tracking for a list of the tracking objects you can use.
HSRP Interface Tracking
Remember the article on router-on-a-stick? And the one on HSRP? Let’s add to that example network, shall we? Let’s make those routers into edge routers so they connect your internal network to the Internet with some size circuit. Let’s just say they each terminate DS3s to different providers.
Here’s our network now (I’m experimenting with Visio alternatives, so excuse the diagram footer there). Let’s assume that we have HSRP set up like the HSRP article and that we have many sub-interfaces on the Ethernet side of the routers like the ROAS article. Also, Router1 is the HSRP active peer and each router has a default route pointing to the upstream ISP through interface Serial 0/0.
This looks pretty good, but what happens if the DS3 on Router1 goes down? We won’t be able to pass traffic to the Internet at all since all the hosts are using the HSRP IP as their gateways. Oh, God…that sucks. What can we do? HSRP has a tracking feature, and we can use it to monitor the DS3 and decrement priority if something happens to it.
Like everything in the network world, this is a piece of cake. All we have to do is add one single line to each of our HSRP standby groups to set this all up. Remember to do each standby group on both routers.
standby 1 track Serial 0/0 decrement 55
Now, when the interface goes down, the HSRP priority will be decremented by 55. If Router1 gets decremented by 55, Router2 will be the active peer since Router1’s new priority will be 45. If Router2 loses the interface and gets decremented by 55, nothing will really happen since Router2 is already the standby peer.
----
The note: An interface has to be down for this to take place. If you lose line protocol but the interface stays up (the interface is up/down), HSRP won’t decrement the priority. Look out for an article on object tracking later to fix this problem.
Running HSRP for Availability
In the article describing a router-on-a-stick, I mentioned that I would use two routers that run HSRP for availability, so I figured that I would write up a short post on what it is and how it works.
HSRP (Hot Standby Router Protocol) is a Cisco-proprietary protocol for establishing two or more layer-3 devices as a fault-tolerant gateway. Please note that it is not a routing protocol like OSPF or BGP. HSRP provides availability and fault-tolerance…it does not advertise routes. I actually found several Google results that said it was a routing protocol. Those were on the first page of the results, so be careful when searching! Webopedia.com is terrible.
I’m sure you would like to know how it works, so let’s walk through the process. Each router (we’ll just assume it’s a router, but you can run HSRP on any Cisco layer-3 device) is configured with a standby group, priority, and standby address. Each advertises its configuration to the others, and, after everyone knows what the other routers’ settings are, each looks at the list of priorities and figures out which one is the highest. If a router thinks that it has the highest priority, it becomes the active router and will start answering for the standby address. If a router doesn’t think it has the highest priority, it becomes the standby router and just chills. Every few seconds, everyone sends hello packets to let everyone know that they’re still alive, and, if the active router doesn’t answer in a certain amount of time, another internal election occurs, and the router with the highest priority becomes the new active router. This whole process takes less than 10 seconds and is automatic. As long as at least one router is configured for the standby group, the standby IP is available.
That was awfully technical, so let’s look at an example. Here’s another terrible diagram to show what I’m talking about. I can’t afford Visio. :( Anyway, both routers have their FastEthernet0/0 on the same network, and we want to configure them as HSRP pairs.

Let’s do the configuring. We’ll use standby group 75 for our configuration. It’s just a number so you can use multiple HSRP configurations on the same interface, so it doesn’t really matter. Router 1 and Router 2 have IP addresses of 10.1.1.11 and 10.1.1.12, respectively. We’ll use 10.1.1.1 as the standby IP. We’ll also say that the priority of Router 1 should be higher just so we can get an example going.
Router 1
interface FastEthernet 0/0
ip address 10.1.1.11 255.255.255.0
standby 75 ip 10.1.1.1
standby 75 priority 100
standby 75 preempt
Router 2
interface FastEthernet 0/0
ip address 10.1.1.12 255.255.255.0
standby 75 ip 10.1.1.1
standby 75 priority 50
standby 75 preempt
The only thing I haven’t noted yet is the preempt command. This tells the router that it can take over the standby IP if its priority says so. Everything else is pretty straightforward and should work like a champ. If you’re using a router-on-a-stick setup, you configure the sub-interfaces instead of the physical interfaces (like F0/0.1 instead of F0/0).
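To make the election, preempt and tracking rules from this post and the two tracking posts above concrete, here is an added Python model of a standby group (not part of the original posts): configured priority, preempt, per-router track decrements and a liveness flag, run through the scenario where Router1 loses the line protocol behind track object 100 and then gets it back. Router names, addresses, priorities and the decrement of 55 come from the posts; the Router class, rank and elect functions are this model’s own assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class Router:
    """One HSRP member of a standby group, as configured on its FastEthernet interface."""
    name: str
    ip: str                           # interface address; the higher IP wins a priority tie
    priority: int = 100               # standby <grp> priority <n>
    preempt: bool = False             # standby <grp> preempt
    tracks: dict = field(default_factory=dict)  # object id -> decrement (standby <grp> track <obj> decrement <n>)
    down: set = field(default_factory=set)      # tracked objects currently down on this router
    alive: bool = True                # False once its hellos stop arriving

def effective_priority(r):
    """Configured priority minus the decrement of every tracked object that is down."""
    return max(0, r.priority - sum(dec for obj, dec in r.tracks.items() if obj in r.down))

def rank(r):
    """Election key: effective priority first, interface address as the tie-breaker."""
    return (effective_priority(r), int(ip_address(r.ip)))

def elect(routers, current=None):
    """Return the active router after one election round.
    A live active router keeps the role even at a lower priority unless the
    better candidate has preempt configured; if the active router is gone, the best live one wins."""
    live = [r for r in routers if r.alive]
    if not live:
        return None
    best = max(live, key=rank)
    if current is not None and current.alive and best is not current and not best.preempt:
        return current
    return best

def run_scenario():
    """Walk the two-router example: Router1's S0/0 line protocol (object 100) fails, then recovers."""
    r1 = Router("Router1", "10.1.1.11", 100, True, {100: 55})
    r2 = Router("Router2", "10.1.1.12", 50, True, {100: 55})
    group = [r1, r2]
    timeline = []
    active = elect(group)            # initial election: Router1 at 100 beats Router2 at 50
    timeline.append(active.name)
    r1.down.add(100)                 # Router1 drops to 100 - 55 = 45, Router2 (preempt) takes over
    active = elect(group, active)
    timeline.append(active.name)
    r1.down.discard(100)             # line protocol back: Router1 is at 100 again and preempts
    active = elect(group, active)
    timeline.append(active.name)
    return timeline
```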
Have fun and let me know if you have any questions.
A note as usual: These are just the basics of HSRP. It can do all sorts of stuff like interface tracking, object tracking, load sharing (it’s a workaround, really), and authentication.