From: ccie2be (ccie2be@nyc.rr.com)
Date: Wed Jul 06 2005 - 09:19:46 GMT-3
Hi Tom,
Thanks for setting me straight on this. I was close but not quite on the
money.
When HSRP is configured this way with the use-bia command, is the failover
fast enough that any active sessions that hosts might have at the time of
switch over remain intact?
I'm wondering if it's possible to config port security on the 3550 and the
use-bia on the routers such that a failover is transparent to hosts sessions
maybe by lowering hsrp timers?
One last thing:
Suppose your topology was like this:
R1 R2 -----> R3 net3
e0 e0
|----hsrp----|
|
other hosts
R1 is the active router. R2 is the standby router but packets must get to
R3 to get to net3.
How should HSRP be configured such that the hosts use R1 for all
destinations except for net3?
I know that, by default, hsrp disables redirects so I assume I need to
enable redirects. But, how do redirects work in such a topology? Will R1
redirect packets to R2's E0's real ip address?
Besides enabling redirects, is anything else required for this to work?
Thanks very much for your help.
Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tom
Lijnse
Sent: Wednesday, July 06, 2005 2:53 AM
To: ccie2be; Spyros Kranis
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.
Hi Tim,
In answer to your question:
"Do you know, by any chance, what happens during a failover from a host
point of view? IOW, when the standby router takes over, the virtual mac
address used will also change since now it will become the bia of the
former standby router which is now the active router."
Unfortunately you're making an incorrect assumption here. When using
'use-bia' each of the routers uses its own mac-address, they don't take
over each other's burnt-in-address and there is no virtual mac-address.
So in this case there isn't any shared mac-address.
The trick is that when the standby router takes over it will send out
gratuitous arp-replies, to force all hosts to update their arp table
with the new mac-address instead of the mac-address of the old active
router. This mechanism is not as transparent to the end-hosts as normal
HSRP, since it requires the hosts to react to gratuitous arp-replies by
updating their arp-cache.
See the following show commands and debugs to illustrate the principle:
Let's look at the Active router first:
R5#sh run int e 0/0
Building configuration...
Current configuration : 119 bytes
!
interface Ethernet0/0
ip address 10.4.5.5 255.255.255.0
half-duplex
standby use-bia
standby 37 ip 10.4.5.37
end
R5#sh standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual
IP
Et0/0 37 100 Active local 10.4.5.4
10.4.5.37
R5#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.4.5.5 - 0006.53ab.57c1 ARPA Ethernet0/0
Internet 10.4.5.4 84 0006.53ab.6701 ARPA Ethernet0/0
Internet 10.4.5.37 - 0006.53ab.57c1 ARPA Ethernet0/0
So you can see that at least in his own arp-cache this router 'claims'
the virtual ip address tying it to its own mac-address.
Let's look at the Standby router:
R4#sh run int e 0/0
Building configuration...
Current configuration : 119 bytes
!
interface Ethernet0/0
ip address 10.4.5.4 255.255.255.0
half-duplex
standby use-bia
standby 37 ip 10.4.5.37
end
R4#sh standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual
IP
Et0/0 37 100 Standby 10.4.5.5 local
10.4.5.37
R4#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.4.5.5 84 0006.53ab.57c1 ARPA Ethernet0/0
Internet 10.4.5.4 - 0006.53ab.6701 ARPA Ethernet0/0
R4#debug arp
ARP packet debugging is on
R4#
Now we'll shut the Ethernet on the Active and watch the Standby:
*Mar 1 17:54:18.807: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 37 state
Standby -> Active
*Mar 1 17:54:18.807: IP ARP: sent rep src 10.4.5.37 0006.53ab.6701,
dst 10.4.5.37 ffff.ffff.ffff Ethernet0/0
*Mar 1 17:54:18.807: IP ARP: sent rep src 10.4.5.37 0006.53ab.6701,
dst 10.4.5.37 0100.0ccd.cdcd Ethernet0/0
*Mar 1 17:54:21.807: IP ARP: sent rep src 10.4.5.37 0006.53ab.6701,
dst 10.4.5.37 ffff.ffff.ffff Ethernet0/0
*Mar 1 17:54:21.807: IP ARP: sent rep src 10.4.5.37 0006.53ab.6701,
dst 10.4.5.37 0100.0ccd.cdcd Ethernet0/0
*Mar 1 17:54:24.807: IP ARP: sent rep src 10.4.5.37 0006.53ab.6701,
dst 10.4.5.37 ffff.ffff.ffff Ethernet0/0
*Mar 1 17:54:24.807: IP ARP: sent rep src 10.4.5.37 0006.53ab.6701,
dst 10.4.5.37 0100.0ccd.cdcd Ethernet0/0
R4#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.4.5.5 85 0006.53ab.57c1 ARPA Ethernet0/0
Internet 10.4.5.4 - 0006.53ab.6701 ARPA Ethernet0/0
Internet 10.4.5.37 - 0006.53ab.6701 ARPA Ethernet0/0
R4#
And as you can see, immediately after becoming active this router will
start sending arp-replies with its own mac-address to update the
arp-caches of all hosts on the segment.
Hope this helps,
Tom Lijnse
CCIE #11031
Global Knowledge
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: dinsdag 5 juli 2005 20:53
To: 'Spyros Kranis'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.
Thanks, Spyros. I figured that if the command, use-bia, is configured,
only
1 mac address is needed for port security.
I assume that the switch side of the config is the same regardless of
whether the 2 routers are connected to the same switch or to 2 different
switches, right?
R1 sw1 --- sw2 R2
Do you know, by any chance, what happens during a failover from a host
point
of view? IOW, when the standby router takes over, the virtual mac
address
used will also change since now it will become the bia of the former
standby
router which is now the active router.
Wouldn't this cause the hosts to have a wrong entry in their arp table
once
the standby router takes over? And, wouldn't that cause any active
sessions
to fail while waiting for the old arp table entries to age out on the
hosts?
I vaguely recall that during a failover, the newly active router might
issue
a gratuitous arp which speeds up the process of the hosts updating their
arp
table, but I'm not sure if I remember this correctly.
Any thoughts?
Tim
-----Original Message-----
From: Spyros Kranis [mailto:skranis@algosystems.gr]
Sent: Tuesday, July 05, 2005 1:06 PM
To: 'ccie2be'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.
Tim ,
I labed it up and the only thing that you need is the standby use-bia
command at both routers and the following config to the switch
Int fa0/1
switchport mode access
switchport port-security maximum 1 <-- it is default - the switch does
not
display it
switchport port-security violation restrict
switchport port-security mac-address 0050.3efa.f540 <-- this is the real
mac
address of the router interface.
Int fa0/2
switchport mode access
switchport port-security maximum 1 <-- it is default - the switch does
not
display it
switchport port-security violation restrict
switchport port-security mac-address 0050.1adf.ccbc <-- this is the real
mac
address of the router interface.
HTH
skra
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Tuesday, July 05, 2005 7:25 PM
To: 'Rajib Khan'; alsontra@hotmail.com; 'Lai, Ben'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.
Thanks Raj.
By any chance, do you know if you have to allow a max of 2 addresses for
HSRP to work with port security?
I assume you do but if the command use-bia is configured, than why
wouldn't
just a max of one mac address work?
Thanks again, Tim
_____
From: Rajib Khan [mailto:rajib56666@yahoo.com]
Sent: Tuesday, July 05, 2005 12:13 PM
To: ccie2be; alsontra@hotmail.com; 'Lai, Ben'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.
HI Tim,
You don't need to configure "switchport port-security mac-address
sticky
0050.3eef.6260" in order this to work
with sticky and maximum 2 it wil learn 2 mac address dynamically
But I don't know the answer of your question though. Use a etheral
analyzer
if you can
Thanks
Raj
ccie2be <ccie2be@nyc.rr.com> wrote:
Hi Guys,
Can anybody explain why the below works and what happens when the active
router fails and the standby router takes over as far as the mac
addresses
are concerned?
With the config below, is a failover transparent to users on the
attacked
vlan?
TIA, Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
alsontra@hotmail.com
Sent: Sunday, January 09, 2005 11:29 AM
To: 'Lai, Ben'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.
All,
Below is a 3550 configuration using bia-addresses. Anyone find a fault
in
the logic?
R1
!
interface Ethernet0/0
ip address 120.1.1.1 255.255.255.0
half-duplex
standby use-bia
standby preempt
standby 1 ip 120.1.1.254
standby 1 priority 150
standby 1 preempt
end
R1#sh stan
Ethernet0/0 - Group 1
State is Active
13 state changes, last state change 01:11:22
Virtual IP address is 120.1.1.254
Active virtual MAC address is 0050.3eef.6260
Local virtual MAC address is 0050.3eef.6260 (bia)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.484 secs
Preemption enabled
Active router is local
Standby router is 120.1.1.2, priority 100 (expires in 7.688 sec)
Priority 150 (configured 150)
IP redundancy name is "hsrp-Et0/0-1" (default)
R2
!
interface Ethernet0/0
ip address 120.1.1.2 255.255.255.0
ip pim sparse-dense-mode
half-duplex
ipv6 address 2001::/64 eui-64
standby use-bia
standby 1 ip 120.1.1.254
standby 1 preempt
end
R2#sh stan
Ethernet0/0 - Group 1
State is Standby
19 state changes, last state change 01:11:41
Virtual IP address is 120.1.1.254
Active virtual MAC address is 0050.3eef.6260
Local virtual MAC address is 0050.3efa.f540 (bia)Hello time 3 sec, hold
time
10 sec
Next hello sent in 1.678 secs
Preemption enabled
Active router is 120.1.1.1, priority 150 (expires in 8.470 sec)
Standby router is local
Priority 100 (default 100)
IP redundancy name is "hsrp-Et0/0-1" (default)
3550
!
interface FastEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.3eef.6260
no ip address
!
interface FastEthernet0/2
switchport mode access
switchport port-security maximum 2
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.3efa.f540
no ip address
-----Original Message-----
From: Lai, Ben [mailto:benlai_cn@hotmail.com]
Sent: S! unday, January 09, 2005 10:03 PM
To: 'Alsontra'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.
Firstly, can we use HSRP without a virtual MAC address for the virtual
router?
Secondly, I use sticky address because it is easy to copy the mac
address of
the attached device to the configuration.
Rgds.