RE: 3550 port-security and HSRP.

From: Tom Lijnse (Tom.Lijnse@globalknowledge.nl)
Date: Wed Jul 06 2005 - 12:15:07 GMT-3


Hi Tim,

You reached the exact same conclusion that I did.

If I interpret the documentation correctly R1 will only redirect to R2
if R2 is the Active router for another HSRP group.

Of course 'the proof of the pudding is in the eating' as they say, so
all that needs to be done now is to verify this by labbing it up.

Unfortunately I don't have the opportunity to do this myself right now,
but I'll put this on my list of things to test. If you can find the time
to try it out yourself though I think this would be an excellent
exercise to enhance your understanding of HSRP.

Have fun!

Tom Lijnse

CCIE #11031
Global Knowledge

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Wednesday 6 July 2005 16:59
To: Tom Lijnse; 'Spyros Kranis'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.

Hi Tom,

Thanks again for your response.

I read the link you sent me and see I was wrong on at least one point.

Per this link, "When running HSRP, it is important to prevent hosts from
discovering the interface (or real) MAC addresses of routers in the HSRP
group. If a host is redirected by ICMP to the real MAC address of a router,
and that router later fails, then packets from the host will be lost."

But, given the above, how could a packet get to net 3 if R1 is the active
router and R1 and R2 are in the same group?

R1 R2 -----> R3 net3
e0 e0
 |----hsrp----|
      |
 other hosts

It seems to me that this isn't possible. To solve this problem it seems
that 2 groups must be configured and R2 must be the active router for the
other group. This way hosts that use R1 as their default gateway will
be redirected to the virtual mac address of the other group.

Am I on the right track now?

TIA, Tim

-----Original Message-----
From: Tom Lijnse [mailto:Tom.Lijnse@globalknowledge.nl]
Sent: Wednesday, July 06, 2005 9:18 AM
To: ccie2be; Spyros Kranis
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.

Hi Tim,

Okay, let's see if I can answer your questions:

- "When HSRP is configured this way with the use-bia command, is the
failover fast enough that any active sessions that hosts might have at
the time of switch over remain intact?"

As far as I know 'use-bia' has similar convergence to normal HSRP. The
only extra step is that when the Standby becomes Active it has to send
out the gratuitous arp-replies and the hosts need to update their
arp-caches, but as far as I can see that should only add milliseconds to
the convergence time. I haven't tested very extensively, but when I did
use it, it never seemed slower than normal HSRP.

- "I'm wondering if it's possible to config port security on the 3550
and the use-bia on the routers such that a failover is transparent to
hosts sessions maybe by lowering hsrp timers?"

As far as I can see this comes down to the same issue. (This depends on
what you mean by transparent). Convergence time for HSRP is determined
by the time it takes for the Standby to discover that the Active Router
disappeared, so this is mainly determined by the hello and holdtime.
Setting these to lower values will decrease the convergence time.
Whether or not you're using 'use-bia' seems negligible to me.

- " Suppose your topology was like this:

R1 R2 -----> R3 net3
e0 e0
 |----hsrp----|
      |
 other hosts

R1 is the active router. R2 is the standby router but packets must get to
R3 to get to net3.

How should HSRP be configured such that the hosts use R1 for all
destinations except for net3?"

The whole story about ICMP unreachables being disabled when you enable
HSRP isn't entirely true anymore. You may want to read the following bit
on the Doc-CD:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfip.htm#wp1044507

After reading this and possibly quickly labbing it up I think you should
be able to come up with an answer to your own question. In the end I
think this would be more educational than me just giving you the answer,
but let me know when you need a hint.

Regards,

Tom Lijnse

CCIE #11031
Global Knowledge
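The two-group setup the thread converges on (R1 Active for the hosts' gateway group, R2 Active for a second group so that R1's ICMP redirect for net3 points at a virtual address instead of R2's real MAC), written out as an added lab configuration that is not from the thread or from Cisco documentation. All addressing, the net3 prefix, and R2's second interface are assumptions chosen for the lab.

```cisco
! Assumed lab addressing (not from the thread): host LAN 10.0.0.0/24,
! R1 = 10.0.0.11, R2 = 10.0.0.12, net3 = 192.168.3.0/24 behind R3,
! which hangs off R2's second interface (10.1.0.0/24, R3 = 10.1.0.3).
! Group 1 virtual IP 10.0.0.1 is the hosts' default gateway (R1 Active).
! Group 2 virtual IP 10.0.0.2 exists only so that R2 is Active for some
! group; the redirect R1 sends for net3 is then rewritten to 10.0.0.2
! rather than to R2's real address 10.0.0.12.
!
! --- R1 ---
interface Ethernet0
 ip address 10.0.0.11 255.255.255.0
 ip redirects
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 timers 1 3
 standby 2 ip 10.0.0.2
 standby 2 priority 90
 standby 2 preempt
 standby 2 timers 1 3
!
! R1 reaches net3 through R2's real address on the shared LAN, so a host
! that sends net3 traffic to 10.0.0.1 triggers an ICMP redirect from R1.
ip route 192.168.3.0 255.255.255.0 10.0.0.12
!
! --- R2 ---
interface Ethernet0
 ip address 10.0.0.12 255.255.255.0
 ip redirects
 standby 1 ip 10.0.0.1
 standby 1 priority 90
 standby 1 preempt
 standby 1 timers 1 3
 standby 2 ip 10.0.0.2
 standby 2 priority 110
 standby 2 preempt
 standby 2 timers 1 3
!
interface Ethernet1
 ip address 10.1.0.2 255.255.255.0
!
ip route 192.168.3.0 255.255.255.0 10.1.0.3
!
! Verification: 'show standby brief' on both routers should list R1 as
! Active for group 1 and R2 as Active for group 2; 'debug ip icmp' on R1
! shows the redirect it sends when a host first sends traffic to net3.
! If 'standby use-bia' is added on both routers instead, each router
! answers ARP with its own MAC and failover relies on gratuitous ARP.
```

With 'timers 1 3' the Standby takes over about three seconds after the Active router stops sending hellos, which is the convergence figure the earlier reply says dominates, independent of use-bia.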



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:29 GMT-3