Re: 3550 port-security and HSRP.

From: san (san.study@gmail.com)
Date: Wed Jul 06 2005 - 13:56:15 GMT-3

• Next message: Joe Deleonardo: "BGP Multicast Inter-AS (IAS) VPN"
• Previous message: ccie2be: "RE: 3550 port-security and HSRP."
• Maybe in reply to: James Ventre: "Re: 3550 port-security and HSRP."
• Next in thread: hulbertj@comcast.net: "Re: 3550 port-security and HSRP."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hubert,

Can i assume from your experiments standby use-bia is not the factor
for ICMP redirect to work. The factor for ICMP redirect to work is
adding a secondary group.

IOW, If you have two groups for two routers, irrespective of virtual
MAC or use-bia, ICMP redirect should work ?

Just to clarify again, because you have added two changes in second
step (bia + two groups).

/SAN

On 7/6/05, hulbertj@comcast.net <hulbertj@comcast.net> wrote:
> I just labbed this real quick....it looks as if redirects works fine with the standby use-bia command.
>
> R1 R2 -----> R3-loopback
> e0 e0
> |----hsrp----|
>
> R1 config:
> interface Ethernet0/0
> ip address 192.168.10.2 255.255.255.0
> half-duplex
> standby 1 ip 192.168.10.1
> standby 1 priority 105
> standby 1 preempt
>
> R2 config:
> interface Ethernet0/0
> ip address 192.168.10.3 255.255.255.0
> half-duplex
> standby 1 ip 192.168.10.1
> standby 1 preempt
>
> Rack1R1#sho standby brief
> P indicates configured to preempt. |
> Interface Grp Prio P State Active Standby Virtual IP
> Et0/0 1 105 P Active local 192.168.10.3 192.168.10.1
>
> When a host on this segment tries to reach a destination reachable through R2, this is what the debug on R1 show's;
>
> Rack1R1#debug ip icmp
> ICMP packet debugging is on
> Rack1R1#
> *Mar 4 17:31:29.385: ICMP: redirect not sent to 192.168.10.10 for dest 150.1.3.3
> *Mar 4 17:31:29.385: ICMP: 192.168.10.3 does not contain an active HSRP group
> *Mar 4 17:31:30.383: ICMP: redirect not sent to 192.168.10.10 for dest 150.1.3.3
> *Mar 4 17:31:30.387: ICMP: 192.168.10.3 does not contain an active HSRP group
> Rack1R1#
> *Mar 4 17:31:32.386: ICMP: redirect not sent to 192.168.10.10 for dest 150.1.3.3
> *Mar 4 17:31:32.386: ICMP: 192.168.10.3 does not contain an active HSRP group
>
> Added a second HSRP group to R1 & R2(Active):
> R1
> interface Ethernet0/0
> ip address 192.168.10.2 255.255.255.0
> half-duplex
> standby use-bia
> standby 1 ip 192.168.10.1
> standby 1 priority 105
> standby 1 preempt
> standby 2 ip 192.168.10.254
> standby 2 preempt
>
> R2
> interface Ethernet0/0
> ip address 192.168.10.3 255.255.255.0
> half-duplex
> standby 1 ip 192.168.10.1
> standby 1 preempt
> standby 2 ip 192.168.10.254
> standby 2 priority 105
> standby 2 preempt
>
> Now I can see this on R1's debug.
> Rack1R1#
> *Mar 4 17:38:13.111: ICMP: HSRP changing redirect sent to 192.168.10.10 for dest 150.1.3.3
> *Mar 4 17:38:13.111: ICMP: gw 192.168.10.3 -> 192.168.10.254, src 192.168.10.1
> *Mar 4 17:38:13.111: ICMP: Use HSRP virtual address 192.168.10.1 as ICMP src
> *Mar 4 17:38:13.111: ICMP: redirect sent to 192.168.10.10 for dest 150.1.3.3, use gw 192.168.10.254
>
> Rack1R1#sho standby
> Ethernet0/0 - Group 1
> State is Active
> 4 state changes, last state change 00:03:23
> Virtual IP address is 192.168.10.1
> Active virtual MAC address is 00b0.6405.3100
> Local virtual MAC address is 00b0.6405.3100 (bia)
> Hello time 3 sec, hold time 10 sec
> Next hello sent in 0.657 secs
> Preemption enabled
> Active router is local
> Standby router is 192.168.10.3, priority 100 (expires in 8.722 sec)
> Priority 105 (configured 105)
> IP redundancy name is "hsrp-Et0/0-1" (default)
> Ethernet0/0 - Group 2
> State is Standby
> 1 state change, last state change 00:00:18
> Virtual IP address is 192.168.10.254
> Active virtual MAC address is 0030.94bc.3320
> Local virtual MAC address is 00b0.6405.3100 (bia)
> Hello time 3 sec, hold time 10 sec
> Next hello sent in 2.424 secs
> Preemption enabled
> Active router is 192.168.10.3, priority 105 (expires in 7.007 sec)
> Standby router is local
> Priority 100 (default 100)
>
>
> -------------- Original message --------------
>
> > One more thing to think about. With the below statement from the link Tom
> > provided (thanks):
> >
> > "In certain configurations, such as the use of the standby use-bia interface
> > configuration command specified on an interface, redirects cannot be sent. In
> > this case, the HSRP groups use the interface MAC address as their virtual MAC
> > address. The router now cannot determine if the default gateway of the host is
> > the real IP address or one of the HSRP virtual IP addresses that are active on
> > the interface."
> >
> > I would take this as meaning, that if I wanted optimal operation, I would not
> > implement 'standby use-bia', and I would have to rethink my port-security
> > configuration. Does anyone agree or disagree?
> >
> > I will try to lab this up later today.
> >
> > Thanks,
> > Jerry
> >
> > -------------- Original message --------------
> >
> > > Hi Tom,
> > >
> > > Thanks again for your response.
> > >
> > > I read the link you sent me and see I was wrong on at least one point.
> > >
> > > Per this link, "When running HSRP, it is important to prevent hosts from
> > > discovering the interface (or real) MAC addresses of routers in the HSRP
> > > group. If a host is redirected by ICMP to the real MAC address of a router,
> > > and that router later fails, then packets from the host will be lost."
> > >
> > > But, given the above, how could a packet get to net 3 if R1 is the active
> > > router and R1 and R2 are in the same group?
> > >
> > > R1 R2 -----> R3 net3
> > > e0 e0
> > > |----hsrp----|
> > > |
> > > other hosts
> > >
> > > It seems to me that this isn't possible. To solve this problem it seems
> > > that 2 groups must be configured and R2 must be the active router for the
> > > other group. This way for hosts that use R1 as their default gateway will
> > > be redirected to the virtual mac address of the other group.
> > >
> > > Am I on the right track now?
> > >
> > > TIA, Tim
> > >
> > > -----Original Message-----
> > > From: Tom Lijnse [mailto:Tom.Lijnse@globalknowledge.nl]
> > > Sent: Wednesday, July 06, 2005 9:18 AM
> > > To: ccie2be; Spyros Kranis
> > > Cc: ccielab@groupstudy.com
> > > Subject: RE: 3550 port-security and HSRP.
> > >
> > > Hi Tim,
> > >
> > > Okay, let's see if I can answer your questions:
> > >
> > > - "When HSRP is configured this way with the use-bia command, is the
> > > failover fast enough that any active sessions that hosts might have at
> > > the time of switch over remain intact?"
> > >
> > > As far as I know 'use-bia' has similar convergence to normal HSRP. The
> > > only extra step is that when the Standby becomes Active it has to send
> > > out the gratuitous arp-replies and the hosts need to update their
> > > arp-caches, but as far as I can see that should only add milliseconds to
> > > the convergence time. I haven't tested very extensively, but when I did
> > > use it, it never seemed slower than normal HSRP.
> > >
> > > - "I'm wondering if it's possible to config port security on the 3550
> > > and the use-bia on the routers such that a failover is transparent to
> > > hosts sessions maybe by lowering hsrp timers?"
> > >
> > > As far as I can see this comes down to the same issue. (This depends on
> > > what you mean by transparent). Convergence time for HSRP is determined
> > > by the time it takes for the Standby to discover that the Active Router
> > > disappeared, so this is mainly determined by the hello and holdtime.
> > > Setting these to lower values will decrease the convergence time.
> > > Whether or not you're using 'use-bia' seems negligible to me.
> > >
> > > - " Suppose your topology was like this:
> > >
> > >
> > > R1 R2 -----> R3 net3
> > > e0 e0
> > > |----hsrp----|
> > > |
> > > other hosts
> > >
> > >
> > > R1 is the active router. R2 is the standby router but packets must get
> > > to
> > > R3 to get to net3.
> > >
> > > How should HSRP be configured such that the hosts use R1 for all
> > > destinations except for net3?"
> > >
> > > The whole story about ICMP unreachables being disabled when you enable
> > > HSRP isn't entirely true anymore. You may want to read the following bit
> > > on the Doc-CD:
> > >
> > > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/
> > > fipr_c/ipcprt1/1cfip.htm#wp1044507
> > >
> > > After reading this and possibly quickly labbing it up I think you should
> > > be able to come up with an answer to your own question. In the end I
> > > think this would be more educational than me just giving you the answer,
> > > but let me know when you need a hint.
> > >
> > > Regards,
> > >
> > > Tom Lijnse
> > >
> > > CCIE #11031
> > > Global Knowledge
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: Joe Deleonardo: "BGP Multicast Inter-AS (IAS) VPN"
• Previous message: ccie2be: "RE: 3550 port-security and HSRP."
• Maybe in reply to: James Ventre: "Re: 3550 port-security and HSRP."
• Next in thread: hulbertj@comcast.net: "Re: 3550 port-security and HSRP."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:29 GMT-3