From: Tom Lijnse (Tom.Lijnse@globalknowledge.nl)
Date: Wed Jul 06 2005 - 14:58:38 GMT-3
Hi Jerry,
Thanks for testing. It's always good to see when theory and reality are
in sync...
It also takes at least another thing off my list of things to test :-)
Regards,
Tom
-----Original Message-----
From: hulbertj@comcast.net [mailto:hulbertj@comcast.net]
Sent: woensdag 6 juli 2005 19:12
To: san
Cc: ccie2be; Tom Lijnse; Spyros Kranis; ccielab@groupstudy.com
Subject: Re: 3550 port-security and HSRP.
No, standby use-bia is not needed for redirects to function.  I added this
based on the original subject of this thread, and that was for
port-security using a bia.
Jerry
        -------------- Original message --------------
	> Hubert,
	>
	> Can I assume from your experiments standby use-bia is not the factor
	> for ICMP redirect to work. The factor for ICMP redirect to work is
	> adding a secondary group.
	>
	> IOW, if you have two groups for two routers, irrespective of virtual
	> MAC or use-bia, ICMP redirect should work?
	>
	> Just to clarify again, because you have added two changes in the second
	> step (bia + two groups).
	>
	>
	> /SAN
	>
	>
	>
	> On 7/6/05, hulbertj@comcast.net wrote:
	> > I just labbed this real quick....it looks as if redirects work fine with the
	> > standby use-bia command.
	> >
	> > R1          R2 -----> R3-loopback
	> > e0          e0
	> > |----hsrp----|
	> >
	> > R1 config:
	> > interface Ethernet0/0
	> > ip address 192.168.10.2 255.255.255.0
	> > half-duplex
	> > standby 1 ip 192.168.10.1
	> > standby 1 priority 105
	> > standby 1 preempt
	> >
	> > R2 config:
	> > interface Ethernet0/0
	> > ip address 192.168.10.3 255.255.255.0
	> > half-duplex
	> > standby 1 ip 192.168.10.1
	> > standby 1 preempt
	> >
	> > Rack1R1#sho standby brief
	> >                      P indicates configured to preempt.
	> >                      |
	> > Interface   Grp Prio P State    Active          Standby         Virtual IP
	> > Et0/0       1   105  P Active   local           192.168.10.3    192.168.10.1
	> >
	> > When a host on this segment tries to reach a destination reachable through R2,
	> > this is what the debug on R1 shows:
	> >
	> > Rack1R1#debug ip icmp
	> > ICMP packet debugging is on
	> > Rack1R1#
	> > *Mar 4 17:31:29.385: ICMP: redirect not sent to 192.168.10.10 for dest 150.1.3.3
	> > *Mar 4 17:31:29.385: ICMP: 192.168.10.3 does not contain an active HSRP group
	> > *Mar 4 17:31:30.383: ICMP: redirect not sent to 192.168.10.10 for dest 150.1.3.3
	> > *Mar 4 17:31:30.387: ICMP: 192.168.10.3 does not contain an active HSRP group
	> > Rack1R1#
	> > *Mar 4 17:31:32.386: ICMP: redirect not sent to 192.168.10.10 for dest 150.1.3.3
	> > *Mar 4 17:31:32.386: ICMP: 192.168.10.3 does not contain an active HSRP group
	> >
	> > Added a second HSRP group to R1 & R2(Active):
	> > R1
	> > interface Ethernet0/0
	> > ip address 192.168.10.2 255.255.255.0
	> > half-duplex
	> > standby use-bia
	> > standby 1 ip 192.168.10.1
	> > standby 1 priority 105
	> > standby 1 preempt
	> > standby 2 ip 192.168.10.254
	> > standby 2 preempt
	> >
	> > R2
	> > interface Ethernet0/0
	> > ip address 192.168.10.3 255.255.255.0
	> > half-duplex
	> > standby 1 ip 192.168.10.1
	> > standby 1 preempt
	> > standby 2 ip 192.168.10.254
	> > standby 2 priority 105
	> > standby 2 preempt
	> >
	> > Now I can see this on R1's debug.
	> > Rack1R1#
	> > *Mar 4 17:38:13.111: ICMP: HSRP changing redirect sent to 192.168.10.10 for dest 150.1.3.3
	> > *Mar 4 17:38:13.111: ICMP: gw 192.168.10.3 -> 192.168.10.254, src 192.168.10.1
	> > *Mar 4 17:38:13.111: ICMP: Use HSRP virtual address 192.168.10.1 as ICMP src
	> > *Mar 4 17:38:13.111: ICMP: redirect sent to 192.168.10.10 for dest 150.1.3.3, use gw 192.168.10.254
	> >
	> > Rack1R1#sho standby
	> > Ethernet0/0 - Group 1
	> > State is Active
	> > 4 state changes, last state change 00:03:23
	> > Virtual IP address is 192.168.10.1
	> > Active virtual MAC address is 00b0.6405.3100
	> > Local virtual MAC address is 00b0.6405.3100 (bia)
	> > Hello time 3 sec, hold time 10 sec
	> > Next hello sent in 0.657 secs
	> > Preemption enabled
	> > Active router is local
	> > Standby router is 192.168.10.3, priority 100 (expires in 8.722 sec)
	> > Priority 105 (configured 105)
	> > IP redundancy name is "hsrp-Et0/0-1" (default)
	> > Ethernet0/0 - Group 2
	> > State is Standby
	> > 1 state change, last state change 00:00:18
	> > Virtual IP address is 192.168.10.254
	> > Active virtual MAC address is 0030.94bc.3320
	> > Local virtual MAC address is 00b0.6405.3100 (bia)
	> > Hello time 3 sec, hold time 10 sec
	> > Next hello sent in 2.424 secs
	> > Preemption enabled
	> > Active router is 192.168.10.3, priority 105 (expires in 7.007 sec)
	> > Standby router is local
	> > Priority 100 (default 100)
	> >
	> >
	> > -------------- Original message --------------
	> >
	> > > One more thing to think about. With the below statement from the link Tom
	> > > provided (thanks):
	> > >
	> > > "In certain configurations, such as the use of the standby use-bia interface
	> > > configuration command specified on an interface, redirects cannot be sent. In
	> > > this case, the HSRP groups use the interface MAC address as their virtual MAC
	> > > address. The router now cannot determine if the default gateway of the host is
	> > > the real IP address or one of the HSRP virtual IP addresses that are active on
	> > > the interface."
	> > >
	> > > I would take this as meaning that if I wanted optimal operation, I would not
	> > > implement 'standby use-bia', and I would have to rethink my port-security
	> > > configuration. Does anyone agree or disagree?
	> > >
	> > > I will try to lab this up later today.
	> > >
	> > > Thanks,
	> > > Jerry
	> > >
	> > > -------------- Original message --------------
	> > >
	> > > > Hi Tom,
	> > > >
	> > > > Thanks again for your response.
	> > > >
	> > > > I read the link you sent me and see I was wrong on at least one point.
	> > > >
	> > > > Per this link, "When running HSRP, it is important to prevent hosts from
	> > > > discovering the interface (or real) MAC addresses of routers in the HSRP
	> > > > group. If a host is redirected by ICMP to the real MAC address of a router,
	> > > > and that router later fails, then packets from the host will be lost."
	> > > >
	> > > > But, given the above, how could a packet get to net 3 if R1 is the active
	> > > > router and R1 and R2 are in the same group?
	> > > >
	> > > > R1          R2 -----> R3 net3
	> > > > e0          e0
	> > > > |----hsrp----|
	> > > >       |
	> > > >   other hosts
	> > > >
	> > > > It seems to me that this isn't possible. To solve this problem it seems
	> > > > that 2 groups must be configured and R2 must be the active router for the
	> > > > other group. This way hosts that use R1 as their default gateway will
	> > > > be redirected to the virtual mac address of the other group.
	> > > >
	> > > > Am I on the right track now?
	> > > >
	> > > > TIA, Tim
	> > > >
	> > > > -----Original Message-----
	> > > > From: Tom Lijnse [mailto:Tom.Lijnse@globalknowledge.nl]
	> > > > Sent: Wednesday, July 06, 2005 9:18 AM
	> > > > To: ccie2be; Spyros Kranis
	> > > > Cc: ccielab@groupstudy.com
	> > > > Subject: RE: 3550 port-security and HSRP.
	> > > >
	> > > > Hi Tim,
	> > > >
	> > > > Okay, let's see if I can answer your questions:
	> > > >
	> > > > - "When HSRP is configured this way with the use-bia command, is the
	> > > > failover fast enough that any active sessions that hosts might have at
	> > > > the time of switch over remain intact?"
	> > > >
	> > > > As far as I know 'use-bia' has similar convergence to normal HSRP. The
	> > > > only extra step is that when the Standby becomes Active it has to send
	> > > > out the gratuitous arp-replies and the hosts need to update their
	> > > > arp-caches, but as far as I can see that should only add milliseconds to
	> > > > the convergence time. I haven't tested very extensively, but when I did
	> > > > use it, it never seemed slower than normal HSRP.
	> > > >
	> > > > - "I'm wondering if it's possible to config port security on the 3550
	> > > > and the use-bia on the routers such that a failover is transparent to
	> > > > hosts sessions maybe by lowering hsrp timers?"
	> > > >
	> > > > As far as I can see this comes down to the same issue. (This depends on
	> > > > what you mean by transparent.) Convergence time for HSRP is determined
	> > > > by the time it takes for the Standby to discover that the Active Router
	> > > > disappeared, so this is mainly determined by the hello and holdtime.
	> > > > Setting these to lower values will decrease the convergence time.
	> > > > Whether or not you're using 'use-bia' seems negligible to me.
	> > > >
	> > > > - "Suppose your topology was like this:
	> > > >
	> > > > R1          R2 -----> R3 net3
	> > > > e0          e0
	> > > > |----hsrp----|
	> > > >       |
	> > > >   other hosts
	> > > >
	> > > > R1 is the active router. R2 is the standby router but packets must get to
	> > > > R3 to get to net3.
	> > > >
	> > > > How should HSRP be configured such that the hosts use R1 for all
	> > > > destinations except for net3?"
	> > > >
	> > > > The whole story about ICMP unreachables being disabled when you enable
	> > > > HSRP isn't entirely true anymore. You may want to read the following bit
	> > > > on the Doc-CD:
	> > > >
	> > > > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfip.htm#wp1044507
	> > > >
	> > > > After reading this and possibly quickly labbing it up I think you should
	> > > > be able to come up with an answer to your own question. In the end I
	> > > > think this would be more educational than me just giving you the answer,
	> > > > but let me know when you need a hint.
	> > > >
	> > > > Regards,
	> > > >
	> > > > Tom Lijnse
	> > > >
	> > > > CCIE #11031
	> > > > Global Knowledge
	> > > >
	> > > >
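Added example (not from the thread, and not Cisco code): a small Python model of the HSRP-aware redirect rule that Jerry's two debug captures illustrate. It reproduces what the debug lines show, namely that R1 only redirects a host towards a next hop that is Active for some HSRP group on the segment, rewrites the redirect gateway to that group's virtual IP, and sources the redirect from the virtual IP the host uses as its gateway. Addresses and priorities are those of the R1/R2 configs quoted above; the "non-HSRP next hop" branch is an assumption taken from the Cisco documentation Tom linked rather than something the thread tested, and the class and function names are mine.

```python
"""Model of the HSRP-aware ICMP redirect decision shown in the debug output.

Constructed example, not IOS code. It reproduces the rule that a router only
redirects a host towards a next hop that is Active for some HSRP group on the
segment, rewrites the redirect gateway to that group's virtual IP, and sources
the redirect from the virtual IP the host is using as its gateway. Addresses
and priorities are copied from the R1/R2 configs quoted in the thread.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HsrpGroup:
    number: int
    vip: str
    priority: int = 100          # IOS default priority


@dataclass
class Router:
    name: str
    real_ip: str
    groups: dict = field(default_factory=dict)   # group number -> HsrpGroup

    def standby(self, number: int, vip: str, priority: int = 100) -> "Router":
        """Equivalent of 'standby <n> ip <vip>' (+ 'standby <n> priority <p>')."""
        self.groups[number] = HsrpGroup(number, vip, priority)
        return self


def _ip_key(ip: str) -> tuple:
    return tuple(int(o) for o in ip.split("."))


def active_router(segment: list, number: int) -> Optional[Router]:
    """HSRP election for one group: highest priority wins, highest real IP
    breaks ties. Preemption is assumed enabled, as in the thread's configs."""
    members = [r for r in segment if number in r.groups]
    if not members:
        return None
    return max(members, key=lambda r: (r.groups[number].priority, _ip_key(r.real_ip)))


def active_groups(segment: list, router: Router) -> list:
    """Groups on this segment for which `router` is the Active router."""
    return [g for g in router.groups.values() if active_router(segment, g.number) is router]


def redirect_decision(segment: list, this: Router, host_gw: str, next_hop: str):
    """Return (sent, gateway, source, reason) for a packet that `this` would
    forward back out the same interface towards `next_hop`. The reason strings
    paraphrase the 'debug ip icmp' lines quoted in the thread."""
    # Source the redirect from the host's virtual gateway if we are Active for it.
    source = this.real_ip
    for g in active_groups(segment, this):
        if g.vip == host_gw:
            source = g.vip

    peer = next((r for r in segment if r.real_ip == next_hop), None)
    if peer is None or not peer.groups:
        # Assumption taken from the Cisco HSRP/ICMP-redirect documentation, not
        # exercised in the thread: a next hop that runs no HSRP at all is
        # redirected to by its real address.
        return True, next_hop, source, f"redirect sent to non-HSRP next hop {next_hop}"

    peer_active = active_groups(segment, peer)
    if not peer_active:
        return False, None, source, f"{next_hop} does not contain an active HSRP group"

    vip = peer_active[0].vip   # gateway is rewritten to the peer's active virtual IP
    return True, vip, source, f"HSRP changing redirect: gw {next_hop} -> {vip}, src {source}"


def build_segment(second_group: bool) -> list:
    """R1/R2 as configured in the thread; second_group=True adds group 2 with
    R2 preferred (priority 105), which is the change that made redirects flow."""
    r1 = Router("R1", "192.168.10.2").standby(1, "192.168.10.1", 105)
    r2 = Router("R2", "192.168.10.3").standby(1, "192.168.10.1")
    if second_group:
        r1.standby(2, "192.168.10.254")
        r2.standby(2, "192.168.10.254", 105)
    return [r1, r2]


def step_one():
    """Single group, R1 Active: host 192.168.10.10 -> 150.1.3.3 via R2's real IP."""
    seg = build_segment(second_group=False)
    return redirect_decision(seg, seg[0], "192.168.10.1", "192.168.10.3")


def step_two():
    """Second group added with R2 Active for it: same flow, redirect now sent."""
    seg = build_segment(second_group=True)
    return redirect_decision(seg, seg[0], "192.168.10.1", "192.168.10.3")


if __name__ == "__main__":
    for label, result in (("one group", step_one()), ("two groups", step_two())):
        sent, gw, src, reason = result
        print(f"{label}: sent={sent} gw={gw} src={src} :: {reason}")
```

Running it prints the suppressed redirect for the single-group setup and the rewritten redirect (gateway 192.168.10.254, source 192.168.10.1) once group 2 exists with R2 Active, matching the two debug captures; the model does not look at virtual versus burned-in MAC addresses at all, which is consistent with Jerry's observation that use-bia made no difference here.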
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:29 GMT-3