HSRP, Cisco Emulation software and ASICs


I wrote some time back about how to implement HSRP using Cisco IOU and in GNS3, but it has been pointed out that even though it might look like it works, it is actually a little more hit and miss. Some people have issues such as not being able to ping the virtual IP address configured on the HSRP standby group. Check out the comments to follow the reference; hopefully you'll understand why I am writing this subsequent post.

A recap on HSRP

HSRP (Hot Standby Routing Protocol) allows you to set up the same SVI (Switched Virtual Interface) on a pair of switches so that you have some redundancy: in the event that one switch is unavailable, the virtual IP address assigned to the standby group will still be available. The virtual IP address is given the same MAC address on both switches, which is a combination of the well-known HSRP MAC address prefix (0000.0c07.ac) and the standby group number (in our case this is 10, which is 0a in hexadecimal).

HSRP is Cisco specific; other vendors use the industry standard VRRP (Virtual Router Redundancy Protocol). There is also GLBP (Gateway Load Balancing Protocol) for routers.

We will be using two different versions of GNS3 for this. The first is the publicly available 0.8.6 version, because that can still use qemu, which means that we can use the IOSv images to try this out on, as well as the image c3660-is-mz.124.25b referenced in the first article. If you haven't checked out how to get the IOSv images from onePK into GNS3 then you might want to have a quick read of it.

So the goals for this post are to prove that we can get HSRP working between two devices. One should show up as the active and one as the standby, and we should be able to ping the virtual IP assigned to the HSRP group. As per the original post, we need to create a multi-layer switch to enable the required functions. This still holds true today, so do have a read over the original article.

For each example we will have an HSRP group, number 10. One switch will use the IP address 10.10.1.2/24, the other will use 10.10.1.3/24, and they will have a virtual IP address of 10.10.1.1. The HSRP MAC address will be 0000.0c07.ac0a, so this is what we will be looking for in our ARP table.

Let's check out GNS3 first.

HSRP using native GNS3

Once we have set up our multi-layer switch in GNS3, the configuration steps for our first switch are as follows:
R4#vlan database
R4(vlan)#vlan 10
VLAN 10 added:
    Name: VLAN0010
R4(vlan)#exit
APPLY completed.
Exiting....   
*Mar  1 00:00:35.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int vlan 10
R4(config-if)#ip add 10.10.1.2 255.255.255.0
R4(config-if)#standby 10 ip 10.10.1.1
R4(config-if)#standby 10 pri 150
R4(config-if)#standby 10 preem del min 60
R4(config-if)#no shut
R4(config-if)#int fa 1/10
R4(config-if)#switchport mode trunk
*Mar  1 00:02:00.087: %DTP-5-TRUNKPORTON: Port Fa1/10 has become dot1q trunk
*Mar  1 00:02:00.563: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
R4(config-if)#no shut
R4(config-if)#
*Mar  1 00:02:30.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  1 00:02:30.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
R4(config-if)#
*Mar  1 00:02:51.699: %HSRP-5-STATECHANGE: Vlan10 Grp 10 state Speak -> Standby
*Mar  1 00:02:52.199: %HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active
R4(config-if)#exit
R4(config)#exit
R4#
*Mar  1 00:03:34.879: %SYS-5-CONFIG_I: Configured from console by console
R4#
So far our first device is looking healthy for HSRP. The second switch is very similar:
R5#vlan database
R5(vlan)#vlan 10
VLAN 10 added:
    Name: VLAN0010
R5(vlan)#exit
APPLY completed.
Exiting....
R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#int fa1/10
R5(config-if)#switchport mode trunk
*Mar  1 00:02:45.687: %DTP-5-TRUNKPORTON: Port Fa1/10 has become dot1q trunk
*Mar  1 00:02:46.159: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
R5(config-if)#no shut
R5(config-if)#exit
R5(config)#int vlan 10
R5(config-if)#
*Mar  1 00:02:53.711: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
R5(config-if)#ip add 10.10.1.3 255.255.255.0
R5(config-if)#standby 10 ip 10.10.1.1
R5(config-if)#standby 10 pri 90
R5(config-if)#
*Mar  1 00:03:16.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
R5(config-if)#
*Mar  1 00:03:40.299: %HSRP-5-STATECHANGE: Vlan10 Grp 10 state Speak -> Standby
R5(config-if)#
With our trunk set up to carry the VLAN information, as well as the HSRP multicast, we should be able to check that everything is in order. Using the command "sh standby vlan" with the VLAN number, we can check the HSRP settings and status. Let's check to see if we have everything we are hoping for, including the correct ARP entries, and make sure that the interfaces are pingable:
R4#sh standby vlan 10
Vlan10 - Group 10
  State is Active
    2 state changes, last state change 00:03:19
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.724 secs
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is 10.10.1.3, priority 90 (expires in 7.344 sec)
  Priority 150 (configured 150)
  IP redundancy name is "hsrp-Vl10-10" (default)
R4#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0000.0c07.ac0a  ARPA   Vlan10
Internet  10.10.1.2               -   cc04.38a1.0000  ARPA   Vlan10
R4#ping 10.10.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0000.0c07.ac0a  ARPA   Vlan10
Internet  10.10.1.3               0   cc05.38a1.0000  ARPA   Vlan10
Internet  10.10.1.2               -   cc04.38a1.0000  ARPA   Vlan10
R4#

R5#sh standby vlan 10
Vlan10 - Group 10
  State is Standby
    1 state change, last state change 00:03:22
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.992 secs
  Preemption disabled
  Active router is 10.10.1.2, priority 150 (expires in 7.376 sec)
  Standby router is local
  Priority 90 (configured 90)
  IP redundancy name is "hsrp-Vl10-10" (default)
R5#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.3               -   cc05.38a1.0000  ARPA   Vlan10
R5#ping 10.10.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/21/24 ms
R5#ping 10.10.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/21/24 ms
R5#sh arp        
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               0   0000.0c07.ac0a  ARPA   Vlan10
Internet  10.10.1.3               -   cc05.38a1.0000  ARPA   Vlan10
Internet  10.10.1.2               0   cc04.38a1.0000  ARPA   Vlan10
R5#
So ARP looks good and we can ping the virtual IP address for the standby group, with no problems here. Let's check out HSRP on IOU next.

HSRP using IOU

With the same configuration as before (apart from the priority of 150 on the first device) running on the IOU routers, do we have the same level of visibility?
Switch#sh standby vlan 10
Vlan10 - Group 10
  State is Active
    2 state changes, last state change 00:00:34
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a (MAC In Use)
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.984 secs
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is 10.10.1.3, priority 90 (expires in 9.904 sec)
  Priority 100 (default 100)
  Group name is "hsrp-Vl10-10" (default)
Switch#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0000.0c07.ac0a  ARPA   Vlan10
Internet  10.10.1.2               -   aabb.cc80.0100  ARPA   Vlan10
Internet  10.10.1.3               0   aabb.cc80.0200  ARPA   Vlan10
Switch#ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
Switch#sh ver | i IOS
Cisco IOS Software, Solaris Software (I86BI_LINUXL2-IPBASEK9-M), Experimental Version 15.1(20130124:233217) [dstivers-jan24-2013-team_track 101]
Switch#sh ip int bri     
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  up                    up      
Ethernet0/1            unassigned      YES unset  up                    up      
Ethernet0/2            unassigned      YES unset  up                    up      
Ethernet0/3            unassigned      YES unset  up                    up      
Vlan10                 10.10.1.2       YES manual up                    up      
Switch#

Switch2#sh standby vlan 10
Vlan10 - Group 10
  State is Standby
    1 state change, last state change 00:00:29
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a (MAC Not In Use)
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.912 secs
  Preemption disabled
  Active router is 10.10.1.2, priority 100 (expires in 9.696 sec)
  Standby router is local
  Priority 90 (configured 90)
  Group name is "hsrp-Vl10-10" (default)
Switch2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.3               -   aabb.cc80.0200  ARPA   Vlan10
Switch2#ping 10.10.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Switch2#ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Switch2#sh ver | i IOS
Cisco IOS Software, Solaris Software (I86BI_LINUXL2-IPBASEK9-M), Experimental Version 15.1(20130124:233217) [dstivers-jan24-2013-team_track 101]
Switch2#
Again ARP looks good and we can ping the virtual IP address.

EDIT:-

It just goes to show that image is everything. As Maureen (in the comments below) has pointed out whilst following this blog and my posts about HSRP, nothing is 100% guaranteed when using a virtualized environment.

If you try adding a guest to the mix then it probably won't be able to ping the standby address, and if it can, it probably won't last. I will go into it in more depth in my post about IOU Images and functions.

Finally, let's check out IOSv.

HSRP using IOSv on GNS3

HSRP is slightly different on IOSv. There are no vlan commands; instead everything is performed under the interface, so technically it's not enabling redundancy for a VLAN, it's enabling it for the interface. The principle remains the same: it still requires the same coding within IOS for the feature to work, and multicast for the communication to flow over. I am including it here because of this.
SW1(config)#int gi 0/0
SW1(config-if)#ip add 10.10.1.2 255.255.255.0
SW1(config-if)#standby 10 ip 10.10.1.1
SW1(config-if)#standby 10 pri 150
SW1(config-if)#standby 10 preem delay min 60
SW1(config-if)#no shut
SW1(config-if)# 
*May 11 16:11:44.818: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*May 11 16:11:45.818: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
*May 11 16:12:05.647: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 10 state Standby -> Active
SW1(config-if)#exit
SW1(config)#exit
SW1#sh standby
*May 11 16:12:25.655: %SYS-5-CONFIG_I: Configured from console by console
GigabitEthernet0/0 - Group 10
  State is Active
    2 state changes, last state change 00:00:27
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.272 secs
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is 10.10.1.3, priority 90 (expires in 9.232 sec)
  Priority 150 (configured 150)
  Group name is "hsrp-Gi0/0-10" (default)
SW1#

SW2(config)#int gi 0/0
SW2(config-if)#ip add 10.10.1.3 255.255.255.0
SW2(config-if)#standby 10 ip 10.10.1.1
SW2(config-if)#standby 10 pri 90      
SW2(config-if)#no shut
SW2(config-if)#
*May 11 16:11:44.460: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*May 11 16:11:45.460: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
*May 11 16:12:29.371: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 10 state Speak -> Standby
SW2(config-if)#
SW2(config-if)#exit
SW2(config)#exit
SW2#sh stand
GigabitEthernet0/0 - Group 10
  State is Standby
    1 state change, last state change 00:00:23
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.744 secs
  Preemption disabled
  Active router is 10.10.1.2, priority 150 (expires in 10.480 sec)
  Standby router is local
  Priority 90 (configured 90)
  Group name is "hsrp-Gi0/0-10" (default)
SW2#
So it certainly looks like HSRP works on IOSv. Let's make sure by looking at ARP, and seeing if we can ping the virtual IP address:
SW1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0000.0c07.ac0a  ARPA   GigabitEthernet0/0
Internet  10.10.1.2               -   00ab.60a2.3000  ARPA   GigabitEthernet0/0
SW1#ping 10.10.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 3/8/11 ms
SW1#ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
SW1#sh ver | i Version
Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.4(1.24)T0.9, MAINTENANCE INTERIM SOFTWARE
SW1#

SW2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.2               0   00ab.60a2.3000  ARPA   GigabitEthernet0/0
Internet  10.10.1.3               -   00ab.1061.0700  ARPA   GigabitEthernet0/0
SW2#ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/7/11 ms
SW2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               0   0000.0c07.ac0a  ARPA   GigabitEthernet0/0
Internet  10.10.1.2               0   00ab.60a2.3000  ARPA   GigabitEthernet0/0
Internet  10.10.1.3               -   00ab.1061.0700  ARPA   GigabitEthernet0/0
SW2#sh ver | i Version
Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.4(1.24)T0.9, MAINTENANCE INTERIM SOFTWARE
SW2#
So again, all good and we are three for three.
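
The three goals checked by hand above (one Active and one Standby device, and the virtual IP resolving to the group's HSRP MAC in ARP) can also be checked from captured "sh standby" and "sh arp" output. This Python script is an added example, not part of the original post; the function names are hypothetical and the sample text is trimmed from the R4/R5 output on this page.

```python
import re

HSRP_V1_PREFIX = "0000.0c07.ac"  # well-known HSRPv1 prefix; group number follows in hex

def hsrp_v1_mac(group):
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group numbers are 0-255")
    return f"{HSRP_V1_PREFIX}{group:02x}"

def parse_standby(text):
    """Extract group, state, virtual IP and virtual MAC from 'sh standby' output."""
    patterns = {"group": r"- Group (\d+)", "state": r"State is (\w+)",
                "vip": r"Virtual IP address is (\S+)",
                "vmac": r"Active virtual MAC address is (\S+)"}
    found = {}
    for key, pattern in patterns.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"'{key}' not found in standby output")
        found[key] = match.group(1)
    return found

def parse_arp(text):
    """Map IP address -> hardware address from 'sh arp' output."""
    rows = re.finditer(r"^Internet\s+(\S+)\s+\S+\s+(\S+)\s+ARPA", text, re.M)
    return {row.group(1): row.group(2).lower() for row in rows}

def check_pair(standby_outputs, arp_outputs):
    """Return a list of problems; an empty list means all three goals are met."""
    peers = [parse_standby(text) for text in standby_outputs]
    problems = []
    if sorted(peer["state"] for peer in peers) != ["Active", "Standby"]:
        problems.append("expected exactly one Active and one Standby device")
    if len({(peer["group"], peer["vip"]) for peer in peers}) != 1:
        problems.append("peers disagree on group number or virtual IP")
    vip, expected = peers[0]["vip"], hsrp_v1_mac(int(peers[0]["group"]))
    for n, peer in enumerate(peers):
        if peer["vmac"].lower() != expected:
            problems.append(f"device {n}: virtual MAC {peer['vmac']}, expected {expected}")
    for n, arp in enumerate(arp_outputs):
        mac = parse_arp(arp).get(vip)
        if mac is None:
            problems.append(f"device {n}: no ARP entry for {vip} yet")
        elif mac != expected:
            problems.append(f"device {n}: {vip} resolves to {mac}, expected {expected}")
    return problems

# Sample input trimmed from the R4/R5 output on this page.
R4_STANDBY = ("Vlan10 - Group 10\n  State is Active\n"
              "  Virtual IP address is 10.10.1.1\n"
              "  Active virtual MAC address is 0000.0c07.ac0a")
R5_STANDBY = R4_STANDBY.replace("State is Active", "State is Standby")
R4_ARP = "Internet  10.10.1.1  -  0000.0c07.ac0a  ARPA  Vlan10"
R5_ARP_BEFORE_PING = "Internet  10.10.1.3  -  cc05.38a1.0000  ARPA  Vlan10"
R5_ARP_AFTER_PING = R5_ARP_BEFORE_PING + "\nInternet  10.10.1.1  0  0000.0c07.ac0a  ARPA  Vlan10"

if __name__ == "__main__":
    print(check_pair([R4_STANDBY, R5_STANDBY], [R4_ARP, R5_ARP_AFTER_PING]))
    print(check_pair([R4_STANDBY, R5_STANDBY], [R4_ARP, R5_ARP_BEFORE_PING]))
```

The second call reports the standby's missing ARP entry, which matches R5's table before its first ping of 10.10.1.1.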

So why am I going over this again, if actually I am only proving that it does work? Well, it's all to do with mileage, and your mileage may vary. Remember we are dealing with emulated, or virtualized, hardware, so there will be issues, especially when we come across things that the router, or more specifically the switch, generally offloads to ASICs. With all the benefits that Cisco emulation software offers, the one thing it cannot do is truly emulate the functions contained within the ASIC.

What's a running shoe brand got to do with Cisco emulation software?

An ASIC is an Application-Specific Integrated Circuit, not to be confused with ASICS the running shoe manufacturer. These ASICs are so complex that they can (depending on the type of ASIC) be referred to as a system on a chip. It is this offloading that makes running a virtualised switch, with the full functionality and speed of a proper hardware one, extremely difficult to implement.

The most common Cisco-specific ASIC you will encounter is the port ASIC, which handles traffic forwarding, QoS and ACL lookups. A number of switches have within these port ASICs their TCAM, which holds the IPv4 and IPv6 addresses, MAC addresses, and Access Control Entries.

For a greater understanding of packet flow within a switch and how this is governed by the ASIC, have a look at this PDF from Cisco Live.

So in short, we can get close, but close is a very relative term. Finding the right IOU or GNS3 image can be a bit of a mission.

It will be interesting to see how CML stands up to higher-level switch functionality when it is finally released. One would think that as it is the basis for the new version of the CCIE exam then it will be supported. Time will tell on that!

In an ideal world we would all have the required hardware, it wouldn't cost more than a cup of coffee, and it would fit into your pocket. But for the moment we'll have to see how far our mileage gets us.

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.


4 comments

22 May 2014 at 11:02

HSRP using L2 IOU as described on your web page works as far as you tested it. But if you connect a PC in vlan 10 to either of the switches you will not be able to ping the Virtual IP address after 30 seconds. Can I recommend you edit your otherwise excellent web page to reflect this crucial limitation. This limitation in effect makes HSRP unworkable.

22 May 2014 at 12:07

Hi Maureen

I will lab it up and if I get the same then I will amend the post.

Stuart

23 May 2014 at 02:43

Hi Maureen, I have labbed this using both the image referenced previously and with a later image. It did work better with the first image, but not 100% as you are finding yourself. The later image refused to get HSRP working at all. I will edit the post...

5 November 2015 at 04:27

HSRP doesn't work, but not because of ASICs. Try this: HSRP1 <> L2 switch <> L2 switch <> HSRP2. Then do a packet capture link by link. You'll see that L2 switches eat up HSRP packets. I.e. HSRP packet leaves the interface, reaches the L2 switch, and then it's not being forwarded further. However L2 switches don't have any problems with passing STP, IPv6 HSRP or OSPF packets.
(P.S.: L2 switch is an IOU with "no ip routing" and just vlans/trunk.)
