Implementing Cisco Switched Networks Chapter 5 Review

This is my review and notes of Chapter 5 of “Implementing Cisco Switched Networks Foundation Learning Guide”.


Chapter 5: Implementing High Availability and Redundancy in a Campus Network

I think this chapter was probably quite good, although I did find it pretty long, and there were various points where I wished it would just finish.

It followed a structure of theory behind High Availability trying to get the reader to think about why they’re implementing it, along with how they should implement it.

It then covered a bit on Cisco’s chassis- or stack-based HA options (failover methods for bad HW, etc.), and then moved into different monitoring methods (SNMP, IP SLA, Syslog, etc.).

Following that was a look at First Hop redundancy with HSRP, VRRP, and GLBP. Lastly was Cisco IOS Server Load Balancing (which I highly doubt is in the exam).

I find it hard to fault much in this chapter, there was just a lot there.

What’s probably going to be in the exam:
– Possibly a question on the 5 components of HA (Redundancy, Technology, People, Processes and Tools).
– Definitely on Network Monitoring (SNMP, Syslog, IP SLA).
– Very likely something on HSRP, VRRP, and GLBP.

What the chapter covers:
– The above summarises it quite well.

High Availability
High availability is technology that enables network-wide resilience to increase IP network availability.

5 Components of High Availability

Redundancy
Attempts to eliminate single points of failure, where one failed device or design element brings down service.

Technology (HW/SW features)
Several Cisco routing continuity options such as Cisco Nonstop Forwarding (NSF) and Stateful Switchover (SSO) exist, and graceful restart capabilities improve availability. These technologies allow processor failover without a link flap, continued forwarding of packets, and maintenance of BGP adjacencies.

People
Redundant equipment and links and advanced technology are just the beginning of high availability. In PPDIOO, the people component is vitally important too. Staff work habits and skills can impact high availability.

Processes
Sound, repeatable processes can lead to high availability. Continual process improvement as part of PPDIOO plays a role in achieving high availability.

Tools
Use tools that provide performance thresholds and reporting to get a good understanding of how the network behaves in a good state. Also use tools for monitoring network uptime, with triggers that activate in the event of a service or device failure.

Cisco NSF (NonStop Forwarding) with SSO (Stateful SwitchOver)
All you probably need to know is that it’s a supervisor redundancy mechanism in IOS that allows a standby RP (Route Processor) to take over the device after a hardware or software fault on the Active RP. Works at layers 2-4.

Implementing Network Monitoring

This can be through:
– SNMP
– Syslog
– IP SLA

Syslog
If you’ve ever used a Cisco device, you should know what syslog is. The important things to note are that you can change the severity level that gets reported and where messages are sent (local buffer, console, vty lines, or a remote syslog server).

Learn the Syslog severity levels for the exam
It’s the type of thing a question will probably be on. Level 0 = highest severity. Level 7 = Lowest.

Level 0 – Emergency
Level 1 – Alert
Level 2 – Critical
Level 3 – Error
Level 4 – Warning
Level 5 – Notice
Level 6 – Informational
Level 7 – Debug

Emerald Alley Cats Enjoy Whiskas Naturally Insightful Dinners

To time stamp log messages: conf t, service timestamps {log | debug} {datetime [msec] [localtime] [show-timezone] [year] | uptime}. Datetime stamps are only as trustworthy as the switch clock, so pair this with NTP.

Configuring Syslog
To configure a syslog server: logging host x.x.x.x (the short form logging x.x.x.x also works)
To configure which severity gets sent to the server: logging trap level (e.g. logging trap notifications forwards level 5 and anything more severe; the level names are the ones in the table above)
To configure local logs: logging buffered [size] [level], read back with show logging
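A complete logging setup that ties the three commands together with timestamps and a time source, as an added example (mine, not the book’s). The NTP server 10.1.1.10, the collector 10.1.1.60, Loopback0 as the source interface and the 64 KB buffer size are assumptions for illustration:

```cisco
! Added example (not from the book): full logging configuration for a Catalyst switch.
! Assumed: NTP server 10.1.1.10, syslog collector 10.1.1.60, Loopback0 as management source.

! Timestamps are only meaningful with a synced clock
ntp server 10.1.1.10
clock timezone UTC 0
service timestamps log datetime msec show-timezone year
service timestamps debug datetime msec show-timezone year
! Local ring buffer: 64 KB, keep everything down to informational (level 6); "show logging" reads it
logging buffered 65536 informational
! Keep the console quiet: only critical (level 2) and worse
logging console critical
! Remote collector: forward notifications (level 5) and worse, always from the same source address
logging host 10.1.1.60
logging trap notifications
logging source-interface Loopback0
logging origin-id hostname
```

Plain syslog to the collector is UDP/514, unauthenticated and unencrypted, so messages can be spoofed on the wire or silently lost under load. Keep the collector on a protected management network, treat the switch’s own buffer as the fallback record, and use the TCP transport option of newer IOS releases where the collector supports it.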

SNMP

– The only disadvantage the book mentions is that, with polling, there is a delay between the time an event occurs and the time the NMS notices it. There is a trade-off between polling frequency and bandwidth usage.
– SNMP uses UDP: port 161 for manager-to-agent requests, port 162 for traps and informs sent to the manager.

SNMP Versions

– Versions 1 and 2c have no real security: the community string is the only credential and it travels in cleartext, so anyone who can sniff the management traffic can read (RO) or reconfigure (RW) the device.
– Version 3 adds user-based authentication and encryption (see below).

SNMP Message types

1. Get Request – Retrieves value of specific MIB variable
2. Get Next Request – Retrieves the next variable in the MIB tree after the one named (this is how a manager walks a table without knowing its indices)
3. Set Request – Modifies the value of a MIB variable.
4. Get Response – Contains values of requested variable.
5. Trap – Transmits an unsolicited alarm condition

New SNMP Message types in version 2
– Get Bulk Request – Reduces repetitive requests/replies and improves performance when retrieving large amounts of data (e.g. tables)
– Inform Request – Alerts the SNMP manager of specific conditions. Differs from a trap in that the NMS acknowledges an inform, so the agent can retransmit if no ACK arrives; both are carried over UDP, so an unacknowledged trap is simply lost.

SNMPv3 adds
noAuthNoPriv – username only, no authentication and no encryption
authNoPriv – authentication with HMAC-MD5 or HMAC-SHA, no encryption
authPriv – authentication plus encryption of the payload with CBC-DES (IOS also offers 3DES and AES)

Configuring SNMP

1. Configure SNMP access lists (So only authorised hosts have access)
2. Configure SNMP community strings
3. Configure SNMP trap receiver
4. Configure SNMPv3 user

S1(config)#access-list 10 permit 10.1.1.0 0.0.0.255 ← standard ACL: only the NMS subnet may talk SNMP
S1(config)#snmp-server community RO-PASSWORD RO 10
S1(config)#snmp-server community RW-PASSWORD RW 10 ← RW means full config access; leave it out unless the NMS really writes
S1(config)#snmp-server host 10.1.1.50 version 2c RO-PASSWORD ← trap receiver (the command is snmp-server host, not snmp-server trap)
S1(config)#snmp-server enable traps
S1(config)#snmp-server group NMS-ADMINS v3 priv access 10 ← SNMPv3 group bound to the same ACL, authPriv required
S1(config)#snmp-server user nmsuser NMS-ADMINS v3 auth sha AuthSecret1 priv aes 128 PrivSecret1
S1(config)#snmp-server host 10.1.1.50 informs version 3 priv nmsuser ← acknowledged v3 informs instead of unacknowledged cleartext traps

IP Service Level Agreement

An SLA is a contract between the network provider and its customers, or between a network department and internal corporate customers. It provides a form of guarantee to customers about the level of user experience.

Typically, the technical components of an SLA contain a guarantee level for network availability, network performance in terms of round-trip time, and network response in terms of latency, jitter, and packet loss.

Common types of monitoring used by IP SLAs
– Edge to edge network availability monitoring
– Network performance monitoring and network performance visibility
– VoIP, video, and VPN monitoring
– IP service network health readiness or assessment
– MPLS network monitoring
– Troubleshooting of network operation

IP SLA Operations

– The network admin configures a target device, protocol, and UDP or TCP port numbers on the IP SLA source for each operation
– Control messages to a responder can be authenticated with MD5 (authentication, not encryption; the probe traffic itself goes in the clear)
– The target could be a DNS or HTTP server, with the device being any suitable computer.

While the target can be “anything” as such, measurement accuracy is improved with an IP SLA Responder. An IP SLA responder is a device that runs IOS and is configured as an IP SLA measurement responder with the command “ip sla responder” (“ip sla monitor responder” on older IOS releases). The responder only matters for the UDP-based operations (udp-echo, udp-jitter); an ICMP echo probe gets its reply from the target’s own IP stack.

Operation with Responder

1. At the start of the control phase, the IP SLA source sends a control message with the configured IP SLA operation information to IP SLA control port UDP 1967 on the target router. The control message carries information such as protocol, port number, duration, and if configured, MD5 authentication.
2. If the responder processes the control message, it sends an OK message to the source router and listens on the port specified in the control message for a specified duration.
3. If the return code of the control message is OK, the IP SLA operation moves to the probing phase, where it sends one or more test packets to the responder for response time computations. Use “show ip sla statistics” to view.
4. The responder accepts the test packets and responds. Based on the type of operation, the responder might add an “in” timestamp and an “out” timestamp in the response payload to account for CPU time spent in measuring 1-way packet loss, latency, and jitter. These timestamps help the IP SLA source to make accurate assessments on one-way delay, and the processing time in the target routers.

So basically, it’s two stages: the control phase (source asks the target to open a port, target responds) and the probing phase (source sends test IP SLA packets, responder accepts and responds).

IP SLA Timestamps
The IP SLA source uses four timestamps for the round-trip time (RTT) calculation. The source sends a test packet at time T1. The responder records when it received the packet (T2) and when it transmitted the reply (T3) and includes both in the reply payload; the source notes the reply’s arrival as T4. Because of other high-priority processes, routers can take tens of milliseconds to process incoming packets, so the reply to a test packet may sit in a queue while waiting to be processed, which would otherwise inflate the measurement.

The responder’s processing delta (T3 − T2) is then subtracted from the overall RTT: RTT = (T4 − T1) − (T3 − T2).

Configuring IP SLA

1. Configure IP SLA probe.
2. Activate probe.
3. Configure tracking object.
4. Configure action on tracking object.

Example
S1(config)#ip sla 11 ← newer IOS syntax; older releases use “ip sla monitor 11” and “type echo protocol ipIcmpEcho”
S1(config-ip-sla)#icmp-echo 10.1.1.1 source-interface FastEthernet0/1
S1(config-ip-sla-echo)#frequency 10
S1(config-ip-sla-echo)#exit
S1(config)#ip sla schedule 11 life forever start-time now
S1(config)#track 1 ip sla 11 reachability
S1(config)#interface Vlan10
S1(config-if)#standby 10 track 1 decrement 20 ← step 4, the action: here an HSRP priority decrement (HSRP is covered later in the chapter)

S2(config)#ip sla responder ← only needed for udp-echo/udp-jitter probes; an ICMP echo is answered by any IP host

Verify: show ip sla statistics, show ip sla configuration, show track

Implementing Redundant Supervisor Engines in Catalyst Switches
The next 8ish pages are on this. I’m pretty confident the exam won’t have anything on this, so hardly any notes.

– Found in Catalyst 4500 and 6500.

Supports:
– RPR (Route Processor Redundancy) and RPR+ – no longer the preferred option; NSF with SSO is best.
– SSO (Stateful SwitchOver)
– NSF (Nonstop Forwarding) with SSO

NSF Offers:
– Improved network availability: NSF continues forwarding network traffic and application state information so that user traffic is not interrupted after a Supervisor switchover.
– Overall network stability: Improved by maintaining routing protocol neighbor relationships during Supervisor failover.

Understanding First Hop Redundancy Protocols

Refers to Default Gateway redundancy.

Covers:
– HSRP
– VRRP
– GLBP

Proxy ARP
Before a default gateway was supported on most IP clients, networks relied on the proxy ARP feature to reach IP devices outside the IP client’s subnet.

From wikipedia: Proxy ARP (Address Resolution Protocol) is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic’s destination, and offers its own MAC address in reply, effectively saying, “send it to me, and I’ll get it to where it needs to go.” Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy.

Static Default Gateway
Now that a default gateway is configured on most devices, the Proxy ARP feature is not used any more. Nevertheless, each client receives only one default gateway; there is no means by which to configure a secondary gateway, even if a second route exists to carry packets off the local segment.

Hot Standby Router Protocol (HSRP)
– Cisco Proprietary

With HSRP configured between a set of routers, they work in concert to present the appearance of a single virtual router to the hosts on the LAN.

The IP address of the virtual router will be configured as the default gateway for the workstations on a specific IP segment. When frames are to be sent from the host to the default GW, the host uses ARP to resolve the MAC address associated with the IP address of the default gateway. The ARP resolution returns the MAC address of the virtual router.

HSRP active and standby routers send hello messages to multicast address 224.0.0.2, UDP port 1985 (HSRP version 1; version 2 uses 224.0.0.102 on the same port).

All HSRP routers need to be L2 adjacent so that hello packets can be exchanged.

HSRP Roles:
Virtual Router – IP and MAC address pair that end devices have configured as their default GW.

Active Router – Within an HSRP group, one router is elected to be the active router. The active router physically forwards packets sent to the MAC address of the virtual router. There is one active router in an HSRP group.

Standby Router – Listens for periodic hello messages. If it fails to receive a hello, the standby router then assumes the role of the active router. There is one standby router in an HSRP group.

Other Routers – There can be more than two routers in an HSRP group, but only one active and one standby router. All routers in the group contend for the active and standby roles.

HSRP States

Initial
Beginning state. Indicates that HSRP does not run. This state is entered via a config change, or when the associated interface first comes up.
Listen
The router knows the virtual IP address, but the router is neither the active router nor the standby router. It listens for hello messages from those routers.
Speak
Router sends periodic hello messages and actively participates in the election of the active or standby router.
Standby
The router is a candidate to become the next active router and sends periodic hello messages.
Active
The router is currently forwarding packets that are sent to the group virtual MAC address. Router sends periodic hello messages.

When two routers participate in an election process, a priority can be configured to determine which router should be active. Without specific priority configuration, each router has a default priority of 100, and the router with the highest IP address is elected as the active router.

When STP is configured in the network, ensure that the active HSRP router is also the STP Root bridge, otherwise sub-optimal routing may occur.

Configuring HSRP
S1(config-if)#standby X ip x.x.x.x ← Group number is optional. If none is specified, group 0 is used.

HSRP Priority and Preempt
S1(config-if)#standby x priority x ← Priority can be 0-255. Default = 100. Highest = best.

If the routers do not have preempt configured, a router that boots up significantly faster than the others in the standby group becomes the active router, regardless of the configured priority. The former active router can be configured to resume the forwarding router role by preempting a router with a lower priority.

S1(config-if)#standby x preempt [delay {minimum | reload | sync} seconds]

HSRP Authentication
S1(config-if)#standby x authentication [text] string ← plaintext, default key “cisco”; or standby x authentication md5 {key-string key | key-chain name}. Plaintext authentication is only a typo guard, since the key is visible in every hello on the segment. Use MD5 so that a host on the VLAN cannot join the group with a higher priority and take the active role (and all the subnet’s traffic) for itself.

HSRP Timers
By default, HSRP hellotime is 3 seconds, and hold time is 10 seconds, which means that failover time could be as much as 10 seconds for clients to start communicating with the new default GW.

The hold time value should be at least 3 times the value of the hello time. To tune the timers:

S1(config-if)#standby x timers [msec] hellotime holdtime

As mentioned earlier, preempt is an important feature of HSRP that enables the primary router to resume the active role when it comes back online after failure or maintenance event.

If modifying the preempt delay, the recommended value is roughly 50% more than the device’s boot time, so that the router’s uplinks and routing have converged before it takes the active role back.

S1(config-if)#standby 10 preempt delay minimum x

HSRP Versions

Two versions exist and they cannot interoperate within a group (the default is version 1; enable v2 per interface with standby version 2). v1: groups 0–255, hellos to 224.0.0.2, virtual MAC 0000.0c07.acXX (XX = group). v2: groups 0–4095, hellos to 224.0.0.102, virtual MAC 0000.0c9f.fXXX, millisecond timers and IPv6 support.

HSRP Interface Tracking
Interface tracking enables the priority of a standby group router to be automatically adjusted, based on the availability of the router interfaces. When a tracked interface becomes unavailable, the HSRP priority of the router is decreased. When properly configured, the HSRP tracking feature ensures that a router with an unavailable key interface will relinquish the active router role.

In other words, if the active HSRP router loses its own uplink, tracking lowers the active router’s priority below the standby’s, and (provided preempt is configured on the standby) the standby takes over the active role.

To configure:

1. Configure the standby group.
2. Configure priority (default 100).
3. Configure preempt on all devices within the HSRP group.
4. Configure the tracked interfaces and decrement (default decrement 10).

S1(config-if)#standby X track interface-type number [decrement-value] ← older IOS. Newer IOS expects a tracking object instead: track 1 interface GigabitEthernet1/0/1 line-protocol, then standby X track 1 decrement value.

HSRP Object Tracking

HSRP also offers tracking by an object, such as:
– An interface – Like above
– IP route
– A list of different objects
– IP SLA

Multiple HSRP Groups
Multigroup HSRP enables routers to simultaneously provide redundant backup and perform load sharing across different IP subnets. In other words, if at the access layer you have two VLANs, put both distribution switches in both HSRP groups but give each switch the higher priority in a different group, so that each distribution switch is the HSRP active device for one VLAN and the standby for the other.
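The multigroup, preempt, timer, authentication and tracking pieces from the sections above in one place, as an added example (mine, not the book’s). S1 is active for VLAN 10 and standby for VLAN 20; S2 is the mirror image. The switch names, addresses, the key-chain name, and GigabitEthernet1/0/1 as the core uplink are assumptions; object tracking is used instead of the older standby track interface form because that is what newer IOS expects:

```cisco
! Added example (not from the book): multigroup HSRPv2 on two distribution switches.
! Assumed: names, addresses, key-chain name, and Gi1/0/1 as the tracked core uplink.

! ---- S1 ----
key chain HSRP-KEYS
 key 1
  key-string Hsrp-K3y-2024
!
! Tracking object for the uplink (replaces the deprecated "standby track <interface>" form)
track 1 interface GigabitEthernet1/0/1 line-protocol
!
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.1.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 timers msec 250 msec 1000
 standby 10 authentication md5 key-chain HSRP-KEYS
 standby 10 track 1 decrement 20
!
interface Vlan20
 ip address 10.1.20.2 255.255.255.0
 standby version 2
 standby 20 ip 10.1.20.1
 standby 20 preempt delay minimum 60
 standby 20 timers msec 250 msec 1000
 standby 20 authentication md5 key-chain HSRP-KEYS
 standby 20 track 1 decrement 20

! ---- S2 ---- (same key chain and track 1 definition; only the priorities are swapped)
interface Vlan10
 ip address 10.1.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.1.10.1
 standby 10 preempt delay minimum 60
 standby 10 timers msec 250 msec 1000
 standby 10 authentication md5 key-chain HSRP-KEYS
 standby 10 track 1 decrement 20
!
interface Vlan20
 ip address 10.1.20.3 255.255.255.0
 standby version 2
 standby 20 ip 10.1.20.1
 standby 20 priority 110
 standby 20 preempt delay minimum 60
 standby 20 timers msec 250 msec 1000
 standby 20 authentication md5 key-chain HSRP-KEYS
 standby 20 track 1 decrement 20
```

The decrement of 20 is chosen so that losing the uplink drops the active switch from 110 to 90, below the peer’s default 100, which is what lets the peer preempt; a decrement that leaves the priority above 100 would change nothing. The 60-second preempt delay stops a rebooting switch from grabbing the active role before its uplink is forwarding, and the hold time of 1000 ms keeps the 3× rule against the 250 ms hello. Check the result with show standby brief: both switches should show the P (preempt) flag, and each should be Active for exactly one group.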

HSRP Monitoring

– show standby brief
– show standby
– show standby neighbors vlan X

Virtual Router Redundancy Protocol (VRRP)
The open-standard (IETF, RFC 3768/5798) version of HSRP, so it works between vendors.

Comparison with HSRP
– A HSRP group has one active router, one standby router, and potentially many listeners
– A VRRP group has one master router, and one or more backup routers.
– HSRP has a maximum of 16 groups. VRRP allows 255.
– In HSRP, the virtual IP is different from the active and standby routers’ real IP addresses. In VRRP, the virtual IP can be the same as one of the group members’ real IP addresses.
– HSRP sends hellos to 224.0.0.2 over UDP 1985 (224.0.0.102 for v2). VRRP uses 224.0.0.18 and its own IP protocol number, 112, rather than UDP.
– VRRP timers are a lot shorter by default (1 s advertisement interval versus HSRP’s 3 s hello).
– HSRP can track interfaces or objects. VRRP can only track objects.

VRRP features

– VRRP provides redundancy for the real IP address of a router or for a virtual IP address shared among the VRRP group members.
– If a real IP address is used, the router with that address becomes the master. If a virtual IP address is used, the master is the router with the highest priority.
– A VRRP group has one master router and one or more backup routers. The master router uses VRRP messages to inform group members that it is the master.

– If the Virtual IP is set to that of a physical interface, the router with that config is set to the VRRP Master with a priority of 255. Default backup priority is 100.

– The priority value 0 can not be configured, and indicates that the current master has stopped participating in VRRP. This setting is used to trigger backup routers to quickly transition to the master without having to wait for the current master to time out.

– With VRRP, only the master sends out hellos.

VRRP Transition Process
– 3 timers: Advertisement interval (1 second by default), Master Down interval (3 × advertisement interval + skew time, so just over 3 seconds with the defaults), and skew time ((256 − priority) / 256 seconds, which ensures that the backup router with the highest priority wins because it waits the shortest time).

In the case of an orderly shutdown of the VRRP Master, it sends an advertisement with a priority of 0. This priority setting then triggers the backup router to take over quicker by waiting only the skew time instead of the master down interval.

VRRP Configuration

S1(config-if)#vrrp 10 ip 10.1.10.1 ← virtual gateway IP; if it equals this interface’s own address the router becomes master with priority 255
S1(config-if)#vrrp 10 priority 110 ← 1–254, default 100
S1(config-if)#vrrp 10 preempt ← on by default in VRRP, shown for clarity
S1(config-if)#vrrp 10 timers advertise 1 ← seconds (default 1)
S1(config-if)#vrrp 10 timers learn ← backups learn the advertisement interval from the VRRP master
S1(config-if)#vrrp 10 authentication md5 key-string VRRP-SECRET ← keyed hash; plaintext authentication is as sniffable as with HSRP

Verify:
show vrrp interface vlan X (or show vrrp brief)

The main difference between VRRP and HSRP is that the backup router does not send advertisements. Therefore the VRRP master is not aware of the current backup router.

Gateway Load Balancing Protocol

Cisco Proprietary solution created to enable automatic selection and simultaneous use of multiple available gateways in addition to automatic failover between those gateways.

HSRP is typically used in Cisco networks as usually there are only two gateways for any subnet. GLBP can be used if more than two gateways exist for a subnet, to load share across the gateways.

GLBP Functions

– GLBP active virtual gateway (AVG) – Members of a GLBP group elect one gateway to be the AVG for that group.

– GLBP active virtual forwarder (AVF) – Each gateway assumes responsibility for forwarding packets that are sent to the virtual MAC address assigned to that gateway by the AVG. These gateways are known as AVFs for their virtual MAC address.

– GLBP communication: GLBP members send hello messages to each other via multicast 224.0.0.102 (UDP port 3222) every 3 seconds by default, with a 10-second hold time.

GLBP Features

– Load sharing
Multiple routers can share traffic from LAN clients

– Multiple virtual routers
Supports up to 1024 virtual routers (groups) on each physical interface and up to four virtual forwarders per group.

– Preemption
Enables you to preempt an AVG with a higher priority backup virtual gateway that has become available.

– Efficient resource utilization
Makes it possible for any router in a group to serve as a backup, which eliminates the need for a dedicated backup router.

GLBP Operations

– The members of the GLBP group elect one gateway to be the AVG for that group. Other members of the group provide backup for the AVG if it becomes unavailable.
– The AVG assigns a virtual MAC address to each member of the GLBP group. Each router becomes the AVF for frames addressed to its own virtual MAC address.
– As clients send ARP requests for the address of the default gateway, the AVG answers with one of these virtual MAC addresses, so different clients are pointed at different forwarders while all share the single virtual IP.
– A GLBP group can have up to four forwarders (AVFs), as noted above.

Load Balancing Methods

– Weighted load-balancing algorithm
– Host-dependent load-balancing algorithm (a given host always gets the same AVF, useful where a client caches the ARP entry and must not flap between MACs)
– Round-robin load-balancing algorithm (the default)

GLBP, like HSRP, is also capable of being configured using interface tracking.

GLBP Weighting Mechanism

– Differs from HSRP/VRRP, which use a single priority and a single decrement.
– With GLBP each gateway has a weight (default 100), and two thresholds are defined on it.
– A lower threshold: when tracked objects fail and the weight drops below it, the router stops acting as an AVF for its virtual MAC.
– An upper threshold: the router only becomes an AVF again once its weight has risen back above this value.
– The gap between the two thresholds is hysteresis, which stops a flapping uplink from bouncing clients between forwarders; that is the flexibility a single-threshold system lacks.

Do a google if you want to know more on this. I’m taking a bet it won’t be in the exam.

GLBP Configuration

S1(config-if)#glbp 10 ip 10.1.10.1
S1(config-if)#glbp 10 priority 110 ← AVG election: highest wins, default 100
S1(config-if)#glbp 10 timers 1 3 ← hello 1 s, hold 3 s (defaults 3/10)
S1(config-if)#glbp 10 load-balancing host-dependent ← or round-robin (default) or weighted
S1(config-if)#glbp 10 weighting 100 lower 70 upper 90 ← give up the AVF role below 70, resume it above 90
S1(config-if)#glbp 10 weighting track 1 decrement 40 ← object 1 is a tracked uplink (track 1 interface ... line-protocol)

Cisco IOS Server Load Balancing

– layer 4 – 7 switching feature
– Again, I doubt this is in the exam so haven’t made any notes on it.