Thursday, September 22, 2016


HSRP Configuration

We want switch SW2 to be the active HSRP router for this topology, and the virtual IP address that we are going to be servicing is, I assume that we have already configured the interfaces with IP addresses and protocol.

HSRP initial Configuration on Multilayer Switch SW2: -   
Ø  SW2(config)#interface fastethernet 0/3
Ø  SW2(config-if)#description CONNECTED WITH SW1
Ø  SW2(config-if)#standby 10 ip
ü  10 :- HSRP Group Number
ü IP Address
ü  This teaches the interface the virtual IP address
Ø  SW2(config-if)#standby 10 priority 110
ü  Setting a higher priority on SW2 makes it the active router
Ø  SW2(config-if)#standby 10 preempt
ü  If I lose my active role for whatever reason, and the condition that caused me to lose it is then repaired, I am ready to become the active router again. To reclaim the active role, we need to use the “preempt” option.

HSRP initial Configuration on Multilayer Switch SW3: -   
Ø  SW3(config)#interface fastEthernet 0/3
Ø  SW3(config-if)#description CONNECTED WITH SW1
Ø  SW3(config-if)#standby 10 ip
Ø  SW3(config-if)#standby 10 preempt
Now we are done with the initial HSRP configuration.

Verification: -
    1.      First, use the “tracert” command on PC1 to verify the path
    2.      Then run a continuous ping on the PC using “ping -t
    3.      Third, shut down the port on “SW2 fastethernet 0/3”
    4.      And then observe the change using “ping” and “tracert”

Troubleshooting and Verification command: -
    Ø  SW#show standby brief
    Ø  SW#show standby fastethernet 0/3
    Ø  SW#debug standby terse        - Enables the debug output
    Ø  SW#undebug all                - Disables the debug command

HSRP State: -

   Ø  Initial State: - The HSRP state of an interface after it first comes up or has undergone a configuration change.
   Ø  Listen State: - The HSRP state of an interface after the router knows the virtual IP address and the interface is listening for Hello messages.
   Ø  Speak State: - The HSRP state of an interface when it is sending Hello messages and is participating in the Active/Standby election.
   Ø  Standby State: - The HSRP state of an interface when it is the candidate to become the next active router and is sending Hello messages.
   Ø  Active Router: - The HSRP state of an interface when it is actively forwarding packets for the virtual IP address and the virtual MAC address, and is also sending Hello messages.

How to Change HSRP Hello Timer: -
   Ø  SW2(config)#interface fastethernet 0/3
   Ø  SW2(config-if)#standby version 2
ü  HSRP Timer Change works on HSRP Version 2
   Ø  SW2(config-if)#standby 10 timers msec 200 600
ü  The Hello timer is 200 msec, and the Hold timer must be at least 3 times greater than the Hello timer

Same Timers Configuration on SW3: -
   Ø  SW3(config)#interface fastethernet 0/3
   Ø  SW3(config-if)#standby version 2
   Ø  SW3(config-if)#standby 10 timers msec 200 600

Now that we are running HSRP version 2, we have a different MAC address.
HSRP (v1) MAC Address: -
MAC Address   0000.0c07.acXX
ü  0000.0c :- Cisco Vendor ID
ü  07.ac :- HSRP Version 1 ID
ü  XX :- HSRP (v1) Group Number

HSRP (v2) MAC Address: -
MAC Address     0000.0c9f.fXXX
ü  0000.0c :- Cisco Vendor ID
ü  9f.f :- HSRP Version 2 ID
ü  XXX :- HSRP (v2) Group Number
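
The two MAC layouts above can be encoded and decoded mechanically, which is handy when reading ARP or MAC tables to see which gateway addresses belong to HSRP groups. This is an added example, not part of the original post; the function names and the ARP sample (laid out like "show ip arp" output) are constructed for illustration.

```python
import re

def hsrp_virtual_mac(version, group):
    """Build the virtual MAC (Cisco dotted notation) for an HSRP version and group."""
    if version == 1 and 0 <= group <= 255:      # v1: two hex digits of group
        return "0000.0c07.ac%02x" % group
    if version == 2 and 0 <= group <= 4095:     # v2: three hex digits of group
        return "0000.0c9f.f%03x" % group
    raise ValueError("group %r is out of range for HSRP version %r" % (group, version))

def parse_hsrp_mac(mac):
    """Return (version, group) if mac is an HSRP virtual MAC, else None."""
    digits = re.sub(r"[.:-]", "", mac).lower()  # accept dotted, colon or dash notation
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    if digits.startswith("00000c07ac"):         # Cisco vendor ID + HSRP v1 ID
        return 1, int(digits[10:], 16)
    if digits.startswith("00000c9ff"):          # Cisco vendor ID + HSRP v2 ID
        return 2, int(digits[9:], 16)
    return None

# Constructed sample in the layout of "show ip arp" output (not from the post).
SAMPLE_ARP = """\
Internet  192.0.2.1    -   0000.0c07.ac0a  ARPA  FastEthernet0/3
Internet  192.0.2.2    -   001b.54aa.0102  ARPA  FastEthernet0/3
Internet  192.0.2.65   12  0000.0c9f.f064  ARPA  Vlan100
"""

def hsrp_entries(arp_text):
    """List (ip, version, group) for every ARP entry whose MAC is an HSRP virtual MAC."""
    found = []
    for line in arp_text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            parsed = parse_hsrp_mac(fields[3])
            if parsed:
                found.append((fields[1], *parsed))
    return found

if __name__ == "__main__":
    for entry in hsrp_entries(SAMPLE_ARP):
        print(entry)
```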

The Multicast address used to send HSRP messages has now changed
 HSRP Version
Multicast Address
HSRP Version 2
Support IPv6

Next, let’s demonstrate a feature that we talked about earlier called “Interface Tracking”.
Notice in the picture that if switch SW2 were to lose fastethernet 0/1, it would no longer be the best choice to get out to the internet. However, SW2 would still be able to send SW3 Hello messages, and as a result it would still be the active router. What we can do is tell HSRP to track the state of that interface and, if that interface goes down, decrement our priority. Remember, we have a priority of 110; we can say “if this interface goes down, then decrement the priority by 20”. That would take us from 110 down to 90, which is lower than the priority of switch SW3. Here is how we do that.

   Ø  SW2(config)#interface fastethernet 0/3
   Ø  SW2(config-if)#description CONNECTED WITH SW1
   Ø  SW2(config-if)#standby 10 track fastEthernet 0/1 20
ü  20 :- Decrement Value

Verification: -
   Ø  SW2(config)#interface fastethernet 0/1
   Ø  SW2(config-if)#shutdown
   Ø  SW2(config-if)#do show standby brief
As a result, we are now in the “Standby State”.

Switch SW3 has now taken over as the active router because the interface going out to the internet went down.
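
The failover just described depends on both the tracking decrement and the “preempt” option. The following added example (not part of the original post) is a simplified model of the active-router decision using the post's priorities: 110 on SW2, the default 100 on SW3, and a decrement of 20. The interface IP addresses and the class and function names are assumptions made for illustration.

```python
class HsrpRouter:
    def __init__(self, name, ip, priority=100, preempt=False, track=None):
        self.name, self.ip = name, ip
        self.base_priority = priority      # 100 is the IOS default
        self.preempt = preempt
        self.track = track or {}           # tracked interface -> decrement
        self.down = set()                  # tracked interfaces currently down

    @property
    def priority(self):
        # Effective priority = configured value minus decrements of failed tracks
        return self.base_priority - sum(
            dec for intf, dec in self.track.items() if intf in self.down)

def rank(router):
    # Highest priority wins an election; highest interface IP breaks a tie
    return router.priority, tuple(int(o) for o in router.ip.split("."))

def next_active(routers, current):
    """Simplified model: who is active after the routers exchange Hellos."""
    if current is None:                    # nobody active yet: plain election
        return max(routers, key=rank)
    # An active router that still sends Hellos is displaced only by a
    # higher-priority router that has "preempt" configured.
    challengers = [r for r in routers
                   if r.preempt and r.priority > current.priority]
    return max(challengers, key=rank) if challengers else current

def scenario(sw2_preempt=True, sw3_preempt=True):
    """Replay the post's test: Fa0/1 on SW2 fails, then is repaired."""
    sw2 = HsrpRouter("SW2", "192.0.2.2", 110, sw2_preempt, {"Fa0/1": 20})
    sw3 = HsrpRouter("SW3", "192.0.2.3", 100, sw3_preempt)
    routers, history = [sw2, sw3], []
    active = next_active(routers, None)
    history.append((active.name, sw2.priority))
    sw2.down.add("Fa0/1")                  # tracked uplink fails: 110 - 20 = 90
    active = next_active(routers, active)
    history.append((active.name, sw2.priority))
    sw2.down.discard("Fa0/1")              # uplink repaired: back to 110
    active = next_active(routers, active)
    history.append((active.name, sw2.priority))
    return history

if __name__ == "__main__":
    print(scenario())                      # both switches preempt, as in the post
    print(scenario(sw3_preempt=False))     # SW3 cannot take over at priority 90
    print(scenario(sw2_preempt=False))     # SW2 cannot reclaim the active role
```

Each history entry is the active router's name together with SW2's effective priority at that step, so the three runs show why “preempt” is configured on both switches.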
There is a more advanced type of tracking called “Enhanced Object Tracking”.
It lets us do things like decrement the priority in the event of a certain network condition, such as a route disappearing from the IP routing table, or the metric of a route exceeding a certain value. Let’s see how to set it up.

   Ø  SW2(config)#track 2 ip route reachability
ü  2:- Track Number (any number)
ü - A Route for an Example
ü  Reachability: - means it’s reachable or not

Now link it to the HSRP process
   Ø  SW2(config)#interface fastethernet 0/3
   Ø  SW2(config-if)#standby 10 track 2 decrement 20
ü  10:- HSRP(Standby)Group Number
ü  2:- Track Number
ü  20:- Decrement Value
“If tracking object number 2, which is checking the reachability of the route ( Network for e.g.), is in a down condition, my priority is going to be decremented by 20”.

Verification: -
   Ø  SW2#show standby fastethernet 0/3
If we lose that route ( for e.g.) from our IP routing table, our priority will automatically be decremented, which means we are no longer going to be the active router. We will be in the Standby state, and the active router will be switch SW3.
At this point we have seen the basics of HSRP. But what is to prevent somebody from adding a “rogue HSRP router” to our network, setting its priority really high, and then taking over the active role, causing traffic to flow through their device? At this point, nothing prevents that from happening. To prevent it, we can enable authentication for an HSRP group. Let’s set it up between switches SW2 and SW3.

HSRP supports a couple of authentication types:
   1.      Plain Text
   2.      MD5
We probably do not want to be sending plain-text authentication across the network, because if somebody captures those packets, they can clearly read it.
It is usually better to use MD5, because that runs a hashing algorithm on the string. Each side runs the hashing algorithm, and they compare hash values. If the hash values are equal, they have some assurance that the other device has the same string. Let’s set this up on switch SW2.
   Ø  SW2(config)#interface fastethernet 0/3
   Ø  SW2(config-if)#standby 10 authentication md5 key-string $3cr3T
ü  $3cr3T :- The password

SW3 Authentication Configuration: -
   Ø  SW3(config)#interface fastethernet 0/3
   Ø  SW3(config-if)#standby 10 authentication md5 key-string $3cr3T

Verification: -
   Ø  SW#show standby fastethernet 0/3
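
To confirm that every HSRP group on a device is protected the same way, a saved configuration can be checked for groups that have no authentication or only plain-text authentication. This is an added example, not part of the original post; the function names and the sample configuration (addresses and VLAN interfaces) are constructed for illustration.

```python
import re

# Optional group number (IOS defaults to group 0), then the sub-command keyword
STANDBY = re.compile(r"^\s+standby\s+(?:(\d+)\s+)?(\S+)(?:\s+(.*))?$")

def audit_hsrp_auth(config_text):
    """Map (interface, group) -> 'md5', 'text' or 'none' for each HSRP group."""
    groups, iface = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            continue
        if line and not line.startswith(" "):
            iface = None                       # left the interface block
            continue
        m = STANDBY.match(line)
        if not m or iface is None:
            continue
        key = (iface, int(m.group(1) or 0))
        keyword, rest = m.group(2), m.group(3) or ""
        if keyword in ("ip", "ipv6"):
            groups.setdefault(key, "none")     # group exists; auth not seen yet
        elif keyword == "authentication":
            groups[key] = "md5" if rest.split()[:1] == ["md5"] else "text"
    return groups

def weak_groups(config_text):
    """HSRP groups that do not use MD5 authentication, sorted for reporting."""
    return sorted((i, g, mode) for (i, g), mode in
                  audit_hsrp_auth(config_text).items() if mode != "md5")

# Constructed sample configuration (addresses and VLAN interfaces are made up).
SAMPLE_CONFIG = """\
interface FastEthernet0/3
 standby version 2
 standby 10 ip 192.0.2.1
 standby 10 authentication md5 key-string $3cr3T
!
interface Vlan100
 standby 100 ip 192.0.2.129
 standby 100 authentication text cisco
!
interface Vlan200
 standby 200 ip 192.0.2.193
 standby 200 preempt
"""

if __name__ == "__main__":
    print(weak_groups(SAMPLE_CONFIG))
```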
Now let’s wrap up this topic using our network architecture. Let’s think about a couple of design issues surrounding HSRP.
   1.      Let’s think about the interaction between “HSRP and STP (Spanning Tree Protocol)”. If we have switches interconnected in a redundant fashion where we are running STP, we need to realize that STP has no knowledge of HSRP. It is possible to have STP blocking the link that is our best path, the link that leads directly to our active HSRP router, and that could cause our traffic to take a suboptimal path to get to that active router. So here is Cisco’s best-practice recommendation:

Cisco says: take the Layer 3 switch that is acting as the “HSRP Active Router” for a VLAN, and make it the same switch that is acting as the “Spanning Tree Protocol Root Bridge” for that VLAN. That way, traffic in that VLAN takes an optimal path to get to the HSRP active router.
    2.       HSRP Load-Balancing: We know that “Per-VLAN Spanning Tree Protocol” allows us to have different STP instances for different VLANs.

Similarly, we can have different “HSRP groups for different VLANs”. That gives us a form of load balancing. For example, we might assign interface “VLAN 100 to HSRP group 100” and interface “VLAN 200 to HSRP group 200”. Then we can have one switch be the active router for HSRP group 100 and the other switch be the active router for HSRP group 200. That lets both of these Layer 3 switches actively forward traffic, instead of having one of them just standing by, waiting for the other to fail.
