Cisco CCNP SWITCH 642-813

Redundancy in the Campus: HSRP, VRRP, and GLBP Part 2

by Jeremy Cioara

00:00:00 - We are continuing on to make our campus network redundant by
00:00:04 - using VRRP and GLBP. We are going to pick up here where we left
00:00:10 - off in the previous video. Wrapping up HSRP and moving into VRRP,
00:00:15 - essentially the same thing as HSRP, with a couple different commands.
00:00:19 - And then we will look at what's different in GLBP. This is the
00:00:23 - newest protocol on the block that allows the load balancing.
00:00:26 - Of course, as always, we will be doing the configuration and
00:00:29 - verification of all of these protocols.
00:00:33 - VRRP, or the virtual router redundancy protocol, is a good place
00:00:38 - to start because as I mentioned this one is nearly identical
00:00:42 - to HSRP with different terms, that's my side title, terminology
00:00:47 - shift and just a couple slightly different features. So first
00:00:52 - off active standby. Meaning in HSRP we have an active router
00:00:56 - and standby routers. The new terms are master and backup. If
00:01:00 - you remember we had VLAN-70 or interface VLAN-70 configured.
00:01:04 - This one was .2 over here. This one was VLAN-70 and this was
00:01:10 - .3. And this was in the previous HSRP video I am getting all
00:01:13 - this from. This I made the .2
00:01:16 - the active HSRP router and this one the standby. Now I just call
00:01:20 - it the master and the backup. The standby group, that's how we
00:01:25 - configured it in HSRP, now becomes the VRRP group, so slight
00:01:29 - terminology shift there. This one, the third one, is a feature.
00:01:33 - The master router can share the virtual IP address. So in HSRP
00:01:39 - we had .2 and .3 and they both responded for .1, this one being
00:01:45 - the active and this one being the standby. But in VRRP you can
00:01:49 - actually set it up to where the master, or the active router,
00:01:52 - the number one router on the block, uses .1 as its actual IP
00:01:59 - address. The others will have their IP addresses and take over
00:02:03 - for the .1 IP address if this one should go offline. Of course
00:02:07 - it is going to have that virtual MAC address in the same way.
00:02:10 - So they all take over for the MAC address not to cause any ARP
00:02:13 - cache timer issues as well. So I don't know if I like that or
00:02:18 - not, but it's a cool feature. I guess you don't have to use it,
00:02:21 - but it's there for you to actually assign the virtual IP as the
00:02:26 - real IP address for one of the routers; the one that is the master,
00:02:30 - or the top dog on the stack. Last one is that VRRP came out five
00:02:36 - years later than HSRP. So it has better timers by default. A
00:02:42 - one second hello time and then three times a hello is the downtime,
00:02:46 - plus what's known as the skew. So, if you remember in
00:02:52 - HSRP I was saying by default it was once every three seconds.
00:02:56 - Then I said, "Well you can tune it down to a 1 second hello"
00:02:58 - and I recommended a 4 second down time or hold down timer because
00:03:05 - that will allow you to miss three full hellos before taking
00:03:09 - over and considering them down; because if we said 3 second was
00:03:12 - the down timer then we would only be able to miss two hellos.
00:03:16 - So VRRP made it a little better by adding this thing known as
00:03:20 - the skew timer. This is weird; the formula for it. But what it
00:03:25 - is you have the dead timer, or hold down time, being three times
00:03:31 - the hello. So that's 3 seconds for the dead timer, plus the skew
00:03:36 - which is 256
00:03:39 - minus the priority of the router. So we will say default priority
00:03:43 - of 100 so that's 156
00:03:46 - divided by 256.
00:03:51 - And by the way all of these are in milliseconds.
00:03:54 - So, that would be 156 milliseconds divided by 256 equals some
00:04:00 - random number that it adds on to the timer. It would be some
00:04:04 - partial millisecond value of, you know I will just throw one
00:04:07 - out there, .015
00:04:10 - or something like that. So it actually waits slightly longer
00:04:14 - than 3 seconds before considering somebody down, allowing that
00:04:17 - third hello the time to get in and make its way in there and
00:04:21 - be processed before it takes over as the master router.
00:04:27 - To demonstrate VRRP I am going to be using my 2800 series router
00:04:31 - because Cisco decided not to implement VRRP or GLBP for that
00:04:37 - matter on the 3550 series switches; again, one of those good
00:04:40 - reasons to know about HSRP, because it is supported on about
00:04:44 - all Cisco platforms. So three steps and they are nearly identical
00:04:50 - to HSRP. We configure a VRRP group just like a standby group.
00:04:55 - Optimize the settings that deal with the timers and so on. It's
00:04:58 - a little easier than VRRP and I will show you that. And then
00:05:01 - we can verify those settings. So let me bring up my router. I
00:05:03 - am just going to go under, and remember on a router it is the
00:05:07 - same exact thing as a switch. It's just we are using a real interface
00:05:11 - instead of a virtual one. So I am going to go under my fastethernet0/0
00:05:15 - and let me just do a VRRP. And we type in our group number just
00:05:20 - like HSRP. So I will say VRRP 20, group number 20. And then underneath
00:05:27 - there, just about the same settings you can see event tracking.
00:05:30 - That's for our interface tracking. Shutdown to turn it off, IP
00:05:34 - preempt priority, same commands. So I am just going to type in
00:05:38 - IP address and let's do 172.30.4.90
00:05:45 - enter. And that creates the VRRP group. From there we can set
00:05:51 - our preempt, you know VRRP 20 preempt
00:05:56 - options. We can set our priorities exactly the same as HSRP.
00:05:59 - I don't want to repeat too much of the information so let me
00:06:01 - show you what's different; the timers in VRRP. If I type in VRRP
00:06:08 - 20 timers you are going to see that we have two settings, advertise
00:06:13 - and learn. Now we just saw in the previous slides that VRRP's
00:06:19 - hello timer by default is once every second and the dead timer
00:06:23 - is once every, well I should say, once every three times the hello
00:06:28 - timer right. The reason it is that is because you can't actually
00:06:32 - set the down timer. Meaning when we were playing with HSRP we
00:06:37 - had the option to go in and say I will set the hello timer and
00:06:41 - I will set my hold down timer or dead timer. And VRRP you don't
00:06:46 - have that option. We just set the hello timer and it figures
00:06:50 - out the dead timer based on what we said. Furthermore we have
00:06:54 - two options: advertise and learn. The good news is we only have
00:06:58 - to set the timers
00:07:01 - on the master device, meaning the one that is the primary for
00:07:06 - the group. All the others by default are set to learn so they
00:07:10 - will learn their hello timer and figure out their dead timer
00:07:13 - based on what the master is using. That is a bonus compared to
00:07:18 - HSRP because in HSRP you have to go and make sure the timers
00:07:21 - are the same on all the routers. So let me just show you. If
00:07:25 - this is the master router I just say, "Advertise". We have our
00:07:28 - option of using seconds or we can drop down to the milliseconds.
00:07:31 - So I will say "Advertise in milliseconds". And then I can type
00:07:34 - in how, what my low level milliseconds are. Oh, take a look
00:07:38 - at that; can't go as low as HSRP, that's 15 milliseconds. So
00:07:42 - we will say, you know, once every 100 milliseconds it's going
00:07:45 - to send out a hello. And notice no option for a hold down timer.
00:07:49 - We just hit enter and it figures out the hold down timer for
00:07:52 - us. Likewise all the others' default states are on learn as I
00:07:56 - was mentioning. So they are going to learn that hello timer from
00:07:59 - the master. To verify this I can just go back and do a show VRRP
00:08:04 - and that's it. Similar output to HSRP. You can see the state
00:08:08 - is master instead of the active router. Virtual IP address, virtual
00:08:13 - MAC address. Different group of MAC addresses that it is using.
00:08:16 - Advertisement interval is right there. The preemption is turned
00:08:20 - on by default. I didn't uh, did I type that in? Wait a second.
00:08:25 - Yes I did type that in. Because I was thinking, "That's not on
00:08:28 - by default". So it is on by default, priority master router.
00:08:32 - That's me, priority is this and I am advertising once every this
00:08:36 - number of seconds. And the down timer is .909
00:08:41 - seconds. Now I know I was saying it's three times the hello timer
00:08:44 - and it is. This is just the master saying, "If I'm finding that
00:08:48 - some process has crashed on me in less than a second, I am going
00:08:53 - to, uh,
00:08:55 - adjust, adjust my priority and let somebody else take over".
00:08:59 - This is a cool feature
00:09:01 - of VRRP. If, if the
00:09:05 - master notices one of its tracked interfaces goes down. For
00:09:10 - instance, we talked about interface tracking and HSRP when we
00:09:15 - said that it decrements the priority. When we are running in
00:09:19 - VRRP it will actually set its priority to zero. That's one of
00:09:23 - the options we can do which immediately all the other routers
00:09:26 - are going to see the priority completely zero out on the master
00:09:30 - and the next one up in line is going to take over immediately.
00:09:33 - So again, just like we saw when we demonstrated HSRP it was a
00:09:37 - flawless transition between routers.
00:09:40 - That's the scoop with VRRP. And I don't want to go too long on
00:09:44 - that just because it is nearly identical to HSRP in the config.
00:09:48 - GLBP, the Gateway Load Balancing Protocol on the other hand,
00:09:53 - is a little bit different. So it merits some discussion of what
00:09:57 - those differences are. In GLBP we have the ability to load balance
00:10:03 - between our gateways. Instead of having one active and one standby,
00:10:07 - or in the VRRP terms, one master and the others backup. The
00:10:13 - GLBP can have a multi active scenario where both of them are
00:10:16 - responding to requests. Now that can be completely equal load
00:10:21 - balancing like you take 50 and I'll take 50. Or we could end
00:10:24 - up having unequal load balancing. For example maybe, I know this
00:10:29 - is a switch so it's kind of hard to compare on this one. But
00:10:31 - if we were in a routed world, maybe you had one with a T, a dual
00:10:36 - T1 line, how's that, or two T1 lines that are bound together
00:10:39 - through multi-link PPP? A backup router has a single T1 line
00:10:44 - that is just straight to the internet. Well what we can do is
00:10:47 - set up GLBP to where it will naturally load balance essentially
00:10:51 - two-thirds of the traffic to the dual T1 connection and a third
00:10:55 - of the traffic over to the single T1. So you can do some intelligent
00:10:59 - load balancing here. And the way it works is it's awesome, check
00:11:03 - this out. When GLBP is set up you set up a single VIP with multiple
00:11:09 - MAC addresses. Now right there that's a difference from the VRRP
00:11:14 - and HSRP that we saw before. In that world we had a single VIP
00:11:19 - and a single virtual MAC address as well. That everybody kind
00:11:23 - of took the responsibility for as routers dropped off. So if
00:11:27 - the master died the backup would take over the master's IP and
00:11:31 - MAC address, not so here. Look at the picture. We have a single
00:11:35 - virtual IP, 70.1.
00:11:39 - Multiple virtual MAC addresses representing the different routers.
00:11:44 - Now this is the way it works. You will have a single active virtual
00:11:50 - gateway or an AVG that acts as the point man for the network.
00:11:54 - Now let me explain what the point man does. The point man manages
00:11:59 - the MAC address pools. It knows about all the other virtual MAC
00:12:04 - addresses that the, I guess you could call them "backup routers"
00:12:08 - are using. Now they are not really backup routers anymore because
00:12:11 - they are actively forwarding traffic so let me follow through
00:12:14 - with a packet trace here. Let's say this guy's default gateway;
00:12:18 - this server right here is set to 70.1. The first time he accesses
00:12:23 - an internet destination it's going to send out a what? ARP message
00:12:26 - right, who is 172.30.70.1?
00:12:30 - This router gets the ARP message and says, "Oh that's me, let
00:12:34 - me send you my virtual MAC address". Now this is the AVG, the
00:12:39 - active virtual gateway for the network. So it sends back the
00:12:43 - virtual MAC address for itself. Meanwhile this server over here
00:12:47 - says, "I want to access the internet ARP to what 70.1". It goes
00:12:51 - to the active virtual gateway again. So, the follow, I guess
00:12:55 - follow my arrow here. It is coming over here because this is
00:12:58 - the router taking responsibility for that single virtual IP address,
00:13:03 - but when it replies to the ARP message. Are you seeing what direction
00:13:07 - we are going here? It's going to give the virtual MAC address
00:13:11 - of its buddy. It's going to be like, "Hey I am, swoosh" and it
00:13:15 - just shuffles over to the virtual MAC address of one of the load
00:13:17 - balance gateways. It will naturally do that based on the scale
00:13:22 - that you have set up. Meaning you can just use a Round Robin
00:13:25 - system. Maybe, you know, this one goes first. This one goes second.
00:13:30 - You have got a third one that goes third. Then it loops back
00:13:31 - around, first one, second one, third one. Just go in a completely
00:13:34 - Round Robin. We could set it up in a host dependent system to
00:13:39 - where it's based on the MAC addresses of the host trying to make
00:13:43 - sure every MAC address that requests gets a different virtual
00:13:47 - MAC address. For instance, this came from one MAC address and
00:13:50 - it's going to go up to this host. And then maybe the next MAC
00:13:54 - address goes to the next host. So it differentiates based on
00:13:57 - the MAC address that is asking for the virtual MAC of GLBP. Or
00:14:04 - you could do a weighted load balancing algorithm. You could just
00:14:08 - say, "I want two thirds of the MAC addresses to be returned to
00:14:13 - be this one, and one third to be returned to this one". And naturally
00:14:18 - do some unequal load balancing between your gateways and that
00:14:21 - goes back to my scenario with the two T1 lines on the one router.
00:14:24 - And the one T1 line on the other. Now I am sure if you think
00:14:28 - through it you are going to go, "Well, is that really exact load
00:14:33 - balancing"? No, no it's not at all. Because for instance, you
00:14:37 - know, maybe the one-third
00:14:40 - group or the single T1 line returned to its MAC address to some
00:14:45 - host that's just going to hammer it. I mean they are going to
00:14:47 - do a 5 GB file transfer over that T1 line, meanwhile this
00:14:52 - one just sent two responses to two MAC addresses that were going
00:14:56 - to look at USA Today.com and just view the website. I mean there
00:15:01 - is obviously going to be a skew in the traffic requests in that
00:15:04 - case, but it is a type of load balancing. You are going to get
00:15:09 - utilization on all of those T1 interfaces versus if we had VRRP
00:15:15 - or, or HSRP. The
00:15:19 - other one would just sit there being idle until, until the primary
00:15:23 - one failed. So I would argue in that sense GLBP is a little bit
00:15:27 - better. Now the other routers in this scenario, just to define
00:15:32 - the rest of the terms, are considered Active Virtual Forwarders
00:15:36 - or AVFs. So you have one
00:15:39 - AVG for the network and all the rest will be considered AVFs.
00:15:42 - I love these acronyms. It reminds me of like, uh, some kind of
00:15:46 - big gun. Would you take a look at this AVG that I got here? That's
00:15:51 - pretty cool Bob. I mean, I don't know why. Those, those acronyms
00:15:54 - just kind of hit me, as like, just a cool man acronym.
00:16:00 - Anyway, AVGs are backed up. That's your AVG there. It is backed
00:16:05 - up so you have backup routers in the picture that will take over
00:16:09 - that role if the AVG does die. Again it's a priority based system
00:16:14 - so if an AVG goes down the next one in line will take over the
00:16:18 - function and start dishing out the virtual MAC addresses as needed.
00:16:23 - Oh, I am sorry for getting so excited about this stuff. It's
00:16:26 - just, it's really neat. I mean, when you think about the concepts
00:16:29 - about how they are working it is just like brilliant. Who would
00:16:31 - have thought of that? So anyway, to set up GLBP, I am going to
00:16:35 - use my 2800 series router again because the 3550 switches don't
00:16:39 - support it. They are HSRP only. So let me jump into the 2,800,
00:16:44 - 2801 router I have got running right here. And I am going to
00:16:48 - go under the interface fastethernet0/0.
00:16:51 - Now I have turned off VRRP since we don't need it anymore. GLBP
00:16:55 - as you might imagine is enabled. Just like VRRP, GLBP followed
00:17:00 - by a group number. You can see we can have a large number of
00:17:04 - groups. I can't imagine using that many. We will just use group
00:17:08 - number one for this example. Similar commands to VRRP and HSRP.
00:17:12 - I just type in, for instance, I start off with the IP address,
00:17:16 - uh, and we will say 172.30.4.70
00:17:23 - on this router. I am on a different subnet over here. So this
00:17:26 - is going to be the virtual IP that all the hosts share and respond
00:17:30 - for. Now a couple of different paradigm shifts I am going to
00:17:33 - need you to make. We're used to typing in priority to say this
00:17:37 - is the active router. This is the backup router or master and
00:17:42 - backup, or active and standby I should say. So in this sense
00:17:46 - there is no active router or standby router because all of them
00:17:51 - are participating. They are load balancing. So the priority as
00:17:55 - it relates to GLBP elects who will be
00:18:00 - the AVG. I got your AVG right there, AVG 300. Now the higher
00:18:05 - priority, the better you are, so let's say we put 150. Everybody
00:18:09 - else is the default of 100 so they will become the active virtual
00:18:13 - forwarders whereas this one will become the active virtual gateway
00:18:17 - that dishes out the MAC addresses to everybody else. If this
00:18:20 - router goes down the next highest priority will take over. If
00:18:24 - there is a time priority the next highest IP address ends up
00:18:27 - winning that time. A similar thing for the timers; GLBP 1 timers,
00:18:33 - then we have our hello timers and, um, uh, down timers that we
00:18:38 - can set with GLBP. You see one more option on there. The redirect
00:18:42 - which is a timeout value for failed forwarders. Meaning if we,
00:18:46 - uh, have MAC addresses for forwarders, active virtual forwarders
00:18:51 - that are no longer online this is how long it will take us to
00:18:54 - time them out and stop giving out their MAC addresses. And, and
00:19:01 - essentially cause them to not be used by the host anymore to
00:19:05 - time out of their ARP cache and so on. So, hello interval, dead
00:19:08 - interval, milliseconds, seconds. Same thing as before. Um, one
00:19:13 - other option that we have of course is IPv6. This is kind of
00:19:15 - cool. Since this protocol was released in 2005 IPv6 was becoming
00:19:21 - more and more viable by then so now it is an option. You can
00:19:24 - use it for IPv6, but look at this; load balancing.
00:19:29 - By default GLBP uses the Round Robin load balancing algorithm.
00:19:35 - So we will give the first MAC address to the first host, second
00:19:38 - MAC address to the second host and so on through that list. I
00:19:41 - mentioned these before, but just to highlight them: host dependent
00:19:45 - means that the same MAC address will always go to the same virtual
00:19:48 - forwarder. For instance if a host with MAC address of all zeros
00:19:54 - 11AA comes in he is guaranteed to always get the same virtual
00:19:58 - forwarder to access the internet. Versus Round Robin if we use
00:20:03 - this one and that MAC address came in maybe the first time he
00:20:05 - will get one router and then the second time after his ARP cache
00:20:10 - has timed out he is going to get the second router, or the third
00:20:12 - router. You know, going down the line because it's Round Robin.
00:20:16 - Weighted is where you can proportion what balance of MAC addresses
00:20:21 - will be sent for certain forwarders in the network. Now if you
00:20:24 - use weighted, that's, that's where I am going to draw the line
00:20:27 - here because you will have to set up your weighting algorithm.
00:20:31 - Actually all of these options I am talking about right now are
00:20:35 - not even part of the official,
00:20:39 - uh, BCMSN
00:20:42 - test objectives if you will. You just need to know what GLBP
00:20:45 - is and how to turn it on to do its default load balancing with
00:20:49 - Round Robin. But all of these other options I wanted to show
00:20:53 - you. But when you get into the weighting that's where it gets
00:20:55 - a little bit sticky because you need to go through and set up
00:20:59 - weighting maximum values, certain tracking for the interfaces
00:21:03 - and if, if this interface fails how much less weight are you
00:21:06 - going to end up taking or if another router fails how much weight
00:21:10 - are you going to take. You have an upper and a lower balance
00:21:14 - on your weight. So there is a lot of criteria that you go into
00:21:17 - and set up for this weighting. So I will just leave that for
00:21:20 - your own self study on that. Most likely you are going to be
00:21:23 - using the Round Robin or host dependent options anyway. So once
00:21:29 - GLP, GLBP has been set up you just exit out to global config
00:21:34 - mode and type in show GLBP. Very similar to what it was with
00:21:39 - VRRP and HSRP. You can see the default timers. I haven't changed
00:21:43 - them. Since Cisco created this it is the same as HSRP. You can
00:21:47 - tune those down if you feel comfortable. You can see, you know,
00:21:51 - all of the redirect timers. What group members there are and
00:21:54 - if you have more than one group member you are going to see the
00:21:57 - other virtual MAC addresses that it's created for them. Um, information
00:22:02 - about me, forwarder one state is active. I am the one forwarding
00:22:06 - that, so as more routers join this group the output will just
00:22:10 - grow to reflect more group members. And depending on what load
00:22:15 - balancing I am using it's going to load balance between those
00:22:18 - group members differently. I hope that paints a good picture
00:22:22 - for you of how to set up redundancy in the campus. Either on
00:22:25 - your layer three switches or as you just saw me doing, on Cisco
00:22:29 - routers. So to hit the high points and I guess wrap up both parts
00:22:34 - of the series. We talked about how good redundancy is that it's
00:22:37 - of course great to have that. But what protocol should you use,
00:22:43 - HSRP, VRRP, GLBP? Um, well as you can see, number one look at
00:22:47 - what your equipment supports. Just about all Cisco devices support
00:22:51 - HSRP. Uh, the upper end ones or the brand new equipment will
00:22:54 - support the newer protocols such as VRRP and GLBP. Uh,
00:22:59 - choosing a protocol isn't as important when you are looking between
00:23:03 - HSRP and VRRP as choosing what devices you have, because both
00:23:09 - of those protocols can do the same things, it's just one's Cisco
00:23:13 - proprietary. When it comes to GLBP, that's the unique one of
00:23:16 - the bunch where you have the load balancing capability that you
00:23:19 - can set up between your devices, again we are in a Cisco proprietary
00:23:23 - world when you move that direction because it was just released
00:23:26 - a few years back. So we looked at the config of all of those
00:23:31 - and uh, set them up. I hope this has been informative for you
00:23:35 - and I would like to thank you for viewing.
00:00:00 - We are continuing on to make our campus network redundant by
00:00:04 - using VRRP and GLBP. We are going to pick up here were we left
00:00:10 - off in the previous video. Wrapping up HSRP and moving into VRRP,
00:00:15 - essentially the same thing as HSRP, with a couple different commands.
00:00:19 - And then we will look at what's different in GLBP. This is the
00:00:23 - newest protocol on the block that allows the load balancing.
00:00:26 - Of course, as always, we will be doing the configuration and
00:00:29 - verification of all of these protocols.
00:00:33 - VRRP, or the virtual router redundancy protocol, is a good place
00:00:38 - to start because as I mentioned this one is nearly identical
00:00:42 - to HSRP with different terms, that's my side title, terminology
00:00:47 - shift and just a couple slightly different features. So first
00:00:52 - off active standby. Meaning in HSRP we have an active router
00:00:56 - and standby routers. The new terms are master and backup. If
00:01:00 - you remember we had VLAN-70 or interface VLAN-70 configured.
00:01:04 - This one was .2 over here. This one was VLAN-70 and this was
00:01:10 - .3. And this was in the previous HSRP video I am getting all
00:01:13 - this from. This I made the .2
00:01:16 - the active HSRP router and this one the standby. Now I just call
00:01:20 - it the master and the backup. The standby group, that's how we
00:01:25 - configured it in HSRP, now becomes the VRRP group, so slight
00:01:29 - terminology shift there. This one, the third one, is a feature.
00:01:33 - The master router can share the virtual IP address. So in HSRP
00:01:39 - we had .2 and .3 and they both responded for .1, this one being
00:01:45 - the active and this one being the standby. But in VRRP you can
00:01:49 - actually set it up to where the master, or the active router,
00:01:52 - the number one router on the block, uses .1 as its actual IP
00:01:59 - address. The other's will have their IP addresses and take over
00:02:03 - for the .1 IP address if this one should go offline. Of course
00:02:07 - it is going to have that virtual MAC address in the same way.
00:02:10 - So they all take over for the MAC address not to cause any ARP
00:02:13 - cache timer issues as well. So I don't know if I like that or
00:02:18 - not, but it's a cool feature. I guess you don't have to use it,
00:02:21 - but it's there for you to actual assign the virtual IP as the
00:02:26 - real IP address for one of the routers; the one that is the master,
00:02:30 - or the top dog on the stack. Last one is that VRRP came out five
00:02:36 - years later than HSRP. So it has better timers by default. A
00:02:42 - one second hello time and then three times a hello is the downtime,
00:02:46 - plus what's know as the skew. So, if you remember in
00:02:52 - HSRP I was saying by default it was once every three seconds.
00:02:56 - Then I said, "Well you can tune it down to a 1 second hello"
00:02:58 - and I recommended a 4 second down time or hold down timer because
00:03:05 - that will allow you to miss three full hello's before taking
00:03:09 - over and considering them down; because if we said 3 second was
00:03:12 - the down timer than we would only be able to miss two hellos.
00:03:16 - So VRRP made it a little better by adding this think known as
00:03:20 - the skew timer. This is weird; the formula for it. But what it
00:03:25 - is you have the dead timer, or hold down time, being three times
00:03:31 - the hello. So that's 3 seconds for the dead timer, plus the skew
00:03:36 - which is 256
00:03:39 - minus the priority of the router. So we will say default priority
00:03:43 - of 100 so that's 156
00:03:46 - divided by 256.
00:03:51 - And by the way all of these are in milliseconds.
00:03:54 - So, that would be 156 milliseconds divided by 256 equals some
00:04:00 - random number that it adds on to the timer. It would be some
00:04:04 - partial millisecond value of, you know I will just throw one
00:04:07 - out there, .015
00:04:10 - or something like that. So it actually waits slightly longer
00:04:14 - than 3 seconds before considering somebody down, allowing that
00:04:17 - third hello the time to get in and make its way in there and
00:04:21 - be processed before it takes over as the master router.
00:04:27 - To demonstrate VRRP I am going to be using my 2800 series router
00:04:31 - because Cisco decided not to implement VRRP or GLBP for that
00:04:37 - matter on the 3550 series switches; again, one of those good
00:04:40 - reasons to know about HSRP, because it is supported on about
00:04:44 - all Cisco platforms. So three steps and they are nearly identical
00:04:50 - to HSRP. We configure a VRRP group just like a standby group.
00:04:55 - Optimize the settings that deal with the timers and so on. It's
00:04:58 - a little easier than VRRP and I will show you that. And then
00:05:01 - we can verify those settings. So let me bring up my router. I
00:05:03 - am just going to go under, and remember on a router it is the
00:05:07 - same exact thing as a switch. It's just we are using a real interface
00:05:11 - instead of a virtual one. So I am going to go under my fastethernet0/0
00:05:15 - and let me just do a VRRP. And we type in our group number just
00:05:20 - like HSRP. So I will say VRRP 20, group number 20. And then underneath
00:05:27 - there, just about the same settings you can see event tracking.
00:05:30 - That's for our interface tracking. Shutdown to turn it off, IP
00:05:34 - preempt priority, same commands. So I am just going to type in
00:05:38 - IP address and let's do 172.30.4.90
00:05:45 - enter. And that creates the VRRP group. From there we can set
00:05:51 - our preempt, you know VRRP 20 preempt
00:05:56 - options. We can set our priorities exactly the same as HSRP.
00:05:59 - I don't want to repeat too much of the information so let me
00:06:01 - show you what's different; the timers in VRRP. If I type in VRRP
00:06:08 - 20 timers you are going to see that we have two settings, advertise
00:06:13 - and learn. Now we just saw in the previous slides that VVRP's
00:06:19 - hello timer by default is once every second and the dead timer
00:06:23 - is once ever, well I should day, once every three times the hello
00:06:28 - timer right. The reason it is that is because you can't actually
00:06:32 - set the down timer. Meaning when we were playing with HSRP we
00:06:37 - had the option to go in and say I will set the hello timer and
00:06:41 - I will set my hold down timer or dead timer. And VRRP you don't
00:06:46 - have that option. We just set the hello timer and it figures
00:06:50 - out the dead timer based on what we said. Furthermore we have
00:06:54 - two options: advertise and learn. The good news is we only have
00:06:58 - to set the timers
00:07:01 - on the master device, meaning the one that is the primary for
00:07:06 - the group. All the others by default are set to learn so they
00:07:10 - will learn their hello timer and figure out their dead timer
00:07:13 - based on what the master is using. That is a bonus compared to
00:07:18 - HSRP because in HSRP you have to go and make sure the timers
00:07:21 - are the same on all the routers. So let me just show you. If
00:07:25 - this is the master router I just say, "Advertise". We have our
00:07:28 - option of using seconds or we can drop down to the milliseconds.
00:07:31 - So I will say "Advertise in milliseconds". And then I can type
00:07:34 - in how, what my low level milliseconds are. Oh, take a look
00:07:38 - at that; can't go as low as HSRP, that's 15 milliseconds. So
00:07:42 - we will say, you know, once every 100 milliseconds it's going
00:07:45 - to send out a hello. And notice no option for a hold down timer.
00:07:49 - We just hit enter and it figures out the hold down timer for
00:07:52 - us. Likewise all the others' default states are on learn as I
00:07:56 - was mentioning. So they are going to learn that hello timer from
00:07:59 - the master. To verify this I can just go back and do a show VRRP
00:08:04 - and that's it. Similar output to HSRP. You can see the state
00:08:08 - is master instead of the active router. Virtual IP address, virtual
00:08:13 - MAC address. Different group of MAC addresses that it is using.
00:08:16 - Advertisement interval is right there. The preemption is turned
00:08:20 - on by default. I didn't uh, did I type that in? Wait a second.
00:08:25 - Yes I did type that in. Because I was thinking, "That's not on
00:08:28 - by default". So it is on by default, priority master router.
00:08:32 - That's me, priority is this and I am advertising once every this
00:08:36 - number of seconds. And the down timer is .909
00:08:41 - seconds. Now I know I was saying it's three times the hello timer
00:08:44 - and it is. This is just the master saying, "If I'm finding that
00:08:48 - some process has crashed on me in less than a second, I am going
00:08:53 - to, uh,
00:08:55 - adjust, adjust my priority and let somebody else take over".
00:08:59 - This is a cool feature
00:09:01 - of VRRP. If, if the
00:09:05 - master notices one of its tracked interfaces goes down. For
00:09:10 - instance, we talked about interface tracking and HSRP when we
00:09:15 - said that it decrements the priority. When we are running in
00:09:19 - VRRP it will actually set its priority to zero. That's one of
00:09:23 - the options we can do which immediately all the other routers
00:09:26 - are going to see the priority completely zero out on the master
00:09:30 - and the next one up in line is going to take over immediately.
00:09:33 - So again, just like we saw when we demonstrated HSRP it was a
00:09:37 - flawless transition between routers.
00:09:40 - That's the scoop with VRRP. And I don't want to go too long on
00:09:44 - that just because it is nearly identical to HSRP in the config.
00:09:48 - GLBP, the Gateway Load Balancing Protocol on the other hand,
00:09:53 - is a little bit different. So it merits some discussion of what
00:09:57 - those differences are. In GLBP we have the ability to load balance
00:10:03 - between our gateways. Instead of having one active and one standby,
00:10:07 - or in the VRRP terms, one master and the others backup. The
00:10:13 - GLBP can have a multi active scenario where both of them are
00:10:16 - responding to requests. Now that can be completely equal load
00:10:21 - balancing like you take 50 and I'll take 50. Or we could end
00:10:24 - up having unequal load balancing. For example maybe, I know this
00:10:29 - is a switch so it's kind of hard to compare on this one. But
00:10:31 - if we were in a routed world, maybe you had one with a T, a dual
00:10:36 - T1 line, how's that, or two T1 lines that are bound together
00:10:39 - through multi-link PPP? A backup router has a single T1 line
00:10:44 - that is just straight to the internet. Well what we can do is
00:10:47 - set up GLBP to where it will naturally load balance essentially
00:10:51 - two-thirds of the traffic to the dual T1 connection and a third
00:10:55 - of the traffic over to the single T1. So you can do some intelligent
00:10:59 - load balancing here. And the way it works is it's awesome, check
00:11:03 - this out. When GLBP is set up you set up a single VIP with multiple
00:11:09 - MAC addresses. Now right there that's a difference from the VRRP
00:11:14 - and HSRP that we saw before. In that world we had a single VIP
00:11:19 - and a single virtual MAC address as well. That everybody kind
00:11:23 - of took the responsibility for as routers dropped off. So if
00:11:27 - the master died the backup would take over the master's IP and
00:11:31 - MAC address, not so here. Look at the picture. We have a single
00:11:35 - virtual IP, 70.1.
00:11:39 - Multiple virtual MAC addresses representing the different routers.
00:11:44 - Now this is the way it works. You will have a single active virtual
00:11:50 - gateway or an AVG that acts as the point man for the network.
00:11:54 - Now let me explain what the point man does. The point man manages
00:11:59 - the MAC address pools. It knows about all the other virtual MAC
00:12:04 - addresses that the, I guess you could call them "backup routers"
00:12:08 - are using. Now they are not really backup routers anymore because
00:12:11 - they are actively forwarding traffic so let me follow through
00:12:14 - with a packet trace here. Let's say this guy's default gateway;
00:12:18 - this server right here is set to 70.1. The first time he accesses
00:12:23 - an internet destination it's going to send out a what? ARP message
00:12:26 - right, who is 172.30.70.1?
00:12:30 - This router gets the ARP message and says, "Oh that's me, let
00:12:34 - me send you my virtual MAC address". Now this is the AVG, the
00:12:39 - active virtual gateway for the network. So it sends back the
00:12:43 - virtual MAC address for itself. Meanwhile this server over here
00:12:47 - says, "I want to access the internet ARP to what 70.1". It goes
00:12:51 - to the active virtual gateway again. So, the follow, I guess
00:12:55 - follow my arrow here. It is coming over here because this is
00:12:58 - the router taking responsibility for that single virtual IP address,
00:13:03 - but when it replies to the ARP message. Are you seeing what direction
00:13:07 - we are going here? It's going to give the virtual MAC address
00:13:11 - of its buddy. It's going to be like, "Hey I am, swoosh" and it
00:13:15 - just shuffles over to the virtual MAC address of one of the load
00:13:17 - balance gateways. It will naturally do that based on the scale
00:13:22 - that you have set up. Meaning you can just use a Round Robin
00:13:25 - system. Maybe, you know, this one goes first. This one goes second.
00:13:30 - You have got a third one that goes third. Then it loops back
00:13:31 - around, first one, second one, third one. Just go in a completely
00:13:34 - Round Robin. We could set it up in a host dependent system to
00:13:39 - where it's based on the MAC addresses of the host trying to make
00:13:43 - sure every MAC address that requests gets a different virtual
00:13:47 - MAC address. For instance, this came from one MAC address and
00:13:50 - it's going to go up to this host. And then maybe the next MAC
00:13:54 - address goes to the next host. So it differentiates based on
00:13:57 - the MAC address that is asking for the virtual MAC of GLBP. Or
00:14:04 - you could do a weighted load balancing algorithm. You could just
00:14:08 - say, "I want two thirds of the MAC addresses to be returned to
00:14:13 - be this one, and one third to be returned to this one". And naturally
00:14:18 - do some unequal load balancing between your gateways and that
00:14:21 - goes back to my scenario with the two T1 lines on the one router.
00:14:24 - And the one T1 line on the other. Now I am sure if you think
00:14:28 - through it you are going to go, "Well, is that really exact load
00:14:33 - balancing"? No, no it's not at all. Because for instance, you
00:14:37 - know, maybe the one-third
00:14:40 - group or the single T1 line returned to its MAC address to some
00:14:45 - host that's just going to hammer it. I mean they are going to
00:14:47 - do a 5 GB file transfer over that T1 line, meanwhile this
00:14:52 - one just sent two responses to two MAC addresses that were going
00:14:56 - to look at USA Today.com and just view the website. I mean there
00:15:01 - is obviously going to be a skew in the traffic requests in that
00:15:04 - case, but it is a type of load balancing. You are going to get
00:15:09 - utilization on all of those T1 interfaces versus if we had VRRP
00:15:15 - or, or HSRP. The
00:15:19 - other one would just sit there being idle until, until the primary
00:15:23 - one failed. So I would argue in that sense GLBP is a little bit
00:15:27 - better. Now the other routers in this scenario, just to define
00:15:32 - the rest of the terms, are considered Active Virtual Forwarders
00:15:36 - or AVF's. So you have one
00:15:39 - AVG for the network and all the rest will be considered AVF's.
00:15:42 - I love these acronyms. It reminds me of like, uh, some kind of
00:15:46 - big gun. Would you take a look at this AVG that I got here? That's
00:15:51 - pretty cool Bob. I mean, I don't know why. Those, those acronyms
00:15:54 - just kind of hit me, as like, just a cool man acronym.
00:16:00 - Anyway, AVG's are backed up. That's your AVG there. It is backed
00:16:05 - up so you have backup routers in the picture that will take over
00:16:09 - that role if the AVG does die. Again it's a priority based system
00:16:14 - so if an AVG goes down the next one in line will take over the
00:16:18 - function and start dishing out the virtual MAC addresses as needed.
00:16:23 - Oh, I am sorry for getting so excited about this stuff. It's
00:16:26 - just, it's really neat. I mean, when you think about the concepts
00:16:29 - about how they are working it is just like brilliant. Who would
00:16:31 - have thought of that? So anyway, to set up GLBP, I am going to
00:16:35 - use my 2800 series router again because the 3550 switches don't
00:16:39 - support it. They are HSRP only. So let me jump into the 2800,
00:16:44 - 2801 router I have got running right here. And I am going to
00:16:48 - go under the interface fastethernet0/0.
00:16:51 - Now I have turned off VRRP since we don't need it anymore. GLBP
00:16:55 - as you might imagine is enabled. Just like VRRP, GLBP followed
00:17:00 - by a group number. You can see we can have a large number of
00:17:04 - groups. I can't imagine using that many. We will just use group
00:17:08 - number one for this example. Similar commands to VRRP and HSRP.
00:17:12 - I just type in, for instance, I start off with the IP address,
00:17:16 - uh, and we will say 172.30.4.70
00:17:23 - on this router. I am on a different subnet over here. So this
00:17:26 - is going to be the virtual IP that all the hosts share and respond
00:17:30 - for. Now a couple of different paradigm shifts I am going to
00:17:33 - need you to make. We're used to typing in priority to say this
00:17:37 - is the active router. This is the backup router or master and
00:17:42 - backup, or active and standby I should say. So in this sense
00:17:46 - there is no active router or standby router because all of them
00:17:51 - are participating. They are load balancing. So the priority as
00:17:55 - it relates to GLBP elects who will be
00:18:00 - the AVG. I got your AVG right there, AVG 300. Now the higher
00:18:05 - priority, the better you are, so let's say we put 150. Everybody
00:18:09 - else is the default of 100 so they will become the active virtual
00:18:13 - forwarders whereas this one will become the active virtual gateway
00:18:17 - that dishes out the MAC addresses to everybody else. If this
00:18:20 - router goes down the next highest priority will take over. If
00:18:24 - there is a time priority the next highest IP address ends up
00:18:27 - winning that time. A similar thing for the timers; GLBP 1 timers,
00:18:33 - then we have our hello timers and, um, uh, down timers that we
00:18:38 - can set with GLBP. You see one more option on there. The redirect
00:18:42 - which is a timeout value for failed forwarders. Meaning if we,
00:18:46 - uh, have MAC addresses for forwarders, active virtual forwarders
00:18:51 - that are no longer online this is how long it will take us to
00:18:54 - time them out and stop giving out their MAC addresses. And, and
00:19:01 - essentially cause them to not be used by the host anymore to
00:19:05 - time out of their ARP cache and so on. So, hello interval, dead
00:19:08 - interval, milliseconds, seconds. Same thing as before. Um, one
00:19:13 - other option that we have of course is IPv6. This is kind of
00:19:15 - cool. Since this protocol was released in 2005 IPv6 was becoming
00:19:21 - more and more viable by then so now it is an option. You can
00:19:24 - use it for IPv6, but look at this; load balancing.
00:19:29 - By default GLBP uses the Round Robin load balancing algorithm.
00:19:35 - So we will give the first MAC address to the first host, second
00:19:38 - MAC address to the second host and so on through that list. I
00:19:41 - mentioned these before, but just to highlight them: host dependent
00:19:45 - means that the same MAC address will always go to the same virtual
00:19:48 - forwarder. For instance if a host with MAC address of all zeros
00:19:54 - 11AA comes in he is guaranteed to always get the same virtual
00:19:58 - forwarder to access the internet. Versus Round Robin if we use
00:20:03 - this one and that MAC address came in maybe the first time he
00:20:05 - will get one router and then the second time after his ARP cache
00:20:10 - has timed out he is going to get the second router, or the third
00:20:12 - router. You know, going down the line because it's Round Robin.
00:20:16 - Weighted is where you can proportion what balance of MAC addresses
00:20:21 - will be sent for certain forwarders in the network. Now if you
00:20:24 - use weighted, that's, that's where I am going to draw the line
00:20:27 - here because you will have to set up your weighting algorithm.
00:20:31 - Actually all of these options I am talking about right now are
00:20:35 - not even part of the official,
00:20:39 - uh, BCMSN
00:20:42 - test objectives if you will. You just need to know what GLBP
00:20:45 - is and how to turn it on to do its default load balancing with
00:20:49 - Round Robin. But all of these other options I wanted to show
00:20:53 - you. But when you get into the weighting that's where it gets
00:20:55 - a little bit sticky because you need to go through and set up
00:20:59 - weighting maximum values, certain tracking for the interfaces
00:21:03 - and if, if this interface fails how much less weight are you
00:21:06 - going to end up taking or if another router fails how much weight
00:21:10 - are you going to take. You have an upper and a lower balance
00:21:14 - on your weight. So there is a lot of criteria that you go into
00:21:17 - and set up for this weighting. So I will just leave that for
00:21:20 - your own self study on that. Most likely you are going to be
00:21:23 - using the Round Robin or host dependent options anyway. So once
00:21:29 - GLP, GLBP has been set up you just exit out to global config
00:21:34 - mode and type in show GLBP. Very similar to what it was with
00:21:39 - VRRP and HSRP. You can see the default timers. I haven't changed
00:21:43 - them. Since Cisco created this it is the same as HSRP. You can
00:21:47 - tune those down if you feel comfortable. You can see, you know,
00:21:51 - all of the redirect timers. What group members there are and
00:21:54 - if you have more than one group member you are going to see the
00:21:57 - other virtual MAC addresses that it's created for them. Um, information
00:22:02 - about me, forwarder one state is active. I am the one forwarding
00:22:06 - that, so as more routers join this group the output will just
00:22:10 - grow to reflect more group members. And depending on what load
00:22:15 - balancing I am using it's going to load balance between those
00:22:18 - group members differently. I hope that paints a good picture
00:22:22 - for you of how to set up redundancy in the campus. Either on
00:22:25 - your layer three switches or as you just saw me doing, on Cisco
00:22:29 - routers. So to hit the high points and I guess wrap up both parts
00:22:34 - of the series. We talked about how good redundancy is that it's
00:22:37 - of course great to have that. But what protocol should you use,
00:22:43 - HSRP, VRRP, GLBP? Um, well as you can see, number one look at
00:22:47 - what your equipment supports. Just about all Cisco devices support
00:22:51 - HSRP. Uh, the upper end ones or the brand new equipment will
00:22:54 - support the newer protocol such as VRRP and GLBP. Uh,
00:22:59 - choosing a protocol isn't as important when you are looking between
00:23:03 - HSRP and VRRP as choosing what devices you have, because both
00:23:09 - of those protocols can do the same things, it's just one's Cisco
00:23:13 - proprietary. When it comes to GLBP, that's the unique one of
00:23:16 - the bunch where you have the load balancing capability that you
00:23:19 - can set up between your devices, again we are in a Cisco proprietary
00:23:23 - world when you move that direction because it was just released
00:23:26 - a few years back. So we looked at the config of all of those
00:23:31 - and uh, set them up. I hope this has been informative for you
00:23:35 - and I would like to thank you for viewing.


Jeremy Cioara

CBT Nuggets Trainer

Certifications:
Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.




  © 2014 CBT Nuggets. All rights reserved.