Employers know that CCNP-certified job applicants have a real-world knowledge of networking.  They also know that Cisco awards big discounts to companies that hire Cisco-certified staff. 

After watching Jeremy Cioara's new CCNP 642-813 SWITCH training, you'll be a master-level consultant on Cisco switched networks. You'll also have brighter career prospects and be an important step closer to CCNP certification.

Jeremy covers everything you ever wanted to know about switching in this update to his existing BCMSN course.  In no time, you'll be designing your network for maximum uptime and preparing it for advanced services like WiFi, VoIP and Video over IP. 

Jeremy's training maps to Cisco CCNP certification exam 642-813.

1. Welcome to Cisco Switch: Watch Me First! (17 min)
2. The Switches Domain: Core Concepts and Design (42 min)
3. VLANs: Configuration and Verification (13 min)
4. VLANs: In-Depth Trunking (35 min)
5. VLANs: VLAN Trunking Protocol (33 min)
6. STP: Foundation Per-VLAN Spanning Tree Concepts, Part 1 (23 min)
7. STP: Foundation Per-VLAN Spanning Tree Concepts, Part 2 (34 min)
8. STP: Rapid Spanning Tree Concepts and Configuration (24 min)
9. EtherChannel: Aggregating Redundant Links (24 min)
10. L3 Switching: InterVLAN Routing Extraordinaire (28 min)
11. L3 Switching: Understanding CEF Optimization (16 min)
12. Redundancy in the Campus: HSRP, VRRP, and GLBP Part 1 (43 min)
13. Redundancy in the Campus: HSRP, VRRP, and GLBP Part 2 (23 min)
14. Campus Security: Basic Port Security and 802.1x (32 min)
15. Campus Security: VLAN and Spoofing Attacks (31 min)
16. Campus Security: STP Attacks and Other Security Considerations (15 min)
17. Campus VoIP: Overview, Considerations, and AutoQoS (44 min)
18. Wireless LAN: Foundation Concepts and Design Part 1 (26 min)
19. Wireless LAN: Foundation Concepts and Design Part 2 (22 min)
20. Wireless LAN: Frequencies and 802.11 Standards (34 min)
21. Wireless LAN: Understanding the Hardware (30 min)
22. The Switches Domain: Additional Life-Saving Technology (22 min)
23. Monitoring: Your Pulse on the Network (45 min)
24. Campus Security: VACLs (14 min)

Redundancy in the Campus: HSRP, VRRP, and GLBP Part 1

00:00:00

It's time to make our campus redundant by using HSRP, VRRP and GLBP, hopefully not all at the same time because I can't imagine saying those acronyms. This is one of my favorite sections of the whole series. In my opinion, it's just awesome. To be able to set up your network to where if any single piece of equipment fails, everybody just kind of is like, oop, failure, let's reroute around it or reswitch around it as we look at the switching environment. We're going to look at how we can apply

00:00:33

redundancy to our switches, but the same concept will apply directly to routers, even though this is a series focused on nothing but Cisco switches. So the first thing we're going to talk about is redundancy is good. Right? I mean, it's good to have redundant

00:00:48

connections, just like down here we have these two little critters and they're redundant. It's good to have two critters, until you find out those critters are responsible for dismembering a 50 year old woman in Colorado this last weekend. Actually, that's not true at all, I don't know where that came from. But

00:01:06

in our campus networks for sure redundancy is good. You want redundant devices, redundant routing. We'll then look at the protocols that you see up there. I'm not going to go through all the acronyms again. What's the difference between all of these? The only thing they have in common it seems like is that "P" at the very end. Configuring and tuning HSRP will be our

00:01:24

focus of the final piece of this video and I really want to emphasize that understanding HSRP is kind of the key to understanding the other two, VRRP and GLBP, which we're going to talk about in Part 2, so that's going to be a critical piece of looking at setting up redundant connections in the campus networks. Let's

00:01:43

get going. I doubt that I really even need to make the argument that redundancy is good, rather just present to you that there are redundant forms of networks all around. We can have redundant routers connected to the internet, so if one of those ISPs or maybe one of those routers fails or a link to the router or just about anywhere in the network fails, we have some other backup path out this other router. Now, over here we have redundant core switches

00:02:13

or distribution layer switches. So if maybe we've got our clients down here or our server farm down here that's coming up to the switch, they have multiple paths that they can go through to reach other VLANs and I guess you could combine these models and say reach the internet if we have redundant connections up here to our routers that gets off to our internet. If one of

00:02:34

our core switches fail, we can always route over to the other one. So redundancy is a good thing, but now how do we make this all possible? I mean, how do we set this up in a way that allows this router to fail and automagically this client says, oh well, I'll use this router or this router suddenly takes over for that client and likewise, if this core switch goes down, all of these guys will be using the other core switch. I mean, if you think

00:03:00

about it, it's not like we can run around to the network and change everybody's default Gateway to a new IP address or assign a new DHCP scope, this has to be automatic, so the network should recover when one of these pieces of equipment fail. This opens the door to a whole bunch of questions that you might have with redundancy, as in how fast can this fail over happen? How fast can this router say, I'll take over for you when that one goes down and how does it even know it goes down or what if for instance the LAN interfaces are fine on both of these routers, but the WAN link goes down? How does this one know that that router's WAN link went down and know to take over when it's not directed to the WAN, it is not like it can send hello messages over to that WAN link. So how does it know when it fails? That's

00:03:52

the last question I have in that list. How does the client know? For example, how does the client know that I should stop using that router and start using that router? Or if this is some kind of shared IP address thing, where maybe we just have both of these routers responding to we'll say 192.168.1.1, then there has to be a MAC address that maps to that IP address when this one goes down that MAC address is going to be in everybody's cache. So that immediately tells you that you've got five, 10 minutes of outage right there while everybody figures out that MAC address is no longer available, let's time out the ARP cache and fail over to here. So how do we fix all of that? I mean all

00:04:36

of these are questions that deal with that redundancy and that's what we're going to answer right now. There are three protocols that make redundancy happen: HSRP, VRRP and GLBP. Don't let this slide scare you because it's really just a laundry list dump of all the facts about these protocols. We're going to spend

00:04:56

the rest of this video and the next exploring each of these in depth. Overall, HSRP was the first, Cisco was the first to gain with this with hot standby routing protocol or router protocol. Now this was originally designed for routers because it came out back in 1994 before layer three switching was really mainstream or actually I don't even know if layer three switching was around back then, that was maybe the newest thing on the market, if so. But this

00:05:26

uses something known as a hello timer of every three seconds. So every three seconds the routers or now layer three switches say hello to each other. And if the switch or router doesn't say hello within 10 seconds, the other one's like, well, he's dead and I'll take over for all the clients. And I know we still

00:05:44

have questions on that and that's going to be answered as we dive into these. The virtual router redundancy protocol, or VRRP, came out in 1999, so five years later the other vendors caught up, meaning that this is now an industry standard protocol. And I shouldn't say

00:06:02

the other vendors caught up, I'm sure everybody had their own little proprietary version of this, but this protocol now allows this concept, this redundancy to work if you've got a Cisco router and some other brand router sitting next to each other, they can communicate and be redundant for each other. Now the cool

00:06:20

thing about VRRP is since it came out in 1999, the timers are much faster, meaning the bandwidth that was available in '99 was much more than it was in 1994, so by default the timers can recover and find a failure much faster and you can see hello timer of one second and a hold timer or dead timer of three seconds, plus a little bit more and we'll talk about that when we get there. The last one came out in 2005, GLBP by Cisco for Cisco. It's Cisco proprietary. Does the same

00:06:54

thing as these other two, except allows load balancing. That is pretty cool to where both routers can be forwarding traffic at the same time or both layer three switches can be accepting traffic at the same time and load balancing between each other. Now when you think about them sharing an

00:07:13

IP address this starts blowing your mind even more. I mean it's like the questions abound when you get to GLBP. You got to stay tuned for that one because just the whole concept of how that happens will blow your mind away. It's just awesome. So let's start off with HSRP.

00:07:30

As you just saw, the hot standby routing protocol or HSRP was the first protocol that did this redundancy thing. And since this is a switching course, I'm going to focus now on the switches in layer three switch capabilities, rather than talking about routers. But do keep in mind that these same concepts that we're

00:07:49

talking about now can apply to routers just as well. HSRP allows the Gateways to be organized into standby groups. Now when we're talking layer three switches, we're typically talking VLAN interfaces. For example, let me dive a little bit into the demonstration

00:08:07

I'm going to do for you in just a moment. These routers have VLAN 70. The VLAN 70 interface and that interface is assigned this IP address. That is the real VLAN address, VLAN 70 interface and this IP address. So those are assigned to their interfaces, but HSRP allows me to organize these layer three switches into standby groups. Now they both share the same group number. For

00:08:36

example, I might say this is HSRP group 5 and both of these interfaces are placed into standby group 5. Now when I do that, I will generate a standby or virtual IP address and get this, get this, a virtual MAC address. Brilliant, isn't it? So right down here you see VIP, that's my virtual IP address and a virtual MAC address, that has a specific format and we're going to talk about that in just a second that both switches respond to. But make sure you catch this, that HSRP

00:09:13

is not a load balancing thing like that one protocol GLBP. This is more of an active standby system, so one of these routers, the primary one, will be active in responding to this IP address and this MAC address and if this ever goes offline, the standby or other layer three switches, they're all in standby, there could be more than one standby switch or layer 3 switch, but they're going to take over and start being the active router for that VLAN interface and it will respond to this virtual IP address and virtual MAC address. Now the good news, the reason

00:09:50

I get so psyched about that virtual IP and MAC is because that means nothing has to change on our clients or our servers right here. They have their default Gateway of 172.30.70.1, and they have their MAC address and their ARP cache and that's one of the problems we talked about, it's in the ARP cache of 00000C07AC01, that's my MAC address that I have right here. So if one of these fails as long as this one takes over for it and starts responding for this MAC address and IP address, the servers won't notice any different. The cool new system they can send

00:10:28

a little gratuitous ARP message on here, so these switches will immediately divert traffic to that MAC address from this port out that port. And they can do that very quickly, just by receiving that gratuitous ARP message. Now by default, hello messages are sent once every three seconds and a Gateway is dead after 10 seconds. What that means I've got all this chicken scratch up here, let me just wipe that clean real quick. This

00:11:00

primary Gateway, if this is the one, is saying, hello, hello, hello, every three seconds and this one even though it's the standby is saying hello every three seconds. So if it stops receiving hello messages for 10 seconds and the reason it's 10 instead of nine is because if it was nine, then you'd never really count that third hello. Right? If you missed two hellos, you

00:11:21

would consider them down right as the third hello is getting there. Just multiply three times three and you'll find that out. So they add a bonus second, and the 10 second for some latency reason and that is why this one knows to take over because if it's missed that many hellos, this guy might be down. So what

00:11:41

was I going to say on that? Oh, timers. Those timers aren't very quick, meaning that those timers were designed for networks back in 1994, as I was mentioning. So they are tunable to be equal to VRRP, which is the newer of the two protocols, so it can converge just as fast, but remember HSRP's only weakness at that point is that it is Cisco proprietary.

00:12:07

I say that because a lot of people might just be anxious to move to VRRP, not realizing they're not getting any other benefit other than multi vendor compatibility. And I'm not saying this just because I'm a Cisco guy, but usually when you have Cisco routers and you want them to be redundant, they're going to be Cisco routers. It's very rare that you're going to mix a Cisco

00:12:29

router with an HP router for redundancy purposes or a pick a vendor, I just threw HP out there. So HSRP can do the same thing as VRRP, it just takes a little more tuning. Now there is a specific structure to this virtual MAC address that I want to mention to you. Right here oh, let me just fix that real quick. This

00:12:50

virtual MAC address is generated when I create that standby group, meaning if I chose standby group number five that both these layer three switches respond to, it automatically will generate this well known MAC address. The first section of that MAC address

00:13:06

all zeros and then 0C is Cisco's vendor ID. When you get pools of MAC addresses, you have to go to the great MAC address Gods in the sky and say, please grant me a range and they will say, why yes, you have this range. So Cisco got 000.0C as one of their ranges and that's what they chose for HSRP.

00:13:27

By seeing 07AC as the second group of digits there, you're going to immediately know that this is HSRP. It's good to know because you can be on a network and just do an arp -a command from a Windows command line or I think that works in Linux, and you are going to find out we're using HSRP, without even having to go to the router because you can recognize that MAC address. The last two digits will

00:13:55

be the HSRP standby group number. For instance, if I had chosen 5, it would be 05 for that MAC address. Actually this doesn't match to my scenario, this one would be group number 1 that I would have chosen rather than 5. And that is in hexadecimal. If I choose group number 10 it is going to be 0A. Well let's get this set up and I'd like to start by getting familiar with the topology of this lab environment here. I have two layer

00:14:21

three switches, switch A and switch C, they're 3550 series and they are routing right now for VLAN 70. One of them is assigned 172.30.70.2 and the other is 70.3, switch A and switch C. As of right now I have them connected to 2950 here, actually two of them, but I don't have the second one connected. Switch B is I guess physically

00:14:46

this is what it looks like, but if we wanted true redundancy, we would want two switches here and by the way, I don't have all of the necessary connections just because it got too messy when I had that with all the texts, but to have true redundancy, you want a connection here, you want a connection here and you want a connection here between these switches and why not just go and throw in another one for good measure. But that's what

00:15:07

a truly redundant network looks like, it's just hard to read all the text. But with that in mind, we have just one switch, 2950 here, that is connected to a server. Now as of right now, this isn't set up for redundancy, meaning the server is configured to 172.30.70.3 as its default gateway. Let me get you familiar with the server,

00:15:30

this is it. I'm going to do an IP config here. All of these adapters, but really only one of them are active. You can see 170.30.70.50 and it is hard coded to a default Gateway of 70.3, which is that switch right there. So it's using switch C. Just to prove

00:15:48

that we can get out there, I'm going to do a ping, 172.30.70.3, at the default Gateway. We're getting there and it can ping .2, I thought wait a sec, it should be. Oh, okay there we go, it just took a sec. It should be able to ping 70.2, so they're both right there, both switches are responding, it's just as of right now since the default Gateway is hard coded to .3, if A goes down, there's no redundancy, so we need to set up a standby group. I've got my virtual IP address 172.30.70.1, that I want to use and I want these two switches to share it.

00:16:28

Now I want let's see, what do I want? Hmmm. I would like switch A, to be the primary switch on this and I'd like Switch C to be the standby. So switch A should respond to the Ping messages while it's online, but if it goes offline then I want switch C to take over and carry the burden, so here's how we do it.

00:16:52

I don't need that window right now, I need this one. I'm on switch A. I'm going to go just do a show IP interface brief and you can verify that right there is my VLAN 70 interface, with the .2 address assigned. Now my server is plugged into oh, the 2950 below. These are my trunk links that are connected to the 2950 and the 3550. All right. So I'm going to go into interface VLAN 70. So I'm in the routed interface and make sure you distinguish going into VLAN 70 is much different from going into interface VLAN 70. Just VLAN 70 is the layer 2 VLAN, that's how you segment your ports. Interface VLAN 70 is the routed interface for that VLAN. The command I'm going to type is standby followed by my

00:17:39

group number. By the way, there is no HSRP command, whenever you type standby that tells the switch or router you're after HSRP. Now there's a lot of options, here we're going to go through each one of them, but I'm going to start off with the group number because we have to set up the group. So I'm going to say standby

00:17:59

let's do a group number of 1, just use real nice generic one. Once we type in the group number, it's going to ask us, well, what sort of IP address do you want that as the virtual IP address? Or do you want to have preemption enabled? And we'll talk about all of those. First step, as you can see right here, create the

00:18:18

standby group and reassign the IP address, so that means I need to create group 1 and set up this virtual IP. It's almost like step 1 and step 2 are one and the same except when I was meaning reassign IP address, I meant on the client. So I'm going to type

00:18:33

in standby 1 IP and then what is my virtual IP address? 70.1. By the way, some people call this a phantom IP address. I think it's older terminology. People used to call the virtual IP like a phantom IP because it emulated like there's this phantom router in the middle, but that's it. Believe it or not, that's all I need to do to set

00:19:02

up HSRP, at least on switch A. So that's now running and my standby group is operating. Now I'm going to introduce one more command at this point. I was going to introduce in the next slide, but I think it's so important that I'll say it now. It is the priority.

00:19:20

Standby 1 priority and then a number. Now by default every single router will have a default priority of 100. Now when you think priority you should think higher is better. I mean if you are a higher priority dinner guest you are going to go in first, right? So the higher your priority, the better you are. Since everything is a default of 100, we need to adjust switch A, if we want to make sure that it becomes the HSRP active router at the time. If you don't adjust it, everybody

00:19:54

will be 100 and it just relies on the highest IP address to break the tie, in which switch C would become the active router because it's got the higher IP address. So I'm going to come into here and say, priority and let's just say 150. Now these are arbitrary values. It's not like I can say 150 is always great. It's all relative based on what you've set up on

00:20:15

the rest of your switches. So this point I now have HSRP configured on switch A. Let me configure it on switch C, and then we'll do some verification. Let me go into global config, interface VLAN 70 and I'll do. Let me type in do terminal monitor just so we can see some of the status messages that happen. I'm

00:20:36

going to type in standby group number 1, looks like I've got a more recent IOS version on this, I've got some more commands. Standby group 1 and I'll put the IP address and this is going to be the same as it was on the other. 172.30.70.1. That is the virtual or phantom IP address I want this to respond to. So at this point, this will have the default priority of

00:21:04

100. So I don't need to worry about setting this any higher or lower because 150 is going to be the King of the Hill. Now before we verify this on the switches, I want to verify it from the client itself. Let me bring that prompt back up. Now again I just want to make sure and let me shrink this down a little bit so you can see the IP addresses here. Right about there. All

00:21:30

right. To a clear screen. I'm going to make sure I can still ping 172.30.70.3. Sure enough I can and this is from the client, remember, I'm not on a switch here. I'm going to see if I can ping 172.30.70.2, and I can. That's switch A. Now let's see if we can ping that

00:21:50

new virtual IP address 172.30.70.1. We can. Interesting. Now let's check this out. I'm going to telnet to 172.30.70.3, that's switch C. You can see that. Telnet 172.30.70.2, that is switch A and let's telnet to 172.30.70.1, the virtual IP address. Look at that, I'm on switch A. Is that

00:22:19

the respected or I should see there? Yeah. You bet it is. Because switch A, is the active router at this time for that network. Let's go ahead and do the verification from the switch and I don't need my Tera Term, I am there now. Let me just do a show standby. By the way, this is about the only command

00:22:41

you usually use. Show standby will show right there VLAN 70 group 1, the local state is active, it has a priority of 150. Hello timer is three seconds, as we know, hold down timer is 10 seconds. The next hello will be sent in 2.196 seconds. The virtual IP address is this. Standby router, look at that. It

00:23:04

even tells us who this standby router will be, that's switch C. 172.30.70.3 over there. And it's going to die in eight seconds flat. Meaning that that's the countdown, the 10 second count down, if it doesn't keep getting hellos from the standby, it's going to assume it's dead. Now right there is the MAC address and remember those pieces

00:23:24

let me get right here, 0000C, is Cisco's vendor ID, 07AC means you're running HSRP and 01 is your group number. Isn't that cool? So this point we actually have a redundant setup. Now let's verify this from switch C's perspective. I'm going to telnet over to switch C to show standby over here. Now look at what switch C sees. Huh.

00:23:55

The state is standby. So if you remember, the state on the other oh, it erases the screen, I can't scroll back, was active. It sees the virtual IP address, it sees the active MAC address. It sees who the active router is that would be switch A, 172.30.70.2, priority 150. Expires in nine seconds. So you know standby router is me, local, and my priority is 100, that is what we expected to see because that is the default. Now what I would then do

00:24:27

if I was doing a full blown network config here, I would go to the client and I would set up this client to use a default Gateway of 30.70.1. And I'm done at that point, at least with the primary pieces, because the virtual IP address is set up. So really it's two commands. Standby, group

00:24:51

number and the IP address, followed by standby, group number, priority, to set the priority of who's going to be the active router. Now before we move on to the tuning and optimizing HSRP, let's do a little test. I'm going to do a ping, 172.30.70.1 t. So I'm going to have this ping going and let me tell you my

00:25:12

thought process before I do it. I'm going to kill the connection to the active router, I'm just tracing a cable as I'm talking now to see which one to pull. Okay. Got it. I'm going to kill the connection to the active router from this client, so let's see how long it takes the standby router to fail over. So I'm

00:25:33

going to start the ping. There it goes. I'm pulling the cable now. The cable is down. Holy cow, did you see that? That was amazing. Hang on. Did I pull the right cable? Oh, you know what, I'll bet you I did pull the right cable. I'm going to telnet over to 70.1. No, I pulled the wrong cable. Horrible. Did I really? I must

00:26:00

have. 70.1 what cable did I pull? Oh, I know why. You know why? Because I pulled this cable from switch B, but by the way I really have a connection like this. I pulled this cable right here, this was brilliant. Jeremy, simply brilliant. I pulled this cable

00:26:22

and you can see, let me plug that cable back in. You can see that that's no worries, right? Because switch B is like, that's great, I'm running rapid spanning tree, I'm going to fail over to switch C and just use this redundant connection over to switch A. So it was still using switch A. All right, hang on. I got

00:26:39

to build this up again. We need some dramatic music here, going to exit out, do a clear screen. Drrrr. What am I going to kill? I'm going to kill both I'm going to kill every cable I have connected to switch A, because I don't really have that much going on, on switch A. It's my redundant

00:26:59

router. So here is what I'm going to do. I'm going to start the ping again. Sorry, I got to make sure this works right. I'm going to start the ping again. I'm going to pull all the cables, meaning this one right here. Choo, choo. And this one right here to switch

00:27:17

A. And then I have a connection like that. We'll see how long it takes switch B, to fail over to the it shouldn't be switch B, for HSRP to fail over to BC as the active router. So much explanation. Good grief, let's just pull some cables here. I've got my pings going, I'm pulling them now. Much better. That is

00:27:37

what I expected to see. Okay. So at that point, the active HSRP switch has failed. The standby is missing hellos at this point. Oh, you see it? Right there, the standby took over and kicked on. Now if I telnet over to 172.30.70.1, I should arrive at which switch? C, right? And sure enough, I do. I do a show standby and you can see right here, it is now

00:28:05

switch C, is now the active one. It flipped over to become the active. It's now acting as the virtual IP and virtual MAC address. Standby router's unknown because it has taken over and switch A is currently down. Now that was pretty cool. Right? We've got

00:28:26

HSRP recovering failing over right before our very eyes, but we can make it even better by tuning and optimizing HSRP. And nothing has changed except the slide, I flipped it over. I've still got the same configuration, I just actually I reconnected the cables to switch A. And I want to show you something. I'm

00:28:44

telnetted into switch C right now. I'll do a show standby and I want to show you that as of right now, switch C is still the active router. Because you know even though I've reconnected switch A, it by the way it sees itself as the active router, but it sees switch A, as the standby router. Now here is the

00:29:05

irony of the whole thing, it says: Yeah, yeah, my priority is 100, and my standby router's priority is 150. The reason for that is because HSRP is kind of a one fail over deal, meaning once switch A over here, I think I remove my switch numbers. Once switch A failed and it went over to switch C, as

00:29:28

the active router, switch C remains the active router until switch C fails and then it will fail over again to switch A. That is unless you configure preemption. Now priority, we've already talked about, we did that a little bit early. Preemption is configured

00:29:43

that says, if you are a higher priority, then kind of kick the other guy back down. When you come back online, say that's me. Now the thing you've got to be careful of with preemption is if you have a router that's kind of flapping, meaning maybe it's got some IOS glitch or some hardware failure, and it's constantly rebooting, maybe once every couple minutes, well, it's going to constantly kick the other one back down, cause a temporarily a few seconds outage and then fail again and another 10 seconds outage while HSRP fails over again to the other one and all the magic happens. So be careful with preemption. Sometimes it's

00:30:21

good for it to stay with the backup until you can come over and find out why it failed. But if you want to set up preemption, here is how you do it. Now I'm on switch C right now, so let me open another command prompt and telnet over to switch A. Oops. 70.2. All right. I'm on switch A. I'm keeping both windows here for

00:30:46

a reason. We go into global config, interface VLAN 170. It's one command, standby group 1 and then you can see it right there, preempt. I love the description, overthrow domination. Preempt. Enter. And at that point, this now says I will overthrow the router with the lower priority and I'll just hit the Up arrow.

00:31:10

You see what happened? It says connection to host lost because I was telnetted to the HSRP router and of course as soon as I typed in preempt, switch C is no longer the HSRP virtual IP address and switch A took over. So I guess if I just telnet to that,

00:31:27

that will verify it, I'm on switch A, now because it is the active router. So that is the idea of preempt. Now interface tracking is pretty powerful. What this one does, is answer the question that we had of remember I had the two routers in a picture and I had them going to the switches? And I said, well, what if what if, you know, these guys are sending hellos back and forth, but then the serial link goes down, but since the hellos are still going back and forth, nothing is going to change. This one is

00:32:00

still going to think, yeah, that guy is just an okay because you know he is still sending hellos. It is kind of like a happy face with glasses right there. The hellos are still coming. Well, that's where interface tracking can come into play. Interface tracking says if this interface goes down, I will decrement my priority, subtract a certain number off my priority that is specified by you, the administrator. So if fails

00:32:30

maybe I'll take off 51 for my priority, kind of our example right here. So my priority will drop to 99. Now this feature has to be configured with preemption, of course, right? Because if the priority drops to 99, but this is the active router, well, preemption is not set up, this won't say, well, I'm going to overthrow you because my priority is 100. So those two features tie hand in hand. Here is how you set up tracking.

00:32:59

Just clear off my gibberish here. I'm going to bring up actually let me resize my window for a second. There we go. Okay. Here is what I'm going to do. I'm going to take this switch ooh, I got a good idea here. I'm going to take this switch right here, which is currently the active. It's got the priority,

00:33:23

I'll put priority 150 on this switch. And I'm going to set up interface tracking because remember our topology looks like that, that if this one fails, we won't have the problem that we had when I first tried to demonstrate HSRP. Remember where it stayed

00:33:38

the active router, it's just this guy went that way to get to it? That's why we didn't have any interruption on our ping. So here's what I'm going to do. I'm going to set up tracking to where if this interface fails, then I'm going to decrement my priority by let's do 60. I'll say subtract 60 from your priority so you will end up becoming hang on, this is switch A, this is switch C. You will end up

00:34:05

becoming the standby router as long as switch C is considered for preemption. Actually, let's do that first. Going to telnet over to switch C. 230.70.3. And go into interface VLAN 70 and do standby group 1 preempt. So it's set up for preemption, verify to show standby.

00:34:29

And correct, preemption is enabled, you can see it right there. It is still the standby router, priority is 100 and the primary priority is still 150. So let's exit out here and I'm going to on switch A, let me clear my screen. I'm going to go into global config mode and I'm going to go under interface VLAN 70. I set it up from the same place. I'm going to say for the standby group 1, I want to set up tracking where if my fast ethernet. Let's see which one is that? This

00:35:05

link here is 0 0/23, where if FA0/23 goes down, we don't have to type in goes down, it just we identify it. Track this interface. And if that one goes down, I'm going to decrement my priority by 60, thus making me a priority of 90 and the other switch to take over. So oh, let's see, how do I want to demonstrate

00:35:32

this. This will this could be cool. Mmm. Let's do the ping again. Um, I'm going to stay telnetted over to let me exit out here. Oh that was great. Let me I'm going to telnet over to switch C. Here is what happens. I get so excited to show this stuff and I'm going to do a terminal monitor. All my windows

00:35:59

start closing on me. All right, so I'm going to do terminal monitor on switch C. I'm going to bring up my terminal prompt and I'm just going to do a ping, 172.30.70.1. Are you following what I'm doing here? I know I'm just flying all over the place, as of right now I'm going to ping this and I'm going to down the tracked interface, 0/23. Right now. How is it? Do you see that? Did you see that? Right there. No pings at all

00:36:33

failed. Right there. It immediately went standby to active. Now I'm sitting on switch C. I'm going to type in show standby, and it's active. Now you might be thinking well, why did that happen? I expected did you expect some timeouts there with that ping? I mean, nothing happened at all. It was immediate. Well, remember

00:36:54

how this happened. The first time we caused the failure, I literally severed all ties to switch A. It's down. And that's where we saw the 10 second timer kick in before switch C became the active router. Well in this case, I just killed this link to switch

00:37:10

A, and as soon as that link went down, I mean instantaneously, like the millisecond it happened, switch A said, I am no longer the active router because I subtracted 60. Switch C, which is configured for preemption said I'm a priority of 100 and you're 90, so immediately I'm booting you down. Now the time is taking me to explain this is far less time than it actually took to happen. I mean, we're talking milliseconds here, right? So switch

00:37:38

C took over as the active router. Switch A, demoted itself until that interface goes back online and we did not miss a single ping at all because of that instantaneous transition. We didn't have to wait for those hello timers to time out. Speaking of timers, that's the last thing we need to talk about. How we can

00:37:58

tune HSRP to be fast, even when a fail over occurs, meaning a complete fail over like we talked about before. Well, watch this. There's a couple timers that you can tune and you can make HSRP scream. I'm going to go into switch C, that's the switch I'm on right now. Get into interface VLAN 70 and actually before I talk about making HSRP extremely fast, let me talk about an important timer, deals with preemption. I'm going to type in

00:38:26

standby 1 preempt, and that is what we talked about before, to turn on preemption, this will become King of the Hill once it reboots and it finds it's a higher priority. But there's some timers that you can adjust on preemption, you can see you have a delay before preempting. Now notice there's a few of them that

00:38:46

says minimum reload or sync that says, wait wait at least this long before you preempt across the board. Wait after you reload or wait for the clients to sync up with you, you know, this long wait until clients are accessing you for this long before you preempt and become HSRP. The activate

00:39:07

HSRP router. The two most often used ones are these two and I would highly recommend using the reload. Because if your switch is rebooting, you usually don't want it as soon as it comes back online to be active right away or that goes for routers, too. And the reason why is because when the router boots, it's kind of, you know, learning routing tables. It's learning

00:39:32

routing tables, it's doing CDP, it's finishing the process that occurred to boot. When it booted, so the processor time is more utilized. Think of it when you boot a Windows PC, and you log in, right? You kind of just sit there for a couple minutes, at least I do on my slow computer, because it's loading all these other processes and I know if I do anything, it's just going to kind of hang there and be really slow acting. So it's the

00:39:57

same way with a router. So you might say, delay after reload, you know, maybe 180 seconds. So it's going to wait. If this is the primary router, it will wait three minutes before it says, okay, I'm up and I've been stable long enough for me to become active, now I will preempt and become King of the Hill. Now I'll

00:40:19

talk about how to make HSRP scream. I can type, not literally, I can type in standby 1 timers and then how I want to tune down my timers. Now we know that the default timers in HSRP is hello once every 3 seconds, dead after 10. I can tune that down, I'll say first off to equal VRRP, the latest and greatest ones. I just type in timers one to say hello once

00:40:48

every second, and then three to say, you're dead if you don't respond after three seconds, and you're good to go and actually do four, so you get three missed hellos before that happens. Now that kind of makes it compete with VRRP, but why compete when you can do better? Did you notice this one right here? Oh, yeah. Timers in milliseconds and I can have it say, hello. Now

00:41:15

I wouldn't recommend 15 there, that's a little crazy. But I can say, you know, maybe send a hello message once every 150 milliseconds and consider somebody dead in we have to type in the milliseconds both times, consider somebody dead after we'll say 700 milliseconds. At that point, your layer three devices, routers or switches, will converge in less than a second when a major failure has occurred. Now that's good news

00:41:49

because less than a second convergence means most likely nobody notices because it transitions that process as fast as you can snap your finger. Now there are other criteria that have to go in with that nobody notices like stateful NAT and so on. But

00:42:07

that is a way that you can allow HSRP to start moving very fast. Now the only drawback to doing that is do realize that now your switch is generating what would that be? Like seven, eight packets a second of hellos for HSRP. So not only does your network bandwidth

00:42:26

go up and I would say that's the least of the concerns since usually you've got gig uplinks between the switches, what I would say to watch out for is your processor cycles because now both switches are having to generate and receive potentially eight or nine hello messages every single second for HSRP and there's always an interrupt associated with that to the processor.

00:42:50

On our newer switches, though, I wouldn't consider that much of a problem because their processors are usually pretty heavy, especially with those Sup modules, Sup 720 or whatever else we've got in our 6500 series switches nowadays. So let's wrap this up. It's been ooh, I'm out of breath after this one. Good

00:43:09

stuff. HSRP in action. We did see of course redundancy is good, having two puppies is better than one. HSRP, VRRP, GLBP, what's the difference between them all? We had kind of the cram section slide of that, but really focused in this video on HSRP, everything about it. Part 2 of this is going to focus on the other two protocols, VRRP and GLBP. I hope this has been informative for you and I'd

00:43:35

like to thank you for viewing.

It's time to make our campus redundant by using HSRP, VRRP and GLBP, hopefully not all at the same time because I can't imagine saying those acronyms. This is one of my favorite sections of the whole series. In my opinion, it's just awesome.

00:00:19

To be able to set up your network to where if any single piece of equipment fails, everybody just kind of is like, oop, failure, let's reroute around it or reswitch around it as we look at the switching environment. We're going to look at how we can apply

00:00:33

redundancy to our switches, but the same concept will apply directly to routers, even though this is a series focused on nothing but Cisco switches. So the first thing we're going to talk about is redundancy is good. Right? I mean, it's good to have redundant

00:00:48

connections, just like down here we have these two little critters and they're redundant. It's good to have two critters, until you find out those critters are responsible for dismembering a 50 year old woman in Colorado this last weekend. Actually, that's not true at all, I don't know where that came from. But

00:01:06

in our campus networks for sure redundancy is good. You want redundant devices, redundant routing. We'll then look at the protocols that you see up there. I'm not going to go through all the acronyms again. What's the difference between all of these? The only thing they have in common it seems like is that "P" at the very end. Configuring and tuning HSRP will be our

00:01:24

focus of the final piece of this video and I really want to emphasize that understanding HSRP is kind of the key to understanding the other two, VRRP and GLBP, which we're going to talk about in Part 2, so that's going to be a critical piece of looking at setting up redundant connections in the campus networks. Let's

00:01:43

get going. I doubt that I really even need to make the argument that redundancy is good, rather just present to you that there are redundant forms of networks all around. We can have redundant routers connected to the internet, so if one of those ISPs or maybe one of those routers fails or a link to the router or just about anywhere in the network fails, we have some other backup path out this other router. Now, over here we have redundant core switches

00:02:13

or distribution layer switches. So if maybe we've got our clients down here or our server farm down here that's coming up to the switch, they have multiple paths that they can go through to reach other VLANs and I guess you could combine these models and say reach the internet if we have redundant connections up here to our routers that gets off to our internet. If one of

00:02:34

our core switches fail, we can always route over to the other one. So redundancy is a good thing, but now how do we make this all possible? I mean, how do we set this up in a way that allows this router to fail and auto magically this client says, oh well, I'll use this router or this router suddenly takes over for that client and likewise, if this core switch goes down, all of these guys will be using the other core switch. I mean, if you think

00:03:00

about it, it's not like we can run around to the network and change everybody's default Gateway to a new IP address or assign a new DHCP scope, this has to be automatic, so the network should recover when one of these pieces of equipment fail. This opens the door to a whole bunch of questions that you might have with redundancy, as in how fast can this fail over happen? How fast can this router say, I'll take over for you when that one goes down and how does it even know it goes down or what if for instance the LAN interfaces are fine on both of these routers, but the WAN link goes down? How does this one know that that router's WAN link went down and know to take over when it's not directed to the WAN, it is not like it can send hello messages over to that WAN link. So how does it know when it fails? That's

00:03:52

the last question I have in that list. How does the client know? For example, how does the client know that I should stop using that router and start using that router? Or if this is some kind of shared IP address thing, where maybe we just have both of these routers responding to we'll say 191268.1.1, then there has to be a MAC address that maps to that IP address when this one goes down that MAC address is going to be in everybody's cache. So that immediately tells you that you've got five, 10 minutes of outage right there while everybody figures out that MAC address is no longer available, let's time out the ARP Cache and fail over to here. So how do we fix all of that? I mean all

00:04:36

of these are questions that deal with that redundancy and that's what we're going to answer right now. There are three protocols that make redundancy happen: HSRP, VRRP and GLBP. Don't let this slide scare you because it's really just a laundry list dump of all the facts about these protocols. We're going to spend

00:04:56

the rest of this video and the next exploring each of these in depth. Overall, HSRP was the first, Cisco was the first to the game with this with hot standby routing protocol or router protocol. Now this was originally designed for routers because it came out back in 1994 before layer three switching was really mainstream or actually I don't even know if layer three switching was around back then, that was maybe the newest thing on the market, if so. But this

00:05:26

uses something known as a hello timer of every three seconds. So every three seconds the routers or now layer three switches say hello to each other. And if the switch or router doesn't say hello within 10 seconds, the other one's like, well, he's dead and I'll take over for all the clients. And I know we still

00:05:44

have questions on that and that's going to be answered as we dive into these. The virtual router redundancy protocol, or VRRP, came out in 1999, so five years later the other vendors caught up, meaning that this is now an industry standard protocol. And I shouldn't say

00:06:02

the other vendors caught up, I'm sure everybody had their own little proprietary version of this, but this protocol now allows this concept, this redundancy to work if you've got a Cisco router and some other brand router sitting next to each other, they can communicate and be redundant for each other. Now the cool

00:06:20

thing about VRRP is since it came out in 1999, the timers are much faster, meaning the bandwidth that was available in '99 was much more than it was in 1994, so by default the timers can recover and find a failure much faster and you can see hello timer of one second and a hold timer or dead timer of three seconds, plus a little bit more and we'll talk about that when we get there. The last one came out in 2005, GLBP by Cisco for Cisco. It's Cisco proprietary. Does the same

00:06:54

thing as these other two, except allows load balancing. That is pretty cool to where both routers can be forwarding traffic at the same time or both layer three switches can be accepting traffic at the same time and load balancing between each other. Now when you think about them sharing an

00:07:13

IP address this starts blowing your mind even more. I mean it's like the questions abound when you get to GLBP. You got to stay tuned for that one because just the whole concept of how that happens will blow your mind away. It's just awesome. So let's start off with HSRP.

00:07:30

As you just saw, the hot standby routing protocol or HSRP was the first protocol that did this redundancy thing. And since this is a switching course, I'm going to focus now on the switches in layer three switch capabilities, rather than talking about routers. But do keep in mind that these same concepts that we're

00:07:49

talking about now can apply to routers just as well. HSRP allows the Gateways to be organized into standby groups. Now when we're talking layer three switches, we're typically talking VLAN interfaces. For example, let me dive a little bit into the demonstration

00:08:07

I'm going to do for you in just a moment. These routers have VLAN 70. The VLAN 70 interface and that interface is assigned this IP address. That is the real VLAN address, VLAN 70 interface and this IP address. So those are assigned to their interfaces, but HSRP allows me to organize these layer three switches into standby groups. Now they both share the same group number. For

00:08:36

example, I might say this is HSRP group 5 and both of these interfaces are placed into standby group 5. Now when I do that, I will generate a standby or virtual IP address and get this, get this, a virtual MAC address. Brilliant, isn't it? So right down here you see VIP, that's my virtual IP address and a virtual MAC address, that has a specific format and we're going to talk about that in just a second that both switches respond to. But make sure you catch this, that HSRP

00:09:13

is not a load balancing thing like that one protocol GLBP. This is more of an active standby system, so one of these routers, the primary one, will be active in responding to this IP address and this MAC address and if this ever goes offline, the standby or other layer three switches, they're all in standby, there could be more than one standby switch or layer 3 switch, but they're going to take over and start being the active router for that VLAN interface and it will respond to this virtual IP address and virtual MAC address. Now the good news, the reason

00:09:50

I get so psyched about that virtual IP and MAC is because that means nothing has to change on our clients or our servers right here. They have their default Gateway of 172.30.70.1, and they have their MAC address and their ARP cache and that's one of the problems we talked about, it's in the ARP cache of 00000C07ACL1, that's my MAC address that I have right here. So if one of these fails as long as this one takes over for it and starts responding for this MAC address and IP address, the servers won't notice any different. The cool new system they can send

00:10:28

a little gratuitous ARP message on here, so these switches will immediately divert traffic to that MAC address from this port out that port. And they can do that very quickly, just by receiving that gratuitous ARP message. Now by default, hello messages are sent once every three seconds and a Gateway is dead after 10 seconds. What that means I've got all this chicken scratch up here, let me just wipe that clean real quick. This

00:11:00

primary Gateway, if this is the one, is saying, hello, hello, hello, every three seconds and this one even though it's the standby is saying hello every three seconds. So if it stops receiving hello messages for 10 seconds and the reason it's 10 instead of nine is because if it was nine, then you'd never really count that third hello. Right? If you missed two hellos, you

00:11:21

would consider them down right as the third hello is getting there. Just multiply three times three and you'll find that out. So they add a bonus second, and the 10 second for some latency reason and that is why this one knows to take over because if it's missed that many hellos, this guy might be down. So what

00:11:41

was I going to say on that? Oh, timers. Those timers aren't very quick, meaning that those timers were designed for networks back in 1994, as I was mentioning. So they are tunable to be equal to VRRP, which is the newer of the two protocols, so it can converge just as fast, but remember HSRP's only weakness at that point is that it is Cisco proprietary.

00:12:07

I say that because a lot of people might just be anxious to move to VRRP, not realizing they're not getting any other benefit other than multi vendor compatibility. And I'm not saying this just because I'm a Cisco guy, but usually when you have Cisco routers and you want them to be redundant, they're going to be Cisco routers. It's very rare that you're going to mix a Cisco

00:12:29

router with an HP router for redundancy purposes or a pick a vendor, I just threw HP out there. So HSRP can do the same thing as VRRP, it just takes a little more tuning. Now there is a specific structure to this virtual MAC address that I want to mention to you. Right here oh, let me just fix that real quick. This

00:12:50

virtual MAC address is generated when I create that standby group, meaning if I chose standby group number five that both these layer three switches respond to, it automatically will generate this well known MAC address. The first section of that MAC address

00:13:06

all zeros and then 0C is Cisco's vendor ID. When you get pools of MAC addresses, you have to go to the great MAC address Gods in the sky and say, please grant me a range and they will say, why yes, you have this range. So Cisco got 000.0C as one of their ranges and that's what they chose for HSRP.

00:13:27

By seeing 07AC as the second group of digits there, you're going to immediately know that this is HSRP. It's good to know because you can be on a network and just do an arp -a command from a Windows command line or I think that works in Linux, and you are going to find out we're using HSRP, without even having to go to the router because you can recognize that MAC address. The last two digits will

00:13:55

be the HSRP standby group number. For instance, if I had chosen 5, it would be 05 for that MAC address. Actually this doesn't match to my scenario, this one would be group number 1 that I would have chosen rather than 5. And that is in hexadecimal. If I choose group number 10 it is going to be 0A. Well let's get this set up and I'd like to start by getting familiar with the topology of this lab environment here. I have two layer

00:14:21

three switches, switch A and switch C, they're 3550 series and they are routing right now for VLAN 70. One of them is assigned 172.30.70.2 and the other is 70.3, switch A and switch C. As of right now I have them connected to 2950 here, actually two of them, but I don't have the second one connected. Switch B is I guess physically

00:14:46

this is what it looks like, but if we wanted true redundancy, we would want two switches here and by the way, I don't have all of the necessary connections just because it got too messy when I had that with all the texts, but to have true redundancy, you want a connection here, you want a connection here and you want a connection here between these switches and why not just go and throw in another one for good measure. But that's what

00:15:07

a truly redundant network looks like, it's just hard to read all the text. But with that in mind, we have just one switch, 2950 here, that is connected to a server. Now as of right now, this isn't set up for redundancy, meaning the server is configured to 172.30.70.3 as its default gateway. Let me get you familiar with the server,

00:15:30

this is it. I'm going to do an ipconfig here. All of these adapters, but really only one of them are active. You can see 170.30.70.50 and it is hard coded to a default Gateway of 70.3, which is that switch right there. So it's using switch C. Just to prove

00:15:48

that we can get out there, I'm going to do a ping, 172.30.70.3, at the default Gateway. We're getting there and it can ping .2, I thought wait a sec, it should be. Oh, okay there we go, it just took a sec. It should be able to ping 70.2, so they're both right there, both switches are responding, it's just as of right now since the default Gateway is hard coded to .3, if A goes down, there's no redundancy, so we need to set up a standby group. I've got my virtual IP address 172.30.70.1, that I want to use and I want these two switches to share it.

00:16:28

Now I want let's see, what do I want? Hmmm. I would like switch A, to be the primary switch on this and I'd like Switch C to be the standby. So switch A should respond to the Ping messages while it's online, but if it goes offline then I want switch C to take over and carry the burden, so here's how we do it.

00:16:52

I don't need that window right now, I need this one. I'm on switch A. I'm going to go just do a show IP interface brief and you can verify that right there is my VLAN 70 interface, with the .2 address assigned. Now my server is plugged into oh, the 2950 below. These are my trunk links that are connected to the 2950 and the 3550. All right. So I'm going to go into interface VLAN 70. So I'm in the routed interface and make sure you distinguish going into VLAN 70 is much different from going into interface VLAN 70. Just VLAN 70 is the layer 2 VLAN, that's how you segment your ports. Interface VLAN 70 is the routed interface for that VLAN. The command I'm going to type is standby followed by my

00:17:39

group number. By the way, there is no HSRP command, whenever you type standby that tells the switch or router you're after HSRP. Now there's a lot of options, here we're going to go through each one of them, but I'm going to start off with the group number because we have to set up the group. So I'm going to say standby

00:17:59

let's do a group number of 1, just use real nice generic one. Once we type in the group number, it's going to ask us, well, what sort of IP address do you want that as the virtual IP address? Or do you want to have preemption enabled? And we'll talk about all of those. First step, as you can see right here, create the

00:18:18

standby group and reassign the IP address, so that means I need to create group 1 and set up this virtual IP. It's almost like step 1 and step 2 are one and the same except when I was meaning reassign IP address, I meant on the client. So I'm going to type

00:18:33

in standby 1 IP and then what is my virtual IP address? 70.1. By the way, some people call this a phantom IP address. I think it's older terminology. People used to call the virtual IP like a phantom IP because it emulated like there's this phantom router in the middle, but that's it. Believe it or not, that's all I need to do to set

00:19:02

up HSRP, at least on switch A. So that's not running and my standby group is operating. Now I'm going to introduce one more command at this point. I was going to introduce in the next slide, but I think it's so important that I'll say it now. It is the priority.

00:19:20

Standby 1 priority and then a number. Now by default every single router will have a default priority of 100. Now when you think priority you should think higher is better. I mean if you are a higher priority dinner guest you are going to go in first, right? So the higher your priority, the better you are. Since everything is a default of 100, we need to adjust switch A, if we want to make sure that it becomes the HSRP active router at the time. If you don't adjust it, everybody

00:19:54

will be 100 and it just relies on the highest IP address to break the tie, in which switch C would become the active router because it's got the higher IP address. So I'm going to come into here and say, priority and let's just say 150. Now these are arbitrary values. It's not like I can say 150 is always great. It's all relative based on what you've set up on

00:20:15

the rest of your switches. So this point I now have HSRP configured on switch A. Let me configure it on switch C, and then we'll do some verification. Let me go into global config, interface VLAN 70 and I'll do. Let me type in do terminal monitor just so we can see some of the status messages that happen. I'm

00:20:36

going to type in standby group number 1, looks like I've got a more recent IOS version on this, I've got some more commands. Standby group 1 and I'll put the IP address and this is going to be the same as it was on the other. 172.30.70.1. That is the virtual or phantom IP address I want this to respond to. So at this point, this will have the default priority of

00:21:04

100. So I don't need to worry about setting this any higher or lower because 150 is going to be the King of the Hill. Now before we verify this on the switches, I want to verify it from the client itself. Let me bring that prompt back up. Now again I just want to make sure and let me shrink this down a little bit so you can see the IP addresses here. Right about there. All

00:21:30

right. To a clear screen. I'm going to make sure I can still ping 172.30.70.3. Sure enough I can and this is from the client, remember, I'm not on a switch here. I'm going to see if I can ping 172.30.70.2, and I can. That's switch A. Now let's see if we can ping that

00:21:50

new virtual IP address 172.30.70.1. We can. Interesting. Now let's check this out. I'm going to telnet to 172.30.70.3, that's switch C. You can see that. Telnet 172.30.70.2, that is switch A and let's telnet to 172.30.70.1, the virtual IP address. Look at that, I'm on switch A. Is that

00:22:19

the respected or I should see there? Yeah. You bet it is. Because switch A, is the active router at this time for that network. Let's go ahead and do the verification from the switch and I don't need my Tera Term, I am there now. Let me just do a show standby. By the way, this is about the only command

00:22:41

you usually use. Show standby will show right there VLAN 70 group 1, the local state is active, it has a priority of 150. Hello timer is three seconds, as we know, hold down timer is 10 seconds. The next hello will be sent in 2.196 seconds. The virtual IP address is this. Standby router, look at that. It

00:23:04

even tells us who this standby router will be, that's switch C. 172.30.70.3 over there. And it's going to die in eight seconds flat. Meaning that that's the countdown, the 10 second count down, if it doesn't keep getting hellos from the standby, it's going to assume it's dead. Now right there is the MAC address and remember those pieces

00:23:24

let me get right here, 0000C, is Cisco's vendor ID, 07AC means you're running HSRP and 01 is your group number. Isn't that cool? So this point we actually have a redundant setup. Now let's verify this from switch C's perspective. I'm going to telnet over to switch C to show standby over here. Now look at what switch C sees. Huh.

00:23:55

The state is standby. So if you remember, the state on the other oh, it erases the screen, I can't scroll back, was active. It sees the virtual IP address, it sees the active MAC address. It sees who the active router is that would be switch A, 172.30.70.2, priority 150. Expires in nine seconds. So you know standby router is me, local, and my priority is 100, that is what we expected to see because that is the default. Now what I would then do

00:24:27

if I was doing a full blown network config here, I would go to the client and I would set up this client to use a default Gateway of 30.70.1. And I'm done at that point, at least with the primary pieces, because the virtual IP address is set up. So really it's two commands. Standby, group

00:24:51

number and the IP address, followed by standby, group number, priority, to set the priority of who's going to be the active router. Now before we move on to the tuning and optimizing HSRP, let's do a little test. I'm going to do a ping, 172.30.70.1 t. So I'm going to have this ping going and let me tell you my

00:25:12

thought process before I do it. I'm going to kill the connection to the active router, I'm just tracing a cable as I'm talking now to see which one to pull. Okay. Got it. I'm going to kill the connection to the active router from this client, so let's see how long it takes the standby router to fail over. So I'm

00:25:33

going to start the ping. There it goes. I'm pulling the cable now. The cable is down. Holy cow, did you see that? That was amazing. Hang on. Did I pull the right cable? Oh, you know what, I'll bet you I did pull the right cable. I'm going to telnet over to 70.1. No, I pulled the wrong cable. Horrible. Did I really? I must

00:26:00

have. 70.1 what cable did I pull? Oh, I know why. You know why? Because I pulled this cable from switch B, but by the way I really have a connection like this. I pulled this cable right here, this was brilliant. Jeremy, simply brilliant. I pulled this cable

00:26:22

and you can see, let me plug that cable back in. You can see that that's no worries, right? Because switch B is like, that's great, I'm running rapid spanning tree, I'm going to fail over to switch C and just use this redundant connection over to switch A. So it was still using switch A. All right, hang on. I got

00:26:39

to build this up again. We need some dramatic music here, going to exit out, do a clear screen. Drrrr. What am I going to kill? I'm going to kill both I'm going to kill every cable I have connected to switch A, because I don't really have that much going on, on switch A. It's my redundant

00:26:59

router. So here is what I'm going to do. I'm going to start the ping again. Sorry, I got to make sure this works right. I'm going to start the ping again. I'm going to pull all the cables, meaning this one right here. Choo, choo. And this one right here to switch

00:27:17

A. And then I have a connection like that. We'll see how long it takes switch B, to fail over to the it shouldn't be switch B, for HSRP to fail over to BC as the active router. So much explanation. Good grief, let's just pull some cables here. I've got my pings going, I'm pulling them now. Much better. That is

00:27:37

what I expected to see. Okay. So at that point, the active HSRP switch has failed. The standby is missing hellos at this point. Oh, you see it? Right there, the standby took over and kicked on. Now if I telnet over to 172.30.70.1, I should arrive at which switch? C, right? And sure enough, I do. I do a show standby and you can see right here, it is now

00:28:05

switch C, is now the active one. It flipped over to become the active. It's now acting as the virtual IP and virtual MAC address. Standby router's unknown because it has taken over and switch A is currently down. Now that was pretty cool. Right? We've got

00:28:26

HSRP recovering failing over right before our very eyes, but we can make it even better by tuning and optimizing HSRP. And nothing has changed except the slide, I flipped it over. I've still got the same configuration, I just actually I reconnected the cables to switch A. And I want to show you something. I'm

00:28:44

telnetted into switch C right now. I'll do a show standby and I want to show you that as of right now, switch C is still the active router. Because you know even though I've reconnected switch A, it by the way it sees itself as the active router, but it sees switch A, as the standby router. Now here is the

00:29:05

irony of the whole thing, it says: Yeah, yeah, my priority is 100, and my standby router's priority is 150. The reason for that is because HSRP is kind of a one fail over deal, meaning once switch A over here, I think I remove my switch numbers. Once switch A failed and it went over to switch C, as

00:29:28

the active router, switch C remains the active router until switch C fails and then it will fail over again to switch A. That is unless you configure preemption. Now priority, we've already talked about, we did that a little bit early. Preemption is configured

00:29:43

that says, if you are a higher priority, then kind of kick the other guy back down. When you come back online, say that's me. Now the thing you've got to be careful of with preemption is if you have a router that's kind of flapping, meaning maybe it's got some IOS glitch or some hardware failure, and it's constantly rebooting, maybe once every couple minutes, well, it's going to constantly kick the other one back down, cause a temporarily a few seconds outage and then fail again and another 10 seconds outage while HSRP fails over again to the other one and all the magic happens. So be careful with preemption. Sometimes it's

00:30:21

good for it to stay with the backup until you can come over and find out why it failed. But if you want to set up preemption, here is how you do it. Now I'm on switch C right now, so let me open another command prompt and telnet over to switch A. Oops. 70.2. All right. I'm on switch A. I'm keeping both windows here for

00:30:46

a reason. We go into global config, interface VLAN 170. It's one command, standby group 1 and then you can see it right there, preempt. I love the description, overthrow domination. Preempt. Enter. And at that point, this now says I will overthrow the router with the lower priority and I'll just hit the Up arrow.

00:31:10

You see what happened? It says connection to host lost because I was telnetted to the HSRP router and of course as soon as I typed in preempt, switch C is no longer the HSRP virtual IP address and switch A took over. So I guess if I just telnet to that,

00:31:27

that will verify it, I'm on switch A, now because it is the active router. So that is the idea of preempt. Now interface tracking is pretty powerful. What this one does, is answer the question that we had of remember I had the two routers in a picture and I had them going to the switches? And I said, well, what if what if, you know, these guys are sending hellos back and forth, but then the serial link goes down, but since the hellos are still going back and forth, nothing is going to change. This one is

00:32:00

still going to think, yeah, that guy is just an okay because you know he is still sending hellos. It is kind of like a happy face with glasses right there. The hellos are still coming. Well, that's where interface tracking can come into play. Interface tracking says if this interface goes down, I will decrement my priority, subtract a certain number off my priority that is specified by you, the administrator. So if fails

00:32:30

maybe I'll take off 51 for my priority, kind of our example right here. So my priority will drop to 99. Now this feature has to be configured with preemption, of course, right? Because if the priority drops to 99, but this is the active router, well, preemption is not set up, this won't say, well, I'm going to overthrow you because my priority is 100. So those two features tie hand in hand. Here is how you set up tracking.

00:32:59

Just clear off my gibberish here. I'm going to bring up actually let me resize my window for a second. There we go. Okay. Here is what I'm going to do. I'm going to take this switch ooh, I got a good idea here. I'm going to take this switch right here, which is currently the active. It's got the priority,

00:33:23

I'll put priority 150 on this switch. And I'm going to set up interface tracking because remember our topology looks like that, that if this one fails, we won't have the problem that we had when I first tried to demonstrate HSRP. Remember where it stayed

00:33:38

the active router, it's just this guy went that way to get to it? That's why we didn't have any interruption on our ping. So here's what I'm going to do. I'm going to set up tracking to where if this interface fails, then I'm going to decrement my priority by let's do 60. I'll say subtract 60 from your priority so you will end up becoming hang on, this is switch A, this is switch C. You will end up

00:34:05

becoming the standby router as long as switch C is considered for preemption. Actually, let's do that first. Going to telnet over to switch C. 230.70.3. And go into interface VLAN 70 and do standby group 1 preempt. So it's set up for preemption, verify to show standby.

00:34:29

And correct, preemption is enabled, you can see it right there. It is still the standby router, priority is 100 and the primary priority is still 150. So let's exit out here and I'm going to on switch A, let me clear my screen. I'm going to go into global config mode and I'm going to go under interface VLAN 70. I set it up from the same place. I'm going to say for the standby group 1, I want to set up tracking where if my fast ethernet. Let's see which one is that? This

00:35:05

link here is 0 0/23, where if FA0/23 goes down, we don't have to type in goes down, it just we identify it. Track this interface. And If that one goes down, I'm going to decrement my priority by 60, thus making me a priority of 90 and the other switch to take over. So oh, let's see, how do I want to demonstrate

00:35:32

this. This will this could be cool. Mmm. Let's do the ping again. Um, I'm going to stay telnetted over to let me exit out here. Oh that was great. Let me I'm going to telnet over to switch C. Here is what happens. I get so excited to show this stuff and I'm going to do a terminal monitor. All my windows

00:35:59

start closing on me. All right, so I'm going to do terminal monitor on switch C. I'm going to bring up my terminal prompt and I'm just going to do a ping, 172.30.70.1. Are you following what I'm doing here? I know I'm just flying all over the place, as of right now I'm going to ping this and I'm going to down the tracked interface, 0/23. Right now. How is it? Do you see that? Did you see that? Right there. No pings at all

00:36:33

failed. Right there. It immediately went standby to active. Now I'm sitting on switch C. I'm going to type in show standby, and it's active. Now you might be thinking well, why did that happen? I expected did you expect some timeouts there with that ping? I mean, nothing happened at all. It was immediate. Well, remember

00:36:54

how this happened. The first time we caused the failure, I literally severed all ties to switch A. It's down. And that's where we saw the 10 second timer kick in before switch C became the active router. Well in this case, I just killed this link to switch

00:37:10

A, and as soon as that link went down, I mean instantaneously, like the millisecond it happened, switch A said, I am no longer the active router because I subtracted 60. Switch C, which is configured for preemption said I'm a priority of 100 and you're 90, so immediately I'm booting you down. Now the time is taking me to explain this is far less time than it actually took to happen. I mean, we're talking milliseconds here, right? So switch

00:37:38

C took over as the active router. Switch A, demoted itself until that interface goes back online and we did not miss a single ping at all because of that instantaneous transition. We didn't have to wait for those hello timers to time out. Speaking of timers, that's the last thing we need to talk about. How we can

00:37:58

tune HSRP to be fast, even when a fail over occurs, meaning a complete fail over like we talked about before. Well, watch this. There's a couple timers that you can tune and you can make HSRP scream. I'm going to go into switch C, that's the switch I'm on right now. Get into interface VLAN 70 and actually before I talk about making HSRP extremely fast, let me talk about an important timer, deals with preemption. I'm going to type in

00:38:26

standby 1 preempt, and that is what we talked about before, to turn on preemption, this will become King of the Hill once it reboots and it finds it's a higher priority. But there's some timers that you can adjust on preemption, you can see you have a delay before preempting. Now notice there's a few of them that

00:38:46

says minimum reload or sync that says, wait wait at least this long before you preempt across the board. Wait after you reload or wait for the clients to sync up with you, you know, this long wait until clients are accessing you for this long before you preempt and become HSRP. The activate

00:39:07

HSRP router. The two most often used ones are these two and I would highly recommend using the reload. Because if your switch is rebooting, you usually don't want it as soon as it comes back online to be active right away or that goes for routers, too. And the reason why is because when the router boots, it's kind of, you know, learning routing tables. It's learning

00:39:32

routing tables, it's doing CDP, it's finishing the process that occurred to boot. When it booted, so the processor time is more utilized. Think of it when you boot a windows PC, and you log in, right? You kind of just sit there for a couple minutes, at least I do on my slow computer, because it's loading all these other processes and I know if I do anything, it's just going to kind of hang there and be really slow acting. So it's the

00:39:57

same way with a router. So you might say, delay after reload, you know, maybe 180 seconds. So it's going to wait. If this is the primary router, it will wait three minutes before it says, okay, I'm up and I've been stable long enough for me to become active, now I will preempt and become King of the Hill. Now I'll

00:40:19

talk about how to make HSRP scream. I can type, not literally, I can type in standby 1 timers and then how I want to tune down my timers. Now we know that the default timers in HSRP is hello once every 3 seconds, dead after 10. I can tune that down, I'll say first off to equal VRRP, the latest and greatest ones. I just type in timers one to say hello once

00:40:48

every second, and then three to say, you're dead if you don't respond after three seconds, and you're good to go and actually do four, so you get three missed hellos before that happens. Now that kind of makes it compete with VRRP, but why compete when you can do better? Did you notice this one right here? Oh, yeah. Timers in milliseconds and I can have it say, hello. Now

00:41:15

I wouldn't recommend 15 there, that's a little crazy. But I can say, you know, maybe send a hello message once every 150 milliseconds and consider somebody dead in we have to type in the milliseconds both times, consider somebody dead after we'll say 700 milliseconds. At that point, your layer three devices, routers or switches, will converge in less than a second when a major failure has occurred. Now that's good news

00:41:49

because less than a second convergence means most likely nobody notices because it transitions that process as fast as you can snap your finger. Now there are other criteria that have to go in with that nobody notices like stateful NAT and so on. But

00:42:07

that is a way that you can allow HSRP to start moving very fast. Now the only drawback to doing that is do realize that now your switch is generating what would that be? Like seven, eight packets a second of hellos for HSRP. So not only does your network bandwidth

00:42:26

go up and I would say that's the least of the concerns since usually you've got gig uplinks between the switches, what I would say to watch out for is your processor cycles because now both switches are having to generate and receive potentially eight or nine hello messages every single second for HSRP and there's always an interrupt associated with that to the processor.

00:42:50

On our newer switches, though, I wouldn't consider that much of a problem because their processors are usually pretty heavy, especially with those Sup modules, Sup 720 or whatever else we've got in our 6500 series switches nowadays. So let's wrap this up. It's been ooh, I'm out of breath after this one. Good

00:43:09

stuff. HSRP in action. We did see of course redundancy is good, having two puppies is better than one. HSRP, VRRP, GLBP, what's the difference between them all? We had kind of the cram section slide of that, but really focused in this video on HSRP, everything about it. Part 2 of this is going to focus on the other two protocols, VRRP and GLBP. I hope this has been informative for you and I'd

Redundancy in the Campus: HSRP, VRRP, and GLBP Part 2

Campus Security: Basic Port Security and 802.1x

Campus Security: VLAN and Spoofing Attacks

Campus Security: STP Attacks and Other Security Considerations

Campus VoIP: Overview, Considerations, and AutoQoS

Wireless LAN: Foundation Concepts and Design Part 1

Wireless LAN: Foundation Concepts and Design Part 2

Wireless LAN: Frequencies and 802.11 Standards

Wireless LAN: Understanding the Hardware

The Switches Domain: Additional Life-Saving Technology

Monitoring: Your Pulse on the Network

Campus Security: VACLs

Intermediate 11 hrs 24 videos

Jeremy Cioara
Nugget trainer since 2003