CCNP 300-115 Switch study Part 1/2

How to determine the root bridge?

SW# show spanning-tree vlan 192

Indicated by the line "This bridge is the root".
All port roles are Desg (designated port).

Make this switch a root bridge

SW250(config)# spanning-tree vlan 192 priority 0


CAM (Content Addressable Memory)

A term used synonymously with MAC Address Table that refers to a switch table containing port number to MAC address mappings.

TCAM

Ternary Content Addressable Memory (TCAM) table.
Used for security ACL and Quality of Service (QoS) ACL lookups.

Mac address table

SW250# show mac address-table ?
SW250# show mac address-table dynamic
SW252# show mac address-table interface Fa0/1
SW250# show mac address-table aging-time

SW250# show mac address-table count 
SW250# show mac address-table count vlan 192

ARP

show arp

SDM (Switch Database Management) Templates

Collections of settings that allocate a switch’s resources
(e.g. TCAM resources) in different ways, depending on the role of the switch

Show existing SDM setting

SW250#show sdm prefer

Turn on IPv6 (the new SDM template only takes effect after a reload)

SW250(config)# sdm prefer dual-ipv4-and-ipv6 default
SW250(config)# end
SW250# reload
SW250(config)# ipv6 unicast-routing

Show current TCAM utilization

SW250# show platform tcam utilization


CDP vs LLDP

CDP (Cisco Discovery Protocol)
A Cisco-proprietary protocol that allows Cisco devices to dynamically discover other Cisco devices that are Layer 2 adjacent.

LLDP (Link Layer Discovery Protocol)
An industry standard protocol that allows network devices supporting LLDP (that are Layer 2 adjacent) to dynamically discover one another.

TLV (Type-Length-Value)
Information about a specific characteristic of an LLDP-speaking device, which can be advertised to a neighboring LLDP-speaking device.

Show neighbors

SW1# show cdp neighbors

Enable LLDP

SW1# show lldp
SW1(config)# lldp run
SW1(config)# end
SW1# show lldp neighbors

Disable LLDP on an interface (receive and transmit can be turned off separately)

SW1(config)# int gi1/0/1
SW1(config-if)# no lldp ?
SW1(config-if)# no lldp receive
SW1(config-if)# no lldp transmit


POE (Power over Ethernet)

PSE (Power Source Equipment)

PD (Powered Device), e.g. CCTV cameras, access points and IP phones

Cisco Inline Power (7.7 Watts)

IEEE 802.3af (15.4 Watts)

IEEE 802.3at PoE+ (25.5 Watts)

SW250(config)# int range Gi1/0/1-24
SW250(config-if-range)# power inline auto
SW250(config-if-range)# end
SW250# show power inline

UDLD (Unidirectional Link Detection)

Normal Mode

Aggressive Mode (recommended)

Turn on UDLD globally (only fiber ports)

SW250(config)# udld aggressive

Turn on UDLD on interface

SW250(config)# int gi1/0/1
SW250(config-if)# udld port aggressive

SW250# show udld

Recover ports disabled by UDLD

SW250# udld reset


SPAN (Switched Port Analyzer) – local

Turn on local SPAN

SW250(config)# monitor session 1 source interface Gi1/0/1
SW250(config)# monitor session 1 destination interface Gi1/0/11
SW250(config)# end
SW250# show monitor


SPAN (Switched Port Analyzer) – Remote

Turn on remote SPAN (on SW1, capture Gi1/0/2)

SW1(config)# vlan 50
SW1(config-vlan)# name RSPAN
SW1(config-vlan)# remote-span
SW1(config-vlan)# exit
SW1(config)# monitor session 2 source interface Gi1/0/2
SW1(config)# monitor session 2 destination remote vlan 50

SW1: Remote Source Session

Turn on remote SPAN (on SW2 to sniff)

SW2(config)# monitor session 2 source remote vlan 50
SW2(config)# monitor session 2 destination interface Fa0/20
SW2(config)# end
SW2# show monitor

SW2: Remote Destination Session

StackWise

(Cisco Catalyst 3750-E & Cisco Catalyst 3750-X)

  • As many as 9 switches in a stack
  • Single management IP address
  • Redundant interconnect cable connection

StackWise Plus

Cisco Catalyst 3850

StackWise-480

Cisco Catalyst 3850

FlexStack (max 4 units)

Cisco Catalyst 2960-S

SW250# show switch
SW250# show switch stack-ports
SW250# show platform stack manager all


VLAN = Subnet = Broadcast Domain

VLANs created in the range of 1006-4094 are called Extended VLANs

SW250# show vlan brief

Create VLAN

SW250(config)# vlan 192
SW250(config-vlan)# name HOME

Delete VLAN

SW250(config)# no vlan 192

Wipe config (this does not remove VLAN config)

SW250# write erase

Wipe VLAN config

SW250# delete flash:/vlan.dat

VLAN config is stored separately in flash:/vlan.dat

Assign vlan 192 to interfaces

SW250(config)# int range Gi1/0/1 - 28
SW250(config-if-range)# switchport access vlan 192

ISL (Inter-Switch Link)

A Cisco-proprietary Ethernet trunking type, which adds 30 bytes to each trunk frame (a 26-byte header and a 4-byte trailing checksum).

IEEE 802.1Q (Cisco recommends this. AKA dot1Q)

An industry-standard Ethernet trunking type, which inserts a 4-byte tag into each trunk frame, except frames belonging to the Native VLAN.

  • 12 bits indicate VLAN ID
  • 3 bits (the Class of Service or CoS bits) indicate the frame’s priority

Native VLAN

A VLAN in an IEEE 802.1Q trunk that is not tagged.
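Added example (not from these notes): a small Python decoder for the dot1Q tag layout described above, showing the 12-bit VLAN ID and the 3-bit CoS field, and mapping an untagged frame to the native VLAN. The frames it parses are constructed inline; the helper names (build_frame, decode_frame) are mine, not Cisco's.

```python
"""Added example (not from the study notes): decode an IEEE 802.1Q tag.

A dot1Q tag sits between the source MAC and the EtherType: TPID 0x8100,
then a 16-bit TCI holding 3 CoS bits, 1 DEI bit and the 12-bit VLAN ID.
An untagged frame arriving on a trunk belongs to the native VLAN, which the
caller supplies. All frames below are constructed for illustration.
"""
import struct
from typing import Optional

TPID_DOT1Q = 0x8100


def fmt_mac(raw: bytes) -> str:
    """Render 6 raw bytes in Cisco dotted form, e.g. 0011.2233.4455."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, cos: int = 0, dei: int = 0) -> bytes:
    """Build an Ethernet frame, inserting a dot1Q tag when vlan is given."""
    hdr = bytes.fromhex(dst.replace(".", "")) + bytes.fromhex(src.replace(".", ""))
    if vlan is not None:
        if not (0 <= vlan <= 4095 and 0 <= cos <= 7 and dei in (0, 1)):
            raise ValueError("VLAN must be 0-4095, CoS 0-7, DEI 0 or 1")
        tci = (cos << 13) | (dei << 12) | vlan
        hdr += struct.pack("!HH", TPID_DOT1Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def decode_frame(frame: bytes, native_vlan: int) -> dict:
    """Return addressing, VLAN, CoS and EtherType; untagged frames map to native_vlan."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": fmt_mac(dst), "src": fmt_mac(src), "tagged": False,
            "vlan": native_vlan, "cos": 0, "dei": 0}
    if ethertype == TPID_DOT1Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True,
                    cos=tci >> 13,            # top 3 bits: Class of Service (802.1p)
                    dei=(tci >> 12) & 1,      # 1 bit: Drop Eligible Indicator
                    vlan=tci & 0x0FFF,        # low 12 bits: VLAN ID
                    ethertype=inner_type)
    else:
        info["ethertype"] = ethertype
    return info


# Constructed sample frames: a voice frame tagged VLAN 400 with CoS 5, and an
# untagged ARP broadcast that a trunk would place in its native VLAN.
PAYLOAD = b"\x00" * 46
SAMPLE_TAGGED = build_frame("0011.2233.4455", "0011.2233.44aa", 0x0800, PAYLOAD,
                            vlan=400, cos=5)
SAMPLE_UNTAGGED = build_frame("ffff.ffff.ffff", "0011.2233.44bb", 0x0806, PAYLOAD)

if __name__ == "__main__":
    for f in (SAMPLE_TAGGED, SAMPLE_UNTAGGED):
        print(decode_frame(f, native_vlan=192))
```

Run it as a script to see both decodes; the untagged ARP frame comes out in VLAN 192 only because that is the native VLAN the caller passed in, which is exactly why a mismatched native VLAN on the two ends of a trunk silently moves traffic between VLANs.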

DTP (Dynamic Trunking Protocol)

A Cisco-proprietary protocol that allows a switch port to dynamically negotiate the formation of a trunk between two switches.

Trunk

Setup Trunk on interface

SW250(config-if)# switchport trunk encapsulation dot1q
SW250(config-if)# switchport trunk native vlan 192
SW250(config-if)# switchport mode dynamic desirable

Manual VLAN pruning (allowed VLAN list)

SW252(config-if)# switchport trunk allowed vlan 192,200

VTP (VLAN Trunking Protocol)

Server mode

  • Can be used to create/delete/modify VLANs
  • Updates its VLAN database based on received advertisements
  • Forwards received VTP messages
  • Can originate VTP advertisements

Client mode

  • Cannot be used to create/delete/modify VLANs
  • Updates its VLAN database based on received advertisements
  • Forwards received VTP messages
  • Can originate VTP advertisements

Transparent mode

  • Can be used to create/delete/modify VLANs
  • Does not update its VLAN database based on received advertisements
  • Forwards received VTP messages
  • Does not originate VTP advertisements

Configuration Revision Number

A value advertised via VTP indicating the version of a switch’s VLAN database; it is incremented by one for every change made to that VLAN database.

VTP Requirement

  • Same VTP domain name (case sensitive)
  • VTP only flows over trunk ports (it does not work on access ports)
  • Matching VTP versions
  • Password (optional)
  • A VTP client must have a trunk port

VTP Version

  • Version 1
  • Version 2 (automatic update based on the received VTP domain name; very risky)
  • Version 3 (better protects the VTP password; supports MST)

VTP Pruning

  • Stops traffic for VLANs that are not needed on a trunk from crossing it

VTP setting & status

SW250(config)# vtp mode server
SW250(config)# vtp version 2
SW250(config)# vtp pruning
SW250(config)# vtp password XXX
SW250(config)# vtp domain www.domain.com
SW250# show vtp status

VTP Client

VTP VLAN configuration not allowed when device is in CLIENT mode.

VTP revision number reset (when introducing new switch)

Reset Configuration Revision number to: 0

SW250(config)# vtp mode transparent
SW250(config)# vtp mode server

Not necessary, but vlan.dat can also be deleted

SW250# delete flash:vlan.dat
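Added example (not from these notes): a Python model of the VTP rules listed above (revision number, domain, password, the three modes) that shows why the revision must be reset to 0 before a switch joins a domain. It is an educational model, not Cisco's implementation; the switch names, VLANs and revision numbers are constructed, and the class and function names are mine.

```python
"""Added example (not from the study notes): a simplified model of how a VTP
switch handles an advertised VLAN database. It follows the rules in the notes
(domain name is case sensitive, clients cannot edit VLANs, transparent mode
forwards but never updates, a higher configuration revision wins, and moving
to transparent mode resets the revision to 0). Educational model only; the
switches and VLANs below are constructed.
"""


class VtpSwitch:
    def __init__(self, name, mode, domain, password=None, revision=0, vlans=None):
        if mode not in ("server", "client", "transparent"):
            raise ValueError("mode must be server, client or transparent")
        self.name = name
        self.mode = mode
        self.domain = domain             # compared case-sensitively, as in the notes
        self.password = password
        self.revision = revision
        self.vlans = dict(vlans or {})   # {vlan_id: name}

    def set_mode(self, mode):
        """Changing to transparent mode resets the configuration revision to 0."""
        if mode == "transparent":
            self.revision = 0
        self.mode = mode

    def configure_vlan(self, vlan_id, name):
        """Create/modify a VLAN locally; clients are refused, servers bump the revision."""
        if self.mode == "client":
            raise PermissionError(
                "VTP VLAN configuration not allowed when device is in CLIENT mode.")
        self.vlans[vlan_id] = name
        if self.mode == "server":
            self.revision += 1

    def advertisement(self):
        """What this switch sends on its trunks (transparent mode never originates)."""
        if self.mode == "transparent":
            return None
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply a received advertisement. Returns True if the local database changed."""
        if adv is None or self.mode == "transparent":
            return False                       # forwarded, never applied
        if adv["domain"] != self.domain or adv["password"] != self.password:
            return False                       # wrong domain or password: ignored
        if adv["revision"] > self.revision:
            self.vlans = dict(adv["vlans"])    # higher revision overwrites everything
            self.revision = adv["revision"]
            return True
        return False


def join_without_reset():
    """A lab switch with a high revision overwrites the production VLAN database."""
    prod = VtpSwitch("SW250", "server", "HOME", "XXX", revision=5,
                     vlans={192: "HOME", 200: "SERVERS"})
    lab = VtpSwitch("LAB1", "server", "HOME", "XXX", revision=12, vlans={999: "LAB"})
    prod.receive(lab.advertisement())
    return prod.vlans, prod.revision


def join_with_reset():
    """Same lab switch, but toggled through transparent mode first (revision -> 0)."""
    prod = VtpSwitch("SW250", "server", "HOME", "XXX", revision=5,
                     vlans={192: "HOME", 200: "SERVERS"})
    lab = VtpSwitch("LAB1", "server", "HOME", "XXX", revision=12, vlans={999: "LAB"})
    lab.set_mode("transparent")            # vtp mode transparent
    lab.set_mode("server")                 # vtp mode server (revision stays 0)
    prod.receive(lab.advertisement())      # revision 0 < 5: ignored
    lab.receive(prod.advertisement())      # lab syncs to production instead
    return prod.vlans, prod.revision, lab.vlans, lab.revision


if __name__ == "__main__":
    print("without reset:", join_without_reset())
    print("with reset:   ", join_with_reset())
```

The first scenario is the classic outage: the production VLANs 192 and 200 disappear because a higher revision number arrived with the same domain and password. The second scenario is the procedure from the notes (transparent, then server) and leaves production untouched.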

Voice VLAN

A VLAN that can be configured on a Cisco Catalyst switch for the purpose of carrying voice packets to and from IP phones.

  • Single VLAN Access Port
    Useful for 3rd-party IP phones
    IP phone and PC are on the same VLAN. Lets the IP phone apply an IEEE 802.1p CoS marking.
  • Multi VLAN Access Port
    (e.g. Voice VLAN 400 & Data VLAN 300)
    Requires CDP version 2. Frames look like dot1Q trunk frames.
    Does not work with LLDP-MED (Link Layer Discovery Protocol – Media Endpoint Discovery)
  • Trunk Port
    (e.g. Voice VLAN 400 & Data VLAN 300)
    Compatible with both CDP and LLDP-MED
    Frames are dot1Q trunk frames
    Unneeded VLANs should be pruned for security reasons

CoS (Class of Service)

A Layer 2 quality of service (QoS) marking sent over a trunk, in the range 0-7 (where 6 and 7 are reserved for network use). Cisco IP phones automatically set the CoS of voice frames to 5.


Voice configuration (Single VLAN)

SW250(config)# int gi1/0/24
SW250(config-if)# switchport mode access
SW250(config-if)# switchport voice vlan dot1p

Voice configuration (Multi VLAN)

SW250(config)# int gi1/0/24
SW250(config-if)# switchport mode access
SW250(config-if)# switchport access vlan 192
SW250(config-if)# switchport voice vlan 400

Voice configuration (Trunk)

SW250(config)# int gi1/0/24
SW250(config-if)# switchport trunk encapsulation dot1q
SW250(config-if)# switchport mode trunk
SW250(config-if)# switchport voice vlan 400
SW250(config-if)# switchport trunk allowed vlan 192,400

# Not sure if I need the line below #
SW250(config-if)# switchport trunk native vlan 192

Verify the interface

SW250# show int Gi1/0/3 switchport

SW250# show int trunk

STP (Spanning Tree Protocol)

  • On a switch: Layer 2 (frames)
  • On a router: Layer 3 (packets)
  • Broadcast Storm
    A broadcast frame (e.g. a frame destined for FFFF.FFFF.FFFF) circulates endlessly around a Layer 2 topology because the frame has no TTL field
  • TTL (Time-to-Live)
    A value in an IP packet’s header that is decremented by one each time the packet is forwarded by a router
  • Root Bridge
    An STP topology has a single root bridge. The bridge (or switch) with the lowest bridge ID (BID) is elected as the root bridge.
  • Default Priority 32768 (range 0-61440)
  • If priorities are equal (e.g. 32768), the switch with the lower MAC address becomes the root bridge

Port States

  • Root Port (the port with the cheapest path cost toward the Root Bridge)
    When costs are equal, the port ID of the sending switch (e.g. the Root Bridge’s interface) decides the Root Port.
  • Designated Port (Forwarding)
  • Non-Designated Port (blocked to preserve a loop-free L2 topology)
    On a segment where both switches have the same root path cost, the switch with the higher Bridge ID puts its port into blocking.
    Between two ports of the same switch, blocking is determined by the sender’s PORT ID (the higher one blocks)
  • Disabled Port (administratively shut down)

The Root Bridge does not have a Root Port

  • The Root Bridge only has Designated Ports
  • Every other switch has a Root Port (the port closest to the Root Bridge)
  • Port Speed and STP cost
    10Mbps 100
    100Mbps 19
    1Gbps 4
    10Gbps 2
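Added example (not from these notes): a Python model of the root bridge election and port-role assignment just described. Bridge IDs are (priority, MAC) with the lowest winning, link costs come from the speed/cost table above, and ties are broken by the sender's Bridge ID and then port ID. The three-switch triangle (SW250/SW251/SW252 with constructed MACs) is made up to match the lab in these notes; the function names are mine.

```python
"""Added example (not from the study notes): STP root bridge election and
port-role assignment for a small topology. Bridge IDs are (priority, MAC)
and the lowest wins; root path cost uses the IEEE 802.1D speed/cost table
from the notes; ties on a segment are broken by the sender's Bridge ID and
then the sender's port ID. The three-switch topology is constructed.
"""
import re

STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # Mbps -> 802.1D cost
DEFAULT_PORT_PRIORITY = 128


def bridge_id(priority, mac):
    """Lower (priority, MAC) wins; the MAC is compared numerically."""
    return (priority, int(mac.replace(".", ""), 16))


def port_id(port_name, priority=DEFAULT_PORT_PRIORITY):
    """Port ID = (port priority, port number); the number is parsed from the name."""
    number = int(re.search(r"(\d+)$", port_name).group(1))
    return (priority, number)


def elect_root(bridges):
    return min(bridges, key=lambda n: bridge_id(*bridges[n]))


def compute_stp(bridges, links):
    """
    bridges: {switch: (priority, mac)}
    links:   [(switchA, portA, switchB, portB, speed_mbps)]
    Returns {"root": name, "cost": {switch: root path cost},
             "roles": {switch: {port: "root" | "designated" | "blocked"}}}
    """
    root = elect_root(bridges)
    adj = {n: [] for n in bridges}
    for a, pa, b, pb, speed in links:
        cost = STP_COST[speed]
        adj[a].append((b, pa, pb, cost))
        adj[b].append((a, pb, pa, cost))

    # best[sw] = (root path cost, sender BID, sender port ID, neighbour, my port)
    best = {n: None for n in bridges}
    best[root] = (0, bridge_id(*bridges[root]), (0, 0), None, None)
    changed = True
    while changed:                       # relax until every switch holds its best BPDU
        changed = False
        for sw in bridges:
            if sw == root:
                continue
            for nbr, my_port, nbr_port, cost in adj[sw]:
                if best[nbr] is None:
                    continue
                cand = (best[nbr][0] + cost, bridge_id(*bridges[nbr]),
                        port_id(nbr_port), nbr, my_port)
                if best[sw] is None or cand[:3] < best[sw][:3]:
                    best[sw] = cand
                    changed = True

    roles = {n: {} for n in bridges}
    for a, pa, b, pb, _ in links:
        # The designated end of a segment offers the lower (root path cost, BID,
        # port ID); the other end blocks unless that port is its root port.
        key_a = (best[a][0], bridge_id(*bridges[a]), port_id(pa))
        key_b = (best[b][0], bridge_id(*bridges[b]), port_id(pb))
        designated = a if key_a < key_b else b
        for sw, port in ((a, pa), (b, pb)):
            if best[sw][4] == port:
                roles[sw][port] = "root"
            elif sw == designated:
                roles[sw][port] = "designated"
            else:
                roles[sw][port] = "blocked"
    return {"root": root, "cost": {n: best[n][0] for n in bridges}, "roles": roles}


SAMPLE_BRIDGES = {          # all at default priority 32768; MACs are constructed
    "SW250": (32768, "0011.2233.0250"),
    "SW251": (32768, "0011.2233.0251"),
    "SW252": (32768, "0011.2233.0252"),
}
SAMPLE_LINKS = [            # a triangle of 100 Mbps links (cost 19 each)
    ("SW250", "Fa0/1", "SW251", "Fa0/1", 100),
    ("SW250", "Fa0/2", "SW252", "Fa0/2", 100),
    ("SW251", "Fa0/15", "SW252", "Fa0/15", 100),
]

if __name__ == "__main__":
    result = compute_stp(SAMPLE_BRIDGES, SAMPLE_LINKS)
    print("root:", result["root"])
    for sw, ports in result["roles"].items():
        print(sw, result["cost"][sw], ports)
```

With equal priorities the lowest MAC (SW250) becomes root, both other switches reach it at cost 19, and on the SW251-SW252 segment the higher Bridge ID (SW252) blocks its Fa0/15, which is the port the notes later tune with spanning-tree cost. Lowering SW252's priority to 0, as in "Make this switch a root bridge", moves the root there.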

STP Convergence Times (IEEE 802.1D)

  • BPDU
    Bridge Protocol Data Unit (BPDU).
    A message exchanged in an STP topology that is used to determine which switch is the root bridge
  • Blocking (20 sec max age)
    Which port blocks is determined by the sender’s PORT ID
  • Listening (15 sec forward delay)
  • Learning (15 sec forward delay)
  • Forwarding (takes 50 sec in total to transition from Blocking to Forwarding)
  • All VLANs use a common STP topology
  • CST (Common Spanning Tree)

PVST (Per VLAN Spanning Tree, used over ISL trunks)

Allows a different Root Bridge per VLAN

PVST+ (Per VLAN Spanning Tree Plus, used over IEEE 802.1Q trunks)

Also allows a different Root Bridge per VLAN

MISTP (Multiple Instances Spanning Tree Protocol)

MISTP = MSTP = MST


RSTP (Rapid Spanning Tree Protocol – IEEE 802.1W)

  • RSTP considers it a topology change only when a non-edge port transitions to the forwarding state.
  • There is no point in signalling a topology change for a failed port, since that port cannot forward frames anyway.


Rapid PVST+ (Rapid Per VLAN Spanning Tree)

  • Root Bridge
    The switch in a topology with the lowest Bridge ID (BID)
    The Root Bridge has all designated ports
  • Root Port
    The port on a non-root bridge (every other switch) closest to the root, in terms of cost
  • Designated Port
    The port on a network segment that is closest to the root, in terms of cost.
    A non-root bridge may also have Designated Ports; the port at the opposite end of such a segment is blocked.
  • Alternate Port (blocked port)
    A port discarding data frames, but which could provide an alternate path to the Root Bridge.
  • Backup Port
    A port discarding data frames. It is a redundant link to a shared segment.
    Only occurs when connected to a hub


Rapid PVST Port States

  • Discarding
    Data not being forwarded (e.g. Alternate, Backup and Disabled ports)
  • Learning
    Learning MAC addresses available off the port
  • Forwarding
    Data being forwarded (e.g. Root and Designated ports)


Rapid PVST Link Types

  • P2p (Point-to-Point)
    Running in full-duplex mode.
    Switch to switch
  • Shared
    Running in half-duplex mode
    Switch to hub
  • Edge Port
    Endpoint (e.g. user PC)


Exercise to find Root, Designated & Blocked ports.


Change interface Port Priority

SW251(config)# int fa0/15
SW251(config-if)# spanning-tree port-priority 128

Change the Port Priority of the sender’s interface to influence which port blocks.


Change interface Cost manually

SW252(config)# int fa0/15
SW252(config-if)# spanning-tree cost 18
SW252# show spanning-tree vlan 192

Change Root Bridge manually

SW250(config)# spanning-tree vlan 192 root primary
SW251(config)# spanning-tree vlan 192 root secondary


MSTP (Multiple Spanning Trees Protocol – IEEE 802.1S)

  • Also known as MST (Multiple Spanning Tree) protocol
  • IEEE 802.1s (since merged into IEEE 802.1Q)
  • MSTP Instance
    An STP process that can be shared by multiple VLANs.
  • Intended for large numbers of VLANs
  • MSTP Region
    A group of switches sharing the same Region Name, Revision Number and VLAN-to-instance mapping table.
    Requires manual setup on each switch
  • Do not prune any VLANs for MSTP

MST Configuration

Requires manual setup on each switch (the network will be down until the other switches are done)

SW250# conf t
SW250(config)# spanning-tree mst configuration
SW250(config-mst)# instance 1 vlan 192,172

SW250

SW251

SW252

MST (make root primary & secondary)

Spanning tree mode to MST. This command brings network down.

SW_ANY(config)# spanning-tree mode mst

SW250 (going to be root primary for vlan 192 & 172, and secondary for vlan 200)

SW250# conf t
SW250(config)# spanning-tree mst 1 root primary
SW250(config)# spanning-tree mst 2 root secondary
SW250(config)# spanning-tree mode mst

SW251 (going to be root primary for vlan 200. Secondary for vlan 192, 172)

SW251# conf t
SW251(config)# spanning-tree mst 2 root primary
SW251(config)# spanning-tree mst 1 root secondary
SW251(config)# spanning-tree mode mst

Notice other switches are still using PVST

SW250# show spanning-tree

Confirm we are the Root Bridge

SW250# show spanning-tree summary

Show MST configuration

Configure MST region name and revision number

SW250# conf t
SW250(config)# spanning-tree mst configuration
SW250(config-mst)# name HOME_SWITCH_NETWORK
SW250(config-mst)# revision 1

The revision value 1 is an example; name, revision and VLAN mapping must match on every switch in the region.

Check new revision

Confirm we are the root for vlan 192

SW250# show spanning-tree vlan 192

This switch is also the Root Bridge for vlan 172, as both VLANs 192 & 172 are mapped to MST instance 1


Show MST Digest and compare with other switches to ensure they are having same config

SW250# show spanning-tree mst configuration digest


Rapid PVST configuration

Causes the network to go down during configuration (Rapid PVST+ and MST are mutually exclusive modes)

SW250# conf t
SW250(config)# spanning-tree mode rapid-pvst
SW250(config)# end
SW250# show spanning-tree summary

If the trunk is dot1Q, it is Rapid PVST+


Rapid PVST configuration – make me Root bridge

SW250# conf t
SW250(config)# spanning-tree vlan 192 root primary

Can select multiple VLANs

SW250(config)# spanning-tree vlan 192,172 root primary


Change Link-Type for spanning tree manually to Shared

SW251# conf t
SW251(config)# int Gi1/0/23
SW251(config-if)# spanning-tree link-type shared
SW251# show spanning-tree

Setting the interface to half duplex achieves the same thing.

SW251(config-if)# duplex half

Change Link-Type for spanning tree manually to P2p Edge

SW251# conf t
SW251(config)# int fa0/5
SW251(config-if)# spanning-tree portfast

Confirm P2p Edge


Features that Decrease STP Convergence Time

  • UplinkFast (not required on Rapid STP)
    Typically used on Access Layer switches to quickly reconverge
    Globally enabled on a switch
  • BackboneFast (not required on Rapid STP)
    Allows a switch to initiate reconvergence in the event of an indirect link failure
    Typically configured on all network switches
    Globally enabled on a switch
    Reacts to an indirect link failure (signalled by an Inferior BPDU)
    RLQ (Root Link Query and Reply)
  • PortFast (works well with Rapid STP)
    Allows a switch port to transition to the Forwarding state almost immediately
    Can be enabled globally or individually (port-by-port basis)
    PortFast is inactive on trunk ports

UplinkFast configuration

Not required on Rapid STP. Usually setup on the switch lower or further away from Root bridge.

SW252# conf t
SW252(config)# spanning-tree uplinkfast
SW252# show spanning-tree uplinkfast


BackboneFast configuration

SW252# conf t
SW252(config)# spanning-tree backbonefast
SW252# show spanning-tree backbonefast


PortFast configuration globally

SW252# conf t
SW252(config)# spanning-tree portfast default

Verify PortFast on interface

SW252# show spanning-tree int fa0/8 portfast

Increase STP stability

  • BPDU Guard
    Puts a port into an error-disabled state if a BPDU is received
    Only switches send BPDUs; end-user devices don’t.
    E.g. PortFast is enabled on the port but a switch gets connected to it.
    Can be enabled globally or individually (port-by-port basis)
  • BPDU Filter
    Suppresses the transmission of BPDUs
    Can be enabled globally or individually (port-by-port basis)
    Caution: only use when necessary.
    Most dangerous when enabled at the port level
  • Root Guard
    Only possible at the port level.
    Puts a port into a Root-inconsistent state if a superior BPDU arrives on a port behind which the root bridge is not expected. Basically tells the switch not to believe a root bridge claim on that port.
  • Loop Guard
    Can be enabled globally or individually (port-by-port basis)
    Puts a port into a Loop-inconsistent state if a non-designated (blocked) port stops receiving BPDUs.


BPDUGuard (Globally & individually)

Apply BPDU guard globally (applies to all PortFast-enabled ports)

SW252# conf t
SW252(config)# spanning-tree portfast bpduguard default

Apply BPDU guard individually

SW252# conf t
SW252(config)# int fa0/29
SW252(config-if)# spanning-tree bpduguard enable

Check BPDU guard status

SW252# show spanning-tree summary

BPDUFilter (individual level)

At the individual level, the port does not send BPDUs and ignores any BPDU received.

Most dangerous when enabled at the port level.

SW252# conf t
SW252(config)# int fa0/29
SW252(config-if)# spanning-tree bpdufilter enable


Check BPDU filter on interface

SW252# show spanning-tree interface Fa0/29 detail


BPDUFilter (Globally)

Globally, the filter only applies to PortFast ports and the switch acts more cautiously: if such a port receives a BPDU, it loses its PortFast status and the filter no longer applies to it.

SW252# conf t
SW252(config)# spanning-tree portfast bpdufilter default

Confirm global BPDU filter setting

SW252# show spanning-tree summary


RootGuard

Prevents a port from acting on a superior BPDU. The BPDU is basically ignored and the port is put into a Root-inconsistent state until the superior BPDUs stop.

SW252# conf t
SW252(config)# int Fa0/29
SW252(config-if)# spanning-tree guard root

Show inconsistent ports

SW252# show spanning-tree inconsistentports


LoopGuard

Loop Guard Individually

SW252# conf t
SW252(config)# int Fa0/29
SW252(config-if)# spanning-tree guard loop

Loop Guard Globally

SW252# conf t
SW252(config)# spanning-tree loopguard default

Check Global setting of Loop Guard

SW252# show spanning-tree summary


EtherChannel (IEEE 802.3ad)

  • Allows multiple physical links to be logically bundled together into a virtual port-channel interface
  • Allows higher bandwidth between switches
  • Provides load-balancing
  • Creates redundant links


EtherChannel Load-Balancing

  • dst-ip
  • dst-mac
  • src-dst-ip
  • src-dst-mac
  • src-ip
  • src-mac


PAgP (Port Aggregation Protocol) – Cisco proprietary

LACP (Link Aggregation Control Protocol) – IEEE standard


MDI-X (Medium Dependent Interface Crossover)

A feature that allows a switch port to determine which pins on an RJ-45 port should be used for transmission and which should be used for reception

SW251(config-if)# mdix auto

Layer 2 EtherChannel

A connection made up of a logical grouping of ports into a virtual interface that is configurable as a Layer 2 interface

SW251

SW251# conf t
SW251(config)# int range fa0/30-31
SW251(config-if-range)# speed auto
SW251(config-if-range)# duplex auto
SW251(config-if-range)# mdix auto
SW251(config-if-range)# channel-group 1 mode desirable
SW251(config-if-range)# end

SW251# conf t
SW251(config)# int port-channel 1
SW251(config-if)# switchport trunk encapsulation dot1q
SW251(config-if)# switchport mode trunk

SW252

SW252# conf t
SW252(config)# int range fa0/30-31
SW252(config-if-range)# speed auto
SW252(config-if-range)# duplex auto
SW252(config-if-range)# mdix auto
SW252(config-if-range)# channel-group 1 mode auto
SW252(config-if-range)# end

SW252# conf t
SW252(config)# int port-channel 1
SW252(config-if)# switchport trunk encapsulation dot1q
SW252(config-if)# switchport mode trunk

Verify new interface port-channel 1

SW252# show ip int br | i Port-channel
SW252# show int trunk
SW252# show etherchannel summary


Layer 3 EtherChannel

A connection made up of a logical grouping of ports into a virtual interface that is configurable as a routed interface.

SW251

SW251# conf t
SW251(config)# int range fa0/30-31
SW251(config-if-range)# speed auto
SW251(config-if-range)# duplex auto
SW251(config-if-range)# mdix auto
SW251(config-if-range)# no switchport
SW251(config-if-range)# no shutdown
SW251(config-if-range)# channel-group 1 mode on
SW251(config-if-range)# end

SW251# conf t
SW251(config)# int port-channel 1
SW251(config-if)# no switchport
SW251(config-if)# ip address 10.1.1.1 255.255.255.252

SW252

SW252# conf t
SW252(config)# int range fa0/30-31
SW252(config-if-range)# speed auto
SW252(config-if-range)# duplex auto
SW252(config-if-range)# mdix auto
SW252(config-if-range)# no switchport
SW252(config-if-range)# no shutdown
SW252(config-if-range)# channel-group 1 mode on
SW252(config-if-range)# end

SW252# conf t
SW252(config)# int port-channel 1
SW252(config-if)# no switchport
SW252(config-if)# ip address 10.1.1.2 255.255.255.252

Verify Layer 3 connectivity

Basic routing (without OSPF)

SW251# conf t
SW251(config)# int loopback 0
SW251(config-if)# ip address 1.1.1.1 255.255.255.255
SW251(config-if)#exit
SW251(config)# ip routing


EtherChannel troubleshooting

SW252# show etherchannel summary

SW252# show etherchannel port-channel

EtherChannel Guard

A feature that can detect mismatched channel parameters between switches, generate an error message and place a port into an Error Disabled state.

EtherChannel Guard is enabled by Default

SW250# show spanning-tree summary

To disable (You don’t want to disable it)

SW250(config)# no spanning-tree etherchannel guard misconfig

EtherChannel Load-balancing algorithm

Default load-balancing: src-mac

SW251# show etherchannel load-balance

If you notice poor performance on the EtherChannel, change the load-balancing algorithm to src-dst-ip

SW251# conf t
SW251(config)# port-channel load-balance src-dst-ip

Confirm new load-balancing algorithm

SW251# show etherchannel load-balance


XOR (Exclusive OR)

A Boolean operation that compares two binary values and results in a 1 if the values are different, but results in a 0 if the values are the same.
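Added example (not from these notes): a Python model of how the XOR just defined is used by the EtherChannel load-balancing methods listed earlier. The member link is taken from the low-order bits of the chosen field (1 bit for 2 links, 2 for 4, 3 for 8), XORing source and destination first for the src-dst-* methods. It is a teaching model rather than the exact Catalyst hash; the server, clients and addresses are constructed, and the function names are mine.

```python
"""Added example (not from the study notes): a simplified model of the
EtherChannel XOR load-balancing hash. The switch derives the member link
from the low-order bits of the chosen field(s): 1 bit for 2 links, 2 bits
for 4 and 3 bits for 8; with the src-dst-* methods the two values are XORed
first. Teaching model, not the exact Catalyst implementation. The flows
below are constructed: one server talking to eight clients.
"""
import ipaddress


def mac_int(mac):
    return int(mac.replace(".", ""), 16)


def ip_int(ip):
    return int(ipaddress.ip_address(ip))


def select_link(flow, method, num_links):
    """Return the member-link index (0-based) that this flow hashes to."""
    if num_links not in (2, 4, 8):
        raise ValueError("model supports 2, 4 or 8 member links")
    mask = num_links - 1                       # 0b1, 0b11 or 0b111
    values = {
        "src-mac":     mac_int(flow["src_mac"]),
        "dst-mac":     mac_int(flow["dst_mac"]),
        "src-dst-mac": mac_int(flow["src_mac"]) ^ mac_int(flow["dst_mac"]),
        "src-ip":      ip_int(flow["src_ip"]),
        "dst-ip":      ip_int(flow["dst_ip"]),
        "src-dst-ip":  ip_int(flow["src_ip"]) ^ ip_int(flow["dst_ip"]),
    }
    return values[method] & mask


def distribution(flows, method, num_links):
    """Count how many flows land on each member link for a given method."""
    counts = [0] * num_links
    for flow in flows:
        counts[select_link(flow, method, num_links)] += 1
    return counts


# Constructed traffic: a single server (one source MAC/IP) serving eight clients.
SERVER = {"mac": "0011.2233.4410", "ip": "10.1.1.10"}
SAMPLE_FLOWS = [
    {"src_mac": SERVER["mac"], "dst_mac": f"0011.2233.44{client:02x}",
     "src_ip": SERVER["ip"], "dst_ip": f"10.1.2.{client}"}
    for client in range(1, 9)
]

if __name__ == "__main__":
    for method in ("src-mac", "dst-mac", "src-dst-ip"):
        print(f"{method:12} 2 links: {distribution(SAMPLE_FLOWS, method, 2)}")
```

With src-mac (the default in the notes) every flow from the server carries the same source MAC, so all eight land on one member link and the other sits idle; that is the "poor performance" symptom. src-dst-ip mixes both addresses and spreads the same flows evenly, which is why the notes recommend switching to it.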

HSRP

  • Hot Standby Router Protocol (HSRP)
  • A Cisco-proprietary First Hop Redundancy Protocol (FHRP)
  • Hello message every 3 sec by default
    Used to elect an Active Router and to let the Standby Router know the Active Router is still available
  • Holdtime
    The time after which the Standby Router becomes the Active Router.
    Note: The Holdtime must be at least 3x the Hello interval.
  • Interface Tracking
    Monitors the status of an interface and can decrement a priority value if that interface goes down
  • Active Router Election
    The router with the highest priority is elected as the Active Router
    Note: The default priority is 100
  • By default a router stays Standby even when the original Active (master) is back online
    Even when its priority is recovered and is higher, the original Active (master) stays Standby.
  • Preempt Option
    Allows a router that was previously the Active Router to reclaim its role as the Active Router if it goes down and comes back up, or if its priority gets increased to the highest value.
    Preempt = “I’m back and I want my job back!”
  • Enhanced Object Tracking
    Allows a priority value to be decremented based on a variety of network conditions.
    E.g. the ISP link is down, or a route no longer appears in the router’s IP routing table.


HSRP states

  • Initial State
    The HSRP state of an interface after it first comes up or has undergone a configuration change
  • Listen State
    The HSRP state of an interface after the router knows the virtual IP address and the interface is listening for Hello messages
  • Speak State
    The HSRP state of an interface when it is sending Hello messages and is participating in the Active/Standby router election
  • Standby State
    The HSRP state of an interface when it is the candidate to become the next Active router and it is sending Hello messages
  • Active State
    The HSRP state of an interface when it is actively forwarding packets for the virtual IP address and the virtual MAC address, and also sending Hello messages

HSRP configuration

SW1 (HSRP Active)

SW1# conf t
SW1(config)# int fa0/1
SW1(config-if)# standby 10 ip 10.1.1.1
SW1(config-if)# standby 10 priority 110
SW1(config-if)# standby 10 preempt

SW2 (HSRP Standby)

SW2# conf t
SW2(config)# int fa0/1
SW2(config-if)# standby 10 ip 10.1.1.1
SW2(config-if)# standby 10 preempt

Default priority is 100.

Check and confirm if HSRP is working well.

SW2# debug standby terse
SW2# undebug all


Verify HSRP setting is all good

SW1# show standby brief
SW1# show standby Fa0/1
SW2# show standby brief
SW2# show standby Fa0/1

MAC address 0000.0c07.ac0a is HSRP version 1
MAC address 0000.0c9f.f00a is HSRP version 2

Speed up HSRP

SW1 (Active)

SW1# conf t
SW1(config)# do show standby brief
SW1(config)# int Fa0/1
SW1(config-if)# standby version 2
SW1(config-if)# standby 10 timers msec 200 msec 900

SW2 (Standby)

SW2# conf t
SW2(config)# do show standby brief
SW2(config)# int Fa0/1
SW2(config-if)# standby version 2
SW2(config-if)# standby 10 timers msec 200 msec 900

HSRP version 1 & 2

HSRP Version 1

  • MAC address 0000.0c07.ac0a
  • Sends multicast messages to the 224.0.0.2 (all-routers) multicast group

HSRP Version 2

  • MAC address 0000.0c9f.f00a
  • Sends multicast messages to the 224.0.0.102
  • Supports IPv6
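Added example (not from these notes): a Python function that derives the HSRP virtual MAC for versions 1 and 2 from the group number (reproducing the 0000.0c07.ac0a / 0000.0c9f.f00a values shown for group 10), together with a small model of the Active/Standby election, interface tracking and preempt behaviour described in the HSRP list above. The election model is deliberately simplified (no timers or state machine); the router names, IPs and priorities follow the lab in these notes but are constructed, and the class and function names are mine.

```python
"""Added example (not from the study notes): HSRP virtual MAC derivation for
versions 1 and 2, plus a small model of the Active/Standby election with
interface tracking and preempt, using the values in the notes (group 10,
priorities 110 and 100, decrement 20). The election model is simplified
(no timers or state machine); the routers below are constructed.
"""
import ipaddress


def hsrp_virtual_mac(group, version=1):
    """v1: 0000.0c07.acXX (group 0-255); v2: 0000.0c9f.fXXX (group 0-4095)."""
    if version == 1 and 0 <= group <= 255:
        raw = 0x00000C07AC00 | group
    elif version == 2 and 0 <= group <= 4095:
        raw = 0x00000C9FF000 | group
    else:
        raise ValueError("group out of range for this HSRP version")
    h = f"{raw:012x}"
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


HSRP_MULTICAST = {1: "224.0.0.2", 2: "224.0.0.102"}   # hello destination per version


class HsrpRouter:
    def __init__(self, name, ip, priority=100, preempt=False, tracks=None):
        self.name = name
        self.ip = int(ipaddress.ip_address(ip))   # tie-breaker: highest IP wins
        self.priority = priority                  # configured value (default 100)
        self.preempt = preempt
        self.tracks = dict(tracks or {})          # {tracked object: decrement}
        self.down = set()                         # tracked objects currently down

    def set_tracked(self, obj, up):
        if up:
            self.down.discard(obj)
        else:
            self.down.add(obj)

    def effective_priority(self):
        """Configured priority minus the decrement of every tracked object that is down."""
        return self.priority - sum(d for obj, d in self.tracks.items() if obj in self.down)


def elect_active(routers, current_active=None):
    """
    Highest effective priority wins (ties: highest IP). A sitting Active router
    keeps the role unless a router with preempt enabled has a strictly higher
    priority, which is why the original Active stays Standby without preempt.
    """
    best = max(routers, key=lambda r: (r.effective_priority(), r.ip))
    if current_active is None or current_active not in routers:
        return best
    if best is not current_active and best.preempt and \
            best.effective_priority() > current_active.effective_priority():
        return best
    return current_active


def failover_scenario(preempt_on_sw1=True):
    """Walk Fa0/0 down and back up; return the Active router's name after each step."""
    sw1 = HsrpRouter("SW1", "10.1.1.2", priority=110, preempt=preempt_on_sw1,
                     tracks={"Fa0/0": 20})          # standby 10 track Fa0/0 20
    sw2 = HsrpRouter("SW2", "10.1.1.3", priority=100, preempt=True)
    routers = [sw1, sw2]
    active = elect_active(routers)                  # SW1 wins: 110 > 100
    steps = [active.name]
    sw1.set_tracked("Fa0/0", up=False)              # WAN down: 110 - 20 = 90
    active = elect_active(routers, active)
    steps.append(active.name)                       # SW2 (preempt) takes over
    sw1.set_tracked("Fa0/0", up=True)               # WAN back: priority 110 again
    active = elect_active(routers, active)
    steps.append(active.name)                       # SW1 only if it has preempt
    return steps


if __name__ == "__main__":
    print("v1 group 10:", hsrp_virtual_mac(10, 1), "v2 group 10:", hsrp_virtual_mac(10, 2))
    print("with preempt:   ", failover_scenario(True))
    print("without preempt:", failover_scenario(False))
```

The failover walk-through mirrors the interface tracking check in the notes (priority dropping from 110 to 90 when Fa0/0 is shut) and the two outcomes when it comes back: SW1 reclaims the Active role only because it has preempt configured.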

HSRP interface tracking

SW1 (Active)

SW1# conf t
SW1(config)# do show standby brief
SW1(config)# int Fa0/1
SW1(config-if)# do show ip int brief
SW1(config-if)# standby 10 track Fa0/0 20

Check and confirm if interface tracking is working
Go to the tracked interface Fa0/0 (WAN) and shut it down.

SW1# conf t
SW1(config)# int Fa0/0
SW1(config-if)# do show standby brief
SW1(config-if)# shutdown
SW1(config-if)# do show standby brief

Notice the Priority decrement of 20 (from 110 to 90)

Do the same for SW2


HSRP Enhanced Object Tracking

Check and see existing tracking

SW1# show run | i track

Create a tracking for next hop and decrement 20 if not reachable

SW1# conf t
SW1(config)# track 2 ip route 192.168.32.0/24 reachability
SW1(config-track)# do show standby br
SW1(config-track)# int Fa0/1
SW1(config-if)# standby 10 track 2 decrement 20

Check and confirm that enhanced object tracking is working

Bring down all route to prevent reachability

SW1# conf t
SW1(config)# no router ospf 1

Check priority for configured & new value after decrement by 20

Put back the route and confirm new priority

SW1# conf t
SW1(config)# router ospf 1
SW1(config-router)# network 0.0.0.0 0.0.0.0 area 0

SW1(config-router)# do show standby br
SW1(config-router)# do show standby Fa0/1

SW1 took over the role of Active router and Priority is back to 110

Do the same for SW2


HSRP Authentication Types

  • Plain Text
  • MD5

Let’s increase security for HSRP with password cisco

SW1# conf t
SW1(config)# do show standby
SW1(config)# int Fa0/1
SW1(config-if)# standby 10 authentication md5 key-string cisco

HSRP Design Recommendation #1

STP has no knowledge about HSRP.

  • Make the Layer 3 switch acting as a VLAN’s Active HSRP Router, the STP Root Bridge for that same VLAN.

HSRP Design Recommendation #2

  • When two HSRP Layer 3 switches are servicing more than one VLAN, configure each Layer 3 switch to be the HSRP Active Router for a subset of the VLANs.
  • E.g
    Router1 as Active router for VLAN 100
    Router2 as Active router for VLAN 200
    This way no router sits idle. Both are working at the same time, and when one router fails the remaining router takes over the load for both VLAN 100 & 200.