Cisco Labs – Redundant and Resilient networks (4) – HSRP – Hot Standby Router Protocol – authentication, load balancing


Introduction

During my university studies I was doing a diploma thesis in the field of redundant and reliable networking. The purpose of it was to create lab examples for students, so they can test First Hop Redundancy Protocols (FHRP), Any Transport over MPLS (AToM) and Border Gateway Protocol (BGP) on the Cisco platform. These tasks were created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its own post with a brief description of the task and schema. The complete task can be downloaded from My Skydrive.

ZIP file contains:

  • *.HTML file – complete step by step guide how to perform the task
  • *.PNG – pictures with topology and others
  • *_preconf.txt – file with basic configuration of topology to be able to focus on task goal (IP addresses, interfaces and so on)
  • *_end.txt – file with complete configuration. Once put to the routers, you will get working task
  • *.dia – Topology in free DIA editor
  • *.XML – topology in XML format

To complete the task:

  • Connect your environment according to the topology
  • Open the file *_preconf.txt from the ZIP file with the complete task and configure your environment with basic settings so you can start with the task.



HSRP – Authentication, load balancing

Title: HSRP – Authentication, load balancing

Goal:

  • Configure Hot Standby Router Protocol with authentication on 192.168.1.0/24 network segment. Two groups of hosts reside on network segment.
  • PC1 represents group 1 and its default gateway is 192.168.1.1/24. Group 1 is authenticated by text string.
  • PC3 represents group 2 and its default gateway is 192.168.1.10/24. Group 2 is not authenticated.
  • Configure authentication and interface status tracking for HSRP protocol and test functionality.
  • Test load balancing by using RLB2 as active router for group 2 and RLB1 as active router for group 1 and test functionality.

Required time: 120 minutes

Theoretical background:

Links related to this task:

Topology:

HSRP-Authentication,load_balancing

Configuration:

 

1) Basic IP settings

PC1

      pc1:~#ifconfig eth0 192.168.1.20 netmask 255.255.255.0; set IP address for PCx
      pc1:~#route add default gw 192.168.1.1; set default gateway to load balanced virtual IP address

PC2

      pc2:~#ifconfig eth0 20.0.0.2 netmask 255.0.0.0; set IP address for PCx
      pc2:~#route add default gw 20.0.0.1; set default gateway to IP address of EDGE router

PC3

      pc3:~#ifconfig eth0 192.168.1.120 netmask 255.255.255.0; set IP address for PCx
      pc3:~#route add default gw 192.168.1.10; set default gateway to load balanced virtual IP address

Router RLB1

      RLB1(config)#interface #RLB1:RLB1-SW1#; configure physical interface IP address for load balancing interface
      RLB1(config-if)#ip address 192.168.1.253 255.255.255.0
      RLB1(config-if)#no shutdown
      
      RLB1(config)#interface #RLB1:EDGE-RLB1#; configure interface facing to the external network
      RLB1(config-if)#ip address 172.16.1.1 255.255.0.0
      RLB1(config-if)#clockrate 64000
      RLB1(config-if)#no shutdown
      
      RLB1(config)#router ospf 1 ; configure routing protocol for internal and external network
      RLB1(config-router)#network 172.16.1.0 0.0.255.255 area 0
      RLB1(config-router)#network 192.168.1.0 0.0.0.255 area 0

Router RLB2

Apply analogous settings to router RLB2.

      RLB2(config)#interface #RLB2:RLB2-SW1#
      RLB2(config-if)#ip address 192.168.1.254 255.255.255.0
      RLB2(config-if)#no shutdown
      
      RLB2(config)#interface #RLB2:EDGE-RLB2#
      RLB2(config-if)#ip address 172.17.1.1 255.255.0.0
      RLB2(config-if)#clockrate 64000
      RLB2(config-if)#no shutdown
      
      RLB2(config)#router ospf 1
      RLB2(config-router)#network 172.17.1.0 0.0.255.255 area 0
      RLB2(config-router)#network 192.168.1.0 0.0.0.255 area 0

Router EDGE

      EDGE(config)#interface #EDGE:PC2-EDGE# ; this network simulates the Internet
      EDGE(config-if)#ip address 20.0.0.1 255.0.0.0 
      EDGE(config-if)#no shutdown
      
      EDGE(config)#interface #EDGE:EDGE-RLB2# ; configure IP address for interface facing from load balanced routers to external network
      EDGE(config-if)#ip address 172.17.1.2 255.255.0.0
      EDGE(config-if)#clockrate 64000
      EDGE(config-if)#no shutdown
      
      EDGE(config)#interface #EDGE:EDGE-RLB1# ; configure IP address for interface facing from load balanced routers to external network
      EDGE(config-if)#ip address 172.16.1.2 255.255.0.0
      EDGE(config-if)#clockrate 64000
      EDGE(config-if)#no shutdown
      
      EDGE(config)#router ospf 1 ; configure routing protocol 
      EDGE(config-router)#network 172.16.1.0 0.0.255.255 area 0
      EDGE(config-router)#network 172.17.1.0 0.0.255.255 area 0
      EDGE(config-router)#network 20.0.0.0 0.0.0.255 area 0

2) PC1,PC3 -> PC2 connectivity test

Use the following command to test connectivity.

      pc1:~#ping 20.0.0.2; ping command is unsuccessful

3) HSRP settings with load balancing

Load balancing with HSRP can be achieved by using two or more groups of hosts, each with its own standby group and virtual gateway address. The second group of hosts will have router RLB2 configured as active.

Router RLB1

      RLB1(config)#interface #RLB1:RLB1-SW1# ; enter physical internal interface configuration mode
      RLB1(config-if)#standby 1 ip 192.168.1.1 ; set NLB virtual gateway IP address for standby group 1
      RLB1(config-if)#standby 1 preempt delay minimum 1; allow this router to take over from a lower-priority active router, after a minimum delay of 1 second
      RLB1(config-if)#standby 1 track #RLB1:RLB1-SW1# ; interface #RLB1:RLB1-SW1# status will be tracked by HSRP
      RLB1(config-if)#standby 1 priority 100 ; configure standby priority - higher value means higher priority, RLB1 will be active router because RLB2 has priority 50
      RLB1(config-if)#standby 1 authentication mode text AuthText ; HSRP messages from both active and standby RLB will be authenticated using text "AuthText" 
      RLB1(config-if)#standby 1 timers 10 15 advertise 20 ; specify timers for HSRP protocol communication between nodes: 10-hello timer, 15-hold time and redundancy advertisement time 20, all in sec.
      
      RLB1(config-if)#standby 2 ip 192.168.1.10 ; set NLB virtual gateway IP address for standby group 2
      RLB1(config-if)#standby 2 preempt delay minimum 1; allow this router to take over from a lower-priority active router, after a minimum delay of 1 second
      RLB1(config-if)#standby 2 track #RLB1:RLB1-SW1# ; interface #RLB1:RLB1-SW1# status will be tracked by HSRP
      RLB1(config-if)#standby 2 priority 50 ; configure standby priority - higher value means higher priority, RLB2 will be active router because RLB1 has priority 50
      RLB1(config-if)#standby 2 timers 10 15 advertise 20 ; specify timers for HSRP protocol communication between nodes: 10-hello timer, 15-hold time and redundancy advertisement time 20, all in sec.

Router RLB2

      RLB2(config)#interface #RLB2:RLB2-SW1#
      RLB2(config-if)#standby 1 ip 192.168.1.1
      RLB2(config-if)#standby 1 preempt delay minimum 1
      RLB2(config-if)#standby 1 track #RLB2:RLB2-SW1# ; interface #RLB2:RLB2-SW1# status will be tracked by HSRP
      RLB2(config-if)#standby 1 priority 50
      RLB2(config-if)#standby 1 authentication mode text AuthText
      RLB2(config-if)#standby 1 timers 10 15 advertise 20
      
      RLB2(config-if)#standby 2 ip 192.168.1.10
      RLB2(config-if)#standby 2 preempt delay minimum 1
      RLB2(config-if)#standby 2 track #RLB2:RLB2-SW1# ; interface #RLB2:RLB2-SW1# status will be tracked by HSRP
      RLB2(config-if)#standby 2 priority 100
      RLB2(config-if)#standby 2 timers 10 15 advertise 20
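The two-group design above can be checked offline before the function test. The following Python audit is an added example, not part of the original lab files: it reads the standby lines of both routers, reports which router should be active per group, and flags groups whose authentication differs between peers or is not MD5. The interface name FastEthernet0/0 and the names `parse_groups` and `audit` are assumptions made for the example.

```python
import re

# Constructed sample: the standby lines from step 3; "FastEthernet0/0" is an
# assumed stand-in for the lab's #RLBx:RLBx-SW1# interface placeholders.
TEMPLATE = """interface FastEthernet0/0
 standby 1 ip 192.168.1.1
 standby 1 priority {p1}
 standby 1 authentication mode text AuthText
 standby 2 ip 192.168.1.10
 standby 2 priority {p2}
"""
CONFIGS = {"RLB1": TEMPLATE.format(p1=100, p2=50), "RLB2": TEMPLATE.format(p1=50, p2=100)}
LINE = re.compile(r"^\s*standby (\d+) (ip|priority|authentication) (.+)$")

def parse_groups(config):
    """Return {group: {"vip", "priority", "auth"}} for one router's config."""
    groups = {}
    for raw in config.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        gid, key, words = int(m.group(1)), m.group(2), m.group(3).split()
        g = groups.setdefault(gid, {"vip": None, "priority": 100, "auth": ("none", "")})
        if key == "ip":
            g["vip"] = words[0]
        elif key == "priority":
            g["priority"] = int(words[0])
        else:  # "[mode] text <string>", "md5 key-chain <name>" or a bare string
            if words[0] == "mode":
                words = words[1:]
            g["auth"] = ("md5" if words[0] == "md5" else "text", words[-1])
    return groups

def audit(configs):
    """Cross-check every group across routers: (active router per group, findings)."""
    parsed = {name: parse_groups(cfg) for name, cfg in configs.items()}
    active, findings = {}, []
    for gid in sorted({g for groups in parsed.values() for g in groups}):
        members = {n: groups[gid] for n, groups in parsed.items() if gid in groups}
        if len({m["vip"] for m in members.values()}) > 1:
            findings.append(f"group {gid}: virtual IP differs between routers")
        auths = {m["auth"] for m in members.values()}
        if len(auths) > 1:
            findings.append(f"group {gid}: authentication differs between routers")
        elif (kind := next(iter(auths))[0]) != "md5":
            findings.append(f"group {gid}: authentication is {kind}, not md5")
        # Highest priority wins (preempt is configured); ties are not modelled here.
        active[gid] = max(members, key=lambda n: members[n]["priority"])
    return active, findings
```

Calling `audit(CONFIGS)` on the sample gives RLB1 as active for group 1 and RLB2 for group 2, with one finding per group because neither uses MD5.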

Function test:

1) test ping from PC1,PC3 to PC2

      pc1:~#ping 20.0.0.2; ping command is successful - GW could be found as virtual address 192.168.1.1
      pc3:~#ping 20.0.0.2; ping command is successful - GW could be found as virtual address 192.168.1.10

2) Display standby information

      RLB1# sh standby; see result, this router is active for group 1 and standby for group 2
      RLB1# debug standby; debug will show HSRP protocol communication between nodes
     
      RLB2# sh standby; see result, this router is standby for group 1 and active for group 2
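The hellos that `debug standby` reports can also be decoded from a packet capture. The following Python parser is an added example, not part of the original lab files: it decodes the 20-byte HSRP version 1 message defined in RFC 2281 (UDP port 1985) and shows that the text authentication string of group 1 is carried as a readable 8-byte field. The sample messages are constructed from this lab's values; that group 2, with no string configured, sends the RFC's recommended default `cisco` is an assumption about the lab routers.

```python
import socket
import struct

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco\x00\x00\x00"  # RFC 2281 recommended default, null padded
FORMAT = "!8B8s4s"                   # eight 1-byte fields, auth data, virtual IP

def parse_hsrp_v1(payload):
    """Decode one HSRP version 1 message (the UDP payload) into a dict."""
    if len(payload) < 20:
        raise ValueError("HSRPv1 message is 20 bytes, got %d" % len(payload))
    (ver, op, state, hello, hold, prio, group, _reserved,
     auth, vip) = struct.unpack(FORMAT, payload[:20])
    if ver != 0:  # RFC 2281 messages carry version 0
        raise ValueError("unexpected version field %d" % ver)
    return {
        "opcode": OPCODES.get(op, op),
        "state": STATES.get(state, state),
        "hello": hello, "hold": hold,          # seconds
        "priority": prio, "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "default_auth": auth == DEFAULT_AUTH,  # True when no string was configured
        "vip": socket.inet_ntoa(vip),
    }

def build_hello(state, priority, group, auth, vip):
    """Build a constructed sample hello with the lab's timers (hello 10, hold 15)."""
    return struct.pack(FORMAT, 0, 0, state, 10, 15, priority, group, 0,
                       auth, socket.inet_aton(vip))

# Constructed samples: hellos from the active router of each group in this lab.
HELLO_G1 = build_hello(16, 100, 1, b"AuthText", "192.168.1.1")
HELLO_G2 = build_hello(16, 100, 2, DEFAULT_AUTH, "192.168.1.10")

if __name__ == "__main__":
    for message in (HELLO_G1, HELLO_G2):
        print(parse_hsrp_v1(message))
```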

3) Change priority for RLB2

Once the priority of RLB2 for group 1 is changed from the lower value (50 < 100) to the higher value 150, the active router switches from RLB1 to RLB2. Watch the debug output on RLB1.

      RLB2(config)#interface #RLB2:RLB2-SW1#
      RLB2(config-if)#standby 1 priority 150

4) Display standby information after priority change

      RLB1# sh standby; see result, this router is standby for both groups
     
      RLB2# sh standby; see result, this router is active for both groups

5) Turn off internal ethernet interface on RLB2 (active) to initiate failover to standby router RLB1

      RLB2(config)#interface #RLB2:RLB2-SW1#
      RLB2(config-if)#shutdown

6) See result on RLB1

      RLB1# sh standby; see result, this router is active for both groups

7) Turn interface back on RLB2

After the interface is turned back on, the router becomes active again since it has the higher standby priority.

      RLB2# sh standby; see result, this router is active

8) Modify authentication text

If the authentication text differs, the router with higher priority becomes active and the standby router becomes unknown and is not authenticated.

      RLB2# sh standby; see result

9) Test connectivity using traceroute command

Note first hop address.

      pc1:~#traceroute 20.0.0.2 ; see result
      pc3:~#traceroute 20.0.0.2 ; see result

Optional:

Use http://www.ciscoblog.com/docstore/haiphsrp.pdf to configure and test more HSRP features, use other types of authentication and test functionality.

Example of MD5 authentication using a key chain

    key chain hsrp1
     key 1
      key-string 54321098452103ab
    interface Ethernet0/1
     standby 1 authentication md5 key-chain hsrp1

 
