With the growing popularity of the Internet, people depend more and more on the network, and this places higher demands on network stability. The natural answer is redundancy at the device level, just as a dual hard disk structure is used on servers to protect data. The router is the core and the heart of the whole network: a fatal fault on a router paralyzes the local network, and if it is a backbone router the impact is wider and the loss hard to estimate. Hot backup of routers is therefore an inevitable choice for improving network robustness. When a router fails completely, all of its functions are taken over by a backup router until the faulty router returns to service; this is the problem that Cisco's Hot Standby Router Protocol (HSRP) solves.
I. HSRP Protocol Overview
---- HSRP requires several routers in the system that together form a "hot standby group", which presents itself to the network as one virtual router. At any moment only one router in the group is active and forwards packets. If the active router fails, a standby router is elected to replace it, but from the point of view of the hosts on the network the virtual router has not changed. The hosts therefore keep their connections and are not affected by the fault, which effectively solves the problem of router switchover.
---- To reduce network traffic, once the active and standby routers have been chosen, only those two send HSRP packets periodically. If the active router fails, the standby router takes over as the active router. If the standby router fails or becomes active, another router in the group is elected as the standby router.
---- On a given LAN several hot standby groups may coexist or overlap. Each hot standby group imitates one virtual router with a well-known MAC address and an IP address. The virtual IP address, the interface addresses of the routers in the group, and the hosts are all in the same subnet, but the virtual address must not be the same as any interface address. When several hot standby groups exist on one LAN, distributing the hosts across different groups shares the load between the routers.
II. HSRP Packet Format
---- In a hot standby group the routers periodically multicast their status using several types of packet. The protocol runs over UDP on port 1985, the destination address is 224.0.0.2 (the all-routers multicast address) and the TTL is 1. The source address of a packet is the real interface address of the sending router, not the virtual address, so the source address identifies which router sent it. The packet format is shown in Figure 1; the individual fields are described at the end of this article.
III. Router States and State Transitions in HSRP
---- In a hot standby group every router runs a simple state machine; the current state and an event together determine the transition to the next state. The states are the following.
---- 1. Initial: the state when HSRP starts; HSRP is not yet running. A router enters this state when its configuration changes or when the interface has just come up.
---- 2. Learn: the router has not yet determined the virtual IP address and has not yet seen an authenticated Hello message from the active router. It is waiting for a Hello from the active router in order to learn the virtual address.
---- 3. Listen: the router knows the virtual IP address but is neither the active nor the standby router. It listens for the Hello messages sent by the active and standby routers.
---- 4. Speak: the router sends Hello messages periodically and actively takes part in the election of the active and standby routers.
---- 5. Standby: the router is the candidate to become the next active router. It sends Hello messages periodically.
---- 6. Active: the router forwards the packets that hosts send to the group's virtual MAC address. It sends Hello messages periodically.
---- In addition, each router keeps three timers: the active timer, the standby timer and the hello timer.
---- State changes are caused by events. The same event can have a different effect in different states, and each transition may trigger actions such as starting a timer or sending a message.
IV. Implementation of HSRP in a Campus Network
---- The campus network of East China Normal University is large and many hosts access the Internet; it has 16 class C address blocks in total. To improve security, contain broadcast storms and improve performance, the campus network is divided into 60 subnets. In the network center a Cisco Catalyst 5509 with a Route Switch Module (RSM) is used as the central switch and as the router between VLANs, together with a Cisco 7000-series router (a Cisco 7010). Both support VLANs and HSRP on VLAN interfaces, as shown in Figure 2.
Each virtual LAN has one HSRP group. Logically, both the Cisco 7010 and the RSM of the Catalyst 5509 have a LAN interface on every VLAN, each with its own IP address, and a virtual address is configured as the gateway for all hosts in that VLAN. VLAN 9 is used as the example below. The configuration of VLAN 9 on the RSM is as follows:
interface Vlan9
description surportcenter
ip address 202.120.95.66 <subnet mask>
IP address and mask of the RSM interface on VLAN 9 (the mask is not shown here)
no ip redirects
no ip directed-broadcast
no ip route-cache cef
standby 9 timers 3 250
Defines hot standby group 9, with a Hello message every 3 seconds and a hold time of 250 seconds: if no Hello is received from the active router for 250 seconds, the standby router takes over. The hold time must be at least three times the hello time; note that with 250 seconds a failed active router is only detected after more than four minutes, whereas the protocol's recommended default hold time is 10 seconds.
standby 9 priority 110
The priority (weight) of the router in this group; the larger the value, the more likely the router is to become the active router.
standby 9 preempt
Enables preemption for this group: a router with a higher priority immediately takes over as the active router.
standby 9 ip 202.120.95.65
The virtual IP address of the group, used as the gateway address by the hosts in the VLAN.
The interface configuration on the Cisco 7010 router is as follows:
interface FastEthernet0/0.9
description surportcenter
ip address 202.120.95.67 <subnet mask>
IP address and mask of the Cisco 7010 interface on VLAN 9 (the mask is not shown here). This address and the RSM's address must be in the same subnet and must differ from each other.
no ip redirects
encapsulation isl 9
The VLAN trunking protocol used: ISL encapsulation, with this subinterface carrying VLAN 9.
standby 9 timers 3 250
Same meaning as on the RSM; the timers must be identical on both routers.
standby 9 priority 100
Lower than the value on the RSM, so the RSM is the active router in this VLAN.
standby 9 preempt
Same meaning as on the RSM.
standby 9 ip 202.120.95.65
The virtual IP address of the group; it must be the same as on the RSM.
Once both sides are configured, `show standby` on each router should report one Active and one Standby router for group 9 with the same virtual IP address and the same timers.
---- For load sharing, the Cisco 5509 RSM and the Cisco 7010 should carry roughly equal loads. Our approach is as follows: on the RSM, the priority for VLAN 1 to VLAN 30 is 110 and for VLAN 31 to VLAN 60 is 100; on the Cisco 7010, the priority for VLAN 1 to VLAN 30 is 100 and for VLAN 31 to VLAN 60 is 110. Under normal conditions the RSM of the Cisco 5509 therefore routes VLAN 1 to VLAN 30 and the Cisco 7010 routes VLAN 31 to VLAN 60. If either router fails, the other takes over all of the routing, so each router must be able to carry the whole load on its own.
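The election, failover and preemption behaviour described in Sections III and IV can be exercised with the following simulation. It is an added example, not code from the article or from Cisco IOS. It models the group from a single LAN-wide viewpoint (which router is Active, which is Standby, and when each last sent a Hello), lets a router go straight from Listen to a role instead of passing through the Speak state, and counts time in whole seconds; `Router`, `HsrpGroup`, `fail`, `recover` and `run` are names of the example's own. The addresses and priorities are those of VLAN 9 above; the hold time defaults to the protocol's recommended 10 seconds, and the `__main__` block repeats the run with the 3/250 timers from the configuration to show how long failover takes with that setting.

```python
"""Tick-by-tick simulation of HSRP role election, failover and preemption.
Added example, not the article's code; it simplifies the six-state machine."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Router:
    ip: str
    priority: int          # "standby <group> priority"
    preempt: bool = True   # "standby <group> preempt"
    up: bool = True
    state: str = "Listen"  # Initial, Listen, Standby or Active (Section III)

    def rank(self) -> Tuple[int, Tuple[int, ...]]:
        # Priority rule: higher priority wins; on a tie the higher IP address wins.
        return (self.priority, tuple(int(o) for o in self.ip.split(".")))


class HsrpGroup:
    """One hot standby group as seen from the LAN."""

    def __init__(self, routers: List[Router], hello: int = 3, hold: int = 10):
        if hold < 3 * hello:
            raise ValueError("hold time must be at least three times the hello time")
        self.routers = {r.ip: r for r in routers}
        self.hello, self.hold, self.now = hello, hold, 0
        self.active_ip: Optional[str] = None
        self.standby_ip: Optional[str] = None
        self.last_hello: Dict[str, int] = {}   # router ip -> second its last Hello was seen

    def roles(self) -> Tuple[Optional[str], Optional[str]]:
        return self.active_ip, self.standby_ip

    def fail(self, ip: str) -> None:
        """The router dies: it stops sending Hellos, but the others do not know yet."""
        self.routers[ip].up, self.routers[ip].state = False, "Initial"

    def recover(self, ip: str) -> None:
        self.routers[ip].up, self.routers[ip].state = True, "Listen"

    def run(self, seconds: int) -> Tuple[Optional[str], Optional[str]]:
        for _ in range(seconds):
            self.tick()
        return self.roles()

    def tick(self) -> Tuple[Optional[str], Optional[str]]:
        """Advance one second: Hellos, timer expiry, then election."""
        self.now += 1
        # 1. Only the Active and Standby routers send Hellos, every `hello` seconds.
        if self.now % self.hello == 0:
            for ip in (self.active_ip, self.standby_ip):
                if ip is not None and self.routers[ip].up:
                    self.last_hello[ip] = self.now
        # 2. Active timer expiry: the Standby router takes over.
        if self._expired(self.active_ip):
            self._vacate(self.active_ip)
            promoted, self.active_ip, self.standby_ip = self.standby_ip, None, None
            if promoted is not None:
                self._assign(promoted, "Active")
        # 3. Standby timer expiry: the role is vacated and re-elected below.
        if self._expired(self.standby_ip):
            self._vacate(self.standby_ip)
            self.standby_ip = None
        self._elect()
        return self.roles()

    def _expired(self, ip: Optional[str]) -> bool:
        return ip is not None and self.now - self.last_hello[ip] > self.hold

    def _vacate(self, ip: str) -> None:
        if self.routers[ip].up:
            self.routers[ip].state = "Listen"

    def _assign(self, ip: str, role: str) -> None:
        self.routers[ip].state = role
        self.last_hello[ip] = self.now      # a new role holder starts sending Hellos
        if role == "Active":
            self.active_ip = ip
        else:
            self.standby_ip = ip

    def _elect(self) -> None:
        up = [r for r in self.routers.values() if r.up]
        active = self.routers[self.active_ip] if self.active_ip else None
        # 4. Preemption: a preempt-enabled router that outranks a live Active router
        #    sends a Coup and takes over; the old Active router drops back to Listen.
        if active is not None and active.up:
            challengers = [r for r in up if r.preempt and r.rank() > active.rank()]
            if challengers:
                best = max(challengers, key=Router.rank)
                active.state = "Listen"
                if self.standby_ip == best.ip:
                    self.standby_ip = None
                self._assign(best.ip, "Active")
        # 5. Empty roles go to the best-ranked routers left (the Speak-state election).
        if self.active_ip is None and up:
            self._assign(max(up, key=Router.rank).ip, "Active")
        others = [r for r in up if r.ip != self.active_ip]
        if self.standby_ip is None and others:
            self._assign(max(others, key=Router.rank).ip, "Standby")


if __name__ == "__main__":
    for hold in (10, 250):   # recommended default versus the 3/250 timers configured above
        g = HsrpGroup([Router("202.120.95.66", 110), Router("202.120.95.67", 100)], 3, hold)
        print("hold %3d s: start %s" % (hold, g.tick()))
        g.fail("202.120.95.66")
        seconds = 0
        while g.roles()[0] == "202.120.95.66":
            g.tick()
            seconds += 1
        print("  RSM failed, 7010 Active after %d s: %s" % (seconds, g.roles()))
        g.recover("202.120.95.66")
        print("  RSM back, preempt takes over: %s" % (g.tick(),))
```

With the recommended 10-second hold time the 7010 takes over 11 seconds after the RSM stops sending Hellos; with the 250-second hold time from the configuration above it takes 251 seconds. Setting `preempt=False` on the RSM shows the other behaviour a practitioner should expect: the recovered RSM then only becomes the standby router.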
V. Problems with HSRP
---- The biggest problem with HSRP is that it offers essentially no security protection: the only authentication is the 8-byte plaintext string described below, and it defaults to "cisco". Any host on the LAN can send forged HSRP packets to the multicast address, for example Hello or Coup messages claiming a higher priority than the real routers, and be elected active; traffic for the virtual gateway then goes to the attacker's machine, which produces a packet black hole or a denial of service. Such attacks normally cannot be launched from outside the LAN, because routers do not forward packets addressed to the all-routers multicast address 224.0.0.2 and the packets are sent with TTL 1. The practical mitigations are to configure a non-default authentication string on every member of the group (`standby 9 authentication <string>`), to keep untrusted hosts off VLANs that carry HSRP, and, on IOS releases that support it, to use MD5 authentication (`standby 9 authentication md5 key-string <key>`) instead of the plaintext string.
---- HSRP only provides a smooth router switchover that users do not notice, which keeps the network stable. It does not synchronize any other configuration between the routers of a group, such as access control lists; to keep the group consistent, every such change must be made identically on each member router, which increases the management effort. This may be the price of the improved availability.
---- The fields of the HSRP packet (Figure 1 in Section II) are as follows.
---- Op code: the type of packet. The possible values are 0 (Hello), 1 (Coup) and 2 (Resign), as shown in Table 1.
---- Version: the version of the HSRP protocol.
---- State: the current state of the router sending the message. Every router in a hot standby group runs the same state machine, with the six states shown in Table 2.
---- Hello time: meaningful only in Hello messages; the interval, in seconds, at which the sending router transmits its Hello messages. If it is not configured on a router it may be learned from the active router; if neither is available, the recommended default is 3.
---- Hold time: meaningful only in Hello messages; the receiving router uses it to decide for how long the Hello message remains valid. It is given in seconds and must be at least three times the hello time. If it is not configured it may likewise be learned from the active router. The active router cannot learn the hello and hold times from the standby router; it keeps using the values learned from the previous active router. The recommended default is 10.
---- Priority: used to elect the active and standby routers. Of two routers with different priorities, the one with the higher priority becomes the active router; of two routers with the same priority, the one with the higher IP address becomes the active router.
---- Group: identifies the router's hot standby group. On Token Ring the valid values are 0, 1 and 2; on other network types the valid values are 0 to 255.
---- Authentication data: an 8-character plaintext password. If it is not configured, the default is 0x63 0x69 0x73 0x63 0x6F 0x00 0x00 0x00, i.e. "cisco" padded with zeros.
---- Virtual IP address: four octets giving the virtual IP address of the hot standby group. It can be learned from the active router's Hello messages; an address is learned only if none was configured and the Hello message passes authentication.
---- These fields take their values from the configuration of the router or Route Switch Module (RSM).
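The packet layout described in these field definitions and in Section II, and the spoofing problem of Section V, can be made concrete with the following builder, parser and audit routine. This is an added example, not code from the article or from Cisco IOS. It assumes the 20-byte HSRP version 0 layout (version, op code, state, hello time, hold time, priority, group, one reserved byte, eight bytes of authentication data, four-byte virtual IP address) and the state encodings 0, 1, 2, 4, 8 and 16 for the six states; the `audit` function, its `expected` table and the sample packets are the example's own design, constructed here rather than captured from a network.

```python
"""Build, parse and audit HSRP packets (UDP/1985 payload, Section II).
Added example, not the article's code; sample packets are constructed, not captured."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List

HSRP_PORT = 1985            # UDP port
HSRP_MCAST = "224.0.0.2"    # all-routers multicast, sent with TTL 1
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = bytes([0x63, 0x69, 0x73, 0x63, 0x6F, 0x00, 0x00, 0x00])   # "cisco", zero padded
# version, op code, state, hello time, hold time, priority, group, reserved, auth[8], virtual IP[4]
HEADER = struct.Struct("!BBBBBBBB8s4s")


@dataclass
class HsrpPacket:
    opcode: int
    state: int
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes = DEFAULT_AUTH
    virtual_ip: str = "0.0.0.0"
    version: int = 0

    def __post_init__(self) -> None:
        self.auth = self.auth.ljust(8, b"\x00")[:8]   # the field is always exactly 8 bytes

    def pack(self) -> bytes:
        return HEADER.pack(self.version, self.opcode, self.state, self.hellotime,
                           self.holdtime, self.priority, self.group, 0,
                           self.auth, socket.inet_aton(self.virtual_ip))

    def summary(self) -> str:
        return "%s state=%s group=%d priority=%d hello=%d hold=%d vip=%s" % (
            OPCODES.get(self.opcode, "?"), STATES.get(self.state, "?"), self.group,
            self.priority, self.hellotime, self.holdtime, self.virtual_ip)


def parse(payload: bytes) -> HsrpPacket:
    """Decode the first 20 bytes of a UDP/1985 payload."""
    if len(payload) < HEADER.size:
        raise ValueError("short HSRP packet: %d bytes" % len(payload))
    (version, opcode, state, hello, hold, prio, group, _reserved,
     auth, vip) = HEADER.unpack(payload[:HEADER.size])
    return HsrpPacket(opcode, state, hello, hold, prio, group, auth,
                      socket.inet_ntoa(vip), version)


def audit(src_ip: str, payload: bytes, expected: Dict) -> List[str]:
    """Compare one packet seen on the LAN with what the group should look like.
    expected = {"group": 9, "virtual_ip": "...", "auth": b"...",
                "members": {"<router ip>": <configured priority>, ...}}
    Packets for other groups are ignored (groups may coexist, Section I).
    Returns a list of findings; an empty list means the packet is consistent."""
    pkt = parse(payload)
    if pkt.group != expected["group"]:
        return []
    findings: List[str] = []
    members = expected["members"]
    # Section II: the source address is the real router address, so it identifies the sender.
    if src_ip not in members:
        findings.append("%s from unknown router %s (not a group member)"
                        % (OPCODES.get(pkt.opcode, "?"), src_ip))
    elif pkt.priority > members[src_ip]:
        findings.append("priority %d from %s exceeds its configured %d"
                        % (pkt.priority, src_ip, members[src_ip]))
    if pkt.auth != expected["auth"].ljust(8, b"\x00")[:8]:
        findings.append("authentication string mismatch")
    if pkt.virtual_ip != expected["virtual_ip"]:
        findings.append("virtual IP %s, expected %s" % (pkt.virtual_ip, expected["virtual_ip"]))
    if pkt.holdtime < 3 * pkt.hellotime:
        findings.append("hold time %d is less than three times the hello time %d"
                        % (pkt.holdtime, pkt.hellotime))
    if pkt.opcode not in OPCODES or pkt.state not in STATES:
        findings.append("unknown op code %d or state %d" % (pkt.opcode, pkt.state))
    return findings


# Constructed sample data for the VLAN 9 group of Section IV.
EXPECTED_GROUP_9 = {
    "group": 9, "virtual_ip": "202.120.95.65", "auth": b"cisco",
    "members": {"202.120.95.66": 110, "202.120.95.67": 100},
}
# Hello from the RSM: Active, priority 110, timers 3/250 as configured above.
LEGIT_HELLO = HsrpPacket(0, 16, 3, 250, 110, 9, b"cisco", "202.120.95.65").pack()
# Coup from an attacking host on the VLAN claiming the maximum priority with the default password.
ROGUE_COUP = HsrpPacket(1, 4, 3, 250, 255, 9, DEFAULT_AUTH, "202.120.95.65").pack()

if __name__ == "__main__":
    for src, data in (("202.120.95.66", LEGIT_HELLO), ("202.120.95.200", ROGUE_COUP)):
        print(src, parse(data).summary(), audit(src, data, EXPECTED_GROUP_9) or "OK")
```

The audit deliberately treats the default authentication string as valid whenever the configuration still uses it: with the default password in place, the only thing that distinguishes the rogue Coup from a legitimate one is the source address, which is exactly why Section V recommends changing the string.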
Note: (Author's address: Network Information Center, East China Normal University, first floor, old library, No. 3663 Zhongshan North Road, Shanghai 200062)