The following content is taken from the author's published book, Cisco/H3C Switch Advanced Configuration and Management Technical Manual: http://product.dangdang.com/product.aspx?Product_id=22621538
2.1.1 HSRP Overview
HSRP requires several routers in the system that together form a "hot standby group", which presents itself to the network as one virtual router.
At any time only one router in the group is active and forwards packets. If the active router fails, a standby router is selected to take its place, but from the viewpoint of the hosts on the network the virtual router has not changed, so the hosts keep their connectivity and are not affected by the fault. This avoids the data loss that a router switch-over caused in the traditional mode.
1. Basic working principle of HSRP
HSRP provides a mechanism for deciding which router is the active router and which is the standby router, and designates a virtual IP address as the default gateway address of the network. If the active router fails, the standby router automatically takes over all tasks of the active router without interrupting the hosts' connections. When HSRP is configured on a network segment, a virtual MAC address and a virtual IP address shared by every router in the HSRP group are provided. However, the source address of the HSRP protocol packets that a router sends is still the real IP address of its physical interface, not the virtual IP address; this is what allows the routers in an HSRP group to recognise each other.
Routers in an HSRP group identify each other through HSRP hello packets. HSRP runs over UDP; HSRP notification packets are sent to UDP port 1985. To reduce network traffic, once the active router and standby router have been determined, only the active router sends periodic HSRP packets to the standby router; the standby router does not send HSRP messages to the active router. If the active router fails, the standby router takes over as the new active router. If the standby router fails or becomes the active router, another router is selected as the standby router. HSRP is designed for Ethernet networks that support multi-access, multicast and broadcast; it does not replace the existing dynamic routing protocol.
2. HSRP versions
Currently some Cisco IOS switches support two HSRP versions, HSRPv1 and HSRPv2; the default version is v1. In HSRPv1 the standby group number ranges from 0 to 255, and the virtual MAC address is 0000.0c07.acXX, where XX is the HSRPv1 group number in hexadecimal. HSRPv1 sends hello packets to the multicast IP address 224.0.0.2. This conflicts with CGMP (Cisco Group Management Protocol), which uses the same multicast IP address, so HSRPv1 and CGMP cannot be enabled at the same time.
The group ID of an HSRPv2 standby group can match the VLAN ID of the sub-interface; the range is 0 to 4095. The virtual MAC address range is 0000.0c9f.f000 to 0000.0c9f.ffff. HSRPv2 sends hello packets to the multicast IP address 224.0.0.102, so it does not conflict with CGMP and both protocols can be enabled at the same time.
In addition, HSRPv2 and HSRPv1 packets have different formats. A switch running HSRPv1 cannot identify the physical router that sent a hello packet, because the source MAC address in the packet is the virtual MAC address. HSRPv2 packets use the TLV (type-length-value) format and carry a 6-byte identifier field containing the MAC address of the physical router that sent the hello packet. If an interface running HSRPv1 receives an HSRPv2 packet, the type field is ignored. On a given LAN, multiple hot standby groups may coexist or overlap; this is the MHSRP (multiple HSRP) introduced below. Each hot standby group emulates one virtual router with a well-known MAC address and an IP address. That IP address is in the same subnet as the interface addresses of the routers in the group and the hosts, but must not be the same as any of them. When several hot standby groups exist on a LAN, the hosts are distributed among them to achieve load sharing. Note: a router in an HSRP standby group can be any router interface that supports HSRP, including routed ports and VLAN SVI interfaces; however, if it is a switch, that switch cannot be running the LAN Base feature set.
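The following is an added example, not code from the book: it decodes an HSRPv1 packet (20-byte layout per RFC 2281: version, opcode, state, hello time, hold time, priority, group, reserved, 8-byte authentication field, virtual IP), derives the well-known virtual MAC for a group number in either version, and checks a datagram seen on the segment against the group's expected virtual IP and the physical interface addresses of its member routers. The sample packet, the expected virtual IP and the member list are constructed for the example.

```python
"""Constructed HSRPv1 sample and its decoder; field layout per RFC 2281."""
import ipaddress
import struct

HSRP_PORT = 1985                                   # UDP port for HSRP packets
HSRP_MCAST = {1: "224.0.0.2", 2: "224.0.0.102"}    # hello destination per version
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}

# Constructed sample: HSRPv1 hello, state active, hello 3 s, hold 10 s,
# priority 100, group 1, 8-byte auth field, virtual IP 10.0.0.1.
SAMPLE_HELLO = (struct.pack("!8B", 0, 0, 16, 3, 10, 100, 1, 0)
                + b"cisco".ljust(8, b"\x00") + ipaddress.IPv4Address("10.0.0.1").packed)

def virtual_mac(version, group):
    """Well-known virtual MAC of a group: 0000.0c07.acXX (v1) or 0000.0c9f.fXXX (v2)."""
    if version == 1 and 0 <= group <= 255:
        return "0000.0c07.ac%02x" % group
    if version == 2 and 0 <= group <= 4095:
        return "0000.0c9f.f%03x" % group
    raise ValueError("group %d out of range for HSRPv%d" % (group, version))

def parse_hsrpv1(payload):
    """Decode the fixed 20-byte HSRPv1 packet into a dict."""
    if len(payload) < 20:
        raise ValueError("HSRPv1 packet too short")
    ver, op, state, hello, hold, prio, group, _ = struct.unpack("!8B", payload[:8])
    return {"version": ver, "opcode": OPCODES.get(op, "unknown"),
            "state": STATES.get(state, "unknown"), "hellotime": hello, "holdtime": hold,
            "priority": prio, "group": group,
            "auth": payload[8:16].rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_ip": str(ipaddress.IPv4Address(payload[16:20]))}

def check_hello(src_ip, dst_ip, dport, payload, expected_vip, members):
    """Findings for one UDP datagram seen on the segment. `members` holds the
    physical interface IPs of the routers that legitimately run the group: HSRP
    sources its packets from the real interface address, so any other source is
    an unexpected speaker for this group and worth an alert."""
    if dport != HSRP_PORT or dst_ip != HSRP_MCAST[1]:
        return ["not an HSRPv1 packet (dst %s:%d)" % (dst_ip, dport)]
    pkt = parse_hsrpv1(payload)
    findings = []
    if pkt["virtual_ip"] != expected_vip:
        findings.append("virtual IP %s differs from expected %s" % (pkt["virtual_ip"], expected_vip))
    if src_ip not in members:
        findings.append("%s from non-member %s (priority %d, state %s)"
                        % (pkt["opcode"], src_ip, pkt["priority"], pkt["state"]))
    return findings
```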
2.1.2 How HSRP works
Most IP hosts use a single router as their default gateway. With HSRP, the default gateway of the IP host is the virtual IP address of the HSRP group instead of the IP address of a physical router interface. HSRP provides redundant IP paths for the hosts on the network and so achieves high network availability.
1. Two router roles in the HSRP group
The routers in an HSRP group are divided into two roles, the active router and the standby router, which together form one virtual router. The active router forwards the packets. The standby router takes over from the active router only when the active router fails or certain conditions are met. Without HSRP, hosts cannot switch over to a new router when the router they use fails; with HSRP enabled, existing TCP sessions continue without interruption and the next hop for the hosts is chosen dynamically so that IP communication resumes.
Routers running HSRP send and receive UDP-based multicast hello messages to detect router failures and to designate the active and standby routers. When the active router does not send a hello packet within the configured period, the standby router with the highest priority becomes the new active router, and the data traffic of all hosts on the network is switched to the new active router at the same time.
2. Virtual MAC address and virtual IP address in the HSRP group
After HSRP is configured on a network segment, it provides a virtual MAC address and a virtual IP address shared by every member router of the HSRP group. The HSRP standby group IP address of each router must be set to this virtual IP address. Among these routers one is selected as the active router; it receives and routes the packets sent to the group's virtual MAC address. When the active router fails, HSRP detects the failure and selects a standby router to take control of the group's virtual MAC address and virtual IP address. By sharing a virtual MAC address and a virtual IP address, two or more routers act as one virtual router. The virtual router does not physically exist, but it serves as the common default gateway for the routers that back each other up in the HSRP group. The hosts' default gateway is configured not with the physical interface IP address of the active router but with the virtual IP address of the virtual router. If the active router does not send a hello packet within the configured hold time, the standby routers conclude that the active router has failed, elect a new active router among themselves, and that router takes control of the virtual IP address.
3. HSRP priority
HSRP also uses a priority mechanism to determine which HSRP router is the default active router. To configure a router as the active router, assign it a higher priority than the other routers in the group. The default priority is 100, so if only one router is configured with a priority higher than 100 (the larger the value, the higher the priority), that router becomes the default active router.
4. MHSRP
You can configure multiple standby groups between multiple switches or switch stacks and give each standby group its own group number. This is MHSRP (multiple HSRP). For example, you can configure an interface on switch 1 as the active router and an interface on switch 2 as the standby router, and at the same time configure another interface on switch 2 as the active router and another interface on switch 1 as the standby router. The detailed working principles of MHSRP are introduced in the next section.
5. HSRP example
Figure 2-1 shows the HSRP configuration of a network segment. There are two routers in the standby group: Router A is the active router and Router B is the standby router; together they form one virtual router. Each router is configured with the MAC address and IP address of the virtual router.
[Figure image: http://www.bkjia.com/uploads/allimg/131227/020A015Y-0.png]
Figure 2-1 Typical HSRP topology example
In this example, the default gateway of the hosts on the network points to the virtual router's IP address rather than to Router A or Router B. When Host C sends a packet to Host B, it first sends the packet to the virtual router, addressed to the virtual router's MAC address. Under normal circumstances Router A responds to Host C's requests, because it is the active router of the standby group. If for some reason Router A stops working, Router B responds to the ARP requests with the MAC address and IP address mapping of the virtual router and becomes the active router. Host C then sends its packets for Host B using the virtual router IP address from Router B's ARP reply. When Router B receives the packets, it forwards them to Host B. Until Router A resumes normal operation, HSRP lets Router B provide uninterrupted service to the users reaching Host B's network segment, while it also remains responsible for the normal user communication between Host A and Host B.
2.3.2 Overview of main VRRP features
The most important features of VRRP are: 1) VRRP router priority and preemption; 2) VRRP advertisement; 3) VRRP authentication; 4) VRRP object tracking.
1. VRRP router priority and preemption
An important feature of the VRRP redundancy scheme is the VRRP router priority. The priority determines the role each VRRP router assumes when the virtual router master fails. If the IP address of a VRRP router's physical interface is the same as the IP address of the virtual router, that router automatically becomes the IP address owner of the virtual router. The priority of a VRRP router also determines the order in which the backup routers may become the new virtual router master when the master fails. Use the vrrp priority command to configure a priority of 1 to 254 for each backup router. 255 is the highest priority; it is the priority of the virtual router IP address owner and cannot be changed. For example, if the current virtual router master, Router A, fails, a new master election is held between the two backup routers, Router B and Router C. If Router B and Router C are configured with priorities 101 and 100 respectively, Router B is elected as the new master because it has the higher priority. If both Router B and Router C have priority 100, the IP address configuration of the two routers decides: the router with the higher IP address becomes the new master. By default, a backup router with a higher priority can take over from the current master and become the new master. Use the no vrrp preempt command to disable the preemption function of the VRRP router. If preemption is disabled, the backup router elected as the new master keeps the master role until the original master recovers and becomes master again.
2. VRRP advertisement
After VRRP is enabled, the virtual router master sends VRRP advertisements to the other VRRP routers, carrying the priority and state of the master. VRRP advertisements are encapsulated in IP packets and sent to the multicast IP address assigned to the VRRP group. The advertisement is sent to each backup router in the VRRP group at a configured interval. Although VRRP as specified in RFC 3768 does not support millisecond timers, a Cisco router still allows a millisecond timer to be configured. Millisecond timers must be configured manually on both the master and the backup routers. Note that the master's advertisement timer value displayed by the show vrrp command on a backup router is always 1 second, because the backup router does not accept millisecond timer values.
3. VRRP object tracking
Object tracking is a process that independently manages the creation, monitoring and deletion of tracked objects, such as the line protocol state of an interface. HSRP, GLBP (Gateway Load Balancing Protocol) and VRRP clients register the objects to be tracked and take the corresponding action when their state changes. Each tracked object is identified by a unique number, which VRRP, HSRP and GLBP use to refer to it; this is the same object tracking method that HSRP uses in newer IOS versions. The tracking process polls the tracked objects periodically and watches for changes in any of their parameter values; as soon as a tracked object changes, VRRP, HSRP or GLBP is notified. VRRP can also track only specific objects, such as interface state, line protocol, IP route state and route reachability. Each VRRP group can track multiple objects that may affect the priority of the VRRP routers. You only need to specify the objects to be tracked; VRRP is notified of any change to them and then decreases or increases the router's priority according to the state change.
4. VRRP authentication
VRRP ignores unauthenticated VRRP messages. The default authentication type is plain-text authentication, but simple MD5 authentication can also be configured, using either a key string or an MD5 authentication key chain. MD5 authentication provides higher security than plain-text authentication. With MD5 authentication, each member of the VRRP router group uses a secret key to generate an MD5 hash value and includes it in the outgoing packet. For an incoming packet from another VRRP router, the receiver also computes the MD5 hash value; if the hash value in the incoming packet does not match the receiver's own, the incoming packet is ignored. The key used for the MD5 hash can be provided directly in the configuration with a key string, or indirectly through a key chain. A VRRP router ignores VRRP packets sent by VRRP routers that are not configured with the same authentication.
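The following is an added example, not code from the book: it simulates the election rules described in the priority/preemption and object tracking sections above (the IP address owner has priority 255, other routers use a configured priority of 1 to 254, equal priorities are broken by the higher interface IP address, a tracked object that goes down lowers the priority by its decrement, and the preempt setting decides whether a higher-priority backup displaces a live master). The same "highest priority wins" rule is the one the HSRP priority section describes. Router names, addresses, priorities and tracked-object names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VrrpRouter:
    name: str
    ip: str                                       # physical interface IP address
    priority: int = 100                           # vrrp priority, 1-254 (not used by the owner)
    tracks: dict = field(default_factory=dict)    # tracked object name -> priority decrement

    def effective_priority(self, vip, object_up):
        """Priority this router brings to the election for virtual IP `vip`."""
        if self.ip == vip:
            return 255                            # the IP address owner is always 255
        if not 1 <= self.priority <= 254:
            raise ValueError("%s: priority must be 1-254" % self.name)
        # each tracked object that is down subtracts its decrement (unknown objects count as up)
        down = sum(dec for obj, dec in self.tracks.items() if not object_up.get(obj, True))
        return max(1, self.priority - down)

def elect_master(routers, vip, alive, object_up, current=None, preempt=True):
    """Name of the router that should be master. `alive` is the set of router
    names still sending advertisements; `current` is the present master (None
    after a failure); `preempt` mirrors the vrrp preempt / no vrrp preempt setting."""
    candidates = [r for r in routers if r.name in alive]
    if not candidates:
        return None
    # highest effective priority wins; equal priorities are broken by the higher IP address
    best = max(candidates, key=lambda r: (r.effective_priority(vip, object_up),
                                          int(ipaddress.IPv4Address(r.ip))))
    cur = next((r for r in candidates if r.name == current), None)
    # with preemption off a live master keeps the role, except that the returning
    # address owner (priority 255) always reclaims the virtual IP
    if cur is not None and not preempt and best.effective_priority(vip, object_up) != 255:
        return cur.name
    return best.name
```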
2.3.3 Basic working principle of VRRP
Figure 2-4 shows a LAN topology with VRRP configured. In this example, Router A, Router B and Router C are VRRP routers that together form a VRRP virtual router. The virtual router IP address is the same as the IP address of Router A, 10.0.0.1 (in HSRP, by contrast, the virtual IP address cannot be the same as the IP address of a physical router).
[Figure image: http://www.bkjia.com/uploads/allimg/131227/020A045Z-1.png]
Figure 2-4 Basic VRRP topology
Because the virtual router uses the physical interface IP address of Router A, Router A automatically becomes the virtual router master and the owner of the virtual IP address. As master, Router A controls the virtual router IP address and responds to the packets forwarded to that VIP address. In this example, Client 1 to Client 3 are configured with Router A's IP address, 10.0.0.1, as their default gateway. Router B and Router C act as virtual router backups. If the master (Router A) fails, whichever of Router B and Router C has the higher priority becomes the new master and continues to serve the hosts on the LAN without interruption. When Router A recovers, it becomes the master again.
Figure 2-5 shows a LAN topology with two VRRP groups configured. Router A and Router B share the load coming from Client 1 to Client 4 and back each other up, because two VRRP groups are created on the two routers and each router is the master in one of the two groups. In this example there are two VRRP virtual routers. In VRRP group 1, Router A owns the virtual IP address 10.0.0.1 and automatically becomes the master, while Router B acts as the backup router; Client 1 and Client 2 use this virtual IP address as their default gateway. In VRRP group 2, Router B owns the virtual IP address 10.0.0.2 and automatically becomes the master, while Router A acts as the backup router; Client 3 and Client 4 use that virtual IP address as their default gateway.
[Figure image: http://www.bkjia.com/uploads/allimg/131227/020A03529-2.png]
Figure 2-5 Topology example of dual VRRP group load sharing
This article is from the "Wang da blog". For more information, contact the author.