Explanation

Although we have redundant distribution layer devices, our PCs cannot support multiple gateways. That forces us to configure a single gateway address on the PC, and if that gateway fails, the PC will lose connectivity.

The solution is to configure the two distribution layer routers for HSRP (Hot Standby Router Protocol). HSRP creates a virtual router whose functionality is provided by the physical routers. If a physical router fails, the standby router will provide the services of the virtual router. As the virtual router has a consistent IP and MAC address, any change in the availability of the physical routers is invisible to the PC.

It is important to understand that the HSRP region extends between the distribution layer devices and the host PC. All of the components will be in the same subnet and VLAN. The distribution layer devices perform inter-VLAN routing, and so the router interfaces are VLAN interfaces (not physical port numbers). When you configure HSRP, you must apply it to the VLAN interfaces on the distribution layer device. This is a subtle but important difference between the lab (where we used dedicated routers) and the case study, where we are using layer 3 switches with SVIs (Switch Virtual Interfaces).

What you need to do

The requirements list the following:

  • Configure inter-VLAN routing on all DL switches.
    • Staff should use DL1 as their default gateway.
    • Guests should use DL2 as their default gateway.
    • Use HSRP with the active router for staff and guests being on a different router.

At this stage, each router should already have a physical IP address and be configured for inter-VLAN routing. So what remains is purely the HSRP configuration on the VLAN interfaces and an adjustment to the default gateway on the hosts to point them to the virtual router IP address.

Your VLAN interfaces should currently look something like this (PerDL shown as an example):

interface Vlan10
 no shutdown
 description Perth Staff
 ip address 10.1.128.2 255.255.255.0

As an example on the Staff VLAN, adding the following command activates HSRP:

interface Vlan10
 standby 1 ip 10.1.128.1

Once this has been applied to both distribution routers the two DL routers on VLAN10 will negotiate so that one of the DL routers will be the HSRP active router and provide services for the virtual router. The other router will be the standby router and will take over the role of the active router should it fail.

By setting the gateway on our hosts to the IP address of the virtual router (.1) we provide the host with a more reliable and consistent gateway.

Remember, each VLAN constitutes a different subnet, and as a result, you need a virtual router with an appropriate IP address on each VLAN.

The big picture

Even though we have a virtual router, you should be conscious that packet traffic physically moves via the active router even though the hosts are not aware of its existence. Also, the physical links taken to reach the gateway are governed by the path defined by the spanning tree protocol (a lot is going on here; take your time to think this through). This is the reason we made the distribution layer devices the STP root for particular VLANs.

Creating a network that functions is one thing. Optimising the traffic paths is an additional and often overlooked stage. The general rule is that the distribution switch/router that acts as the active HSRP router should also be the STP root bridge.

You can choose which router becomes active for HSRP using the priority command. The default priority is 100, and the highest priority device within a group/VLAN will be the active router.

As an example, if we add the following command to one of the HSRP instances, that router will become the active router.

interface Vlan1000
 standby 1 priority 105

  • Given the requirement that staff use the DL1 router, you should ensure the priority on the DL1 router in the DL1 Staff VLAN is higher than on the DL2 Staff VLAN.
  • Given the requirement that Guests use the DL2 router, you should ensure the priorities on the DL2 router in the DL2 Guest VLANs are higher than those on the DL1 Guest VLANs.

The 1 in this example is the group number. It must match the number configured on both DL routers in a VLAN, and it tells HSRP that the two devices are acting as part of a group. Group numbers only really become significant if you want to create more than one virtual router within a VLAN (we are not). I recommend making this number 1 to signify the first virtual router in each VLAN.

The default behaviour of HSRP is for an active router to remain active even if a new router with a better priority is introduced to the network. Suppose you power up all devices in a network at once (power restored after an outage). In that case, all devices tend to elect the HSRP active router simultaneously, and thus the highest priority wins. However, if you reboot an active router and another takes over, when the first router comes back online, it will not challenge the new active router even if that router has a lower priority.

You can change this behaviour with the preempt command. Preempt tells the routers to participate in an election even if there is already an active router in the network. Using preempt makes HSRP more predictable, and it ensures the wishes you have expressed with the priority command are honoured. Unless you have a specific desire to avoid re-elections (minor interruption), I would suggest adding the preempt command to all VLAN interfaces.

interface vlan 10
  standby 1 preempt

How will you know it is configured correctly?

In terms of configuration, you should have the following:

  • Every VLAN interface on the distribution routers should have a standby IP address that corresponds to the first host (.1) on the same subnet as the IP address of the VLAN interface.
  • The standby IP address on a VLAN on Distribution 1 should match the standby IP address on Distribution 2 because these two devices work together to make the virtual router available.
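
The checklist above, together with the priority and preempt guidance, can be checked mechanically. The following Python script is an added example, not part of the original case study: it reads the VLAN interface sections of both distribution routers and reports every rule that is broken. The sample configurations are constructed, and the names `parse` and `audit` are hypothetical.

```python
import ipaddress
import re

# Constructed SVI snippets for the Staff VLAN on each distribution router.
DL1 = """interface Vlan10
 ip address 10.1.128.2 255.255.255.0
 standby 1 ip 10.1.128.1
 standby 1 priority 105
 standby 1 preempt"""
DL2 = """interface Vlan10
 ip address 10.1.128.3 255.255.255.0
 standby 1 ip 10.1.128.1
 standby 1 preempt"""

def parse(cfg):
    """Map VLAN id -> settings found under each 'interface VlanN' block."""
    svis, cur = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if line.lower().startswith("interface"):
            m = re.fullmatch(r"interface vlan\s*(\d+)", line, re.I)
            cur = svis.setdefault(int(m[1]), {}) if m else None
        elif cur is not None:
            if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
                cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif m := re.match(r"standby \d+ (ip|priority|preempt)\b\s*(\S*)", line):
                cur[m[1]] = m[2] or True  # a bare 'preempt' is stored as True
    return svis

def audit(dl1_cfg, dl2_cfg, want_active):
    """want_active maps VLAN id -> 'DL1' or 'DL2'. Returns findings; empty list = pass."""
    a, b, out = parse(dl1_cfg), parse(dl2_cfg), []
    for vlan, owner in want_active.items():
        x, y = a.get(vlan, {}), b.get(vlan, {})
        if not all(k in r for r in (x, y) for k in ("net", "ip")):
            out.append(f"Vlan{vlan}: HSRP not configured on both routers")
            continue
        if x["ip"] != y["ip"]:
            out.append(f"Vlan{vlan}: standby IP differs between DL1 and DL2")
        first = str(x["net"].network.network_address + 1)
        if x["ip"] != first:
            out.append(f"Vlan{vlan}: standby IP {x['ip']} is not first host {first}")
        hi, lo = (x, y) if owner == "DL1" else (y, x)
        if int(hi.get("priority", 100)) <= int(lo.get("priority", 100)):  # 100 = default
            out.append(f"Vlan{vlan}: {owner} priority is not higher than its peer")
        if not (x.get("preempt") and y.get("preempt")):
            out.append(f"Vlan{vlan}: preempt missing on at least one router")
    return out
```

Calling `audit(DL1, DL2, {10: "DL1"})` on the sample returns an empty list; extend the dictionary with each Guest VLAN mapped to `"DL2"` to cover the second requirement.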

The most useful command will be show standby, which displays the status for all HSRP groups on a router. All the configured information is displayed, and it will tell you about both the active and standby routers as well as identifying the current router's role.

 Vlan1 - Group 1
   State is Active
     2 state changes, last state change 00:42:53
   Virtual IP address is 10.1.128.1
   Active virtual MAC address is 0000.0c07.ac01 (MAC In Use)
     Local virtual MAC address is 0000.0c07.ac01 (v1 default)
   Hello time 3 sec, hold time 10 sec
     Next hello sent in 0.096 secs
   Preemption enabled
  Active router is local
   Standby router is 10.1.128.3, priority 100 (expires in 11.184 sec)
   Priority 105 (configured 105)
     Track object 1 state Up decrement 10
   Group name is "hsrp-Vl10-10" (default)
 Vlan1000 - Group 1000
   State is Active
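
When there are many VLANs, the same output can be parsed and compared against the roles you intended. The Python script below is an added example, not part of the original page: it extracts the state, priority and preemption fields from show standby text and flags a router that outranks the active router but has not taken over, which is the non-preempt situation described earlier. The sample output is constructed, and the names `parse_standby` and `check_roles` are hypothetical.

```python
import re

# Constructed output in the 'show standby' layout (Vlan20 and 10.1.129.x are assumed values).
SAMPLE = """\
Vlan10 - Group 1
  State is Standby
  Virtual IP address is 10.1.128.1
  Preemption disabled
  Active router is 10.1.128.3, priority 100 (expires in 9.312 sec)
  Priority 105 (configured 105)
Vlan20 - Group 1
  State is Standby
  Virtual IP address is 10.1.129.1
  Preemption enabled
  Active router is 10.1.129.3, priority 105 (expires in 8.640 sec)
  Priority 100 (default 100)
"""

FIELDS = {  # key -> regex matched at the start of each stripped line
    "state": r"State is (\w+)",
    "vip": r"Virtual IP address is (\S+)",
    "preempt": r"Preemption (enabled|disabled)",
    "active_prio": r"Active router is \S+, priority (\d+)",
    "priority": r"Priority (\d+)",
}

def parse_standby(text):
    """Return one dict per 'Interface - Group N' block with the fields above."""
    groups = []
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"(\S+) - Group (\d+)", line):
            groups.append({"intf": m[1], "group": int(m[2])})
        elif groups:
            for key, rx in FIELDS.items():
                if m := re.match(rx, line):
                    groups[-1][key] = int(m[1]) if m[1].isdigit() else m[1]
    return groups

def check_roles(groups, expected):
    """expected maps interface -> state this router should hold. Returns findings."""
    out = []
    for g in groups:
        want = expected.get(g["intf"])
        if want and g.get("state") != want:
            out.append(f"{g['intf']}: state is {g.get('state')}, expected {want}")
        if g.get("state") == "Standby" and g.get("priority", 0) > g.get("active_prio", 255):
            out.append(f"{g['intf']}: outranks the active router ({g['priority']} > "
                       f"{g['active_prio']}) but is Standby; preemption {g.get('preempt')}")
    return out
```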

You can also use the traceroute command to see the path your packets are taking through the network from the host devices. Trace normally displays the physical router IP addresses, so you will be able to identify the real router acting as the gateway and check that against the requirements.

 PC> traceroute 1.2.3.4
 trace to 1.2.3.4, 8 hops max, press Ctrl+C to stop
  1   10.1.128.2   4.549 ms  2.150 ms  2.951 ms   <--- PerDL1 acting as the active router.
  2   10.1.255.2   3.283 ms  3.498 ms  3.028 ms
  3   *200.100.50.129   11.660 ms (ICMP type:3, code:3, Destination port unreachable)  *

  • You also need to set the gateway address on each host to point to the IP address of the virtual router to benefit from it.

Redundancy

Remember, the whole point of HSRP is that we should be able to lose a distribution router and still maintain connectivity.

  • After exporting your configuration, shut down one of your DL routers and confirm you still have connectivity (convergence may take a minute).
  • Restore the router to confirm that proper operation resumes (packets travel over the correct path).
  • Repeat for the other distribution router at both sites.

What questions could I see on the practical exam?

  • You could be asked to identify the active HSRP router or report on the router's HSRP role in particular VLANs.
  • You could be asked to change the active router to a different device.
  • A host may not be pointing to the correct gateway, and you may need to troubleshoot the problem.
  • HSRP could be misconfigured, and you need to fix it.