None
High Availability at digidraft.net

High Availability

2017-06-21

Leveraging Logical Switches

StackWise

    The same daisy-chain scheme can be used to connect up to nine physical switches. The ring can be broken to add or remove a switch, but the remaining switches stay connected over the rest of the ring. In other words, you can make changes to the stack without interrupting its operation.

Virtual Switching System

    With platforms like the Cisco Catalyst 4500R, 6500, and 8500, you can configure two identical chassis to work as one logical switch. This is known as a Virtual Switching System (VSS), often called a VSS pair. To build the logical switch, the two chassis must be linked together by multiple interfaces that have been configured as a virtual switch link (VSL).

    VSS1440 refers to the VSS formed by two Cisco Catalyst 6500 Series Switches with the Virtual Switching Supervisor 720-10GE. In a VSS, the data plane and switch fabric with capacity of 720 Gbps of supervisor engine in each chassis are active at the same time on both chassis, combining for an active 1400-Gbps switching capacity per VSS. Only one of the virtual switch members has the active control plane. Both chassis are kept in sync with the interchassis Stateful Switchover (SSO) mechanism along with Nonstop Forwarding (NSF) to provide nonstop communication even in the event of failure of one of the member supervisor engines or chassis.

Redundant Switch Supervisors

  • Route processor redundancy (RPR) - the redundant supervisor is only partially booted and initialized. When the active module fails, the standby module must reload every other module in the switch and then initialize all the supervisor functions
  • Route processor redundancy plus (RPR+) - the redundant supervisor is booted, allowing the supervisor and route engine to initialize. No Layer 2 or Layer 3 func tions are started, however. When the active module fails, the standby module finishes initializing without reloading other switch modules. This allows switch ports to retain their state
  • Stateful switchover (SSO) - the redundant supervisor is fully booted and initialized. Both the startup and running configuration contents are synchronized between the supervisor modules. Layer 2 information is maintained on both supervisors so that hardware switching can continue during a failover. The state of the switch interfaces is also maintained on both supervisors so that links do not flap during a failover

    Sometimes the redundancy mode terminology can be confusing. In addition to the RPR, RPR+, and SSO terms, you might see single-router mode (SRM) and dual-router mode (DRM). SRM simply means that two route processors (integrated into the supervisors) are being used, but only one of them is active at any time. In DRM, two route processors are active at all times. HSRP usually is used to provide redundancy in DRM. Although RPR and RPR+ have only one active supervisor, the route processor portion is not initialized on the standby unit. Therefore, SRM is not compatible with RPR or RPR+. SRM is inherent with SSO, which brings up the standby route processor. You usually will find the two redundancy terms together, as “SRM with SSO.”

Mode Failover Time
RPR > 2 minutes
RPR+ > 30 seconds
SSO > 1 second

Standby Supervisor Readiness as a Function of Redundancy Mode

RPR RPR+ SSO
Supervisor Bootstrap
Image Loaded
Supervisor Bootstrap
Image Loaded
Supervisor Bootstrap
Image Loaded
IOS Image Loaded IOS Image Loaded IOS Image Loaded
Sync Startup-Config Sync Startup-Config Sync Startup-Config
Supervisor Diagnostics Supervisor Diagnostics Supervisor Diagnostics
All Switch Modules
Reloaded
   
Route Engine
Initialized
Route Engine
Initialized
Route Engine
Initialized
Layer 2 Protocols
Initialized
Layer 2 Protocols
Initialized
Layer 2 Protocols
Initialized
    FIB Table
Synchronized
Layer 3 Protocols
Initialized
Layer 3 Protocols
Initialized
Layer 3 Protocols
Initialized
NSF
(Optional
Optimization)
Routing Protocols
Converge
Routing Protocols
Converge
Routing Protocols
Converge
FIB Table Flushed
and Re-Created
FIB Table Flushed
and Re-Created
FIB Table Updated

Configuring the Redundancy Mode

Switch(config)# redundancy
Switch(config-red)# mode { rpr | rpr-plus | sso }

    If you configure RPR+ with the rpr-plus keyword, the supervisor attempts to bring up RPR+ with its peer module. The IOS images must be of exactly the same release before RPR+ will work. If the images differ, the supervisor automatically falls back to RPR mode instead.

Configuring Supervisor Synchronization

By default, the active supervisor synchronizes its startup configuration and configuration register values with the standby supervisor. You also can specify other information that should be synchronized.

Switch(config)# redundancy
Switch(config-red)# main-cpu
Switch(config-r-mc)# auto-sync { startup-config | config-register | bootvar }

    Virtual switch link (VSL): 10 Gigabit Ethernet connections (up to eight using EtherChannel) between the virtual switch members. Multichassis EtherChannel (MEC) is a Layer 2 multipathing technology. This form of EtherChannel allows a connected node to terminate the EtherChannel across the two physical Cisco Catalyst 6500 Series Switches that make up the VSS leading to creating simplified loop-free Layer 2 topology. Using MEC in VSS topology results in all links being active and at the same time provides for a highly available topology without the dependency of Spanning Tree Protocol. With the introduction of 12.2(33)SXI, the virtual switching system supports a maximum number of 512 MECs.

    VSLs can be configured with up to eight links between the two switches across any combination of line cards or supervisor ports to provide a high level of redundancy. If for some rare reason all VSL connections are lost between the virtual switch members leaving both the virtual switch members up, the VSS will transition to the dual active recovery mode.

    In the dual active recovery mode, all interfaces except the VSL interfaces are in an operationally shut down state in the formerly active virtual switch member. The new active virtual switch continues to forward traffic on all links.

Nonstop Forwarding

    Nonstop forwarding (NSF) is an interactive method that focuses on quickly rebuilding the RIB table after a supervisor switchover. Instead of waiting on any configured Layer 3 routing protocols to converge and rebuild the FIB, a router can use NSF to get assistance from other NSF-aware neighbors. The neighbors then can provide routing information to the standby supervisor, allowing the routing tables to be assembled quickly. In a nutshell, the Cisco proprietary NSF functions must be built in to the routing protocols on both the router that will need assistance and the router that will provide assistance.

Switch(config)# router bgp as-number
Switch(config-router)# bgp graceful-restart
Switch(config)# router eigrp as-number
Switch(config-router)# nsf
Switch(config)# router ospf process-id
Switch(config-router)# nsf
Switch(config)# router isis [ tag ]
Switch(config-router)# nsf [ cisco | ietf ]
Switch(config-router)# nsf interval [ minutes ]
Switch(config-router)# nsf t3 {manual [ seconds ] | adjacency }
Switch(config-router)# nsf interface wait seconds

Layer 3 High Availability

Hot Standby Router Protocol

    Each of the routers that provides redundancy for a given gateway address is assigned to a common HSRP group. One router is elected as the primary, or active , HSRP router; another is elected as the standby HSRP router; and all the others remain in the listen HSRP state. The routers exchange HSRP hello messages at regular intervals.

    HSRP Group 1 on interface VLAN 10 is unique and independent from HSRP Group 1 on interface VLAN 11.

    HSRP states

  • Disabled
  • Init
  • Listen
  • Speak
  • Standby
  • Active

    Only the standby router monitors the hello messages from the active router. By default, hellos are sent every 3 seconds, Hold-Time timer - 10 seconds.

Switch(config-if)# standby group timers [ msec ] hello [ msec ] holdtime

    By default, the priority is 100. The router with the highest priority value (255 is highest) becomes the active router for the group.

Switch(config-if)# standby group priority priority

    Normally, after the active router fails and the standby becomes active, the original active router cannot immediately become active when it is restored. In other words, if a router is not already active, it cannot become active again until the current active router fails even if its priority is higher than that of the active router. The first router to bring up its interface becomes the HSRP active router, even if it has the lowest priority of all.

Switch(config-if)# standby group preempt [ delay [ minimum seconds ] [ reload seconds ]]
  • Add the minimum keyword to force the router to wait for seconds (0 to 3600 seconds) before attempting to overthrow an active router with a lower priority.
  • Add the reload keyword to force the router to wait for seconds (0 to 3600 seconds) after it has been reloaded or restarted. This is handy if there are routing protocols that need time to converge.

Plain-Text HSRP Authentication

    Cisco devices use cisco as the default key string.

Switch(config-if)# standby group authentication string

MD5 Authentication

    By default, the key string (up to 64 characters) is given as plain text. This is the same as specifying the 0 keyword. After the key string is entered, it is shown as an encrypted value in the switch configuration. You also can copy and paste an encrypted key string value into this command by preceding the string with the 7 keyword.

Switch(config-if)# standby group authentication md5 key-string [ 0 | 7 ] string

    Alternatively, you can define an MD5 key string as a key on a key chain.

Switch(config)# key chain chain-name
Switch(config-keychain)# key key-number
Switch(config-keychain-key)# key-string [ 0 | 7 ] string
Switch(config)# interface type mod/num
Switch(config-if)# standby group authentication md5 key-chain chain-name

Conceding the Election

    HSRP has a mechanism for detecting link failures and swaying the election, giving another router an opportunity to take over the active role. By default, the decrementvalue for an interface is 10.

Switch(config-if)# standby group track type mod/num [ decrementvalue ]

HSRP Gateway Addressing

    Each router in an HSRP group has its own unique IP address assigned to an interface. This address is used for all routing protocol and management traffic initiated by or destined to the router.

   For the virtual router address, HSRP defines a special MAC address of the form 0000.0c07.acxx, where xx represents the HSRP group number as a two-digit hex value. For example, HSRP Group 1 appears as 0000.0c07.ac01, HSRP Group 16 appears as 0000.0c07.ac10, and so on.

Improving CPU and Network Performance with HSRP Multiple Group Optimization.

    The standby follow command configures an HSRP group to become a slave of another HSRP group.

Switch-(config-if)# standby group-number follow group-name

    Use the standby mac-refresh seconds command to directly change the HSRP client group refresh interval. The default interval is 10 seconds and can be configured to as much as 255 seconds.

Load Balancing with HSRP

    The trick is to use two HSRP groups: one group assigns an active router to one switch, the other group assigns another active router to the other switch.

Switch-A(config)# interface vlan 50
Switch-A(config-if)# ip address 192.168.1.10 255.255.255.0
Switch-A(config-if)# standby 1 priority 200
Switch-A(config-if)# standby 1 preempt
Switch-A(config-if)# standby 1 ip 192.168.1.1
Switch-A(config-if)# standby 1 authentication MyKey
Switch-A(config-if)# standby 2 priority 100
Switch-A(config-if)# standby 2 ip 192.168.1.2
Switch-A(config-if)# standby 2 authentication MyKey
Switch-B(config)# interface vlan 50
Switch-B(config-if)# ip address 192.168.1.11 255.255.255.0
Switch-B(config-if)# standby 1 priority 100
Switch-B(config-if)# standby 1 ip 192.168.1.1
Switch-B(config-if)# standby 1 authentication MyKey
Switch-B(config-if)# standby 2 priority 200
Switch-B(config-if)# standby 2 preempt
Switch-B(config-if)# standby 2 ip 192.168.1.2
Switch-B(config-if)# standby 2 authentication MyKey

Virtual Router Redundancy Protocol (RFC 2338)

    VRRP provides one redundant gateway address from a group of routers. The active router is called the master router , whereas all others are in the backup state . The master router is the one with the highest router priority in the VRRP group.

    The virtual router MAC address is of the form 0000.5e00.01xx, where xx is a two-digit hex VRRP group number. VRRP advertisements are sent at 1-second intervals.

    VRRP sends its advertisements to the multicast destination address 224.0.0.18 (VRRP), using IP protocol 112.

Switch(config-if)# vrrp group priority level
Switch(config-if)# vrrp group timers advertise [ msec ] interval
Switch(config-if)# vrrp group timers learn
Switch(config-if)# no vrrp group preempt
Switch(config-if)# vrrp group preempt [ delay seconds ]
Switch(config-if)# vrrp group authentication string
Switch(config-if)# vrrp group ip ip-address [ secondary ]
Switch(config-if)# vrrp group track object number [ decrement priority ]

Gateway Load Balancing Protocol

    The load balancing is provided completely through the use of virtual router MAC addresses in ARP replies returned to the clients. As a client sends an ARP request looking for the virtual router address, GLBP sends back an ARP reply with the virtual MAC address of a selected router in the group.

Active Virtual Gateway

    One router is elected the active virtual gateway (AVG). This router has the highest priority value, or the highest IP address in the group, if there is no highest priority. Up to four virtual MAC addresses can be used in any group. Each of these routers is referred to as an active virtual forwarder (AVF), forwarding traffic received on its virtual MAC address. Other routers in the group serve as backup or secondary virtual forwarders, in case the AVF fails.

Switch(config-if)# glbp group priority level

    GLBP group numbers range from 0 to 1023. The router priority can be 1 to 255 (255 is the highest priority), defaulting to 100. 

Switch(config-if)# glbp group preempt [ delay minimum seconds ]

    Hello messages are sent at hellotime intervals, with a default of 3 seconds. If hellos are not received from a peer within a holdtime , defaulting to 10 seconds, that peer is presumed to have failed.

Switch(config-if)# glbp group timers [msec ] hellotime [ msec ] holdtime

Although you can use the previous command to configure the GLBP timers on each peer router, it is not necessary. Instead, just configure the timers on the router you have identified as the AVG. The AVG will advertise the timer values it is using, and every other peer will learn those values if they have not already been explicitly set. 

Active Virtual Forwarder

    Each router participating in the GLBP group can become an AVF, if the AVG assigns it that role, along with a virtual MAC address. The virtual MAC addresses always have the form 0007.b4xx.xxyy. The 16-bit value denoted by xx.xx represents six 0 bits followed by a 10-bit GLBP group number. The 8-bit yy value is the virtual forwarder number.

    Naturally, the router that is given the new AVF role might already be an AVF for a different virtual MAC address. Although a router can masquerade as two different virtual MAC addresses to support the two AVF functions, it does not make much sense to continue doing that for a long period of time. The AVG maintains two timers that help resolve this condition.

  • the redirect timer is used to determine when the AVG will stop using the old virtual MAC address in ARP replies. The AVF corresponding to the old address continues to act as a gateway for any clients that try to use it. Default is 600 seconds (10 minutes) and can range from 0 to 3600 seconds (1 hour)
  • when the timeout timer expires, the old MAC address and the virtual forwarder using it are flushed from all the GLBP peers. The AVG assumes that the previously failed AVF will not return to service, so the resources assigned to it must be reclaimed. At this point, clients still using the old MAC address in their ARP caches must refresh the entry to obtai the new virtual MAC address. Default to 14,400 seconds (4 hours) and can range from 700 to 64,800 seconds (18 hours)
Switch(config-if)# glbp group timers redirect redirect timeout

    GLBP also can use a weighting function to determine which router becomes the AVF for a virtual MAC address in a group. Each router begins with a maximum weight value (1 to 254). As specific interfaces go down, the weight is decreased by a configured amount. GLBP uses thresholds to determine when a router can and cannot be the AVF. If the weight falls below the lower threshold, the router must give up its AVF role. When the weight rises above the upper threshold, the router can resume its AVF role.

    By default, a router receives a maximum weight of 100. If you want to make a dynamic weighting adjustment, GLBP must know which interfaces to track and how to adjust the weight.

Switch(config)# track object-number interface type member/module/number { line-protocol | ip routing }
Switch(config-if)# glbp group weighting maximum [ lower lower ] [ upper upper ]
Switch(config-if)# glbp group weighting track object-number [ decrement value ]

    When the tracked object fails, the weighting is decremented by value (1 to 254, default 10).

GLBP Load Balancing

  • round robin - each new ARP request for the virtual router address receives the next available virtual MAC address in reply. Traffic load is distributed evenly across all routers participating as AVFs in the group, assuming that each of the clients sends and receives the same amount of traffic. This is the default method used by GLBP
  • weighted - the GLBP group interface’s weighting value determines the proportion of traffic that should be sent to that AVF. A higher weighting results in more frequent ARP replies containing the virtual MAC address of that router. If interface tracking is not configured, the maximum weighting value configured is used to set the relative proportions among AVFs
  • host dependent - each client that generates an ARP request for the virtual router address always receives the same virtual MAC address in reply. This method is used if the clients have a need for a consistent gateway MAC address. (Otherwise, a client could receive replies with different MAC addresses for the router over time, depending on the load-balancing method in use.)
Switch(config-if)# glbp group load-balancing [ round-robin | weighted | host-dependent ]

Enabling GLBP

Switch(config-if)# glbp group ip [ ip-address [ secondary ]]

    If the ip-address is not given in the command, it is learned from another router in the group. 

Leave a Comment: