Theory about HSRP in Cisco book does not match the practical.

sarahr202 (Level 5)

Hi everybody!

Please consider the following network:

I performed a simple lab with routers D4, C3 and B2, a switch and a Windows XP host.

D4's e0 is connected to the switch, D4's s0 is connected to s0 of B2, router C3's e0 is connected to the switch and C3's s0 to s1 of B2.

   s0 ---------------------- s0 B2 s1 ----------- s0
D4 e0 ---------------------- sw --------------- e0 C3

where:

D4 e0 is 196.196.196.4
D4 s0 is 199.199.199.4
C3 e0 is 196.196.196.3
C3 s0 is 198.198.198.3
B2 s0 is 199.199.199.2
B2 s1 is 198.198.198.2

--------------------------------------------------------------------------------

I have a few questions about HSRP in the Cisco Press book. I will quote from the book for easy reference.

"HSRP messages are sent with a plain-text key string as a simple method to authenticate HSRP peers. If the key string in a message matches the key configured on an HSRP peer, the message is accepted."

I performed the lab, configuring a plain-text string on D4 and C3, and I find the messages were accepted because D4 knows about the standby router, which contradicts the book. Below is the config:

D4:

interface Ethernet0
 ip address 196.196.196.4 255.255.255.0
 no ip redirects
 standby 1 priority 200
 standby 1 preempt
 standby 1 authentication mysarah
 standby 1 ip 196.196.196.10

C3:

interface Ethernet0
 ip address 196.196.196.3 255.255.255.0
 no ip redirects
 standby 1 priority 100
 standby 1 authentication mygigi
 standby 1 ip 196.196.196.10

D4# show standby
Local state is Active, priority 200, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:00
Hot standby IP address is 196.196.196.10 configured
Active router is local
Standby router is 196.196.196.3 expires in 00:00:07
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standby

--------------------------------------------------------------------------------

"Keep in mind that the actual interface address and the virtual (standby) address must be configured to be in the same IP subnet."

I changed the hot standby IP address on D4 as follows:

D4:

interface Ethernet0
 ip address 196.196.196.4 255.255.255.0
 no ip redirects
 standby 1 priority 200
 standby 1 preempt
 standby 1 authentication mygigi
 standby 1 ip 150.150.150.150

D4# show standby
Local state is Active, priority 200, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:01
Hot standby IP address is 150.150.150.150 configured
Active router is local
Standby router is 196.196.196.3 expires in 00:00:08

Now I pointed the host connected to the switch to 150.150.150.150 and pinged 199.199.199.2, which is the IP address of B2's s0 connected to D4.

Below is the output:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\zee>ping 199.199.199.2

Pinging 199.199.199.2 with 32 bytes of data:

Reply from 199.199.199.2: bytes=32 time=29ms TTL=254
Reply from 199.199.199.2: bytes=32 time=22ms TTL=254
Reply from 199.199.199.2: bytes=32 time=22ms TTL=254
Reply from 199.199.199.2: bytes=32 time=22ms TTL=254

--------------------------------------------------------------------------------

Here again this contradicts the book.

Any insight?

Thanks a lot!


12 Replies

lejoe.thomas (Level 3)

Hi Sarah,

For the first case, did you wait for 10 seconds (the holddown timer)? Since the key strings don't match, C3 would be removed from the standby router status for that group.

I am guessing you configured the key strings once the HSRP active (D4) and standby (C3) routers had come to know of each other.

For the second case, true, it does allow you to define a virtual IP that does not belong to the same subnet as the interface. However, did you check the default gateway on your Windows XP machine? I am sure it would belong to the 196.196.196.0/24 major network.

HTH

Lejoe

For the first case, yes, I waited for 15 min but got the same result.

For the second case, I did configure the Windows XP host with 150.150.150.150 as the default gateway.

Thanks a lot Lejoe!

roussillon (Level 1)

Hi.

- In the first part, the text strings are not the same:

D4:
.
..
 standby 1 authentication mysarah
 standby 1 ip 196.196.196.10

C3:
.
..
 standby 1 authentication mygigi
 standby 1 ip 196.196.196.10

- In the second part, you changed the standby IP but also the text string. That is why standby is active.

You did not say what the IP configuration of the XP host is. I think it is something like 150.150.150.XX

D4 knows how to reach 150.150.150.150 because it knows 150.150.150.150's MAC address, which is in the network segment.

Read this (taken from http://www.ietf.org/rfc/rfc2281.txt):

.
..
   The IP address "SHOULD" belong to
   the primary subnet in use on the LAN, but MUST differ from the
   addresses allocated as interface addresses on all routers and hosts
   on the LAN, including virtual IP addresses assigned to other HSRP
   groups.
..
.

It is written "SHOULD", not "MUST".

So it could be possible that 199.199.199.2 can be reached from your XP host.

Thanks

Sarah

There is another possibility to consider about why the ping worked. If the PC sends an ARP request for the destination address and the router has proxy ARP enabled (it is enabled by default), then the router can respond to the ARP request and provide a MAC address to be used to forward the packet toward its destination.

[edit] As I re-read the posts I also recognize that you changed the standby address on D4 but you do not describe changing the standby address on C3. If it is still configured with "standby 1 ip 196.196.196.10", then 196.196.196.10 is still a valid gateway address.

HTH

Rick

I only made changes on the active router while C3 was shut down: I configured standby 1 ip 150.150.150.150 on D4 (the active router), then I powered up C3, and C3 learned the new HSRP address as 150.150.150.150.

Thanks a lot!

Hi Rick!

You raised a very good point. Indeed proxy ARP was enabled. But I turned it off, performed my test and got the same result.

Below are the details of my test.

   s0 ---------------- s0 B2 s1 -------------- s0
D4 e0 ---------------- sw ------------------ e0 C3

where D4 e0 is 196.196.196.4, s0 199.199.199.4
C3 e0 196.196.196.3, s0 198.198.198.3
host (XP) has IP address 196.196.196.1, default gateway 150.150.150.150
B2 s0 199.199.199.2, s1 198.198.198.2

--------------------------------------------------------------------------------

D4 (disabling proxy ARP):

D4(config)#int e0
D4(config-if)#ip proxy-arpndby
D4(config-if)#no ip proxy-arp

show standby on D4:

D4#show standby
%SYS-5-CONFIG_I: Configured from console by consolew standby
Ethernet0 - Group 1
Local state is Active, priority 200, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:01
Hot standby IP address is 196.196.196.10 configured
Active router is local
Standby router is 196.196.196.3 expires in 00:00:09

Disabling proxy ARP on C3:

C3(config)#int e0
C3(config-if)#no ip proxy-arp
C3(config-if)#exit
C3(config)#exit

show standby on C3:

C3#show standby
Ethernet0 - Group 1
Local state is Standby, priority 100
Hellotime 3 holdtime 10
Next hello sent in 00:00:00.000
Hot standby IP address is 150.150.150.150 configured
Active router is 196.196.196.4 expires in 00:00:08
Standby router is local

Now we change the hot standby IP address to 150.150.150.150 on D4 and C3.

C3:

C3(config)#int e0
C3(config-if)#standby 1 ip 150.150.150.150
C3(config-if)#exit

D4:

D4(config)#int e0
D4(config-if)#standby 1 ip 150.150.150.150
D4(config-if)#exit

show standby on C3 and D4:

D4#show standby
Ethernet0 - Group 1
Local state is Active, priority 200, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:02
Hot standby IP address is 150.150.150.150 configured
Active router is local
Standby router is 196.196.196.3 expires in 00:00:08

C3#show standby
Ethernet0 - Group 1
Local state is Standby, priority 100
Hellotime 3 holdtime 10
Next hello sent in 00:00:00.152
Hot standby IP address is 150.150.150.150 configured
Active router is 196.196.196.4 expires in 00:00:08
Standby router is local

Now I pointed the Windows XP host connected to the layer 2 switch to 150.150.150.150.

C:\Documents and Settings\zee>ipconfig

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 196.196.196.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 150.150.150.150

Now I ping 199.199.199.2, the IP address of s0 of B2, which is connected to s0 of D4.

C:\Documents and Settings\zee>ping 199.199.199.2

Pinging 199.199.199.2 with 32 bytes of data:

Reply from 199.199.199.2: bytes=32 time=52ms TTL=254
Reply from 199.199.199.2: bytes=32 time=22ms TTL=254
Reply from 199.199.199.2: bytes=32 time=22ms TTL=254
Reply from 199.199.199.2: bytes=32 time=22ms TTL=254

Ping statistics for 199.199.199.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 52ms, Average = 29ms

--------------------------------------------------------------------------------

Is it platform-dependent behavior?

I was just wondering how multilayer switches would behave in a similar scenario.

Thanks a lot!

Hi Sarah,

I just did a simple test setting the HSRP virtual IP to a subnet different from the interface address.

platform: 3640
IOS: 12.4-10a

3640a#sh run int e0/0
Building configuration...

interface Ethernet0/0
 ip address 172.168.1.2 255.255.255.0
 no ip proxy-arp

3640a(config)#int e0/0
3640a(config-if)#standby 1 ip 150.150.150.150
% warning: address is not within a subnet on this interface

As you can see, the IOS does warn you about it.

3640a#sh standby all
Ethernet0/0 - Group 1
  State is Disabled
  Virtual IP address is 150.150.150.150 (wrong subnet for this interface)
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption disabled
  Active router is unknown
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Et0/0-1" (default)

And you can see the state is always going to remain disabled, for obvious reasons.

After setting the default gateway to 150.150.150.150 (pointless, but for the test):

Windows

C:\Users\sty>ping 150.150.150.150

Pinging 150.150.150.150 with 32 bytes of data:
Reply from 172.168.1.3: Destination host unreachable.

So it depends on your router platform and IOS. It has nothing to do with the L3 or L2 switch; the switch is transparent, provided the router and the host are on the same VLAN.

HTH

Lejoe

Thanks a lot Lejoe!

Yes, for the second part, after 15 min I did change the string to avoid the syslog messages "bad authentication from 196.196.196.3 remote router".

But even before I changed the string, the active router and standby router were there.

Then I performed the second lab to demonstrate that indeed the hot standby address can be on a different subnet.

Sarah

What devices are you using in your test? I have just run the initial test against a couple of 3550 switches, and every time I change the authentication text so that the two 3550 switches do not match, within 10 seconds each switch is reporting the standby router as unknown:

SW1

interface Vlan2
 ip address 192.168.1.120 255.255.255.0
 standby 10 ip 192.168.1.124
 standby 10 priority 200
 standby 10 preempt
 standby 10 authentication jon1

SW2

interface Vlan2
 ip address 192.168.1.121 255.255.255.0
 standby 10 ip 192.168.1.124
 standby 10 authentication jon1

SW1#sh standby br
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Vl2         10  200  P Active   local           192.168.1.121   192.168.1.124

then on SW2 change auth to jon2

SW2(config)#int vlan 2
SW2(config-if)#standby 10 authentication jon2

wait 10 seconds then on SW1

SW1#sh standby br
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Vl2         10  200  P Active   local           unknown         192.168.1.124

I need to set up the other test but I need to dig out my router for that so I can have a 3rd device.

Jon
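To make the book's claim and Jon's 3550 result concrete, here is an added Python model (not code from this thread or from Cisco) of the HSRPv1 hello format from RFC 2281 and of an active router that refreshes its standby's hold timer only on hellos whose 8-byte plain-text auth data matches its own. It replays Jon's key-change test above and equally covers Sarah's first question: on such a receiver a mismatched key produces only BADAUTH log lines, so the standby must age out to "unknown" within the 10-second holdtime. Addresses are Jon's; the 3-second hello timeline is constructed.

```python
import ipaddress, struct

# HSRPv1 header from RFC 2281: version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8 bytes of plain-text auth data, 4-byte virtual IP.
HSRP_FMT = "!BBBBBBBB8s4s"
OP_HELLO, STATE_STANDBY = 0, 8

def pad_auth(key):
    # Auth data is the key string zero-padded (or truncated) to 8 bytes.
    return key.encode("ascii")[:8].ljust(8, b"\x00")

def build_hello(state, priority, key, virtual_ip, hello=3, hold=10, group=1):
    return struct.pack(HSRP_FMT, 0, OP_HELLO, state, hello, hold, priority, group,
                       0, pad_auth(key), ipaddress.IPv4Address(virtual_ip).packed)

def parse_hello(pkt):
    _, op, state, hello, hold, prio, grp, _, auth, vip = struct.unpack(HSRP_FMT, pkt)
    return {"opcode": op, "state": state, "hellotime": hello, "holdtime": hold,
            "priority": prio, "group": grp, "auth": auth,
            "virtual_ip": str(ipaddress.IPv4Address(vip))}

class ActiveRouter:
    # The active router's view of its standby peer, driven only by accepted hellos.
    def __init__(self, key, holdtime=10):
        self.auth, self.holdtime = pad_auth(key), holdtime
        self.standby = None  # (peer address, time at which its hold timer expires)
        self.log = []

    def receive(self, src, pkt, now):
        h = parse_hello(pkt)
        if h["auth"] != self.auth:
            # Mismatched key: the hello is discarded with only a syslog line,
            # so it must not refresh the peer's hold timer.
            self.log.append(f"%STANDBY-3-BADAUTH: Bad authentication from {src}")
            return False
        if h["state"] == STATE_STANDBY:
            self.standby = (src, now + self.holdtime)
        return True
    def standby_router(self, now):
        return self.standby[0] if self.standby and now < self.standby[1] else "unknown"

def simulate_key_change():
    # Jon's test on a constructed timeline: peers share jon1, then SW2 moves to jon2.
    sw1 = ActiveRouter("jon1")
    good = build_hello(STATE_STANDBY, 100, "jon1", "192.168.1.124")
    bad = build_hello(STATE_STANDBY, 100, "jon2", "192.168.1.124")
    t = 0
    for _ in range(3):  # one hello every 3 s with the agreed key
        sw1.receive("192.168.1.121", good, t)
        t += 3
    before = sw1.standby_router(t)  # standby still known: 192.168.1.121
    for _ in range(5):  # every hello now carries jon2 and is dropped
        sw1.receive("192.168.1.121", bad, t)
        t += 3
    return before, sw1.standby_router(t), len(sw1.log)  # holdtime ran out: "unknown"
```

A receiver that keeps reporting the peer while logging BADAUTH, as Sarah's 2500s do, is therefore still using the rejected hellos to refresh its timer, which is the behaviour the book says should not happen.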

Let me run my test again, Jon; I will get back to you with the results. I am using Cisco 2500 series routers.

Thanks a lot Jon!

Hi Jon, Lejoe, Rick and languedoc!

Here is the fresh test.

D4 e0 ------------------------ sw ------------------------ e0 C3

Router C3:

interface Ethernet0
 ip address 196.196.196.3 255.255.255.0
 no ip redirects
 standby 1 priority 100
 standby 1 ip 196.196.196.10

Router D4:

interface Ethernet0
 ip address 196.196.196.4 255.255.255.0
 no ip redirects
 standby 1 priority 200
 standby 1 preempt
 standby 1 ip 196.196.196.10

show standby on D4:

Ethernet0 - Group 1
Local state is Active, priority 200, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:01
Hot standby IP address is 196.196.196.10 configured
Active router is local
Standby router is 196.196.196.3 expires in 00:00:08

show standby on C3:

Ethernet0 - Group 1
Local state is Standby, priority 100
Hellotime 3 holdtime 10
Next hello sent in 00:00:02.636
Hot standby IP address is 196.196.196.10 configured
Active router is 196.196.196.4 expires in 00:00:09
Standby router is local

Now I configured the authentication "sarah1" on D4 (active router):

D4(config-if)#standby 1 authentication sarah1
D4(config-if)#e
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standbyx
it
D4(config)#
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standby
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standby
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standby
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standby

Now wait for 20 seconds.

We run show standby on D4 after 40 seconds:

Ethernet0 - Group 1
Local state is Active, priority 200, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:01
Hot standby IP address is 196.196.196.10 configured
Active router is local
Standby router is 196.196.196.3 expires in 00:00:08
D4#
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standby
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standby
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standby
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standby
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standby
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standby
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standby
%STANDBY-3-BADAUTH: Bad authentication from 196.196.196.3, remote state Standby

Though D4 is showing "bad authentication from 196.196.196.3, remote state standby", D4 is receiving the messages, as can be seen from the fact that D4 still knows the standby router is 196.196.196.3.

Jon, I think this behavior is platform dependent.
