Using FHRP for GRE redundancy

Using the following topology:

In this lab I’m going to configure GRE tunnel between R5 to R1-R2 HSRP VIP for redundancy purposes, if R1, which is the active router, fails R2 will establish the tunnel with R5. 

Also I will use OSPF as a dynamic routing protocol between R1-R2-R5.

First let’s start with the FHRP configuration, here is the relevant configuration of R1:

interface FastEthernet0/0  ip address 10.1.123.2 255.255.255.0  duplex auto  speed auto ! interface FastEthernet0/1  ip address 10.1.124.1 255.255.255.0  standby version 2  standby 1 ip 10.1.124.254  standby 1 priority 150  standby 1 preempt  duplex auto  speed auto

And R2:

interface FastEthernet0/0  ip address 10.1.123.2 255.255.255.0  duplex auto  speed auto ! interface FastEthernet0/1  ip address 10.1.124.2 255.255.255.0  standby version 2  standby 1 ip 10.1.124.254  standby 1 priority 110  standby 1 preempt  duplex auto  speed auto

A GRE tunnel is configured between R1 and R2 to R5, here is R1 configuration:

interface Tunnel1  ip address 172.16.0.1 255.255.255.0  ip mtu 1476  ip ospf network point-to-multipoint  ip ospf dead-interval 6  ip ospf hello-interval 2  keepalive 2 4  tunnel source 10.1.124.254  tunnel destination 10.1.45.5  tunnel path-mtu-discovery

And R2:

interface Tunnel1  ip address 172.16.0.2 255.255.255.0  ip mtu 1476  ip ospf network point-to-multipoint  ip ospf dead-interval 6  ip ospf hello-interval 2  keepalive 2 4  tunnel source 10.1.124.254  tunnel destination 10.1.45.5  tunnel path-mtu-discovery

Note that both routers are using the HSRP VIP as tunnel source for the GRE tunnel.

R5 configuration:

interface Tunnel1  ip address 172.16.0.5 255.255.255.0  ip mtu 1476  ip ospf network point-to-multipoint  ip ospf dead-interval 6  ip ospf hello-interval 2  keepalive 2 4  tunnel source FastEthernet0/1  tunnel destination 10.1.124.254  tunnel path-mtu-discovery

Tunnel destination on R5 is pointing R1-R2 HSRP VIP.

Now few more notes regarding the tunnels configuration, first all tunnel interfaces are using 1476 bytes as the correct MTU value (1500-24 (GRE+IP)), then I have configured keepalive for tunnel failure detection, I also changed OSPF hello and dead-interval values for fast re-convergence.

Now let’s configure the routing protocol - OSPF is configured on the tunnel interfaces using point-to-multipoint network mode, R5 advertise network 192.168.51.0/24 while R3 advertise network 192.168.31.0/24, this is the OSPF configuration:

R1:

router ospf 1  router-id 1.1.1.1  network 10.1.123.1 0.0.0.0 area 0  network 172.16.0.1 0.0.0.0 area 0

R2:

router ospf 1  router-id 2.2.2.2  network 10.1.123.2 0.0.0.0 area 0  network 172.16.0.2 0.0.0.0 area 0

R3:

router ospf 1  router-id 3.3.3.3  network 10.1.123.3 0.0.0.0 area 0  network 192.168.31.1 0.0.0.0 area 0

R5:

router ospf 1  router-id 5.5.5.5  network 192.168.51.1 0.0.0.0 area 0  network 172.16.0.5 0.0.0.0 area 0

R5 establish OSPF adjacency with R1 but not with R2 due to tunnel keepalive which prevents R2 to respond to the keepalive hellos:

R5#show ip ospf neighbor Neighbor ID     Pri   State           Dead Time   Address         Interface 1.1.1.1           0   FULL/  -        00:00:04    172.16.0.1      Tunnel1

R1 establish adjacency with R5 through the tunnel interface and with R2 and R3 through the internal network:

R1#show ip ospf neighbor Neighbor ID     Pri   State           Dead Time   Address         Interface 5.5.5.5           0   FULL/  -        00:00:05    172.16.0.5      Tunnel1 2.2.2.2           1   FULL/DROTHER    00:00:39    10.1.123.2      FastEthernet0/0 192.168.31.1      1   FULL/DR         00:00:39    10.1.123.3      FastEthernet0/0

Now let’s start continues ping from R5 loopback 1 to R3 loopback 1 while disconnecting R1 Fa0/1 in the middle:

R5#ping 192.168.31.1 source lo1 repeat 1000 Type escape sequence to abort. Sending 1000, 100-byte ICMP Echos to 192.168.31.1, timeout is 2 seconds: Packet sent with a source address of 192.168.51.1 !!!!!!!!!!!!!!!!!!!!!!!!!!... *Dec  3 12:28:57.311: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Tunnel1 from FULL to DOWN, Neighbor Down: Dead timer expired.. *Dec  3 12:29:00.355: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down... *Dec  3 12:29:06.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up *Dec  3 12:29:07.143: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from LOADING to FULL, Loading Done........!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!. Success rate is 80 percent (68/85), round-trip min/avg/max = 88/200/368 ms

As we can see R5 has lost some packets but then re-establish OSPF adjacency with R2 and continue to ping R3 loopback 1. We can fine tune HSRP and OSPF timers to sub-second and to make the switchover much quicker.

Cisco HSRP state monitor using PRTG

Here is a post which describes how to monitor HSRP state using PRTG network monitor.

Add SNMP custom (see this post for screenshots: http://www.madari.co.il/2014/04/prtg-monitors-pps-on-cisco-routers.html) with the following SNMP OID:

1.3.6.1.4.1.9.9.106.1.2.1.1.15.1.1

The sensor will retrieve integer value which will represent the state of the HSRP group.

And the result:

As we can see the router returns the value “6” which means that he is in active state, a value of “5” will indicate that he is in standby state.

Here is the SNMP object information taken from Cisco SNMP Object Navigator:

Object  cHsrpGrpStandbyState OID        1.3.6.1.4.1.9.9.106.1.2.1.1.15 Type      HsrpState 1:initial 2:learn 3:listen 4:speak 5:standby 6:active Permission          read-only Status   current MIB        CISCO-HSRP-MIB ;   -   View Supporting Images  this link will generate a new window Description         The current HSRP state of this group on this interface.

Separate companies - redundant topology

This one is real life scenario where two companies, which owns two Ethernet lines (50Mb each), want to get separate but keep load-balance, on regular basis, and redundant path in case of failure, for each one of them.

I will use the following topology:

Network setup:

      -          Each Ethernet line is provided with two separate VLAN’s from the service provider

      -          CPE1 represent the companies physical location, two LAN’s, one for each company 

             (Company 1-192.168.11.0/24 and Company 2-192.168.12.0/24)

      -          CPE2 represent some sort of data center where servers, firewalls and internet exit 

             located (Company 1-192.168.21.0/24 and Company 2-192.168.22.0/24)

      -          BGP is used as routing protocol (real customer demand) while I would prefer OSPF or  

            EIGRP which were much suitable for this topology.

      -     HSRP is used between CPE and routers for keeping the default route

I had to use  VRF lite in order to separate the routing tables for each company

After I finished configuring the interfaces, in their correct VRF, I started to configure the BGP and noticed that no neighbor had come up and I started to get the following messages:

*Mar  1 18:14:48.719: %BGP-4-NORTRID: BGP could not pick a router-id. Please configure manually.

And:

R4#sh ip bgp
% BGP cannot run because the router-id is not configured

After a little investigation I saw that the routers don’t have router-ID:

R4#sh ip bgp vpnv4 vrf CO1
% BGP cannot run because the router-id is not configured

BGP table version is 1, local router ID is 0.0.0.0
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf CO1)
*  10.1.34.0/24     0.0.0.0                  0         32768 i
*  192.168.21.0     10.1.34.254              0         32768 i

And this is my conclusion although I didn’t check it for sure so I may be wrong:

The routing process should take the highest IP (first loopbacks the interfaces) as the router-ID, in this situation he couldn’t use any IP because there were in VRF and not in the global routing table.

After configuring  a loopback interface is solved this problem.

the rest of this lab, along with configs and NET map, can be found in the following link:

http://www.4shared.com/rar/2NVMjzxb/CONFIG.html