Wednesday, October 24, 2012

MULTICAST COMMAND REVIEW



224.0.0.0/4 (224.0.0.0 - 239.255.255.255)

224.0.0.0/24 - link local

232.0.0.0/8 - SSM

239.0.0.0/8 - private/admin scope


ip pim rp-address 1.1.1.1 (ACL) (override) - the ACL lists the groups that are mapped to this particular RP; override is to override dynamic mappings.

ip pim spt-threshold (rate in kbps|infinity) - the rate at which it will switch over to the SPT; if infinity, it does not switch over. This is done on the first-hop router of the receiver.

no ip pim dm-fallback - put on PIM sparse-dense mode routers to prevent fallback to dense mode for groups.

pim assert - done on multiaccess segments when two or more routers are delivering the mcast stream. It invokes an election to get one router elected to service the segment. The election is based on lowest admin distance; if tied, lowest metric to the source; if the same, highest IP.

ip pim accept-rp "rp address" "acl of groups" - filtering done on non-RPs to control which RP they will accept for which groups.


pim dr election - decides who will do the registering on a shared segment; traffic has to be incoming. If priority is the same, highest IP wins.

ip pim dr-priority "priority" - used to change the priority of an interface


sh ip pim interface - will show the priority of the interface


ip pim accept-register {list "extended ACL" | route-map "route-map"} - the access list goes like this:

ip access-list extended REGISTER
 permit ip "source-ip" "source-wildcard" "group-address" "group-wildcard"

The purpose of pim accept-register is to filter, on the RP, which sources are allowed to register for which groups.

In multicast tunnelling we need to ensure the tunnel interface has a lower admin distance and/or metric than the underlying network, or use static mroutes, to ensure the RPF check passes.

ip pim nbma-mode - only works with sparse mode. It treats the frame relay multipoint interface as a collection of point-to-point links; it does so by tracking the PIM joins. This gets around the issue of not all hosts receiving PIM messages such as asserts on NBMA media.

ip pim send-rp-announce <interface> scope <TTL> [group-list "std acl"] - used in Auto-RP to advertise a candidate RP to the mapping agent. The group list is a standard ACL used to limit which groups are serviced by the RP. RP advertisements are sent to 224.0.1.39.

ip pim send-rp-discovery <interface> scope <TTL> - sets a router as an MA. It listens for candidate RPs on 224.0.1.39 and advertises to all mcast PIM routers on 224.0.1.40. If there are multiple MAs in the network they hear each other, and every one will cease sending discovery apart from the MA with the highest IP.

MA Rules

  • If it receives announcements for a group from 2 or more candidate RPs, it will select the RP with the highest IP
  • If it receives announcements for 2 different groups where one is a subset of the other, it will send both RPs

For Auto-RP

Need ip pim sparse-dense-mode or ip pim autorp listener - used to propagate 224.0.1.39/224.0.1.40, because 224.0.1.39/224.0.1.40 are dense groups.


sh ip pim rp mapping - used to see RP mappings

ip pim rp-announce-filter {group-list <access-list> | rp-list <access-list> [group-list <access-list>]} - used on the MA to filter which incoming RPs it will accept for which groups

ip pim send-rp-discovery lo0 scope 4 - or the scope can be used to limit the size and set the boundary of the mcast domain

ip multicast boundary <access-list> [filter-autorp] - with a standard ACL, the ACL inspects any PIM/IGMP messages for the group: if there is a match on the group it is allowed, if not it is disallowed. With an extended ACL both source and destination are inspected for a match. With filter-autorp it will inspect Auto-RP messages, and groups that do not match are filtered. The ACL has to be standard if using filter-autorp.


ip pim rp-candidate <pim-enabled-interface> [group-list <standard-ACL>] [interval <seconds>] [priority <0-255>] - advertises a candidate RP for BSR. The group list filters which groups it will service; priority is used when there are multiple RPs. Lowest priority is preferred; default is 0.

ip pim bsr-candidate <interface> [hash-mask-length] [priority] - sets a router as a BSR candidate; the higher the priority, the more preferred the BSR candidate. When the BSR receives advertisements for multiple RPs, unlike Auto-RP it does not elect the RP for a router; it sends the multiple RPs out to each router. The router decides which RP to use for which group. A hashing procedure is done by the PIM routers to ensure that the RPs are decided deterministically, so that we do not have, say, the source picking one RP and the receiver selecting another.
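
The per-router RP selection described above, as an added example (not code from the original notes or from IOS). It uses the hash function of the PIM-SM specification (RFC 4601, section 4.7.2); the candidate RP addresses, group ranges and priorities are constructed sample values.

```python
"""Group-to-RP selection run by every PIM router on the RP set a BSR floods."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class CandidateRP(NamedTuple):
    address: str        # C-RP address (from "ip pim rp-candidate")
    group_range: str    # groups it services (its group-list), as a prefix
    priority: int = 0   # lower value is preferred


def hash_value(group: str, mask_len: int, rp: str) -> int:
    """Value(G, M, C) from RFC 4601 section 4.7.2, IPv4 form."""
    g = int(ipaddress.IPv4Address(group))
    # hash-mask-length turned into a 32-bit mask; 0 gives an all-zero mask
    m = (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF
    c = int(ipaddress.IPv4Address(rp))
    inner = (1103515245 * (g & m) + 12345) ^ c
    return (1103515245 * inner + 12345) % (1 << 31)


def select_rp(group: str, rp_set: List[CandidateRP], mask_len: int) -> Optional[str]:
    """Pick the RP for one group; every router with the same RP set agrees."""
    g = ipaddress.IPv4Address(group)
    covering = [rp for rp in rp_set if g in ipaddress.IPv4Network(rp.group_range)]
    if not covering:
        return None  # no candidate services this group
    # 1. longest match on the advertised group range
    longest = max(ipaddress.IPv4Network(rp.group_range).prefixlen for rp in covering)
    covering = [rp for rp in covering
                if ipaddress.IPv4Network(rp.group_range).prefixlen == longest]
    # 2. lowest priority value wins
    best = min(rp.priority for rp in covering)
    covering = [rp for rp in covering if rp.priority == best]
    # 3. highest hash value, ties broken by highest RP address
    winner = max(covering, key=lambda rp: (hash_value(group, mask_len, rp.address),
                                           int(ipaddress.IPv4Address(rp.address))))
    return winner.address


def rp_map(groups: List[str], rp_set: List[CandidateRP], mask_len: int) -> Dict[str, Optional[str]]:
    """Group-to-RP table, comparable to the output of an RP mapping display."""
    return {g: select_rp(g, rp_set, mask_len) for g in groups}


# Constructed RP set as flooded by the BSR (sample values, not from the notes)
RP_SET = [
    CandidateRP("150.1.5.5", "224.0.0.0/4", 0),
    CandidateRP("150.1.8.8", "224.0.0.0/4", 0),
    CandidateRP("150.1.10.10", "224.0.0.0/4", 10),   # worse priority, never chosen
    CandidateRP("150.1.9.9", "239.1.1.0/24", 200),   # more specific range
]

if __name__ == "__main__":
    sample_groups = ["225.1.1.1", "225.1.1.2", "232.5.5.5", "239.1.1.5"]
    for grp, rp in rp_map(sample_groups, RP_SET, mask_len=30).items():
        print(f"{grp:12} -> {rp}")
```

A source-side router and a receiver-side router that hold the same RP set and hash mask length always compute the same RP for a group, whatever order the candidates arrived in.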


ip pim bsr-border - used on an interface to stop flooding of PIM messages. Used at network boundaries.


R1

int fa0/1

ip igmp helper-address 155.1.0.5 - stub router with little memory

R2

access-list 22 deny 155.1.0.3

access-list 22 permit any

int s0/0

ip pim sparse-mode

ip pim neighbor-filter 22

The above config is used for setting up a stub router. On the stub router (R1) we use igmp helper-address to forward the mcast IGMP joins. On R2, the router that is processing IGMP for the stub, we need to ensure that it does not form a PIM adjacency with R1, so we apply an ip pim neighbor-filter. R1 is configured with PIM dense mode to ensure it floods all mcast traffic received to the segment.


ip igmp limit "number" - can be applied globally or at interface level. At interface level it limits the number of IGMP groups joined on the interface. Applied globally it limits the number of groups joined by directly connected receivers.

ip access-list standard IGMP_Filter

permit 239.1.1.0 0.0.0.255

int fa0/1

ip igmp access-group "acl" - used to filter IGMP joins to groups, in this case on int fa0/1

sh ip igmp int

ip igmp query-interval "seconds" - on multiaccess segments one router is elected designated querier by lowest IP; the other routers on the segment listen for queries, sent at the query interval. Also used to query for group membership.

ip igmp querier-timeout <seconds> - sets the timeout before the other router on the segment will take over the querier role

ip igmp query-max-response-time <seconds> - the maximum time we will wait for a receiver to express interest in a group before we close it off.

ip igmp last-member-query-count & ip igmp last-member-query-interval "milliseconds" - IGMPv2 introduced the leave message, sent when a host leaves a group. On receiving it the querier generates a last-member query to check if anyone is still interested in the group. The query count is how many queries it will send without a response before closing off the group.

ip igmp immediate-leave group-list "access-list" - covers the situation where you know you only have 1 source on the interface, so if you receive a leave you want to close the group off rather than doing last-member queries.

Below is an example of converting a bcast to mcast, then receiving it on another remote segment and converting it back to bcast.


Router on the segment receiving the initial broadcast, converting it to an mcast address


ip forward-protocol udp 5000

ip access-list extended Traffic

permit udp any any eq 5000

int fa0/0

ip multicast helper-map broadcast 239.1.1.100 Traffic



Router on the remote segment, converting mcast back to bcast



ip forward-protocol udp 5000

ip access-list extended Traffic

permit udp any any eq 5000

int fa0/0

ip directed-broadcast

ip broadcast-address 155.1.37.255

int s1/0.1

ip multicast helper-map 239.1.1.100 155.1.37.255 Traffic


Notable things: with the multicast helper-map broadcast we convert broadcasts, which are restricted down to bcasts on port 5000 via the access list Traffic, to 239.1.1.100.

On router 2 we receive mcast 239.1.1.100 and convert it to 155.1.37.255; we limit it down to port 5000 with access list Traffic. Then, to specify the bcast address as 155.1.37.255, we use ip broadcast-address 155.1.37.255; otherwise it assumes a bcast of 255.255.255.255. We could customise to another address rather than 155.1.37.255.


Debug ip mroute – to debug mcast traffic

no ip mroute-cache - on interfaces; similar to changing to fast switching, used to view debug output for transit traffic

ip multicast rate-limit {in|out} [group-list <acl>] [source-list "acl"] [limit in kbps] - used to rate limit multicast. Using group-list you can limit particular groups, or using source-list particular sources. So you could have one rate limit for group A and a different one for group B.

ip pim bidir-enable - enables bidirectional PIM: only (*,G), no (S,G). Traffic always flows through the RP with no switchover to the SPT, and traffic can go bidirectionally. For many-sources-to-many-receivers environments.

ip pim rp-address <ip> <acl> bidir - statically configuring an RP address for bidir


ip pim send-rp-announce <interface> scope <ttl> group-list <acl> bidir - using Auto-RP for a bidir RP candidate


ip pim rp-candidate <interface> group-list <acl> bidir - using BSR for a bidir RP candidate

ip pim ssm {default | range "acl"} - global command. Enables source-specific multicast on a router. With default it uses the default SSM range of 232.0.0.0/8, while with range you specify an ACL for the SSM addresses. SSM does not create (*,G), only (S,G), and does not need an RP; it needs IGMP version 3 to be running.

ip igmp version 3 - enables IGMPv3 on an interface

ip igmp join-group "group address" source "source address" - makes an interface join an IGMP multicast address

ip msdp peer 150.1.1.1 connect-source lo0 - used when there are multiple RPs, to keep them in sync as regards registers from sources and joins from receivers

ip msdp mesh-group GROUP1 150.1.1.1 - used when RPs are meshed and we get into a scenario where, for example, an RP advertises a group, another RP receives it and advertises it to another RP, who sends it back to the original RP. This will be OK as the RPF check will eventually get rid of it, but to optimize we can use mesh groups.

sh ip msdp sa-cache - to view the multicast group cache on an RP running MSDP

access-list 150 deny ip any 239.0.0.0 0.255.255.255

access-list 150 permit ip any any

ip msdp sa-filter out 150.1.1.1 list 150 - so this filters any private admin scope SA advertisements being sent out

When running multicast across ASes we can run into RPF check issues. To get around this, multicast BGP was brought in. When we enable mcast BGP, the RPF check first checks the static mroutes, then the BGP table, then the unicast table. So we get around RPF issues by using BGP routing. We can influence the paths taken using the typical BGP mechanisms: weight / local pref / MED / AS path.

router bgp 1

address-family ipv4 multicast

neighbor 155.1.3.2 activate

network 150.1.29.1 mask 255.255.255.0

Anycast RP is two or more RPs advertising the same interface address, so say 1.1.1.1 on a loopback being advertised.

Anycast RPs run MSDP between each other; clients register with the closest RP and we have redundancy.

ip igmp snooping - typically switches flood all mcast traffic to all ports, treating it as unknown bcast. With IGMP snooping the switch keeps track of all IGMP joins; it reads the mcast packets and creates an mcast CAM so we can send just to interested receivers rather than all ports. It is on by default.

We can be specific and turn it off generally and on for a particular VLAN

ip igmp snooping vlan "xx"

ip igmp snooping vlan "xx" static "group address" interface "int" - enabling a static join for a port

ip igmp snooping tcn flood query count "count" - if a host changes port it generates a TCN; this will flood mcast traffic for the period of the count

no ip igmp snooping tcn flood - to disable this flooding behaviour

ip igmp profile 1

permit/deny

range 239.0.0.0

int fa0/1

ip igmp filter 1 - applies the IGMP profile to the port. IGMP profiles are used for filtering IGMP at a layer 2 port. They are either permit or deny: permit allows the group but only that group; deny disallows the specified group but allows all others.

ip igmp max-groups "nn" - limits the number of groups allowed to join on the interface

ip igmp max-groups action deny | replace - so new groups are either denied once the max is reached or replace existing ones once the max is reached

mvr

mvr vlan "xx"

mvr group "group address"

mvr querytime 15 - so mcast floods to a specific VLAN; then when joins are sent from ports in different VLANs they are intercepted, get access to the MVR traffic VLAN and receive the mcast flow. Multicast does not have to be enabled on the switch. Used a lot in metro ethernet environments.

For source ports we use mvr type source; for receiver ports in other VLANs, mvr type receiver

IPv6 multicast uses the reserved range ffxy::/8

where x = flags, y = scope

Scopes are 1 = node, 2 = link, 5 = site, 8 = organisation, E = global



Sample addresses are ff02::1 - all nodes, ff02::2 - all routers,

ff05::2 - all routers, ff05::1:3 - all DHCP servers



ipv6 multicast-routing - enables PIM on all interfaces by default; to turn it off, go to the interface and do

no ipv6 pim

sh ipv6 mld interface - MLD replaces IGMP; MLDv1 copies IGMPv2, MLDv2 copies IGMPv3

ipv6 mld limit "number" - limits the number of groups that can be joined on the interface

ipv6 mld query-interval - MLD query interval for groups

ipv6 mld querier-timeout

ipv6 mld query-max-response-time

ipv6 mld access-group - all the same functions as the IGMP equivalents

ipv6 pim rp-address "ipv6" - manually specify the RP address on PIM routers

ipv6 pim bsr candidate rp <ipv6> - candidate RP for BSR; there is no Auto-RP in IPv6

ipv6 pim bsr candidate bsr <ipv6> - candidate BSR

ipv6 pim bsr announced rp "ipv6" - statically configure an RP address on the BSR for distribution

show ipv6 pim range-list - replacement for sh ip pim rp mapping

sh ipv6 pim neighbors - instead of sh ip pim neighbors

int fa0/1

ipv6 mld join-group ff0e::1 - manually join an interface to a group

sh ipv6 pim bsr election - view the multiple candidate RPs on the BSR



ff7Y:0ill:<64-bit RP prefix>:<32-bit group ID> - embedded RP address

Y = scope, ll = 8-bit RP address prefix length, i = 4-bit interface ID

e.g.

RP address 2001:150:1:4::4/64 becomes



ff7E:0440:2001:150:1:4::1

So to break it up:



ff 7 | E is the scope | 04 - 4 is the interface ID | 40 is /64 in hex | 2001:150:1:4:: is the IPv6 address
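
The embedded-RP layout above, worked in both directions as an added example (not code from the original notes): building the group address from an RP address and recovering the RP from a group address, following the RFC 3956 field layout. The function names are hypothetical; the first sample uses the RP address from the notes and the others are constructed.

```python
"""Embedded-RP group addresses (RFC 3956): encode an RP into ff7x:0ill:... and back."""
import ipaddress
from typing import Optional

EMBEDDED_RP_FLAGS = 0x7  # R, P and T flags set: the "7" in ff7x


def embed_rp(rp: str, plen: int, scope: int, group_id: int) -> ipaddress.IPv6Address:
    """Build the multicast group address that carries this RP address."""
    rp_int = int(ipaddress.IPv6Address(rp))
    riid = rp_int & 0xF                      # 4-bit RP interface ID
    if not 1 <= plen <= 64:
        raise ValueError("RP prefix length must be 1..64")
    if riid == 0:
        raise ValueError("RP interface ID (last 4 bits of the RP) must be 1..15")
    if not 0 <= scope <= 0xF or not 0 <= group_id <= 0xFFFFFFFF:
        raise ValueError("scope is 4 bits, group ID is 32 bits")
    # keep only the first plen bits of the upper 64 bits of the RP address
    prefix = (rp_int >> 64) & (((1 << plen) - 1) << (64 - plen))
    if (prefix << 64) | riid != rp_int:
        raise ValueError("RP must be <prefix>, then zeros, then the 4-bit interface ID")
    value = ((0xFF << 120) | (EMBEDDED_RP_FLAGS << 116) | (scope << 112)
             | (riid << 104) | (plen << 96) | (prefix << 32) | group_id)
    return ipaddress.IPv6Address(value)


def extract_rp(group: str) -> Optional[ipaddress.IPv6Address]:
    """Return the RP embedded in a group address, or None if it carries none."""
    g = int(ipaddress.IPv6Address(group))
    if g >> 120 != 0xFF:
        return None                          # not an IPv6 multicast address
    if (g >> 116) & 0x7 != EMBEDDED_RP_FLAGS:
        return None                          # ordinary group, no embedded RP
    riid = (g >> 104) & 0xF
    plen = (g >> 96) & 0xFF
    if riid == 0 or not 1 <= plen <= 64:
        raise ValueError("malformed embedded-RP group address")
    prefix = (g >> 32) & 0xFFFFFFFFFFFFFFFF
    prefix &= ((1 << plen) - 1) << (64 - plen)   # bits past plen are not part of the RP
    return ipaddress.IPv6Address((prefix << 64) | riid)


if __name__ == "__main__":
    grp = embed_rp("2001:150:1:4::4", plen=64, scope=0xE, group_id=1)
    print(grp.exploded)        # the ff7E:0440:2001:150:1:4::1 address from the notes
    print(extract_rp(str(grp)))
    print(extract_rp("ff0e::1"))   # plain global-scope group: no RP embedded
```

Because any router can derive the RP from the group address alone, a group address of this form names its RP directly.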















Sunday, September 30, 2012

PFR REVIEW QUESTIONS

PFR
What is the difference between load balancing and load sharing?
What is the job of the MC in PfR?
What is the job of border routers?
What are the requirements for PfR as regards internal and external interfaces?
Is this requirement per device?
What happens if PfR is not specified on an interface?
What is the requirement for routing in PfR?
How would you define a border router connecting to a master of 2.2.2.2?
How could you define MD5 authentication for this?
What do we need to define on the MC for border router R1 1.1.1.1 and border router 3.3.3.3?
How can you check on the master if the connections have been successfully established?
What would you use to define a max difference of 20 percent in utilization?
What is the difference between passive and active mode + which existing IOS features do they use?
What is the default monitoring in PfR?
How could we say to only monitor utilization?
What is the default mode control for PfR?
How can we change this to be active in routing?
What is the backoff value in PfR?
How would you set PfR to automatic learning based on throughput?
How would you set it so it continuously monitors and does not stop and take breaks?
What is the default high utilization?
What tag does PfR assign the static routes?
What can we use this tag for?
How could we tell it under auto learn to evaluate the BGP table rather than the CEF FIB?
What is the parent route issue in PfR?
What types of routes can parent routes be?
How could we tell PfR to only auto learn www?
How could we in auto learn tell PfR to only look at ICMP traffic destined to 5.5.5.5?
How do you turn on logging for PfR?
How can we disable auto learn?
How could we tell PfR to aggregate /24?
What is a learn list + how do we define it?
How can we use PBR mode?
How do we match traffic in PBR mode?
What is important about the ACL in PBR mode?
What must we set?
How do you view the PBR route map on the border routers?
What are the requirements when we have multiple border routers?
What do we need to define on the OER master for this interface?
How could we change PfR to only account for delay, not throughput?
What is the difference between the relative delay threshold and the absolute?
What is mode fast?
What is a link group + how do we define link groups?
What is flexible NetFlow?
What 4 steps do we need to take to apply flexible NetFlow?
What is the difference between a match and a collect statement?
How can we define flexible NetFlow to integrate with PfR?

Wednesday, September 26, 2012

Security Review

How would we set authentication on the console to use the locally configured username + password?
How could we configure authentication by telnet to only need a password?
How could we configure a user trying to go into enable mode to be authenticated by TACACS and fall back to local?
How could we configure a failed login to generate "Sorry Authentication failed"?
How do we define a TACACS server with a password of cisco which uses source int lo0?
How could we authorize the console connections by TACACS then fall back to local?
How could we authorize locally all ip options on interface to a user with privilege level 6?
How can we use RBAC to give specific access to a user named Eoghan to allow him to run all debug commands?
How do you combine RBAC access?
How can we do lockout after 3 attempts?
What is quiet mode and how can we configure a way around it?
How could we get a failure logon every 3 attempts?
How could we delay each login attempt by 4 tries to prevent dictionary attacks?
Limit a user named Eoghan so he can only telnet from a router to 1.1.1.1 port 80?
Limit telnet sessions inbound to the router to only from 2.2.2.2?
How would you match the even 2nd octets out of these 5 addresses 112.1.0.0 112.2.0.0 112.3.0.0 112.4.0.0 112.4.0.0 112.4.0.0 112.5.0.0?
What are the traceroute UDP ports?
What is used in the path MTU discovery process and what message is generated?
What error/return messages are generated by ICMP?
How can you change the logging of an access list to log every 4th hit?
How can you stop ICMP from sending back unreachable info?
How could you drop traffic if it entered a specific interface and is leaving on another specific interface, so limit traffic to, say, entering s0/0 and leaving fa0/0 only?
How can we allow return traffic using a reflexive access list, say ICMP?
When denying traffic inbound what must we take into account?
Why do we not need to take this into account outbound?
If I ping from a router which has a reflect access list, how can I account for this with the reflect ACL?
I want to give access to HTTP server 1.1.1.1 but only if the user authenticated to a router 2.2.2.2; how would I configure this?
I want to set it so the connection times out every 15 min?
I want to limit access to the web server 1.1.1.1 from a user in the 3.3.3.3 subnet to weekdays 6pm to 9am?
If I have 4 (1 to 4) switches connected in full mesh and I want to implement a VLAN access map to filter, where should I implement this?
How could we create a VLAN access map to allow TCP but deny everything else and apply it to VLAN 20?
In port security what do we need to watch out for with sub interfaces in different VLANs?
How do you set a timeout on port security entries?
How do you set the port security mode, whether it shuts down the port etc?
Which action logs and which action does not log when port-security rejects?
How can we configure auto recovery for port security shutdown ports?
Where do you enable DHCP snooping trust?
How can we protect the DHCP database against reboot?
How could I limit requests on a non-trusted port?
What does DHCP snooping do with giaddr?
What issues does it cause and how can we resolve them?
How do we put a static entry for 150.1.1.1 to MAC 000d.2fee.bcef.0000 in ARP inspection and when would we do this?
How do we enable ARP inspection and include the static entry?
What is IP source guard for?
How do we create a static entry for 150.2.2.2 in IP source guard?
How do we enable IP source guard?
On a layer 2 port apply a filter to int gi1/0/1 to only allow ethertype 0x806 and ICMP?
What is the command to put a port under 802.1x control at interface mode and at global config mode?
How would you set 802.1x to send requests to a RADIUS server?
How could we limit ICMP to 100 pps in CPP?
What are the differences between CPP and CPPr?
What are the 3 interfaces in CPPr?
How could we match all closed ports with CPPr?
What is notable about routing protocols and ports?
How could we apply a queue limit of 50 to HTTP?
Is there a way of globally not allowing IP options?
How could we at interface level disallow IP source routing?

Using NBAR, match any HTTP request which ends in .pfd or .txt and drop it?
What is the difference between uRPF strict and loose mode?
Why would we use loose?
What is the command to configure each?
What modes are in TCP intercept + how do they differ?
How could you configure passive mode to limit incomplete connections to 100, and if they drop below 80 reallow?
Also set the connection timeout?
How could we allow return traffic for FTP using CBAC; what is special about FTP such that reflexive would not work?
How can we set a global setting for CBAC for a DNS timeout of 10 seconds compared to interface specific?
How would we account for custom ports in CBAC, say 8008 for internet?
How do we apply CBAC to an interface?
How do you define a security zone and an inside zone?
How could we allow return traffic in ZBFW?
How do we assign an interface to a zone?
Can inside speak to outside by default?
Can outside speak to inside by default?
How would we allow outside transit traffic into inside?
How do we apply a parameter map + what is it?
Why would we need a key for Cisco IPS definitions?
What if the key was on another router; how could we copy it across?

How could we limit IPS to check traffic to host 5.5.5.5?

How could we tell IPS to syslog violations?
How could we disable all signatures + why would we do this?
How can we enable an individual signature?
How do we apply IPS to an interface?
How do you copy a .pkg into your IPS database?
How can we make an event action in IPS?
If all hosts are in VLAN 20, which is isolated, can they communicate with each other?
If all hosts are in VLAN 30, which is community, can they speak to each other + can they speak to community VLAN 40?
How would we assign the primary VLAN?
How can you configure the above VLAN 10 as the primary port?
What is the limit with protected ports?
When unknown traffic comes in, will it flood out on a protected port + could another protected port receive it; how do we get around this problem?
How do you configure storm control to limit unicast to 80 percent of the bw?



Tuesday, September 18, 2012

QOS REVIEW QUESTIONS





What is the formula for the IOS weight for WFQ?
What is the virtual scheduling time + how is it calculated?
What is the queue tail time for a new packet in a new flow?
What is CDT in WFQ?
How do we enable WFQ on an interface?
Using legacy tools how would you reserve 128kb for ports 16384 to 32766?
What weight does the reservation get in fair queue?
Where would you see the weighting in the CLI?
With legacy tools how would you prioritise 128 kb for ports 16384 to 32766?
Do a legacy custom queue to allow for 3 protocols: RTP (60 byte packets), ICMP (100 byte packets), TCP (160 byte packets). RTP should get 30 percent, ICMP should get 10 %, TCP should get 60 percent?
What is assigned to queue 0 in custom queuing?
How do we assign a priority queue to the legacy custom queue?
How do we do legacy priority queuing given we want UDP RIP at the top, HTTP in the middle, and lowest would be traffic going to 10.229.11.11?
How does priority queuing work as regards allocation to queues?
Enable legacy WRED; the weight constant should be 4, it should start dropping at 11 packets and tail drop at 12 for prec 6
What is flow-based WRED and how do we enable it?
What goes to the SPD extended headroom queue?
What goes to the SPD headroom queue?
What happens if either queue fills?
How would you set the threshold for SPD?
What is the difference between SPD in normal mode and SPD in aggressive mode?
What payload compression uses min CPU but high memory + how do you configure it?
What payload compression uses high CPU but little memory + how do you configure it?
How do you enable payload compression on a particular DLCI?
How could we get around an issue with small packets + large packet headers for both TCP and RTP?
How do you apply this and how do you limit connections?
How do we configure multilink and interleave to a max delay of 10ms for packets?
What is the formula for fragment size?
How do you configure legacy traffic shaping, first affecting all traffic and secondly affecting a subset?
What's the Bc in GTS if you have CIR 128k and Tc 10 ms?
What is the problem with setting Bc to 1000 bytes if your average packet is 1500 bytes? How does IOS get around this problem?
What is the solution to deal with under-sending when there are periods of quietness in the transmission?
Maximum burst for Be?
What is Be set to in GTS if it is not specified?
How can we use legacy rate limiting to limit access to a host 150.1.1.1 to 256000; if the traffic conforms it should be set to prec 1, if it does not it is set to prec 0
What is the Bc in legacy rate limiting for 128kb at 10ms Tc?
What is Bc when we use the drop option in legacy CAR?
If we do not specify Bc in legacy CAR what is it set to?
What would be the usual Be value?
How could you with 1 line match IP prec 4 and 6 in CAR?
What is FECN?
What is BECN?
How do we enable the router to use FECN?
How do we enable GTS on a frame relay interface?
What is the min rate + how do we enable it?
How would we traffic shape a particular DLCI using legacy commands?
How could we get the router to use FECN and BECN on a singular DLCI?
How could we change a VC to use fair queue using legacy commands?
How could we use PQ at per-VC level using legacy commands?
How could we use CQ at per-VC level using legacy commands?
How can we fragment at per-VC level using legacy?
How do you work out the size of the fragment using legacy?
How do you apply per-VC RTP priority using legacy?
How do you apply TCP header compression to multiple DLCIs bar one using legacy?
How do you limit the frame relay pseudo bcast queue?
What is the legacy way of setting DE marking, say for all packets gt 64?
How would you match ICMP with a packet length of 1001 using MQC?
What is the policed rate for a bandwidth 128 reservation?
What weight do specific classes get in CBWFQ?
How could we make a template of bandwidth reservation given we have multiple different speed interfaces?
How would you apply priority for a traffic class and give all the remaining bw to another class?
How does priority reservation behave during congestion vs when the network is not congested?
How do you apply MQC WRED?
How would you change a class-default queue to be FIFO?
What is ECN and how do we apply it?
Create MQC GTS with CIR 384k and Tc 20 ms?
What is Be if not specified in MQC GTS?
If we are using CBWFQ bw reservation etc and we want to shape to 384k CIR, how would we do it?
Police HTTP to 128000 with 200 ms Tc; if it keeps to CIR set prec 0, if it goes over set prec 0, if it goes over burst drop it?
What type of policer is the above?
How does Be behave in this type of policing?

OK, we have 3 routers on a LAN segment: R1, R2 and R3. R1 wants to limit overall traffic to 128k and it also wants to limit R2 to 64000 and R3 to 6400; how would we configure this?
We have been told by our provider our CIR is 64k and PIR is 128k. Our CIR burst is 300 mbs while our PIR burst is 400 ms
How are the CIR and PIR buckets filled?
Shape HTTP traffic to a peak rate of 128k?
What is the formula for PIR in shaping?
We want to do a template for MQC policing to apply to different speed interfaces; how do we do this?
How do we account for TCP small payloads with large packet headers; is there a way to optimize using MQC?
How do you shape a singular DLCI using MQC and no legacy commands?
In the above, set DE on all traffic?
How can we use MQC with legacy FRTS?
How can we set a fragment of 480 on an interface?
We have a guaranteed rate of 128k and a PIR rate of 192k on our frame relay circuit. The only delay-sensitive traffic we send is voice. But we do not want to shape to 128k just to keep voice in the CIR. We only want to shape to 128k when voice is in the queue; how can we do this?
How do you do fragmenting and interleaving with MQC?
How can you ensure GRE traffic is not considered just one flow by MQC and receives proper QoS treatment?

How does an RSVP router reserve from host x to host y; what messages does it use?
Reserve 64k of a 96k link using RSVP?
what weight does rsvp?
How can we keep track of RSVP on a shared ethernet segment?
What weight does RSVP get?
What is AF13 in decimal?
What is the AF13 IP precedence value?
What is drop preference?
How can we map CoS to DSCP on ethernet switches so that CoS 2 is changed to DSCP 26?
How can we map IP prec to DSCP so that IP prec 5 is DSCP 46?
What is the default incoming marking action when mls qos is not enabled?
What is the default incoming marking action when mls qos is enabled?
How could we trust DSCP in from a router on the switch?
How could we remark all CoS values to 4 coming in an interface?
How could we trust IP prec but remark all CoS to 4?
For untagged packets how can we mark CoS 1?
How can we reset DSCP but pass CoS?
How do you read sh mls qos int fa0/16 stats?
How would you at layer 2 set IPX traffic to DSCP EF?
We want to apply a QoS policy to all ports in a VLAN; what is the best way to do this and how would you configure it?
Apply policing at layer 2 to police to CIR 128k
What command do you need to allow setting CoS in an MQC class map?
If traffic exceeds we do not want to drop but remark to CS2; how do we do that?
S1 and S2 are connected and we have set to trust DSCP incoming on the port connected to a router on S1; when it gets to S2 it has default marking. What is the problem?
We want to limit all classes in MQC to 128k shaped; how do we do that?
How many ingress queues are there on a 3560 switch interface?
How can we assign CoS 5 to queue 1 and all other CoS values to queue 2 on ingress queues?
How can we set a PQ?
How does the PQ work with bw assigned?
What configurable thresholds are there on ingress?
How many queues are there on an egress interface on the 3560?
What is the difference between shaped round robin and shared round robin?
How do you enable shaped round robin?
How do you set a PQ on the 3560 and what queue number is it?
How can we limit the egress sending rate?
How can we map DSCP/CoS values to queues on egress?
What is a queue set and how do you configure it?
How on input could we change CS 0 to CS 1?
How could we match .txt or text with NBAR?





 

Route Redistribution EEM Multicast Review Questions

Route Redistribution
What routes are redistributed?
When do we need to further investigate route redistribution parameters?
How does OSPF prevent issues inbuilt?
When do we generally have issues with redistribution?
What are the rules for redistribution (4 rules)?
How do you verify with TCLSH?

EEM
How do you see what version of EEM you are running?

Write an applet that will not allow eigrp or ospf in the CLI; when a user attempts it, it should write a message saying "no eigrp or ospf". It should then send a mail to the admin via the mail server 10.0.0.100; the sender name should be r5@ine.com and the email address it is sending to is dropboX@ine.com

Write an applet that restores the startup config when a user types help; it should also say "have no fear"

Write an applet that hides all i in the running config when a user types sh run

Write an applet that, when the interface usage hits 100 percent, applies a preconfigured control plane policy called ICMP in the inbound direction

Write an applet that, when a user creates a loopback interface, accepts it but puts the loopback into the shutdown state. It should then save the config. Then it should write a message that "lox loopback command executed" where x is the loopback number?

Multicast
What is the full mcast address class??
What is the link local range??
what is the source specfic range??
what  is the admin scope??
What protocol number is IGMP?
What are the igmpv1 messages?
What did igmpv2 add to igmpv1??
What did igmpv3 add ??
How does the rpf check work??
What is the difference between the source and the oil interfaces??
What mcast address does pim use??
What are the dense mode messages + how do they work
How do (*,G) and (S,G) work in dense mode??
When does a prune occur in dense mode??
Does (S,g) remain after prune
What is default dense mode flood interval??
How do prunes work on multiaccess segments where one source wants traffic and the other does not??
What is pim assert + how does the election elect??
What is state refresh??
How can you see briefly how many packets were received + how many were forwarded in mcast??
What mcast address does igmpv3 use??
What is T bit meaning in mcast?
What does a null outgoing interface mean in dense mode??
Describe the dense mode from igmp join??
What is the difference between source based tree and shared based tree?
What is the RP job in sparse mode?
What will the first hop router do in sparse mode when it hears mcast traffic from a source??
In the above case what will be the state of (S,G) and (*,G) on all the routers
How is the DR elected and what is it function in sparse mode??
What does the last hop router do when it receives an IGMP Join??
What routers will know of the (S,G) and (*,G) when an IGMP Join is received and processed (in the case there is no sender)??
How does the switchover to the shortest path tree work??
Can we configure it not to switch over + how + where do we configure it??
Limit this so that only the admin scope addresses do not switch to the shortest path tree?
How do you statically configure RP address??
How do you view the configured RP address for groups??
How can you change the PIM DR priority for an interface??
In the case we have no source but receivers, what will the incoming interface and outgoing interface list be on the RP?
How do we specify a potential RP in AutoRP??
How do we specify a mapping agent in AutoRP + what is its role??
How could we allow for redundancy not using anyrp??
How do we assign a mapping agent??
What multicast address do RPs use to communicate to the mapping agent in AutoRP?
What address does the MA use to speak to all PIM routers??
What is the recursive issue in AutoRP??
How do we resolve this issue (2 solutions)??
If the MA receives multiple RPs how does it decide which to use??
What is mtrace??
What issue can we face when testing by ping "group" from a router on segment?
Do a config so that we split the groups serviced by the RPs: R4 services 224.0.0.0 - 231.255.255.255,
R6 services 232-239.255.255.255? The config should be done on each RP
Do a config on the MA so we will only advertise 224-231.255.255.255 out for R4 RP and 239.255.255.255 out for R6;
all other RPs attempting to service any groups should be denied
What is a BSR router and how do you enable a BSR router?
How do you advertise an RP in BSR?
How do you create a boundary in BSR?
How do you create a boundary in AutoRP?
When you do a debug what do you need to do on the interfaces so you can see mcast traffic transiting the device??
How do frame-relay main interfaces process multicast/bcast??
What happens on NBMA partial mesh when a spoke sends a join??
What happens on NBMA partial mesh when one spoke prunes in dense mode?
What happens when one spoke is the source of the traffic and the other spoke is the listener??
How can you overcome these issues + how does it work + has it limitations??
When would you use bidirectional PIM??
When a source comes online in bidirectional PIM what (S,G) (*,G) entries will we see in the transit path?
How does bidirectional PIM prevent loops??
What is the DF in bidirectional PIM + how is it elected??
How do we enable bidirectional PIM?
What routers do we need to enable it on??
What is SSM??
How does it work and what are its requirements??
How do you enable RP in SSM??
What is address range for SSM??
What will be the state of (S,G) (*,G) in the transit path of routers when receivers/senders come online?
How do you enable SSM??
How would you enable SSM with different range than default??
How do you test SSM from the source?? 
What is MSDP??
How do you enable msdp??
How do you optimize but potentially lose redundancy in MSDP?
What will an RP do if it has no receiver and it receives an SA + how can we see this on the CLI?
How does multicast BGP work??
How do you configure MULTICAST BGP??
How can you view mcast bgp routes?
R1 is originating mcast traffic in AS1 and the receiver is R3 in AS3. R3's shortest path to AS1 is direct; it also has another
option of going through AS2. How would we influence the mcast traffic to go the longer path via AS1 without interrupting any other
normal traffic flow??
How does anycast RP work??
What is the requirement for anycast RP to ensure that the RPs are kept in sync??
What is the default time it takes, if 1 RP goes down, for the other RP to service the group??
What address should the mcast routers point at for RP??
How can we get around having non mcast routers in the transit path between 2 multicast routers??
What do we need to configure to enable this??
What is there to watch out for re the RP address and reachability?
When you have RPF failures what is wrong with just doing ip mroute 0.0.0.0 0.0.0.0 pointing at the interface you want to receive on?
What is the difference between igmp static group and igmp join? When should each be used + what are the commands?
What would you do if you were required to receive mcast on a segment but you had a bad connection and a low-end router?? + How do you
configure it?
You have an old UDP application that broadcasts; it needs to be received on a vlan downstream. Do this without bridging; it should
be received on the segment as broadcast. UDP port 2222
How can we limit who a router forms pim adjacency with??
How can we limit on a non-RP what RP address it will use for a specific group??
How can we limit the bw for a feed to 239.0.0.1?
What is the MAC address range for multicast??
What bits are fixed and what are available for multicast groups?
How do switches treat multicast traffic?
How does IGMP snooping work?? How would we turn it on only for a specific vlan?
How do we statically join a port to a group in igmp snooping??
If a receiver moves port at layer 2 how will IGMP snooping react??
How can we stop this reaction if necessary??
Limit via IGMP to permit the range 239.0.0.0??
Limit via IGMP to allow 2 groups max to be joined on interface?? if a new group comes online it should replace an existing group?
Use a technology on switches to allow a specific vlan to be used for mcast that does not require mcast layer 3 routing to function.
Use vlan 30 and the mcast group should be 239.1.1.12??
What is the IPV6 reserved for mcast address range??
What are the flags in ipv6?
What are the scopes ipv6 + are they auto enabled?
What is the all local node address in ipv6 mcast?
What is the ospf dr address in ipv6?
What is the all routers address??
What is the first two bytes of ipv6 multicast address?
How do you enable ipv6 multicasting??
How do you enable ipv6 pim dense mode??
What is MLD??
What is its equivalent in ipv4?
How do we limit what groups in mld??
How do we change the query-interval in mld?
What is the tunnel in ipv6 mcast on the rp used for??
How do we statically configure an RP address in IPV6 mcast?
How do we configure a potential rp and bsr in IPV6?
What is the ipv6 equivalent to sh ip pim rp-mapping?
What is the ipv6 equivalent to ip igmp join-group "group address"?
How do we assign an embedded RP address if the rp address is
200:1234:5678:ABCD::6/64
Do the config for the rp for embedded rp and also the sender/reciever??
How do we do a mroute in ipv6??
 





Saturday, February 25, 2012

DHCP and DNS

DHCP

  • Extension to BOOTP for automatic host configuration
  • Provides IP addressing, netmask, default gateway, bootfile etc. to end hosts
  • Broadcast UDP packets, source port BOOTPC 68, destination port BOOTPS 67
  • Host sends DHCP Discover (broadcast), server sends DHCP Offer (unicast), host sends DHCP Request (broadcast), server sends DHCP Ack (unicast)
  • Server should be in the same broadcast domain; if not, DHCP relay must be used
  • IOS supports the following: DHCP server, DHCP client, DHCP proxy (e.g. translating an IPCP request into DHCP, used for PPP links), DHCP relaying
  • DHCP supports option 82, which is an option added by the relay to be more specific about the port the end host is connected to
  • Some end host vendors use their own specific options for this
  • Option 82 is automatically enabled when you configure DHCP snooping
  • DHCP server is configured with DHCP pools; each pool has an IP subnet for allocation
  • Host pools are supported

DHCP POOL SELECTION

Server may have multiple address pools
Pool is selected based on
  - DHCP client ID (could be any string)
    - supplied by Windows clients but not Linux
  - DHCP hardware address if the ID is missing
  - relaying gateway IP address
  - receiving interface IP subnet if no matching pool is found and no relay IP address is present

DHCP Relaying

Broadcasts can be relayed to a unicast destination
ip helper-address "ip" interface command

In the case of DHCP relaying the router inserts the interface IP address
- known as "giaddr" or gateway address
- other options could be inserted, e.g. the information option 82

Commands

Server

service dhcp - enables the DHCP server in IOS
ip dhcp pool VLAN58
network 155.0.58.0 /24
default-router 155.0.58.1
dns-server 1.1.1.1
lease 0 1 58

Client

int fa0/0
ip address dhcp





LAB
----
Ok so s2 is the dhcp client
r5 will be dhcp relay
r6 will be the dhcp server

r6
---

r6(config)#service dhcp - enable dhcp server

r6(config)#ip dhcp pool VLAN58     - create a pool and options
r6(dhcp-config)#network 155.0.58.0 /24
r6(dhcp-config)#default-router 155.0.58.5
r6(dhcp-config)#dns-server 1.1.1.1
r6(dhcp-config)#lease?
lease
r6(dhcp-config)#lease ?
  <0-365>   Days
  infinite  Infinite lease
r6(dhcp-config)#lease 0 ?
  <0-23>  Hours
  <cr>
r6(dhcp-config)#lease 0 1 ?
  <0-59>  Minutes
  <cr>

r6#debug ip dhcp server events

r5
---
r5(config)#int fa0/0
r5(config-if)#ip helper-address 6.6.6.6   - this will forward broadcasts on the fa0/0 segment to the dhcp server 6.6.6.6


s2
---
s2(config-if)#int vlan 58
s2(config-if)#ip address dhcp

s2(config)#int vlan 58
s2(config-if)#ip dhcp ?
  client  DHCP client configuration
  relay   DHCP relay configuration parameters
s2(config-if)#ip dhcp client ?
  class-id   Specify Class-ID to use
  client-id  Specify Client-ID to use
  hostname   Specify hostname to use
  lease      Requested address lease time
  request    Specify options (not) to request
  route      Options for routes installed by dhcp
s2(config-if)#ip dhcp client

we have a few options to specify class id etc if we wanted

we can see we have learnt the address via dhcp
155.0.58.1

s2#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan58                 155.0.58.1      YES DHCP   up                    up

r6
---
r6#sh log
Syslog logging: enabled (1 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 44 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 17 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
No active filter modules.
    Trap logging: level informational, 32 message lines logged
Log Buffer (99999 bytes):
*Feb 25 18:02:18.275: DHCPD: checking for expired leases.
*Feb 25 18:02:42.663: DHCPD: Sending notification of DISCOVER:
*Feb 25 18:02:42.663:   DHCPD: htype 1 chaddr 001b.2bec.83c4
*Feb 25 18:02:42.663:   DHCPD: remote id 020a00009b00920600000092
*Feb 25 18:02:42.663:   DHCPD: circuit id 00000000
*Feb 25 18:02:42.663: DHCPD: Seeing if there is an internally specified pool class:
*Feb 25 18:02:42.663:   DHCPD: htype 1 chaddr 001b.2bec.83c4
*Feb 25 18:02:42.663:   DHCPD: remote id 020a00009b00920600000092
*Feb 25 18:02:42.663:   DHCPD: circuit id 00000000
*Feb 25 18:02:44.663: DHCPD: Adding binding to radix tree (155.0.58.1)
*Feb 25 18:02:44.663: DHCPD: Adding binding to hash tree
*Feb 25 18:02:44.663: DHCPD: assigned IP address 155.0.58.1 to client
0063.6973.636f.2d30.3031.622e.3262.6563.2e38.3363.342d.566c.3538.
*Feb 25 18:02:44.939: DHCPD: Sending notification of ASSIGNMENT:
*Feb 25 18:02:44.943:  DHCPD: address 155.0.58.1 mask 255.255.255.0
*Feb 25 18:02:44.943:   DHCPD: htype 1 chaddr 001b.2bec.83c4
*Feb 25 18:02:44.943:   DHCPD: lease time remaining (secs) = 3600

we can see the request and assignment

r6#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
155.0.58.1          0063.6973.636f.2d30.    Feb 25 2012 07:02 PM    Automatic
                    3031.622e.3262.6563.
                    2e38.3363.342d.566c.
                    3538

say we wanted r6 to give s2 an ip by dhcp, but reserved so that no one else could have
this ip; we could create a specific pool based on the s2 client id

r6
---
r6(config)#ip dhcp pool SW2-CLIENT-POOL
r6(dhcp-config)#host 155.28.58.100
r6(dhcp-config)#client-id 0063.6973.636f.2d30.3031.622e.3262.6563.2e38.3363.34

in order to do this we need to know the client id; windows gives certain ones, linux gives others,
so it is vendor specific
??? not working need to complete
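
An added example (not part of the original notes) that decodes the client-id shown in the binding and compares it with the one typed into SW2-CLIENT-POOL. All values are copied from the lab output above; the "cisco-<mac>-<interface>" layout is simply what the binding's bytes decode to, and the check only reports the two differences visible on this page.

```python
import ipaddress
import re

# Values copied from the lab output above.
BINDING_CLIENT_ID = ("0063.6973.636f.2d30.3031.622e.3262."
                     "6563.2e38.3363.342d.566c.3538")      # sh ip dhcp binding
CONFIGURED_CLIENT_ID = ("0063.6973.636f.2d30.3031.622e.3262."
                        "6563.2e38.3363.34")                # pool SW2-CLIENT-POOL
CHADDR = "001b.2bec.83c4"          # chaddr in the DHCPD debug
CLIENT_SUBNET = "155.0.58.0/24"    # network of pool VLAN58
HOST_ADDRESS = "155.28.58.100"     # host statement in SW2-CLIENT-POOL


def dotted_hex_to_bytes(value):
    """Turn IOS dotted hex (groups of up to four digits) into raw bytes."""
    digits = value.replace(".", "")
    if not re.fullmatch(r"[0-9a-fA-F]+", digits) or len(digits) % 2:
        raise ValueError("not an even-length hex string: %r" % value)
    return bytes.fromhex(digits)


def bytes_to_dotted_hex(raw):
    """Format raw bytes the way the binding table prints them."""
    digits = raw.hex()
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def decode_client_id(value):
    """Return (type byte, printable remainder) of a client-id."""
    raw = dotted_hex_to_bytes(value)
    return raw[0], raw[1:].decode("ascii", errors="replace")


def build_ascii_client_id(mac, short_ifname):
    """Build the type-0 ASCII form 'cisco-<mac>-<interface>' as dotted hex."""
    text = "cisco-%s-%s" % (mac.lower(), short_ifname)
    return bytes_to_dotted_hex(b"\x00" + text.encode("ascii"))


def check_reservation(configured, observed, host, subnet):
    """List the differences between a host pool and what the client sent."""
    findings = []
    want = dotted_hex_to_bytes(observed)
    have = dotted_hex_to_bytes(configured)
    if have != want:
        if want.startswith(have):
            missing = want[len(have):].decode("ascii", errors="replace")
            findings.append("client-id is cut short, missing %r" % missing)
        else:
            findings.append("client-id differs from the one the client sends")
    if ipaddress.ip_address(host) not in ipaddress.ip_network(subnet):
        findings.append("host %s is outside client subnet %s" % (host, subnet))
    return findings


if __name__ == "__main__":
    print(decode_client_id(BINDING_CLIENT_ID))
    print(decode_client_id(CONFIGURED_CLIENT_ID))
    for line in check_reservation(CONFIGURED_CLIENT_ID, BINDING_CLIENT_ID,
                                  HOST_ADDRESS, CLIENT_SUBNET):
        print(line)
```
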

DNS

  • IOS has the DNS client enabled by default; that is why if we mis-enter a command it can take a few minutes for it to throw up an error
  • We can disable this behaviour with no ip domain-lookup
  • We could specify a DNS server with ip name-server "ip" on the client and leave ip domain-lookup on
  • For configuring IOS as a server we do no ip domain-lookup and specify ourselves as the name server with ip name-server "my ip"
  • To create host records: ip host "hostname" "host ip"
  • We can configure the DNS server IP in Cisco IOS DHCP as above



LAB
r1
---
ok we will configure r1 as dns server

r1(config)#ip dns server
r1(config)#ip host R3 3.3.3.3
r1(config)#

We have added a record for 3.3.3.3 for r3

s2
---
s2(config)#ip domain lookup
s2(config)#ip name-server 1.1.1.1
s2(config)#

s2#ping R3
Translating "R3"...domain server (1.1.1.1) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 59/65/67 ms
s2#


NAT

NAT

  • Network Address Translation rewrites the source IP address in a packet, normally to hide private IP addresses
  • Also used in cases where we have overlapping subnets, maybe after a merger of networks
  • Static translation is a 1 to 1 translation, guaranteed the same IP every time
  • Dynamic translation is a 1 to 1 translation done dynamically, so not guaranteed the same IP every time
  • Port address translation is a many to one translation based on TCP/UDP ports, common for overloading scenarios
  • Inside local is the inside IP before translation
  • Inside global is the inside IP after translation
  • Outside global is the original outside IP address
  • Outside local is the outside IP after translation, as seen on the inside
  • The major thing in NAT is the order of operations: when going from inside to outside, routing takes place before NAT; when coming from outside to inside, routing takes place after NAT.

Commands

Static NAT

ip nat inside source static 10.10.10.1 30.30.30.30 - this is going out
ip nat outside source static 30.30.30.30 10.10.10.1 - this is coming in
int fa0/0
ip nat inside
int s0/0
ip nat outside

Dynamic Nat

ip nat pool "name of pool" "start ip" "end ip" netmask "mask"
access-list "acl no" permit "source ip"
ip nat inside source list "acl no" pool "name of pool"

int fa0/0
ip nat inside
int s0/0
ip nat outside

PAT

To the source list command we just need to add the keyword overload. We could define a smaller pool and choose overload; when the pool runs out it will overload the last ip?



LAB
----
For the LAB sw2 and R5 are inside the network; r5 is the border router and will do the NAT
The rest of the routers are outside; they do not have a route to the inside address 10.164.48.0/24


s2
----
s2(config)#int vlan 58
s2(config-if)#ip address 10.164.48.2 255.255.255.0
s2(config-if)#e
00:09:37: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 155.0.58.5 (Vlan58) is down: interface downxit
s2(config)#ip route 0.0.0.0 0.0.0.0 10.164.48.5

r5
---
r5(config)#int fa0/0
r5(config-if)#ip address 10.164.48.5 255.255.255.0
r5(config-if)#no shut
r5(config-if)#


The first thing we will do is define a pool for the nat address
r5(config)#do sh run | begin ip nate
r5(config)#do sh run | begin ip nat
ip nat pool INSIDE-GLOBAL 155.28.254.0 155.28.254.254 prefix-length 24 add-route

what this command is saying is that we will use a pool 155.28.254.0-254 with mask /24; add-route adds a static route to NVI0, the NAT virtual interface, which we can use to advertise the pool out to external networks

r5(config)#router eigrp 1
r5(config-router)#redistribute static 1 1 1 1 1 1
                                      ^
% Invalid input detected at '^' marker.
r5(config-router)#redistribute static metric 1 1 1 1 1

Next step we will define an access-list of what we are going to NAT
r5(config)#access-list 1 permit 10.164.48.0 0.0.0.255

so we will NAT addresses in 10.164.48.0. This is an important step: we can have problems if we start doing ip any any, as things like control plane traffic can end up getting natted with unexpected results. It is better to limit it down to our specific networks

Next step is the actual nat command

r5(config)#ip nat source list 1 pool INSIDE-GLOBAL overload

ok so this is saying source list 1 is anything matched in ACL 1, and we will use the pool INSIDE-GLOBAL with port overload: if we run out of addresses we can use port numbers to do many to one translations
ok next is to enable it on the interfaces
r5(config)#int fa0/0
r5(config-if)#ip nat enable

r5(config-if)#int s0/0/0
r5(config-if)#ip nat enable


s2
---

s2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 67/67/67 ms
I can ping 1.1.1.1 successfully

r5
---
r5#sh ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
r5#sh ip nat nvi tran
Pro Source global      Source local       Destin  local      Destin  global
icmp 155.28.254.1:5    10.164.48.2:5      1.1.1.1:5          1.1.1.1:5
r5#

we are getting translated from 10.164.48.2 to 155.28.254.1 port 5


r1
---
we can see this traffic being sent back from src 1.1.1.1 to dst 155.28.254.1
when this gets to r5, R5 checks its state table above and will forward the reply back to 10.164.48.2

*Mar  1 03:00:16.795: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:16.859: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:16.927: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:16.995: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.063: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.131: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.199: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.263: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.331: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.399: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.467: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.531: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.599: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.667: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.735: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.799: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1


r1
---
r1#ping 155.28.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.28.254.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#telnet 155.28.254.1
Trying 155.28.254.1 ...

I cannot ping or telnet. This is because there is no way for r5 to know to forward this to 10.164.48.2, as there is no state information from an outbound packet
we can create a static entry for 

r5
----
r5(config)#ip nat source static tcp 10.164.48.2 23 interface s0/0/0 8080

basically this command is saying anything coming in on port 8080 on interface s0/0/0 will be redirected to 10.164.48.2 on port 23
r5#clear ip nat nvi translation *


r1
---
r1#
r1#telnet 155.0.0.5 8080
Trying 155.0.0.5, 8080 ... Open

User Access Verification
Username: cisco
Password:
s2>

working as expected
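
A simplified model of the translation table r5 keeps in this lab, added here as an example (it is not IOS code and not from the original notes). It shows why the reply to s2's ping is forwarded, why r1's unsolicited ping and telnet to 155.28.254.1 find no entry, and why the static entry on 155.0.0.5 port 8080 keeps working after the dynamic table is cleared. The second inside host 10.164.48.3 and the "next free port" rule are constructed for illustration, and the model matches only on protocol, global address and port.

```python
import ipaddress


class PatModel:
    """Toy version of 'ip nat source list 1 pool INSIDE-GLOBAL overload'."""

    def __init__(self, acl_network, global_ip):
        self.acl = ipaddress.ip_network(acl_network)   # access-list 1
        self.global_ip = global_ip                     # address taken from the pool
        # (proto, global_ip, global_port) -> (local_ip, local_port)
        self.dynamic = {}   # created by outbound packets only
        self.static = {}    # configured by hand, survives a clear

    def add_static(self, proto, local_ip, local_port, global_ip, global_port):
        """Model of 'ip nat source static tcp <local> <port> interface ... <port>'."""
        self.static[(proto, global_ip, global_port)] = (local_ip, local_port)

    def _free_port(self, proto, wanted):
        # Keep the original port (or ICMP id) if it is free, else take the next one.
        port = wanted
        while ((proto, self.global_ip, port) in self.dynamic
               or (proto, self.global_ip, port) in self.static):
            port = port + 1 if port < 65535 else 1
        return port

    def outbound(self, proto, src_ip, src_port):
        """Inside to outside: return the source address/port seen outside."""
        if ipaddress.ip_address(src_ip) not in self.acl:
            return (src_ip, src_port)          # not matched by the ACL: untouched
        for key, local in self.dynamic.items():
            if key[0] == proto and local == (src_ip, src_port):
                return key[1:]                 # existing flow, reuse the entry
        port = self._free_port(proto, src_port)
        self.dynamic[(proto, self.global_ip, port)] = (src_ip, src_port)
        return (self.global_ip, port)

    def inbound(self, proto, dst_ip, dst_port):
        """Outside to inside: return the inside host, or None if no entry exists."""
        key = (proto, dst_ip, dst_port)
        return self.static.get(key) or self.dynamic.get(key)

    def clear_dynamic(self):
        """Model of 'clear ip nat nvi translation *'."""
        self.dynamic.clear()


def run_lab():
    """Replay the lab steps and return what each packet maps to."""
    nat = PatModel("10.164.48.0/24", "155.28.254.1")
    steps = {}
    steps["s2 ping out"] = nat.outbound("icmp", "10.164.48.2", 5)
    steps["reply from 1.1.1.1"] = nat.inbound("icmp", "155.28.254.1", 5)
    steps["r1 telnet to pool address"] = nat.inbound("tcp", "155.28.254.1", 23)
    nat.add_static("tcp", "10.164.48.2", 23, "155.0.0.5", 8080)
    nat.clear_dynamic()
    steps["r1 telnet 155.0.0.5 8080"] = nat.inbound("tcp", "155.0.0.5", 8080)
    return steps


if __name__ == "__main__":
    for name, result in run_lab().items():
        print("%-28s -> %s" % (name, result))
```
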

GLBP

GLBP

  • Gateway Load Balancing Protocol, Cisco proprietary
  • Extends HSRP functionality to natively support load balancing
  • We can load balance in VRRP or HSRP by configuring multiple groups on interfaces
  • But GLBP provides native inbuilt load balancing for up to 4 devices
  • There are 2 elections: the first election is for the AVG (Active Virtual Gateway); this is based on priority, with highest IP as tie breaker
  • The AVG will then look at all possible forwarders; if there are more than 4 it will elect forwarders and standby devices.
  • This election is based on weight. The weight will also determine the traffic share of load balancing given to each gateway. It is not exact but provides some level of weight
  • When a client ARPs for the gateway address the AVG will reply with the MAC of one of the forwarders; it will go through them in a weighted round robin way
  • As clients keep an ARP cache and will not ARP every time for the gateway address, the load balancing is not exact
  • By default, GLBP routers use the local multicast address 224.0.0.102 to send hello packets to their peers every 3 seconds over UDP 3222 (source and destination)
  • We can manipulate the weight in conjunction with the likes of IP SLA and enhanced object tracking to say that if a particular event happens the weight will be decremented.
  • We configure an upper and lower limit: if we go below the lower limit we lose our AVF status; the upper limit is the weight we must be at to regain our AVF status
  • Default priority is 100

Commands

int fa0/0
glbp 10 ip 10.10.10.1
glbp 10 priority 110
glbp 10 weighting 110 lower 85 upper 105
glbp 10 weighting track 20 decrement 30

ip sla 18
icmp-echo 10.9.9.9
ip sla schedule 18 life forever start-time now

track 20 rtr 18 state

So in the above we track the reachability from this layer 3 switch to 10.9.9.9. If it is not reachable we decrement our weight by 30; this would have us at weight 80, below the lower limit, so we would lose our AVF status

LAB
----

r6
---
r6(config-subif)#int fa0/0.146
r6(config-subif)#glbp 10 ip 155.0.146.254
r6(config-subif)#
*Feb 25 13:48:26.962: GLBP: joining IPv4 multicast on Fa0/0.146
*Feb 25 13:48:26.962: GLBP: joining IPv6 multicast on Fa0/0.146
*Feb 25 13:48:26.962: GLBP: Fa0/0.146 API 155.0.146.254 is not a GLBP address in table 0
*Feb 25 13:48:26.962: GLBP: Fa0/0.146 10 Disabled: a/GLBP IP address configured
*Feb 25 13:48:26.962: GLBP: Fa0/0.146 10 Disabled -> Init
r6(config-subif)#
*Feb 25 13:48:36.966: GLBP: Fa0/0.146 Interface up
*Feb 25 13:48:36.966: GLBP: Fa0/0.146 10 Init: d/GLBP enabled
*Feb 25 13:48:36.966: GLBP: Fa0/0.146 10 Init -> Listen
*Feb 25 13:48:39.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Listen  pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:39.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:39.966:     UDP src=3222, dst=3222
*Feb 25 13:48:42.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Listen  pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:42.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:42.966:     UDP src=3222, dst=3222
*Feb 25 13:48:45.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Listen  pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:45.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:45.966:     UDP src=3222, dst=3222
*Feb 25 13:48:46.966: GLBP: Fa0/0.146 10 Listen: g/Active timer expired (unknown)
*Feb 25 13:48:46.966: GLBP: Fa0/0.146 10 Listen -> Speak
*Feb 25 13:48:46.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Speak   pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:46.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:46.966:     UDP src=3222, dst=3222
*Feb 25 13:48:49.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Speak   pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:49.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:49.966:     UDP src=3222, dst=3222
*Feb 25 13:48:52.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Speak   pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:52.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:52.966:     UDP src=3222, dst=3222
*Feb 25 13:48:55.874: IP: s=155.0.67.1 (FastEthernet0/0.67), d=224.0.0.1, len 28, rcvd 0, proto=2
*Feb 25 13:48:55.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Speak   pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:55.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:55.966:     UDP src=3222, dst=3222
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Speak: f/Standby timer expired (unknown)
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Standby router is local
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Speak -> Standby
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 Grp 10 Hello  out VG Standby pri 100 vIP 155.0.146.254 hello 3000, hold 10000
*Feb 25 13:48:56.966: IP: s=155.0.146.6 (local), d=224.0.0.102 (FastEthernet0/0.146), len 68, sending broad/multicast
*Feb 25 13:48:56.966:     UDP src=3222, dst=3222
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Standby: g/Active timer expired (unknown)
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Active router IP is local
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Standby router is unknown, was local
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10 Standby -> Active
*Feb 25 13:48:56.966: %GLBP-6-STATECHANGE: FastEthernet0/0.146 Grp 10 state Standby -> Active
*Feb 25 13:48:56.966: GLBP: Fa0/0.146 10.1 Disabled: a/Forwarder MAC address acquired

we can see we are multicasting out to 224.0.0.102 over UDP port 3222
we go through VG (virtual gateway) listen and speak; this is where we would be doing the election if other gateways were online. None are, so we become active as the AVG


r6#sh glbp
FastEthernet0/0.146 - Group 10
  State is Active
    2 state changes, last state change 00:02:54
  Virtual IP address is 155.0.146.254
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.308 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption disabled
  Active is local
  Standby is unknown
  Priority 100 (default)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    0013.80e4.901a (155.0.146.6) local
  There is 1 forwarder (1 active)
  Forwarder 1
    State is Active
      1 state change, last state change 00:02:44
    MAC address is 0007.b400.0a01 (default)
    Owner ID is 0013.80e4.901a
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100
r6#

There are 2 main parts to this output: the first part references the active gateway and the 2nd part references the forwarders


r4
---
r4(config)#int fa0/1
r4(config-if)#glbp 10 ip 155.0.146.254


r4#sh glbp
FastEthernet0/1 - Group 10
  State is Standby
    1 state change, last state change 00:00:01
  Virtual IP address is 155.0.146.254
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.572 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption disabled
  Active is 155.0.146.6, priority 100 (expires in 9.928 sec)
  Standby is local
  Priority 100 (default)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    0012.d993.728d (155.0.146.4) local
    0013.80e4.901a (155.0.146.6)
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Listen
    MAC address is 0007.b400.0a01 (learnt)
    Owner ID is 0013.80e4.901a
    Time to live: 14399.928 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 155.0.146.6 (primary), weighting 100 (expires in 9.452 sec)
  Forwarder 2
    State is Active
      1 state change, last state change 00:00:11
    MAC address is 0007.b400.0a02 (default)
    Owner ID is 0012.d993.728d
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100
r4#
so we are in standby for the AVG, as r6 is the AVG
there are 2 forwarders on the link

r6
---
r6(config-subif)#int fa0/0.146
r6(config-subif)#glbp 10 priority 90

the priority is in relation to active gateway not forwarding
preemption is disabled by default

r4
----
r4(config)#int fa0/1
r4(config-if)#glbp 10 preempt
r4(config-if)#
*Feb 25 13:45:44.866: %GLBP-6-STATECHANGE: FastEthernet0/1 Grp 10 state Standby -> Active

now I am the active gateway so I am responding to the ARP requests

if we look at this command on r4
r4(config)#int fa0/1
r4(config-if)#glbp 10 weighting 110 lower 85 upper 105

so with the lower limit, if my weighting goes below 85 I will no longer forward for the segment
but if my weighting comes back up to 105 I will be allowed to forward for the segment
r4(config-if)#glbp 1 weighting track 1

We can get into complex IP SLA setups: say if one IP is unreachable decrement by 20, and if another is down decrement by 10. We can be very specific about the conditions we forward under by adjusting the weights

we also tell r4 we want to load balance based on weighting
r4(config-if)#glbp 10 load-balancing weighted
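
The weighting thresholds described above (weighting 110 lower 85 upper 105), worked through as an added example that is not part of the original notes. It models only the rule stated on this page: forwarder status is lost below the lower limit and regained at the upper limit. Track object 20 with decrement 30 is the page's; objects 21 and 22 with decrements 20 and 10 are constructed to show that the same weight (90) can mean forwarding or not, depending on history.

```python
class GlbpWeighting:
    """Weight with a lower/upper threshold pair, as in 'glbp 10 weighting'."""

    def __init__(self, maximum, lower, upper):
        if not lower <= upper <= maximum:
            raise ValueError("expected lower <= upper <= maximum")
        self.maximum = maximum
        self.lower = lower
        self.upper = upper
        self.tracked = {}        # track object id -> [decrement, is_up]
        self.forwarder = True    # AVF status

    def track(self, obj, decrement):
        """Model of 'glbp <group> weighting track <obj> decrement <n>'."""
        self.tracked[obj] = [decrement, True]

    @property
    def weight(self):
        lost = sum(dec for dec, up in self.tracked.values() if not up)
        return max(self.maximum - lost, 0)

    def report(self, obj, is_up):
        """Apply a track state change; return (weight, still a forwarder?)."""
        self.tracked[obj][1] = is_up
        weight = self.weight
        if self.forwarder and weight < self.lower:
            self.forwarder = False           # dropped below the lower limit
        elif not self.forwarder and weight >= self.upper:
            self.forwarder = True            # climbed back to the upper limit
        return weight, self.forwarder


def replay(weighting, events):
    """Feed (object, is_up) events in order and collect the outcome of each."""
    return [(obj, is_up) + weighting.report(obj, is_up) for obj, is_up in events]


if __name__ == "__main__":
    # The page's case: one tracked object, decrement 30.
    single = GlbpWeighting(110, 85, 105)
    single.track(20, 30)
    for row in replay(single, [(20, False), (20, True)]):
        print("track %s up=%s -> weight %s forwarder=%s" % row)

    # Constructed case: two tracked objects with decrements 20 and 10.
    double = GlbpWeighting(110, 85, 105)
    double.track(21, 20)
    double.track(22, 10)
    events = [(22, False), (21, False), (22, True), (21, True), (21, False)]
    for row in replay(double, events):
        print("track %s up=%s -> weight %s forwarder=%s" % row)
```
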

VRRP

VRRP

  • IETF alternative to HSRP
  • Uses the terms master/backup as opposed to primary and standby
  • Concepts are nearly identical
  • VRRP has preempt on by default
  • Also lower default timers: 1 hello, 3 dead
  • It uses a virtual MAC of 0000.5E00.01xx where xx is the group
  • Uses the vrrp interface command instead of standby
  • It has its own dedicated protocol number, so it is not using UDP; the VRRP protocol number is 112
  • Also it has its own dedicated multicast group, 224.0.0.18
  • It can only object track; it does not have the track interface option that HSRP has, but in general tracking an object like IP SLA is the better choice, as track interface depends on line protocol
  • It supports MD5 authentication, implemented the same way with key chain and key string as in HSRP
  • It also supports plain text authentication

Commands

int fa0/1
vrrp 10 ip 155.0.0.10
vrrp 10 authentication md5 key-chain cisco
or
vrrp 10 authentication md5 key-string cisco
vrrp 10 preempt delay minimum 10 - wait 10 seconds before preempting


LAB

As this is almost identical to HSRP I will just do a quick lab and then do a lab on authentication
this authentication would work on HSRP, VRRP or GLBP



r6(config)#int fa0/0.146
r6(config-subif)#vrrp 10 ip 155.0.146.254
r6(config-subif)#
*Feb 25 12:54:13.795: %VRRP-6-STATECHANGE: Fa0/0.146 Grp 10 state Create -> Disable
*Feb 25 12:54:13.795: VRRP: Grp 10 Event - primary IP configured
*Feb 25 12:54:13.795: %VRRP-6-STATECHANGE: Fa0/0.146 Grp 10 state Disable -> Init
*Feb 25 12:54:13.795: VRRP: vrrp_interface_state: Fa0/0.146 is Up
*Feb 25 12:54:13.795: VRRP: Grp 10 Event - Interface UP
*Feb 25 12:54:13.795: %VRRP-6-STATECHANGE: Fa0/0.146 Grp 10 state Init -> Backup
*Feb 25 12:54:17.407: VRRP: Grp 10 Event - Master down timer expired
*Feb 25 12:54:17.407: %VRRP-6-STATECHANGE: Fa0/0.146 Grp 10 state Backup -> Master
*Feb 25 12:54:17.407: VRRP: tbridge_smf_update failed
*Feb 25 12:54:17.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:17.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:18.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:18.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:19.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:19.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:20.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:20.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:21.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:21.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:22.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:22.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:23.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:23.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:24.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:24.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:25.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:25.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:26.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:26.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
OK, so we can see that it started in Disable, went to Init, then Backup, then Master. It then
started sending to the multicast group 224.0.0.18, and it has its own protocol, 112; it is not
using UDP 1985 like HSRP was.


r4
---
r4#sh run int fa0/1
Building configuration...
Current configuration : 142 bytes
!
interface FastEthernet0/1
 ip address 155.0.146.4 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
 vrrp 10 ip 155.0.146.254
end
r4#
One of the first things to notice is that preempt is on by default.

r4(config)#int fa0/1
r4(config-if)#vrrp 10 priority 105
r4(config-if)#
*Feb 25 12:44:25.875: %VRRP-6-STATECHANGE: Fa0/1 Grp 10 state Backup -> Master

So I do not need to configure preempt.

Next I will enable authentication on r4.
r4(config)#int fa0/1
r4(config-if)#vrrp 10 authentication ?
  WORD  Plain text authentication string
  md5   Use MD5 authentication
  text  Plain text authentication
r4(config-if)#vrrp 10 authentication md5 ?
  key-chain   Set key chain
  key-string  Set key string
r4(config-if)#vrrp 10 authentication md5 key-string PASSWORD

r4#sh vrrp
FastEthernet0/1 - Group 10
  State is Master
  Virtual IP address is 155.0.146.254
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 105
  Authentication MD5, key-string "PASSWORD"
  Master Router is 155.0.146.4 (local), priority is 105
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.589 sec
r4#

If we go to r6:

r6#sh vrrp
FastEthernet0/0.146 - Group 10
  State is Master
  Virtual IP address is 155.0.146.254
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 155.0.146.6 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec
r6#

Effectively VRRP is not working: both routers think they are master.

Basically r4 is rejecting r6's VRRP packets:
*Feb 25 12:53:11.875: VRRP: Grp 10 sending Advertisement checksum 2B15u
*Feb 25 12:53:12.487: VRRP: Grp 10 Advertisement from 155.0.146.6 has incorrect
                authentication type 0 expected 254
*Feb 25 12:53:12.875: VRRP: Grp 10 sending MD5 digest:

Because of the incorrect authentication, r6 does not receive a reply from r4, so it believes it
is the only VRRP router on the segment and goes to the master state.
on r6
------

r6(config)#int fa0/0.146
r6(config-subif)#vrrp 10 authentication md5 key-string PASSWORD

r6#sh vrrp
FastEthernet0/0.146 - Group 10
  State is Backup
  Virtual IP address is 155.0.146.254
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Authentication MD5, key-string "PASSWORD"
  Master Router is 155.0.146.4, priority is 105
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.349 sec)

r6 has gone to Backup and we are back in a proper VRRP config.
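
The dual-master condition from this lab can be checked for automatically. The following is an added example, not part of the original lab: it parses `sh vrrp` text collected from each router and flags groups with more than one Master, mixed authentication settings, or a virtual MAC that does not match 0000.5e00.01xx. The sample captures are constructed from the output above, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated "sh vrrp" captures modelled on the lab output,
# taken while only r4 has MD5 authentication configured.
R4_OUTPUT = """\
FastEthernet0/1 - Group 10
  State is Master
  Virtual IP address is 155.0.146.254
  Virtual MAC address is 0000.5e00.010a
  Priority is 105
  Authentication MD5, key-string "PASSWORD"
  Master Router is 155.0.146.4 (local), priority is 105
"""
R6_OUTPUT = """\
FastEthernet0/0.146 - Group 10
  State is Master
  Virtual IP address is 155.0.146.254
  Virtual MAC address is 0000.5e00.010a
  Priority is 100
  Master Router is 155.0.146.6 (local), priority is 100
"""

HEADER = re.compile(r"^(\S+) - Group (\d+)\s*$")
FIELDS = {
    "state": re.compile(r"^\s+State is (\w+)"),
    "vip": re.compile(r"^\s+Virtual IP address is (\S+)"),
    "vmac": re.compile(r"^\s+Virtual MAC address is (\S+)"),
    "auth": re.compile(r"^\s+Authentication (\w+)"),
}


def parse_show_vrrp(router, text):
    """Return one dict per VRRP group found in a 'sh vrrp' capture."""
    groups, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # No "Authentication" line in the output means none is configured.
            current = {"router": router, "interface": m.group(1),
                       "group": int(m.group(2)), "auth": "none"}
            groups.append(current)
            continue
        if current is None:
            continue
        for key, rx in FIELDS.items():
            m = rx.match(line)
            if m:
                current[key] = m.group(1)
    return groups


def expected_vmac(group):
    """VRRP virtual MAC for a group: 0000.5e00.01xx, xx = group in hex."""
    return "0000.5e00.01%02x" % group


def audit(captures):
    """captures maps router name -> 'sh vrrp' text. Returns a list of findings."""
    by_group = defaultdict(list)
    for router, text in captures.items():
        for g in parse_show_vrrp(router, text):
            by_group[(g["group"], g.get("vip", ""))].append(g)
    findings = []
    for (group, vip), members in sorted(by_group.items()):
        masters = sorted(m["router"] for m in members if m.get("state") == "Master")
        if len(masters) > 1:
            findings.append(("split-brain", group, vip, masters))
        auth_modes = sorted({m["auth"] for m in members})
        if len(auth_modes) > 1:
            findings.append(("auth-mismatch", group, vip, auth_modes))
        for m in members:
            if m.get("vmac", "").lower() != expected_vmac(group):
                findings.append(("unexpected-vmac", group, vip, [m["router"]]))
    return findings


if __name__ == "__main__":
    for finding in audit({"r4": R4_OUTPUT, "r6": R6_OUTPUT}):
        print(finding)
```

As the captures above show, `sh vrrp` prints the MD5 key-string in clear text, so saved captures should be handled like any other file that contains a secret.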

We could also specify a key chain if we wanted to:
r6(config)#do sh run | sec key chain
key chain VRRP-KEY
 key 1
  key-string PASSWORD
  accept-lifetime 00:00:00 Jan 1 1993 infinite
r6(config)#
r6(config)#int fa0/0.146
r6(config-subif)#vrrp 10 authentication md5 key-chain VRRP-KEY

Another option for preempt, in HSRP, GLBP and VRRP alike:
r6(config-subif)#int fa0/0.146
r6(config-subif)#vrrp 10 preempt delay minimum 10

We can configure a delay of a few seconds, so that a router that finds out it has higher
priority does not preempt straight away.

HSRP

HSRP (Hot Standby Router Protocol)

  • Cisco proprietary
  • Elects the gateway based on highest priority; 100 is the default and 255 is the maximum; the tie breaker is highest IP
  • Default is no preempt
  • Uses UDP multicast 224.0.0.2 (all routers) on port 1985
  • ARP response contains the virtual MAC 0000.0c07.acxx, where xx is the group number
  • Can use clear-text or MD5 authentication
  • Default hello is 3 and dead is 10
  • A speak router is a router that is not elected primary or standby
  • 256 HSRP groups is the limit
  • It does not support DDR
  • standby use-bia - uses the burnt-in address of the switch instead of the well-known MAC
  • NAT is supported but can have issues when the standby takes over, as the state table is not maintained
  • To RADIUS and TACACS, HSRP routers appear as one, and the primary sends info to the RADIUS server
  • It is not possible to track a GRE interface
  • It is possible to run HSRP for primary and secondary subnets
  • HSRPv2 supports millisecond timers
  • There are 255 groups in v1 and 4095 in v2
  • HSRPv2 uses a different MAC, 000.0c95.Fyyy, where y is the group
  • HSRPv2 multicasts to 224.0.0.12
  • Supports multiple groups per interface, so we can have a few groups configured and potentially load balance
  • Can integrate with IP SLA via enhanced object tracking
  • Technically standby only needs to be configured on the standby router, but it should be configured on both for when the primary router comes back available
HSRP STATES

Initial
Listen
Speak
Standby
Active

Commands

int fa0/0
standby 1 ip 155.0.0.1
standby 1 preempt
standby 1 priority 120
standby version 1/2

sh standby

LAB

OK, so for the lab r1 will be the end host with a default gateway of 155.0.146.254; r4 and r6
will use HSRP, with 155.0.146.254 being the virtual default gateway.

r1
---
So I am setting r1 not to do routing and to have a default gateway of 155.0.146.254.
r1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
r1(config)#no ip routing
*Mar  1 02:55:51.199: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 155.0.146.4
(FastEthernet0/0) is down: interface down
*Mar  1 02:55:51.203: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 155.0.146.6
(FastEthernet0/0) is down: interface down
r1(config)#
r1(config)#ip default-gateway 155.0.146.254

r4
---

I will create an ACL:
r4(config)#access-list 112 deny eigrp any any
r4(config)#access-list 112 deny pim?
pim
r4(config)#access-list 112 deny pim  any any
r4(config)#access-list 112 permit ip any any
This will be applied to our debug to keep it cleaner:
r4#debug ip packet detail 112
IP packet debugging is on (detailed) for access list 112
r4#

r4#debug standby
HSRP debugging is on
r4#config t
Enter configurat


r4(config)#int fa0/1
r4(config-if)#standby 10 ip 155.0.146.254
r4(config-if)#
*Feb 25 10:14:46.535: HSRP: Fa0/1 Starting minimum interface delay (1 secs)
*Feb 25 10:14:46.535: HSRP: Fa0/1 Grp 10 Disabled -> Init
*Feb 25 10:14:46.535: HSRP: Fa0/1 Grp 10 Redundancy "hsrp-Fa0/1-10" state Disabled -> Init
*Feb 25 10:14:46.539: HSRP: Fa0/1 Redundancy server "hsrp-Fa0/1-10" update, Disabled -> Init
*Feb 25 10:14:46.539: HSRP: Fa0/1 Redundancy server "hsrp-Fa0/1-10" added
*Feb 25 10:14:47.535: HSRP: Fa0/1 Interface min delay expired
*Feb 25 10:14:47.535: HSRP: Fa0/1 Grp 10 Init: a/HSRP enabled
*Feb 25 10:14:47.535: HSRP: Fa0/1 Grp 10 Init -> Listen
*Feb 25 10:14:47.535: HSRP: Fa0/1 Grp 10 Redundancy "hsrp-Fa0/1-10" state Init -> Backup
*Feb 25 10:14:47.535: HSRP: Fa0/1 Redundancy server "hsrp-Fa0/1-10" update, Init -> Backup
*Feb 25 10:14:47.535: HSRP: Fa0/1 Redirect adv out, Passive, active 0 passive 1
*Feb 25 10:14:47.535: IP: s=155.0.146.4 (local), d=224.0.0.2 (FastEthernet0/1), len 44,
sending broad/multicast
*Feb 25 10:14:47.535:     UDP src=1985, dst=1985
*Feb 25 10:14:53.571: IP: s=155.0.146.1 (FastEthernet0/1), d=224.0.0.1, len 28, rcvd 0,
proto=2
*Feb 25 10:14:57.535: HSRP: Fa0/1 Grp 10 Listen: c/Active timer expired (unknown)
*Feb 25 10:14:57.535: HSRP: Fa0/1 Grp 10 Listen -> Speak
*Feb 25 10:14:57.535: HSRP: Fa0/1 Grp 10 Redundancy "hsrp-Fa0/1-10" state Backup -> Speak
*Feb 25 10:14:57.535: HSRP: Fa0/1 Redundancy server "hsrp-Fa0/1-10" update, Backup -> Speak
*Feb 25 10:14:57.535: HSRP: Fa0/1 Grp 10 Hello  out 155.0.146.4 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:14:57.535: IP: s=155.0.146.4 (local), d=224.0.0.2 (FastEthernet0/1), len 48,
sending broad/multicast
*Feb 25 10:14:57.535:     UDP src=1985, dst=1985
*Feb 25 10:14:59.667: IP: s=155.0.146.4 (local), d=224.0.1.40 (FastEthernet0/1), len 28,
sending broad/multicast, proto=2
*Feb 25 10:15:00.535: HSRP: Fa0/1 Grp 10 Hello  out 155.0.146.4 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:15:00.535: IP: s=155.0.146.4 (local), d=224.0.0.2 (FastEthernet0/1), len 48,
sending broad/multicast
*Feb 25 10:15:00.535:     UDP src=1985, dst=1985
*Feb 25 10:15:03.535: HSRP: Fa0/1 Grp 10 Hello  out 155.0.146.4 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:15:03.535: IP: s=155.0.146.4 (local), d=224.0.0.2 (FastEthernet0/1), len 48,
sending broad/multicast
*Feb 25 10:15:03.535:     UDP src=1985, dst=1985
*Feb 25 10:15:06.535: HSRP: Fa0/1 Grp 10 Hello  out 155.0.146.4 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:15:06.535: IP: s=155.0.146.4 (local), d=224.0.0.2 (FastEthernet0/1), len 48,
sending broad/multicast
*Feb 25 10:15:06.535:     UDP src=1985, dst=1985
*Feb 25 10:15:07.535: HSRP: Fa0/1 Grp 10 Speak: d/Standby timer expired (unknown)
*Feb 25 10:15:07.535: HSRP: Fa0/1 Grp 10 Standby router is local
*Feb 25 10:15:07.535: HSRP: Fa0/1 Grp 10 Speak -> Standby
*Feb 25 10:15:07.535: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 10 state Speak -> Standby
*Feb 25 10:15:07.535: HSRP: Fa0/1 Grp 10 Redundancy "hsrp-Fa0/1-10" state Speak -> Standby
*Feb 25 10:15:07.535: HSRP: Fa0/1 Redundancy server "hsrp-Fa0/1-10" update, Speak -> Standby
*Feb 25 10:15:07.535: HSRP: Fa0/1 Grp 10 Hello  out 155.0.146.4 Standby pri 100 vIP
155.0.146.254
*Feb 25 10:15:07.535: IP: s=155.0.146.4 (local), d=224.0.0.2 (FastEthernet0/1), len 48,
sending broad/multicast
*Feb 25 10:15:07.535:     UDP src=1985, dst=1985
*Feb 25 10:15:08.035: HSRP: Fa0/1 Grp 10 Standby: c/Active timer expired (unknown)
*Feb 25 10:15:08.035: HSRP: Fa0/1 Grp 10 Active router is local
*Feb 25 10:15:08.035: HSRP: Fa0/1 Grp 10 Standby router is unknown, was local
*Feb 25 10:15:08.035: HSRP: Fa0/1 Grp 10 Standby -> Active
*Feb 25 10:15:08.035: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 10 state Standby -> Active
*Feb 25 10:15:08.035: HSRP: Fa0/1 Grp 10 Redundancy "hsrp-Fa0/1-10" state Standby -> Active
*Feb 25 10:15:08.035: HSRP: Fa0/1 Redundancy server "hsrp-Fa0/1-10" update, Standby -> Active

From the output we can see that by enabling HSRP we started sending traffic to 224.0.0.2 (the
all-routers multicast address) with a source and destination port of 1985. We went from Initial
to Listen, just waiting to see whether we could hear any other routers on the segment. Then we
went to Speak, where we generated our HSRP info while waiting for an election; we then went
into Standby and then into Active.

If both routers on the segment went to Active, you know that you have some underlying
transport issue. The first thing you really should do before configuring is to ensure layer 2
connectivity between all HSRP routers.

r6
--
We can see we are receiving the HSRP-related packets in.

i have enabled
r6#sh run int fa0/0.146
Building configuration...
Current configuration : 149 bytes
!
interface FastEthernet0/0.146
 encapsulation dot1Q 146
 ip address 155.0.146.6 255.255.255.0
 ip pim sparse-mode
 standby 10 ip 155.0.146.254
end


Feb 25 10:38:42.475: HSRP: Fa0/0.146 Starting minimum interface delay (1 secs)
*Feb 25 10:38:42.479: HSRP: Fa0/0.146 Grp 10 Disabled -> Init
*Feb 25 10:38:42.479: HSRP: Fa0/0.146 Grp 10 Redundancy "hsrp-Fa0/0.146-10" state Disabled ->
Init
*Feb 25 10:38:42.479: HSRP: Fa0/0.146 Redundancy server "hsrp-Fa0/0.146-10" update, Disabled
-> Init
*Feb 25 10:38:42.479: HSRP: Fa0/0.146 Redundancy server "hsrp-Fa0/0.146-10" added
*Feb 25 10:38:43.475: HSRP: Fa0/0.146 Interface min delay expired
*Feb 25 10:38:43.475: HSRP: Fa0/0.146 Grp 10 Init: a/HSRP enabled
*Feb 25 10:38:43.475: HSRP: Fa0/0.146 Grp 10 Init -> Listen
*Feb 25 10:38:43.475: HSRP: Fa0/0.146 Grp 10 Redundancy "hsrp-Fa0/0.146-10" state Init ->
Backup
*Feb 25 10:38:43.475: HSRP: Fa0/0.146 Redundancy server "hsrp-Fa0/0.146-10" update, Init ->
Backup
*Feb 25 10:38:43.475: HSRP: Fa0/0.146 Redirect adv out, Passive, active 0 passive 1
*Feb 25 10:38:43.475: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 44,
sending broad/multicast
*Feb 25 10:38:43.475:     UDP src=1985, dst=1985
*Feb 25 10:38:44.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:44.267:     UDP src=1985, dst=1985
*Feb 25 10:38:44.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:44.267: HSRP: Fa0/0.146 Grp 10 Active router is 155.0.146.4
*Feb 25 10:38:44.267: HSRP: Fa0/0.146 Redirect adv out, Passive, active 0 passive 1
*Feb 25 10:38:44.267: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 44,
sending broad/multicast
*Feb 25 10:38:44.267:     UDP src=1985, dst=1985
*Feb 25 10:38:47.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:47.267:     UDP src=1985, dst=1985
*Feb 25 10:38:47.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:48.287: IP: s=155.0.67.1 (FastEthernet0/0.67), d=224.0.1.40, len 28, rcvd 0,
proto=2
*Feb 25 10:38:50.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:50.267:     UDP src=1985, dst=1985
*Feb 25 10:38:50.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:50.571: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:50.571:     UDP src=1985, dst=1985
*Feb 25 10:38:50.571: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:53.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:53.267:     UDP src=1985, dst=1985
*Feb 25 10:38:53.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:53.475: HSRP: Fa0/0.146 Grp 10 Listen: d/Standby timer expired (unknown)
*Feb 25 10:38:53.475: HSRP: Fa0/0.146 Grp 10 Listen -> Speak
*Feb 25 10:38:53.475: HSRP: Fa0/0.146 Grp 10 Redundancy "hsrp-Fa0/0.146-10" state Backup ->
Speak
*Feb 25 10:38:53.475: HSRP: Fa0/0.146 Redundancy server "hsrp-Fa0/0.146-10" update, Backup ->
Speak
*Feb 25 10:38:53.475: HSRP: Fa0/0.146 Grp 10 Hello  out 155.0.146.6 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:38:53.475: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 48,
sending broad/multicast
*Feb 25 10:38:53.475:     UDP src=1985, dst=1985
*Feb 25 10:38:56.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:56.267:     UDP src=1985, dst=1985
*Feb 25 10:38:56.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:56.475: HSRP: Fa0/0.146 Grp 10 Hello  out 155.0.146.6 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:38:56.475: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 48,
sending broad/multicast
*Feb 25 10:38:56.475:     UDP src=1985, dst=1985
*Feb 25 10:38:59.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:38:59.267:     UDP src=1985, dst=1985
*Feb 25 10:38:59.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:38:59.475: HSRP: Fa0/0.146 Grp 10 Hello  out 155.0.146.6 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:38:59.475: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 48,
sending broad/multicast
*Feb 25 10:38:59.475:     UDP src=1985, dst=1985
*Feb 25 10:39:00.535: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:39:00.535:     UDP src=1985, dst=1985
*Feb 25 10:39:00.535: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254u a
*Feb 25 10:39:02.267: IP: s=155.0.146.4 (FastEthernet0/0.146), d=224.0.0.2, len 48, rcvd 0
*Feb 25 10:39:02.267:     UDP src=1985, dst=1985
*Feb 25 10:39:02.267: HSRP: Fa0/0.146 Grp 10 Hello  in  155.0.146.4 Active  pri 100 vIP
155.0.146.254
*Feb 25 10:39:02.475: HSRP: Fa0/0.146 Grp 10 Hello  out 155.0.146.6 Speak   pri 100 vIP
155.0.146.254
*Feb 25 10:39:02.475: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 48,
sending broad/multicast
*Feb 25 10:39:02.475:     UDP src=1985, dst=1985ll
                 ^
% Invalid input detected at '^' marker.
r6(config-subif)#
*Feb 25 10:39:03.475: HSRP: Fa0/0.146 Grp 10 Speak: d/Standby timer expired (unknown)
*Feb 25 10:39:03.475: HSRP: Fa0/0.146 Grp 10 Standby router is local
*Feb 25 10:39:03.475: HSRP: Fa0/0.146 Grp 10 Speak -> Standby
*Feb 25 10:39:03.475: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Speak -> Standbye
*Feb 25 10:39:03.475: HSRP: Fa0/0.146 Grp 10 Redundancy "hsrp-Fa0/0.146-10" state Speak ->
Standby
*Feb 25 10:39:03.475: HSRP: Fa0/0.146 Redundancy server "hsrp-Fa0/0.146-10" update, Speak ->
Standby
*Feb 25 10:39:03.475: HSRP: Fa0/0.146 Grp 10 Hello  out 155.0.146.6 Standby pri 100 vIP
155.0.146.254
*Feb 25 10:39:03.475: IP: s=155.0.146.6 (local), d=224.0.0.2 (FastEthernet0/0.146), len 48,
sending broad/multicast
*Feb 25 10:39:03.475:     UDP src=1985, dst=1985xit

We can see that we go through the states but stick at Standby. Realistically, if we had the
election we should become HSRP active, as we both have the default priority and r6 has the
higher IP. But once a router is online as active there is no election, and no preempt by
default, so, like the OSPF DR etc., it really comes down to who boots up first.

we can see from the
r6#sh standby
FastEthernet0/0.146 - Group 10
  State is Standby
    1 state change, last state change 00:05:45
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.164 secs
  Preemption disabled
  Active router is 155.0.146.4, priority 100 (expires in 8.768 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/0.146-10" (default)
r6#

that we are standby, the virtual IP is 155.0.146.254, and the active and local virtual MAC is
0000.0c07.ac0a.
We can see our timers.
We can see preemption is disabled and our default priority is 100.
Let's change preempt:
r6(config)#int fa0/0.146
r6(config-subif)#standby 10 preempt
Now that we have enabled preemption, we will not preempt based on highest IP; it does not go
through the election process. We will only preempt based on priority.

r6(config)#int fa0/0.146
r6(config-subif)#standby 10 priority 110
r6(config-subif)#
*Feb 25 10:47:50.263: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Standby -> Active

Higher priority is better. I configured preemption and a higher priority, so I am now in the
active state.
Let's look at another command.
Notice this command is not group-specific like the other commands:
r6(config-subif)#int fa0/0.146
r6(config-subif)#standby use-bia

r6#sh standby
FastEthernet0/0.146 - Group 10
  State is Active
    2 state changes, last state change 00:02:55
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0013.80e4.901a
    Local virtual MAC address is 0013.80e4.901a (bia)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.572 secs
  Preemption enabled
  Active router is local
  Standby router is 155.0.146.4, priority 100 (expires in 9.564 sec)
  Priority 110 (configured 110)
  IP redundancy name is "hsrp-Fa0/0.146-10" (default)
r6#

Notice the active virtual MAC address has changed to the BIA of r6. This is for situations
where maybe you have port security and do not want the additional virtual MAC on the port.

r4
---
r4#sh st
*Feb 25 10:34:05.891: %SYS-5-CONFIG_I: Configured from console by consoleandby
FastEthernet0/1 - Group 10
  State is Standby
    4 state changes, last state change 00:03:29
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0013.80e4.901a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.432 secs
  Preemption disabled
  Active router is 155.0.146.6, priority 110 (expires in 9.432 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/1-10" (default)
r4#

r6
---
r6(config)#int fa0/0.146
r6(config-subif)#shut
r6(config-subif)#


r4
---
r4#sh standby
FastEthernet0/1 - Group 10
  State is Active
    5 state changes, last state change 00:00:34
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.384 secs
  Preemption disabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/1-10" (default)
r4#
It goes back to using the typical HSRP address, as we did not configure the command on r4.
It will send an ARP reply, even though one was not requested, saying the new MAC for
155.0.146.254 is 0000.0c07.ac0a.

r6
---
I will bring r6 back up and take off use-bia.

r6#sh st
*Feb 25 10:57:04.951: %SYS-5-CONFIG_I: Configured from console by consoleandby
FastEthernet0/0.146 - Group 10
  State is Active
    4 state changes, last state change 00:00:45
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.372 secs
  Preemption enabled
  Active router is local
  Standby router is 155.0.146.4, priority 100 (expires in 7.368 sec)
  Priority 110 (configured 110)
  IP redundancy name is "hsrp-Fa0/0.146-10" (default)
r6#

One thing we notice is that the timers are quite high.

r6(config)#int f0/0.146
r6(config-subif)#standby 10 timers 1 3

We can change them, or we can also use BFD here, which my IOS version does not currently
support.

Ok I am going to make r4 active so preemption is configured the other

r4
--
On r4 I will enable preemption. It is still at the default priority of 100, so it will not preempt.
r4(config)#int fa0/1
r4(config-if)#standby 10 preempt

r6
---
We will look at tracking.
r6(config-subif)#int fa0/0.146
r6(config-subif)#standby 10 track fa0/1 120
r6(config-subif)#

So this basically says: if r6 int fa0/1 goes down, bring down my priority by 120.
This would then mean that r6 has a lower priority than r4, so r4 would take over, as it now
has preempt configured.

r6(config)#int fa0/1
r6(config-if)#shut
r6(config-if)#
*Feb 25 11:25:40.375: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Active -> Speak
*Feb 25 11:25:41.655: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to
administratively down
*Feb 25 11:25:42.655: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to down
*Feb 25 11:25:43.375: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Speak -> Standby

We can see this is indeed what happens.

Now, as we know, tracking an interface may not be the best way to tell upstream reachability:
just because our local interface is up does not mean the service provider has no internal
issues.
So another, more used option is tracking with IP SLA.
So I will just change r6 back.

r6(config)#int fa0/1
r6(config-if)#no shut
r6(config-if)#
*Feb 25 11:27:02.875: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Standby -> Active
*Feb 25 11:27:04.767: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Feb 25 11:27:05.767: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to u

So bb2 has a loopback of 11.2.2.2:
r6#ping 11.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
r6#

which I can reach from r6, so let's use this:
r6(config)#ip sla 1
r6(config-ip-sla)#icmp echo 11.2.2.2
r6(config-ip-sla)#icmp-echo 11.2.2.2
r6(config-ip-sla-echo)#frequency 5
r6(config-ip-sla-echo)#timeout 2000
r6(config-ip-sla-echo)#exit
r6(config)#ip sla schedule 1 start-time now life forever

r6(config)#track 2 rtr 1

r6#sh track
Track 2
  Response Time Reporter 1 state
  State is Up
    1 change, last change 00:00:32
  Latest operation return code: OK
  Latest RTT (millisecs) 1
r6#

r6(config)#int fa0/0.146
r6(config-subif)#standby 10 track 2
r6(config-subif)#standby 10 track 2 decrement 120
At the moment:
r6#sh standby
FastEthernet0/0.146 - Group 10
  State is Active
    10 state changes, last state change 00:07:45
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 1 sec, hold time 3 sec
    Next hello sent in 0.032 secs
  Preemption enabled
  Active router is local
  Standby router is 155.0.146.4, priority 100 (expires in 2.008 sec)
  Priority 110 (configured 110)
    Track interface FastEthernet0/1 state Up decrement 120
    Track object 2 state Up decrement 120
  IP redundancy name is "hsrp-Fa0/0.146-10" (default)

BB2
---
bb2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
bb2(config)#int lo0
bb2(config-if)#shut
bb2(config-if)#
access#5
r6
----
r6#
*Feb 25 11:35:31.895: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Active -> Speak

r6#sh standby
FastEthernet0/0.146 - Group 10
  State is Standby
    12 state changes, last state change 00:00:27
  Virtual IP address is 155.0.146.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 1 sec, hold time 3 sec
    Next hello sent in 0.556 secs
  Preemption enabled
  Active router is 155.0.146.4, priority 100 (expires in 2.560 sec)
  Standby router is local
  Priority 0 (configured 110)
    Track interface FastEthernet0/1 state Up decrement 120
    Track object 2 state Down decrement 120
  IP redundancy name is "hsrp-Fa0/0.146-10" (default)
r6#
*Feb 25 11:35:34.895: %HSRP-5-STATECHANGE: FastEthernet0/0.146 Grp 10 state Speak -> Standby
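
The tracking behaviour in this lab only produces a failover when the decrement takes the active router below its peer and the peer has preempt configured. The following is an added example, not part of the original lab: it parses `sh standby` text from both routers and reports, for each tracked item, whether its failure would hand over the active role and whether the role would come back afterwards. The sample captures are constructed from the output above, the function names are hypothetical, and the floor of 0 and the strictly-higher priority rule are assumptions taken from the "Priority 0 (configured 110)" line and the preempt notes on this page.

```python
import re

# Constructed sample: abbreviated "sh standby" captures modelled on the lab output
# (r6 tracks Fa0/1 and track object 2; r4 has preemption enabled).
R6_STANDBY = """\
FastEthernet0/0.146 - Group 10
  State is Active
  Virtual IP address is 155.0.146.254
  Preemption enabled
  Active router is local
  Standby router is 155.0.146.4, priority 100 (expires in 2.008 sec)
  Priority 110 (configured 110)
    Track interface FastEthernet0/1 state Up decrement 120
    Track object 2 state Up decrement 120
"""
R4_STANDBY = """\
FastEthernet0/1 - Group 10
  State is Standby
  Virtual IP address is 155.0.146.254
  Preemption enabled
  Active router is 155.0.146.6, priority 110 (expires in 2.560 sec)
  Standby router is local
  Priority 100 (default 100)
"""

PRIORITY = re.compile(r"Priority (\d+) \((?:configured|default) (\d+)\)")
TRACK = re.compile(r"Track (interface|object) (\S+) state (\w+) decrement (\d+)")


def parse_show_standby(text):
    """Extract preempt setting, priorities and tracked items from 'sh standby'."""
    info = {"preempt": False, "tracks": []}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Preemption"):
            info["preempt"] = (s == "Preemption enabled")
        m = PRIORITY.match(s)
        if m:
            info["priority"] = int(m.group(1))    # current, after decrements
            info["configured"] = int(m.group(2))  # before any decrement
        m = TRACK.match(s)
        if m:
            info["tracks"].append({"kind": m.group(1), "name": m.group(2),
                                   "state": m.group(3), "decrement": int(m.group(4))})
    return info


def failover_report(active, peer):
    """For each item tracked on the active router, evaluate a single failure."""
    report = []
    for t in active["tracks"]:
        # Assumption: priority floors at 0, as in "Priority 0 (configured 110)".
        degraded = max(0, active["configured"] - t["decrement"])
        # The peer takes over only with preempt and a strictly higher priority.
        takes_over = peer["preempt"] and peer["priority"] > degraded
        # After recovery the original router returns only with its own preempt.
        fails_back = active["preempt"] and active["configured"] > peer["priority"]
        report.append({"track": "%s %s" % (t["kind"], t["name"]),
                       "degraded_priority": degraded,
                       "peer_takes_over": takes_over,
                       "fails_back": fails_back})
    return report


if __name__ == "__main__":
    r6 = parse_show_standby(R6_STANDBY)
    r4 = parse_show_standby(R4_STANDBY)
    for row in failover_report(r6, r4):
        print(row)
```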