
Implementing High Availability
Options in MLS with HSRP
CIS 187 Multilayer Switched Networks
CCNP 3 version 4
Rick Graziani
Fall 2006
Rick Graziani 2
Implementing High Availability

To achieve high network availability, the following network
components are required:

Reliable, fault-tolerant network devices— Hardware and
software reliability to automatically identify and overcome
failures.

Device and link redundancy— Entire devices may be redundant
or modules within devices may be redundant. Links may also
be redundant.

Resilient network technologies— Intelligence that ensures
fast recovery around any device or link failure.

Optimized network design— Well-defined network topologies
and configurations designed to ensure that there is no
single point of failure.

Best practices— Documented procedures for deploying and
maintaining a robust e-commerce network infrastructure.

Change control— Better control over changes made to network
devices and maintenance of documentation regarding those
changes.

High Availability: 6 Years and counting

Single Forwarding Path vs Redundancy

Implementing High Availability

The network devices that provide redundancy do not
need to be co-located in the same physical location.

This reduces the probability that problems with the
physical environment, such as a power outage or
other environmental issue, will interrupt service.

Paraphrasing Jim Warner, Network Engineer at UCSC,
‘When adding redundancy, know what you are trying to
protect yourself from. It doesn’t help to have
redundant devices when there is a power failure, or
redundant links when the cables are laid in the same
conduit.’
Redundancy can be used for load balancing

With appropriate resiliency features combined with
careful design and configuration, the traffic load
between the respective layers of the network
topology (that is, Building Access submodule to
Building Distribution submodule) can be shared
between the primary and secondary forwarding paths.

Therefore, network-level redundancy can also provide
increased aggregate performance and capacity.
(Figure: HSRP Load Balancing)

Implementing Default Gateway Router
Redundancy in Multilayer Switched Networks

The availability of a default gateway router is a must for
hosts in a multilayer switched network.

There are several ways a LAN host can determine which router
should be the first hop to a particular remote destination.

The host can use a dynamic process or static configuration.

Examples of dynamic router discovery are as follows:

Proxy ARP— The host uses Address Resolution Protocol (ARP) to
determine the next-hop MAC address for off-network
destinations. Local routers respond to the ARP request with
their own MAC address.

Routing protocol— The host listens to dynamic routing
protocol updates (for example, Routing Information Protocol
[RIP]) and forms its own routing table.

ICMP Router Discovery Protocol (IRDP) client— The host runs
an Internet Control Message Protocol (ICMP) router discovery
client.

Static/DHCP – Host is statically configured or uses DHCP.

Proxy ARP

The Host A (172.16.10.100)
on Subnet A needs to send
packets to Host D
(172.16.20.200) on Subnet B.

Host A has a /16 subnet
mask.

Host A believes that it is
directly connected to all of
network 172.16.0.0.

Host A is really on the
172.16.10.0/24 network, as
segmented by the router, but
Host A does not know that.

When Host A needs to
communicate with any devices
it believes are directly
connected, it will send an
ARP request to the
destination.

Therefore, when Host A needs
to send a packet to Host D,
Host A believes that Host D
is directly connected, so it
sends an ARP request to Host
D.
(Figure, Host A: “I am on the 172.16.0.0/16
network so I can reach
172.16.20.200!”)
Proxy ARP

To reach Host D
(172.16.20.200), Host A
needs the MAC address of
Host D.

This is a layer 2 Ethernet
broadcast (FFFF.FFFF.FFFF).
(Figure, ARP Request: “Hey everyone
on my network, whoever is
172.16.20.200, send me your
Ethernet MAC address!”)


The ARP request reaches all
the nodes in Subnet A,
including the router's e0
interface, but does not reach
Host D.

The broadcast will not reach
Host D because routers, by
default, do not forward
broadcasts.
Proxy ARP

Since the router knows that
the target address
(172.16.20.200) is on another
subnet and can reach Host D,
it will reply with its own MAC
address to Host A.
(Figure, Router: “I can
reach 172.16.20.200 on
another network, so I will
reply to Host A with
my MAC address.”)

This is the Proxy ARP reply that the
router sends to Host A.

The proxy ARP reply packet is
encapsulated in an Ethernet
frame with the router's MAC address
as the source address and Host
A's MAC address as the
destination address.

ARP replies are always
unicast to the original requester.

On receiving this ARP reply, Host
A updates its ARP table accordingly.
(Figure: Host A’s ARP table after the Proxy ARP Reply)

Proxy ARP

From now on Host A will
forward all the packets
that it wants to reach
172.16.20.200 (Host D)
to the MAC address
00-00-0c-94-36-ab
(router).

Since the router knows
how to reach Host D,
the router forwards the
packet to Host D.

The ARP cache on the
hosts in Subnet A is
populated with the MAC
address of the router
for all the hosts on
Subnet B.

Hence, all packets
destined to Subnet B
are sent to the router.

The router forwards
those packets to the
hosts in Subnet B.
(Figure: Host A’s ARP table)

Proxy ARP
(Figure: Host A’s ARP table)

Non Proxy ARP
Different situation and addresses: Host A pings Host B
(Figure: ARP Request/Reply)

What if Host A has a packet
to send Host B?

In this case, both the
Router and Host B will
receive the ARP Request (MAC
broadcast).

The ARP Request is an ARP
message in an L2 Ethernet
frame, with no IP packet.

The switch will flood this
broadcast out all ports.

Host B will send an ARP
Reply, an L2 Ethernet frame
with no IP packet.

When only L2 is involved and
no IP, devices on the
same Ethernet segment
communicate directly.

Now, let's see what happens
when IP gets involved.
(Figure: Host B is 172.16.20.200/24 with MAC 0000.0c94.36bb; after the ARP Request/Reply, Host A’s ARP table maps 172.16.20.200 to 00-00-0c-94-36-bb)

Non Proxy ARP
IP and ICMP Echo Request/Reply

Host A sends the Echo
Request to Host B (L2
frame with MAC of Host
B).

Host B wants to send
Echo Reply, BUT sees
source and destination
IP addresses on
different networks.

Host B sends ARP
Request (after checking
ARP cache) for default
gateway, Router.

Router sends ARP Reply.

Host B sends ICMP Echo
Reply to Router.

Router sends ICMP Echo
Reply to Host A.
(Figure: ICMP Echo Request and Echo Reply; Host A’s ARP table maps 172.16.20.200 to 00-00-0c-94-36-bb; Host B is 172.16.20.200/24, MAC 0000.0c94.36bb)

Proxy ARP

Proxy ARP is enabled by default.

Proxy ARP can be disabled on a per-interface basis
with the interface configuration command no ip proxy-arp.

To enable proxy ARP on an interface, use the ip
proxy-arp interface configuration command.

Router(config)# interface ethernet 0
Router(config-if)# no ip proxy-arp

Proxy ARP

Proxy ARP should be used on networks where IP
hosts are not configured with a default gateway or
do not have any routing intelligence.

Disadvantages of Proxy ARP

Hosts have no idea of the physical details of their
network and assume it to be a flat network in which
they can reach any destination simply by sending an
ARP request.

But using ARP for everything has disadvantages, some
of which are listed below:

It increases the amount of ARP traffic on your segment.

Hosts need larger ARP tables to handle IP-to-MAC address
mappings.

Security may be undermined. A machine can claim to be another in
order to intercept packets, an act called "spoofing."

It does not work for networks that do not use ARP for address
resolution.

It does not generalize to all network topologies (for example, more
than one router connecting two physical networks).
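The spoofing point in the list above is one a defender can act on by watching ARP replies on the segment. The Python below is an added example, not part of the original slides: it runs an arpwatch-style binding check over a few constructed ARP-reply records, flags an IP whose MAC changes (and the flip-flop pattern of two MACs alternating for one IP), and separately lists MACs that answer for many IPs, which is the normal signature of a proxy ARP router rather than an alarm on its own. The addresses, the MACs other than the router's, and the 60-second flip-flop window are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP-reply observations for the example: (seconds, sender IP, sender MAC).
OBSERVED_REPLIES = [
    (0,  "172.16.10.1",   "0000.0c94.36ab"),   # router's own interface address
    (1,  "172.16.20.200", "0000.0c94.36ab"),   # proxy ARP: router answers for Host D
    (2,  "172.16.20.201", "0000.0c94.36ab"),   # proxy ARP again: same MAC, another IP
    (3,  "172.16.10.50",  "0000.0c11.5050"),   # an ordinary host on Subnet A
    (40, "172.16.10.1",   "0000.0cde.ad00"),   # gateway IP now claimed by a different MAC
    (41, "172.16.10.1",   "0000.0c94.36ab"),
    (42, "172.16.10.1",   "0000.0cde.ad00"),   # and back again: a flip-flop
]


def detect_binding_changes(replies, flipflop_window=60):
    """arpwatch-style check: alert whenever an IP's MAC differs from the last one seen.

    Proxy ARP legitimately maps many IPs to one MAC; that produces no alert here,
    because the check keys on one IP changing MAC, not on one MAC owning many IPs.
    A MAC that was already seen for this IP within flipflop_window seconds makes
    the alert a "flip-flop" rather than a plain "changed".
    """
    current = {}                    # ip -> last MAC seen
    history = defaultdict(list)     # ip -> [(time, mac), ...]
    alerts = []
    for t, ip, mac in replies:
        previous = current.get(ip)
        if previous is not None and previous != mac:
            recent = {m for ts, m in history[ip] if t - ts <= flipflop_window}
            kind = "flip-flop" if mac in recent else "changed"
            alerts.append({"time": t, "ip": ip, "old": previous, "new": mac, "kind": kind})
        current[ip] = mac
        history[ip].append((t, mac))
    return alerts


def macs_answering_for_many_ips(replies):
    """Which MACs answer ARP for more than one IP.

    Expected for a proxy ARP router (it answers for every host on Subnet B),
    so this is context for the analyst, not an alert by itself.
    """
    ips_by_mac = defaultdict(set)
    for _, ip, mac in replies:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for a in detect_binding_changes(OBSERVED_REPLIES):
        print(f"t={a['time']:>3}s {a['kind']:9s} {a['ip']}: {a['old']} -> {a['new']}")
    print("MACs answering for several IPs:", macs_answering_for_many_ips(OBSERVED_REPLIES))
```

A changed binding is not proof of spoofing (a replaced NIC or a legitimate HSRP failover also changes the MAC behind an address); the value of the check is that the gateway address changing MAC, or flip-flopping, is exactly what an analyst wants to look at first.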

Proxy ARP

(Figure: the host’s ARP entry has
Router A’s MAC address
for File Server A.)


With proxy ARP, the host
behaves as if the
destination device is
connected to the same
segment of the network.

If the responsible
router fails, the source
end station continues to
send packets for the
destination to the MAC
address of that router.

Those packets
subsequently are
discarded.

Proxy ARP

To acquire the MAC address of
the failover router, the
source end station must
either:
– initiate another ARP request, or
– wait for the ARP entry to be flushed
dynamically.

The ARP flush timer
determines the period of time
in which the source end
station cannot communicate
with the destination even
though the routing protocol
has converged.

Once the ARP flushes the
entry due to flush timer
expiry, the host recovers the
default gateway MAC address.

Nevertheless, Cisco does not
recommend the use of proxy
ARP, because it makes
troubleshooting very
difficult.

In addition, proxy ARP does
not scale at all in medium-
size to large networks.
(Figure captions: Router A is down, but the host’s ARP entry
is still Router A, so packets continue to be dropped.
Once the ARP entry times out on the host, it sends another ARP
Request; Router B sends a Proxy ARP Reply with its MAC address,
and the host now sends packets to Router B for File Server A.)
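To tie the proxy ARP resolution on slides 10 through 13 and the failover weakness on slides 19 and 20 together, here is an added Python model (example code, not from the original slide deck and not Cisco's) of a host with a /16 mask on Subnet A, a router that answers with proxy ARP, and a second router whose MAC the host only learns after its ARP flush timer expires. Router A's MAC address is the one shown on the slides; Router B's MAC, Host A's MAC, the router interface addresses and the 240-second flush timer are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed ARP cache flush timer for the model; real values are platform-specific.
ARP_FLUSH_SECONDS = 240


@dataclass
class Router:
    name: str
    mac: str
    lan_ip: str             # interface address on Subnet A
    routes_to: list         # remote subnets this router can forward to
    up: bool = True
    proxy_arp: bool = True  # the slides' "ip proxy-arp" (on by default)

    def arp_reply(self, target_ip):
        """MAC this router answers with for an ARP request, or None."""
        if not self.up:
            return None
        if target_ip == self.lan_ip:
            return self.mac          # ordinary ARP for the router's own address
        reachable = any(ipaddress.ip_address(target_ip) in ipaddress.ip_network(n)
                        for n in self.routes_to)
        if self.proxy_arp and reachable:
            return self.mac          # proxy ARP: answer with our own MAC
        return None


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    prefix_len: int
    up: bool = True
    arp_cache: dict = field(default_factory=dict)   # ip -> (mac, learned_at)

    def believes_local(self, dst_ip):
        """With a /16 mask Host A thinks all of 172.16.0.0 is on its own wire."""
        net = ipaddress.ip_network(f"{self.ip}/{self.prefix_len}", strict=False)
        return ipaddress.ip_address(dst_ip) in net

    def arp_reply(self, target_ip):
        return self.mac if self.up and target_ip == self.ip else None

    def flush_expired(self, now):
        self.arp_cache = {ip: (mac, t) for ip, (mac, t) in self.arp_cache.items()
                          if now - t < ARP_FLUSH_SECONDS}


class Segment:
    """Switched Ethernet segment: the ARP broadcast is flooded to every attached node."""
    def __init__(self, nodes):
        self.nodes = nodes

    def arp_request(self, target_ip):
        replies = [n.arp_reply(target_ip) for n in self.nodes]
        replies = [r for r in replies if r is not None]
        return replies[0] if replies else None       # first responder wins

    def frame_delivered(self, dst_mac):
        """True only if a live node with dst_mac is on this segment."""
        return any(n.mac == dst_mac and n.up for n in self.nodes)


def next_hop_mac(host, segment, dst_ip, now):
    """MAC the host puts on frames for dst_ip at time `now`, or None."""
    host.flush_expired(now)
    if not host.believes_local(dst_ip):
        return None   # would need a configured default gateway; not modelled here
    if dst_ip not in host.arp_cache:
        mac = segment.arp_request(dst_ip)
        if mac is None:
            return None
        host.arp_cache[dst_ip] = (mac, now)
    return host.arp_cache[dst_ip][0]


def run_scenario():
    """Resolution via proxy ARP, then Router A fails, then recovery after the flush."""
    router_a = Router("Router A", "0000.0c94.36ab", "172.16.10.1", ["172.16.20.0/24"])
    router_b = Router("Router B", "0000.0c94.36ff", "172.16.10.2", ["172.16.20.0/24"])  # constructed
    host_a = Host("Host A", "0000.0c11.1111", "172.16.10.100", 16)   # /16 mask as on the slides
    subnet_a = Segment([host_a, router_a, router_b])                  # Host D is not on this segment
    host_d = "172.16.20.200"

    result = {}
    mac = next_hop_mac(host_a, subnet_a, host_d, now=0)
    result["initial"] = (mac, subnet_a.frame_delivered(mac))          # Router A via proxy ARP

    router_a.up = False                                               # Router A fails
    mac = next_hop_mac(host_a, subnet_a, host_d, now=60)              # cache entry still valid
    result["after_failure"] = (mac, subnet_a.frame_delivered(mac))    # stale MAC, frames dropped

    mac = next_hop_mac(host_a, subnet_a, host_d, now=ARP_FLUSH_SECONDS + 1)
    result["after_flush"] = (mac, subnet_a.frame_delivered(mac))      # re-ARP, Router B answers
    return result


if __name__ == "__main__":
    for phase, (mac, delivered) in run_scenario().items():
        print(f"{phase:14s} next hop {mac}  delivered={delivered}")
```

The middle phase is the point of slides 19 and 20: the routing protocol may already have converged around Router A, but Host A keeps framing packets to Router A's MAC until the cache entry ages out, and nothing on the host notices the loss in the meantime.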

IRDP – ICMP Router Discovery Message Protocol

IP hosts may use IRDP to find
a new path when an existing
primary router becomes
unavailable.

IRDP is an extension to ICMP
that provides a mechanism for
routers to advertise useful
default routes.

IRDP offers several
advantages over other methods
of discovering addresses of
neighboring routers.

For example, IRDP does not
require hosts to recognize
routing protocols, nor does
IRDP require manual
configuration by an
administrator.

IRDP – ICMP Router Discovery Message Protocol

A host that uses IRDP:

Listens for hello multicast
messages from the preferred
default router.

The IRDP-based advertisements are
considered valid only for a
predefined lifetime value.

If a new advertisement is not
seen during that lifetime, the
router address is considered
invalid and the host removes the
corresponding default route.

The IRDP protocol allows for
varying timing values.

A lifetime value is included in
the header of every IRDP
advertisement.

A host uses the router address
only for the specified number of
lifetime seconds after the most
recent advertisement.
(Figure: IRDP Advertisements; host: “I will use Router A as my default gateway.”)

IRDP – ICMP Router Discovery Message Protocol

IRDP Advertisements are sent
every 7 to 10 minutes.

The default lifetime the
Host will keep the IRDP
Advertisement is 30 minutes.

However, the router has
complete control over the
interval and lifetime
values, and thus can control
the period of time during
which the addresses are
considered valid.

For more details, consult
RFC 1256.
(Figure: IRDP Advertisements; host: “I haven’t heard from Router A in a while, so I will use Router B.”)

IRDP – ICMP Router Discovery Message Protocol

As with other host redundancy methods, IRDP is not very
common and is very difficult to troubleshoot in medium-
size to large networks.

Most enterprise and service provider networks do not use
dynamic discovery protocols, and instead rely on
administrators to statically configure a default router on
end devices.

From RFC 1256:

“This means that, using the default values, the
advertisements are not sufficient as a mechanism for
"black hole" detection, i.e., detection of failure of the
first hop of an active path -- ideally, black holes should
be detected quickly enough to switch to another router
before any transport connections or higher-layer sessions
time out. It is assumed that hosts already have mechanisms
for black hole detection…”
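The RFC's black-hole point can be made concrete with the timing values from these slides. The Python below is an added example, not part of the original deck: a host keeps an IRDP router list with a per-router lifetime and picks the highest-preference router that is still live, and the simulation shows how long a failed preferred router stays in use under the RFC 1256 defaults (advertisements every 600 s, lifetime 1800 s, which are the "7 to 10 minutes" and "30 minutes" on the slides) against tighter values a router can be configured with. The router addresses, preference values and the failure time are constructed.

```python
from dataclasses import dataclass

# RFC 1256 defaults: MaxAdvertisementInterval 600 s, AdvertisementLifetime 3 * 600 s.
MAX_ADVERT_INTERVAL = 600
DEFAULT_LIFETIME = 3 * MAX_ADVERT_INTERVAL   # 1800 s, the slides' 30 minutes


@dataclass
class Advertisement:
    time: int          # seconds when the host received it
    router_ip: str
    preference: int    # higher is preferred, as in RFC 1256
    lifetime: int      # seconds the host may keep using this router


class IrdpHost:
    """Host-side router list: every advertisement refreshes a router's expiry."""

    def __init__(self):
        self.routers = {}   # router_ip -> (preference, expires_at)

    def receive(self, adv):
        self.routers[adv.router_ip] = (adv.preference, adv.time + adv.lifetime)

    def default_router(self, now):
        """Highest-preference router whose lifetime has not run out (ties by address)."""
        live = [(pref, ip) for ip, (pref, exp) in self.routers.items() if now < exp]
        return max(live)[1] if live else None


# Constructed addresses for the two routers on the slides.
ROUTER_A = "172.16.10.1"
ROUTER_B = "172.16.10.2"


def simulate_failover(interval, lifetime, router_a_fails_at, horizon):
    """Router A (preferred) advertises every `interval` s until it fails at
    router_a_fails_at; Router B keeps advertising. Returns the second at which
    the host first stops using Router A and the resulting black-hole duration."""
    host = IrdpHost()
    switched_at = None
    for now in range(horizon):
        if now % interval == 0:
            if now < router_a_fails_at:
                host.receive(Advertisement(now, ROUTER_A, 100, lifetime))
            host.receive(Advertisement(now, ROUTER_B, 50, lifetime))
        if (switched_at is None and now >= router_a_fails_at
                and host.default_router(now) != ROUTER_A):
            switched_at = now
    if switched_at is None:
        return None, None
    return switched_at, switched_at - router_a_fails_at


if __name__ == "__main__":
    # Router A dies at t=1300 s, shortly after its advertisement at t=1200 s.
    for label, interval, lifetime in (("RFC defaults", MAX_ADVERT_INTERVAL, DEFAULT_LIFETIME),
                                      ("tight timers", 30, 90)):
        switched, black_hole = simulate_failover(interval, lifetime, 1300, 4000)
        print(f"{label:12s}: host leaves Router A at t={switched}s, "
              f"black hole lasted {black_hole}s")
```

With the defaults the host keeps sending to the dead router for 1700 s, well past any transport timeout, which is the RFC's point that advertisements alone are not a black-hole detector; shortening the interval and lifetime bounds the outage at the cost of more multicast traffic, and the router, not the host, controls both values.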
