April 30, 2010

Configuring HSRP on Cisco Routers

Filed under: Networking — Tim Lefler @ 1:29 pm

 

Hot Standby Router Protocol (HSRP) is a Cisco-proprietary redundancy protocol for establishing a fault-tolerant default gateway, and is described in detail in RFC 2281.

The protocol establishes a framework between network routers in order to achieve default gateway failover if the primary gateway should become inaccessible,[1] and it is normally paired with a fast-converging routing protocol such as EIGRP or OSPF. The routers in an HSRP group multicast hello messages to 224.0.0.2 (all routers) on UDP port 1985 (this is HSRP version 1; version 2 uses 224.0.0.102), and each hello carries the sending router's configured priority. The router with the highest priority becomes active for the group: it owns the pre-defined virtual gateway IP and answers ARP requests from hosts on the LAN with the virtual MAC address 0000.0c07.acXX, where XX is the group number in hex. If two routers have the same priority, the one with the higher interface IP address wins. If the active router fails, so that its hellos stop arriving within the hold time, the router with the next-highest priority takes over the virtual IP and answers ARP requests with the same MAC address, so hosts see a transparent default-gateway failover.

The idea is that only one router in the group, the active one, answers ARP requests for the virtual address at any one time.
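To make the hello exchange described above concrete, here is an added example (not code from the original post or from Cisco) that builds and parses the 20-byte HSRP version 1 header defined in RFC 2281, derives the 0000.0c07.acXX virtual MAC from the group number, and applies the election rule (highest priority, ties to the higher interface IP). The hello values and interface addresses are constructed from this post's example; the parser only handles the HSRP payload, not the IP/UDP headers around it. It also flags hellos that still carry the RFC's plaintext default authentication string "cisco", which is what a router sends when no authentication has been configured.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

# HSRP version 1 as specified in RFC 2281 (the version the configuration on
# this page uses): hellos go to 224.0.0.2, UDP port 1985, in a 20-byte header.
HSRP_MCAST = "224.0.0.2"
HSRP_PORT = 1985
OP_HELLO, OP_COUP, OP_RESIGN = 0, 1, 2
STATE_NAMES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco"          # RFC 2281 default (plaintext) authentication data
_HEADER = "!BBBBBBBB8s4s"        # version, opcode, state, hellotime, holdtime,
                                 # priority, group, reserved, auth data, virtual IP


@dataclass
class HsrpHello:
    group: int
    priority: int
    virtual_ip: str
    state: int = 16              # Active
    hellotime: int = 3           # RFC 2281 defaults, in seconds
    holdtime: int = 10
    opcode: int = OP_HELLO
    auth: bytes = DEFAULT_AUTH

    def pack(self) -> bytes:
        """Serialise to the on-the-wire HSRPv1 header (the UDP payload)."""
        return struct.pack(_HEADER, 0, self.opcode, self.state, self.hellotime,
                           self.holdtime, self.priority, self.group, 0,
                           self.auth.ljust(8, b"\x00"),
                           IPv4Address(self.virtual_ip).packed)

    @classmethod
    def unpack(cls, data: bytes) -> "HsrpHello":
        """Parse a captured UDP payload; rejects anything that is not HSRPv1."""
        if len(data) < struct.calcsize(_HEADER):
            raise ValueError("HSRPv1 header is 20 bytes")
        (version, opcode, state, hellotime, holdtime, priority, group,
         _reserved, auth, vip) = struct.unpack(_HEADER, data[:20])
        if version != 0:
            raise ValueError(f"not HSRP version 1 (version byte {version})")
        return cls(group=group, priority=priority, virtual_ip=str(IPv4Address(vip)),
                   state=state, hellotime=hellotime, holdtime=holdtime,
                   opcode=opcode, auth=auth.rstrip(b"\x00"))


def virtual_mac(group: int) -> str:
    """HSRPv1 virtual MAC 0000.0c07.acXX, XX = group number in hex (Cisco dotted form)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group numbers are 0-255")
    return f"0000.0c07.ac{group:02x}"


def elect_active(routers: List[Tuple[str, int]]) -> str:
    """Given (interface IP, priority) pairs, return the IP of the router that
    becomes Active: highest priority wins, equal priorities go to the higher IP."""
    return max(routers, key=lambda r: (r[1], int(IPv4Address(r[0]))))[0]


def uses_default_auth(hello: HsrpHello) -> bool:
    """True when the hello still carries the plaintext default string 'cisco'."""
    return hello.auth == DEFAULT_AUTH


if __name__ == "__main__":
    # Constructed hello for the primary router in this post's example.
    primary = HsrpHello(group=1, priority=105, virtual_ip="10.1.1.1")
    wire = primary.pack()
    decoded = HsrpHello.unpack(wire)
    print(wire.hex())
    print(f"group {decoded.group} {STATE_NAMES[decoded.state]} prio {decoded.priority} "
          f"vip {decoded.virtual_ip} vmac {virtual_mac(decoded.group)} "
          f"default auth: {uses_default_auth(decoded)}")
    print("active:", elect_active([("10.1.1.2", 105), ("10.1.1.3", 100)]))
    print("active with equal priorities:", elect_active([("10.1.1.2", 105), ("10.1.1.3", 105)]))
```

The last line of the demo is worth noting: when both routers are left at the same priority, the tie-break hands the active role to the higher address, 10.1.1.3, not to the router you intended as primary, so the two routers' priorities in an HSRP group should always differ.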

So for my example let's say we have the two routers depicted below. The HSRP standby (virtual) address will be 10.1.1.1, and this is the default gateway that hosts route their traffic through.

Setup is really pretty basic: define the interface, give it the router's own address, and then add the shared standby address, which is the gateway address the hosts will use (10.1.1.1 in our example). The example below is a dot1Q subinterface carrying VLAN 3874 on the first router.

interface GigabitEthernet0/0.40
 description Trunk port interface with HSRP defined.
 encapsulation dot1Q 3874
 ip address 10.1.1.2 255.255.255.0                    ! This router's own address
 standby 1 ip 10.1.1.1                                ! Shared virtual (gateway) address for group 1
 standby 1 priority 105                               ! Higher than the default of 100, primary router
 standby 1 preempt                                    ! Router with highest priority takes the active role back after recovering

The second router’s configuration as backup.

interface GigabitEthernet0/0.40
 description Trunk port interface with HSRP defined.
 encapsulation dot1Q 3874
 ip address 10.1.1.3 255.255.255.0                    ! This router's own address
 standby 1 ip 10.1.1.1                                ! Same virtual address and group as the primary
 standby 1 priority 100                               ! Lower priority (the default), backup router
 standby 1 preempt                                    ! Router with highest priority is active

This same technique and syntax can be applied to VLAN (SVI) interfaces on a switch as well. Used in conjunction with Cisco Port-Channels it is a simple and effective method of offering highly available routing. One caveat from RFC 2281: the hellos are protected only by an eight-byte plaintext authentication string, which defaults to "cisco", and the election simply follows the highest priority seen in the hellos. On segments where hosts other than your routers can reach the HSRP multicast traffic, configure "standby 1 authentication md5 key-string <key>" (your own shared secret, the same on every router in the group) rather than relying on the default.

March 3, 2010

My definition of DHCP-snooping

Filed under: Information Technology,Security — Tim Lefler @ 2:04 pm

Cisco’s Overview of DHCP Snooping

DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch.

Well, thanks for that extremely clear overview... what is actually going on? Let's say you have a switch. You hook a DHCP server up to port #1 and designate it a "trusted" interface, and all of the remaining ports, which will have client devices connected to them, stay "untrusted" (the default trust state). You would set this up using the commands:

! *** Enable DHCP Snooping & ARP Inspection ***
ip dhcp snooping vlan 100                    ! snoop DHCP on the workstation VLAN
no ip dhcp snooping information option       ! do not insert option 82 (relay agent information) into client requests
ip dhcp snooping database flash:/dhcpdb.dat  ! keep the binding table across reloads
ip dhcp snooping                             ! global enable
ip arp inspection vlan 100                   ! DAI validates ARP on VLAN 100 against the snooping bindings
 
! *** Untrusted Access Interfaces for DHCP (untrusted is the default, so no trust command is needed) ***
interface range FastEthernet1/0/2 - 48
 description Workstation
 switchport access vlan 100
 switchport mode access
 no mdix auto
 
interface range FastEthernet2/0/1 - 48
 description Workstation
 switchport access vlan 100
 switchport mode access
 no mdix auto
 
! *** Trusted Access Interface for DHCP ***
interface FastEthernet1/0/1
 description DHCP Server
 switchport access vlan 100
 switchport mode access
 no mdix auto
 ip dhcp snooping trust                      ! server replies (OFFER/ACK/NAK) are only accepted from here
 ip arp inspection trust                     ! the server's static address has no snooping binding, so DAI would otherwise drop its ARP

DHCP client requests are forwarded regardless of the trust state of the ingress port, but DHCP server responses (OFFER, ACK, NAK) that arrive on an untrusted port are dropped. That is what stops a rogue or misconfigured DHCP server plugged into a workstation port from handing out addresses.

So let's say on port #2 the switch sees a DHCPDISCOVER float by from a DHCP client. Because it is a broadcast, the frame is flooded to all ports in the VLAN (client messages are never filtered by trust state). The DHCP server connected to port #1 sees the discover and sends a DHCPOFFER back to the client (unicast to the client's MAC, or broadcast if the client set the broadcast flag). Because it arrived on a "trusted" port, the offer is allowed through. The client receives the offer, chooses one from all the offers it received, and broadcasts a DHCPREQUEST for it. The server then responds with a DHCPACK that includes the configuration parameters and the committed network address. At this point the switch records the client's binding (port, VLAN, MAC address, IP address and lease time) in its local snooping database, which is also the table DAI later checks ARP packets against.
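The exchange above, as an added example that is not part of the original post or of Cisco's software: a Python model of the forwarding decision a snooping switch makes for each DHCP packet and of the binding table it builds from the DHCPACK, plus the check Dynamic ARP Inspection performs against that table. It reproduces the IOS default behaviour on untrusted ports (drop server messages, drop packets whose Ethernet source does not match the DHCP chaddr, drop a RELEASE or DECLINE for a binding learned on a different port). Port names, MAC addresses, leases and the 10.100.0.0/24 addresses are constructed for the example, and a single trust set stands in for the two separate IOS commands.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# DHCP message types, option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MESSAGES = {OFFER, ACK, NAK}          # only legitimate when sent by a DHCP server


@dataclass
class DhcpPacket:
    """The fields of a DHCP frame that snooping inspects (constructed for this example)."""
    ingress_port: str
    vlan: int
    src_mac: str              # Ethernet source address
    msg_type: int             # option 53
    chaddr: str               # client hardware address in the DHCP header
    yiaddr: str = "0.0.0.0"   # address the server assigns (OFFER/ACK)
    lease: int = 0            # option 51, seconds


@dataclass
class Binding:
    """One row of the snooping binding table, as 'show ip dhcp snooping binding' lists it."""
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str
    binding_type: str = "dhcp-snooping"


class DhcpSnoopingSwitch:
    def __init__(self, snooping_vlans: Set[int], trusted_ports: Set[str]):
        self.snooping_vlans = snooping_vlans  # 'ip dhcp snooping vlan N' and 'ip arp inspection vlan N'
        # One trust set serves both features in this model; IOS sets them separately
        # with 'ip dhcp snooping trust' and 'ip arp inspection trust'.
        self.trusted_ports = trusted_ports
        self.bindings: Dict[Tuple[str, int], Binding] = {}
        self._client_port: Dict[Tuple[str, int], str] = {}   # last untrusted port per client

    def process(self, pkt: DhcpPacket) -> str:
        """Decide one DHCP packet: 'forward' or 'drop: <reason>'."""
        if pkt.vlan not in self.snooping_vlans:
            return "forward"                        # snooping not enabled on this VLAN
        key = (pkt.chaddr.lower(), pkt.vlan)
        if pkt.ingress_port in self.trusted_ports:
            if pkt.msg_type == ACK:                 # the committed lease: learn the binding
                self._learn(pkt, key)
            return "forward"
        # Checks applied to packets arriving on untrusted ports.
        if pkt.msg_type in SERVER_MESSAGES:
            return "drop: server message on untrusted port"
        if pkt.src_mac.lower() != pkt.chaddr.lower():   # 'ip dhcp snooping verify mac-address' (default on)
            return "drop: source MAC does not match chaddr"
        if pkt.msg_type in (RELEASE, DECLINE):
            bound = self.bindings.get(key)
            if bound is not None and bound.interface != pkt.ingress_port:
                return "drop: release/decline for a binding learned on another port"
            if bound is not None:
                del self.bindings[key]              # client gave the lease up; remove the row
        self._client_port[key] = pkt.ingress_port
        return "forward"

    def _learn(self, ack: DhcpPacket, key: Tuple[str, int]) -> None:
        port = self._client_port.get(key)
        if port is None or port in self.trusted_ports:
            return          # bindings are kept only for clients on untrusted ports
        self.bindings[key] = Binding(key[0], ack.yiaddr, ack.lease, ack.vlan, port)

    def arp_inspection_allows(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """Dynamic ARP Inspection: ARP from an untrusted port must match a binding exactly."""
        if vlan not in self.snooping_vlans or port in self.trusted_ports:
            return True
        bound = self.bindings.get((sender_mac.lower(), vlan))
        return bound is not None and bound.ip == sender_ip and bound.interface == port


if __name__ == "__main__":
    # Constructed walk-through of the DORA exchange from the post: server on Fa1/0/1, client on Fa1/0/2.
    sw = DhcpSnoopingSwitch(snooping_vlans={100}, trusted_ports={"Fa1/0/1"})
    client, server = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
    for pkt in (DhcpPacket("Fa1/0/2", 100, client, DISCOVER, chaddr=client),
                DhcpPacket("Fa1/0/1", 100, server, OFFER, chaddr=client, yiaddr="10.100.0.50", lease=86400),
                DhcpPacket("Fa1/0/2", 100, client, REQUEST, chaddr=client),
                DhcpPacket("Fa1/0/1", 100, server, ACK, chaddr=client, yiaddr="10.100.0.50", lease=86400),
                DhcpPacket("Fa1/0/7", 100, "00:de:ad:be:ef:01", OFFER, chaddr=client, yiaddr="10.100.0.200")):
        print(pkt.ingress_port, pkt.msg_type, "->", sw.process(pkt))
    print(sw.bindings)
```

The rogue OFFER on Fa1/0/7 in the demo is dropped purely because of the port's trust state; the switch never has to know anything about the rogue server itself, which is why the trusted set must be kept to the server and uplink ports.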