-
Catalyst 4840G Software Feature and Configuration Guide, Software Release 12.0(13)WT6(1)
-
Preface
-
Overview of Layer 3 Switching and Software Features
-
Before You Begin
-
Configuring the Router Processor
-
Configuring Interfaces
-
Server Load Balancing
-
Firewall Load Balancing
-
Configuring SLB Redundancy
-
Configuring Networking Protocols
-
Configuring Bridging
-
Configuring EtherChannel
-
Configuring NTP
-
Command Reference
-
Cisco IOS Commands Not Supported in Layer 3 Switching Software
-
Using Technical Support
-
Glossary
-
Table Of Contents
Hot Standby Router Protocol (HSRP)
Example Stateful Backup Configuration
Example of IOS SLB with Active Standby
Configuring SLB Redundancy
This chapter describes how to configure server load-balancing redundancy on the Catalyst 4840G SLB switch. For further information about the commands used in this chapter, refer to "Command Reference."
The Catalyst 4840G SLB switch could represent a point of failure and the servers could lose their connections to the backbone if power fails or if a link from a switch to the distribution-layer switch is disconnected. This section describes redundancy features you can use to reduce that risk.
This chapter includes the following sections:
•
Hot Standby Router Protocol (HSRP)
Note
Hot Standby Router Protocol (HSRP)
The Hot Standby Router Protocol (HSRP) provides high network availability by routing IP traffic from hosts on Ethernet networks without relying on the availability of any single Catalyst 4840G SLB switch. This feature is useful for hosts that do not support a router discovery protocol (such as the Intermediate System-to-Intermediate System [IS-IS] Interdomain Routing Protocol [IDRP]) and do not have the functionality to switch to a new load-balancing switch when their selected load-balancing switch reloads or loses power.
Requirements
Configuring HSRP on the Catalyst 4840G SLB switch requires the following:
•
•
•
How SLB HSRP Works
A SLB switch running the HSRP detects a failure by sending and receiving multicast User Datagram Protocol (UDP) hello packets. When the SLB switch running HSRP detects that the designated active SLB switch has failed, the selected backup SLB switch assumes control of the HSRP group MAC and IP addresses. (You can also select a new standby SLB switch at that time.)
The chosen MAC address and IP addresses must be unique and not conflict with any others on the same network segment. The MAC address is selected from a pool of Cisco MAC addresses. Configure the last byte of the MAC address by using the HSRP group number. When the HSRP is running, it selects an active SLB switch and instructs its device layer to listen on an additional (dummy) MAC address.
SLB switching software supports HSRP over 10/100 Ethernet, Gigabit Ethernet, FEC, GEC, and Bridge Group Virtual Interface (BVI) connections.
For example, in the HSRP network shown in Figure 7-1, Device A is the active HSRP SLB switch and is responsible for handling packets to the real servers 1 through 4. If the connection between Device A and the client accessing virtual server IP address 10.10.10.12 tcp 23 or 10.10.10.18 tcp 23 fails, fast converging routing protocols, such as the Enhanced Interior Gateway Routing Protocol (Enhanced IGRP) and Open Shortest Path First (OSPF), can respond within seconds so that Device B is prepared to transfer packets that would have gone through Device A.
Figure 7-1 HSRP Example Network Topology
HSRP uses a priority scheme to determine which HSRP-configured SLB switch is to be the default active SLB switch. To configure a SLB switch as active, you assign it a priority that is higher than the priority of all the other HSRP-configured SLB switches. The default priority is 100, so if you configure just one SLB switch to have a higher priority, that switch becomes the default active switch.
HSRP works by the exchange of multicast messages that advertise priority among HSRP-configured SLB switches. When the active switch fails to send a hello message within a configurable period of time, the standby switch with the highest priority becomes the active switch. The transition of packet-forwarding functions between SLB switches is completely transparent to all hosts accessing the network.
HSRP-configured SLB switches exchange the following three types of multicast messages:
•
•
•
At any time, HSRP-configured SLB switches are in one of the following states:
•
•
•
•
Configuring HSRP
To configure HSRP over VLANs between SLB switches, you must first create its environment. Perform these tasks in the order in which they appear:
•
Note
•
•
•
To enable HSRP on an interface, enable the protocol, then customize it for the interface. Perform this task in interface configuration mode:
Enable HSRP.
You can customize an HSRP group attributes using these commands in interface configuration mode:
This example shows how to enable the HSRP standby group 100 IP address, preempt, priority, timers, and how to configure a name and authentication for Device A in Figure 7-1:
SLB-Switch(config-if)# standby 100 ip 172.20.100.10SLB-Switch(config-if)# standby 100 priority 110SLB-Switch(config-if)# standby 100 preemptSLB-Switch(config-if)# standby 100 timers 5 15SLB-Switch(config-if)# standby 100 name Web_group1SLB-Switch(config-if)# standby 100 authentication SecretSLB-Switch(config-if)# exitSLB-Switch#Example HSRP Configuration
Figure 7-1 shows the topology of an IP network with two Catalyst 4840G SLB switches configured for HSRP.
All hosts accessing the network use the IP address of the virtual servers (in this case, 10.10.10.12 or 10.10.10.18).
Note
The following is the configuration for Switch A (active):
hostname Switch A!ip slb serverfarm ServerGroup1real 172.20.100.3inservicereal 172.20.100.4inservice!ip slb serverfarm ServerGroup2real 172.20.200.3inservicereal 172.20.200.4inservice!ip slb vserver VS1virtual 10.10.10.12 tcp 23serverfarm ServerGroup1in-service standby Web_Group1!ip slb vserver VS2virtual 10.10.10.18 tcp 23serverfarm ServerGroup2in-service standby Web_Group2!ip routingrouter ripnetwork 172.20.0.0!interface vlan100ip address 172.20.100.1 255.255.255.0standby 100 ip 172.20.100.10standby 100 priority 110standby 100 preemptstandby 100 timers 5 15standby 100 name Web_Group1standby 100 authentication Secret!interface vlan200ip address 172.20.200.1 255.255.255.0standby 200 ip 172.20.200.10standby 200 priority 110standby 200 preemptstandby 200 timers 5 15standby 200 name Web_Group2standby 200 authentication Covert!The following is the configuration for Switch B (standby):
hostname Switch B!ip slb serverfarm ServerGroup1real 172.20.100.3inservicereal 172.20.100.4inservice!ip slb serverfarm ServerGroup2real 172.20.200.3inservicereal 172.20.200.4inservice!ip slb vserver VS1virtual 10.10.10.12 tcp 23serverfarm ServerGroup1in-service standby Web_Group1!ip slb vserver VS2virtual 10.10.10.18 tcp 23serverfarm ServerGroup2in-service standby Web_Group2!ip routingrouter ripnetwork 172.20.0.0!interface vlan100ip address 172.20.100.2 255.255.255.0standby 100 ip 172.20.100.10standby 100 preemptstandby 100 timers 5 15standby 100 name Web_Group1standby 100 authentication Secret!interface vlan200ip address 172.20.200.2 255.255.255.0standby 200 ip 172.20.200.10standby 200 preemptstandby 200 timers 5 15standby 200 name Web_Group2standby 200 authentication CovertThe standby ip interface configuration command enables HSRP and establishes 10.10.10.12 and 10.10.10.18 as the IP addresses of the virtual servers. The configurations of both switches include this command so that both switches share the same virtual IP address. The 100 establishes Hot Standby group 100. (If you do not specify a group number, the default is group 0.) The configuration for at least one switch in the Hot Standby group must specify the IP address of the virtual server; specifying the IP address of the virtual router is optional for other routers in the same group.
The standby preempt interface configuration command allows the switch to become the active switch when its priority is higher than all other HSRP-configured switches in this group. The configurations of both switches include this command so that each can be the standby switch for the other switch. The 100 indicates that this command applies to Hot Standby group 100. If you do not use the standby preempt command in the configuration for a load-balancing switch, that switch cannot become the active switch.
The standby priority interface configuration command sets the switch's HSRP priority to 110, which is higher than the default priority of 100. Only the configuration of Device A includes this command, which makes Device A the default active switch. The 100 indicates that this command applies to Hot Standby group 100.
The standby authentication interface configuration command establishes an authentication string whose value is an unencrypted eight-character string that is incorporated in each HSRP multicast message. This command is optional. If you choose to use it, each HSRP-configured switch in the group should use the same string so that each switch can authenticate the source of the HSRP messages that it receives. The 100 indicates that this command applies to Hot Standby group 100.
The standby timers interface configuration command sets the interval in seconds between hello messages (called the hello time) to five seconds and sets the duration in seconds that a switch waits before it declares the active switch to be down (called the hold time) to eight seconds. (The defaults are three and 10 seconds, respectively.) If you decide to modify the default values, you must configure each switch to use the same hello time and hold time. The 100 indicates that this command applies to Hot Standby group 100.
Verifying HSRP Configuration
To verify that the HSRP feature has been configured and is operating correctly, use the following show ip slb vserver commands to display information about the SLB virtual server status:
SLB-Switch# show ip slb vserverslb vserver prot virtual state conns-------------------------------------------------------------------VS1 TCP 10.10.10.12:23 INSERVICE 2VS2 TCP 10.10.10.18:23 INSERVICE 2SLB-Switch# show ip slb vserver detailVS1, state = INSERVICE, v_index = 10virtual = 10.10.10.12:23, TCP, service = NONE, advertise = TRUEserver farm = SERVERGROUP1, delay = 10, idle = 3600sticky timer = 0, sticky subnet = 255.255.255.255sticky group id = 0synguard counter = 0, synguard period = 0conns = 0, total conns = 0, syns = 0, syn drops = 0standby group = NoneVS2, state = INOFSERVICE, v_index = 11virtual = 10.10.10.18:23, TCP, service = NONE, advertise = TRUEserver farm = SERVERGROUP2, delay = 10, idle = 3600sticky timer = 0, sticky subnet = 255.255.255.255sticky group id = 0synguard counter = 0, synguard period = 0conns = 0, total conns = 0, syns = 0, syn drops = 0standby group = NoneSLB Stateful Backup
The stateful backup feature enables SLB to back up its load-balancing decisions incrementally between primary and backup Catalyst 4840G SLB switches. The backup switch has its virtual servers in a dormant state until failover is detected by HSRP; then the backup (now primary) switch begins advertising virtual addresses and filtering traffic.
This feature provides the switch with a one-to-one stateful or idle backup scheme. This means that only one instance of SLB is handling client or server traffic at a given time, and that there is at most one backup platform for each active load-balancing switch.
Figure 7-2 is an example of a stateful backup configuration, using HSRP on both the client and server sides to handle failover. The real servers route outbound traffic to 10.10.3.100, which is the HSRP address on the server side interfaces. The client (or access router) routes to the virtual IP address (10.10.10.12) through 10.10.2.100, the HSRP address on the client side.
Notice the loopback interfaces configured on both boxes for the exchange of these messages. Each SLB should also be given duplicate routes to the other switch loopback address to allow replication messages to flow despite an interface failure.
Note
Figure 7-2 SLB Stateful Environment
Configuring Stateful Backup
To configure stateful backup on the Catalyst 4840G SLB switches, perform this task beginning in global configuration mode:
This example shows how to configure stateful backup for virtual server RESTRICTED_HTTP using listening IP 10.10.3.132 and remote IP 10.10.99.3 over port 1032, and configure the password as "PASS" for Device A in Figure 7-2:
SLB-Switch(config)# ip slb vserver RESTRICTED_HTTPSLB-Switch(config-slb-vserver)# virtual 10.10.10.12 tcp telnetSLB-Switch(config-slb-vserver)# replicate casa 10.10.3.132 10.10.99.3 1024 password PASSSLB-Switch(config-slb-vserver)# inservice standby virtSLB-Switch(config-slb-vserver)#.(Information Deleted).Example Stateful Backup Configuration
Following is the stateful backup configuration for switch SLB1 shown in Figure 7-2:
!ip slb serverfarm SF1nat serverreal 10.10.3.1inservicereal 10.10.3.2inservicereal 10.10.3.3inservice!ip slb vserver VS1virtual 10.10.10.12 tcp telnetserverfarm SF1replicate casa 10.10.99.132 10.10.99.99 1024 password PASSinservice standby virt!interface Loopback1ip address 10.10.99.132 255.255.255.255!!interface FastEthernet1ip address 10.10.3.132 255.255.255.0no ip redirectsno ip mroute-cachestandby priority 5 preemptstandby name outstandby ip 10.10.3.100standby track FastEthernet3!interface FastEthernet3ip address 10.10.2.132 255.255.255.0no ip redirectsstandby priority 5 preemptstandby name virtstandby ip 10.10.2.100standby track FastEthernet1!Following is the stateful backup configuration for switch SLB2 shown in Figure 7-2:
ip slb serverfarm SF1nat serverreal 10.10.3.1inservicereal 10.10.3.2inservicereal 10.10.3.3inservice!ip slb vserver VS1virtual 10.10.10.12 tcp telnetserverfarm SF1replicate casa 10.10.99.99 10.10.99.132 1024 password PASSinservice standby virt!!interface Loopback1ip address 10.10.99.99 255.255.255.255!interface FastEthernet2ip address 10.10.2.99 255.255.255.0no ip redirectsno ip route-cacheno ip mroute-cachestandby priority 10 preemptstandby name virtstandby ip 10.10.2.100standby track FastEthernet3!interface FastEthernet3ip address 10.10.3.99 255.255.255.0no ip redirectsno ip route-cacheno ip mroute-cachestandby priority 10 preemptstandby name outstandby ip 10.10.3.100standby track FastEthernet2!Example of IOS SLB with Active Standby
Figure 7-3 shows an IOS SLB network configured for active standby, with two IOS SLB devices load-balancing the same virtual IP address while backing up each other. If either device fails, the other takes over its load via normal HSRP failover and IOS SLB stateless redundancy.
Figure 7-3 IOS SLB Active Standby
The sample network configuration in Figure 7-3 has the following characteristics:
•
•
•
•
•
•
Configuration on SLB 1
ip slb serverfarm EVENnat serverreal 10.10.3.2inservicereal 10.10.3.3inservice!ip slb serverfarm ODDnat serverreal 10.10.3.2inservicereal 10.10.3.3inservice!ip slb vserver EVEN ; Same EVEN virtual server as in SLB 2virtual 10.10.10.12 tcp wwwserverfarm EVENclient 0.0.0.0 0.0.0.1inservice standby STANDBY_EVEN ; See standby name in Ethernet 3/3 below!ip slb vserver ODD ; Same ODD virtual server as in SLB 2virtual 10.10.10.12 tcp wwwserverfarm ODDclient 0.0.0.1 0.0.0.1inservice standby STANDBY_ODD ; See standby name in Ethernet 3/2 below!interface Ethernet3/2ip address 10.10.5.132 255.255.255.0standby priority 20 preemptstandby name STANDBY_ODD ; See standby name in SLB 2, Ethernet 3/5standby ip 10.10.5.100!interface Ethernet3/3ip address 10.10.2.132 255.255.255.0standby priority 10standby name STANDBY_EVEN ; See standby name in SLB 2, Ethernet 3/1standby ip 10.10.2.100Configuration on SLB 2
ip slb serverfarm EVENnat serverreal 10.10.3.4inservicereal 10.10.3.5inservice!ip slb serverfarm ODDnat serverreal 10.10.3.4inservicereal 10.10.3.5inservice!ip slb vserver EVEN ; Same EVEN virtual server as in SLB 1virtual 10.10.10.12 tcp wwwserverfarm EVENclient 0.0.0.0 0.0.0.1inservice standby STANDBY_EVEN ; See standby name in Ethernet 3/1 below!ip slb vserver ODD ; Same ODD virtual server as in SLB 1virtual 10.10.10.12 tcp wwwserverfarm ODDclient 0.0.0.1 0.0.0.1inservice standby STANDBY_ODD ; See standby name in Ethernet 3/5 below!interface Ethernet3/1ip address 10.10.2.128 255.255.255.0standby priority 20 preemptstandby name STANDBY_EVEN ; See standby name in SLB 1, Ethernet 3/3standby ip 10.10.2.100!interface Ethernet3/5ip address 10.10.5.128 255.255.255.0standby priority 10 preemptstandby name STANDBY_ODD ; See standby name in SLB 1, Ethernet 3/2standby ip 10.10.5.100Configuration on the Access Router
interface Ethernet0/0ip address 10.10.5.183 255.255.255.0no ip directed-broadcastno ip route-cacheno ip mroute-cache!interface Ethernet0/1ip address 10.10.2.183 255.255.255.0no ip directed-broadcastno ip route-cacheno ip mroute-cache!interface Ethernet0/2ip address 10.10.6.183 255.255.255.0no ip directed-broadcastno ip route-cacheno ip mroute-cacheip policy route-map virts!access-list 100 permit ip 0.0.0.1 255.255.255.254 host 10.10.10.12access-list 101 permit ip 0.0.0.0 255.255.255.254 host 10.10.10.12route-map virts permit 10match ip address 100set ip next-hop 10.10.5.100!route-map virts permit 15match ip address 101set ip next-hop 10.10.2.100!
