First Hop Redundancy Protocols in IPv6: HSRP + GLBP

Currently Cisco supports Hot Standby Router Protocol (HSRP) and Gateway Load Balancing Protocol (GLBP) for IPv6. There is an RFC, RFC 5798, for Virtual Router Redundancy Protocol (VRRP), but checking the DocCD for this up to IOS 15.2M&T in the IPv6 configuration guide, I did not see it.

This post will only be covering HSRP and GLBP operations, but we need to cover some basic operations of IPv6 Neighbor Discovery (ND) before we get into FHRPs.

By default, IPv6 uses Router Advertisements (RAs) to announce the presence of a router on a segment and uses the Default Router Preference (DRP) options inside ND to determine which default gateway is used. There is a good post on cisconinja covering this and the differences in operation between IOS versions that do and do not support all the same DRP options.

IPv6 has a built-in redundancy mechanism inside ND called Neighbor Unreachability Detection (NUD), which uses Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages to detect the failure. Reading RFC 5798, the most aggressive timers will only achieve failover within 5 seconds, which would significantly increase the overhead of ND traffic in a real-world network of, say, 254 hosts, as in the most common IPv4 VLAN designs with a /24 subnet. There is a good post on packetlife.net that shows getting this down to about 1 second by adjusting the Router Advertisement (RA) lifetime and Router Advertisement interval; see it for more detailed information.

So now that we know that IPv6 uses ND and has a mechanism for detecting default routers and failover, why do we need FHRPs? Well this post is not here to debate the why of this, but to look at the how with some packet captures. But I would think that FHRPs are there for the same reason we have so many protocols that sort of overlap: we are always looking for a better mouse trap. And in limited testing, relying on ND for default router and failover does not scale to provide the predictable and reliable configurations that the FHRPs do. For example, I found no preempt capabilities for the default router election.  I will also make a nod to IPv6 security and mention that NUD has no authentication mechanism. Authentication can be accomplished using Secure Neighbor Discovery (SeND), but is out of the scope of this post.

Now back to FHRPs, let’s do what we do and mock up a very basic FHRP network on a LAN segment, and take a look at a few configuration parameters. We’ll start with HSRP, then GLBP, as well as some packet captures with Wireshark and discuss some of the differences between the IPv4 and IPv6 versions of each.

The very basic FHRP network will use HOST1, R1, and R2 on the LAN for the FHRP and a WAN router with serial interfaces for tracking and failover scenarios.

BASIC FHRP NETWORK DIAGRAM

Hot Standby Router Protocol (HSRP)

First step to configure HSRP for IPv6 is to enable HSRP version 2 to support IPv6: ‘standby version 2’. After that, the ‘standby’ commands are pretty much the same as with IPv4 – creating groups and adding tracking and preemption capabilities.

After configuration of HSRP and the Active -> Standby negotiation is complete, the Active HSRP router will send the RAs, and the IPv6 hosts will use the new link local address that is auto configured with the command ‘standby 1 ipv6 autoconfig’. This can be seen on HOST1 in the output of the ‘show ipv6 int f0/0’.

HOST1#sh ipv6 int f0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::233:33FF:FE33:3333
No Virtual link-local address(es):
Global unicast address(es):
2001:DB8:1212::3, subnet is 2001:DB8:1212::/64
Joined group address(es):
FF02::1
FF02::1:FF00:3
FF02::1:FF33:3333
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Default router is FE80::5:73FF:FEA0:1 on FastEthernet0/0

The R1 and R2 HSRP groups will communicate over multicast address FF02::66.

R1#sh ipv6 int f0/0 | b Joined
Joined group address(es):
FF02::1
FF02::2
FF02::66
FF02::1:FF00:1
FF02::1:FF11:1111

R2#sh ipv6 int f0/0 | b Joined
Joined group address(es):
FF02::1
FF02::2
FF02::66
FF02::1:FF00:2
FF02::1:FF22:2222

HSRP INTERFACE ROUTER CONFIGURATIONS and SHOW COMMANDS

R1#sh run int f0/0
interface FastEthernet0/0
mac-address 0011.1111.1111
ipv6 address 2001:DB8:1212::1/64
standby version 2
standby 1 ipv6 autoconfig
standby 1 priority 200
standby 1 preempt
standby 1 track Serial0/0

R2#sh run int f0/0
interface FastEthernet0/0
mac-address 0022.2222.2222
ipv6 address 2001:DB8:1212::2/64
standby version 2
standby 1 ipv6 autoconfig
standby 1 preempt
standby 1 track Serial0/1

R1#sh standby
FastEthernet0/0 - Group 1 (version 2)
State is Active
7 state changes, last state change 00:02:15
Virtual IP address is FE80::5:73FF:FEA0:1
Active virtual MAC address is 0005.73a0.0001
Local virtual MAC address is 0005.73a0.0001 (v2 IPv6 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.432 secs
Preemption enabled
Active router is local
Standby router is FE80::222:22FF:FE22:2222, priority 100 (expires in 7.388 sec)
Priority 200 (configured 200)
Track interface Serial0/0 state Up decrement 10
Group name is "hsrp-Fa0/0-1" (default)

R2#sh standby
FastEthernet0/0 - Group 1 (version 2)
State is Standby
7 state changes, last state change 00:02:27
Virtual IP address is FE80::5:73FF:FEA0:1
Active virtual MAC address is 0005.73a0.0001
Local virtual MAC address is 0005.73a0.0001 (v2 IPv6 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.008 secs
Preemption enabled
Active router is FE80::211:11FF:FE11:1111, priority 200 (expires in 8.060 sec)
MAC address is 0011.1111.1111
Standby router is local
Priority 100 (default 100)
Track interface Serial0/1 state Up decrement 10
Group name is "hsrp-Fa0/0-1" (default)

HSRP SUMMARY

IPv4

  • HSRPv1
  • UDP port 1985 224.0.0.2
  • MAC address 0000.0C07.ACxy, where xy is the HSRP group number in hexadecimal
  • HSRPv2
  • UDP port 1985 224.0.0.102
  • MAC address range 0000.0C9F.F000 to 0000.0C9F.FFFF

IPv6

  • HSRPv2
  • UDP port 2029 FF02::66
  • MAC address range 0005.73A0.0000 to 0005.73A0.0FFF (4096 addresses)
  • RAs sent from active HSRP router
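
The IPv6 HSRP values above can be recomputed and checked against what a host has learned; the following Python is an added example, not part of the original post. It assumes, from the outputs shown, that the autoconfig link-local address is the virtual MAC with FF:FE inserted and the universal/local bit unchanged; the function names and the second sample line are constructed for illustration.

```python
import ipaddress
import re

HSRP_V6_MAC_BASE = 0x000573A00000  # first address of the IPv6 HSRPv2 range
HSRP_V6_MAX_GROUP = 0xFFF          # range ends at 0005.73A0.0FFF


def hsrp_v6_virtual_mac(group):
    """Virtual MAC for an IPv6 HSRPv2 group, in Cisco dotted notation."""
    if not 0 <= group <= HSRP_V6_MAX_GROUP:
        raise ValueError(f"group {group} is outside 0..{HSRP_V6_MAX_GROUP}")
    h = f"{HSRP_V6_MAC_BASE + group:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def hsrp_v6_autoconfig_ll(group):
    """Link-local address produced by 'standby <group> ipv6 autoconfig'.

    Assumption read off the outputs above: FF:FE is inserted into the
    virtual MAC and the universal/local bit is left as-is
    (0005.73a0.0001 -> FE80::5:73FF:FEA0:1).
    """
    hsrp_v6_virtual_mac(group)  # reuse the group range check
    mac = (HSRP_V6_MAC_BASE + group).to_bytes(6, "big")
    iid = mac[:3] + b"\xff\xfe" + mac[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def audit_default_router(show_ipv6_int, group):
    """Return (ok, message) for a host's 'Default router is ...' line."""
    m = re.search(r"Default router is (\S+) on \S+", show_ipv6_int)
    if m is None:
        return False, "no default router learned"
    seen = ipaddress.IPv6Address(m.group(1))
    expected = hsrp_v6_autoconfig_ll(group)
    if seen == expected:
        return True, f"{seen} is the HSRP group {group} virtual address"
    return False, f"{seen} is not the HSRP group {group} address {expected}"


# HOST1 line as shown above, then a constructed line with a different router.
HOST1_OUTPUT = "Default router is FE80::5:73FF:FEA0:1 on FastEthernet0/0"
CONSTRUCTED_OUTPUT = "Default router is FE80::2AA:BBFF:FECC:DDEE on FastEthernet0/0"

if __name__ == "__main__":
    print(hsrp_v6_virtual_mac(1), hsrp_v6_autoconfig_ll(1))
    for text in (HOST1_OUTPUT, CONSTRUCTED_OUTPUT):
        print(audit_default_router(text, group=1))
```

A host whose default router is not the expected virtual address has accepted an RA from something other than the active HSRP router, which is worth investigating on a segment without RA filtering.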

Wireshark screen captures and/or view online with CloudShark

R1 HSRP Active

R2 HSRP Standby (Passive)

R1 HSRP RA to set Default Router on HOST1

Gateway Load Balancing Protocol (GLBP)

GLBP only takes one command on the interface to put it into action: ‘glbp 1 ipv6 FE80::100’. We will just stick with this basic configuration and use the defaults, as we are only interested in seeing the protocol work – not tweak it for max performance.

GLBP SHOW COMMAND

R1#sh glbp
FastEthernet0/0 - Group 1
State is Active
2 state changes, last state change 00:22:41
Virtual IP address is FE80::100
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.736 secs
Redirect time 600 sec, forwarder timeout 14400 sec
Preemption disabled
Active is local
Standby is FE80::222:22FF:FE22:2222, priority 100 (expires in 8.692 sec)
Priority 100 (default)
Weighting 100 (default 100), thresholds: lower 1, upper 100
Load balancing: round-robin
Group members:
0011.1111.1111 (FE80::211:11FF:FE11:1111) local
0022.2222.2222 (FE80::222:22FF:FE22:2222)
There are 2 forwarders (1 active)
Forwarder 1
State is Active
1 state change, last state change 00:22:31
MAC address is 0007.b400.0101 (default)
Owner ID is 0011.1111.1111
Redirection enabled
Preemption enabled, min delay 30 sec
Active is local, weighting 100
Client selection count: 2
Forwarder 2
State is Listen
MAC address is 0007.b400.0102 (learnt)
Owner ID is 0022.2222.2222
Redirection enabled, 597.516 sec remaining (maximum 600 sec)
Time to live: 14397.516 sec (maximum 14400 sec)
Preemption enabled, min delay 30 sec
Active is FE80::222:22FF:FE22:2222 (primary), weighting 100 (expires in 7.512 sec)
Client selection count: 2

R2#sh glbp
FastEthernet0/0 - Group 1
State is Standby
1 state change, last state change 00:23:17
Virtual IP address is FE80::100
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.652 secs
Redirect time 600 sec, forwarder timeout 14400 sec
Preemption disabled
Active is FE80::211:11FF:FE11:1111, priority 100 (expires in 9.696 sec)
Standby is local
Priority 100 (default)
Weighting 100 (default 100), thresholds: lower 1, upper 100
Load balancing: round-robin
Group members:
0011.1111.1111 (FE80::211:11FF:FE11:1111)
0022.2222.2222 (FE80::222:22FF:FE22:2222) local
There are 2 forwarders (1 active)
Forwarder 1
State is Listen
MAC address is 0007.b400.0101 (learnt)
Owner ID is 0011.1111.1111
Time to live: 14399.688 sec (maximum 14400 sec)
Preemption enabled, min delay 30 sec
Active is FE80::211:11FF:FE11:1111 (primary), weighting 100 (expires in 8.960 sec)
Forwarder 2
State is Active
1 state change, last state change 00:23:15
MAC address is 0007.b400.0102 (default)
Owner ID is 0022.2222.2222
Preemption enabled, min delay 30 sec
Active is local, weighting 100

Let’s take a look at GLBP in action, using the default load balancing of round-robin. HOST1 will send 1 ping packet; at that point ND will occur for the default router of FE80::100, which was set as the GLBP virtual IPv6 address on the interface with ‘glbp 1 ipv6 FE80::100’. The first packet will be sent with the MAC of Forwarder 1 on R1, and the second packet, after we ‘clear ipv6 neighbors’, will be sent with the MAC of Forwarder 2 on R2 because of the default load balancing configuration of round-robin.

HOST1#sh ipv6 int f0/0 | i router
Default router is FE80::100 on FastEthernet0/0

HOST1#sh ipv6 neighbors

HOST1#ping 4444::4 r 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4444::4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 92/92/92 ms

HOST1#
ICMPv6-ND: DELETE -> INCMP: FE80::100
ICMPv6-ND: Sending NS for FE80::100 on FastEthernet0/0
ICMPv6-ND: Received NA for FE80::100 on FastEthernet0/0 from FE80::100
ICMPv6-ND: Neighbour FE80::100 on FastEthernet0/0 : LLA 0007.b400.0101
ICMPv6-ND: INCMP -> REACH: FE80::100
ICMPv6-ND: Received NA for FE80::100 on FastEthernet0/0 from FE80::100
ICMPv6-ND: Received RA from FE80::100 on FastEthernet0/0

HOST1#sh ipv6 neighbors fe80::100
IPv6 Address                              Age Link-layer Addr State Interface
FE80::100                                   1 0007.b400.0101  STALE Fa0/0

HOST1#clear ipv6 neighbors
ICMPv6-ND: STALE -> DELETE: FE80::222:22FF:FE22:2222
ICMPv6-ND: STALE -> DELETE: FE80::211:11FF:FE11:1111
ICMPv6-ND: STALE -> DELETE: FE80::100

HOST1#sh ipv6 neighbors fe80::100

HOST1#ping 4444::4 r 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4444::4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 88/88/88 ms

HOST1#
ICMPv6-ND: DELETE -> INCMP: FE80::100
ICMPv6-ND: Sending NS for FE80::100 on FastEthernet0/0
ICMPv6-ND: Received NA for FE80::100 on FastEthernet0/0 from FE80::100
ICMPv6-ND: NA has no link-layer option
ICMPv6-ND: Received NA for FE80::100 on FastEthernet0/0 from FE80::100
ICMPv6-ND: Neighbour FE80::100 on FastEthernet0/0 : LLA 0007.b400.0102
ICMPv6-ND: INCMP -> REACH: FE80::100

HOST1#sh ipv6 int f0/0 | i router
Default router is FE80::100 on FastEthernet0/0

HOST1#sh ipv6 neighbors fe80::100

HOST1#sh ipv6 neighbors fe80::100
IPv6 Address                              Age Link-layer Addr State Interface
FE80::100                                   0 0007.b400.0102  STALE Fa0/0

GLBP SUMMARY

IPv4

  • multicast address 224.0.0.102, UDP port 3222
  • multiple virtual MAC addresses starting with 0007.b400.0101

IPv6

  • multicast address FF02::66, UDP port 3222
  • multiple virtual MAC addresses starting with 0007.b400.0101
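
Because the NA replies for FE80::100 carry no authentication, the ND debug output above can be checked against the forwarder MACs that ‘show glbp’ reports. The following Python is an added example, not part of the original post; the function names are hypothetical, the ‘show glbp’ and debug excerpts are taken from the outputs above, and the last debug line is constructed.

```python
import ipaddress
import re

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
FORWARDER_MAC = re.compile(rf"MAC address is ({MAC}) \((?:default|learnt)\)", re.I)
ND_BINDING = re.compile(rf"ICMPv6-ND: Neighbour (\S+) on \S+ : LLA ({MAC})", re.I)


def glbp_forwarder_macs(show_glbp):
    """Virtual forwarder MACs listed in 'show glbp' output."""
    return {mac.lower() for mac in FORWARDER_MAC.findall(show_glbp)}


def check_gateway_bindings(debug_text, gateway, allowed_macs):
    """Return (mac, verdict) for every ND binding learned for the gateway."""
    gw = ipaddress.IPv6Address(gateway)
    results = []
    for addr, mac in ND_BINDING.findall(debug_text):
        if ipaddress.IPv6Address(addr) != gw:
            continue  # binding for some other neighbour
        mac = mac.lower()
        results.append((mac, "ok" if mac in allowed_macs else "unexpected"))
    return results


# Excerpt of the R1 'show glbp' output above.
SHOW_GLBP = """\
Forwarder 1
State is Active
MAC address is 0007.b400.0101 (default)
Owner ID is 0011.1111.1111
Forwarder 2
State is Listen
MAC address is 0007.b400.0102 (learnt)
Owner ID is 0022.2222.2222
"""

# First three lines are from HOST1's debug output above; the last is constructed.
ND_DEBUG = """\
ICMPv6-ND: Neighbour FE80::100 on FastEthernet0/0 : LLA 0007.b400.0101
ICMPv6-ND: INCMP -> REACH: FE80::100
ICMPv6-ND: Neighbour FE80::100 on FastEthernet0/0 : LLA 0007.b400.0102
ICMPv6-ND: Neighbour FE80::100 on FastEthernet0/0 : LLA 00aa.bbcc.ddee
"""

if __name__ == "__main__":
    allowed = glbp_forwarder_macs(SHOW_GLBP)
    for mac, verdict in check_gateway_bindings(ND_DEBUG, "FE80::100", allowed):
        print(mac, verdict)
```

With round-robin load balancing the gateway MAC legitimately alternates between forwarders, so the check compares against the full forwarder set rather than alerting on any change.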

Wireshark captures view online with CloudShark

WRAP UP

Quick conclusion: it seems they changed more in HSRP than GLBP to get it ready and working with IPv6. The devil is in the details of IPv6 ICMPv6 Neighbor Discovery, as you will see the more you dig into IPv6.

About Garry Baker

"Keep it simple. When in doubt during design, choose the simplest
solution." - RFC1958 On Twitter @networkdongle

  • http://twitter.com/ccie25655 Chris Jones

    *shudder* proprietary protocols… Oh, Cisco… you so silly!

  • mkashin

    What are you using ‘track interface’ command for in this configuration?

    • http://networkdongle.wordpress.com Garry Baker

      nothing actually, i started with the intent to track and use the serial interfaces up/down to see it transition and watch the preempts, but the post was getting longer than i wanted it to be…so i cut it off and then forgot to take it out of the configs…

  • Anonymous

    “…Secure Neighbor Discovery (SeND), but is out of the scope of this post.”

    This seems familiar, it seems to always be out of the scope.

    I always wonder if we’ll be really sorry about that when we actually do need it.

  • Amitece

    tell me more about hsrp