CCNP Switch - Layer 3 High Availability (HSRP, VRRP, GLBP)

 - HSRP, VRRP, GLBP must be in the same L2 domain
 - Higher values equal higher priority
 - HSRP router switchover time is about 30+ seconds (10 second HSRP holdtime + STP time), better with RSTP
 - VRRP IP address used can be either a virtual one or the actual IP address of the primary router. 
 - preempt (replace the active router) - take the place of the active router if the priority is higher than that of the current active router
 - preemption disabled (same as the DR in OSPF) = even if an HSRP router appears with a higher priority, it does not take the place of the active router (as with the OSPF DR)
 - This is Non-Stop Forwarding (NSF): The ability of the forwarding plane to continue running “headless” if the control plane stops. 
 - Only one FHRP can be applied on the same interface
R3(config-if)# vrrp 1 ip 10.0.0.250
% 10.0.0.250 is assigned to another application on FastEthernet0/0   <--- 10.0.0.250 is already in use by HSRP
- The VRRP TTL MUST be set to 255. A VRRP router receiving a packet with the TTL not equal to 255 MUST discard the packet.
 
HSRPv1 UDP/1985 multicast IP=224.0.0.2,   virtual MAC address 0000.0C07.ACxx      <-- X will be HEX representation of the (decimal) group ID
HSRPv2 UDP/2029 multicast IP=224.0.0.102, virtual MAC address 0000.0C9F.Fxxx-FFFF <-- X will be HEX representation of the (decimal) group ID
VRRP   UDP/112  multicast IP=224.0.0.18,  virtual MAC address 0000.5E00.01XX    <-- X will be HEX representation of the (decimal) group ID
GLBP   UDP/3222 multicast IP=224.0.0.102, virtual MAC address 0007.b4XX.XXYY    <-- X - group ID, YY - value of AVF number

 - the protocols that can be used for redundant router addresses, load balancing across multiple routers, and load balancing into a server farm.
 - features that support redundancy in hardware (within a single multilayer switch chassis, two supervisor modules with integrated route processors can be used to provide hardware redundancy. If an entire supervisor module fails, the other module can pick up the pieces and continue operating the switch)

HSRP versions difference: HSRP version 2 has the following enhancements to HSRP version 1:
•Expands the group number range. HSRP version 1 supports group numbers from 0 to 255. HSRP version 2 supports group numbers from 0 to 4095.
•For IPv4, uses the IPv4 multicast address 224.0.0.102 to send hello packets instead of the multicast address of 224.0.0.2, which is used by HSRP version 1.
•Uses the MAC address range from 0000.0C9F.F000 to 0000.0C9F.FFFF. HSRP version 1 uses the MAC address range 0000.0C07.AC00 to 0000.0C07.ACFF.
•Adds support for MD5 authentication.
When you change the HSRP version, Cisco NX-OS reinitializes the group because it now has a new virtual MAC address.
HSRP version 2 has a different packet format than HSRP version 1. The packet format uses a type-length-value (TLV) format. HSRP version 2 packets received by an HSRP version 1 router are ignored.
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3548/sw/unicast/503_A1_1/l3_nx-os/l3_hsrp.html

Router Redundancy in Multilayer Switching
 - Multilayer switches can act as IP gateways for connected hosts by providing gateway addresses at VLAN SVIs and Layer 3 physical interfaces.
 - These switches can also participate in routing protocols, just as traditional routers do.
 - MLS should offer a means of preventing one switch (gateway) failure from isolating an entire VLAN.

Packet-Forwarding Review
 - When a host must communicate with a device on its local subnet, it can generate an ARP request, wait for the ARP reply, and exchange packets directly.
 - if the far end is located on a different subnet, the host must rely on an intermediate system (a router, for example) to relay packets to and from that subnet.
 - a host identifies its nearest router, also known as the default gateway or next hop, by its IP address.



Hot Standby Router Protocol (HSRP)
 - Cisco-proprietary protocol developed to allow several routers (or multilayer switches) to appear as a single gateway IP address.
 - RFC 2281 describes this protocol in more detail.
 - One router is elected as the primary, or active HSRP router; another is elected as the standby HSRP router; and all the others remain in the listen HSRP state.

 - HSRP can be configured on L3 interfaces ( routed port, SVI= vlan interface, L3-etherchannel)
 - HSRP sends its hello messages to the multicast address 224.0.0.2 (all routers) for version 1, or 224.0.0.102 for version 2, using UDP port 1985, to other HSRP-enabled routers, defining priority between the routers.
 - The primary router will respond to the ARP request from machines connected to the LAN with the virtual MAC address 0000.0C07.ACXX (or 0000.0C9F.FXXX for HSRPv2) where X will be hex representation of the (decimal) group ID.
 - An HSRP group can be assigned an arbitrary group number, from 0 to 255. Maximum number of groups configured = 256
 - Default standby group number is 0 (can be configured without specifying a group number)
 - HSRP groups are locally significant only on an interface (HSRP Group 1 on interface VLAN 10 is unique and independent from HSRP Group 1 on interface VLAN 11)
 - HSRP election is based on a priority value (0 to 255) that is configured on each router in the group.
 - By default, the priority is 100.
 - The router with the highest priority value (255 is highest) becomes the active router for the group.
 - If all router priorities are equal or set to the default value, the router with the highest IP address on the HSRP interface becomes the active router.
 -  By default, hellos are sent every 3 seconds. If hellos are missed for the duration of the holdtime timer (default 10 seconds, or three times the hello timer), the active router is presumed to be down.
 - When HSRP is configured on an interface, the router progresses through a series of states before becoming active.
   1=disabled, 2=Init, 3=Listen, 4=Speak, 5=Standby, 6=Active
initial - this is the starting state and indicates that HSRP is not running.
learn - the router has not determined the virtual IP address, and has not yet seen an authenticated Hello message from the active router. In this state the router is still waiting to hear from the active router.
listen - the router knows the virtual IP address, but is neither the active router nor the standby router. It listens for Hello messages from those routers.
speak - the router sends periodic Hello messages and is actively participating in the election of the active and/or standby router. A router cannot enter Speak state unless it has the virtual IP address.
standby - the router is a candidate to become the next active router and sends periodic Hello messages. Excluding transient conditions, there MUST be at most one router in the group in Standby state.
active - the router is currently forwarding packets that are sent to the group's virtual MAC address. The router sends periodic Hello messages. Excluding transient conditions, there MUST be at most one router in Active state in the group.
 - HSRP hellos are sent in Active, Standby and Speak states only. 
 - if a router is not already active, it cannot become active again until the current active router fails—even if its priority is higher than that of the active router.
 - preempt = immediately take over the active role if its priority is the highest at any time.
 - HSRP also can use an authentication method to prevent unexpected devices from spoofing or participating in HSRP.
   Use a plain-text password (key string) or, alternatively, define an MD5 key string as a key on a key chain.
 - HSRP can change priority by interface tracking (When a specific interface is tracked, HSRP reduces the router’s priority by a  configurable amount as soon as the interface goes down. If more than one interface is tracked, the priority is reduced even more with each failed interface. The priority is incremented by the same amount as interfaces come back up.)
 - Without preemption, the active role cannot be given to any other router.
Create (or enable) the HSRP group using its number and virtual IP address.
Switch(config-if)# standby <group> ip [ip-address [secondary]]
Set HSRP priority

Switch(config-if)# standby <group> priority <priority>
Tune HSRP Timers
Switch(config-if)# standby <group> timers [msec] <hello> [msec] <holdtime>
HSRP Preemption
Switch(config-if)# standby <group> preempt [delay [minimum <seconds>] [reload <seconds>]]
minimum - force the router to wait for seconds (0 to 3600 seconds) before attempting to overthrow an active router with a lower priority.
reload - force the router to wait for seconds (0 to 3600 seconds) after it has been reloaded or restarted. (for IGPs)
HSRP Authentication
Switch(config-if)# standby <group> authentication <string>
OR
Switch(config)# key chain <chain-name>
Switch(config-keychain)# key <key-number>
Switch(config-keychain-key)# key-string [0 | 7] <string>
Switch(config)# interface type <mod/num>
Switch(config-if)# standby <group> authentication md5 key-chain <chain-name>
HSRP interface tracking
Switch(config-if)# standby <group> track <type mod/num> [<decrementvalue>]
<decrementvalue> - By default, the decrement value for an interface is 10
R1(config-if)#standby 1 track FastEthernet 0/1 ?
  <1-255>  Decrement value
  <cr>

Example config HSRP
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.1.254 255.255.255.0
Switch(config-if)# standby 1 priority 200
Switch(config-if)# standby 1 preempt
Switch(config-if)# standby 1 ip 192.168.1.1     <---- will be used as default-gateway in LAN
Switch(config-if)# standby 1 timers msec 100 msec 300
Switch(config-if)# standby 1 authentication md5 key-string 0 HsRpPass
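
The priority, preemption and tracking rules above interact in a way that is easy to get wrong: with priority 200 against a peer at the default 100, the default tracking decrement of 10 never causes a failover. The following Python model is an added example, not part of the original notes or of IOS; it implements only the election rules stated in these notes (no timers or standby role), and the router names, R2's address and the interface name Fa0/1 are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100                            # HSRP default priority
    preempt: bool = False                          # preemption is off by default
    tracked: dict = field(default_factory=dict)    # interface -> decrement
    down: set = field(default_factory=set)         # tracked interfaces that are down
    alive: bool = True

    def effective_priority(self):
        # Each failed tracked interface lowers the priority by its decrement.
        return max(0, self.priority - sum(self.tracked[i] for i in self.down))

    def rank(self):
        # Highest priority wins; ties go to the highest interface IP address.
        return (self.effective_priority(), IPv4Address(self.ip))


class HsrpGroup:
    def __init__(self, routers):
        self.routers = {r.name: r for r in routers}
        self.active = None
        self.reelect()

    def reelect(self):
        alive = [r for r in self.routers.values() if r.alive]
        current = self.routers.get(self.active) if self.active else None
        if current is None or not current.alive:
            # No active router left: plain election among the survivors.
            self.active = max(alive, key=Router.rank).name if alive else None
            return self.active
        # An active router exists: only a preempt-enabled router with a
        # strictly higher priority may take the role away from it.
        challengers = [r for r in alive if r.preempt
                       and r.effective_priority() > current.effective_priority()]
        if challengers:
            self.active = max(challengers, key=Router.rank).name
        return self.active


def tracking_walkthrough():
    """Return the active router after each step of a tracked-uplink failure."""
    r1 = Router("R1", "192.168.1.254", priority=200, preempt=True,
                tracked={"Fa0/1": 10})             # default decrement
    r2 = Router("R2", "192.168.1.253")             # constructed peer, all defaults
    group = HsrpGroup([r1, r2])
    steps = [group.active]                         # initial election

    r1.down.add("Fa0/1")                           # uplink fails: 200 - 10 = 190
    steps.append(group.reelect())                  # still above R2's 100

    r1.tracked["Fa0/1"] = 110                      # larger decrement: 200 - 110 = 90
    steps.append(group.reelect())                  # R2 is higher but cannot preempt

    r2.preempt = True                              # peer may now take over
    steps.append(group.reelect())

    r1.down.discard("Fa0/1")                       # uplink restored: back to 200
    steps.append(group.reelect())                  # R1 preempts and returns
    return steps


if __name__ == "__main__":
    print(tracking_walkthrough())
```

Failover on a tracked interface therefore needs both a decrement large enough to drop below the peer's priority and preemption enabled on the peer.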

Load Balancing with HSRP
 - Load balancing traffic across two uplinks to two HSRP routers with a single HSRP group is not possible.
 - It is possible to load balance with HSRP using two HSRP groups (two different virtual router or gateway addresses can be used simultaneously):
   SAME VLAN, 2 default gateways (assume half of the LAN is using gateway IP 192.168.1.1, and the other half of the LAN is using IP 192.168.1.2)
   2 HSRP groups: R1 is active in group1, and standby in group2
                  R2 is standby in group1, and active in group2

Verification
Router# show standby [brief] [vlan <vlan-id> | <type mod/num>]
CatalystA# show standby vlan 50 brief
        P indicates configured to preempt.
Interface Grp Prio  P  State         Active addr          Standby addr   Group addr
Vl50      1   200   P  Active        local                192.168.1.11   192.168.1.1
Vl50      2   100      Standby       192.168.1.11         local          192.168.1.2
CatalystA# show standby vlan 50
Vlan50 - Group 1
    Local state is Active, priority 200, may preempt
    Hellotime 3 sec, holdtime 10 sec
    Next hello sent in 2.248
    Virtual IP address is 192.168.1.1 configured
    Active router is local
    Standby router is 192.168.1.11 expires in 9.860
    Virtual mac address is 0000.0c07.ac01
    Authentication text “MyKey”
    2 state changes, last state change 00:11:58
    IP redundancy name is “hsrp-Vl50-1” (default)
Vlan50 - Group 2
    Local state is Standby, priority 100
    Hellotime 3 sec, holdtime 10 sec
    Next hello sent in 1.302
    Virtual IP address is 192.168.1.2 configured
    Active router is 192.168.1.11, priority 200 expires in 7.812
    Standby router is local
    Authentication text “MyKey”
    4 state changes, last state change 00:10:04
    IP redundancy name is “hsrp-Vl50-2” (default)
CatalystA#
Troubleshooting: ( @ cisco.com)
 - HSRP State Continuously Changes (Active, Standby, Speak) or %HSRP-6-STATECHANGE
   These error messages describe a situation in which a standby HSRP router did not receive three successive HSRP hello packets from its HSRP peer.
   The error messages signify the loss of HSRP hellos between the peers. (not properly exchanging three hello messages)
Jan 9 08:00:42.623: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Standby -> Active
Jan 9 08:00:56.011: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Active -> Speak
Jan 9 08:01:03.011: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Speak -> Standby
Jan 9 08:01:29.427: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Standby -> Active
- HSRP Does Not Recognize Peer
  A router is configured for HSRP but does not recognize its HSRP peers. In order for this to occur, the router must fail to receive HSRP hellos from the neighbor router.
  Verify physical layer connectivity and verify the HSRP router configuration
Vlan8 - Group 8
  Local state is Active, priority 110, may preempt
  Hellotime 3 holdtime 10
  Next hello sent in 00:00:01.168
  Hot standby IP address is 10.1.2.2 configured
  Active router is local
  Standby router is unknown expired
  Standby virtual mac address is 0000.0c07.ac08
  5 state changes, last state change 00:05:03
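
The STATECHANGE messages above can be checked for flapping automatically. The following Python sketch is an added example, not part of the original notes or of any Cisco tool: it parses the message format quoted above and reports each interface/group pair whose state changes cluster inside a time window. The 60-second window, the threshold of 3, the year (the log lines carry none) and the Vlan8 sample line are assumptions. On a group without authentication, repeated role changes are also worth checking against the list of devices expected to take part in the group.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The first four lines are the messages quoted in these notes;
# the Vlan8 line is constructed to show a group that is not flapping.
SAMPLE_LOG = """\
Jan 9 08:00:42.623: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Standby -> Active
Jan 9 08:00:56.011: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Active -> Speak
Jan 9 08:01:03.011: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Speak -> Standby
Jan 9 08:01:29.427: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Standby -> Active
Jan 9 09:15:00.000: %STANDBY-6-STATECHANGE: Standby: 8: Vlan8 state Speak -> Standby
"""

LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d+): "
    r"%STANDBY-6-STATECHANGE: Standby: (?P<group>\d+): "
    r"(?P<intf>\S+) state (?P<old>\w+) -> (?P<new>\w+)"
)


def parse_events(text, year=2024):
    """Return (timestamp, interface, group, old_state, new_state) tuples.

    The year is an assumption supplied by the caller.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # not an HSRP state change
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append((ts, m["intf"], int(m["group"]), m["old"], m["new"]))
    return events


def find_flapping(events, window=timedelta(seconds=60), threshold=3):
    """Report (interface, group) pairs with >= threshold changes inside window."""
    by_group = defaultdict(list)
    for ts, intf, group, _old, new in sorted(events):
        by_group[(intf, group)].append((ts, new))

    report = {}
    for key, changes in by_group.items():
        worst, start = 0, 0
        for end in range(len(changes)):
            # Slide the window start forward until it spans at most `window`.
            while changes[end][0] - changes[start][0] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            report[key] = {
                "max_changes_in_window": worst,
                "became_active": sum(1 for _, new in changes if new == "Active"),
            }
    return report


if __name__ == "__main__":
    for (intf, group), detail in find_flapping(parse_events(SAMPLE_LOG)).items():
        print(f"{intf} group {group}: {detail}")
```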
HSRP Track Lab - http://sclabs.blogspot.com/2014/10/ccnp-switch-hsrp-lab.html


Virtual Router Redundancy Protocol - VRRP
 - VRRP is similar to HSRP (only slightly different terminology and a couple of slight functional differences)
 - VRRP is open protocol defined in IETF standard RFC 2338
 - The active router is called the master router, whereas all others are in the backup state.
 - The master router is the one with the highest router priority in the VRRP group.
 - VRRP group numbers range from 0 to 255; router priorities range from 1 to 254. (254 is the highest, 100 is the default.)
 - VRRP sends its advertisements to the multicast destination address 224.0.0.18 (VRRP), using IP protocol 112.
 - The virtual router MAC address is of the form 0000.5e00.01xx, where xx is a two-digit hex VRRP group number.
 - VRRP advertisements are sent at 1-second intervals. Backup routers optionally can learn the advertisement interval from the master router.
 - By default, all VRRP routers are configured to preempt the current master router if their priorities are greater.
 - VRRP has no mechanism for tracking interfaces to allow more capable routers to take over the master role.
 - The priority value for the VRRP router that owns the IP address(es) associated with the virtual router MUST be 255. 
 - VRRP routers backing up a virtual router MUST use priority values between 1 and 254.
 - The priority value zero (0) has special meaning indicating that the current Master has stopped participating in VRRP. This is used to trigger Backup routers to quickly transition to Master without having to wait for the current Master to timeout.

VRRP Configuration
vrrp <group> priority <level>                   <---Assign a VRRP router priority (default 100)
vrrp <group> timers advertise [msec] <interval> <---Alter the advertisement timer (default 1 second)
vrrp <group> timers learn                       <---Learn the advertisement interval from the master router
no vrrp <group> preempt                         <---Disable preempting (default is to preempt)
vrrp <group> preempt [delay <seconds>]          <---Change the preempt delay (default 0 seconds)
vrrp <group> authentication <string>            <---Use authentication for advertisements
vrrp <group> ip <ip-address> [secondary]        <---Assign a virtual IP address

Configuring Load Balancing with VRRP
CatalystA(config)# interface vlan 50
CatalystA(config-if)# ip address 192.168.1.10 255.255.255.0
CatalystA(config-if)# vrrp 1 priority 200
CatalystA(config-if)# vrrp 1 ip 192.168.1.1
CatalystA(config-if)# vrrp 2 priority 100
CatalystA(config-if)# no vrrp 2 preempt
CatalystA(config-if)# vrrp 2 ip 192.168.1.2

CatalystB(config)# interface vlan 50
CatalystB(config-if)# ip address 192.168.1.11 255.255.255.0
CatalystB(config-if)# vrrp 1 priority 100
CatalystB(config-if)# no vrrp 1 preempt
CatalystB(config-if)# vrrp 1 ip 192.168.1.1
CatalystB(config-if)# vrrp 2 priority 200
CatalystB(config-if)# vrrp 2 ip 192.168.1.2

VRRP Verify
Switch# show vrrp    <---detailed output
Switch# show vrrp brief     <---brief output
CatalystA# show vrrp brief
Interface    Grp Pri Time Own Pre State   Master addr    Group addr
Vlan50       1   200 3218     Y   Master  192.168.1.10   192.168.1.1
Vlan50       2   100 3609         Backup  192.168.1.11   192.168.1.2

Gateway Load Balancing Protocol (GLBP)
Active Virtual Gateway - AVG
 - One router is elected the active virtual gateway (AVG). This router has the highest priority value, or the highest IP address in the group, if there is no highest priority. The AVG answers all ARP requests for the virtual router address. Which MAC address it returns depends on which load-balancing algorithm it is configured to use. In any event, the virtual MAC address supported by one of the routers in the group is returned.
 - The AVG also assigns the necessary virtual MAC addresses to each of the routers participating in the GLBP group. Up to four virtual MAC addresses can be used in any group.
 
Active Virtual Forwarder - AVF
 - the router that forwards traffic received on its virtual MAC address
 - other routers in the group serve as backup or secondary virtual forwarders, in case the AVF fails
 -  a router that might serve as an AVF cannot preempt another when it has a higher weight value.

GLBP:
 - Cisco-proprietary protocol designed to overcome the limitations of existing redundant router protocols:
 - all routers in the group can participate and offer load balancing by forwarding a portion of the overall traffic.
 - GLBP is available only for the Catalyst 6500 Supervisor 2 with IOS Release 12.2(14)SY4 or later and Supervisor 720 with IOS Release 12.2(17a)SX4 switch platforms.
 - GLBP group numbers range from 0 to 1023. The router priority can be 1 to 255 (255 is the highest priority), defaulting to 100.
 - As with HSRP, another router cannot take over an active role until the current active router fails.
 - GLBP does allow a router to preempt and become the AVG if it has a higher priority than the current AVG.
 - Hello messages are sent at hellotime intervals, with a default of 3 seconds.
 - If hellos are not received from a peer within a holdtime, defaulting to 10 seconds, that peer is presumed to have failed.
 -  The virtual MAC addresses always have the form 0007.b4xx.xxyy.
  The 16-bit value denoted by xx.xx represents six zero bits followed by a 10-bit GLBP group number.
  The 8-bit yy value is the virtual forwarder number.
 - By default, GLBP uses the periodic hello messages to detect AVF failures; each router within a GLBP group must send hellos to every other GLBP peer.
 - The AVG maintains two timers: redirect and timeout
redirect (600 seconds=10 minutes) - used to determine when the AVG will stop using the old virtual MAC address in ARP replies.
  The AVF corresponding to the old address continues to act as a gateway for any clients that try to use it.
  When the timeout timer expires (14,400 seconds=4 hours), the old MAC address and the virtual forwarder using it are flushed from all the GLBP peers. The AVG assumes that the previously failed AVF will not return to service, so the resources assigned to it must be reclaimed. At this point, clients still using the old MAC address in their ARP caches must refresh the entry to obtain the new virtual MAC address.
- GLBP also can use a weighting function to determine which router becomes the AVF for a virtual MAC address in a group.
- By default, a router receives a maximum weight of 100.
- If the AVG becomes unavailable, frames to its AVF MAC will be forwarded by the AVG standby router.
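
The virtual MAC layouts given in the summary near the top of these notes and in the GLBP bullets above can be decoded mechanically. The following Python sketch is an added example, not part of the original notes or of any Cisco tool: it decodes a MAC address into protocol, group and forwarder number, then checks ARP observations so that a gateway IP answering from anything other than its expected virtual MAC stands out. The ARP observations, the expected-gateway map and the function names are constructed for illustration.

```python
import re

# (prefix, mask, protocol, group mask), following the layouts in these notes
LAYOUTS = [
    (0x00000C07AC00, 0xFFFFFFFFFF00, "HSRPv1", 0xFF),    # 0000.0C07.ACxx
    (0x00000C9FF000, 0xFFFFFFFFF000, "HSRPv2", 0xFFF),   # 0000.0C9F.Fxxx
    (0x00005E000100, 0xFFFFFFFFFF00, "VRRP", 0xFF),      # 0000.5E00.01xx
]
GLBP_PREFIX, GLBP_MASK = 0x0007B4000000, 0xFFFFFF000000  # 0007.b4xx.xxyy


def mac_to_int(mac):
    """Accept Cisco dotted, colon or hyphen notation; return a 48-bit integer."""
    digits = re.sub(r"[.:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def decode_virtual_mac(mac):
    """Return (protocol, group, forwarder) for an FHRP virtual MAC, else None."""
    value = mac_to_int(mac)
    for prefix, mask, protocol, group_mask in LAYOUTS:
        if (value & mask) == prefix:
            return (protocol, value & group_mask, None)
    if (value & GLBP_MASK) == GLBP_PREFIX:
        group_field = (value >> 8) & 0xFFFF       # xx.xx: six zero bits + 10-bit group
        if (group_field >> 10) == 0:
            return ("GLBP", group_field, value & 0xFF)   # yy: forwarder number
    return None


def audit_gateway_arp(observations, expected):
    """Flag gateway IPs that resolve to something other than their virtual MAC.

    observations: iterable of (ip, mac) pairs collected from hosts or switches
    expected:     {gateway_ip: (protocol, group)} taken from the FHRP design
    """
    findings = []
    for ip, mac in observations:
        if ip not in expected:
            continue                              # ordinary host entry
        decoded = decode_virtual_mac(mac)
        want = expected[ip]
        if decoded is None:
            findings.append((ip, mac, "gateway IP resolves to a non-virtual MAC"))
        elif decoded[:2] != want:
            findings.append((ip, mac, f"expected {want[0]} group {want[1]}, "
                                      f"saw {decoded[0]} group {decoded[1]}"))
    return findings


# Constructed sample data: two HSRPv1 gateways on one VLAN, as in the
# load-balancing example in these notes, plus two entries that do not fit.
EXPECTED_GATEWAYS = {"192.168.1.1": ("HSRPv1", 1), "192.168.1.2": ("HSRPv1", 2)}
ARP_OBSERVATIONS = [
    ("192.168.1.1", "0000.0c07.ac01"),
    ("192.168.1.2", "00:00:0c:07:ac:02"),
    ("192.168.1.50", "0011.2233.4455"),
    ("192.168.1.1", "0050.56ab.cdef"),
    ("192.168.1.2", "0000.5e00.0102"),
]

if __name__ == "__main__":
    for finding in audit_gateway_arp(ARP_OBSERVATIONS, EXPECTED_GATEWAYS):
        print(finding)
```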


GLBP Configuration
Switch(config-if)# glbp <group> ip [<ip-address> [secondary]]
Switch(config-if)# glbp <group> priority <level>
Switch(config-if)# glbp <group> preempt [delay minimum <seconds>]
Switch(config-if)# glbp <group> timers [msec] <hellotime> [msec] <holdtime>
   The timer values normally are given in seconds, unless they are preceded by the msec keyword, to indicate milliseconds.
Switch(config-if)# glbp <group> timers redirect <redirect> <timeout>

GLBP Weighting
Switch(config)# track <object-number> interface <type mod/num> {line-protocol | ip  routing}
Switch(config-if)# glbp <group>  weighting   <maximum> [lower <lower>] [upper <upper>]
   The maximum weight can range from 1 to 254 (default 100).
    The upper (default maximum) and lower (default 1) thresholds define when the router can and cannot be the AVF, respectively.

GLBP Load Balancing
Load-balancing methods in a GLBP group:
■ Round robin—Each new ARP request for the virtual router address receives the next available virtual MAC address in reply.
  Traffic load is distributed evenly across all AVFs in the group, assuming that each of the clients sends and receives the same amount of traffic. This is the default method used by GLBP.
■ Weighted—The GLBP group interface’s weighting value determines the proportion of traffic that should be sent to that AVF. A higher weighting results in more frequent ARP replies containing the virtual MAC address of that router. If interface tracking is not configured, the maximum weighting value configured is used to set the relative proportions among AVFs.
■ Host dependent—Each client that generates an ARP request for the virtual router address always receives the same virtual MAC address in reply. This method is used if the clients have a need for a consistent gateway MAC address. (Otherwise, a client could receive replies with different MAC addresses for the router over time, depending on the load-balancing method in use.)
Switch(config-if)# glbp <group> load-balancing [round-robin | weighted | host-dependent]


GLBP Verify
show glbp [brief]
CatalystA# show glbp brief
Interface  Grp Fwd Pri State   Address         Active router   Standby router
Vl50       1   -   200 Active  192.168.1.1     local           192.168.1.11
Vl50       1   1   7   Active  0007.b400.0101  local           -
Vl50       1   2   7   Listen  0007.b400.0102  192.168.1.11    -
Vl50       1   3   7   Listen  0007.b400.0103  192.168.1.12    -
CatalystA#

CatalystA# show glbp
Vlan50 - Group 1
    State is Active
    7 state changes, last state change 03:28:05
    Virtual IP address is 192.168.1.1
    Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.672 secs
    Redirect time 600 sec, forwarder time-out 14400 sec
    Preemption enabled, min delay 0 sec
    Active is local
    Standby is 192.168.1.11, priority 150 (expires in 9.632 sec)
    Priority 200 (configured)
    Weighting 100 (default 100), thresholds: lower 1, upper 100
    Load balancing: round-robin
    There are 3 forwarders (1 active)
Forwarder 1
  State is Active
  3 state changes, last state change 03:27:37
  MAC address is 0007.b400.0101 (default)
  Owner ID is 00d0.0229.b80a
  Redirection enabled
  Preemption enabled, min delay 30 sec
  Active is local, weighting 100
Forwarder 2
  State is Listen
  MAC address is 0007.b400.0102 (learnt)
  Owner ID is 0007.b372.dc4a
  Redirection enabled, 598.308 sec remaining (maximum 600 sec)
  Time to live: 14398.308 sec (maximum 14400 sec)
  Preemption enabled, min delay 30 sec
  Active is 192.168.1.11 (primary), weighting 100 (expires in 8.308 sec)
Forwarder 3
  State is Listen
  MAC address is 0007.b400.0103 (learnt)
  Owner ID is 00d0.ff8a.2c0a
  Redirection enabled, 599.892 sec remaining (maximum 600 sec)
  Time to live: 14399.892 sec (maximum 14400 sec)
  Preemption enabled, min delay 30 sec
  Active is 192.168.1.12 (primary), weighting 100 (expires in 9.892 sec)
CatalystA# 

Supervisor and Route Processor Redundancy
A Supervisor Engine is a module installed in Cisco chassis-based Catalyst switches or routers. The Supervisor Engine contains nearly all the same components as a fixed Cisco switch or router. Supervisor Engines come in a variety of types with different functionality and are installed in the switch or router chassis according to the requirements of the network.

Policy Feature Card (PFC) is the forwarding plane and does the following:
 - The PFC3 is the ASIC-based forwarding engine daughtercard for the Sup720;
 - Performs Layer 2 and Layer 3 forwarding.
 - Enforces access control list (ACL) functions,
 - Performs policing and marking for quality of service (QoS) traffic.
Distributed Forwarding Card (DFC)
 - Combo daughter card comprising a MSFC and PFC used by a fabric enabled Cat6500 linecard to perform distributed switching. DFCs are located in linecards, not in Supervisors.
 - Performance is the biggest and most obvious reason to implement DFCs. You move from a 30 Mpps centralized forwarding system anywhere up to a 400 Mpps distributed forwarding system. This forwarding performance is for all L2 bridging, L3 routing, ACLs, QoS, and Netflow features, i.e., not just L3.
Multilayer Switch Feature Card (MSFC) is the control plane and does the following: 
 - Performs routing for the chassis. The MSFC contains the route processor (RP) and switch processor (SP) for the router.
 - Runs Layer 2 and Layer 3 protocols, such as the Spanning Tree Protocol (STP) and others.

The MSFC is a Cisco IOS® router in a compact package and, when used in combination with the PFC, provides intelligent multilayer switching for the Catalyst 6000 Family in a single slot solution.

 - Some Cisco switches have the capability to provide redundancy for the supervisor engine itself.
 - This is accomplished by having redundant hardware in place within a switch chassis, ready to take over during a failure.
 - Some switch platforms can have multiple power supplies; if one power supply fails, another immediately takes over the load.

Redundant Switch Supervisors
 - Modular switch platforms such as the Catalyst 4500R and 6500 can accept two supervisor modules installed in a single chassis. The first supervisor module to successfully boot becomes the active supervisor for the chassis. The other supervisor remains in a standby role, waiting for the active supervisor to fail.

Redundancy modes on Catalyst switches:
■ Route processor redundancy (RPR)—The redundant supervisor is only partially booted and initialized.
   When the active module fails, the standby module must reload every other module in the switch and then initialize all the supervisor functions.
■ Route processor redundancy plus (RPR+)—The redundant supervisor is booted, allowing the supervisor and route engine to initialize.
   No Layer 2 or Layer 3 functions are started, however. When the active module fails, the standby module finishes initializing without reloading other switch modules.
   This allows switch ports to retain their state.
■ Stateful switchover (SSO)—The redundant supervisor is fully booted and initialized. Both the startup and running configuration contents are synchronized between the supervisor modules.
   Layer 2 information is maintained on both supervisors so that hardware switching can continue during a failover.
   The state of the switch interfaces is also maintained on both supervisors so that links don’t flap during a failover.

Configuring the Redundancy Mode
 - RPR - Catalyst 6500 Supervisors 2 and 720, Catalyst 4500R Supervisors IV and V
    Failover Time: Good (> 2 minutes)
 - RPR+ - Catalyst 6500 Supervisors 2 and 720
    Failover Time: Better (> 30 seconds)
 - SSO - Catalyst 6500 Supervisor 720, Catalyst 4500R Supervisors IV and V
    Failover Time: Best (> 1 second)
Router(config)# redundancy
Router(config-red)# mode {rpr | rpr-plus | sso}
 - If you are configuring redundancy for the first time on the switch, you must enter the previous commands on both supervisor modules.
 - When the redundancy mode is enabled, you will make all configuration changes on the active supervisor only.
 - The running configuration is synchronized automatically from the active to the standby module.

Verify Redundancy
SW-4500#show redundancy states
       my state = 13 -ACTIVE
     peer state = 8  -STANDBY HOT
           Mode = Duplex
           Unit = Primary
        Unit ID = 1

Redundancy Mode (Operational) = Stateful Switchover
Redundancy Mode (Configured)  = Stateful Switchover
     Split Mode = Disabled
   Manual Swact = Enabled
 Communications = Up

   client count = 23
 client_notification_TMR = 240000 milliseconds
          keep_alive TMR = 9000 milliseconds
        keep_alive count = 0
    keep_alive threshold = 18
           RF debug mask = 0x0  
SW-4500#
Configuring Supervisor Synchronization
Router(config)# redundancy
Router(config-red)# main-cpu
Router(config-r-mc)# auto-sync {startup-config | config-register | bootvar}

redundancy
power redundancy-mode redundant
Nonstop Forwarding NSF
The objective of Cisco NSF is to continue forwarding IP packets following a route processor (RP) switchover.
 - Cisco NSF helps to suppress routing flaps (when a networking device restarts, all routing peers of that device detect that the device went down and then came back up) in SSO-enabled devices, thus reducing network instability. 
 - Data traffic is forwarded through intelligent line cards while the standby RP assumes control from the failed active RP during a switchover. 

Cisco NSF always runs with SSO and provides redundancy for Layer 3 traffic. NSF works with SSO to minimize the amount of time that a network is unavailable to its users following a switchover. The main purpose of NSF is to continue forwarding IP packets following a supervisor engine switchover. 

During normal NSF operation, CEF on the active RP synchronizes its current FIB and adjacency databases with the FIB and adjacency databases on the standby RP. Upon switchover of the active RP, the standby RP initially has FIB and adjacency databases that are mirror images of those that were current on the active RP. For platforms with intelligent line cards, the line cards will maintain the current forwarding information over a switchover; for platforms with forwarding engines, CEF will keep the forwarding engine on the standby RP current with changes that are sent to it by CEF on the active RP. In this way, the line cards or forwarding engines will be able to continue forwarding after a switchover as soon as the interfaces and a data path are available.  

 - You can enable another redundancy feature along with SSO on the Catalyst 4500R and 6500 (Supervisor 720 only).
 - NSF requires SSO
 - The Hot Standby Routing Protocol (HSRP) is not supported with Cisco Nonstop Forwarding with Stateful Switchover. Do not use HSRP with Cisco Nonstop Forwarding with Stateful Switchover.  
 - Nonstop Forwarding (NSF) is an interactive method that focuses on quickly rebuilding the Routing Information Base (RIB) table after a supervisor switchover.
 - Instead of waiting on any configured Layer 3 routing protocols to converge and rebuild the FIB, a router can use NSF to get assistance from other NSF-aware neighbors.
 - Cisco-proprietary NSF functions must be built in to the routing protocols on both the router that will need assistance and the router that will provide assistance.
 - NSF is supported by the BGP, EIGRP, OSPF and IS-IS routing protocols.
 - NSF is available on the Catalyst 6500 Supervisor 720 (with the integrated MSFC3) and on the Catalyst 4500R Supervisor III, IV, and V running IOS Software Release 12.2(20)EWA or later.

Configure NSF
Router(config)# router bgp <as-number>
Router(config-router)# bgp graceful-restart

Router(config)# router eigrp <as-number>
Router(config-router)# nsf

Router(config)# router ospf <process-id>
Router(config-router)# nsf

Router(config)# router isis [tag]
Router(config-router)# nsf [cisco | ietf]
Router(config-router)# nsf interval [minutes]
Router(config-router)# nsf t3 {manual [seconds] | adjacency}
Router(config-router)# nsf interface wait <seconds>