18-Troubleshooting HSRP Authentication
Lab Topology
The topology diagram below represents the NetMap in the Simulator.
IP Addresses
Device   Interface         IP Address     Subnet Mask      Default Gateway
Router1  FastEthernet 0/0  192.168.51.49  255.255.255.252  -
Router1  FastEthernet 0/1  192.168.51.53  255.255.255.252  -
Router1  Loopback 0        172.16.0.1     255.255.255.255  -
Router1  Loopback 1        198.51.100.1   255.255.255.255  -
DSW1     FastEthernet 0/0  192.168.51.50  255.255.255.252  192.168.51.49
DSW1     VLAN 100          10.10.100.1    255.255.255.0    -
DSW1     VLAN 200          10.10.200.1    255.255.255.0    -
DSW1     HSRP Group 100    10.10.100.3    -                -
DSW2     FastEthernet 0/0  192.168.51.54  255.255.255.252  192.168.51.53
DSW2     VLAN 100          10.10.100.2    255.255.255.0    -
DSW2     VLAN 200          10.10.200.2    255.255.255.0    -
DSW2     HSRP Group 100    10.10.100.3    -                -
ASW1     VLAN 100          10.10.100.5    255.255.255.0    -
ASW1     VLAN 200          10.10.200.5    255.255.255.0    -
ASW2     VLAN 100          10.10.100.6    255.255.255.0    -
ASW2     VLAN 200          10.10.200.6    255.255.255.0    -
The HSRP configurations used in this lab are shown in the tables below:
Ticket 2: Configure HSRP to Load Balance VLAN 100 and VLAN 200
Your company has consolidated a small software development staff into its corporate headquarters. The
software developer workstations are confined to VLAN 200 and currently use DSW1 as a default gateway.
In this task, you will configure HSRP for VLAN 200 so that VLAN 200 clients use DSW2 as their default
gateway and use DSW1 only if the connection between DSW2 and Router1 goes down. The HSRP active
router for VLAN 100 clients should not be modified.
You can do so by clicking the Grade Lab icon in the toolbar or by pressing Ctrl+G.
You should create a troubleshooting and verification plan before attempting to correct the problem. There
are several possible solutions to this task; this lab documents only one of them.
1. On PC1, issue the ipconfig command. Based on the output, you can determine that PC1 has
been configured with an IP address of 10.10.100.10/24. This is the subnet that has been assigned
to VLAN 100. Additionally, PC1 has been assigned a default gateway of 10.10.100.3, which is the
virtual IP address that has been assigned to the HSRP group 100 routers in this scenario. Sample
output is shown below:
C:>ipconfig
<output omitted>
2. Using the topology diagram in this lab document, you can determine that PC1 is connected to the
FastEthernet 0/11 interface of ASW1. You can verify that PC1 is operating in VLAN 100 by issuing
the following command on ASW1; the output should reveal that the FastEthernet 0/11 port to which
PC1 is connected is operating in VLAN 100. Sample output is below:
Similarly, ASW2 is reporting that the root bridge has a priority of 8192, has a MAC address of
000C.1289.3959, and is accessible through ASW2’s FastEthernet 0/4 port. Based on either the
topology diagram or the output of the show cdp neighbors command on ASW2, you can determine
that ASW2’s FastEthernet 0/2 port is directly connected to DSW2. Therefore, traffic from PC1 that is
destined for Router1 is most likely being correctly sent from ASW1 to DSW1.
4. When you examine the console of DSW1, you should notice that DSW1 is also producing debug
messages related to HSRP authentication. The error messages indicate that HSRP Group 100
on DSW2 (10.10.100.2) is unable to correctly authenticate with HSRP Group 100 on DSW1
(10.10.100.1). Additionally, the debug message indicates that DSW2 is reporting itself as the active
HSRP router for HSRP group 100. Sample output from DSW1 is below:
5. On DSW1, you should issue the show standby command to display HSRP information for HSRP
group 100. Based on the output, you can determine the following:
• DSW1 is reporting itself as the active router for HSRP group 100.
• DSW1 has been unable to locate a standby router for HSRP group 100.
• HSRP group 100 has been configured with a priority of 120 on DSW1.
• HSRP preemption is enabled.
• HSRP group 100 on DSW1 is tracking the FastEthernet 0/0 interface.
• HSRP authentication has been configured for HSRP group 100 by using a key string of
my80$0nL485! from which an MD5 hash is generated.
When the FastEthernet 0/0 interface goes down, the priority of HSRP group 100 on DSW1 will be
decremented by 20. However, the tracked interface is currently in the Up state.
DSW1#show standby
Vlan0100 - Group 100
State is Active
2 state changes, last state change 00:2:34
Virtual IP address is 10.10.100.3
Active virtual MAC address is 0000.0c07.ac64
Local virtual MAC address is 0000.0c07.ac64(v1 default)
Hello time 4 sec, hold time 12 sec
Next hello sent in 2.299secs
Authentication MD5, key-string “my80$0nL485!”
Preemption enabled, min delay 50 sec, sync delay 40 sec
Active router is local
Standby router is unknown
Priority 120 (configured 120)
Track interface FastEthernet0/1 state Up decrement 20
IP redundancy name is HSRP1, advertisement interval is 34 sec
7. On DSW2, you should issue the following commands to correct the configuration.
DSW1 and DSW2 will not be able to exchange HSRP Hello packets until the correct key string has
been configured on DSW2. The no standby 100 authentication command removes authentication
from the DSW2 HSRP group 100 configuration. The standby 100 authentication md5 key-string
my80$0nL485! command configures HSRP group 100 on DSW2 to use MD5 authentication based
on a key string of my80$0nL485!.
DSW1#show standby
Vlan0100 - Group 100
State is Active
2 state changes, last state change 00:2:34
Virtual IP address is 10.10.100.3
Active virtual MAC address is 0000.0c07.ac64
Local virtual MAC address is 0000.0c07.ac64(v1 default)
Hello time 4 sec, hold time 12 sec
Next hello sent in 1.938secs
Authentication MD5, key-string “my80$0nL485!”
Preemption enabled, min delay 50 sec, sync delay 40 sec
Active router is local
Standby router is 10.10.100.2, priority 110
Priority 120 (configured 120)
Track interface FastEthernet0/1 state Up decrement 20
IP redundancy name is HSRP1, advertisement interval is 34 sec
DSW2#show standby
Vlan0100 - Group 100
State is Standby
2 state changes, last state change 00:2:34
Virtual IP address is 10.10.100.3
Active virtual MAC address is 0000.0c07.ac64
Local virtual MAC address is 0000.0c07.ac64(v1 default)
Hello time 4 sec, hold time 12 sec
Next hello sent in 2.306secs
Authentication MD5, key-string “my80$0nL485!”
Preemption enabled, min delay 50 sec, sync delay 40 sec
Active router is 10.10.100.1, priority 120 (expires in 5.694)
Standby router is local
Priority 110 (configured 110)
IP redundancy name is HSRP1, advertisement interval is 34 sec
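An added check, not part of the original lab manual: it parses show standby output from both peers and reports the symptoms described in steps 4 and 5 (mismatched authentication, both routers Active, standby router unknown). The sample text is constructed in the lab's output layout, the mismatched key is a placeholder, and the function names are hypothetical.

```python
import re

# Constructed sample in the lab's `show standby` layout. The mismatched key is a
# placeholder: the page does not show DSW2's original key string.
SAMPLE = """Vlan0100 - Group 100
  State is {state}
  Virtual IP address is 10.10.100.3
  Authentication MD5, key-string "{key}"
  Standby router is {standby}
"""
DSW1_BEFORE = SAMPLE.format(state="Active", key="my80$0nL485!", standby="unknown")
DSW2_BEFORE = SAMPLE.format(state="Active", key="PLACEHOLDER-wrong-key", standby="unknown")

FIELDS = {  # field name -> pattern matched at the start of a stripped line
    "state": r"State is (\w+)",
    "vip": r"Virtual IP address is (\S+)",
    "auth": r"Authentication (.+)",
    "standby": r"Standby router is ([^,\s]+)",
}

def parse_show_standby(text):
    """Map (interface, group) -> parsed fields for every group in the output."""
    groups, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip().replace("“", '"').replace("”", '"')
        head = re.match(r"(\S+) - Group (\d+)$", line)
        if head:
            cur = groups.setdefault((head.group(1), int(head.group(2))), {})
        elif cur is not None:
            for name, pattern in FIELDS.items():
                m = re.match(pattern, line)
                if m:
                    cur[name] = m.group(1)
    return groups

def audit_pair(out_a, out_b):
    """Compare two peers' output; return sorted (group key, finding) tuples."""
    a, b = parse_show_standby(out_a), parse_show_standby(out_b)
    findings = [(k, "group-on-one-peer-only") for k in a.keys() ^ b.keys()]
    for k in a.keys() & b.keys():
        if a[k].get("auth") != b[k].get("auth"):
            findings.append((k, "auth-mismatch"))  # key text is never echoed
        if a[k].get("state") == b[k].get("state") == "Active":
            findings.append((k, "dual-active"))
        if "unknown" in (a[k].get("standby"), b[k].get("standby")):
            findings.append((k, "standby-unknown"))
    return sorted(findings)
```

Because show standby prints the key string in clear text, the check only compares the two values and reports a finding name, so the key does not end up in audit output.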
9. On PC1, you should issue the following command to trace the route to Router1’s Loopback 1
interface (198.51.100.1). Based on the output, you should be able to determine that PC1 can now
successfully communicate with Router1 and that the path is through DSW1 (10.10.100.1).
C:>tracert 198.51.100.1
DSW1#show standby
Vlan0100 - Group 100
State is Active
2 state changes, last state change 00:2:34
Virtual IP address is 10.10.100.3
Active virtual MAC address is 0000.0c07.ac64
Local virtual MAC address is 0000.0c07.ac64(v1 default)
Hello time 4 sec, hold time 12 sec
Next hello sent in 1.938secs
Authentication MD5, key-string “my80$0nL485!”
Preemption enabled, min delay 50 sec, sync delay 40 sec
Active router is local
Standby router is 10.10.100.2, priority 110 (expires in 2.437 sec)
Priority 120 (configured 120)
Track interface FastEthernet0/1 state Up decrement 20
IP redundancy name is HSRP1, advertisement interval is 34 sec
Based on the output, you should be able to determine that the HSRP group 100 VLAN 100
interface is tracking DSW1’s FastEthernet 0/0 interface. Additionally, you can determine that if the
FastEthernet 0/0 interface enters the Down state, the priority of HSRP group 100 on DSW1 will be
decremented by 20.
11. On DSW1, you should issue the following commands to shut down the FastEthernet 0/1 interface:
12. After the network has time to converge, you should issue the following command on PC1 to trace
the route to Router1’s Loopback 1 interface (198.51.100.1):
C:>tracert 198.51.100.1
PC1’s traffic to Router1 is now forwarded through DSW2 (10.10.100.2) instead of DSW1
(10.10.100.1). When the line protocol of DSW1’s FastEthernet 0/1 interface went down, HSRP
group 100’s priority value on DSW1 was decremented by 20. Therefore, DSW2 has taken over the
active HSRP router role from DSW1 because DSW1’s HSRP priority is now lower than DSW2’s and
preemption has been configured on DSW2.
13. On DSW1, you should issue the following command to enable the FastEthernet 0/1 interface:
DSW1(config-if)#no shutdown
00:10:29: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:10:29: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:10:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to up
00:10:29: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.51.49
(FastEthernet0/1) is up: new adjacency
00:10:30: %TRACKING-5-STATE: 1 interface Fa0/1 line-protocol Down->Up
00:10:30: %HSRP-6-STATECHANGE: Vlan0100 Grp 100 state Standby -> Active
Ticket 2: Configure HSRP to Load Balance VLAN 100 and VLAN 200
Your company has consolidated a small software development staff into its corporate headquarters. The
software developer workstations are confined to VLAN 200 and currently use DSW1 as a default gateway.
In this task, you will configure HSRP for VLAN 200 so that VLAN 200 clients use DSW2 as their default
gateway and use DSW1 if the connection between DSW2 and Router1 goes down. The HSRP active
router for VLAN 100 clients should not be modified.
You should create a troubleshooting and verification plan before attempting to correct the problem. There
are several possible solutions to this task; this lab documents only one of them.
1. On PC1, you should trace the route to Router1’s Loopback 1 interface (198.51.100.1). As shown in
the following sample output, traffic from PC1 is forwarded to Router1 through DSW1 (10.10.100.1):
C:>tracert 198.51.100.1
2. On PC4, you should trace the route to Router1’s Loopback 1 interface (198.51.100.1). As shown in
the following sample output, traffic from PC4 is forwarded to Router1 by DSW2 (10.10.200.2):
C:>tracert 198.51.100.1
By segregating the LAN into VLANs and configuring an HSRP group per VLAN, you can load
balance traffic from the LAN as a whole across multiple HSRP routers.
On PC4:
C:>ipconfig
<output omitted>
4. On DSW2, you should issue the following command to display STP information for VLAN 200.
Based on the output, you can determine that DSW2 is not the root bridge for VLAN 200 and that the
root bridge for VLAN 200 has a priority value of 8192.
VLAN200
Spanning tree enabled protocol pvst
Root ID Priority 8192
Address 000C.1289.3959
Cost 19
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
An STP best practice when using HSRP is to configure the HSRP group active router as the
STP root bridge for the group’s corresponding VLAN on the same device. Therefore, you should
configure DSW2 as the root bridge for VLAN 200 because DSW2 will be the active HSRP router
for the HSRP group that corresponds to VLAN 200.
5. On DSW2, you should issue the following command to configure STP for VLAN 200 to use a priority
value of 4096:
7. On DSW2, you should issue the following command to configure the VLAN 200 interface with
preemption for HSRP group 200:
8. On DSW2, you should issue the following command on the VLAN 200 interface to configure
HSRP interface tracking for group 200 and to decrement HSRP group 200 priority by 20 if DSW2’s
FastEthernet 0/1 interface goes down:
9. On DSW2, you should issue the following command on the VLAN 200 interface to configure HSRP
group 200 with a virtual IP address of 10.10.200.3:
10. On DSW2, you should issue the following command to configure HSRP authentication for group 200
using a key string of my80$0nL485!:
The md5 keyword configures HSRP group 200 to generate an MD5 hash from the string of
characters that is defined by the key-string keyword.
11. On PC2 and PC4, you should issue the following command to configure the default gateway to be
the virtual IP address of HSRP group 200 (10.10.200.3):
12. From PC4, you should issue the following command to trace the path to Router1’s Loopback 1
interface (198.51.100.1). Based on the output, you should be able to determine that traffic from PC4
is taking the path through DSW2 (10.10.200.2) to communicate with Router1 (192.168.51.53):
C:>tracert 198.51.100.1
DSW2#show standby
<output omitted>
Vlan0200 - Group 200
State is Active
2 state changes, last state change 00:2:34
Virtual IP address is 10.10.200.3
Active virtual MAC address is 0000.0c07.acC8
Local virtual MAC address is 0000.0c07.acC8(v1 default)
Hello time 4 sec, hold time 12 sec
Next hello sent in 1.748secs
Authentication MD5, key-string “my80$0nL485!”
Preemption enabled, min delay 50 sec, sync delay 40 sec
Active router is local
Standby router is unknown
Priority 120 (configured 120)
Track interface FastEthernet0/1 state Up decrement 20
IP redundancy name is HSRP1, advertisement interval is 34 sec
Given the current configuration, traffic from PC2 or PC4 will not be able to reach Router1 if you
shut down DSW2’s FastEthernet 0/0 interface, because no standby router for HSRP group 200 has
been configured. Therefore, DSW2 will remain the active router for HSRP group 200 even when
the FastEthernet 0/0 interface has been shut down and DSW2’s HSRP group 200 priority has been
decremented.
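An added model, not part of the original lab manual, of the two failover outcomes described above: the VLAN 100 takeover by DSW2 after DSW1's tracked interface goes down, and group 200 staying on DSW2 while no other router is in the group. It assumes a simplified rule (a peer takes over only with preempt enabled and a strictly higher effective priority); the class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Peer:
    name: str
    configured: int          # configured HSRP priority
    preempt: bool = True
    decrement: int = 0       # removed while the tracked interface is down
    tracked_up: bool = True

    @property
    def priority(self) -> int:
        return self.configured - (0 if self.tracked_up else self.decrement)

def next_active(peers, active):
    """Return the name of the active router once the group has converged.

    Simplified model (assumption): a peer takes over only if it has preempt
    enabled and a strictly higher effective priority than the sitting active.
    """
    holder = {p.name: p for p in peers}[active]
    rivals = [p for p in peers if p.preempt and p.priority > holder.priority]
    if not rivals:
        return holder.name   # nobody may preempt, even if the holder was decremented
    return max(rivals, key=lambda p: p.priority).name

def vlan100_failover():
    # Lab values: DSW1 120 with decrement 20, DSW2 110, tracked interface down.
    dsw1 = Peer("DSW1", 120, decrement=20, tracked_up=False)
    dsw2 = Peer("DSW2", 110)
    return next_active([dsw1, dsw2], active="DSW1")

def vlan200_lone_router():
    # Group 200 exists only on DSW2 at this step, so no peer can take over.
    dsw2 = Peer("DSW2", 120, decrement=20, tracked_up=False)
    return next_active([dsw2], active="DSW2")
```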
14. Based on the HSRP group 200 configuration on DSW2, you should issue the following commands
on DSW1 to configure DSW1 to be the standby router for HSRP group 200 and to use a priority
value of 110:
15. On PC4, you should issue the following command to determine the path to Router1’s Loopback
1 interface. From the sample output below, you can see that the path to Router1’s Loopback 1
interface from PC4 has not changed because DSW1 is the standby router for HSRP group 200;
DSW2 remains the active router for HSRP group 200:
C:>tracert 198.51.100.1
1 10.10.200.2 20 msec 16 *
2 192.168.51.53 20 msec 16 msec *
17. On PC4, you should issue the following command to determine the path to Router1’s Loopback
1 interface. From the sample output below, you can see that the path to Router1’s Loopback 1
interface from PC4 has changed because DSW1 is now the active router for HSRP group 200:
C:>tracert 198.51.100.1
18. On DSW2, you should issue the following command to enable the FastEthernet 0/1 interface:
DSW2(config-if)#no shutdown
00:16:02: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:16:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to up
00:16:02: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.51.53
(FastEthernet0/1) is up: new adjacency
00:16:02: %TRACKING-5-STATE: 1 interface Fa0/1 line-protocol Down->Up
00:16:02: %HSRP-6-STATECHANGE: Vlan0200 Grp 200 state Standby -> Active
19. On PC4, you should issue the following command to trace the path to Router1’s Loopback 1
interface. From the sample output below, you can see that the path from PC4 to Router1 is now
through DSW2 because DSW2’s HSRP group 200 priority has been restored; therefore, DSW2 has
taken the active router role for HSRP group 200:
C:>tracert 198.51.100.1
Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.