HSRP vs GLBP

chrisone · June 2010

Ok so here are the rules.

1. Do you currently run either protocol in your networks. (Preferable the two at the same time on two different networks/locations for comparisons.)

2. What are the trade offs you actually do see in a real world environment.

3. Which causes you more troubleshooting headaches and explain why.

4. With GLBP have you ever experience any odd phenomena knowing the packets are split/load balanced between GLBP routers, experienced anything out of the ordinary with VOIP , WIFI, or any other technologies?

5. Got any other questions? please state them.

Thank you to everyone who participate.

burbankmarc · June 2010

I use HSRP in my network. I chose HSRP because the hardware I have doesn't support GLBP (3750's).

I have had several problems with HSRP. I've had Asymetric routing issues with it. Also, multicast doesn't work so well with HSRP, you'll have to put in mroutes.

Also, whenever an HSRP change happens it's pretty disruptive, since the MAC address is coming from a different location (that's what I assume is the problem anyways).

Really wish I could use GLBP.

ColbyG · June 2010

We use HSRP. I've never seen GLBP in production anywhere I've worked, so I can't comment much on it. I've not noticed any issues with HSRP at my current company.

DevilWAH · June 2010

i use hsrp, but i played with glbp and vrrp a lot before i made a decision. in the end i chose hsrp because glbp seemed an over kill and we don't load balance the wan links. only one is in use at a time. so glbp did not offer any advantage in our set up. and makes traffic monitering simpler. we might soon be getting new wan links that we will load balance. at which point i will move to glbp. in my testing any issues i did see where easy to sort out. and working them through improves you knowlage of the network.

ColbyG · June 2010

DevilWAH wrote: »

we don't load balance the wan links. only one is in use at a time.

ouch, why?

notgoing2fail · June 2010

burbankmarc wrote: »

I use HSRP in my network. I chose HSRP because the hardware I have doesn't support GLBP (3750's).

I have had several problems with HSRP. I've had Asymetric routing issues with it. Also, multicast doesn't work so well with HSRP, you'll have to put in mroutes.

Also, whenever an HSRP change happens it's pretty disruptive, since the MAC address is coming from a different location (that's what I assume is the problem anyways).

Really wish I could use GLBP.

Warning, newbie question soon to follow:

What exactly is asymmetric routing? Just one-way static routes?

Also, are the routers participating in HSRP configured exactly the same way? Meaning, if you have a specific configuration in one router to suppose an application, you also have it configured on the other router?

Or is it not necessary to have your routers have the exact same config?

ColbyG · June 2010

notgoing2fail wrote: »

Warning, newbie question soon to follow:

What exactly is asymmetric routing? Just one-way static routes?

Also, are the routers participating in HSRP configured exactly the same way? Meaning, if you have a specific configuration in one router to suppose an application, you also have it configured on the other router?

Or is it not necessary to have your routers have the exact same config?

Asymmetric routing means traffic takes one path to the destination and another path back, so picture a packet doing this:

Path to dest:
PC1 - R1 - R2 - R3 - PC2

Path back to source:
PC2 - R3 - R4 - R1 - PC1

Sorry for the weak diagram, but it's the best I can do in a post. So instead of coming back R3 R2 R1, it took the path from R3 through R4 to get to R1.

DevilWAH · June 2010

long long story why we dont load balance. but in a nushell. our wan links are managed but a goverment agency. and dispite there being no reson we should not be able to load balance, they control it and prevent us doing it. or they force all traffic out one link no matter what one of there routers i send it to. (they have two router on site that have there own etthernet link) itts a pants set up by we are forced in to it. each of my core switchs has a gig link to there router, wan links are 10 meg so no point in my load balancing to there routers as i know 99% of the time traffic only goes out of site from the router connected to the primary core. no poinnt in glbp across both cores. dont you just love goverment IT!!!

Nuul · June 2010

notgoing2fail wrote: »

Also, are the routers participating in HSRP configured exactly the same way? Meaning, if you have a specific configuration in one router to suppose an application, you also have it configured on the other router?

Or is it not necessary to have your routers have the exact same config?

The configs don't have to be exact but they'll probably be very close since you're wanting to route to the same place(s). I think about the only thing that's required to be the same is the group number though.

notgoing2fail · June 2010

ColbyG wrote: »

Sorry for the weak diagram, but it's the best I can do in a post. So instead of coming back R3 R2 R1, it took the path from R3 through R4 to get to R1.

No apology necessary, I completely understand it now. I'll do some google searches to see if I can find more information about it. thanks!

Nuul wrote: »

The configs don't have to be exact but they'll probably be very close since you're wanting to route to the same place(s). I think about the only thing that's required to be the same is the group number though.

ok good to know. I kinda figured they didn't have to be 10000% exactly configured. I suppose it's really up to how the network is designed...

burbankmarc · June 2010

notgoing2fail wrote: »

Warning, newbie question soon to follow:

What exactly is asymmetric routing? Just one-way static routes?

Also, are the routers participating in HSRP configured exactly the same way? Meaning, if you have a specific configuration in one router to suppose an application, you also have it configured on the other router?

Or is it not necessary to have your routers have the exact same config?

My network looks like this

ASA-----3750-1
  |
  |------3750-2

So each 3750 is connected to the ASA. The 3750's are running HSRP. So 3750-1 gets all the traffic from the users because it's normally HSRP active router. 3750-2 doesn't see all the out bound traffic so it's CAM table doesn't get populated.

Ok, so between the ASA and the 3750's I'm running OSPF. In OSPF the ASA load balances the users subnet to both 3750's. So all the return traffic for the users goes through the 3750-1 and the 3750-2. Since the 3750-2's CAM table isn't populated can you guess what it does with the traffic? It floods it out all ports except the one it received it on.

So what I did was change the OSPF cost on the 3750-2 to something lesser than the 3750-1. So now the ASA always sends traffic to the 3750-1 unless it's down.

So I guess it's not so much a "problem" but more of a caveat.

notgoing2fail · June 2010

burbankmarc wrote: »
My network looks like this
ASA-----3750-1
  |
  |------3750-2
So each 3750 is connected to the ASA. The 3750's are running HSRP. So 3750-1 gets all the traffic from the users because it's normally HSRP active router. 3750-2 doesn't see all the out bound traffic so it's CAM table doesn't get populated.

Ok, so between the ASA and the 3750's I'm running OSPF. In OSPF the ASA load balances the users subnet to both 3750's. So all the return traffic for the users goes through the 3750-1 and the 3750-2. Since the 3750-2's CAM table isn't populated can you guess what it does with the traffic? It floods it out all ports except the one it received it on.

So what I did was change the OSPF cost on the 3750-2 to something lesser than the 3750-1. So now the ASA always sends traffic to the 3750-1 unless it's down.

So I guess it's not so much a "problem" but more of a caveat.

That is fantastic my friend. Now that is a real world experience post that I salivate over. That's pretty clever what you did with OSPF.

So let me ask you some questions.

1) If you fine tuned OSPF to send data back to 3750-1 only, what happens when 3750-1 fails and HSRP/traffic begins to flow to 3750-2? I assume that OSPF will "learn" that 3750-1 has failed in someway and this probably won't be too big of an issue?

2) I assume you have each 3750 connected to separate ports on the ASA?

3) Are the 3750's connected together in anyway via stackwise?

4) What are the 3750's connected to on the other side? Are they connected to another switch? Like this?

ASA-----3750-1------|
  |                 |Switch #3| <----- LOCAL LAN CONNECTS HERE
  |------3750-2-----|

Nuul · June 2010

Why no router between the 3750s and the ASA? I would have probably put a router pair there (depending on the ISP connection) and done the HSRP at that level. Budget?

burbankmarc · June 2010

Nuul wrote: »

Why no router between the 3750s and the ASA? I would have probably put a router pair there (depending on the ISP connection) and done the HSRP at that level. Budget?

There's really no need for routers there. The ASA fully supports OSPF. I have a couple of 2811's on the other side of the ASA that actually connect to the ISPs.

the 3750's are actually connected to different ASA's, but the ASA's are working in failover mode, so to the network it appears that it's all just one box.

On the inside of the 3750's they're plugged into multiple switches. It's a collapsed core topology.

So if the connection to the ASA fails HSRP switches due to interface tracking. If one of the internal interfaces fails it's no biggie since the user subnets are a redundant topology running PVRSTP.

1) If you fine tuned OSPF to send data back to 3750-1 only, what happens when 3750-1 fails and HSRP/traffic begins to flow to 3750-2? I assume that OSPF will "learn" that 3750-1 has failed in someway and this probably won't be too big of an issue?

The route to the 3750-2 is still in the OSPF database, it just isn't being used because it isn't the optimal route. So once the optimal route does fail the ASA will immediately start using the 3750-2.

liven · June 2010

We use all three:

GLBP
VRRP
HSRP

and we also use

the mighty

BGP

to for failover (between primary and secondary links).

HSRP is only used on our Cisco gear (for obvious reasons). Almost everything else uses VRRP since all other manufacturers support it, and we use a lot of juniper, nortel, extreme etc...

Personally I have seen little if any difference between HSRP and VRRP. The only time there is issues with either besides poor/improper configuration is when all possible failures scenarios are not taken into consideration.

For example when a Metro Ethernet connection or even a ATM/frame relay link fails, it doesn't necessarily mean the interface configured with HSRP or VRRP will notice the failure. Often times a circuit,pvc,uplink can fail, but the interface configured with "standby" will still have link.

This makes it necessary to track reach abilities (tracking objects) and things of that nature to make HSRP and VRRP fully effective. Tracking objects can track the reach ability of an upstream IP or interface, multiple interfaces and things of that nature.

IMO, BGP seems to work the best for these kinds of things. Configure a primary and secondary link each with the same routes, but have the secondary link have a higher local preference, AS prepends etc.. This way if anything fails on the primary link, bgp should suffer and the secondary routes should takeover. I have also done things like this with OSPF, but of course it is necessary to tweak other metrics to make the primary link the preferred link.

Sure there is no "end all be all" solution. Combination of HSRP/VRRP for the LAN gateway and BGP for the uplinks to the core is probably the most all encompassing solution.

Word of caution, when using routing protocols for failover, it can be frustrating waiting for convergence to take place. This can make it appear that the secondary link has not taken over, when in fact if you wait a few more minutes everything works fine.

iproute · June 2010

chrisone wrote: »

Ok so here are the rules.

1. Do you currently run either protocol in your networks. (Preferable the two at the same time on two different networks/locations for comparisons.)

2. What are the trade offs you actually do see in a real world environment.

3. Which causes you more troubleshooting headaches and explain why.

4. With GLBP have you ever experience any odd phenomena knowing the packets are split/load balanced between GLBP routers, experienced anything out of the ordinary with VOIP , WIFI, or any other technologies?

5. Got any other questions? please state them.

Thank you to everyone who participate.

1. I run HSRP only. It was already configured when I took over management of this network.
2. Haven't had any problems with HSRP aside from the lack of interface tracking configurations. Basically if a link (i.e. the Internet connection) goes down on the active node, it doesn't "concede the election" to the other HSRP node. I plan to fix this in the near future.
3. As noted, I don't use GLBP/VRRP so I can't really comment. HSRP is usually problem-free where it's configured in my network.
4. No comments.
5. Nope.

zerglings · June 2010

I've heard from our Network Architects that they prefer HSRP because they've had problems with GLBP. I don't know what exactly the problem was. I didn't want to butt in to the conversation. I think there are still some sites out there that use GLBP but all the SVIs I've built are HSRPs.

notgoing2fail · June 2010

zerglings wrote: »

I've heard from our Network Architects that they prefer HSRP because they've had problems with GLBP. I don't know what exactly the problem was. I didn't want to butt in to the conversation. I think there are still some sites out there that use GLBP but all the SVIs I've built are HSRPs.

I would love to know what those GLBP issues are.

If I had to guess, I'd say something with the way it load balances the traffic.....maybe with the way the some devices get different MAC addresses for the same active gateway....

HSRP vs GLBP

Comments