FHRP & HSRP Config

  • HSRP
    • Cisco Proprietary
    • Elects active by priority.
      • Default 100, max 255
      • Highest IP as Tie-Breaker
      • No preempt by default.
      • Highest priority wins
    • Uses UDP port 1985
      • Can use authentication by MD5 or cleartext
    • Supports multiple groups per interface
      • Group ID encoded in Virtual MAC.
  • VRRP
    • Standards based alternative
    • RFC 3768
    • Uses terms master/backup as opposed to active/standby
  • Other concepts are similar
    • Uses transport protocol 112 and
    • Virtual MAC is 0000.5e00.01xx
    • Preemptive by default.
  • GLBP
    • Cisco Proprietary
    • Extends HSRP functionality to support load balancing.
    • Transport via UDP 3222 and
    • Every physical gateway can be active.
      • Called active virtual forwards (AVF)
      • Each AVF is assigned virtual MAC.
    • One gateway responds to ARP requests for GLBP IP
      • Called Active Virtual Gateway (AVG)
      • ARP response uses virtual MACs of AVFs to implement load-balancing.
    • AVG
      • Elected based on priority
      • By default only AVF, all others standby.
      • No AVG preemption by default.
        • Enable using glbp preempt
      • To enable load balancing:
        • ‘glbp xxx load-balancing weighted’
        • Assign weights with ‘glbp xxx weighting Y’
      • Weight can be adjusted based on object tracking.
  • FHRP enhanced object tracking
    • Gateway recovery relies on correct failure detection.
      • eg. FHRP keepalives or BFD.
    • What if southbound link is up but northbound is down?
      • REsult is Active/master maintains bizz as usual.
      • Solution:
        • Setup IP SLA with FHRP.
    • Object tracking is bound to priority.
      • Decrement priority if object is down.
      • Assumes preemption is configured.
  • IPv6 support
    • HSRPv2
      • Increases group range
      • adds new dedicated transport add
        • Doesn’t overlap with ALL ROUTERS
      • Adds IPv6 support.
      • Enabled with int level standby version 2
    • VRRPv3
      • RFC5798
      • enabled with global ‘fhrp version vrrp v3’

HSRP Config:

From the topology above, we’re going to run HSRP between R6 and R4. This will provide redundancy for the host to internet if one of the gateway routers were to fail.

R6 and R7 are the gateways for the LAN network The host is using a default gateway of and R6/R7 will setup that VIP. To get HSRP running it only requires these commands on each box:

Note each physical interface has an IP in the lan – and

On the host now we can see the Virtual MAC address for and on R6 we can see which router is the active node:

R6 is active and R4 is standby.

If we want to switch which router is active, we’ll add the priority command that is higher than the default 100, which is what R4 is currently using.

Pre-emption is not enabled, which means this will not take affect until the HSRP election comes up again.

After I shutdown the LAN interface on R6, R4 became the active router. Now if I change the priority of R6 to something higher than 200, then enable preemption, R6 will take over as active again.

Often times two devices running HSRP are doing this process for multiple gateways/VLANs/Subnets, and each process is running the multicast keepalives between the two routers. In order to minimize this chatter and CPU overhead, BFD can be used between the two boxes for ALL processes.

Under the interface on R6 we add the command ‘bfd interval 250 min_rx 250 multiplier 4’ and immediately BFD starts working with HSRP. The same command gets added to R4.

By default in IOS-XE, BFD is already enabled for HSRP if you turn it on under the interface that’s running HSRP.


  • If we want to add authentication for an extra layer of security between HSRP nodes, the config is below.
  • For MD5 authentication we’ll first create a key chain in global config, then apply that keychain to the authentication string under the standby interface command.

Object Tracking:

In the topology, we have the ‘Internet’ host with a loopback of that we’re going to use as an example of object tracking. R6 is going to run an ongoing ping to and if it fails to reach the destination, it will be configured to leave the HSRP active state.

The IP SLA has been configured, but not applied to HSRP yet. This needs to be added under the interface running the VIP.

Decrement means that if the IP SLA tracking fails, decrement the router priority by 101. The priority would then be 100, lower than R4’s 200.

The last step is configuring the tracking object. The tracking object configuration is below:

Below is what happens when the loopback interface on ‘Internet’ goes down.

R4 took over as active HSRP and the Standby router priority is now 100 instead of 201.

Per Tunnel QoS for DMVPN

  • Legacy Hub and Spoke, QoS was applied per VC or DLCI
  • With DMVPN, all spokes exist on same Tunnel and underlay.
    • Per-Tunnel QoS for DMVPN fixes this.
  • Spoke signals QoS group to hub through NHRP.
    • ‘ip nhrp attribute group <group>’
    • Group name must match between hub and spoke.
  • QoS group name maps to QoS template on hub.
    • ‘nhrp map group <group> service-policy output <policy>’
    • Result is that each spoke has a separate QoS policy.
  • Verified as ‘show policy-map multipoint on the hub.

Per Tunnel QoS with DMVPN is applied via group commands on each hub and spoke.



You create a group that has a Service-Policy applied to it, then on the spoke you’re joining a group to receive the attribute of QoS. Using groups allows the hub to push out a service policy to the spokes granularly. In a way it acts as a controller.

The group and service-policy can be seen by running a ‘show dmvpn detail’.

Traffic Policing

  • Used to meter a packet flow rate.
    • Marks packets that exceed metered rate.
    • Drop is a mark action.
  • Normally an ingress operation.
    • PE ingress from CE for example.
  • Policing has two parameters
    • Metering rate – CIR
    • Averaging interval – Tc
  • Larger Tc the more bursting is allowed
    • Bc = CIR*Tc is max burst size allowed momentarily (in bytes)
  • Be – excessive burst
    • Max amount of bytes allowed above Bc during Tc.
    • Only allowed if Bc was not fully utilized before.
  • Single-Rate Policing Syntax
    • Configuration
      • ‘police <cir> <CIR> <Bc> <Be>’
      • CIR in bps while bursts are in bytes
    • Applied to an MQC class
      • Three actions (colors): conform, exceed, violate
      • Exceed: flow exceeds Bc but under Bc+Be
      • Violate: burst size exceeds Bc+Be
  • Dual-Rate Policing Syntax
    • Configuration
      • ‘police cir <CIR> bc <Bc> pir <PIR> be <Be>’
    • Normally used to implement two-rate access.
      • Customer is guaranteed CIR.
      • Allowed to send up to PIR
      • Traffic between PIR and CIR are marked
        • Lower DSCP
  • Shaping and Policing Together
    • Operations are Complimentary
      • Shaping is done egress.
      • Policing is done ingress.
    • Parameters should match
      • Shaping is set to match policing
      • Same CIR, Bc and Be
        • Policing values could be greater.


  • Traffic policing CAN be done on both input and output queue.
  • Traffic Policing is used to REMARK traffic that exceeds rate.
    • Often times that mark is going to drop, but not always.

Traffic Shaping

  • Goal is to normalize traffic flow
    • Smooth out bursts
    • Prepare traffic for ingress policing.
    • Delay and Queue exceeding traffic.
  • Terminology
    • Access Rate – AR
      • Physical port speed
    • Committed Information Rate – CIR
      • Average rate the shaper is targetting.
    • Time Committed – Tc
      • Time interval in ms to emit traffic bursts
      • Bursts always emitted at Access Rate (AR)
    • Burst Committed – Bc
      • Amount of bits that could be sent every Tc
    • Burst Excessive – Be
      • Amount of bits over Bc that could be sent during Tc
      • Must be accumulated by idle periods.
  • Modular QoS Command line (MQC) Syntax
    • Configuration via MQC
      • ‘shape average <cir> [Bc][Be]
      • Tc is found implicitly as Bc/CIR
    • Default shaper queue is FIFO.
      • Can be turned into HQF by associating a child policy-map with shaped class.
      • Specify HQF settings in the child-policy
        • ie. nested policies.
          • ie. shaping could be on outside policy, fancy queueing is referenced in outer policy via ‘service-policy’ command.


Create new access-list referencing ICMP:

Create new class-map that references access-list ‘ICMP’:

Create new Policy-map that references Class-map ‘ICMP’:

Under the Policy-map ‘SHAPER’ we’re saying the shape average is target bit rate.

And lastly, apply to the desired interface.

Now when doing a normal ping and high repeat ping out interface gig0/3, we’ll see the latency is very low, then very high.

Our normal ping has an average latency to of 3ms. The high repeat ping has an average latency of 689ms.

Congestion Avoidance

  • Tail Drop
    • Default for all queues.
      • When queue full, new packets trying to enter the tail of queue are denied admission.
    • Tail drop treats all packets equally.
      • No classification is performed.
    • Tail drop can result in global TCP synchronization.
      • Simultaneous drops.
      • Looks like shark tooth.
      • Slow start by all senders at same time until they gradually begin going up again at same time. Then restart process.
  • Random Early Detection
    • Selectively drop flows from queue before buffer is 100% full.
    • Goal is to send individual senders into slow start, not all senders at once.
    • Result is more even traffic.
  • WRED adds weighting to Random Early Detection.
    • Higher weight means less likely to be dropped.
    • Configured as ‘random-detect’
      • Can be combined with other queueing mechanisms.

Configuration Example:

  • Create new Class-map

Create new Policy-map and add Class-map ‘SQL’ to the it.

And above we’re adding a bandwidth guarantee and then specifying ‘random-detect’ for WRED.

Note- A bandwidth command is required to enable random-detect.

Congestion Management

  • FIFO Queueing
    • Simplest and easiest to configure.
      • Only parameter is queue-depth
    • Configuration
      • Disable Previous queueing strategy
        • ‘no fair-queue’
      • Define queue depth
        • ‘hold-queue out
    • Typically used as part of other solutions.
      • CBWFQ/HQF
    • Similar to ‘best effort’ traffic.
  • Fair Queueing
    • Known as max-min scheduling.
    • Services multiple requests for a shared resource.
      • 1. Share resource equally
      • 2. Take excessive amounts
      • 3. Share excess equally among unsatisfied requests.
    • ‘Try and treat all traffic the same’.
  • Weighted Fair Queueing
    • Max-min scheduling but not equal.
      • Allocate bandwidth per flow proportional to weight metric.
    • Flow is defined dynamically.
      • Src/Dst IP + Src/Dst Port + ToS Byte
    • Weight is IP Precedence + 1.


  • ‘fair queue <CDT> <Queues>’
  • ‘hold-queue out <max buffers>’
  • CDT
    • Congestive Discard Threshold
      • Individual queue size threshold.
    • If number of flows > number of queues…
      • Flow collision occurs and queues are shared.


  • Allows defining of custom flows
    • Class definition using MQC Syntax
    • ‘bandwidth‘ keyword defines class’ ‘weight’
  • Bandwidth is shared proportionally to weight
    • Relative sharing, not absolute reservation.

NOTE – Bandwidth does not work on subinterfaces.

  • Every queue in Hierarchical QoS Framework (HQF) is FIFO
    • Includes ‘class-default’
    • Buffer-limit with ‘queue-limit’ command.
      • Global buffer limit with hold-queue out.
    • Can be turned into Fair-Queue
      • Command ‘fair-queue <FLOWS>
      • All flows are equal, no weighting.
      • Queue limit per flow is 1/4* queue-limit.
  • Reservations
    • Absolute with ‘bandwidth [Kbps]’
    • Relative with ‘bandwidth percent [%]
      • Percent of interface ‘bandwidth’ setting
    • All bandwidths must sum to interface ‘bandwidth’
  • Class-Default
    • Always guaranteed at least 1% of interface BW
      • max-reserved-bandwidth now deprecated.

Low Latency Queue (LLQ) in HQF:

  • Priority Queue
    • Only one per Hierarchical QoS Framework (HQF) configuration.
      • Designated with ‘priority [x]’
      • Always emptied
    • Optionally policed to X Kbps only in times of congestion.
      • Congestion defined as having TX-Ring full.
    • Multiple classes can have priority
      • Share single queue but could be policed differently.
  • Remaining Bandwidth
    • Commonly used with LLQ
    • Bandwidth remaining after LLQ allocations.
    • Command ‘bandwidth remaining x’
    • Calculated as Interface_BW – LLQ_BW

Classification and Marking

  • Layer 2 Markings
    • Frame-Relay DE bit (1 bit)
    • MPLS EXP bits (3 bits)
    • 802.1Q CoS bits (3 bits)
  • IPv4 and IPv6 ToS Byte
    • IP precedence (3 bits)
    • DSCP (6 bits)
  • IP Precedence
    • 7 – Network
    • 6 – Internet
    • 5 – Critical
    • 4 – Flash-Override
    • 3 – Flash
    • 2 – Immediate
    • 1 – Priority
    • 0 – Routine
  • DSCP
    • Default
      • Best Effort
      • DSCP value 0
    • Expedited Forwarding (EF)
      • Priority
      • DSCP Value 46
    • Assured Forwarding (AF)
      • Bandwidth Guaranteed
      • Four Classes
        • AFxy where x = 1-4
        • Higher is more preferred
      • Three drop precedences
        • AFxy where y = 1-3
        • Higher means higher drop precedence
      • DSCP value (xxxyy0)
    • Class Selectors
      • Backwards compatible with IP Precedence
    • Seven classes
      • CSx where x = 1-7
      • Higher is more preferred.
  • Configuring Classification
    • MQC Classification Options
      • Match any vs. match all
      • Access-lists
      • DSCP/IP Precedence
      • NBAR
      • Source Interface
      • Source/Destination MAC address
    • Can combine multiple matches in one class.
  • Configuring Marking
    • Marking can be configured both input and output.
    • Specifically implemented with:
      • MQC/HQF policy
      • Legacy rate-limit (policer)
      • PBR

Hierarchical Queueing Framework

  • Hierarchical Queueing Framework (HQF)
  • Queueing
    • Occurs when packets are delayed by router.
    • Simplified in Ethernet Switches
      • Hardware Queues only
    • Could be hierarchical
      • PVC-Queue (Frame-Relay)
        • Interface Queue (software queue)
          • Hareware queue (TX-Ring)
    • Fancy queueing methods apply to software queue.
      • How traffic is processed when waiting for TxR
  • Modular Quality of Service Command line reference
    • Allows multiple QoS methods per interface per direction.
      • Old QoS methods did not do this.
    • Previously CBWFQ
    • Now HQF
      • Hierarchical queueing framework
        • 12.4 and higher.


  • Define traffic classes
    • ‘class map’
    • Define traffic match criteria
  • Define traffic policy
    • ‘policy-map’
    • Define actions
  • Apply Policy
    • ‘service-policy [in/out]on interface.
  • MQC Verification
    • ‘show class-map’
    • ‘show run class-map’
    • ‘show policy-map’
    • ‘show run policy-map’
    • ‘show policy-map interface’

Define Traffic Classes w/ Class Map:

Class Map with a match statement

Policy Map:

The first statement we’re creating a policy map that will reference the class map we created.

Then the question mark shows all the options we have here for QoS mechanisms. Bandwidth is used for reserving a certain minimum amount of bandwidth for this type of flow. The flow can use more than what is set but if there’s high contention, then the flow will always have at least this minimum set.

In this scenario we will set a policer.

The Policer is set to 8000 bps. The conform action, ie. what to do when under 8000 bps, is set to transmit. The exceed-action, ie. what to do when over 8000 bps, is set to drop.

The last step is applying to an interface with the service-policy input command. Input or output means apply inbound or outbound on the interface.

Now on a neighboring router we’re going to send pings to this interface with a high repeat count. On the console of the neighboring router it shows that traffic is being stopped after a certain amount hits.

On R1 a ‘show policy-map interface’ shows the conformed and exceeded packets.

QoS Overview

  • Provide different priority to different applications.
    • Different service levels for different types or ‘classes’ of traffic flows.
  • Cause:
    • Resource contention
      • Multiple flows using same link.
      • Same or multiple applications
      • Each app has its own requirements.
    • Contention results in queuing.
      • Packets may be delayed or dropped.
      • Effective flow throughput decreases.
      • Delay or Jitter may exceed threshold.
  • Best Solution
    • Don’t over provision
  • Next Best
    • QoS
      • Congestion is controlled.
      • Delay/Loss/Jitter/Throughput are controlled.
      • Only alleviates temporary congestion.
  • QoS Models
    • Integrated Services
      • RFC 1633
      • Connection-oriented model.
      • Every flow has an explicit reservation end-to-end.
      • Does not scale well because network must maintain too much state.
      • Best use case is MPLS TE
    • Differentiated Services
      • RFC 2475
      • Connectionless model
      • Traffic is grouped into classes.
      • QoS behavior is defined by traffic’s class.
      • Called Per-Hop-Behavior (PHB)
      • Focus for CCIE


  • Classification and Marking
    • In order for DiffServ to work, traffic must be placed into correct classes.
      • ‘classifications’
    • Traffic classification normally occurs at network ingress edge.
      • Typically a manual process we must enforce.
    • Classification can be encoded inside packet itself.
      • Known as packet’s ‘marking’.
  • Classification Types:
    • Classification and marking can happen at multiple places.
    • Layer 2 Class of Service (CoS)
      • 802.1q Ethernet Header
    • Layer 3 IP Type of Service (ToS)
      • IP Precedence and Differentiated Services Code Point (DSCP)
    • Layer 4
      • TCP and UDP Ports
    • Upper Layers
      • Network Based Application Recognition (NBAR)
      • Deep Packet Inspection (DPI)
  • QoS Tools:
    • Used to implement QoS Models
      • Many tools rely on correct QoS classification and marking
    • Different Tools for
      • Network Edge
      • Network Core
    • Tools fall into three main categories.
      • Admission Control
      • Congestion Management
      • Congestion Avoidance
  • Admission Control
    • Used to enforce traffic marking or traffic rate
    • 2 main types:
      • Traffic Policing
      • Traffic Shaping
  • Traffic Policing
    • Used to limit inbound and outbound traffic flows
      • Traffic that exceeds the rate can be dropped, marked, or re-marked.
      • Typically applied on ingress edge.
    • Example use case
      • PE connects to CE with GigE port
      • Circuit is provisioned at 250Mbps
      • PE applies inbound policer at port level
        • If traffic <=250Mbps, transmit
        • If traffic > 250Mbps, drop
  • Traffic Shaping
    • Used to normalize outbound traffic flows
      • Smooth out traffic bursts
      • Prepares traffic for ingress policing
      • Delay and Queue exceeding traffic
    • Example use case
      • PE connects to CE with GigE port
      • Circuit is provisioned at 250Mbps
      • CE applies outbound shaper at port level
        • If traffic <= 250Mbps, transmit
        • If traffic >250Mbps, queue for later transmission
  • Congestion Management Techniques
    • Used to deal with congestion once it occurs
      • ie. Queueing
    • Queueing Types
      • First in First out (FIFO)
      • Weighted Fair Queueing (WFQ)
      • Priority Queueing (PQ)/Low Latency Queueing (LLQ)
    • Example use case
      • CE to PE link is experiencing packet loss
      • Apply LLQ to give VoIP low delay
      • Apply WFQ to guarantee 50% BW for SQL
      • All other traffic gets best effort FIFO.
  • Congestion Avoidance Techniques
    • Stop congestion before it occurs
      • Packet drop strategy
    • Drop strategy types
      • Weighted Random Early Detection (WRED)
      • Tail Drop
    • Example Use Case
      • CE to PE link is experiencing packet loss
      • Apply WRED to selectively drop low priority flows.
      • Senders go into slow start
      • Congestion management is offloaded to end host TCP stack.

IPv6 First Hop Security

  • First hop
    • Segment between end host and default gateway.
  • Security
    • Prevent against internal threats at access layer
  • Both IPv4/6 have vulnerable control plane at access-layer.
    • IPv4
      • ARP
      • DHCP
    • IPv6
      • Neighbor Discovery (icmpv6)
      • Duplicate Address Detection (DAD)
      • SLAAC
      • DHCPv6
  • ICMPv6 ND
    • Replaces ARP in v4
    • ICMPv6 ND uses 4 messages instead of 2 (like arp request/reply)
      • NS – Neighbor Solicitation
        • ask for neighbor info
      • NA – Neighbor Advertisement
        • Advertise yourself to other neighbors
      • RS – Router solicitation
        • Ask info about local routers
      • RA – Router Advertisement
        • Advertise yourself as an active router
  • Router Advertisement Guard
    • Hosts dynamically discover default gateway based on NDP RA messages.
      • Prevents router spoofing on segment.
      • Prevents prefix spoofing on segment
      • Policy can be applied at VLAN or port level.
      • Says on interface level what’s on the other end
        • ie. Proper router or host.
  • DHCPv6 Guard
    • DHCPv6 does not assign default-router like IPv4.
      • Default router is learned through SLAAC from RA.
    • Similar in scope to DHCP Snooping.
    • Prevents DHCPv6 server spoofing.
    • Policy can be applied at VLAN or port level.
  • IPv6 Snooping:
    • IPv6 to MAC resolution achieved through Neighbor Discovery NS/NA messages.
      • Similar to dynamic arp inspection.
    • Inspects DHCPv6 and NDP messages.
      • Performs binding table through v6 neighbor tracking.
      • Prevents host spoofing on segment.
      • Optionally enables basic RA Guard and DHCPv6 Guard
      • Optionally can inspect data packets to perform neighbor binding.
    • Manual bindings can be completed.
    • Policy can be applied at VLAN or port level.
  • IPv6 Source-Guard
    • Similar in scope to IPv4 Source Guard
      • Relies on v6 snooping to create v6 neighbor binding table.
      • Creates automatic v6 PACL to filter sources based on neighbor binding table.