HSRP & VRRP Questions
If you are not sure about HSRP, please read our HSRP tutorial (on 9tut.com).
|
Quick VRRP overview: + is IETF RFC 3768 standard |
Question 1
Explanation
When you change the HSRP version, Cisco NX-OS reinitializes the group because it now has a new virtual MAC address. HSRP version 1 uses the MAC address range 0000.0C07.ACxx while HSRP version 2 uses the MAC address range 0000.0C9F.F0xx.
HSRP supports interface tracking which allows to specify another interface on the router for the HSRP process to monitor in order to alter the HSRP priority for a given group.
Question 2
Explanation
If you change the version for existing groups, Cisco NX-OS reinitializes HSRP for those groups because the virtual MAC address changes.
Question 3
Question 4
Explanation
The main disadvantage of HSRP and VRRP is that only one gateway is elected to be the active gateway and used to forward traffic whilst the rest are unused until the active one fails. Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol and performs the similar function to HSRP and VRRP but it supports load balancing among members in a GLBP group.
Note: Although GLBP is not a topic for this exam but not sure why we still have this question!
Question 5
Explanation
HSRP consists of 6 states:
| State | Description |
| Initial | This is the beginning state. It indicates HSRP is not running. It happens when the configuration changes or the interface is first turned on |
| Learn | The router has not determined the virtual IP address and has not yet seen an authenticated hello message from the active router. In this state, the router still waits to hear from the active router. |
| Listen | The router knows both IP and MAC address of the virtual router but it is not the active or standby router. For example, if there are 3 routers in HSRP group, the router which is not in active or standby state will remain in listen state. |
| Speak | The router sends periodic HSRP hellos and participates in the election of the active or standby router. |
| Standby | In this state, the router monitors hellos from the active router and it will take the active state when the current active router fails (no packets heard from active router) |
| Active | The router forwards packets that are sent to the HSRP group. The router also sends periodic hello messages |
Please notice that not all routers in a HSRP group go through all states above. In a HSRP group, only one router reaches active state and one router reaches standby state. Other routers will stop at listen state.
Question 6
Explanation
A VRRP router receiving a packet with the TTL not equal to 255 must discard the packet (only one possible hop) -> B is correct.
Currently there are three VRRP versions which are versions 1, 2 and 3 -> E is correct.
VRRP uses multicast address 224.0.0.18 and supports plaintext or MD5 authentication.
Question 7
Question 8
Explanation
The main disadvantage of HSRP and VRRP is that only one gateway is elected to be the active gateway and used to forward traffic whilst the rest are unused until the active one fails. Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol and performs the similar function to HSRP and VRRP but it supports load balancing among members in a GLBP group.
Question 9
Explanation
SSO HSRP alters the behavior of HSRP when a device with redundant Route Processors (RPs) is configured for stateful switchover (SSO) redundancy mode. When an RP is active and the other RP is standby, SSO enables the standby RP to take over if the active RP fails.
The SSO HSRP feature enables the Cisco IOS HSRP subsystem software to detect that a standby RP is installed and the system is configured in SSO redundancy mode. Further, if the active RP fails, no change occurs to the HSRP group itself and traffic continues to be forwarded through the current active gateway device.
Question 10
Explanation
In fact, VRRP has the preemption enabled by default so we don’t need the “vrrp 10 preempt” command. The default priority is 100 so we don’t need to configure it either. But notice that the correct command to configure the virtual IP address for the group is “vrrp 10 ip {ip-address}” (not “vrrp group 10 ip …”) and this command does not include a subnet mask.
Question 11
Explanation
The “preempt” command enables the HSRP router with the highest priority to immediately become the active router.
Question 12
Question 2
Which behavior can be expected when the HSRP versions is changed from 1 to 2?
A. Each HSRP group reinitializes because the virtual MAC address has changed
B. No changes occur because version 1 and 2 use the same virtual MAC OUI
C. Each HSRP group reinitializes because the multicast address has changed
D. No changes occur because the standby router is upgraded before the active router
Answer: C
Explanation
When you change the HSRP version, Cisco NX-OS reinitializes the group because it now has a new virtual MAC address. HSRP version 1 uses the MAC address range 0000.0C07.ACxx while HSRP version 2 uses the MAC address range address range 0000.0C9F.F0xx.
Shouldn’t the answer be “A” as the MAC is changing?
@that one dude i would agree the answer might be A
224.0.0.2
HSRP version 1 uses the multicast address 224.0. 0.2. HSRP version 2 uses multicast address 224.0. 0.102 for its communication.Sep
Question answer should be A
When you change the HSRP version, Cisco NX-OS reinitializes the group because it now has a new
virtual MAC address.
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3548/sw/unicast/503_A1_1/l3_nx-os/l3_hsrp.pdf
Question 2 is 100% A. The Mac address changes when you change versions:
“When the HSRP version is changed, each group will reinitialize because it now has a new virtual MAC address.”
source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-hsrp-v2.html
@Digitaltut,
Q6 is not added in the composite i believe
Question 6.
VRRP Limitations
The switch supports either HSRP or VRRP, but not both. The switch cannot join a stack that has both HSRP and VRRP configured.
The VRRP implementation on the switch does not support the MIB specified in RFC 2787.
The VRRP implementation on the switch supports only text -based authentication.
The switch supports VRRP only for IPv4.
Which statement about VRRP is true?
A. It supports load balancing
B. It can be configured with HSRP on a switch or switch stack
C. It supports IPv4 and IPv6
D. It supports encrypted authentication
Answer is D
?
vrrp group authentication md5 key-string [0 | 7] key-string [timeout seconds]
Specifying 7 means the key will be encrypted. The key-string authentication key will automatically be encrypted if the service password-encryption global configuration command is enabled.
anyone can confirm ?
VRRP Limitations
The switch supports either HSRP or VRRP, but not both. The switch cannot join a stack that has both HSRP and VRRP configured.
The VRRP implementation on the switch does not support the MIB specified in RFC 2787.
The VRRP implementation on the switch supports only text -based authentication.
The switch supports VRRP only for IPv4.
what would be the correct answer ?
Hi Digital Tut, Can you please explain Qn.6 please ? as to how B is the answer.
QN 6 please update
Why is the corret answer ?
Which statement about VRRP is true?
A. It supports load balancing
B. It can be configured with HSRP on a switch or switch stack
C. It supports IPv4 and IPv6
D. It supports encrypted authentication
Answer is D
Question 6a ;)
Which statement about VRRP is true?
A. It supports load balancing
B. It can be configured with HSRP on a switch or switch stack
C. It supports IPv4 and IPv6
D. It supports encrypted authentication
B is correct on all routing devices, D is correct only on routers, not on Multilayer-Switches.
result: B is correct
Question 5 (HSRP states)
IMO correct answers are: A,E,F (INIT, listen, speak)
See example debug (standby router)
debug output (standby router):
*Jan 8 19:20:10.095: HSRP: Et0/1 Grp 1 Disabled -> Init
*Jan 8 19:20:11.101: HSRP: Et0/1 Grp 1 Init -> Listen
*Jan 8 19:20:23.013: HSRP: Et0/1 Grp 1 Listen -> Speak
*Jan 8 19:20:33.672: HSRP: Et0/1 Grp 1 Speak -> Standby
Even though some cisco documentation lists Learning state – it is not present in ENCOR Student Learnig Guide.
Question 7:
C. It supports IPv4 and IPv6
Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6
https://tools.ietf.org/html/rfc5798
@Anonymous: This question does not mention which VRRP version so B is still the better answer.
digitaltut – Yes, Question 7, Answer B still the best answer :)
Question 11: Refer to the exhibit. Edge-01 is currently operational as the HSRP primary with priority 110. Which command on Edge-02 causes it to take over the forwarding role when Edge-01 is down?
A. standby 10 priority
B. standby 10 timers
C. standby 10 track
D. standby 10 preempt
Is A the better answer? I think D will make Edge-2 the HSRP primary immediately instead of waiting until Edge-1 is down.
Question 11 doesn’t make much sense. Edge-01 is a higher priority of 110. When it becomes unavailable Edge-02 would take over with Answer A. standby 10 priority (Default priority of 100)
Answer D would make more sense if we want Edge-01 to resume activity after recovering from failure.
@digitaltut – maybe this question is worded incorrectly?
Q7 Only not Answer B
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_58_se/configuration/guide/3750scg/swhsrp.html
Q7
Configured the HSRP on switch cisco 3750.
When trying to create a VRRP group, the switch issues a message.
interface FastEthernet1/0/24
no switchport
ip address 172.16.199.100 255.255.255.0
standby 11 ip 172.16.199.200
!
interface FastEthernet1/0/25
no switchport
ip address 172.16.99.99 255.255.255.0
(config-if)#vrrp 10 ip 172.16.99.200
%FHRP group not consistent with already configured groups on the switch stack
% Cannot create new VRRP group
@digitaltut,
I believe the correct answer could be answer D?
Question 7
Which statement about VRRP is true?
B. It can be configured with HSRP on a switch or switch stack – can be configured HSRP or VRRP but not both.
D. It supports encrypted authentication – from Cisco book:
Step 4. (Optional) Establish VRRP authentication by using
the command vrrp instance-id authentication {textpassword | text text-password | md5 {key-chain
key-chain | key-string key-string}}.
from my lab cisco 3725
Router(config-if)#vrrp 1 authentication ?
md5 Use MD5 authentication
text Plain text authentication
but Cisco IOS XE Software, Version 17.03.02 only supports text authentication:
R1(config-if)#vrrp 1 authentication ?
text TEXT authentication
R1(config-if)#vrrp 1 authentication
Router(config-if)#vrrp 1 authentication
Still not completely sure. If someone could confirm and advise, please?
Thank you
ADMIN…………………. Q 6 ????
What sort of silly answer is this dear.. how can both vrrp and hsrrp be supported together .
You guys should be 200 % not 100 % sure about the answers here since people rely on you guys.
You should hire experts to check the answers and verify before posting.
i would not mind paying 20 $ more if my answers are being verified by an expert CCIE .. instead of failing the exam because of wrong answers ….
Correction… my above query is about Q 7 not Q 6……………………
Q7 should be C????
It supports IPv4 and IPv6
Scroll down here:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_58_se/configuration/guide/3750scg/swhsrp.html
VRRP Limitations
The switch supports either HSRP or VRRP, but not both. The switch cannot join a stack that has both HSRP and VRRP configured.
The VRRP implementation on the switch does not support the MIB specified in RFC 2787.
The VRRP implementation on the switch supports only text -based authentication.
The switch supports VRRP only for IPv4.
BUT it looks like these are limitations of this switch.
If you look here:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-sy/fhp-15-sy-book/fhrp-vrrpv3.html
The VRRP version 3 (v3) Protocol Support feature provides the capability to support IPv4 and IPv6 addresses while VRRP version 2 (v2) only supports IPv4 addresses.
Q7, A supported too.
source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/xe-3s/fhp-xe-3s-book/fhp-vrrp.html#GUID-3A5601DB-95A3-48EE-9F46-ECB746E820FC
Encrypted authentication supported too, but rely on “service password-encryption”
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/command/fhp-cr-book/fhp-v1.html#wp8990239320
Q7
Could it be that D (Encrypted Authentication) is wrong, because you can store the key encrypted in the config, but the authentication process itself between the VRRP units only supports:
-> No authentication
-> Plain text authentication
-> MD5 authentication
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-vrrp.html
From what I know, MD5 is only a hash and a hash isn’t an encryption, because you can’t get the orginal value back out of the hash.
Q7: I think C is correct:
C. It supports IPv4 and IPv6
If they said, Which statement about VRRP v1 or v2 are true, then that is a different story
From Cicco:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-sy/fhp-15-sy-book/fhrp-vrrpv3.html
VRRPv3 supports usage of IPv4 and IPv6 addresses while VRRPv2 only supports IPv4 addresses
Q7 does not contain an obvious answer. In older IOS, the protocol behavior depends on the device model. In the new version IOS-XE there is no mention of any restrictions at all.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_58_se/configuration/guide/3750xscg/swhsrp.html#pgfId-1107127
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_58_se/configuration/guide/3750scg/swhsrp.html
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-9/configuration_guide/ip/b_169_ip_9200_cg/vrrpv3_protocol___support.html#reference_2D4493CE22F744128B9D3CF50EAF52B7