This chapter covers network redundancy strategies, a core topic under Network Operations (Objective 3.4) for the N10-009 exam. Redundancy ensures high availability by duplicating critical components like links, devices, and paths. Expect roughly 8-12% of exam questions to touch on redundancy concepts, including STP, link aggregation, first-hop router redundancy, and load balancing. You must understand not just what each technology does, but exactly how it fails over and what timers are involved.
Think of network redundancy like a car with a full-size spare tire. In normal operation the car runs on four tires. If one tire blows out (a link failure), the driver must stop and change to the spare (failover). The spare must match the others in size and pressure (capacity), or the car handles poorly (a bottleneck on the backup path). A modern car might have run-flat tires that allow limited driving, say 50 miles at 50 mph, like a backup link with reduced bandwidth (for example, a DSL or 4G failover circuit). The spare sits in the trunk unused until needed, just like the standby router in an HSRP pair. Rotating two full-size spares into service (load balancing) keeps the car moving through more than one failure. The key point: redundancy isn't free. The spare adds weight (cost) and takes up space (ports, IP addresses), and if you never check its pressure (testing), it may be flat when you need it (configuration drift). In networking, you must periodically exercise failover paths, for example by pulling a link and watching ping, traceroute, and routing-protocol convergence, to confirm the spare actually works.
What is Network Redundancy?
Network redundancy is the duplication of network components—links, switches, routers, firewalls, power supplies—to eliminate single points of failure. The goal is to achieve high availability (HA), often measured in terms of uptime percentage (e.g., 99.999% uptime = five nines, or ~5 minutes downtime per year). Redundancy is not the same as resilience; resilience implies the network can gracefully degrade, while redundancy provides a standby or alternate path.
The exam focuses on four key redundancy strategies:
- Link Redundancy: Multiple physical paths between devices (e.g., using Spanning Tree Protocol (STP) to prevent loops, or Link Aggregation (LAG) to combine links).
- Device Redundancy: Duplicate routers/switches in a failover cluster (e.g., HSRP, VRRP, GLBP).
- Path Redundancy: Multiple routes through the network (e.g., equal-cost multipath (ECMP) routing, BGP prefix-independent convergence (PIC)).
- Power Redundancy: Dual power supplies and UPS systems.
How Spanning Tree Protocol (STP) Works
STP (IEEE 802.1D) prevents loops in redundant Ethernet topologies. It elects a root bridge and blocks specific ports to create a loop-free logical tree. The steps:
1. Root Bridge Election: The switch with the lowest bridge ID (priority + MAC address) becomes root. Default priority is 32768; the MAC address breaks ties.
2. Root Port Selection: Each non-root switch selects the one port with the lowest path cost to the root. Path cost is based on link speed: 10 Mbps = 100, 100 Mbps = 19, 1 Gbps = 4, 10 Gbps = 2.
3. Designated Port Selection: On each segment, the port belonging to the switch with the lowest path cost to the root (lowest bridge ID on a tie) becomes the designated port.
4. Blocking: Ports that are neither root nor designated are placed in blocking state (no data forwarding, although BPDUs are still received).
STP uses Bridge Protocol Data Units (BPDUs) exchanged every 2 seconds (Hello time). The Max Age timer (default 20 seconds) determines how long a switch waits before re-electing a new root after a failure. The Forward Delay timer (default 15 seconds) controls the transition from listening to learning to forwarding states. Total convergence time can be up to 50 seconds (20 + 15 + 15). Rapid STP (RSTP, 802.1w) reduces convergence to 1-3 seconds by using alternate/backup ports and active negotiation.
First-Hop Router Redundancy Protocols
For device redundancy at the default gateway, three protocols exist:
- HSRP (Hot Standby Router Protocol): Cisco proprietary. Uses an active/standby model. The active router forwards packets; the standby monitors and takes over if the active fails. Virtual IP and MAC addresses are shared. Hello timer: 3 seconds (default); hold time: 10 seconds. Preemption is disabled by default.
- VRRP (Virtual Router Redundancy Protocol): Open standard (RFC 5798 for VRRPv3; VRRPv2 is RFC 3768). Similar to HSRP but with one master and multiple backups. The master sends advertisements every 1 second (default). VRRP enables preemption by default.
- GLBP (Gateway Load Balancing Protocol): Cisco proprietary. Provides load balancing across multiple routers simultaneously by handing out different virtual MAC addresses in ARP replies. Each router forwards for the subset of hosts that received its virtual MAC.
All three use a virtual IP address that hosts configure as their default gateway. The active/master router owns the virtual IP and responds to ARP requests. Failover is triggered when hello messages are missed. On exam questions, know the default timers and the difference between HSRP/VRRP (active/standby) and GLBP (load sharing).
Link Aggregation (LAG) and EtherChannel
Link Aggregation combines multiple physical links into a single logical link for increased bandwidth and redundancy. Two negotiation protocols exist: LACP, standardized in IEEE 802.3ad (now IEEE 802.1AX), and Cisco's proprietary PAgP. Up to 8 active links can be bundled (16 total with 8 standby). Load balancing is based on a hash of packet fields (source/destination MAC, IP, or Layer 4 port), so each flow stays on one member link. If one link fails, traffic is redistributed across the remaining links without the logical interface going down. The exam expects you to know LACP (active/passive modes) and PAgP (desirable/auto).
Load Balancing and ECMP
Equal-cost multipath (ECMP) allows routers to forward packets over multiple equal-cost paths. This is not redundancy per se, but it provides path diversity. Common implementations: OSPF (Cisco IOS installs up to 4 equal-cost paths by default; maximum-paths raises this) and BGP (which installs only one best path unless BGP multipath is enabled). Load balancing can be per-packet (round-robin) or per-flow (hashing). Per-packet can cause out-of-order delivery; per-flow is preferred. The exam may ask about the difference between ECMP (Layer 3, multiple routes) and LAG (Layer 2, one logical link).
Redundancy in the Data Center: VPC and MLAG
Virtual Port Channel (vPC) on Cisco Nexus and Multi-chassis Link Aggregation (MLAG) on other vendors allow a single LAG to terminate on two different switches. This eliminates STP blocking on those uplinks while providing device-level redundancy. The two switches synchronize forwarding state (MAC tables, port-channel membership) over the peer-link, and a separate peer-keepalive link carries only heartbeats so each switch can tell a peer-link failure from a peer failure. This is a common data center scenario.
Power Redundancy
Dual power supplies (1+1 or 2N redundancy) and UPS systems ensure power faults don't cause outages. UPS sizing is based on load (VA/watts) and runtime (minutes). The exam may ask about the difference between redundant power supplies and UPS.
Interaction with Related Technologies
Redundancy interacts with routing protocols (OSPF, BGP) and STP. For example, in a redundant campus network, STP prevents loops at Layer 2, while OSPF provides path redundancy at Layer 3. Misconfiguration can cause asymmetric routing or black holes. The exam tests your ability to identify when STP blocks a port vs. when a routing protocol fails over.
Configuration and Verification Commands
STP: show spanning-tree, spanning-tree vlan 1 priority 4096 (set root priority).
HSRP: standby 1 ip 192.168.1.1, standby 1 priority 150, standby 1 preempt.
VRRP: vrrp 1 ip 192.168.1.1, vrrp 1 priority 150.
LACP: channel-group 1 mode active (LACP active), show etherchannel summary.
ECMP: maximum-paths 4 under OSPF or BGP.
Common Exam Traps
Trap 1: Confusing HSRP and VRRP timers. HSRP default hello is 3 seconds; VRRP is 1 second.
Trap 2: Thinking STP blocks all redundant links. It blocks only one port per segment to prevent loops.
Trap 3: Assuming load balancing is always per-packet. Most implementations use per-flow hashing.
Trap 4: Believing that LAG provides device redundancy. In a standard LAG each end terminates on a single switch, so that switch remains a single point of failure; vPC/MLAG is needed to spread one LAG across two switches.
Root Bridge Election in STP
When switches boot up, they all assume they are the root bridge and send BPDUs carrying their own bridge ID. Each switch compares a received BPDU's root ID to its own. The lowest bridge ID wins: if a switch receives a BPDU advertising a lower root ID, it stops claiming to be root and relays that superior BPDU on its other ports. The root bridge is the logical center of the spanning tree. The election settles within a few Hello intervals (Hello is 2 seconds) once every switch has seen the winning BPDU. An engineer can observe the root bridge by issuing 'show spanning-tree' and looking for the line 'This bridge is the root' or noting the root ID.
Port Role Selection and Blocking
After the root bridge is elected, each non-root switch selects one root port (the port with the lowest path cost to the root). Then, on each segment, the switch with the lowest path cost to the root becomes the designated port; the other switch's port becomes non-designated and is placed in blocking state. Blocked ports do not forward data traffic but still listen for BPDUs. The process uses the STP timers: listening (15 sec), learning (15 sec), then forwarding or blocking. This ensures a loop-free topology. Engineers can view port roles with 'show spanning-tree interface gig0/1'.
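The election and port-role steps above, worked through in code. This is an added example, not the page's own code and not a vendor implementation: it models only the rules the chapter states (lowest bridge ID wins root, lowest root path cost picks the root port, the end of each segment with the lowest cost/bridge ID/port ID is designated, everything else blocks). The three-switch topology, bridge IDs and port names are constructed for illustration; the 100 Mbps link between SW1 and SW3 is there to show that a higher-cost direct link loses to a cheaper two-hop path.

```python
"""Toy 802.1D root bridge election and port-role computation (added example)."""
from collections import defaultdict
import heapq

PATH_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}  # 802.1D short costs, Mbps -> cost

# Constructed topology: SW1 has the lowest priority (4096) and should win root.
BRIDGES = {
    "SW1": (4096, "0000.0000.0001"),
    "SW2": (32768, "0000.0000.0002"),
    "SW3": (32768, "0000.0000.0003"),
}
# (bridge_a, port_a, bridge_b, port_b, speed_mbps). SW1-SW3 is 100 Mbps (cost 19),
# so SW3's cheapest path to the root runs through SW2 (4 + 4 = 8).
LINKS = [
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 1000),
    ("SW1", "Gi0/2", "SW3", "Gi0/1", 100),
    ("SW2", "Gi0/2", "SW3", "Gi0/2", 1000),
]

def bridge_id(priority, mac):
    """Bridge ID ordering: lower priority wins, then lower MAC."""
    return (priority, mac.lower())

def elect_root(bridges):
    """Every switch claims root on boot; the lowest bridge ID wins."""
    return min(bridges, key=lambda n: bridge_id(*bridges[n]))

def compute_stp(bridges, links):
    """Return (root, roles) where roles maps (bridge, port) to
    'root', 'designated' or 'blocked'."""
    root = elect_root(bridges)
    bid = {n: bridge_id(*bridges[n]) for n in bridges}
    adj = defaultdict(list)  # bridge -> [(neighbour, local_port, remote_port, cost)]
    for a, pa, b, pb, speed in links:
        cost = PATH_COST[speed]
        adj[a].append((b, pa, pb, cost))
        adj[b].append((a, pb, pa, cost))

    # Root path cost (RPC): cheapest sum of link costs from each bridge to the root.
    rpc = {root: 0}
    heap = [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > rpc[n]:
            continue
        for nbr, _, _, cost in adj[n]:
            if d + cost < rpc.get(nbr, float("inf")):
                rpc[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))

    roles = {}
    # Root port: on each non-root bridge, the port offering the lowest RPC; ties
    # go to the lowest neighbour bridge ID, then neighbour port, then local port.
    for n in bridges:
        if n == root:
            continue
        _, local, _, _ = min(
            adj[n], key=lambda e: (rpc[e[0]] + e[3], bid[e[0]], e[2], e[1]))
        roles[(n, local)] = "root"
    # Designated port: on each segment the end with the lowest (RPC, bridge ID,
    # port ID) forwards; the other end blocks unless it is that bridge's root port.
    for a, pa, b, pb, _ in links:
        a_key, b_key = (rpc[a], bid[a], pa), (rpc[b], bid[b], pb)
        if a_key < b_key:
            winner, loser = (a, pa), (b, pb)
        else:
            winner, loser = (b, pb), (a, pa)
        roles[winner] = "designated"
        roles.setdefault(loser, "blocked")
    return root, roles

if __name__ == "__main__":
    root, roles = compute_stp(BRIDGES, LINKS)
    print("root bridge:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role}")
```

Running it shows SW3 blocking its direct Gi0/1 link to the root and using Gi0/2 (via SW2) as its root port, which is the behaviour 'show spanning-tree' would display on SW3. Lowering a priority in BRIDGES (the equivalent of 'spanning-tree vlan 1 priority 4096') and rerunning shows how root placement moves the blocked port.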
HSRP Active/Standby Election
HSRP routers exchange hello messages every 3 seconds (default). The router with the highest priority (default 100) becomes the active router. If priorities are equal, the highest IP address wins. The active router owns the virtual IP and MAC (0000.0c07.acXX). The standby router monitors hellos. If the standby does not hear a hello for 10 seconds (hold time), it assumes the active has failed and transitions to active. Preemption is disabled by default, so a higher-priority router coming online later will not take over unless configured. Engineers can verify with 'show standby brief'.
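The election, hold-timer failover and preemption rules described in this section and in the protocol list earlier, as an added simulation. It is not the page's code and not Cisco's implementation; it models only what the chapter states (highest priority wins, ties go to the highest IP address, the standby declares the active dead once the 10-second hold time passes without a hello, and a higher-priority router displaces a live active only when preempt is on). The router pair, addresses and failure timeline are constructed.

```python
"""Toy HSRP election, hold-timer failover and preemption (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address

HELLO, HOLD = 3, 10  # HSRP defaults in seconds

@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100     # HSRP default priority
    preempt: bool = False   # HSRP default: preemption off
    up: bool = True

def elect(routers):
    """Return (active, standby) among the routers that are up: highest
    priority wins, highest IP address breaks a tie."""
    alive = sorted((r for r in routers if r.up),
                   key=lambda r: (r.priority, int(IPv4Address(r.ip))),
                   reverse=True)
    return alive[0], (alive[1] if len(alive) > 1 else None)

class HsrpGroup:
    def __init__(self, routers):
        self.routers = routers
        self.active, self.standby = elect(routers)
        self.last_hello = 0  # second at which the standby last heard the active

    def step(self, now):
        """Advance the simulation by one second and return the active router."""
        if self.active.up:
            if now % HELLO == 0:            # active sends a hello every HELLO seconds
                self.last_hello = now
            best, _ = elect(self.routers)
            if best is not self.active and best.preempt:
                # A better router displaces a live active only with preempt configured.
                self.active, self.standby = elect(self.routers)
                self.last_hello = now
        elif now - self.last_hello >= HOLD:
            # Hold timer expired: the standby assumes the active has failed.
            self.active, self.standby = elect(self.routers)
            self.last_hello = now
        return self.active

def sample_routers(preempt=False):
    """Constructed pair: R1 is preferred by priority, R2 is the standby."""
    return [Router("R1", "192.168.1.2", priority=150, preempt=preempt),
            Router("R2", "192.168.1.3", priority=100)]

def run(routers, events, horizon=60):
    """events: {second: (router_name, is_up)}. Returns [(second, active_name)]
    recorded at start and whenever the active router changes."""
    group = HsrpGroup(routers)
    by_name = {r.name: r for r in routers}
    log = [(0, group.active.name)]
    for t in range(horizon):
        if t in events:
            name, up = events[t]
            by_name[name].up = up
        active = group.step(t)
        if active.name != log[-1][1]:
            log.append((t, active.name))
    return log

if __name__ == "__main__":
    timeline = {10: ("R1", False), 30: ("R1", True)}  # R1 dies at t=10, returns at t=30
    print("no preempt:", run(sample_routers(), timeline))
    print("preempt:   ", run(sample_routers(preempt=True), timeline))
```

Two things the simulation makes visible that the timer numbers alone do not: the standby takes over at t=19, not t=20, because the hold timer counts from the last hello heard (t=9), so real detection time is between 7 and 10 seconds depending on where in the hello cycle the failure lands; and without 'standby 1 preempt' the recovered R1 stays standby for good, which is exactly the situation that leaves a campus running on its backup gateway weeks after an outage.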
LACP Link Aggregation Formation
LACP (802.3ad) uses two modes: active (sends LACPDUs) and passive (only responds). For a LAG to form, at least one side must be active. Switches exchange LACPDUs to negotiate the bundle. They agree on a system priority (lower is better) and port priority. Up to 8 ports can be aggregated. Once formed, the logical interface (e.g., port-channel1) appears as a single link. If a physical link fails, traffic is redistributed among remaining links. Engineers can check with 'show etherchannel summary' and 'show lacp neighbor'.
ECMP Path Selection
When a router has multiple equal-cost routes to a destination (e.g., OSPF with same metric), it can load balance. The router uses a hash function (e.g., over source/dest IP or Layer 4 port) to choose a path for each flow. This ensures all packets of a flow take the same path (per-flow load balancing). The hash is deterministic. If a path fails, the routing protocol recalculates, and the router updates the forwarding table. Engineers can see ECMP routes with 'show ip route' (multiple next hops) and adjust the hash algorithm with 'ip cef load-sharing algorithm'.
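Per-flow hashing is the same mechanism whether it chooses a port-channel member (the LAG sections above) or an ECMP next hop (this section), so one added example covers both, together with the LACP/PAgP mode negotiation rule. This is illustrative code, not the page's own and not any vendor's hash algorithm; real switches hash their own field sets with platform-specific seeds. The flow list, member ports and next-hop addresses are constructed.

```python
"""Per-flow path hashing for LAG members and ECMP next hops, plus LACP/PAgP
mode negotiation (added example)."""
import hashlib

def lacp_bundle_forms(mode_a, mode_b):
    """LACP: 'active' sends LACPDUs, 'passive' only answers, so at least one
    side must be active. Static 'on' runs no protocol and only pairs with 'on'."""
    a, b = mode_a.lower(), mode_b.lower()
    if "on" in (a, b):
        return a == b == "on"
    return {a, b} <= {"active", "passive"} and "active" in (a, b)

def pagp_bundle_forms(mode_a, mode_b):
    """PAgP (Cisco): 'desirable' negotiates, 'auto' only responds."""
    a, b = mode_a.lower(), mode_b.lower()
    return {a, b} <= {"desirable", "auto"} and "desirable" in (a, b)

def flow_key(src_ip, dst_ip, proto, sport, dport):
    """The 5-tuple bytes the hash is computed over."""
    return f"{src_ip}|{dst_ip}|{proto}|{sport}|{dport}".encode()

def pick_path(flow, paths):
    """Deterministic per-flow selection: hash the 5-tuple, take it modulo the
    number of live paths. Identical for port-channel members and ECMP next hops."""
    digest = hashlib.sha256(flow_key(*flow)).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]

def distribute(flows, paths):
    """Map every flow to its path; returns {path: [flows]}."""
    table = {p: [] for p in paths}
    for f in flows:
        table[pick_path(f, paths)].append(f)
    return table

def moved_flows(flows, before, after):
    """Flows that land on a different path after membership changes (a failed or
    restored link). With plain modulo hashing, flows on surviving paths can move
    too, which is where transient reordering shows up during redistribution."""
    return [f for f in flows if pick_path(f, before) != pick_path(f, after)]

# Constructed sample: 40 TCP flows from one client to one server, varying source port.
FLOWS = [("10.1.1.10", "10.2.2.20", "tcp", 40000 + i, 443) for i in range(40)]
MEMBERS = ["Gi0/1", "Gi0/2", "Gi0/3", "Gi0/4"]   # port-channel member links
NEXT_HOPS = ["10.0.12.2", "10.0.13.2"]            # two equal-cost next hops

if __name__ == "__main__":
    for member, flows in distribute(FLOWS, MEMBERS).items():
        print(f"{member}: {len(flows)} flows")
    survivors = [m for m in MEMBERS if m != "Gi0/2"]
    print("flows that change member when Gi0/2 fails:",
          len(moved_flows(FLOWS, MEMBERS, survivors)))
    for hop, flows in distribute(FLOWS, NEXT_HOPS).items():
        print(f"next hop {hop}: {len(flows)} flows")
```

Two points worth noticing when you run it: every flow maps to the same path on every call, which is what keeps a TCP connection in order, and when Gi0/2 fails the number of flows that change member is normally larger than the number that were on Gi0/2, because modulo-4 and modulo-3 hashing disagree on the survivors as well. Spreading load evenly also depends on the hash inputs having entropy; 40 flows between one client and one server only spread here because the source port is part of the key.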
Scenario 1: Campus Network with STP and HSRP
A university campus has two distribution switches (D1 and D2) and multiple access switches. Each access switch has two uplinks, one to D1 and one to D2. STP blocks one uplink per access switch to prevent loops. The default gateway for each VLAN is a virtual IP shared between D1 and D2 via HSRP. D1 is active for VLAN 10, D2 for VLAN 20. If D1 fails, HSRP fails over VLAN 10 to D2 within the hold time (10 seconds by default). At the same time, STP reconverges on the access switches whose forwarding uplink led to D1, unblocking the alternate uplink. In production, engineers set STP priorities to control root placement and use HSRP preemption so the primary router resumes after recovery. Common issue: if the STP root and the HSRP active router for a VLAN sit on different distribution switches, the access switch's forwarding uplink leads to the non-gateway switch, and traffic hairpins across the inter-distribution link to reach the gateway. Mitigation: align the STP root with the HSRP active router per VLAN.
Scenario 2: Data Center with VPC and LACP
A data center uses a pair of Nexus switches in a vPC domain. Each server has two NICs in a LAG, one connected to each switch. vPC allows the LAG to terminate on two different switches while appearing as a single logical link, so it provides both link and device redundancy. The vPC peer-link carries control traffic and some data; a keepalive link (typically out-of-band) monitors peer health. If one switch fails, the other takes over all traffic without STP reconvergence. Engineers configure the vPC domain ID, peer-keepalive, peer-link and member ports. Common pitfalls: LACP modes that cannot negotiate (both sides passive, or a static 'on' port-channel facing an LACP peer) and inconsistent vPC parameters between the peers, which can leave the pair operating independently (split-brain) if the peer-link also fails. Scale: a vPC can support up to 16 member links per port-channel.
Scenario 3: Enterprise WAN with BGP Multipath
A company has two ISP connections (ISP-A and ISP-B) with BGP. Both links have the same bandwidth and cost. Using BGP multipath (maximum-paths 2), the router load balances outbound traffic across both ISPs per flow. Inbound traffic is controlled by AS path prepending or MED. If one ISP fails, BGP withdraws the route and all traffic uses the remaining link. Engineers must ensure the router has enough memory for the full BGP table from both ISPs. Common issue: asymmetric routing if outbound traffic goes via ISP-A but return traffic enters via ISP-B, which may be blocked by firewall state. Solution: use stateful failover or policy-based routing.
What N10-009 Tests
Objective 3.4: 'Given a scenario, implement network redundancy strategies.' The exam expects you to:
Compare and contrast STP, RSTP, and MSTP (know default timers and port states).
Describe HSRP, VRRP, and GLBP operation (active/standby vs. load sharing, default timers).
Explain link aggregation (LACP/PAgP modes, max links).
Identify appropriate redundancy for a given scenario (e.g., use LAG for bandwidth, HSRP for gateway).
Troubleshoot redundancy failures (e.g., STP loops, HSRP split-brain).
Common Wrong Answers
'STP provides load balancing' — Wrong. STP blocks redundant links to prevent loops; it does not load balance. Load balancing is done by LAG or ECMP.
'HSRP and VRRP are identical' — Wrong. HSRP is Cisco proprietary with default hello 3 sec; VRRP is open standard with hello 1 sec. Also, HSRP uses active/standby; VRRP uses master/backup with preemption enabled by default.
'LACP requires both sides to be active' — Wrong. At least one side must be active; the other can be passive. If both are passive, no LAG forms.
'ECMP distributes traffic per-packet' — Wrong. Most implementations use per-flow hashing to avoid reordering.
Numbers and Terms That Appear Verbatim
STP default priority: 32768.
STP path costs: 10 Mbps=100, 100 Mbps=19, 1 Gbps=4, 10 Gbps=2.
STP timers: Hello 2 sec, Max Age 20 sec, Forward Delay 15 sec.
HSRP default hello 3 sec, hold 10 sec.
VRRP default advertisement 1 sec.
LACP max active links: 8.
'BPDU guard', 'root guard', 'loop guard' are STP enhancement features.
Edge Cases and Exceptions
STP and VLANs: PVST+ (Per-VLAN STP) runs a separate STP instance per VLAN. This allows load balancing across VLANs but increases CPU usage.
RSTP edge ports: Ports connected to end hosts can be configured as edge ports to skip listening/learning (portfast). BPDU guard can shut down edge ports if a BPDU is received.
HSRP version 2: Supports IPv6 and increased group numbers (0-4095) vs. version 1 (0-255).
GLBP weighting: Each forwarder has a weight; object tracking (e.g., of an uplink interface) can decrement it, and a router stops acting as an active virtual forwarder when its weight falls below a configured threshold. Priority, by contrast, decides only which router is the active virtual gateway that answers ARP.
How to Eliminate Wrong Answers
If a question mentions 'loop prevention', think STP. If it mentions 'default gateway failover', think HSRP/VRRP/GLBP. If it mentions 'increased bandwidth and redundancy', think LAG. If it mentions 'multiple equal-cost paths', think ECMP.
Watch for timer values: if the question says '3 seconds', it's likely HSRP; '1 second' is VRRP.
Remember that STP does not load balance; LAG and ECMP do.
STP prevents loops in redundant Ethernet networks; default timers: Hello 2s, Max Age 20s, Forward Delay 15s.
RSTP (802.1w) converges in 1-3 seconds using proposal/agreement and edge ports.
HSRP default hello is 3 seconds, hold 10 seconds; VRRP default advertisement is 1 second with preemption enabled.
LACP (802.3ad) supports up to 8 active links; modes: active, passive. At least one side must be active.
ECMP (equal-cost multipath) load balances across multiple routes; uses per-flow hashing to avoid reordering.
VPC/MLAG allows a LAG to terminate on two switches, providing device redundancy.
STP does not load balance; use PVST+ for per-VLAN load balancing by placing different root bridges.
BPDU guard, root guard, and loop guard are STP enhancement features to protect against misconfiguration.
HSRP version 2 supports IPv6 and more group numbers (0-4095).
Always test redundancy failover in a lab before production; configuration drift is a common cause of failure.
These come up on the exam all the time. Here's how to tell them apart.
STP (802.1D)
Convergence time up to 50 seconds (20+15+15).
Port states: blocking, listening, learning, forwarding, disabled.
Relies on timer-based convergence.
Uses BPDUs every 2 seconds.
No edge port concept; all ports go through listening/learning.
RSTP (802.1w)
Convergence time 1-3 seconds.
Port states: discarding, learning, forwarding (no listening).
Uses proposal/agreement handshake for fast convergence.
Same BPDU format but includes flags for rapid transition.
Edge ports (portfast) skip listening/learning and transition immediately.
HSRP
Cisco proprietary.
Default hello: 3 seconds; hold: 10 seconds.
Active/standby model; preemption disabled by default.
Virtual MAC: 0000.0c07.acXX (version 1; XX is the group number). Version 2 uses 0000.0c9f.fXXX.
Supports object tracking for priority adjustment.
VRRP
Open standard (RFC 5798).
Default advertisement: 1 second.
Master/backup model; preemption enabled by default.
Virtual MAC: 0000.5e00.01XX.
Also supports object tracking.
LAG (LACP)
Operates at Layer 2 (link layer).
Combines multiple physical links into one logical link.
Requires both ends to support LAG.
Provides both increased bandwidth and link redundancy.
Load balancing based on hash (MAC/IP/port).
ECMP (Routing)
Operates at Layer 3 (network layer).
Uses multiple equal-cost routes in routing table.
Works with any router; no special protocol needed.
Provides path redundancy but not increased bandwidth per flow.
Load balancing typically per-flow based on IP/port hash.
Mistake
STP provides load balancing across redundant links.
Correct
STP blocks all but one path to prevent loops. Load balancing is achieved by LAG (link aggregation) or ECMP (routing). In PVST+, you can have different root bridges per VLAN, but each VLAN still has a single active path.
Mistake
HSRP and VRRP are functionally identical.
Correct
HSRP is Cisco proprietary; VRRP is an open standard (RFC 5798). HSRP default hello is 3 seconds, hold 10; VRRP default advertisement is 1 second. VRRP enables preemption by default; HSRP does not. Also, HSRP uses a virtual MAC 0000.0c07.acXX; VRRP uses 0000.5e00.01XX.
Mistake
LACP requires both switches to be configured as active.
Correct
LACP can form if at least one side is active and the other is passive. If both are passive, negotiation fails. PAgP (Cisco proprietary) has modes desirable (active) and auto (passive).
Mistake
ECMP distributes traffic evenly per packet.
Correct
ECMP typically uses a hash of source/destination IP and/or port to assign flows to paths. This is per-flow load balancing, not per-packet. Per-packet load balancing can cause out-of-order delivery and is generally avoided.
Mistake
Link aggregation provides device-level redundancy.
Correct
In a standard LAG each end terminates on a single switch; if that switch fails, every member link on that side goes down with it, so the switch is still a single point of failure. vPC (Virtual Port Channel) or MLAG allows one LAG to terminate on two different switches, providing device redundancy.
STP (802.1D) takes up to 50 seconds to converge because it relies on timers: Max Age (20 s) plus two Forward Delay periods (15 s listening and 15 s learning). RSTP (802.1w) converges in 1-3 seconds using a handshake mechanism (proposal/agreement) and introduces edge ports (PortFast) that transition to forwarding immediately. RSTP also merges blocking and listening into a single discarding state. For the exam, remember that RSTP is faster and backward-compatible with STP.
HSRP default hello timer is 3 seconds, and the hold timer is 10 seconds (three times the hello plus a small margin). The active router sends hellos every 3 seconds; if the standby misses three hellos (10 seconds), it assumes the active is down and takes over. These timers can be adjusted with the 'standby <group> timers' command. VRRP's default advertisement interval is 1 second.
LACP (IEEE 802.3ad) uses Link Aggregation Control Protocol Data Units (LACPDUs) to negotiate a bundle. Each switch can be in active mode (sends LACPDUs) or passive mode (only responds). At least one side must be active. They exchange system priority, port priority, and port keys. Up to 8 ports can form a single logical link (port-channel). If a link fails, traffic is redistributed among remaining links. Use 'show lacp neighbor' to verify.
BPDU guard is an STP feature used on access ports (edge ports). If a port configured with BPDU guard receives a BPDU, it immediately goes into errdisable state (shuts down). This prevents a rogue switch from being connected and causing a loop. It is commonly used with PortFast. On the exam, know that BPDU guard protects against STP manipulation.
STP and HSRP complement each other because they operate at different layers. STP prevents loops at Layer 2; HSRP provides default gateway redundancy at Layer 3. In a typical campus network, access switches have redundant uplinks to distribution switches (STP blocks one), and the distribution switches run HSRP for gateway failover. You must align the STP root bridge with the HSRP active router per VLAN to avoid suboptimal traffic flow.
VRRP is an open standard (RFC 5798); HSRP is Cisco proprietary. VRRP default advertisement is 1 second; HSRP default hello is 3 seconds. VRRP enables preemption by default; HSRP does not. VRRP answers ARP for the virtual IP with the virtual MAC 0000.5e00.01XX (XX is the VRID); HSRP version 1 uses the proprietary virtual MAC 0000.0c07.acXX (XX is the group number). Both provide a virtual IP for default gateway failover.
IEEE 802.3ad allows up to 8 active links per LAG. Some vendors support up to 16 links total (8 active + 8 standby). The number of LAGs per switch is limited by hardware. On the exam, remember 8 active links as the standard maximum.