HSRP (Hot Standby Router Protocol)

HSRP is Cisco's proprietary protocol and allows multiple L3 devices to masquerade as a SINGLE gateway. This is done by creating a virtual IP and virtual MAC address and assigning them to all routers participating in the HSRP group. All of them in a group use the SAME group number (between 0 - 255 for HSRP v1) or (0 - 4096 for HSRP v2 which has support for IPv6). The routers communicate via multicast on UDP PORT 1985

• v1 = 224.0.02

• v2 = 224.0.0.102

Virtual MAC address v1 = 0000.0c07.acXX (where XX=HSRP group number in HEX) Virtual MAC address v2 = 0000.0c9f.fXXX (where XXX=HSRP group number in HEXADECIMAL- up to FFFF - that's why its 4096 - 16^3=4096)

In a situation with multiple subnets(L3)/VLANS(L2) you can configure a different active router in each subnet/vlan to load balance.

HSRP routers are elected to specific roles with only ONE active and ONE standby router PER GROUP

• ACTIVE ROUTER

• STANDBY ROUTER

• LISTENING ROUTER

"Hello" packets are used to elect HSRP roles (active, standby and listening) and to also ensure all routers are functional. These Hello packets are sent every 3 seconds and should the STANDBY router not receive any "Hello" messages, it would become the active router and a NEW standby router will be elected.

TO become the ACTIVE router - the decision is based upon the following:

• The Priority (default 100) can be changed between (0-255) - Higher=Better

• If priority the same, then the router which has the HIGHEST IP address on its HSRP interface becomes the ACTIVE router, and the router with the 2nd highest IP address becomes the STANDBY router

All devices in the local LAN would be configured with the Default Gateway (DG) of their first hop HSRP routers virtual IP. PC1 wants to send data outside the network and so broadcasts an ARP request to its DG IP address and requests the DG's MAC address to it can reach the DG This ARP request goes to BOTH routers (R1 AND R2) as they both have the SAME virtual IP and virtual MAC address. Because R1 is the ACTIVE router, it sends the ARP reply (unicast) with the virtual mac address back to PC1 and it then forwards the data onto R1 and it forwards this to the internet.

If R1 should fail, R2 will stop receiving Hello packets from R1 and so becomes the "ACTIVE" router. All PC's will still have the DG virtual IP and virtual MAC address in their ARP tables so nothing to change there! However R2 needs to tell the switches that they must now send traffic with the virtual MAC address to R2 and NOT R1.

R2 NEEDS the switches to UPDATE their MAC tables Remember, Switches learn the SOURCE MAC address when it receives a frame on a port and it then updates the MAC address table accordingly R2 It does this by sending a GRATUITOUS ARP (meaning that ARP replies are being sent WITHOUT them being requested) reply (broadcast and NOT unicast a like a normal ARP reply) with the virtual mac address. As its a BROADCAST, all switches will update their MAC address tables (as seen below)

FHRP's are 'non-preemptive' so if R1 comes back on line the active router (old Standby) will NOT give up its role - It will then take over as STANDBY ROUTER. BUT!!!

We can force R1 take back its ACTIVE roll via the "PREEMPT" command and force R2 to take back the Standby role.

HSRP States:

A router INTERFACE participating in HSRP will go through several states before setting into a role:

• A DISABLED state indicates that the INTERFACE has not been configured for HSRP, or is administratively shut down.

• An interface enters the LEARN state if it does not KNOW the HSRP virtual IP address. This would be normally be manually configured on the interface - otherwise it will be learned from the current ACTIVE router via the "Hello" packets

• It enters the LISTEN state when it knows the virtual IP but has not been elected as either an ACTIVE or STANDBY router

• Interfaces in the SPEAK state are currently participating in the the election of an active or standby router. Elections are performed using "hello" packets which are sent out every 3 seconds by default

• A STANDBY state indicates that the interface is acting as a backup to the active router. The standby router continuously exchanges "hello" packets with the active router and will take over if the active router fails.

• An interface in the ACTIVE state is the live GATEWAY and will forward traffic sent to the virtual IP address. Hosts will use the virtual IP address as their DEFAULT GATEWAY. The active router will also respond to ARP requests for the virtual IP with the virtual MAC address.

HSRP Basic Configuration:

• HSRP is configured on the interface that is ACCEPTING traffic from hosts

• The Router(config-if)#standby 1 priority 150 command specifies the HSRP group (The “1” is the group number for HSRP. It doesn’t matter what you pick just make sure it’s the same on both devices) the interface belongs to and the new priority (with 100 being the default)

• HSRP can also be configured on a VLAN Layer 3 interface on a multilayer switch

  • SwitchB(config)#interface vlan 100 SwitchB(config-if)# standby 1 priority 150

• Each interface in the HSRP group retains its local IP address. The HSRP group itself is assigned a virtual IP address

To configure the virtual HSRP IP address: SwitchA(config)# interface vlan 100 SwitchA(config-if)# ip address 10.1.1.2 255.255.255.0 SwitchA(config-if)# standby 1 ip 10.1.1.1 SwitchB(config)# interface vlan 100 SwitchB(config-if)# ip address 10.1.1.3 255.255.255.0 SwitchB(config-if)# standby 1 ip 10.1.1.1

HSRP supports using multiple virtual IP addresses: SwitchB(config-if)# standby 1 ip 10.1.1.5 secondary

The HSRP virtual MAC address can be manually changed: Switch(config-if)# standby 1 mac-address 0000.00ab.12ef

HSRP authentication prevents an unauthorized router from joining the HSRP group. All routers in the HSRP group must be configured with an identical authentication string.

• To specify a clear-text authentication string:

  • Switch(config-if)# standby 1 authentication STAYOUT

• To specify an MD5-hashed authentication string:

  • Switch(config-if)# standby 1 authentication md5 key-string STAYOUT

HSRP Preempt

If a new router joins an existing HSRP group, it will not preemtively assume role of the active router,even if it has the best priority or higher IP (if no priority configured) than the rest of the group members. In fact - the router which is powered on FIRST will become the active router even if it has the lower priority.

The preempt parameter will allow a router to forcibly take over the role as active router if it has the higher priority

SwitchB(config-if)# standby 1 preempt

The optional delay parameter will force a router to wait before preempting as the active router. The delay is measured in seconds: Switch(config-if)# standby 1 preempt delay 10

The router can also be forced to wait a specified number of seconds after a reload before preempting the active role: Switch(config-if)# standby 1 preempt reload 20 This allows routing protocols to converge before the router becomes active.

HSRP Timers

Hello packets are used to elect the Active and Standby router and to detect if there is a failure and these are exchanged every 3 seconds (default) to the multicast address 224.0.0.2 (v1) or 224.0.0.102 (v2) over port 1985. If no elections are occurring ONLY the active and standby routers exchange hello packets.

If NO hello packets are received within the hold-down timer duration, the standby router assume the active router has failed and takes over The hold-down timer is 3 times the hello timer (10 seconds !! Cisco maths, not mine) To manually adjust the times measured in SECONDS or MILLISECONDS

SwitchB(config-if)# standby 1 timers 4 12 -------- or SwitchB(config-if)# standby 1 timers msec 800 msec 2400

HSRP Object Tracking

Object Interface Tracking

HSRP offers a feature called interface tracking. We can select an interface to track and if it fails we will give it a penalty. This way your priority will decrease and another device can become the active router.

To fix this issue we can TRACK interfaces. If a tracked interface fails the routers PRIORITY is decreased by a SPECIFIED value (default is 10)

SwitchB(config)# track 1 interface gi2/23 line-protocol SwitchB(config)# interface vlan 1 SwitchB(config-if)# standby 1 track 1 decrement 60 The 60 is the manual priority which will DECREASE by if interface gi2/23 goes down. The 60 priority was chosen so the priority would be LESS than the standby, which then forces SWITCH A to become ACTIVE. If it was left at the default 10, the priority would have dropped to 140 which is still higher than Switch A's priority.

Object Tracking

Object tracking works by tracking combined states of defined objects and is used with the following boolean functions:<See more here>

AND - it requires that ALL the objects defined in the track list to be UP OR - it requires that AT LEAST ONE object to be UP

Enhanced Object Tracking

Interface tracking is useful but it will only check the state of the interface. Its possible the state of the interface remains up but unable to reach the ISP router. Its better to use IP SLA instead since it can check end-to-end connectivity.

Lets remove the current object tracking configuration SwitchB(config)# interface gi2/34 SwitchB(config-if)# no standby 1 track 1 decrement 60 SwitchB(config)# ip sla 1 SwitchB(config-ip-sla)# icmp-echo 10.1.33.2 SwitchB(config-ip-sla)# frequency 10 SwitchB(config-ip-sla)# timeout 10000 SwitchB(config)# ip sla schedule 1 start-time now life forever

We can now combine IP SLA with object tracking

SwitchB(config)#no track 1 SwitchB(config)# track 1 ip sla 1

And we will configure SW2 once again that the priority that the priority will decrease by 60 when the object is DOWN !!

SwitchB(config)# interface vlan 1 SwitchB(config-if)# standby 1 track 1 increment 60 SwitchB# sho ip sla statistics FORCE SWICTHOVER BY SHUTTING DOWN THE INTERFACE

hostname H1
!
no ip routing
!
interface GigabitEthernet0/1
 ip address 192.168.1.100 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
!
ip default-gateway 192.168.1.254
!
end

hostname R3
!
interface GigabitEthernet0/1
 ip address 192.168.13.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 ip address 192.168.23.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
end

hostname SW1
!
interface GigabitEthernet0/1
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 no switchport
 ip address 192.168.13.1 255.255.255.0
 negotiation auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.254
 standby 1 timers msec 100 msec 300
 standby 1 preempt delay minimum 60
 standby 1 authentication md5 key-string MY_SECRET_KEY
!
end

hostname SW2
!
track 1 ip sla 1
!
interface GigabitEthernet0/1
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 no switchport
 ip address 192.168.23.2 255.255.255.0
 negotiation auto
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.254
 standby 1 timers msec 100 msec 300
 standby 1 priority 150
 standby 1 preempt delay minimum 60
 standby 1 authentication md5 key-string MY_SECRET_KEY
 standby 1 track 1 decrement 60
!
ip sla 1
 icmp-echo 192.168.23.3
 frequency 10
ip sla schedule 1 life forever start-time now
!
end

Router 3 track 1 ip sla 1 ip sla 1 icmp-echo 192.168.4.1 source-interface eth0 frequency 5 timeout 10000 -------mili seconds ip sla schedule 1 life forever start-time now

R3# show run | sec track track1 ip sla 1 track 2 ip route 1.1.1.0 255.255.255.0 reachability track 4 list boolean and object 1 object 2 standby 1 track 4 decrement 50