Hot Standby Router Protocol

Hot Standby Router Protocol

Hot Standby Router Protocol (HSRP) is a Cisco proprietary layer 3 First Hop Redundancy Protocol used to provide fault tolerant default gateways.

Why HSRP?

Every network device use Default gateway to communicate with the hosts that are not in same subnet. This means when communicating to other LAN or Internet, the device will use default gateway. This makes Default gateway a critical resource. You can imagine the impact if the Router working as default gateway fails. No PC will be able talk to the PCs on different LAN or can not use internet until the default gateway comes back online. The critical nature of Default Gateway brings the concept of layer-3 redundancy protocols like HSRP and VRRP. Virtual Router Redundancy Protocol (VRRP) is just like HSRP with exception that it is open standard and it can also be used on non-Cisco routers.

HSRP Operation

At least two routers are needed for HSRP to work. HSRP group is created and it can have more than two routers sharing same virtual IP and virtual MAC address. The virtual MAC address is 0000.0c07.acxx for version 1 and 0000.0c9f.f0xx for version 2 of HSRP, where xx is the HSRP group number. One router is elected as Active and the other router(s) become Standby. The active router election is done on the basis of highest HSRP priority (default priority is 100). In case of a tie, the router with the highest configured IP address is elected. All the routers in HSRP group keep exchanging hello packets which keep informing about the state of Active member to Standby members. HSRP has a hold timer of 10 seconds which means that Standby router will assume Active router down if it does not receive any hello packet for 10 seconds. Standby router becomes Active when existing active router fails and start forwarding the traffic. Since the new Active router uses the same virtual IP and virtual MAC address, the end devices will not notice any change. This process is completely transparent to end users. A new standby router is also elected at this time if there are more than two routers in a HSRP group.

Note:- HSRP version 1 uses multicast address 224.0.0.2 while HSRP version 2 uses multicast address 224.0.0.102 to send periodic hello packets. HSRPv1 is default HSRP version on Cisco devices. By default, a hello packet is sent between the HSRP standby group devices every 3 seconds, and the standby device becomes active when a hello packet is not received for 10 seconds.

HSRP States

All routers in HSRP group go through all the states mentioned below. However, only one router remains in Active state and one router remain in Standby state. Other routers stay in listen state.

Initial This is the state at the start. This state indicates that HSRP is not running.
Learn – The router has not determined the virtual IP address and has not yet seen an authenticated hello message from the active router. In this state, the router still waits to hear from the active router.
Listen – The router knows the virtual IP address, but the router is neither the active router nor the standby router. It listens for hello messages from those routers.
Speak The router sends periodic hello messages and actively participates in the election of the active and/or standby router. A router cannot enter speak state unless the router has the virtual IP address.
Standby – The router will become Active in case it does not receive hello packets from currently Active router for group. The router sends periodic hello messages.
Active The router currently forwards packets that are sent to the group virtual MAC address. The router sends periodic hello messages.

HSRP Configuration

Consider the network as shown below:

HSRP Demonstration
HSRP Demonstration

In the network shown above, we have PC1 and PC2 configured with IP address 10.10.10.1 as default gateway. These PCs can communicate with each other without default gateway but they will use default gateway to reach Internet (8.8.8.8). Let us assume that the connectivity of these PCs to Internet is very critical and they can not expect any downtime.

You can use HSRP in this scenario. Let us configure HSRP on R1 and R2.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int fa0/1
R1(config-if)#ip address 10.10.10.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#standby 1 ip 10.10.10.1
R1(config-if)#
*Jul 22 11:54:59.731: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 1 state Speak -> Standby
*Jul 22 11:55:00.231: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 1 state Standby -> Active
R1(config-if)#standby 1 priority 110
R1(config-if)#standby 1 preempt
R1(config-if)#standby version 2
R1(config-if)#end
R1#

Let us discuss the above commands in detail.

I have configured IP address 10.10.10.2/24 on interface connected to LAN (SW1). This IP can be any unused IP address from same subnet as LAN. Then the standby 1 ip 10.10.10.1 command is used to create an HSRP group 1 and assign the virtual IP 10.10.10.1 to group. Remember that all the HSRP group members will use same virtual IP address but different IP address at physical interface to prevent duplicate addresses. The standby 1 priority 110 command is used to increase the priority of R1 because by default all Cisco routers have priority of 100. The standby 1 preempt command is used to tell the router R1 that if you see any router with lower priority working as Active, R1 can overthrow the other router and become Active router in HSRP group. The standby version 2 is used to change the HSRP version to 2 (default is 1).

You can verify the HSRP status using show standby command.

R1#show standby
FastEthernet0/1 - Group 1 (version 2)
  State is Active
    5 state changes, last state change 00:36:12
  Virtual IP address is 10.10.10.1
  Active virtual MAC address is 0000.0c9f.f001
    Local virtual MAC address is 0000.0c9f.f001 (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.068 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 110 (configured 110)
  IP redundancy name is "hsrp-Fa0/1-1" (default)

Did you notice Standby router is unknown? This is because we have not yet configured any other router is HSRP group 1. Now, lets go to R2 and configure it.

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int fa0/0
R2(config-if)#ip address 10.10.10.3 255.255.255.0
R2(config-if)#no shut
R2(config-if)#standby 1 ip 10.10.10.1
R2(config-if)#standby 1 preempt
R2(config-if)#standby version 2
R2(config-if)#
*Jul 22 12:35:49.823: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
R2(config-if)#end
R2#

Now take a look at the configuration,

R2#show standby
FastEthernet0/0 - Group 1 (version 2)
  State is Standby
    1 state change, last state change 00:03:05
  Virtual IP address is 10.10.10.1
  Active virtual MAC address is 0000.0c9f.f001
    Local virtual MAC address is 0000.0c9f.f001 (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.404 secs
  Preemption enabled
  Active router is 10.10.10.2, priority 110 (expires in 9.728 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/0-1" (default)
R2#

The R2 is elected to be Standby member until R1 goes down.

HSRP Verification

Let us now verify if HSRP is working. I will go to one of PCs and run a ping to 8.8.8.8.

PC1>ping 8.8.8.8
8.8.8.8 icmp_seq=1 timeout
84 bytes from 8.8.8.8 icmp_seq=2 ttl=254 time=16.263 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=254 time=25.240 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=254 time=25.299 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=254 time=15.248 ms

PC1>show arp

00:00:0c:9f:f0:01  10.10.10.1 expires in 111 seconds

PC1>

Notice that PC1 will see only virtual MAC and virtual IP of HSRP group instead of physical IP address configured on routers.

To verify that HSRP is actually switching the members from Standby to Active, I will run continue ping to 8.8.8.8 from PC1 and then I will shutdown the interface fa0/1 on R1 which is connected to LAN. This will stop Standby router R2 to receive hello packets from current Active member (R1). So, it will change its state to Active.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int fa0/1
R1(config-if)#shut
R1(config-if)#
*Jul 22 13:29:33.655: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 1 state Active -> Init
R1(config-if)#end

The HSRP state of R1 changed from Active to Init and now the Router R2 will become Active.

R2#show standby
FastEthernet0/0 - Group 1 (version 2)
  State is Active
    2 state changes, last state change 00:32:00
  Virtual IP address is 10.10.10.1
  Active virtual MAC address is 0000.0c9f.f001
    Local virtual MAC address is 0000.0c9f.f001 (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.312 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/0-1" (default)

The PC1 will not notice any change, and it will still have connectivity to 8.8.8.8.

PC1>ping 8.8.8.8 -t
84 bytes from 8.8.8.8 icmp_seq=1 ttl=254 time=12.131 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=254 time=11.319 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=254 time=11.242 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=254 time=12.234 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=254 time=12.294 ms
84 bytes from 8.8.8.8 icmp_seq=6 ttl=254 time=13.204 ms
84 bytes from 8.8.8.8 icmp_seq=7 ttl=254 time=12.213 ms
84 bytes from 8.8.8.8 icmp_seq=8 ttl=254 time=12.180 ms
84 bytes from 8.8.8.8 icmp_seq=9 ttl=254 time=35.178 ms
8.8.8.8 icmp_seq=10 timeout
8.8.8.8 icmp_seq=11 timeout
8.8.8.8 icmp_seq=12 timeout
84 bytes from 8.8.8.8 icmp_seq=13 ttl=254 time=12.272 ms
84 bytes from 8.8.8.8 icmp_seq=14 ttl=254 time=14.120 ms
84 bytes from 8.8.8.8 icmp_seq=15 ttl=254 time=15.960 ms
84 bytes from 8.8.8.8 icmp_seq=16 ttl=254 time=11.258 ms
84 bytes from 8.8.8.8 icmp_seq=17 ttl=254 time=12.023 ms
84 bytes from 8.8.8.8 icmp_seq=18 ttl=254 time=14.258 ms
84 bytes from 8.8.8.8 icmp_seq=19 ttl=254 time=13.276 ms

PC1 lost 3 packets and again returns the connectivity to destination. You can tweak the HSRP timers so that the another router becomes Active more quickly but I would personally not recommend doing this. If you tweak the timers, you can have problems when there is link flapping.

I will now enable debugging of HSRP events on router R2 and then I will enable the interface on R1 (which I had disabled earlier to demonstrate the changeover of R2 from Standby to Active).

R2#debug standby events
HSRP Events debugging is on
R2#
R1(config)#int fa0/1
R1(config-if)#no shut
R1(config-if)#
*Jul 22 14:14:30.439: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 1 state Listen -> Active
R1(config-if)#

Now look at the debug messages of R2 given below:

R2#
*Jul 22 14:16:03.863: HSRP: Fa0/0 API arp proto filter, 0000.0c9f.f001 is active vMAC for grp 1 - filter
*Jul 22 14:16:03.867: HSRP: Fa0/0 API arp proto filter, 0000.0c9f.f001 is active vMAC for grp 1 - filter
*Jul 22 14:16:03.867: HSRP: Fa0/0 Grp 1 Active: j/Coup rcvd from higher pri router (110/10.10.10.2)
*Jul 22 14:16:03.871: HSRP: Fa0/0 Grp 1 Active router is 10.10.10.2, was local
*Jul 22 14:16:03.871: HSRP: Fa0/0 Grp 1 Active -> Speak
*Jul 22 14:16:03.871: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
*Jul 22 14:16:03.875: HSRP: Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Active -> Speak
*Jul 22 14:16:13.871: HSRP: Fa0/0 Grp 1 Speak: d/Standby timer expired (unknown)
*Jul 22 14:16:13.871: HSRP: Fa0/0 Grp 1 Standby router is local
*Jul 22 14:16:13.871: HSRP: Fa0/0 Grp 1 Speak -> Standby
*Jul 22 14:16:13.871: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
R2#
*Jul 22 14:16:13.875: HSRP: Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Speak -> Standby
R2#

Now, the State of R2 becomes Standby because preempt command is configured on router R1 and R1 also has higher priority. So, R1 taken over R2 and forced it to become Standby.

This seems good. But what happens when the link between R1 (or R2) and Internet goes down? The Routers will still exchange HSRP hello packets and HSRP changeover will never happen but the traffic of PCs will be dropped.

The good news is that we can track the other interface on router so that if other interface goes down, the router will decrement its priority by certain number.

R1(config)#int fa0/1
R1(config-if)#standby 1 ?
  authentication  Authentication
  ip              Enable HSRP and set the virtual IP address
  mac-address     Virtual MAC address
  name            Redundancy name string
  preempt         Overthrow lower priority Active routers
  priority        Priority level
  timers          Hello and hold timers
  track           Priority tracking

R1(config-if)#standby 1 track ?
  <1-500>            Tracked object number
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CDMA-Ix            CDMA Ix interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Lex                Lex interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Port-channel       Ethernet Channel of interfaces
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-PPP        Virtual PPP interface
  Virtual-TokenRing  Virtual TokenRing
  XTagATM            Extended Tag ATM interface

R1(config-if)#standby 1 track FastEthernet 0/0 ?
  <1-255>  Decrement value
  <cr>

R1(config-if)#standby 1 track FastEthernet 0/0 20
R1(config-if)#exit
R1(config)#int fa0/0
R1(config-if)#shut
R1(config-if)#
*Jul 22 15:20:49.570: HSRP: Fa0/1 Grp 1 Track 1 object changed, state Up -> Down
*Jul 22 15:20:49.570: HSRP: Fa0/1 Grp 1 Priority 110 -> 90

The standby 1 track FastEthernet 0/0 20 command will start tracking the status of interface, and if the interface goes down, the router will decrement the priority by 20 and this will lower the R1’s priority than that of R2. The R2 will then become Active and start forwarding traffic.

This concludes our HSRP Configuration section. In the next section we will look into Virtual Router Redundancy Protocol.

Back



Microsoft Certified Professional | Cisco Certified Network Associate

1 Comment

Leave a Reply