Hot Standby Router Protocol

HSRP is a Cisco-proprietary protocol developed to allow several routers (or multilayer switches) to appear as a single gateway IP address. RFC 2281 describes this protocol in more detail.

Basically, each of the routers that provides redundancy for a given gateway address is assigned to a common HSRP group. One router is elected as the primary, or active, HSRP router; another is elected as the standby HSRP router; and all the others remain in the listen HSRP state. The routers exchange HSRP hello messages at regular intervals so that they can remain aware of each other's existence and that of the active router.

NOTE HSRP sends its hello messages to the multicast destination 224.0.0.2 ("all routers") using UDP port 1985.

An HSRP group can be assigned an arbitrary group number, from 0 to 255. If you configure HSRP groups on several VLAN interfaces, it can be handy to make the group number the same as the VLAN number. However, most Catalyst switches support only up to 16 unique HSRP group numbers. If you have more than 16 VLANs, you will quickly run out of group numbers. An alternative is to make the group number the same (that is, 1) for every VLAN interface. This is perfectly valid because the HSRP groups are only locally significant on an interface. In other words, HSRP Group 1 on interface VLAN 10 is unique and independent from HSRP Group 1 on interface VLAN 11.

HSRP Router Election

HSRP election is based on a priority value (0 to 255) that is configured on each router in the group. By default, the priority is 100. The router with the highest priority value (255 is highest) becomes the active router for the group. If all router priorities are equal or set to the default value, the router with the highest IP address on the HSRP interface becomes the active router. To set the priority, use the following interface configuration command:

Switch(config-if)# standby group priority priority

For example, suppose that one switch is left at its default priority of 100, while the local switch is intended to win the active role election. You can use the following command to set the HSRP priority to 200:

Switch(config-if)# standby 1 priority 200

When HSRP is configured on an interface, the router progresses through a series of states before becoming active. This forces a router to listen for others in a group and see where it fits into the pecking order. Devices participating in HSRP must progress their interfaces through the following state sequence:

1. Disabled

2. Init

3. Listen

4. Speak

5. Standby

6. Active

Only the standby (the one with the second-highest priority) router monitors the hello messages from the active router. By default, hellos are sent every 3 seconds. If hellos are missed for the duration of the holdtime timer (default 10 seconds, or three times the hello timer), the active router is presumed to be down. The standby router is then clear to assume the active role.

At that point, if other routers are sitting in the Listen state, the next-highest priority router is allowed to become the new standby router.

If you need to change the timer values, use the following interface configuration command. If you decide to change the timers on a router, you should change them identically on all routers in the HSRP group.

Switch(config-if)# standby group timers [msec] hello [msec] holdtime

The hello and holdtime values can be given in seconds or in milliseconds, if the msec keyword precedes a value. The hello time can range from 1 to 254 seconds or from 15 to 999 milliseconds. The holdtime always should be at least three times the hello timer, and can range from 1 to 255 seconds or 50 to 3000 milliseconds.

As an example, the following command can be used to set the hello time at 100 milliseconds and the holdtime to 300 milliseconds:

Switch(config-if)# standby 1 timers msec 100 msec 300

NOTE Be aware that decreasing the HSRP hello time allows a router failure to be detected more quickly. At the same time, HSRP hellos will be sent more often, increasing the amount of traffic on the interface.

Normally, after the active router fails and the standby becomes active, the original active router cannot immediately become active when it is restored. In other words, if a router is not already active, it cannot become active again until the current active router fails—even if its priority is higher than that of the active router. An interesting case arises when routers are just being powered up or added to a network. The first router to bring up its interface becomes the HSRP active router, even if it has the lowest priority of all.

You can configure a router to pre-empt or immediately take over the active role if its priority is the highest at any time. Use the following interface-configuration command to allow pre-emption:

Switch(config-if)# standby group preempt [delay [minimum seconds] [reload seconds]]

By default, the local router immediately can pre-empt another router that has the active role. To delay the pre-emption, use the delay keyword followed by one or both of the following parameters:

■ Add the minimum keyword to force the router to wait for seconds (0 to 3,600 seconds) before attempting to overthrow an active router with a lower priority. This delay time begins as soon as the router is capable of assuming the active role, such as after an interface comes up or after HSRP is configured.

■ Add the reload keyword to force the router to wait for seconds (0 to 3,600 seconds) after it has been reloaded or restarted. This is handy if there are routing protocols that need time to converge. The local router should not become the active gateway before its routing table is fully populated; otherwise, it might not be capable of routing traffic properly.

HSRP also can use an authentication method to prevent unexpected devices from spoofing or participating in HSRP. All routers in the same standby group must have an identical authentication method and key. You can use either plain-text or MD5 authentication, as described in the following sections.

Plain-Text HSRP Authentication

HSRP messages are sent with a plain-text key string (up to eight characters), as a simple method to authenticate HSRP peers. If the key string in a message matches the key configured on an HSRP peer, the message is accepted.

When keys are sent in the clear, they can be easily intercepted and used to impersonate legitimate peers. Plain-text authentication is intended only to prevent peers with a default configuration from participating in HSRP. Cisco devices use "cisco" as the default key string.

You can configure a plain-text authentication key for an HSRP group with the following interface configuration command:

Switch(config-if)# standby group authentication string

MD5 Authentication

A Message Digest 5 (MD5) hash is computed on a portion of each HSRP message and a secret key known only to legitimate HSRP group peers. The MD5 hash value is sent along with HSRP messages. As a message is received, the peer recomputes the hash of the expected message contents and its own secret key; if the hash values are identical, the message is accepted.

MD5 authentication is more secure than plain-text authentication because the hash value contained in the HSRP messages is extremely difficult (if not impossible) to reverse. The hash value itself is not used as a key; instead, the hash is used to validate the message contents.

You can configure MD5 authentication by associating a key string with an interface, using the following interface-configuration command:

Switch(config-if)# standby group authentication md5 key-string [0 | 7] string

By default, the key string (up to 64 characters) is given as plain text. This is the same as specifying the 0 keyword. After the key string is entered, it is shown as an encrypted value in the switch configuration. You also can copy and paste an encrypted key string value into this command by preceding the string with the 7 keyword.

Alternatively, you can define an MD5 key string as a key on a key chain. This method is more flexible, enabling you to define more than one key on the switch. Any of the keys then can be associated with HSRP on any interface. If a key needs to be changed, you simply add a new key to the key chain and retire (delete) an old key.

First define the key chain globally with the key chain command; then add one key at a time with the key and key-string commands. The key-number index is arbitrary, but keys are tried in sequential order. Finally, associate the key chain with HSRP on an interface by referencing its chain-name. You can use the following commands to configure HSRP MD5 authentication:

Switch(config)# key chain chain-name
Switch(config-keychain)# key key-number
Switch(config-keychain-key)# key-string [0 | 7] string
Switch(config)# interface type mod/num

Switch(config-if)# standby group authentication md5 key-chain chain-name

TIP HSRP MD5 authentication was introduced into some Catalyst switch platforms with Cisco IOS Software Release 12.2(25)S. At press time, this feature was available only on the Catalyst 3560 and 3750.

Conceding the Election

Consider an active router in an HSRP group: A group of clients sends packets to it for forwarding, and it has one or more links to the rest of the world. If one of those links fails, the router remains active. If all of those links fail, the router still remains active. But sooner or later, the path to the rest of the world is either crippled or removed, and packets from the clients no longer can be forwarded.

HSRP has a mechanism for detecting link failures and swaying the election, giving another router an opportunity to take over the active role. When a specific interface is tracked, HSRP reduces the router's priority by a configurable amount as soon as the interface goes down. If more than one interface is tracked, the priority is reduced even more with each failed interface. The priority is incremented by the same amount as interfaces come back up.

This is particularly useful when a switch has several paths out of a VLAN or subnet; as more interfaces fail and remove the possible paths, other HSRP peers should appear to be more desirable and take over the active role. To configure interface tracking, use the following interface configuration command:

Switch(config-if)# standby group track type mod/num [decrementvalue]

By default, the decrementvalue for an interface is 10. Keep in mind that interface tracking doesn't involve the state of the HSRP interface itself. Instead, the state of other specific interfaces affects the usefulness of the local router as a gateway. You also should be aware that the only way another router can take over the active role after interface tracking reduces the priority is if the following two conditions are met:

■ Another router now has a higher HSRP priority.

■ That same router is using preempt in its HSRP configuration. Without pre-emption, the active role cannot be given to any other router.
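The election rules above (highest priority wins, ties broken by the highest interface IP, an active router keeps the role unless a better router is configured to preempt, and interface tracking lowering the effective priority) can be exercised in a small simulation. This is an added example, not code from the book; the router names, addresses, tracked interface and decrement value are constructed for the walkthrough.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class HsrpRouter:
    name: str
    ip: str                      # unique interface address on the HSRP subnet
    priority: int = 100          # 'standby group priority' (default 100)
    preempt: bool = False        # 'standby group preempt' configured?
    tracked: dict = field(default_factory=dict)  # interface -> decrement value
    down: set = field(default_factory=set)       # tracked interfaces currently down

    def effective_priority(self) -> int:
        # Each failed tracked interface lowers the priority by its decrement
        # (default 10 on the page); it rises again when the interface recovers.
        lost = sum(dec for ifc, dec in self.tracked.items() if ifc in self.down)
        return max(0, self.priority - lost)


def rank(r: HsrpRouter):
    # Highest effective priority wins; ties go to the highest interface IP.
    return (r.effective_priority(), int(IPv4Address(r.ip)))


def elect(routers, current_active=None):
    """Return the router that holds the active role for one HSRP group.

    With no active router (fresh start, or the active one failed and is no
    longer in the list) the best ranked router wins.  An existing active
    router keeps the role unless a better ranked router is configured to
    preempt, which is the page's rule for conceding the election.
    """
    best = max(routers, key=rank)
    if current_active is None or current_active not in routers:
        return best
    if best is not current_active and best.preempt and rank(best) > rank(current_active):
        return best
    return current_active


def failover_walkthrough():
    """Constructed scenario: CatalystA tracks its uplink with decrement 60."""
    a = HsrpRouter("CatalystA", "192.168.1.10", 200, preempt=True, tracked={"Gi0/1": 60})
    b = HsrpRouter("CatalystB", "192.168.1.11", 150, preempt=True)
    active = elect([a, b])                          # A wins on priority 200 vs 150
    steps = [active.name]
    a.down.add("Gi0/1")                             # A's uplink fails: 200 - 60 = 140
    active = elect([a, b], current_active=active)   # B (150) preempts
    steps.append(active.name)
    a.down.discard("Gi0/1")                         # uplink recovers: A back to 200
    active = elect([a, b], current_active=active)   # A preempts the role back
    steps.append(active.name)
    return steps


if __name__ == "__main__":
    print(failover_walkthrough())  # ['CatalystA', 'CatalystB', 'CatalystA']
```

Remove the preempt flag from CatalystB in the walkthrough and it never takes over, no matter how far tracking lowers CatalystA's priority, which is the second condition listed above.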

HSRP Gateway Addressing

Each router in an HSRP group has its own unique IP address assigned to an interface. This address is used for all routing protocol and management traffic initiated by or destined to the router. In addition, each router has a common gateway IP address, the virtual router address, which is kept alive by HSRP. This address also is referred to as the HSRP address or the standby address. Clients can point to that virtual router address as their default gateway, knowing that a router always keeps that address active. Keep in mind that the actual interface address and the virtual (standby) address must be configured to be in the same IP subnet.

You can assign the HSRP address with the following interface command:

Switch(config-if)# standby group ip ip-address [secondary]

When HSRP is used on an interface that has secondary IP addresses, you can add the secondary keyword so that HSRP can provide a redundant secondary gateway address.

Naturally, each router keeps a unique MAC address for its interface. This MAC address is always associated with the unique IP address configured on the interface. For the virtual router address, HSRP defines a special MAC address of the form 0000.0c07.acxx, where xx represents the HSRP group number as a two-digit hex value. For example, HSRP Group 1 appears as 0000.0c07.ac01, HSRP Group 16 appears as 0000.0c07.ac10, and so on.
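The following decoder, added here as an example rather than taken from the book, reads an HSRP message in the RFC 2281 layout (the UDP port 1985 payload the page describes), derives the virtual MAC for the group, and reports the things a monitoring tool would want to flag: a peer whose plain-text key does not match, a peer still on the default "cisco" key, or timers and group values that disagree with the local configuration. The sample packet bytes, the expected key "MyKey" and the audit rules are constructed for this example.

```python
import struct
from dataclasses import dataclass

# RFC 2281 HSRP (version 1) packet: 20 fixed bytes, carried in UDP port 1985
# to 224.0.0.2.  Field order: version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte authentication data, 4-byte virtual IP.
HSRP_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_KEY = b"cisco"  # the default plain-text key string named on the page


@dataclass
class HsrpHello:
    version: int
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def virtual_mac(group: int) -> str:
    """HSRP virtual MAC 0000.0c07.acXX, XX = group number as two hex digits."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group number must be 0..255")
    return f"0000.0c07.ac{group:02x}"


def parse_hello(pkt: bytes) -> HsrpHello:
    """Decode one RFC 2281 HSRP message (the UDP payload, headers stripped)."""
    size = struct.calcsize(HSRP_FMT)
    if len(pkt) < size:
        raise ValueError(f"HSRP packet too short: {len(pkt)} < {size}")
    ver, op, st, hello, hold, prio, grp, _rsv, auth, vip = struct.unpack(HSRP_FMT, pkt[:size])
    return HsrpHello(ver, OPCODES.get(op, f"op{op}"), STATES.get(st, f"state{st}"),
                     hello, hold, prio, grp, auth.rstrip(b"\x00"), ".".join(map(str, vip)))


def audit_hello(h: HsrpHello, group: int, vip: str, key: bytes) -> list:
    """Findings a monitoring tool would log for a hello seen on the VLAN."""
    findings = []
    if h.auth != key:
        findings.append("authentication string does not match the configured key")
    if h.auth == DEFAULT_KEY:
        findings.append("peer still uses the default 'cisco' key string")
    if h.group != group or h.virtual_ip != vip:
        findings.append("group number or virtual IP differs from local configuration")
    if h.holdtime < 3 * h.hellotime:
        findings.append("holdtime is below three times the hello time")
    return findings


# Constructed sample (not a real capture): Active router, priority 200, group 1,
# hello 3 s / hold 10 s, default key "cisco", virtual IP 192.168.1.1.
SAMPLE_HELLO = (b"\x00\x00\x10\x03\x0a\xc8\x01\x00" + b"cisco".ljust(8, b"\x00")
                + bytes([192, 168, 1, 1]))

if __name__ == "__main__":
    h = parse_hello(SAMPLE_HELLO)
    print(h, virtual_mac(h.group), audit_hello(h, 1, "192.168.1.1", b"MyKey"))
```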

Figure 13-1 shows a simple network in which two multilayer switches use HSRP Group 1 to provide the redundant gateway address 192.168.1.1. CatalystA is the active router, with priority 200, and answers the ARP request for the gateway address. Because CatalystB is in the Standby state, it never is used for traffic sent to 192.168.1.1. Instead, only CatalystA performs the gateway routing function, and only its uplink to the access layer is utilized.

Figure 13-1 Typical HSRP Scenario with One HSRP Group

[Figure: CatalystA (VLAN 50, 192.168.1.10, MAC 0000.aaaa.aaaa) and CatalystB (VLAN 50, 192.168.1.11, MAC 0000.bbbb.bbbb) share HSRP Group 1 on VLAN 50. CatalystA sends the ARP replies for the gateway 192.168.1.1, answering with the virtual MAC 0000.0c07.ac01.]

Example 13-1 shows the configuration commands you can use on CatalystA. CatalystB would be configured similarly, except that its HSRP priority would use the default value of 100.

Example 13-1 Configuring an HSRP Group on a Switch

CatalystA(config)# interface vlan 50

CatalystA(config-if)# ip address 192.168.1.10 255.255.255.0

CatalystA(config-if)# standby 1 priority 200
CatalystA(config-if)# standby 1 preempt
CatalystA(config-if)# standby 1 ip 192.168.1.1

Load Balancing with HSRP

Consider a network in which HSRP is used on two distribution switches to provide a redundant gateway address for access-layer users. Only one of the two becomes the active HSRP router; the other remains in standby. All the users send their traffic to the active router over the uplink to the active router. The standby router and its uplink essentially sit idle until a router failure occurs.

Load balancing traffic across two uplinks to two HSRP routers with a single HSRP group is not possible. Then how is it possible to load balance with HSRP? The trick is to use two HSRP groups:

■ One group assigns an active router to one switch.

■ The other group assigns another active router to the other switch.

In this way, two different virtual router or gateway addresses can be used simultaneously. The rest of the trick is to make each switch function as the standby router for its partner's HSRP group. In other words, each router is active for one group and standby for the other group. The clients or end users also must have their default gateway addresses configured as one of the two virtual HSRP group addresses.

Figure 13-2 presents this scenario. Now, CatalystA is not only the active router for HSRP Group 1 (192.168.1.1), but it is also the standby router for HSRP Group 2 (192.168.1.2). CatalystB is configured similarly, but with its roles reversed. The remaining step is to configure half of the client PCs with the HSRP Group 1 virtual router address and the other half with the Group 2 address. This makes load balancing possible and effective. Each half of the hosts uses one switch as its gateway over one uplink.

Figure 13-2 Load Balancing with Two HSRP Groups

[Figure: CatalystA (VLAN 50, 192.168.1.10) and CatalystB (VLAN 50, 192.168.1.11) each serve as the active router for one HSRP group and the standby router for the other, so both uplinks to VLAN 50 carry traffic.]

Example 13-2 shows the configuration commands you can use for the scenario shown in Figure 13-2.

Example 13-2 Configuring Load Balancing Between HSRP Groups

CatalystA(config)# interface vlan 50

CatalystA(config-if)# ip address 192.168.1.10 255.255.255.0
CatalystA(config-if)# standby 1 priority 200
CatalystA(config-if)# standby 1 preempt
CatalystA(config-if)# standby 1 ip 192.168.1.1
CatalystA(config-if)# standby 1 authentication MyKey
CatalystA(config-if)# standby 2 priority 100
CatalystA(config-if)# standby 2 ip 192.168.1.2
CatalystA(config-if)# standby 2 authentication MyKey

CatalystB(config)# interface vlan 50

CatalystB(config-if)# ip address 192.168.1.11 255.255.255.0
CatalystB(config-if)# standby 1 priority 100
CatalystB(config-if)# standby 1 ip 192.168.1.1
CatalystB(config-if)# standby 1 authentication MyKey
CatalystB(config-if)# standby 2 priority 200
CatalystB(config-if)# standby 2 preempt
CatalystB(config-if)# standby 2 ip 192.168.1.2
CatalystB(config-if)# standby 2 authentication MyKey

You can use the following command to display information about the status of one or more HSRP groups and interfaces:

Router# show standby [brief] [vlan vlan-id | type mod/num]

Based on the configuration in Example 13-2, the output in Example 13-3 shows that the CatalystA switch is the active router for HSRP group 1 and the standby router for HSRP group 2 on interface VLAN 50.

Example 13-3 Displaying the HSRP Router Role of a Switch: CatalystA

CatalystA# show standby vlan 50 brief
                     P indicates configured to preempt.
Interface   Grp Prio P State    Active addr     Standby addr    Group addr
Vl50        1   200  P Active   local           192.168.1.11    192.168.1.1
Vl50        2   100    Standby  192.168.1.11    local           192.168.1.2
CatalystA#
CatalystA# show standby vlan 50
Vlan50 - Group 1
  Local state is Active, priority 200, may preempt
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 2.248
  Virtual IP address is 192.168.1.1 configured
  Active router is local
  Standby router is 192.168.1.11 expires in 9.860
  Virtual mac address is 0000.0c07.ac01
  Authentication text "MyKey"
  2 state changes, last state change 00:11:58
  IP redundancy name is "hsrp-Vl50-1" (default)
Vlan50 - Group 2
  Local state is Standby, priority 100
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 1.302
  Virtual IP address is 192.168.1.2 configured
  Active router is 192.168.1.11, priority 200 expires in 7.812
  Standby router is local
  Authentication text "MyKey"
  4 state changes, last state change 00:10:04
  IP redundancy name is "hsrp-Vl50-2" (default)
CatalystA#

The output from CatalystB in Example 13-4 shows that it has inverted roles from CatalystA for HSRP groups 1 and 2.

Example 13-4 Displaying the HSRP Router Role of a Switch: CatalystB

CatalystB# show standby vlan 50 brief
                     P indicates configured to preempt.
Interface   Grp Prio P State    Active addr     Standby addr    Group addr
Vl50        1   100    Standby  192.168.1.10    local           192.168.1.1
Vl50        2   200  P Active   local           192.168.1.10    192.168.1.2
CatalystB#
CatalystB# show standby vlan 50
Vlan50 - Group 1
  Local state is Standby, priority 100
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 0.980
  Virtual IP address is 192.168.1.1 configured
  Active router is 192.168.1.10, priority 200 expires in 8.128
  Standby router is local
  Authentication text "MyKey"
  1 state changes, last state change 00:01:12
  IP redundancy name is "hsrp-Vl50-1" (default)
Vlan50 - Group 2
  Local state is Active, priority 200, may preempt
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 2.888
  Virtual IP address is 192.168.1.2 configured
  Active router is local
  Standby router is 192.168.1.10 expires in 8.500
  Virtual mac address is 0000.0c07.ac02
  Authentication text "MyKey"
  1 state changes, last state change 00:01:16
CatalystB#
