Hot Standby Router Protocol (HSRP) is Cisco's standard way of providing redundancy for IP hosts on a LAN that are configured with a default gateway address. It enables a set of router interfaces to work together to present the appearance of a single virtual router, or default gateway, to the hosts on the LAN.
A single router that is elected from the group is responsible for the forwarding of the packets that hosts send to the virtual router. This router is known as the active router. Another router is elected as the standby router. If the active router fails, the standby assumes the packet forwarding duties. Although an arbitrary number of routers may run HSRP, only the active router forwards the packets that are sent to the virtual router IP address.
Routers that run HSRP communicate HSRP information with each other through HSRP hello packets. These packets are sent to the destination IP multicast address 224.0.0.2 on User Datagram Protocol (UDP) port 1985. 224.0.0.2 is the reserved multicast address used to reach all routers on the segment. The active router sources hello packets from its configured IP address and the HSRP virtual MAC address. The standby router sources hellos from its configured IP address and its burned-in MAC address (BIA). This use of source addressing is necessary so that HSRP routers can correctly identify each other.
The virtual MAC address is composed as 0000.0c07.ac**, where ** is the HSRP group number in hexadecimal, per interface. For example, HSRP group 1 uses the HSRP virtual MAC address 0000.0c07.ac01. Hosts on the adjoining LAN segment use the normal Address Resolution Protocol (ARP) process to resolve the associated MAC addresses.
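To make the hello format and the virtual MAC rule concrete, here is an added Python example (not code from the original post or from Cisco) that decodes the 20-byte HSRPv1 UDP payload defined in RFC 2281, derives the group's virtual MAC, and runs the sanity checks a defender would apply to a captured hello: the group, virtual IP and authentication string must match what the segment is configured with, and a hello claiming the Active state must be sourced from the virtual MAC. The sample packet is constructed for group 1 with a documentation-range virtual IP; the field layout and the default "cisco" authentication string come from RFC 2281, and the check function and its names are this example's own.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# HSRPv1 constants (RFC 2281 and the text above)
HSRP_V1_MCAST = "224.0.0.2"
HSRP_UDP_PORT = 1985
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


@dataclass
class HsrpV1Packet:
    opcode: str
    state: str
    hellotime: int      # seconds
    holdtime: int       # seconds
    priority: int
    group: int
    auth: str           # 8-byte cleartext authentication field, NUL padded
    virtual_ip: str


def v1_virtual_mac(group: int) -> str:
    """Virtual MAC of an HSRPv1 group: 0000.0c07.acXX, XX = group in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group number must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def parse_hsrp_v1(payload: bytes) -> HsrpV1Packet:
    """Decode the HSRPv1 UDP payload: version, opcode, state, hellotime,
    holdtime, priority, group, reserved, 8-byte auth data, 4-byte virtual IP."""
    if len(payload) < 20:
        raise ValueError("truncated HSRP packet")
    (version, opcode, state, hello, hold, prio, group, _reserved,
     auth, vip) = struct.unpack("!8B8s4s", payload[:20])
    if version != 0:  # RFC 2281 puts 0 in the version field for HSRPv1
        raise ValueError(f"unexpected HSRP version field {version}")
    return HsrpV1Packet(
        opcode=OPCODES.get(opcode, f"unknown({opcode})"),
        state=STATES.get(state, f"unknown({state})"),
        hellotime=hello, holdtime=hold, priority=prio, group=group,
        auth=auth.rstrip(b"\x00").decode("ascii", errors="replace"),
        virtual_ip=str(IPv4Address(vip)),
    )


def check_hello(pkt: HsrpV1Packet, src_mac: str, expected_group: int,
                expected_vip: str, expected_auth: str = "cisco") -> list:
    """Defender-side checks on a decoded hello; returns a list of findings
    (empty means the hello looks like it came from a configured group member)."""
    findings = []
    if pkt.group != expected_group:
        findings.append(f"group {pkt.group} seen, expected {expected_group}")
    if pkt.virtual_ip != expected_vip:
        findings.append(f"virtual IP {pkt.virtual_ip} != {expected_vip}")
    if pkt.auth != expected_auth:
        findings.append("authentication string does not match group configuration")
    if pkt.state == "Active" and src_mac.lower() != v1_virtual_mac(pkt.group):
        findings.append(f"active hello not sourced from virtual MAC {v1_virtual_mac(pkt.group)}")
    if pkt.holdtime <= pkt.hellotime:
        findings.append("hold time must be greater than hello time")
    return findings


# Constructed sample (not a real capture): an Active hello for group 1,
# default timers 3/10 s, default priority 100, default auth "cisco",
# virtual IP 192.0.2.254.
SAMPLE_HELLO = (bytes([0, 0, 16, 3, 10, 100, 1, 0])
                + b"cisco".ljust(8, b"\x00")
                + bytes(int(o) for o in "192.0.2.254".split(".")))

if __name__ == "__main__":
    pkt = parse_hsrp_v1(SAMPLE_HELLO)
    print(pkt)
    print(check_hello(pkt, "0000.0c07.ac01", 1, "192.0.2.254"))
```

The source-MAC check is the one the text motivates: because the active router must send from the virtual MAC, a hello in Active state arriving from a burned-in address is an immediate sign that something other than a configured group member is answering for the gateway.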
Even though an HSRP group can consist of multiple layer 3 devices, in a typical enterprise environment the distribution block (two aggregation switches) is configured with HSRP to provide gateway redundancy to all access-layer VLANs. Below is a typical topology on which we are going to see how to configure HSRP.
When choosing the HSRP active router for a VLAN, it is always a good idea to make the spanning-tree root for that VLAN the HSRP active router as well.
DS01 vlan 50
interface Vlan50
 ip address 10.10.50.251 255.255.255.0

DS02 vlan 50
interface Vlan50
 ip address 10.10.50.252 255.255.255.0

DS02(config)#do sh span vlan 50
VLAN0050
  Spanning tree enabled protocol ieee
  Root ID    Priority    50
             Address     001a.e3a7.ff00
             This bridge is the root
To configure the HSRP parameters on this interface you use the command syntax “standby <HSRP_Group> <HSRP_Parameter>“. All configurable options are shown below (a few commonly configured features are highlighted).
CAT2(config-if)#standby ?
  <0-255>         group number
  authentication  Authentication
  delay           HSRP initialisation delay
  follow          Name of HSRP group to follow
  ip              Enable HSRP IPv4 and set the virtual IP address
  mac-refresh     Refresh MAC cache on switch by periodically sending packet from virtual mac address
  name            Redundancy name string
  preempt         Overthrow lower priority Active routers
  priority        Priority level
  redirect        Configure sending of ICMP Redirect messages with an HSRP virtual IP address as the gateway IP address
  timers          Hello and hold timers
  track           Priority tracking
  version         HSRP version
As a minimum you need to configure “standby <group> ip <virtual-IP>” in order to activate HSRP on an interface. In this example we will configure HSRP group number 50 (a value between 0 and 255). Therefore the virtual MAC address should be 0000.0c07.ac32 (50 in hex is 32). If you don't specify a group number, group 0 is assumed. So we configure the “standby 50 ip 10.10.50.250” command on the DS01 & DS02 vlan 50 interfaces. You can verify the status of this HSRP group by issuing the “show standby vlan 50” command as shown below.
DS01#show standby vlan 50
Vlan50 - Group 50
  State is Standby
    3 state changes, last state change 00:08:02
  Virtual IP address is 10.10.50.250
  Active virtual MAC address is 0000.0c07.ac32
    Local virtual MAC address is 0000.0c07.ac32 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.192 secs
  Preemption disabled
  Active router is 10.10.50.252, priority 100 (expires in 8.368 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "hsrp-Vl50-50" (default)

DS02#show standby vlan 50
Vlan50 - Group 50
  State is Active
    2 state changes, last state change 00:11:40
  Virtual IP address is 10.10.50.250
  Active virtual MAC address is 0000.0c07.ac32
    Local virtual MAC address is 0000.0c07.ac32 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.632 secs
  Preemption disabled
  Active router is local
  Standby router is 10.10.50.251, priority 100 (expires in 8.816 sec)
  Priority 100 (default 100)
  Group name is "hsrp-Vl50-50" (default)
Here is the Wireshark packet capture of an HSRP Hello packet with these default settings.
As you can see, DS02 has become the active HSRP router. The HSRP priority value determines who becomes active; in this case both have the same default priority of 100. If you want to ensure DS02 becomes HSRP active for this VLAN you can configure a higher priority value (between 1 and 255) on DS02. You can do that with “standby 50 priority 200” on the DS02 vlan 50 interface.
In the event of a DS02 failure, DS01 will assume the HSRP active role. But even when DS02 comes back after the failure, DS01 will still be acting as the active router. If you want to change this behaviour (i.e. make DS02 active again whenever it is available) you have to configure “preempt” on DS02, with the “standby 50 preempt” command. When configuring preempt you can specify a delay before preempting. It is good practice to think about your STP/IGP convergence and set a value suitable for your environment; otherwise leave the default settings.
CAT2(config-if)#standby 50 preempt delay ?
  minimum  Delay at least this long
  reload   Delay after reload
  sync     Wait for IP redundancy clients
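The priority and preempt behaviour described above can be checked against a small model. The following Python is an added example (not from the original post or from Cisco IOS) that elects an active router from a group and replays the DS01/DS02 scenario: DS02 fails, then comes back. It assumes, which the text does not state, that both switches start at the same time, so the initial election is decided by priority with the higher interface IP as tie-breaker; the class and function names are the example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100     # "standby <group> priority", default 100
    preempt: bool = False   # "standby <group> preempt"
    up: bool = True


class HsrpGroup:
    """Toy model of one HSRP group's active-router election.

    Assumption (not from the article): all members come up together, so the
    first election is by priority, ties broken by the higher interface IP.
    """

    def __init__(self, routers: List[HsrpRouter]):
        self.routers = {r.name: r for r in routers}
        self.active: Optional[HsrpRouter] = None
        self.elect()

    @staticmethod
    def _rank(r: HsrpRouter):
        return (r.priority, int(IPv4Address(r.ip)))

    def _best(self) -> Optional[HsrpRouter]:
        up = [r for r in self.routers.values() if r.up]
        return max(up, key=self._rank) if up else None

    def elect(self) -> Optional[str]:
        """Re-run the election after a change.

        A live active router keeps the role unless a member with a strictly
        higher priority AND preempt enabled is present; with the active
        router down, the best remaining member takes over."""
        if self.active is not None and self.active.up:
            best = self._best()
            if (best is not self.active and best.preempt
                    and best.priority > self.active.priority):
                self.active = best
        else:
            self.active = self._best()
        return self.active.name if self.active else None

    def set_link(self, name: str, up: bool) -> Optional[str]:
        self.routers[name].up = up
        return self.elect()


def failover_sequence(ds02_priority: int, ds02_preempt: bool) -> List[str]:
    """Active router at start, after DS02 fails, and after DS02 returns."""
    group = HsrpGroup([
        HsrpRouter("DS01", "10.10.50.251"),
        HsrpRouter("DS02", "10.10.50.252", priority=ds02_priority,
                   preempt=ds02_preempt),
    ])
    return [group.elect(),
            group.set_link("DS02", False),
            group.set_link("DS02", True)]


if __name__ == "__main__":
    print(failover_sequence(100, False))  # defaults: DS02 active on the IP tie-break
    print(failover_sequence(200, False))  # DS02 preferred, but DS01 keeps the role
    print(failover_sequence(200, True))   # preempt: DS02 takes the role back
```

The second scenario is the one the text warns about: a higher priority alone does not return the role to DS02 once DS01 holds it; only preempt does, and in a real network the preempt delay should be long enough for STP and the IGP to converge first.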
If you want to make sure this HSRP group is secure, you can configure authentication for the HSRP communication. Use the MD5 option; plain-text authentication carries the key in the clear in every hello.
DS02(config-if)#standby 50 authentication ?
  md5   Use MD5 authentication
  text  Plain text authentication

DS02(config-if)#standby 50 authentication md5 ?
  key-chain   Set key chain
  key-string  Set key string

*** This is how you do it with a Key String ***
DS02(config-if)#standby 50 authentication md5 key-string 0 MRN-CCIEW

*** This is how you do it with a Key-Chain ***
DS02(config-if)#standby 50 authentication md5 key-chain MRN
DS02(config)#key chain MRN
DS02(config-keychain)#?
Key-chain configuration commands:
  default  Set a command to its defaults
  exit     Exit from key-chain configuration mode
  key      Configure a key
  no       Negate a command or set its defaults

DS02(config-keychain)#key ?
  <0-2147483647>  Key identifier

DS02(config-keychain)#key 1 ?
  <cr>

DS02(config-keychain)#key 1
DS02(config-keychain-key)#?
Key-chain key configuration commands:
  accept-lifetime  Set accept lifetime of key
  default          Set a command to its defaults
  exit             Exit from key-chain key configuration mode
  key-string       Set key string
  no               Negate a command or set its defaults
  send-lifetime    Set send lifetime of key

DS02(config-keychain-key)#key-string ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password

DS02(config-keychain-key)#key-string 0 MRN
As you can see, the default Hello Time is 3 s and the default Hold Time is 10 s. If you want the HSRP failover to occur more quickly you can lower these values. In seconds, the minimum Hello Time is 1 s; to go faster still, you can specify the Hello Time in milliseconds.
DS02(config-if)#standby 50 timers ?
  <1-254>  Hello interval in seconds
  msec     Specify hello interval in milliseconds

*** How to set Hello Time 333 ms & Hold Time 1 s (or 1000 ms) ***
DS02(config-if)#standby 50 timers msec 333 msec 1000
Make sure you change these timer values on all routers in the same HSRP group. There are two versions of HSRP, version 1 and version 2. Version 1 is the default if you do not specify a version; in our example you would switch with the “standby 50 version 2” command. What are the differences between v1 and v2? Here is the full list.
1. In HSRP version 1, millisecond timer values are not advertised or learned. HSRP version 2 advertises and learns millisecond timer values. This change ensures stability of the HSRP groups in all cases.
2. The group numbers in version 1 are restricted to the range from 0 to 255. HSRP version 2 expands the group number range to 0 to 4095. Accordingly, a new MAC address range is used, 0000.0C9F.Fyyy, where yyy = 000-FFF (0-4095).
3. HSRP version 2 uses the new IP multicast address 224.0.0.102 to send hello packets instead of the multicast address 224.0.0.2, which is used by version 1.
4. HSRP version 2 packet format includes a 6-byte identifier field that is used to uniquely identify the sender of the message. Typically, this field is populated with the interface MAC address. This improves troubleshooting network loops and configuration errors.
5. HSRP version 2 allows for future support of IPv6.
6. HSRP version 2 has a different packet format than HSRP version 1. The packet format uses a type-length-value (TLV) format. HSRP version 2 packets received by an HSRP version 1 router will have the type field mapped to the version field by HSRP version 1, and subsequently ignored.
7. Note that HSRP version 2 will not interoperate with HSRP version 1. However, the different versions can be run on different physical interfaces of the same router.
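Items 1 to 3 above are the ones that matter when planning a migration, and they can be captured in a few lines. The Python below is an added example (not from the original post or from Cisco) that derives the per-version group parameters: the valid group range, the virtual MAC (0000.0c07.acXX for v1, 0000.0c9f.fXXX for v2), the hello multicast address, and what timer values peers can actually learn from the hello. The function names are the example's own; the v1 timer fields being whole seconds in one byte each is from RFC 2281, and v2 advertising milliseconds follows item 1.

```python
from typing import Optional


def virtual_mac(version: int, group: int) -> str:
    """Virtual MAC of a group, checking the group range for the version."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be 0-4095")
        return f"0000.0c9f.f{group:03x}"
    raise ValueError("HSRP version must be 1 or 2")


def multicast_address(version: int) -> str:
    """Destination of hello packets: all-routers for v1, HSRPv2's own group for v2."""
    return {1: "224.0.0.2", 2: "224.0.0.102"}[version]


def advertised_timers(version: int, hello_ms: int, hold_ms: int) -> Optional[dict]:
    """What a peer can learn from the hello.

    v1 carries hello and hold as whole seconds (one byte each, RFC 2281), so
    millisecond timers are not advertised or learned (item 1 above) and every
    member must be configured locally.  v2 advertises milliseconds."""
    if hold_ms <= hello_ms:
        raise ValueError("hold time must exceed hello time")
    if version == 2:
        return {"hello_ms": hello_ms, "hold_ms": hold_ms}
    if hello_ms % 1000 or hold_ms % 1000:
        return None  # sub-second timers cannot be expressed in a v1 hello
    return {"hello_s": hello_ms // 1000, "hold_s": hold_ms // 1000}


def group_parameters(version: int, group: int,
                     hello_ms: int = 3000, hold_ms: int = 10000) -> dict:
    """Everything a peer must agree on for the group to form."""
    return {
        "version": version,
        "group": group,
        "virtual_mac": virtual_mac(version, group),
        "multicast": multicast_address(version),
        "learned_timers": advertised_timers(version, hello_ms, hold_ms),
    }


if __name__ == "__main__":
    # The article's group 50 with 333 ms / 1 s timers, in both versions.
    print(group_parameters(1, 50, 333, 1000))
    print(group_parameters(2, 50, 333, 1000))
```

Because the virtual MAC and the multicast address both change with the version, a v1 member and a v2 member of "the same" group never see each other's hellos, which is the interoperability limit item 7 describes.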
It looks like the 3750 switch does not support an HSRPv2 configuration (the virtual MAC reservation fails):
CAT2(config-if)#do sh standby vlan 50
Vlan50 - Group 50 (version 2)
  State is Init (virtual MAC reservation failed)
    3 state changes, last state change 00:06:25
  Virtual IP address is 10.10.50.250
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c9f.f032 (v2 default)
  Hello time 333 msec, hold time 1 sec
  Authentication MD5, key-chain "MRN"
  Preemption enabled
  Active router is unknown
  Standby router is unknown
  Priority 200 (configured 200)
  Group name is "hsrp-Vl50-50" (default)
So here is my final configuration of the two switches, in HSRPv1 config.
IN DS01
key chain MRN
 key 1
  key-string MRN-CCIEW
!
interface Vlan50
 ip address 10.10.50.251 255.255.255.0
 standby 50 ip 10.10.50.250
 standby 50 timers msec 333 1
 standby 50 authentication md5 key-chain MRN

IN DS02
key chain MRN
 key 1
  key-string MRN-CCIEW
!
interface Vlan50
 ip address 10.10.50.252 255.255.255.0
 standby 50 ip 10.10.50.250
 standby 50 timers msec 333 1
 standby 50 priority 200
 standby 50 preempt
 standby 50 authentication md5 key-chain MRN
You can find more useful information in the HSRP FAQ document from Cisco.
Excellent write up. Loved every bit of it, especially the src/dst ip/mac.
Thanks for the feedback…
Thanks for your post. It solves my HSRP problem.
If an access switch uplink to DS01 has failed how can we configure fail over so that DS02 become the active switch for vlan 50 using best practices?
As long as DS01-DS02 connected via trunk link & vlan 50 defined on both switches with HSRP config on SVI, you should be good.
Enable preemption with higher priority, if you want a particular switch to be active when both switches are up.
Great article! Can HSRP be used with WLC’s in HA/SSO configuration? e.g. WLC-Active connected to SW-A and WLC-Standby connected to SW-B sharing the same HSRP gateway?
Great post! Can this be used with WLC HA/SSO configuration, where each WLC of the pair is connected to a separate switch sharing the same HSRP subnet and gateway?
You cannot connect a WLC to two different switches, unless those two switches are part of the same VSS pair.
Phil Ray said:
I don’t mean 1 WLC to 2 different switches but WLCa to switch A and WLCb to switch B where WLC’s A and B are an HA pair.
That is not supported.
Nice Article! If the Interface status of Active Router is UP but the Link protocol is down, will the Standby Router be able to detect that and take over the role of the Active Router?