Though there are two physical switches shown with local IP Addresses configured, these represent a single “Virtual Router” as seen by hosts on the LAN, with a single shared IP Address between both devices.
Fundamentals of Hot Standby Router Protocol (HSRP) / Operation explained
HSRP is a Cisco proprietary protocol defined by RFC 2281, which allows for two or more switches to be configured to be part of an HSRP group, which form a single “Virtual Router” to provide High-Availability / Fault-Tolerant gateway redundancy for the LAN segment.
The HSRP group elects both an “Active Router” and a “Standby Router” from the group based first on highest Priority value, then by highest assigned IP Address on the network segment HSRP is configured on (SVI, L3 Interface, etc), a higher value being preferred for both the Priority and the configured IP Address during the election.
Each instance of HSRP configured on a switch is referred to as a Router Group, the switches in these Router Groups are referred to as Router Group Members.
The Active Router handles all the workload as the default gateway of the LAN segment, the job of the Standby Router is to take over if the Active Router were to fail, all other Router Group members go into a “Listen” state where they do not send any Hellos but rather listen for them from the Active and Standby routers.
The “Active” and “Standby” Routers send Hellos every 3 seconds by default to Multicast “All Routers” IP Address of 224.0.0.2 via UDP Port 1985, which contains HSRP status information for the local switch, which is sent in a unique way so Router Group members can identify each other with the following “Source” Addressing method:
- All Routers will use the IP Address on the HSRP enabled interface as the Source IP when sending Hellos, this includes Active / Standby Routers, as well as Router Group members in “Listen” state once they begin sending Hellos if an election takes place
- The Active Router uses the Virtual Router MAC Address as its Source MAC
- The Standby Router uses its BIA MAC Address as its Source MAC
Any devices or hosts downstream from the HSRP enabled switches will only see the Virtual Router addressing information for both Layer 2 and Layer 3 communication.
HSRP requires a Layer 3 interface on the switch that contains an IP Address for the network segment it will be acting as the gateway for, this can be a L3 Routed Port / SVI Interface / L3 EtherChannel, the assigned IP Address of the Layer 3 interface cannot be used for the Virtual Router IP configuration.
The Virtual Router IP CANNOT be assigned the same IP Address configured on the L3 Interface, the CLI will reject the command, and will not enable HSRP on the interface.
The Virtual MAC Address is made up of a well known HSRP MAC Address, followed with a two character Hex field representing the group number in the following format:
0000.0C07.ACxx
The leading 0000.0C07.AC is the well known address for HSRP, and the trailing xx is the Hex value of the HSRP group #, the group # being a value between 0 – 255.
For information on Hex to Decimal conversion, my post on that can be found here.
There is also a method of load-sharing with HSRP called Multiple HSRP or MHSRP, where multiple instances or HSRP groups are configured on the same switch with a different Virtual IP Address, that can be used to load-balance LAN traffic by pointing one segment of hosts at Group A and the other segment of hosts at Group B.
MHSRP will be covered in a separate post, but I wanted to bring it up here, as one good detail to know for HSRP is that a maximum of 64 instances of HSRP can be configured on a single switch.
This seems like prime exam question territory as the group number range is 0-255, however the maximum number configurable on a switch is 64, and is different in Version 2 which will be covered briefly just below.
One last note speaking of Version 2, HSRP Version 1 and Version 2 are not inter-operable, you must either run Version 1 or Version 2 across all members of the HSRP group.
Here is a quick list of default values for HSRP, bullet point style:
- Hello time = 3 seconds
- Hold time = 10 seconds
- Version # = Version 1
- Group # = 0
- Priority = 100
- Track interface Priority = 10 (will be discussed in a later post)
- MAC Address = 0000.0C07.ACxx
A brief review of HSRP Version 2 details in bullet point format
I won’t go into detail for Version 2, but some basic differences to know for exam day:
- HSRP Version 2 uses Multicast Address 224.0.0.102 for Hello traffic
- HSRP Version 2 advertises and learns millisecond timer values
- HSRP Version 2 allows for group numbers ranging from 0 – 4095
- HSRP Version 2 uses a different well known MAC for this expanded group # range, the Version 2 format being 0000.0C9F.Fxxx <- 3 Hex characters for expanded range
- HSRP Version 2 must be configured manually on the interface, as Ver 1 is default
I may add more to this, but I don’t think it is worth committing to memory for exam day beyond this basic information, there is plenty more to focus on with Version 1!
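The two Virtual MAC formats above (Version 1 and Version 2) worked through in Python, as an added example that is not part of the original post: it builds the Virtual MAC for a group number and, in reverse, recognises HSRP Virtual MACs in a list of addresses. The function names and the sample address list are assumptions made for the illustration.

```python
import re

# Well known prefixes quoted in the post: v1 0000.0C07.ACxx, v2 0000.0C9F.Fxxx
V1_PREFIX, V2_PREFIX = 0x00000C07AC00, 0x00000C9FF000
MAX_GROUP = {1: 255, 2: 4095}

# Constructed sample of addresses as they might be copied from a MAC address table.
SAMPLE_MACS = ["0000.0c07.ac0a", "00:1b:54:aa:bb:cc", "0000.0C9F.F064"]


def virtual_mac(group, version=1):
    """Return the HSRP Virtual MAC (Cisco dotted notation) for a group number."""
    if version not in MAX_GROUP:
        raise ValueError(f"unknown HSRP version {version}")
    if not 0 <= group <= MAX_GROUP[version]:
        raise ValueError(f"group {group} out of range for HSRP v{version}")
    value = (V1_PREFIX if version == 1 else V2_PREFIX) | group
    digits = f"{value:012x}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def classify_mac(mac):
    """Return (version, group) for an HSRP Virtual MAC, or None for any other MAC."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    value = int(digits, 16)
    if value & ~0xFF == V1_PREFIX:      # last 2 hex digits carry the v1 group
        return 1, value & 0xFF
    if value & ~0xFFF == V2_PREFIX:     # last 3 hex digits carry the v2 group
        return 2, value & 0xFFF
    return None


def hsrp_groups_seen(macs):
    """Return {mac: (version, group)} for the entries that are HSRP Virtual MACs."""
    return {m: c for m in macs if (c := classify_mac(m)) is not None}


if __name__ == "__main__":
    print(virtual_mac(10), virtual_mac(10, version=2))
    print(hsrp_groups_seen(SAMPLE_MACS))
```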
A basic HSRP Standby Group configuration and verification output reviewed
To start the configuration, a Layer 3 interface with an IP Address is needed:
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#int vlan 10
SW1(config-if)#ip add 10.0.10.1 255.255.255.0
SW1(config-if)#no shut
SW1(config-if)#
*Mar 1 00:07:53.746: %LINK-3-UPDOWN: Interface Vlan10, changed state to up
SW1(config-if)#
*Mar 1 00:07:53.755: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
SW1(config-if)#
This SVI interface is now ready for HSRP configuration, which I’ll start with the absolute most basic configuration needed for HSRP to be enabled on the interface:
SW1(config-if)#standby ?
<0-255> group number
authentication Authentication
delay HSRP initialisation delay
follow Name of HSRP group to follow
ip Enable HSRP IPv4 and set the virtual IP address
mac-refresh Refresh MAC cache on switch by periodically sending packet
from virtual mac address
name Redundancy name string
preempt Overthrow lower priority Active routers
priority Priority level
redirect Configure sending of ICMP Redirect messages with an HSRP
virtual IP address as the gateway IP address
timers Hello and hold timers
track Priority tracking
version HSRP version
SW1(config-if)#standby ip ?
A.B.C.D Virtual IP address
<cr>
SW1(config-if)#standby ip
The command “standby ip” issued at interface level is all that is needed to configure or enable HSRP on a switch, once enabled it will go into a “Learn” state where it is trying to learn the Virtual Router IP information from fellow HSRP group members on the LAN, with a catch!
Switches can only Learn a Virtual IP from a member of the same Router Group, so another switch would need to also be in the default Router Group 0, and be reachable via VLAN 10 (no pruning on the path) to receive its Virtual IP.
After configuring this most basic group configuration, I review the “show standby” output which is the main verification command for HSRP:
SW1(config-if)#do sh standby
Vlan10 - Group 0
State is Learn
Virtual IP address is unknown
Active virtual MAC address is unknown
Local virtual MAC address is 0000.0c07.ac00 (v1 default)
Hello time 3 sec, hold time 10 sec
Preemption disabled
Active router is unknown
Standby router is unknown
Priority 100 (default 100)
Group name is "hsrp-Vl10-0" (default)
SW1(config-if)#
Everything is at the default values stated in the Fundamentals section, and also the state is in “Learn” until it receives a Hello with Virtual Router / IP information, from a member of default Router Group 0 on VLAN 10.
To enable HSRP on a switch, all that is needed is “standby ip” on a Layer 3 interface.
I’ve removed that basic configuration, and will walk through a more complete configuration on SW1, as SW2 has already been configured with the same HSRP settings as will be demonstrated on SW1 to reduce output clutter.
Going step by step with IOS help along the way on SVI VLAN 10:
SW1(config-if)#standby ?
<0-255> group number
authentication Authentication
delay HSRP initialisation delay
follow Name of HSRP group to follow
ip Enable HSRP IPv4 and set the virtual IP address
mac-refresh Refresh MAC cache on switch by periodically sending packet
from virtual mac address
name Redundancy name string
preempt Overthrow lower priority Active routers
priority Priority level
redirect Configure sending of ICMP Redirect messages with an HSRP
virtual IP address as the gateway IP address
timers Hello and hold timers
track Priority tracking
version HSRP version
SW1(config-if)#standby 10 ?
authentication Authentication
follow Name of HSRP group to follow
ip Enable HSRP IPv4 and set the virtual IP address
name Redundancy name string
preempt Overthrow lower priority Active routers
priority Priority level
timers Hello and hold timers
track Priority tracking
SW1(config-if)#standby 10 ip ?
A.B.C.D Virtual IP address
<cr>
SW1(config-if)#standby 10 ip 10.0.10.254 ?
secondary Make this IP address a secondary virtual IP address
<cr>
SW1(config-if)#standby 10 ip 10.0.10.254
SW1(config-if)#
Note that this time, the group # is defined first, then the IP Address.
When configuring by IP address, you cannot put in a group # after:
SW1(config-if)#standby ip 10.0.10.100 ?
secondary Make this IP address a secondary virtual IP address
<cr>
This will default the group # again to 0, so for a group # that is not 0, you will want to specify that first and then define the IP Address to enable HSRP on the interface.
Now to review the output of the configuration using “show standby” again:
SW1(config-if)#do sh standby
Vlan10 - Group 10
State is Standby
2 state changes, last state change 00:02:57
Virtual IP address is 10.0.10.254
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.784 secs
Preemption disabled
Active router is 10.0.10.2, priority 100 (expires in 8.624 sec)
Standby router is local
Priority 100 (default 100)
Group name is "hsrp-Vl10-10" (default)
SW1(config-if)#
I could just about highlight the whole output for valuable information, however it can be seen the Virtual IP Address is now configured along with a unique group #, and the Virtual MAC now has “0a” as the group # in Hex format.
It shows the Active Router is SW2 with its local IP 10.0.10.2 and Priority 100, and the standby router is the local router, with additional info such as # of state changes / time since last state change / Timer information / Group “name” / Priority / Etc.
Note that state changes should only increment when changes are made to the group, so if that is continually rising, it indicates something is “flapping” in the configuration, as once it is stable the state changes should not increment unless configurations are updated for the group.
Some possible random gotchas with the basic configuration
If a different Virtual IP Address is entered on a switch with a group # that is already live on the network, there will be a continual console output message until it is fixed:
SW1(config-if)#standby 10 ip 10.0.10.245
SW1(config-if)#
*Mar 1 01:17:08.489: %HSRP-4-DIFFVIP1: Vlan10 Grp 10 active routers virtual IP address 10.0.10.254 is different to the locally configured address 10.0.10.245
SW1(config-if)#
It WILL still join group 10 with a different Virtual IP for itself, which means if fail over occurs, the hosts with a default gateway of 10.0.10.254 will no longer be able to reach the gateway because of this mismatching Virtual IP.
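A check for the mismatch described above, added here as an example and not part of the original post: it decodes HSRP Version 1 messages and compares the advertised group and Virtual IP with the intended design. The field layout is taken from RFC 2281 rather than from this post; the payloads, the EXPECTED table and the function names are constructed for the illustration.

```python
import socket
import struct

STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}

# Intended design (assumption for this example): group 10 on VLAN 10, as in the post.
EXPECTED = {10: {"virtual_ip": "10.0.10.254", "members": {"10.0.10.1", "10.0.10.2"}}}

# Constructed 20-byte payloads: Active SW2 advertising .254, Standby SW1 advertising .245.
HELLO_SW2 = bytes.fromhex("000010030a640a00" "636973636f000000" "0a000afe")
HELLO_SW1 = bytes.fromhex("000008030a640a00" "636973636f000000" "0a000af5")


def parse_hello(payload):
    """Decode an HSRP Version 1 message (UDP payload, layout per RFC 2281)."""
    if len(payload) != 20:
        raise ValueError(f"expected 20 bytes, got {len(payload)}")
    ver, op, state, hello, hold, prio, group, _rsvd, _auth, vip = struct.unpack(
        "!8B8s4s", payload)
    if ver != 0:  # the version field carried by HSRP Version 1 messages is 0
        raise ValueError(f"unexpected version field {ver}")
    return {"opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
            "hello": hello, "hold": hold, "priority": prio, "group": group,
            "virtual_ip": socket.inet_ntoa(vip)}


def check_hello(src_ip, payload, expected=EXPECTED):
    """Return a list of findings for one message; an empty list means it matches."""
    msg = parse_hello(payload)
    cfg = expected.get(msg["group"])
    if cfg is None:
        return [f"{src_ip} speaks for unexpected group {msg['group']}"]
    findings = []
    if src_ip not in cfg["members"]:
        findings.append(f"{src_ip} is not a known member of group {msg['group']}")
    if msg["virtual_ip"] != cfg["virtual_ip"]:
        findings.append(f"{src_ip} advertises virtual IP {msg['virtual_ip']}, "
                        f"expected {cfg['virtual_ip']}")
    return findings


if __name__ == "__main__":
    for src, pkt in (("10.0.10.2", HELLO_SW2), ("10.0.10.1", HELLO_SW1)):
        print(src, parse_hello(pkt)["state"], check_hello(src, pkt) or "ok")
```

The same comparison also catches a switch that was left in the default group 0 when it should have joined group 10, since group 0 is not in the expected table.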
A trunk interface that is allowing the SVI VLAN traffic is required, which is verified by “sh int trunk” to check for manual / STP / VTP Pruning, and adjust any Pruning being done to allow the traffic if needed.
Watch for the default “standby ip” configuration on what should be a Router Group member for a unique group #.
As long as there are Trunk Ports along the path between the HSRP enabled switches, those switches along the path have the VLAN configured on them, and that VLAN is allowed over the Trunk links then there can be 20 hops between each HSRP member!
That is it for this one!
Onto some finer details of HSRP!