Hot Standby Router Protocol (HSRP)
HSRP is a Cisco proprietary protocol that provides default-gateway redundancy for a local subnet.
Routers within the same HSRP group must be assigned the same group number, which can range from 0 to 255. However, most Cisco platforms only support 16 configured HSRP groups.
HSRP Router Roles
Hot Standby Router Protocol works with HSRP groups. Within each group, the participating routers take on different roles:
- Active Router: the router that actively forwards packets to and from the hosts within the organization; it acts as the default gateway. Only one active router is elected per HSRP group.
- Standby Router: the backup of the active router. When the active router fails, this router becomes active and traffic flows through it.
- Listening Routers: all other routers participating in the HSRP group.
Only one active and one standby router are allowed per HSRP group. Thus, HSRP provides Layer-3 redundancy, but no inherent load balancing.
HSRP Packet
- Version Number is 8 bits: the HSRP version (version 1 or 2).
- Opcode is 8 bits. Op Code 0 – Hello: the router is running HSRP and is capable of becoming the active or standby router. Op Code 1 – Coup: the router wants to become the active router. Op Code 2 – Resign: the router is no longer the active router.
- State is 8 bits: the HSRP state of the sending router.
- Hello time is 8 bits: the interval between successive HSRP hello messages from a given router; 3 seconds by default.
- Hold time: the interval between receipt of a hello message and the presumption that the sending router has failed; 10 seconds by default.
- Priority is 8 bits. The default priority is 100. The router with the higher priority wins; the priority field is used in the election of the active and standby routers. In a tie, the highest IP address wins.
- Group is 8 bits. This field identifies the standby group, 0 to 255.
- Reserved is 8 bits.
- Authentication Data is 64 bits. This field contains a clear-text 8-character reused password. If no authentication data is configured, the RECOMMENDED default value is 0x63 0x69 0x73 0x63 0x6F 0x00 0x00 0x00 ("cisco" followed by three NUL bytes).
- Virtual IP Address is 32 bits: the virtual IP address used by this group. If the virtual IP address is not configured on a router, it may be learned from the hello messages of the active router. An address should only be learned if no address was configured and the hello message is authenticated.
HSRP Version
HSRP version 1:
- Version 1 packet size is 4 bytes.
- HSRP version 1 routers communicate by sending messages to multicast group address 224.0.0.2 using UDP port 1985.
- Maximum number of groups supported – 256 (0–255).
- MAC addresses used – 0000.0c07.ac00 to 0000.0c07.acff (which can conflict with CGMP leave processing).
- Default version (on both Catalyst and Nexus switches).
- Only plain-text authentication is supported (default password "cisco").
- Millisecond timers are not advertised or learned.
- The active router sends hello messages with the HSRP virtual MAC address as the source MAC address.
HSRP version 2:
- Version 2 packet size is 6 bytes.
- HSRP version 2 routers communicate by sending messages to multicast group address 224.0.0.102 using UDP port 1985.
- Maximum number of groups supported – 4096 (0–4095).
- MAC addresses used – 0000.0c9f.f000 to 0000.0c9f.ffff.
- The hello packet multicast address 224.0.0.102 removes the version 1 problem: this multicast address allows CGMP leave processing to be enabled at the same time as HSRP.
- Version 2 must be enabled explicitly.
- Supports MD5 authentication.
- Millisecond timers can be advertised or learned.
- The active router sends hello messages with the interface MAC address as the source MAC address.
Note: HSRP version 1 and version 2 have different packet formats and are not compatible with each other. Both sides of the interface must run the identical version.
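The packet layout listed under "HSRP Packet" and the version-specific virtual MAC ranges above, as a small decoder. This is an added example and not code from the original post; it assembles a constructed version 1 hello (20 bytes, the layout given in RFC 2281, whose on-wire version field is 0), decodes it field by field, derives the well-known virtual MAC for the group (0000.0c07.acXX for version 1, 0000.0c9f.fXXX for version 2) and notes the two things a defender looking at captured hellos on a segment would want to see at a glance: whether the group still uses the default "cisco" authentication data and whether a hello claims priority 255. The state codes in the table below are the RFC 2281 values; the sample addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

# Added example: decoder for the HSRP version 1 message described above.
# Layout (RFC 2281): version, opcode, state, hellotime, holdtime, priority,
# group and reserved are one byte each, followed by 8 bytes of authentication
# data and the 4-byte virtual IP address: 20 bytes in total.
HSRP_V1_FMT = "!BBBBBBBB8s4s"
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FMT)  # 20

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
# State codes as assigned by RFC 2281 for the 8-bit state field.
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
# 0x63 0x69 0x73 0x63 0x6F 0x00 0x00 0x00: the recommended default, "cisco" + 3 NULs.
DEFAULT_AUTH = b"cisco\x00\x00\x00"


def virtual_mac(group: int, version: int = 1) -> str:
    """Well-known virtual MAC for a group: 0000.0c07.acXX (v1) or 0000.0c9f.fXXX (v2)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRP v1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if not 0 <= group <= 4095:
        raise ValueError("HSRP v2 group must be 0-4095")
    return f"0000.0c9f.f{group:03x}"


def build_hsrp_v1(opcode: int, state: int, priority: int, group: int, vip: str,
                  hello: int = 3, hold: int = 10, auth: bytes = DEFAULT_AUTH) -> bytes:
    """Assemble a constructed v1 message (the UDP payload sent to 224.0.0.2:1985).
    The on-wire version field of these messages is 0 (RFC 2281 names the protocol version 0)."""
    return struct.pack(HSRP_V1_FMT, 0, opcode, state, hello, hold, priority, group, 0,
                       auth.ljust(8, b"\x00")[:8], IPv4Address(vip).packed)


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode one v1 message into its named fields plus the group's virtual MAC."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError(f"HSRP v1 message needs {HSRP_V1_LEN} bytes, got {len(payload)}")
    (version, opcode, state, hello, hold, priority, group, _reserved,
     auth, vip) = struct.unpack(HSRP_V1_FMT, payload[:HSRP_V1_LEN])
    return {
        "version": version,
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hello,
        "holdtime": hold,
        "priority": priority,
        "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "auth_is_default": auth == DEFAULT_AUTH,
        "virtual_ip": str(IPv4Address(vip)),
        "virtual_mac": virtual_mac(group),
    }


def review(msg: dict) -> list:
    """Points a defender would note when looking at captured hellos on a segment."""
    findings = []
    if msg["auth_is_default"]:
        findings.append("default authentication data ('cisco')")
    if msg["priority"] == 255:
        findings.append("priority 255 (maximum)")
    return findings


if __name__ == "__main__":
    # Constructed sample: an Active router's hello for group 1 with the default password.
    sample = build_hsrp_v1(opcode=0, state=16, priority=100, group=1, vip="192.0.2.1")
    decoded = parse_hsrp_v1(sample)
    for key, value in decoded.items():
        print(f"{key:>15}: {value}")
    print("findings:", review(decoded))
```

Because the authentication field is clear text, `review()` can read the password straight out of any captured hello; a group still carrying the default value will show up as such in a packet capture from the segment, which is the quickest way to audit whether MD5 authentication (version 2) has actually been rolled out.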
HSRP Messages
With HSRP, there are three types of multicast messages sent between the devices:
- Hello – sent between the active and standby devices every 3 seconds by default. If the standby device does not hear from the active device for 10 seconds, the standby device takes over the active role.
- Resign – sent by the active device when it is going offline or is ready to give up the active role for some other reason. This message tells the standby device to be ready to take over the active role.
- Coup – used when a standby router wants to assume the active role (preempt).
HSRP States
- A disabled state indicates that the interface is either not configured for HSRP or is administratively shutdown.
- An interface begins in an initial state when first configured with HSRP or taken out of an administratively shutdown state.
- An interface enters a learn state if it does not know the HSRP virtual IP address. Normally the virtual IP is manually configured on the interface; otherwise, it is learned from the current active router via hello packets.
- An interface in a listen state knows the virtual IP address but was not elected as either the Active or Standby Router.
- Interfaces in a speak state are currently participating in the election of an active or standby router. Elections are performed using hello packets, which are sent out every 3 seconds by default.
- A standby state indicates that the interface is acting as a backup to the active router. The standby router continuously exchanges hello packets with the active router and will take over if the active router fails.
- An interface in an active state is the live gateway and will forward traffic sent to the virtual IP address. Hosts will use the virtual IP address as their default gateway. The active router will respond to ARP requests for the virtual IP with the virtual MAC address.
Note that hello packets are only exchanged in three HSRP states: Speak, Standby and Active. Interfaces in the listen state only listen for hello packets. If the active or standby router fails, a listen interface transitions to the speak state to participate in a new election.
HSRP Election Process:
The HSRP active/standby election uses the priority value (0–255) that is manually configured on each router (255 is the highest). By default, the priority is 100. If all routers are left at the default value, the router with the highest IP address on the HSRP interface becomes the active router.
By default, HSRP uses a virtual IP address and a virtual MAC address. The virtual IP address is manually configured through the HSRP configuration, whereas the virtual MAC address is generated automatically.
The virtual MAC address is divided into three fields. For example, consider the virtual MAC address 00-01-0B-07-AC-0B:
- 00-01-0B is the vendor code.
- 07-AC is the well-known HSRP code.
- 0B is the HSRP group number (11 in decimal, 0B in hexadecimal).
HSRP Preempt:
If a new router is added to an HSRP group, it will not preemptively assume the role of the active router, even if it has the best priority. In fact, the router that is powered on first becomes the active router, even if it has the lowest priority!
To overcome this, the preempt option can be configured so that the intended active router takes the active role back once it comes up and is operational.
The preempt parameter allows a router to forcibly assume the role of active router if it has the highest priority. The preempt feature is disabled by default:
- The optional delay parameter forces a router to wait before preempting as the active router. The delay is measured in seconds:
  Switch(config-if)# standby 1 preempt delay 10
- The router can also be forced to wait a specified number of seconds after a reload before preempting the active role:
  Switch(config-if)# standby 1 preempt reload 20
HSRP Timers:
HSRP routers send hello packets to each other at regular intervals. By default, hello packets are sent every 3 seconds (the hello interval). The holdtime is 10 seconds by default and should be three times the hello interval.
- To manually adjust the HSRP timers, measured in seconds:
  SwitchB(config-if)# standby 1 timers 4 12
- The first value is the hello timer, the second the holddown timer.
- The timers can also be specified in milliseconds:
  SwitchB(config-if)# standby 1 timers msec 800 msec 2400
HSRP Tracking:
- In the above example, SwitchB will become the active router and SwitchA the standby.
- SwitchA and SwitchB exchange periodic hello packets to update their status.
- If interface gi2/23 goes down on SwitchB, hello packets can still be exchanged with SwitchA via interface gi2/22.
- SwitchA is unaware that SwitchB has a failure and can no longer forward traffic to other networks. SwitchB remains the active router, and traffic is blackholed.
- To mitigate a scenario like this, HSRP can track interfaces.
- If a tracked interface fails, the router's priority is decreased by a specified value; by default, this is 10.
- HSRP can track interfaces or objects and decrement the priority if an interface or object fails.
Consider the following tracking configuration on SwitchB:
  SwitchB(config-if)# standby 1 track gi2/23 60
- If interface gi2/23 on SwitchB fails, the priority of the switch decreases by 60.
- The objective is to decrement the priority enough to allow the standby router to take over as active.
- This requires careful planning: if SwitchB's priority were decremented by only 40, it would remain active, as its priority would still be higher than SwitchA's.
- For tracking to be successful, the standby router must be configured to preempt:
  SwitchA(config-if)# standby 1 preempt
- Otherwise, the standby router will never take over as active.
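The election, preempt and tracking rules from the three sections above, as a small event-driven model. This is an added example, not code from the original post: the priorities (SwitchA 100, SwitchB 150), addresses and interface names are assumed, since the diagram the text refers to is not on the page. The model applies the stated rules only: highest priority wins and highest IP breaks ties; the first router to come up stays active unless a better-ranked router has preempt enabled; a failed tracked interface subtracts its decrement from the configured priority; and when the active router goes away the standby takes over. Hello and hold timers are not simulated, so "fails" here means the holdtime has already expired.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass(eq=False)              # identity semantics: two routers are never "equal"
class Router:
    name: str
    ip: str                       # address on the HSRP interface (used as tie-breaker)
    priority: int = 100           # HSRP default priority
    preempt: bool = False         # "standby <group> preempt" is off by default
    tracked: dict = field(default_factory=dict)    # interface -> priority decrement
    failed_ifaces: set = field(default_factory=set)
    up: bool = True

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of each failed tracked interface."""
        decrement = sum(self.tracked[i] for i in self.failed_ifaces if i in self.tracked)
        return max(0, self.priority - decrement)

    def rank(self) -> tuple:
        """Election key: higher priority wins; the highest IP address breaks a tie."""
        return (self.effective_priority(), int(IPv4Address(self.ip)))


class HsrpGroup:
    """One HSRP group: holds the active and standby roles and re-runs the election on events."""

    def __init__(self, group: int):
        self.group = group
        self.routers = []
        self.active = None
        self.standby = None

    def _reevaluate(self) -> None:
        live = sorted((r for r in self.routers if r.up), key=Router.rank, reverse=True)
        if not live:
            self.active = self.standby = None
            return
        if not any(r is self.active for r in live):
            # No active yet (first router to come up) or the active failed: the standby
            # takes over; if there is no live standby, the best remaining router does.
            has_standby = any(r is self.standby for r in live)
            self.active = self.standby if has_standby else live[0]
        # Coup: only a router with preempt enabled may displace a lower-ranked active router.
        best = live[0]
        if best is not self.active and best.preempt and best.rank() > self.active.rank():
            self.active = best
        # The standby role always goes to the best-ranked router that is not active.
        others = [r for r in live if r is not self.active]
        self.standby = others[0] if others else None

    def boot(self, *routers: Router) -> None:
        """Bring one or more routers up (together, if several are passed at once)."""
        self.routers.extend(routers)
        self._reevaluate()

    def fail(self, router: Router) -> None:
        router.up = False
        self._reevaluate()

    def recover(self, router: Router) -> None:
        router.up = True
        self._reevaluate()

    def interface_down(self, router: Router, iface: str) -> None:
        router.failed_ifaces.add(iface)
        self._reevaluate()

    def set_preempt(self, router: Router, enabled: bool = True) -> None:
        router.preempt = enabled
        self._reevaluate()

    def roles(self) -> tuple:
        return (self.active.name if self.active else None,
                self.standby.name if self.standby else None)


def walkthrough(decrement: int = 60) -> list:
    """Constructed scenario with SwitchA/SwitchB; priorities and addresses are assumed."""
    g = HsrpGroup(1)
    a = Router("SwitchA", "10.1.1.2", priority=100, preempt=True)   # standby 1 preempt
    b = Router("SwitchB", "10.1.1.3", priority=150,
               tracked={"gi2/23": decrement})                        # standby 1 track gi2/23 <decrement>
    log = []
    g.boot(a)                       # SwitchA is powered on first
    log.append(("A boots alone",) + g.roles())
    g.boot(b)                       # SwitchB joins with the better priority but no preempt
    log.append(("B joins, preempt off",) + g.roles())
    g.set_preempt(b)                # standby 1 preempt on SwitchB: coup
    log.append(("B preempt on",) + g.roles())
    g.interface_down(b, "gi2/23")   # tracked uplink fails: 150 - decrement
    log.append(("B uplink down",) + g.roles())
    g.fail(a)                       # active router fails: standby takes over
    log.append(("A fails",) + g.roles())
    return log


if __name__ == "__main__":
    for step, active, standby in walkthrough():
        print(f"{step:<22} active={active:<8} standby={standby}")
```

Running `walkthrough(60)` shows SwitchA reclaiming the active role when SwitchB's uplink fails, while `walkthrough(40)` leaves SwitchB active with a dead uplink (150 - 40 = 110 is still above 100), which is the blackholing case the text warns about; the decrement has to be planned against the standby's priority, and the standby must have preempt enabled or the decrement changes nothing.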
HSRP Authentication:
HSRP Groups:
We can also use multiple HSRP groups to provide redundancy and load sharing when we have multiple VLANs in our network. For example, we can create group 10 for VLANs 10 and 20, active on R1, and group 20 for VLANs 30 and 40, active on R2.