...

How to Configure HSRP on a Cisco Router (with GNS3 lab)

hsrp configuration

Hot Standby Routing Protocol or HSRP, is a Cisco proprietary protocol that allows two or more routers to work together to represent a single IP address for a particular network. HSRP, as well as Virtual Route Redundancy Protocol (VRRP) are considered high-availability network services that allow for almost immediate fail over to a secondary interface when the primary interface becomes unavailable. The HSRP configuration can be tricky at times, so this article will cover the fundamental points also presenting a GNS3 lab.

HSRP is one of the so called FHRP or “First Hop Redundancy Protocols”. You can read more about FHRP in this new article.

HSRP is a fairly simple concept that works by having one router within an HSRP group be selected as the primary, or active router. That primary will handle all routing requests while the other routers within the HSRP group simply wait in a standby state. These standby routers remain ready to take on all of the traffic load if the primary router becomes unavailable. In this scenario, HSRP provides high network availability since it routes IP traffic without depending on a single router.

To really dig into the Nitty Gritty of HSRP, check out RFC 2281 for full details on the inner workings of this widely used protocol.

The hosts that use the HSRP address as a gateway never know the actual physical IP or MAC address of the routers in the group. Only the virtual IP address that was created within the HSRP configuration along with a virtual MAC address is known to other hosts on the network.

Basic HSRP Configuration

Before we discuss more advanced HSRP concepts, let’s create a basic HSRP configuration to get an idea of how all this works. For this scenario we will use the topology shown below:

HSRP lab setup
Basic HSRP Configuration

The GNS3 topology setup looks like this:

HSRP lab setup
GNS3 topology setup

It consists of just two routers (R1 and R2) acting as the default gateway for the 192.168.1.0/24 network. Only one of these routers will be active at a particular time with a virtual IP address of 192.168.1.1. These means that all devices on the 192.168.1.0/24 segment (e.g. PC1) will be configured with this virtual IP address.

Note: Keep in mind that one or both of these routers could be multilayer switches such as a Cisco 6509 or 3750 as well. But for this discussion let’s just refer them as routers.

To achieve basic HSRP configuration, you need to do the following:

  • Configure normal IP address on interface (cannot be the same as HSRP virtual IP)
  • Bring interface up (no shutdown)
  • Configure HSRP group and virtual IP address using the standby command

Therefore, the configuration to enable HSRP on R1 is as follows:
interface fa0/0
ip address 192.168.1.11 255.255.255.0
no shutdown
standby 1 ip 192.168.1.1

The configuration on R2 is similar as follows:
interface fa0/0
ip address 192.168.1.12 255.255.255.0
no shutdown
standby 1 ip 192.168.1.1

In this example, we have configured an HSRP group “1”. This group number can be any number between 0 and 255 (HSRP version 1) and the only requirement is that you must use the same number across devices in the same HSRP group.

We can use the show standby command to see the status of our HSRP configuration.
R1#show standby
FastEthernet0/0 - Group 1
State is Active
2 state changes, last state change 00:23:53
Virtual IP address is 192.168.1.1
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.852 secs
Preemption disabled
Active router is local
Standby router is 192.168.1.12, priority 100 (expires in 7.452 sec)
Priority 100 (default 100)
Group name is "hsrp-Fa0/0-1" (default)
R1#

R2#show standby
FastEthernet0/0 - Group 1
State is Standby
1 state change, last state change 00:23:59
Virtual IP address is 192.168.1.1
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.340 secs
Preemption disabled
Active router is 192.168.1.11, priority 100 (expires in 7.920 sec)
Standby router is local
Priority 100 (default 100)
Group name is "hsrp-Fa0/0-1" (default)

Notice that R1 is the Active router while R2 is on standby. Ideally, with the same priority, the router with the highest IP address will be elected the active router. However, I configured R1 first and it became active before R2 came on board. Since R2 has the same priority as R1, R2 will not become active even though it has a higher IP address (192.168.1.12 > 192.168.1.11).

We will talk about priority and preemption later in this article.

Now let’s test. We will perform a traceroute to 8.8.8.8 from PC1. Since R1 is the active router, this traffic should flow through R1 to the EXT_RTR.
PC1> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
1 192.168.1.11 33.260 ms 22.408 ms 11.530 ms
2 *192.0.2.1 23.903 ms (ICMP type:3, code:3, Destination port unreachable)

Notice that this packet went through R1 (192.168.1.11).

Note: When replying traceroute, the IP address of the physical interface is used, not the virtual IP address. Check this link for more information.

I will now shut down the fa0/0 interface of R1 and try this traceroute again.
R1(config)#int fa0/0
R1(config-if)#shutdown
R1(config-if)#
*Mar 1 01:00:27.015: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Init
R1(config-if)#
*Mar 1 01:00:29.027: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar 1 01:00:30.027: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R1(config-if)#

PC1> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
1 192.168.1.12 5.763 ms 10.462 ms 11.703 ms
2 *192.0.2.1 45.594 ms (ICMP type:3, code:3, Destination port unreachable)

Notice how the traffic flows through R2 (192.168.1.12). When we check the show standby command again, we see that R2 is now the active router:
R2#show standby
FastEthernet0/0 - Group 1
State is Active
2 state changes, last state change 00:04:33
Virtual IP address is 192.168.1.1
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.152 secs
Preemption disabled
Active router is local
Standby router is unknown
Priority 100 (default 100)
Group name is "hsrp-Fa0/0-1" (default)

Routing with HSRP

I decided to take a little detour to talk about routing when HSRP is configured. There are a couple of things to note:

  1. Routes are not replicated between HSRP routers. This means that R1 and R2 must (individually) know how to reach the 8.8.8.8 network used in our example. In our case, we achieve this by configuring a default route to 192.0.2.1 (EXT_RTR) on both R1 and R2.
  2. Even though traffic from PC1 to 8.8.8.8 will flow through the active HSRP router, return traffic will be an issue. Since routing is done based on destination (by default), EXT_RTR will consult its routing table for how to forward the reply from 8.8.8.8 to PC1 (192.168.1.100). Depending on how you configure this, EXT_RTR will always use R1, always use R2 or use both R1 and R2. This can lead to asymmetric routing and/or traffic blackholing. One way around this issue is to configure NAT but that is beyond the scope of this article. For this article, I configured two static routes for the 192.168.1.0/24 network on EXT_RTR: one pointing to R1 and the other pointing to R2. This means that EXT_RTR load balances between R1 and R2.

HSRP Priority: Controlling the Active Router

There are more HSRP values that you’ll need to change from time to time to ensure complete control over your network traffic. For example, what if we wanted R1 to be the Active router instead of R2? To force a particular router to be the active router in an HSRP group you will need to use the priority command.

The default priority is 100. The higher priority will determine which router is active. If both routers are set to the same priority, the first router to come up will be the active router.

For example, in our sample scenario, if we bring the fa0/0 of R1 back up, R1 will become the standby router – it will not replace R2 as the active router:
R1(config-if)#no shutdown
R1(config-if)#
*Mar 1 01:19:07.095: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 01:19:08.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#
*Mar 1 01:19:26.111: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby

If we wanted R1 to always be active when an election takes place, then we can increase its priority.
interface fa0/0
standby 1 priority 200

Note: Even though we have increased the priority of R1, it will remain in the standby mode because preemption is disabled. We will talk about preemption next.

HSRP Preempt: Avoid Fail-Back

In our scenario above, if R1 fails, R2 will become active as we have seen. This is perfect! But, if R1 comes back up and returns to service, R2 will continue to stay active. This may not be a preferred behavior. There are times when you may always want R1 to be in an active state in the HSRP group. Cisco provides a way for use to control this by using the preempt command. Preempt forces a router to be active after recovering from a failure.

Therefore, if we want R1 to take over the active function when it recovers from a failure, we can change our configuration on R1 to include the standby 1 preempt command.
R1(config-if)#standby 1 preempt
R1(config-if)#
*Mar 1 01:38:18.307: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
R1(config-if)#

Advanced HSRP Configuration – Load Balancing

So now you can see how great HSRP is and how it allows us to have high availability between multiple routers for a single network. But our standby routers aren’t doing anything and are just sitting there! Depending on the router model you are using, this can be a lot money just sitting idle.

Note: It is also important to keep in mind that if something happens to one of the devices in a High Availability pair, then the other device should be able to handle the network load.

To solve this problem, we can configure HSRP to be load balanced between routers. This doesn’t help us with a single HSRP group, but for multiple HSRP groups we can spread the load and have each HSRP group be active on different routers.

By configuring multiple HSRP groups on a single interface, HSRP load balancing can be achieved.

For our example, let’s add PC2 to the lab setup. For explanation sake, we will call HSRP group 1 “network-one” and HSRP group 2 “network-two”. R1 will be active for network-one while R2 will be active for network-two. This means that R1 will be standby for network-two while R2 will be standby for network-one.

HSRP lab upgraded

The full configuration on R1 is as follows:
interface FastEthernet0/0
ip address 192.168.1.11 255.255.255.0
standby 1 ip 192.168.1.1
standby 1 priority 200
standby 1 preempt
standby 1 name network-one
standby 2 ip 192.168.1.2
standby 2 name network-two

The full configuration on R2 is as follows:
interface FastEthernet0/0
ip address 192.168.1.12 255.255.255.0
standby 1 ip 192.168.1.1
standby 1 name network-one
standby 2 ip 192.168.1.2
standby 2 priority 200
standby 2 preempt
standby 2 name network-two

This configuration allows us to have each router working for us and forwarding packets to best utilize our investment in our networking equipment. We’ve also added the HSRP group name command to help better describe each HSRP group. This can be a life saver when you have several HSRP groups that you need to track.

To test this configuration, we will perform a traceroute to 8.8.8.8 from both PC1 and PC2. PC1 uses 192.168.1.1 as its default gateway (network-one) while PC2 uses 192.168.1.2 as its default gateway (network-two).
PC1> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
1 192.168.1.11 23.570 ms 10.141 ms 10.915 ms
2 *192.0.2.1 51.527 ms (ICMP type:3, code:3, Destination port unreachable)

PC2> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
1 *192.168.1.12 26.753 ms 10.339 ms
2 **192.0.2.1 41.634 ms (ICMP type:3, code:3, Destination port unreachable)

Notice that PC1 uses R1 while PC2 uses R2. Load balancing achieved!

One last note on HSRP standby groups. You can have multiple interfaces and networks configured using the same standby group number if the failover behavior needed is the same.

However if you need to have a different behavior, meaning different priority, preempt, etc., (as seen in our load balanced scenario above) then a separate group is needed.

Common problems with HSRP

To wrap up this article about HSRP, let’s quickly highlight some common problems with HSRP. This can serve as a sort of checklist when troubleshooting HSRP. The problems include:

  • HSRP routers not being on the same network segment.
  • HSRP routers not configured with IP addresses from the same subnet.
  • HSRP configuration issues like standby groups and virtual IPs not matching on the HSRP routers.

Conclusion

There is much more to HSRP then this article covers including:

For now, we wanted to give you a good foundation for the configuration of HSRP on a Cisco router.

Do you still have questions about this config or another question about HSRP? Leave a comment below and let’s work on it!

23 Responses

  1. In HSRP, if Router R1 fails,standby router R2 will be active. But during working of active router R1, whether any configuration updation done to standby Router to be ready as active of first one Router R1 will fail?

  2. I had 2 L3 switches running hsrp. 5 vlans are there on both switches.
    once I configure the 6th vlan on any of the switch my hsrp status is showing unknown.

Leave a Reply

Your email address will not be published. Required fields are marked *

Share this article.

Recommended
Noction Ad
Popular Articles

More Articles

Seraphinite AcceleratorOptimized by Seraphinite Accelerator
Turns on site high speed to be attractive for people and search engines.