Hot Standby Routing Protocol (HSRP) is a Cisco proprietary default gateway redundancy protocol. If the primary gateway fails, HSRP automatically redirects hosts to the backup gateway.
HSRP has been covered in a few RouterFreak articles, such as:
- Comparing HSRP vs VRRP
- How to configure HSRP on a Cisco router
- First Hop Redundancy Protocols for CCNA
To avoid reinventing the wheel, let’s delve deeper into HSRP’s workings. To do this we’ll use the following topology:
After having read the aforementioned articles you will know that by using HSRP we’ll be able to configure Core-1 and Core-2 to share the default gateway IP address in an Active/Standby manner. Let’s go ahead and do that now:
Core-1:

    interface FastEthernet0/0
     ip address 192.168.54.2 255.255.255.0
     duplex auto
     speed auto
     standby 10 priority 105
     standby 10 ip 192.168.54.1
     standby 10 preempt

Core-2:

    interface FastEthernet0/0
     ip address 192.168.54.3 255.255.255.0
     duplex auto
     speed auto
     standby 10 ip 192.168.54.1
     standby 10 priority 95
     standby 10 preempt

This configuration is quite straightforward, but let’s dissect it for the sake of completeness:
- the two routers are in HSRP Group 10.
- Core-1 is the Active router due to its higher priority.
- the preempt command has been enabled. This means that if Core-1 goes offline, it will automatically regain its HSRP Active state in Group 10 when it is back online.
Let’s take a look at what information the “show standby” output tells us:
    Core-1(config-if)# do show standby
    FastEthernet0/0 - Group 10
      State is Active
        2 state changes, last state change 00:00:09
      Virtual IP address is 192.168.54.1
      Active virtual MAC address is 0000.0c07.ac0a
        Local virtual MAC address is 0000.0c07.ac0a (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 2.028 secs
      Preemption enabled
      Active router is local
      Standby router is 192.168.54.3, priority 95 (expires in 8.444 sec)
      Priority 105 (configured 105)
      Group name is "hsrp-Fa0/0-10" (default)

Let’s now dissect this output line by line and play around with a few settings to make sure we fully understand it.

    FastEthernet0/0 - Group 10
      State is Active

This tells us that Core-1’s FastEthernet0/0 interface is currently being used to serve as the default gateway in group 10. By shutting this interface down we’ll see that it moves to an “Init” state instead:

    Core-1(config-if)#do show standby
    FastEthernet0/0 - Group 10
      State is Init (interface down)
If we jump onto Core-2 we’ll see that it has now become the active gateway:
    Core-2(config-if)#do sh stand
    FastEthernet0/0 - Group 10
      State is Active
(For more information on HSRP states, please refer to this page.)
Then we have this line:
    2 state changes, last state change 00:00:09
This tells us the last time Core-1’s HSRP state changed. As we just saw, when we shut down Core-1’s FastEthernet0/0 interface it went from Active to Init. This is what is known as a state change. As a result, the change count incremented and the timer reset:
    Core-1(config-if)#do sh stand
    FastEthernet0/0 - Group 10
      State is Init (interface down)
        3 state changes, last state change 00:00:02

This is a great indication of whether you’re having an HSRP issue. For example, if your state change count is high and the time since your last state change is always low, it is more than likely that you have a problem that needs to be rectified.
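The same check can be run against collected syslog instead of a live `show standby`. This added example (not from the original article) counts `%HSRP-5-STATECHANGE` messages per interface and group inside a sliding window; the function names, the five-minute window and the threshold of four are assumptions, and the last three sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the page's syslog format: the first three transitions
# appear in the page's captures, the last three are invented to show a flap.
SAMPLE_LOG = """\
May 4 23:39:12.479: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Active -> Speak
May 4 23:39:22.479: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby
May 4 23:42:27.467: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active
May 4 23:42:41.102: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Active -> Speak
May 4 23:42:51.102: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby
May 4 23:43:05.310: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active
"""

CHANGE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:.]+): %HSRP-5-STATECHANGE: "
    r"(?P<intf>\S+) Grp (?P<grp>\d+) state (?P<old>\w+) -> (?P<new>\w+)"
)


def parse_state_changes(log_text, year=2000):
    """Return [(time, interface, group, old, new)]; the logs carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m["intf"], int(m["grp"]), m["old"], m["new"]))
    return events


def find_flapping(events, window=timedelta(minutes=5), threshold=4):
    """Return {(interface, group): most changes seen inside any sliding window}."""
    by_group = defaultdict(list)
    for ts, intf, grp, _old, _new in events:
        by_group[(intf, grp)].append(ts)
    flapping = {}
    for key, stamps in by_group.items():
        stamps.sort()
        start = worst = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # drop changes that fell out of the window
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flapping[key] = worst
    return flapping
```

Tune the window and threshold to your own baseline: a single planned failover and failback already produces several transitions.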
Next, we have our HSRP MAC address:
    Active virtual MAC address is 0000.0c07.ac0a
      Local virtual MAC address is 0000.0c07.ac0a (v1 default)
One might assume that this is an address which was picked at random. However, this is not the case. The MAC address can actually be broken down into three parts:
- MAC address Organizationally Unique Identifier (OUI) – the first six hex characters of the MAC address (0000.0c) – belongs to Cisco.
- the next four characters (07ac) are used specifically by HSRP.
- the last two characters identify the HSRP group number in hex: as we’re using group 10, the characters in the MAC address are 0a.
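As an added example (not part of the original article), the breakdown above can be turned into a check that decodes the group number from an HSRP v1 virtual MAC and confirms it matches the group reported by `show standby`. The function names are hypothetical.

```python
import re

# Excerpt of Core-1's "show standby" output as shown on this page.
SHOW_STANDBY = """\
FastEthernet0/0 - Group 10
  State is Active
  Virtual IP address is 192.168.54.1
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
"""

HSRP_V1_PREFIX = "00000c07ac"  # Cisco OUI 0000.0c followed by the HSRP marker 07ac


def group_from_vmac(mac):
    """Return the group encoded in an HSRP v1 virtual MAC, or None if it is not one."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()  # accept dotted or colon form
    if len(digits) != 12 or not digits.startswith(HSRP_V1_PREFIX):
        return None
    return int(digits[10:], 16)


def vmac_for_group(group):
    """Build the default HSRP v1 virtual MAC (Cisco dotted form) for a group."""
    if not 0 <= group <= 255:
        raise ValueError("an HSRP v1 group must fit in one octet (0-255)")
    digits = f"{HSRP_V1_PREFIX}{group:02x}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def check_show_standby(text):
    """Extract interface, group and virtual MAC, and test that MAC and group agree."""
    hdr = re.search(r"^(\S+) - Group (\d+)", text, re.M)
    mac = re.search(r"Active virtual MAC address is (\S+)", text)
    if not hdr or not mac:
        raise ValueError("not a 'show standby' group block")
    group = int(hdr.group(2))
    return {
        "interface": hdr.group(1),
        "group": group,
        "vmac": mac.group(1),
        "expected_vmac": vmac_for_group(group),
        "vmac_matches_group": group_from_vmac(mac.group(1)) == group,
    }
```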
Next is our Hello, Hold and Standby router timers:
    Hello time 3 sec, hold time 10 sec
      Next hello sent in 2.028 secs
    Standby router is 192.168.54.3, priority 95 (expires in 7.444 sec)
Now let’s go ahead and verify if the router really is sending Hellos every three seconds:
    Core-1#deb standby packets hello
    May 4 22:56:20.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
    May 4 22:56:21.139: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
    May 4 22:56:23.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
    May 4 22:56:24.119: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
    May 4 22:56:26.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
    May 4 22:56:26.691: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
    May 4 22:56:27.131: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
    May 4 22:56:29.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
    May 4 22:56:30.131: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
    May 4 22:56:32.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
    May 4 22:56:33.127: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
    May 4 22:56:35.243: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
    May 4 22:56:35.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1

As we can see from the above output, Core-1 is mostly keeping to its 3-second Hello interval, but at times it also sends an additional Hello milliseconds after the previous one.
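To put numbers on that observation, this added example (not from the original article) parses the debug lines above and measures the gap between consecutive Hellos from each source address. The function names and the "less than half the Hello time" rule for counting an extra Hello are assumptions.

```python
import re
from datetime import datetime

# Hello lines copied from Core-1's "debug standby packets hello" capture on this page.
DEBUG_LOG = """\
May 4 22:56:20.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:21.139: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 22:56:23.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:24.119: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 22:56:26.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:26.691: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:27.131: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 22:56:29.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:30.131: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 22:56:32.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:33.127: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 22:56:35.243: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:35.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
"""

HELLO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:.]+): HSRP: \S+ Grp \d+ Hello (?:in|out)\s+(?P<src>\S+)"
)


def hello_gaps(log_text, year=2000):
    """Return {source_ip: [seconds between consecutive Hellos]}; the year is assumed."""
    last, gaps = {}, {}
    for line in log_text.splitlines():
        m = HELLO_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        if m["src"] in last:
            delta = (ts - last[m["src"]]).total_seconds()
            gaps.setdefault(m["src"], []).append(round(delta, 3))
        last[m["src"]] = ts
    return gaps


def summarize(gaps, hello_time=3.0, hold_time=10.0):
    """Per source: longest gap, early (extra) Hellos, and gaps that reach the hold time."""
    return {
        src: {"max_gap": max(g),
              "extra_hellos": sum(x < hello_time / 2 for x in g),
              "hold_expired": sum(x >= hold_time for x in g)}
        for src, g in gaps.items()
    }
```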
In order to take the Hold and Standby router expiry timers for a spin, let’s jump onto Core-2 and block Core-1’s HSRP packets. Doing so will result in Core-2 believing that Core-1 is down resulting in Core-2 becoming the active gateway:
    Core-2(config-if)#ip access-list ext BLOCK_HSRP
    Core-2(config-ext-nacl)#deny udp host 192.168.54.2 eq 1985 host 224.0.0.2 eq 1985
    Core-2(config-ext-nacl)#permit ip any any
    Core-2(config)#int f0/0
    Core-2(config-if)#ip access-group BLOCK_HSRP in

    May 4 23:20:07.195: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.3 Standby pri 95 vIP 192.168.54.1
    May 4 23:20:10.027: HSRP: Fa0/0 Interface adv out, Passive, active 0 passive 1
    May 4 23:20:10.195: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.3 Standby pri 95 vIP 192.168.54.1
    May 4 23:20:13.195: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.3 Standby pri 95 vIP 192.168.54.1
    May 4 23:20:13.223: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active
    May 4 23:20:13.223: HSRP: Fa0/0 Interface adv out, Active, active 1 passive 0
    May 4 23:20:13.223: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.3 Active pri 95 vIP 192.168.54.1

That’s interesting – we see that Core-2 proclaimed itself the active gateway in 6 seconds. We thought the hold timer was 10 seconds, though? Well, it is. However, as I applied the ACL a couple of seconds after the last Hello packet was sent, the hold timer had evidently already run down four seconds.
Next, we have these three lines:
    Preemption enabled
    Active router is local
    Priority 105 (configured 105)
Preemption means that if a router with a higher priority comes online it will take over the active gateway duties.
The “Active router is local” line means just that – the router we issued the command on (Core-1) is the active gateway.
And finally, the “Priority 105” line tells us the priority that this interface is configured with. With HSRP, the device with the highest priority becomes the active gateway.
To test these three lines, what we’ll do is track Core-1’s upstream interface (FastEthernet0/1). If it goes down, we’ll decrement Core-1’s downstream (FastEthernet0/0) interface’s HSRP priority by 50, resulting in Core-2’s downstream (FastEthernet0/0) interface’s HSRP priority of 95 being higher. This will result in Core-2 becoming the active gateway.
    Core-1(config-if)#interface FastEthernet0/0
    Core-1(config-if)#standby 10 track FastEthernet0/1 50

Now that tracking has been set up, let’s shut down FastEthernet0/1 on Core-1 and see what happens:

    Core-1(config-if)#int f0/1
    Core-1(config-if)#shut
    May 4 23:39:12.123: %TRACKING-5-STATE: 1 interface Fa0/1 line-protocol Up->Down
    May 4 23:39:12.479: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Active -> Speak
    May 4 23:39:14.119: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
    May 4 23:39:15.119: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
    May 4 23:39:22.479: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby

    Core-1(config-if)#do sh stan
    FastEthernet0/0 - Group 10
      Preemption enabled
      Standby router is local
      Priority 55 (configured 105)
        Track interface FastEthernet0/1 state Down decrement 50
      Group name is "hsrp-Fa0/0-10" (default)
As we can see from the output above, the Standby router is now local – not the Active router. We can also see that the priority has dropped from 105 to 55. Now to test pre-emption, we simply have to bring FastEthernet0/1 back up:
    May 4 23:42:25.539: %TRACKING-5-STATE: 1 interface Fa0/1 line-protocol Down->Up
    May 4 23:42:27.467: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active
    May 4 23:42:27.535: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
    May 4 23:42:28.535: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

    Core-1(config-if)#do show standby
    FastEthernet0/0 - Group 10
      Preemption enabled
      Active router is local
      Priority 105 (configured 105)
        Track interface FastEthernet0/1 state Up decrement 50
      Group name is "hsrp-Fa0/0-10" (default)
If pre-emption weren’t enabled and we brought FastEthernet0/0 back up, Core-2 would remain the active gateway even though Core-1 has the better priority.
And that’s a wrap! If you have any questions please feel free to post them in the comments section below.