Configuring HSRP
This chapter describes how to use Hot Standby Router Protocol (HSRP) to provide routing redundancy for routing IP traffic without being dependent on the availability of any single router.
You can also use a version of HSRP in Layer 2 mode to configure a redundant command switch to take over cluster management if the cluster command switch fails.
Note |
HSRP and VRRP features are supported only on Cisco Catalyst 3560-CX switches. |
Information About Configuring HSRP
HSRP Overview
HSRP is Cisco's standard method of providing high network availability by providing first-hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address. HSRP routes IP traffic without relying on the availability of any single router. It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN. When HSRP is configured on a network or segment, it provides a virtual Media Access Control (MAC) address and an IP address that is shared among a group of configured routers. HSRP allows two or more HSRP-configured routers to use the MAC address and IP network address of a virtual router. The virtual router does not exist; it represents the common target for routers that are configured to provide backup to each other. One of the routers is selected to be the active router and another to be the standby router, which assumes control of the group MAC address and IP address should the designated active router fail.
Note |
Routers in an HSRP group can be any router interface that supports HSRP, including routed ports and switch virtual interfaces (SVIs). |
HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks. In a group of router interfaces, the active router is the router of choice for routing packets; the standby router is the router that takes over the routing duties when an active router fails or when preset conditions are met.
HSRP is useful for hosts that do not support a router discovery protocol and cannot switch to a new router when their selected router reloads or loses power. When HSRP is configured on a network segment, it provides a virtual MAC address and an IP address that is shared among router interfaces in a group of router interfaces running HSRP. The router selected by the protocol to be the active router receives and routes packets destined for the group's MAC address. For n routers running HSRP, there are n +1 IP and MAC addresses assigned.
HSRP detects when the designated active router fails, and a selected standby router assumes control of the Hot Standby group's MAC and IP addresses. A new standby router is also selected at that time. Devices running HSRP send and receive multicast UDP-based hello packets to detect router failure and to designate active and standby routers. When HSRP is configured on an interface, Internet Control Message Protocol (ICMP) redirect messages are automatically enabled for the interface.
You can configure multiple Hot Standby groups among switches and switch stacks that are operating in Layer 3 to make more use of the redundant routers. To do so, specify a group number for each Hot Standby command group you configure for an interface. For example, you might configure an interface on switch 1 as an active router and one on switch 2 as a standby router and also configure another interface on switch 2 as an active router with another interface on switch 1 as its standby router.
The following figure shows a segment of a network configured for HSRP. Each router is configured with the MAC address and IP network address of the virtual router. Instead of configuring hosts on the network with the IP address of Router A, you configure them with the IP address of the virtual router as their default router. When Host C sends packets to Host B, it sends them to the MAC address of the virtual router. If for any reason, Router A stops transferring packets, Router B responds to the virtual IP address and virtual MAC address and becomes the active router, assuming the active router duties. Host C continues to use the IP address of the virtual router to address packets destined for Host B, which Router B now receives and sends to Host B. Until Router A resumes operation, HSRP allows Router B to provide uninterrupted service to users on Host C's segment that need to communicate with users on Host B's segment and also continues to perform its normal function of handling packets between the Host A segment and Host B.
You can configure multiple Hot Standby groups among switches and switch stacks that are operating in Layer 3 to make more use of the redundant routers. To do so, specify a group number for each Hot Standby command group you configure for an interface. For example, you might configure an interface on switch 1 as an active router and one on switch 2 as a standby router and also configure another interface on switch 2 as an active router with another interface on switch 1 as its standby router.
HSRP Versions
Cisco IOS XE Release 3.3SE and later support these Hot Standby Router Protocol (HSRP) versions:
The switch supports these HSRP versions:
-
HSRPv1- Version 1 of the HSRP, the default version of HSRP. It has these features:
- The HSRP group number can be from 0 to 255.
- HSRPv1 uses the multicast address 224.0.0.2 to send hello packets, which can conflict with Cisco Group Management Protocol (CGMP) leave processing. You cannot enable HSRPv1 and CGMP at the same time; they are mutually exclusive.
-
HSRPv2- Version 2 of the HSRP has these features:
- HSRPv2 uses the multicast address 224.0.0.102 to send hello packets. HSRPv2 and CGMP leave processing are no longer mutually exclusive, and both can be enabled at the same time.
- HSRPv2 has a different packet format than HRSPv1.
A switch running HSRPv1 cannot identify the physical router that sent a hello packet because the source MAC address of the router is the virtual MAC address.
HSRPv2 has a different packet format than HSRPv1. A HSRPv2 packet uses the type-length-value (TLV) format and has a 6-byte identifier field with the MAC address of the physical router that sent the packet.
If an interface running HSRPv1 gets an HSRPv2 packet, the type field is ignored.
Multiple HSRP
The switch supports Multiple HSRP (MHSRP), an extension of HSRP that allows load sharing between two or more HSRP groups. You can configure MHSRP to achieve load-balancing and to use two or more standby groups (and paths) from a host network to a server network.
In the figure below, half the clients are configured for Router A, and half the clients are configured for Router B. Together, the configuration for Routers A and B establishes two HSRP groups. For group 1, Router A is the default active router because it has the assigned highest priority, and Router B is the standby router. For group 2, Router B is the default active router because it has the assigned highest priority, and Router A is the standby router. During normal operation, the two routers share the IP traffic load. When either router becomes unavailable, the other router becomes active and assumes the packet-transfer functions of the router that is unavailable.
Note |
For MHSRP, you need to enter the standby preempt interface configuration command on the HSRP interfaces so that if a router fails and then comes back up, preemption restores load sharing. |
SSO HSRP
SSO HSRP alters the behavior of HSRP when a device with redundant Route Processors (RPs) is configured for stateful switchover (SSO) redundancy mode. When an RP is active and the other RP is standby, SSO enables the standby RP to take over if the active RP fails.
With this functionality, HSRP SSO information is synchronized to the standby RP, allowing traffic that is sent using the HSRP virtual IP address to be continuously forwarded during a switchover without a loss of data or a path change. Additionally, if both RPs fail on the active HSRP device, then the standby HSRP device takes over as the active HSRP device.
The feature is enabled by default when the redundancy mode of operation is set to SSO.
How to Configure HSRP
Default HSRP Configuration
Feature | Default Setting |
---|---|
HSRP version | Version 1 |
HSRP groups | None configured |
Standby group number | 0 |
Standby MAC address | System assigned as: 0000.0c07.acXX, where XX is the HSRP group number |
Standby priority | 100 |
Standby delay | 0 (no delay) |
Standby track interface priority | 10 |
Standby hello time | 3 seconds |
Standby holdtime | 10 seconds |
HSRP Configuration Guidelines
-
HSRPv2 and HSRPv1 are mutually exclusive. HSRPv2 is not interoperable with HSRPv1 on an interface and the reverse.
-
In the procedures, the specified interface must be one of these Layer 3 interfaces:
-
Routed port: A physical port configured as a Layer 3 port by entering the no switchport command in interface configuration mode.
-
SVI: A VLAN interface created by using the interface vlan vlan_id in global configuration mode, and by default a Layer 3 interface.
-
Etherchannel port channel in Layer 3 mode: A port-channel logical interface created by using the interface port-channel port-channel-number in global configuration mode, and binding the Ethernet interface into the channel group.
-
-
All Layer 3 interfaces must have IP addresses assigned to them.
-
If you change the HSRP version on an interface, each HSRP group resets because it now has a new virtual MAC address.
Enabling HSRP
The standby ip interface configuration command activates HSRP on the configured interface. If an IP address is specified, that address is used as the designated address for the Hot Standby group. If no IP address is specified, the address is learned through the standby function. You must configure at least one Layer 3 port on the LAN with the designated address. Configuring an IP address always overrides another designated address currently in use.
When the standby ip command is enabled on an interface and proxy ARP is enabled, if the interface's Hot Standby state is active, proxy ARP requests are answered using the Hot Standby group MAC address. If the interface is in a different state, proxy ARP responses are suppressed.
SUMMARY STEPS
- configure terminal
- interface interface-id
- standby version { 1 | 2 }
- standby [ group-number] ip [ ip-address [ secondary]]
- end
- show standby [ interface-id [ group]]
- copy running-config startup-config
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
|
Step 2 |
interface interface-id Example:
|
Enters interface configuration mode, and enter the Layer 3 interface on which you want to enable HSRP. |
Step 3 |
standby version { 1 | 2 } Example:
|
(Optional) Configures the HSRP version on the interface.
If you do not enter this command or do not specify a keyword, the interface runs the default HSRP version, HSRP v1. |
Step 4 |
standby [ group-number] ip [ ip-address [ secondary]] Example:
|
Creates (or enable) the HSRP group using its number and virtual IP address.
|
Step 5 |
end Example:
|
|
Step 6 |
show standby [ interface-id [ group]] Example:
|
|
Step 7 |
copy running-config startup-config Example:
|
(Optional) Saves your entries in the configuration file. |
Configuring HSRP Priority
The standby priority, standby preempt, and standby track interface configuration commands are all used to set characteristics for finding active and standby routers and behavior regarding when a new active router takes over.
When configuring HSRP priority, follow these guidelines:
- Assigning a priority allows you to select the active and standby routers. If preemption is enabled, the router with the highest priority becomes the active router. If priorities are equal, the current active router does not change.
- The highest number (1 to 255) represents the highest priority (most likely to become the active router).
- When setting the priority, preempt, or both, you must specify at least one keyword (priority, preempt, or both)
- The priority of the device can change dynamically if an interface is configured with the standby track command and another interface on the router goes down.
- The standby track interface configuration command ties the router hot standby priority to the availability of its interfaces and is useful for tracking interfaces that are not configured for HSRP. When a tracked interface fails, the hot standby priority on the device on which tracking has been configured decreases by 10. If an interface is not tracked, its state changes do not affect the hot standby priority of the configured device. For each interface configured for hot standby, you can configure a separate list of interfaces to be tracked
- The standby track interface-priority interface configuration command specifies how much to decrement the hot standby priority when a tracked interface goes down. When the interface comes back up, the priority is incremented by the same amount.
- When multiple tracked interfaces are down and interface-priority values have been configured, the configured priority decrements are cumulative. If tracked interfaces that were not configured with priority values fail, the default decrement is 10, and it is noncumulative.
- When routing is first enabled for the interface, it does not have a complete routing table. If it is configured to preempt, it becomes the active router, even though it is unable to provide adequate routing services. To solve this problem, configure a delay time to allow the router to update its routing table.
Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP priority characteristics on an interface:
SUMMARY STEPS
- configure terminal
- interface interface-id
- standby [ group-number] prioritypriority
- standby [ group-number] preempt [ delay [ minimumseconds] [ reloadseconds] [ syncseconds]]
- standby [ group-number] track type number [ interface-priority]
- end
- show running-config
- copy running-config startup-config
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters global configuration mode. |
Step 2 |
interface interface-id Example:
|
|
Step 3 |
standby [ group-number] prioritypriority Example:
|
Use the no form of the command to restore the default values. |
Step 4 |
standby [ group-number] preempt [ delay [ minimumseconds] [ reloadseconds] [ syncseconds]] Example:
|
Use the no form of the command to restore the default values. |
Step 5 |
standby [ group-number] track type number [ interface-priority] Example:
|
|
Step 6 |
end Example:
|
|
Step 7 |
show running-config |
|
Step 8 |
copy running-config startup-config |
|
Configuring MHSRP
To enable MHSRP and load-balancing, you configure two routers as active routers for their groups, with virtual routers as standby routers as shown in the MHSRP Load Sharing figure in the Multiple HSRP section. You need to enter the standby preempt interface configuration command on each HSRP interface so that if a router fails and comes back up, the preemption occurs and restores load-balancing.
Router A is configured as the active router for group 1, and Router B is configured as the active router for group 2. The HSRP interface for Router A has an IP address of 10.0.0.1 with a group 1 standby priority of 110 (the default is 100). The HSRP interface for Router B has an IP address of 10.0.0.2 with a group 2 standby priority of 110.
Group 1 uses a virtual IP address of 10.0.0.3 and group 2 uses a virtual IP address of 10.0.0.4.
Configuring Router A
SUMMARY STEPS
- configure terminal
- interface type number
- no switchport
- ip address ip-address mask
- standby [ group-number] ip [ ip-address [ secondary]]
- standby [ group-number] priority priority
- standby [ group-number] preempt [ delay [ minimum seconds] [ reload seconds] [ sync seconds]]
- standby [ group-number] ip [ ip-address [ secondary]]
- standby [ group-number] preempt [ delay [ minimum seconds] [ reload seconds] [ sync seconds]]
- end
- show running-config
- copy running-config startup-config
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
|
Step 2 |
interface type number Example:
|
|
Step 3 |
no switchport Example:
|
|
Step 4 |
ip address ip-address mask Example:
|
|
Step 5 |
standby [ group-number] ip [ ip-address [ secondary]] Example:
|
|
Step 6 |
standby [ group-number] priority priority Example:
|
Use the no form of the command to restore the default values. |
Step 7 |
standby [ group-number] preempt [ delay [ minimum seconds] [ reload seconds] [ sync seconds]] Example:
|
Use the no form of the command to restore the default values. |
Step 8 |
standby [ group-number] ip [ ip-address [ secondary]] Example:
|
|
Step 9 |
standby [ group-number] preempt [ delay [ minimum seconds] [ reload seconds] [ sync seconds]] Example:
|
Use the no form of the command to restore the default values. |
Step 10 |
end Example:
|
|
Step 11 |
show running-config |
|
Step 12 |
copy running-config startup-config |
|
Configuring Router B
SUMMARY STEPS
- configure terminal
- interface type number
- no switchport
- ip address ip-address mask
- standby [ group-number] ip [ ip-address [ secondary]]
- standby [ group-number] priority priority
- standby [ group-number] preempt [ delay [ minimum seconds] [ reload seconds] [ sync seconds]]
- standby [ group-number] ip [ ip-address [ secondary]]
- standby [ group-number] preempt [ delay [ minimum seconds] [ reload seconds] [ sync seconds]]
- end
- show running-config
- copy running-config startup-config
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
|
Step 2 |
interface type number Example:
|
|
Step 3 |
no switchport Example:
|
|
Step 4 |
ip address ip-address mask Example:
|
|
Step 5 |
standby [ group-number] ip [ ip-address [ secondary]] Example:
|
|
Step 6 |
standby [ group-number] priority priority Example:
|
Use the no form of the command to restore the default values. |
Step 7 |
standby [ group-number] preempt [ delay [ minimum seconds] [ reload seconds] [ sync seconds]] Example:
|
Use the no form of the command to restore the default values. |
Step 8 |
standby [ group-number] ip [ ip-address [ secondary]] Example:
|
|
Step 9 |
standby [ group-number] preempt [ delay [ minimum seconds] [ reload seconds] [ sync seconds]] Example:
|
Use the no form of the command to restore the default values. |
Step 10 |
end Example:
|
|
Step 11 |
show running-config |
|
Step 12 |
copy running-config startup-config |
|
Configuring HSRP Authentication and Timers
You can optionally configure an HSRP authentication string or change the hello-time interval and holdtime.
When configuring these attributes, follow these guidelines:
-
The authentication string is sent unencrypted in all HSRP messages. You must configure the same authentication string on all routers and access servers on a cable to ensure interoperation. Authentication mismatch prevents a device from learning the designated Hot Standby IP address and timer values from other routers configured with HSRP.
-
Routers or access servers on which standby timer values are not configured can learn timer values from the active or standby router. The timers configured on an active router always override any other timer settings.
-
All routers in a Hot Standby group should use the same timer values. Normally, the holdtime is greater than or equal to 3 times the hellotime.
Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP authentication and timers on an interface:
SUMMARY STEPS
- configure terminal
- interface interface-id
- standby [ group-number] authentication string
- standby [ group-number] timers hellotime holdtime
- end
- show running-config
- copy running-config startup-config
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters global configuration mode. |
Step 2 |
interface interface-id Example:
|
|
Step 3 |
standby [ group-number] authentication string Example:
|
(Optional) group-number—The group number to which the command applies. |
Step 4 |
standby [ group-number] timers hellotime holdtime Example:
|
|
Step 5 |
end Example:
|
|
Step 6 |
show running-config |
|
Step 7 |
copy running-config startup-config |
|
Enabling HSRP Support for ICMP Redirect Messages
ICMP redirect messages are automatically enabled on interfaces configured with HSRP. ICMP is a network layer Internet protocol that provides message packets to report errors and other information relevant to IP processing. ICMP provides diagnostic functions, such as sending and directing error packets to the host. This feature filters outgoing ICMP redirect messages through HSRP, in which the next hop IP address might be changed to an HSRP virtual IP address. For more information, see the Cisco IOS IP Configuration Guide, Release 12.4.
Configuring HSRP Groups and Clustering
When a device is participating in an HSRP standby routing and clustering is enabled, you can use the same standby group for command switch redundancy and HSRP redundancy. Use the cluster standby-group HSRP-group-name [routing-redundancy] global configuration command to enable the same HSRP standby group to be used for command switch and routing redundancy. If you create a cluster with the same HSRP standby group name without entering the routing-redundancy keyword, HSRP standby routing is disabled for the group.
Troubleshooting HSRP
If one of the situations as shown in the following table occurs, this message appears:
%FHRP group
not consistent with already configured groups on the switch stack - virtual MAC
reservation failed
Situation | Action |
You configure more than 32 HSRP group instances. |
Remove HSRP groups so that up to 32 group instances are configured. |
Verifying HSRP
Verifying HSRP Configurations
From privileged EXEC mode, use this command to display HSRP settings:
show standby [ interface-id [ group]] [ brief] [ detail]
You can display HSRP information for the whole switch, for a specific interface, for an HSRP group, or for an HSRP group on an interface. You can also specify whether to display a concise overview of HSRP information or detailed HSRP information. The default display is detail . If there are a large number of HSRP groups, using the show standby command without qualifiers can result in an unwieldy display.
Example
Switch #show standby
VLAN1 - Group 1
Local state is Standby, priority 105, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:02.182
Hot standby IP address is 172.20.128.3 configured
Active router is 172.20.128.1 expires in 00:00:09
Standby router is local
Standby virtual mac address is 0000.0c07.ac01
Name is bbb
VLAN1 - Group 100
Local state is Standby, priority 105, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:02.262
Hot standby IP address is 172.20.138.51 configured
Active router is 172.20.128.1 expires in 00:00:09
Active router is local
Standby router is unknown expired
Standby virtual mac address is 0000.0c07.ac64
Name is test
Configuration Examples for Configuring HSRP
Enabling HSRP: Example
This example shows how to activate HSRP for group 1 on an interface. The IP address used by the hot standby group is learned by using HSRP.
Note |
This procedure is the minimum number of steps required to enable HSRP. Other configurations are optional. |
Switch # configure terminal
Switch(config) # interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby 1 ip
Switch(config-if)# end
Switch # show standby
Configuring HSRP Priority: Example
This example activates a port, sets an IP address and a priority of 120 (higher than the default value), and waits for 300 seconds (5 minutes) before attempting to become the active router:
Switch # configure terminal
Switch(config) # interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby ip 172.20.128.3
Switch(config-if)# standby priority 120 preempt delay 300
Switch(config-if)# end
Switch # show standby
Configuring MHSRP: Example
This example shows how to enable the MHSRP configuration shown in the figure MHSRP Load Sharing
Router A Configuration
Switch # configure terminal
Switch(config) # interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.0.0.1 255.255.255.0
Switch(config-if)# standby ip 10.0.0.3
Switch(config-if)# standby 1 priority 110
Switch(config-if)# standby 1 preempt
Switch(config-if)# standby 2 ip 10.0.0.4
Switch(config-if)# standby 2 preempt
Switch(config-if)# end
Router B Configuration
Switch # configure terminal
Switch(config) # interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.0.0.2 255.255.255.0
Switch(config-if)# standby ip 10.0.0.3
Switch(config-if)# standby 1 preempt
Switch(config-if)# standby 2 ip 10.0.0.4
Switch(config-if)# standby 1 priority 110
Switch(config-if)# standby 2 preempt
Switch(config-if)# end
Configuring HSRP Authentication and Timer: Example
This example shows how to configure word as the authentication string required to allow Hot Standby routers in group 1 to interoperate:
Switch # configure terminal
Switch(config) # interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby 1 authentication word
Switch(config-if)# end
This example shows how to set the timers on standby group 1 with the time between hello packets at 5 seconds and the time after which a router is considered down to be 15 seconds:
Switch # configure terminal
Switch(config) # interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby 1 ip
Switch(config-if)# standby 1 timers 5 15
Switch(config-if)# end
Configuring HSRP Groups and Clustering: Example
This example shows how to bind standby group my_hsrp to the cluster and enable the same HSRP group to be used for command switch redundancy and router redundancy. The command can only be executed on the cluster command switch. If the standby group name or number does not exist, or if the switch is a cluster member switch, an error message appears.
Switch # configure terminal
Switch(config) # cluster standby-group my_hsrp routing-redundancy
Switch(config-if)# end
Information About VRRP
Configuring VRRP
Virtual Router Redundancy Protocol (VRRP) is an election protocol that enables a group of routers to form a single virtual router to provide redundancy. In a VRRP configuration, one router is elected as the virtual router primary, and the other routers act as backups in case it fails. The LAN clients can then be configured with the virtual router as their default gateway, allowing several routers on a multi-access link to use the same virtual IP address. The virtual router, representing a group of routers, forms a VRRP group.
Both HSRP and VRRP perform the same function. You can choose to configure either IETF standard VRRP or Cisco’s more powerful HSRP protocol on a device or stack.
Restrictions for VRRP
-
The VRRP implementation on the switch does not support the MIB specified in RFC 2787.
-
The VRRP implementation on the switch supports only text-based authentication.