Ensuring Internet Connectivity with HSRP: A Lifeline for Large Organizations

In today's digitally interconnected world, large organizations rely heavily on their internet connectivity to keep their operations running smoothly. Whether it's for communication, accessing cloud services, or facilitating transactions, a stable internet connection is crucial. However, even the most robust network infrastructure can encounter hiccups, such as router failures or internet line disruptions, leading to potential downtime and productivity losses. This is where High Availability Seamless Redundancy Protocol (HSRP) comes into play as a vital solution for maintaining uninterrupted connectivity.

What is HSRP?

HSRP, short for High Availability Seamless Redundancy Protocol, is a networking protocol used to provide redundancy and high availability for routing traffic between two or more routers or internet lines. Essentially, HSRP creates a failover mechanism where if one router or internet line fails, another router seamlessly takes over the traffic, ensuring continuity of service.

How Does HSRP Work?

HSRP operates by creating a virtual circuit between the routers involved, establishing a backup path for traffic in case of failure. This virtual circuit is represented by a virtual IP address, which devices use to communicate instead of the physical interface IP addresses of the routers.

The routers participating in HSRP are designated as Active and Standby. The Active router is responsible for forwarding traffic to the internet or the next hop, while the Standby router remains ready to take over in case the Active router fails. This standby router essentially acts as a backup, ensuring uninterrupted connectivity when the primary router encounters issues.

HSRP use 224.0.0.2 on port number 1985.

Initial Configuration:

1. HSRP Virtual IP assign

HSRP assigns a virtual IP address to the devices within the network, providing a stable point of communication instead of relying solely on physical interface IP addresses. This virtual IP is associated with a specific group, allowing for the management of multiple sites or connections.

Here 10 is group number

This configuration is same on both Gateway-1 & Gateway-2

Gateway-1(config)#interface gigabitEthernet 0/1
Gateway-1(config-if)#standby 10 ip 172.16.10.1

After applying virtual IP edge router change their state to Active and Standby

Gateway-1
%HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 10 state Standby -> Active

Gateway-2
%HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 10 state Standby -> Listen
%HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 10 state Speak -> Standby

2. Preemption

Preemption ensures that the router with the highest priority becomes the active router. If a router with a higher priority becomes available after a failure, it automatically assumes the active role.

This configuration is same on both Gateway-1 & Gateway-2

Gateway-1(config)#interface gigabitEthernet 0/1
Gateway-1(config-if)#standby 10 preempt

To check Preemption is enable or not:

Gateway-1#sh standby | section Preempt
  Preemption enabled

3. Authentication

HSRP employs authentication mechanisms, such as MD5 encryption, to prevent unauthorized devices from joining the group and sending messages to authenticated routers.

Use the same key on both routers.

This configuration is same on both Gateway-1 & Gateway-2

Gateway-1(config)#interface gigabitEthernet 0/1
Gateway-1(config-if)#standby 10 authentication md5 key-string CISCO-SECRET

To check Authentication:

Gateway-1#sh standby | section Authentication
  Authentication MD5, key-string

4. HSRP Version 2

When organizations aim to transfer traffic swiftly or require routers to become active within a shorter time frame, HSRP version 1 may not suffice. In version 1, the minimum hello timer is set to 1 second, with a hold timer of 3 seconds. However, this may not meet the requirements for rapid state changes. Version 2, on the other hand, supports millisecond granularity, allowing for quicker transitions to the active state.

Additionally, while version 1 supports group numbers within the range of 0-255, which may be limiting for organizations with numerous VLANs and multiple ISPs, version 2 extends this range to 0-4095, accommodating larger-scale deployments.

HSRP utilizes the multicast address 224.0.0.2 for communication, a common address for routers to advertise their messages. However, relying solely on this multicast address can sometimes lead to communication issues.

In contrast, version 2 of HSRP employs an independent multicast address, specifically 224.0.0.102, dedicated solely to HSRP communication, thus avoiding potential conflicts and communication problems.

This configuration is same on both Gateway-1 & Gateway-2

Gateway-1(config)#interface gigabitEthernet 0/1
Gateway-1(config-if)#standby version 2

HSRP assigns a virtual MAC address to the client devices. In version 1, the virtual MAC address format includes a (9ff0) 16-bit identifier, leaving only 8 bits for group designation, resulting in support for 256 groups. Conversely, version 2 utilizes a (9ff) 12-bit identifier, allowing for 4096 groups, effectively expanding the scalability and flexibility of HSRP deployments.

To check version on router:

Gateway-1#sh standby | include version
GigabitEthernet0/1 - Group 10 (version 2)

5. HSRP Timers

HSRP operates on the principle of redundancy, allowing for failover in case of router malfunctions or link failures. Key to this redundancy are the hello and hold timers, which regulate the exchange of information between routers within an HSRP group.

1. Hello Timer: The hello timer determines the frequency with which routers exchange hello messages. By default, the hello timer is set to 3 seconds, indicating that routers broadcast hello messages every 3 seconds to the multicast group address. This periodic exchange facilitates router monitoring and detection of failures.

2. Hold Timer: The hold timer, also known as the dead timer, defines the duration for which a router considers its peer as active if no hello message is received. HSRP sets the hold timer to three times the value of the hello timer, resulting in a default hold time of 9 seconds. During this period, if a router fails to receive a hello message from its peer, it transitions to the active state.

Manual Configuration for Optimal Performance: While the default timer values ensure basic functionality, they may not always align with specific network requirements, especially in environments where rapid failover is critical. Fortunately, HSRP allows for manual configuration of timers, offering network administrators greater flexibility and control.

This configuration is same on both Gateway-1 & Gateway-2

Gateway-1(config)#interface gigabitEthernet 0/1
Gateway-1(config-if)#standby 10 timers msec 500 msec 1500

To check timer configuration:

Gateway-1#sh standby | include time
  Hello time 500 msec, hold time 1500 msec

6. Interface Tracking or Object tracking

In HSRP (Hot Standby Router Protocol), timers are sent within an internal network to facilitate communication between routers. However, a problem arises if one side of the internet connection fails while an HSRP timer message is being sent. In this scenario, the edge router might erroneously interpret the loss of communication as a signal to become the Active router. Consequently, all traffic is forwarded to that side, leading to potential data loss. To prevent such situations, interface tracking can be implemented.

With interface tracking, the router monitors specific interfaces. If an interface goes down, the router imposes a penalty by decrementing the priority, as configured. Subsequently, when the interface comes back online, the router automatically increments the priority accordingly. This mechanism ensures that routers make informed decisions about their role in the network, mitigating the risk of traffic misdirection and loss.

This configuration is set on only one router that have higher priority and Active router.

Gateway-1(config)#track 10 interface GigabitEthernet 0/0 line-protocol
Gateway-1(config)#interface gigabitEthernet 0/1
Gateway-1(config)#standby 10 track 10 decrement 90

In this scenario, g0/0 will shutdown and show how traffic will go and what changes in a standby configuration

Gateway-1#sh standby
GigabitEthernet0/1 - Group 10 (version 2)
  State is Standby
    13 state changes, last state change 00:00:00
  Virtual IP address is 172.16.10.1
  Active virtual MAC address is 0000.0c9f.f00a
    Local virtual MAC address is 0000.0c9f.f00a (v2 default)
  Hello time 500 msec, hold time 1500 msec
    Next hello sent in 0.128 secs
  Authentication MD5, key-string
  Preemption enabled
  Active router is 172.16.10.20, priority 100 (expires in 1.696 sec)
    MAC address is 0c21.fe23.8201
  Standby router is local
  Priority 30 (configured 120)
    Track object 10 state Down decrement 90
  Group name is "hsrp-Gi0/1-10" (default)
  
State change log on Gateway-1:
  %TRACK-6-STATE: 10 interface Gi0/0 line-protocol Up -> Down
  %HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 10 state Speak -> Standby
  
State change log in Gateway-2:
 %HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 10 state Standby -> Active