Romit Kakadiya

HSRP (Hot Standby Router Protocol)

Updated: Nov 9, 2022


Large organizations are always connected to the internet. When an edge router or an internet line fails, the organization needs to move traffic immediately to another edge router that acts as a backup. HSRP is used for this.


HSRP keeps the connection reliable across two or more lines or edge routers when a failure or other problem occurs. It uses two or more routers to create a virtual circuit that provides a better path to the internet or into the system. If one router goes down, another router takes over all traffic from that edge router.


HSRP uses 224.0.0.2 on port number 1985. HSRP uses an Active and a Standby router and forwards traffic based on those roles. Active means the router is ready to forward traffic to the internet or next hop. Standby means the router is ready but does not forward traffic. It is a backup path: when the active router goes down or has an issue, the standby router becomes the Active router and forwards traffic to the internet or next hop.


HSRP uses a virtual IP: devices communicate with this IP instead of a physical interface IP address. HSRP uses groups for multiple sites or multiple different connections. The routers in each group communicate with each other and become active or standby within that group. HSRP uses timers to determine when a router becomes Active or Standby.


Initial Configuration:


1. Assign the HSRP virtual IP

Here 10 is the group number.

This configuration is the same on both Gateway-1 & Gateway-2.

Gateway-1(config)#interface gigabitEthernet 0/1
Gateway-1(config-if)#standby 10 ip 172.16.10.1

After the virtual IP is applied, the edge routers change their state to Active and Standby.

Gateway-1
%HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 10 state Standby -> Active

Gateway-2
%HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 10 state Standby -> Listen
%HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 10 state Speak -> Standby

2. Preemption

Preemption is used when the higher-priority router should always be the active router. When a router that was down or disconnected comes back up and its priority is higher than the other router's, it is elected as the active router and the other router moves to the standby state.

This configuration is the same on both Gateway-1 & Gateway-2.

Gateway-1(config)#interface gigabitEthernet 0/1
Gateway-1(config-if)#standby 10 preempt

To check whether preemption is enabled:

Gateway-1#sh standby | section Preempt
  Preemption enabled

3. Authentication

HSRP uses authentication so that routers or other devices that are not authorized cannot join the group or send messages to the authenticated routers. HSRP uses MD5 authentication.

Use the same key on both routers.

This configuration is the same on both Gateway-1 & Gateway-2.

Gateway-1(config)#interface gigabitEthernet 0/1
Gateway-1(config-if)#standby 10 authentication md5 key-string CISCO-SECRET

To check Authentication:

Gateway-1#sh standby | section Authentication
  Authentication MD5, key-string
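
An added example (not from the original post): a small Python audit that reads IOS interface configuration and reports HSRP groups that lack the MD5 authentication configured above. The sample config is constructed; GigabitEthernet0/2, GigabitEthernet0/3 and their settings are hypothetical, as are the function names.

```python
import re

# Constructed sample: GigabitEthernet0/1 mirrors the Gateway-1 commands on this
# page; the other two interfaces are hypothetical, added to show findings.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 standby version 2
 standby 10 ip 172.16.10.1
 standby 10 preempt
 standby 10 authentication md5 key-string CISCO-SECRET
interface GigabitEthernet0/2
 standby 20 ip 172.16.20.1
 standby 20 authentication text hsrpkey
interface GigabitEthernet0/3
 standby ip 172.16.30.1
 standby preempt
"""

# Per-group HSRP keywords handled here; other 'standby' lines are ignored.
GROUP_KEYWORDS = {"ip", "preempt", "priority", "timers", "track", "authentication"}
STANDBY_RE = re.compile(r"standby\s+(?:(\d+)\s+)?(\S+)\s*(.*)$")

def audit_hsrp_auth(config_text):
    """Map (interface, group) -> 'md5', 'text' or 'none' for each HSRP group."""
    groups, interface = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            interface = raw.split(None, 1)[1].strip()
            continue
        m = STANDBY_RE.match(raw.strip())
        if not (interface and m and m.group(2) in GROUP_KEYWORDS):
            continue  # e.g. 'standby version 2' applies to the whole interface
        key = (interface, int(m.group(1) or 0))  # group defaults to 0 when omitted
        groups.setdefault(key, "none")
        if m.group(2) == "authentication":
            groups[key] = "md5" if m.group(3).split()[:1] == ["md5"] else "text"
    return groups

def groups_without_md5(config_text):
    """HSRP groups that are not protected by MD5 authentication."""
    found = audit_hsrp_auth(config_text)
    return sorted(key for key, mode in found.items() if mode != "md5")

if __name__ == "__main__":
    for iface, group in groups_without_md5(SAMPLE_CONFIG):
        print(f"{iface} group {group}: no MD5 authentication")
```
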

4. HSRP Version 2

- Organizations want traffic to move immediately, with as little time as possible for a router to reach the active state. Version 1 supports timer values in seconds, so the minimum hello timer is 1 sec & the hold timer is 3 sec, which is not fast enough. Version 2 supports msec, so the standby-to-active time is shorter and the router changes state faster.

- Version 1 supports only group numbers in the range 0-255. If your organization has many VLANs and many ISP connections, more groups are needed, so version 2 supports the range 0-4095.

- HSRP communicates and advertises its messages on multicast address 224.0.0.2.

- This is the all-routers multicast address, and sharing it sometimes causes communication problems.

- Version 2 uses its own multicast address, 224.0.0.102, only for HSRP communication.

This configuration is the same on both Gateway-1 & Gateway-2.

Gateway-1(config)#interface gigabitEthernet 0/1
Gateway-1(config-if)#standby version 2

HSRP presents a virtual MAC address to clients. The format of the virtual MAC address shows whether version 1 or 2 is in use. Version 1 uses 9ff0 (16 bit) as the identifier & only 8 bits remain, so it supports 256 groups. Version 2 uses 9ff (12 bit) as the version identifier & 12 bits remain, so it supports 4096 groups.

To check the version on the router:

Gateway-1#sh standby | include version
GigabitEthernet0/1 - Group 10 (version 2)

5. HSRP Timers

HSRP sends its hello and hold timers to a multicast group address.

Hold timer = 3x Hello timer. The default hello timer is 3s & the hold time is 9s. This is too long, so HSRP allows manual configuration of the timers for better convergence.

This configuration is the same on both Gateway-1 & Gateway-2.

Gateway-1(config)#interface gigabitEthernet 0/1
Gateway-1(config-if)#standby 10 timers msec 500 msec 1500

To check timer configuration:

Gateway-1#sh standby | include time
  Hello time 500 msec, hold time 1500 msec

6. Interface Tracking or Object tracking

HSRP timer messages are sent on the internal network. But what happens if the internet line on one side is broken? The edge router still sends HSRP timer messages and acts as the Active router, so all traffic is forwarded to that side and dropped. To prevent this situation, use interface tracking. With interface tracking the router tracks an interface; if that interface goes down, the router applies a penalty and decrements its priority by the value set in the configuration, and when the interface comes back up the priority is automatically incremented again.

This configuration is set only on the one router that has the higher priority and is the Active router.

Gateway-1(config)#track 10 interface GigabitEthernet 0/0 line-protocol
Gateway-1(config)#interface gigabitEthernet 0/1
Gateway-1(config-if)#standby 10 track 10 decrement 90

In this scenario, g0/0 is shut down to show how traffic moves and what changes in the standby configuration.

Gateway-1#sh standby
GigabitEthernet0/1 - Group 10 (version 2)
  State is Standby
    13 state changes, last state change 00:00:00
  Virtual IP address is 172.16.10.1
  Active virtual MAC address is 0000.0c9f.f00a
    Local virtual MAC address is 0000.0c9f.f00a (v2 default)
  Hello time 500 msec, hold time 1500 msec
    Next hello sent in 0.128 secs
  Authentication MD5, key-string
  Preemption enabled
  Active router is 172.16.10.20, priority 100 (expires in 1.696 sec)
    MAC address is 0c21.fe23.8201
  Standby router is local
  Priority 30 (configured 120)
    Track object 10 state Down decrement 90
  Group name is "hsrp-Gi0/1-10" (default)
  
State change log on Gateway-1:
  %TRACK-6-STATE: 10 interface Gi0/0 line-protocol Up -> Down
  %HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 10 state Speak -> Standby
  
State change log in Gateway-2:
 %HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 10 state Standby -> Active
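
The tracking scenario above as an added Python model (not from the original post and not Cisco's implementation): effective priority is the configured priority minus the decrement of each tracked object that is Down, and a router takes over only with preempt enabled and a strictly higher priority. The priorities 120 and 100 and the decrement 90 come from the output above; the class and function names are hypothetical, and equal priorities are left unchanged as a simplification.

```python
from dataclasses import dataclass, field

@dataclass
class Router:
    name: str
    priority: int = 100                          # configured priority
    preempt: bool = False
    tracks: dict = field(default_factory=dict)   # track object id -> decrement
    down: set = field(default_factory=set)       # tracked objects currently Down

    def effective_priority(self):
        # Each tracked object that is Down subtracts its decrement.
        penalty = sum(dec for obj, dec in self.tracks.items() if obj in self.down)
        return self.priority - penalty

def next_active(current, routers):
    """Router that is Active once priorities settle (simplified model)."""
    challengers = [r for r in routers
                   if r is not current and r.preempt
                   and r.effective_priority() > current.effective_priority()]
    return max(challengers, key=Router.effective_priority) if challengers else current

def uplink_failure(decrement, gw2_preempt=True):
    """Gateway-1 is Active and its tracked uplink (object 10) goes Down."""
    gw1 = Router("Gateway-1", priority=120, preempt=True, tracks={10: decrement})
    gw2 = Router("Gateway-2", priority=100, preempt=gw2_preempt)
    gw1.down.add(10)
    return next_active(gw1, [gw1, gw2]).name, gw1.effective_priority()

if __name__ == "__main__":
    print(uplink_failure(90))                     # values from this page
    print(uplink_failure(10))                     # decrement smaller than the priority gap
    print(uplink_failure(90, gw2_preempt=False))  # standby router cannot preempt
```

A decrement smaller than the gap between the two priorities, or a standby router without preempt, leaves Gateway-1 Active with a dead uplink, which is the case tracking is meant to prevent.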
