HSRP

From CCIE Study Wiki



Hot Standby Router Protocol (HSRP) is a Cisco-proprietary feature that enables first-hop redundancy in a group of routers, providing transparent fail-over capabilities.

Theory

HSRP helps overcome the problem of a host only knowing a single path out of its subnet. HSRP allows multiple routers to share a virtual IP and MAC address so that one can take over the forwarding of traffic if a failure occurs. HSRP detects when the designated active router fails, at which point a selected standby router assumes control of the MAC and IP addresses of the Hot Standby group. A new standby router is also selected at that time.

Devices that are running HSRP send and receive multicast hello messages to detect failures. When the active router fails to send a hello message within a configurable period of time, the standby router with the highest priority becomes the active router. Each router in an HSRP group has a priority of 1-255 (100 by default) that determines the active router. The standby router(s) listen for hellos from the active router. If the active router fails, the standby with the next highest priority will take over the forwarding of traffic. When the first active router comes back up, it can again assume control over the forwarding of traffic if a feature called preemption is enabled (disabled by default).

The preemption feature enables the HSRP router with the highest priority to immediately become the active router. If two routers have the same priority value, the primary IP addresses are compared and the router with the highest IP address has priority.

A router's priority for a group can be lowered via Object Tracking.
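The election rules described above (priority, IP tie-break, preemption and a tracking decrement) as a simplified model. This is an added example, not code from the wiki or from Cisco; router names, addresses and the 20-point decrement are constructed, and real HSRP state transitions and timers are not modelled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100     # default priority
    preempt: bool = False   # preemption is disabled by default
    up: bool = True

def rank(r):
    # Highest priority wins; equal priorities fall back to the highest primary IP.
    return (r.priority, int(IPv4Address(r.ip)))

def elect(routers, active=None):
    """Simplified model: return the active router once hellos have been exchanged."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    if active is None or not active.up:
        return max(alive, key=rank)   # no live active router: best-ranked takes over
    # A live active router is displaced only by a better-ranked router with preempt on.
    challengers = [r for r in alive if r.preempt and rank(r) > rank(active)]
    return max(challengers, key=rank) if challengers else active

def failover_scenario(preempt):
    """R1 (priority 110) fails and recovers; returns the active router after each step."""
    r1 = Router("R1", "10.0.0.2", priority=110, preempt=preempt)
    r2 = Router("R2", "10.0.0.3")
    group, history, active = [r1, r2], [], None
    for r1_up in (True, False, True):
        r1.up = r1_up
        active = elect(group, active)
        history.append(active.name)
    return history

def tracking_scenario(standby_preempt):
    """Active R1 loses 20 priority points through object tracking (110 -> 90)."""
    r1 = Router("R1", "10.0.0.2", priority=110)
    r2 = Router("R2", "10.0.0.3", preempt=standby_preempt)
    active = elect([r1, r2])
    r1.priority -= 20
    return elect([r1, r2], active).name

if __name__ == "__main__":
    print(failover_scenario(False), failover_scenario(True))
    print(tracking_scenario(False), tracking_scenario(True))
```

In the model, a lowered priority on the active router only causes a switchover when the standby router has preemption enabled.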


There are two different versions of HSRP, with version 1 being the default. Differences between the two are:

  • HSRP group numbers range from 0 to 255 in v1, and from 0 to 4095 in v2.
  • v1 uses the multicast address of 224.0.0.2 to send hellos, which may conflict with CGMP. v2 uses the multicast address of 224.0.0.102.
  • HSRP v2 has a different packet format. Most notably, each packet includes the MAC address of the sending interface. HSRP v2 packets received by an HSRP v1 router will have the new type field mapped to the version field by HSRP version 1 and subsequently ignored.
  • v2 timers are expressed in milliseconds, while v1 timers can be configured in seconds OR milliseconds.


HSRP groups use a virtual MAC of 0000.0c07.acXX, where XX is the HSRP group number in hex format. Virtual IPs must be in the same subnet as the router's interfaces, and must be unique.

MD5 and clear-text authentication are supported for HSRP and help protect the routers from DoS attacks. Authentication can be configured to use a text string or a key-chain.

When using multiple HSRP groups on the same subnet, each client (either via DHCP or statically) must be configured with a default gateway of one of the two HSRP groups.

There are three types of HSRP multicast messages:

  1. Hello - basic message that holds priority and state info about the router
  2. Coup - sent by the standby router when it wants to become the active router
  3. Resign - sent by an active router shutting down or when another router with a higher priority sends a hello or coup message

Each HSRP router maintains three timers that are used for timing hello messages: an active timer, a standby timer, and a hello timer. When a timer expires, the router changes to a new HSRP state. Routers or access servers for which timer values are not configured can learn timer values from the active or standby router. The timers configured on the active router always override any other timer settings. All routers in a Hot Standby group should use the same timer values.

Commands

  • standby [group-number] ip [ip-address [secondary]] (interface) - enables a HSRP group and defines the virtual IP
  • standby [group-number] priority priority (interface) - defines the HSRP group priority
  • standby [group-number] timers [msec] hellotime [msec] holdtime (interface) - allows you to manually configure the HSRP timers
  • standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}] (interface) - enables HSRP preemption and sets timers
  • standby delay minimum min-seconds reload reload-seconds (interface) - Command allows you to delay HSRP from initializing after a reload and/or after an interface comes up. Helps prevent HSRP state "flapping". Cisco recommends the min-seconds/reload-seconds to be set at 30 and 60 respectively.
  • standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}] (interface) - Configures the HSRP preemption feature and allows you to delay preemption as needed.
  • standby [group-number] track object-number [decrement priority-decrement] (interface) - HSRP command used with the object-tracking feature.
  • standby [group-number] track object-number shutdown (interface) - HSRP command used with the object-tracking feature.
  • standby [group-number] authentication md5 key-string [0 | 7] key [timeout seconds] (interface) - Command to configure HSRP to use a given string for authentication purposes.
  • standby [group-number] authentication md5 key-chain key-chain-name (interface) - Command to have HSRP reference a key-chain for authentication.
  • standby group-number follow group-name (interface) - Optimizes HSRP resource utilization by preventing HSRP group timers from activating at the same time.
  • standby version {1 | 2} (interface) - Changes the HSRP version in use.
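A configuration check built on the authentication commands listed above: it reads an IOS-style configuration and reports each HSRP group that is not using MD5 authentication. This is an added example, not part of the wiki or of any Cisco tool; the sample configuration, interface names and key names are constructed, and the code assumes that an omitted group number means group 0 and that any non-md5 authentication line is clear text.

```python
import re

# Matches " standby [group] <keyword> <args>"; assumption: an omitted group
# number means group 0.
STANDBY = re.compile(r"^\s+standby\s+(?:(\d+)\s+)?(\S+)\s*(.*)$")
INTERFACE_WIDE = {"version", "delay"}  # standby sub-commands without a group number

# Constructed sample configuration (interface names, addresses and keys are made up).
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 standby version 2
 standby 10 ip 10.0.0.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-chain HSRP-KEYS
 standby 20 ip 10.0.0.254
 standby 20 authentication text s3cret
!
interface GigabitEthernet0/1
 ip address 10.0.1.2 255.255.255.0
 standby ip 10.0.1.1
 standby preempt
"""

def audit_hsrp(config):
    """Map (interface, group) -> finding for every HSRP group not using MD5."""
    auth = {}      # (interface, group) -> "none" | "text" | "md5"
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            continue
        if not line.startswith(" "):
            iface = None          # "!" or a global command ends the interface block
            continue
        m = STANDBY.match(line)
        if iface is None or m is None or m.group(2) in INTERFACE_WIDE:
            continue
        key = (iface, int(m.group(1) or 0))
        auth.setdefault(key, "none")
        if m.group(2) == "authentication":
            # Assumption: any authentication line that is not "md5 ..." is clear text.
            auth[key] = "md5" if m.group(3).startswith("md5 ") else "text"
    labels = {"none": "no authentication configured",
              "text": "clear-text authentication"}
    return {k: labels[v] for k, v in auth.items() if v != "md5"}

if __name__ == "__main__":
    for (iface, group), finding in audit_hsrp(SAMPLE).items():
        print(f"{iface} group {group}: {finding}")
```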


Default Settings

  • HSRP version 1
  • Default HSRP priority 100
  • Default 3 second hello interval
  • 10 second dead interval
  • No preemption

Verification

  • show standby [all] [brief] - Basic verification command to display HSRP info.
  • show standby type number [group-number | all] [brief] - Shows HSRP information about specific groups or interfaces.
  • debug standby errors - Shows error messages related to HSRP.
  • debug standby events ha - Will display the active and standby routers.

Troubleshooting, Tips, and Tricks

  • Pashtuk explains an HSRP "gotcha" that involves him trying to delete a tracking statement out of his config.
  • The same HSRP group number or HSRP MAC address cannot be configured on different subinterfaces of the same major interface.
  • Watch out for timer behavior if the legacy HSRPv1 is in use; if using millisecond timers (which HSRPv2 always uses), these values must be present on all HSRP group routers.

This page was last modified on 23 October 2009, at 19:36. This page has been accessed 1,721 times.