
HSRP : the definitive guide

Hot Standby Router Protocol (HSRP) is a Cisco proprietary default gateway redundancy protocol. If the primary gateway fails, HSRP automatically redirects hosts to the backup gateway.

HSRP has been covered in a few RouterFreak articles such as:

To avoid reinventing the wheel, let’s delve deeper into HSRP’s workings. To do this we’ll use the following topology:

Network Topology

After having read the aforementioned articles you will know that by using HSRP we’ll be able to configure Core-1 and Core-2 to share the default gateway IP address in an Active/Standby manner. Let’s go ahead and do that now:

Core-1:
interface FastEthernet0/0
 ip address 192.168.54.2 255.255.255.0
 duplex auto
 speed auto
 standby 10 priority 105
 standby 10 ip 192.168.54.1
 standby 10 preempt

Core-2:
interface FastEthernet0/0
 ip address 192.168.54.3 255.255.255.0
 duplex auto
 speed auto
 standby 10 ip 192.168.54.1
 standby 10 priority 95
 standby 10 preempt

This configuration is quite straightforward, but let’s dissect it for the sake of completeness:

  • the two routers are in HSRP Group 10.
  • Core-1 is the Active router due to its higher priority.
  • the preempt command has been enabled. This means that if Core-1 goes offline, it will automatically regain its HSRP Active state in Group 10 when it is back online.

Let’s take a look at what the “show standby” output tells us:

Core-1(config-if)# do show standby
FastEthernet0/0 - Group 10
State is Active
2 state changes, last state change 00:00:09
Virtual IP address is 192.168.54.1
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.028 secs
Preemption enabled
Active router is local
Standby router is 192.168.54.3, priority 95 (expires in 8.444 sec)
Priority 105 (configured 105)
Group name is "hsrp-Fa0/0-10" (default)

Let’s now dissect the above output and play around with a few settings to make sure we fully understand what it is telling us.

FastEthernet0/0 - Group 10
State is Active

This tells us that Core-1’s FastEthernet0/0 interface is currently serving as the default gateway in group 10. By shutting this interface down we’ll see that it moves to an “Init” state instead:

Core-1(config-if)#do show standby
FastEthernet0/0 - Group 10
State is Init (interface down)

If we jump onto Core-2 we’ll see that it has now become the active gateway:

Core-2(config-if)#do sh stand
FastEthernet0/0 - Group 10
State is Active

(For more information on HSRP states, please refer to this page.)

Then we have this line:

2 state changes, last state change 00:00:09

This tells us the last time Core-1’s HSRP state changed. As we just saw, when we shut down Core-1’s FastEthernet0/0 interface it went from Active to Init. This is what is known as a state change. As a result, the change count incremented and the timer reset:

Core-1(config-if)#do sh stand
FastEthernet0/0 - Group 10
State is Init (interface down)
3 state changes, last state change 00:00:02

This is a great indication of whether you’re having an HSRP issue. For example, if your state change count is high and the time since your last state change is always low, it is more than likely that you have a problem that needs to be rectified.

Next, we have our HSRP MAC address:

Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)

One might assume that this is an address which was picked at random. However, this is not the case. The MAC address can actually be broken down into three parts:

  1. The MAC address Organizationally Unique Identifier (OUI) – the first six HEX characters of the MAC address (0000.0c) – belongs to Cisco.
  2. The 07ac characters are used specifically by HSRP.
  3. The last two characters identify the HSRP group number in HEX: as we’re using group 10, the characters in the MAC address are 0a.

Next are our Hello, Hold and Standby router timers:

Hello time 3 sec, hold time 10 sec
Next hello sent in 2.028 secs
Standby router is 192.168.54.3, priority 95 (expires in 7.444 sec)

Now let’s go ahead and verify if the router really is sending Hellos every three seconds:

Core-1#deb standby packets hello
May 4 22:56:20.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:21.139: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 22:56:23.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:24.119: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 22:56:26.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:26.691: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:27.131: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 22:56:29.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:30.131: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 22:56:32.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:33.127: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 22:56:35.243: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:35.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1

As we can see from the above output, Core-1 mostly keeps to its 3-second Hello interval, but at times it also sends an additional Hello milliseconds after the previous one.
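To measure this rather than eyeball it, the added example below (not code from the original article) parses the first nine debug lines of the capture above, computes the gap between consecutive Hellos per sender, and classifies each gap against the 3-second hello and 10-second hold timers. The 0.5-second tolerance and the year are assumptions.

```python
import re
from datetime import datetime

# First nine lines of the Core-1 "debug standby packets hello" capture above.
DEBUG_OUTPUT = """\
May 4 22:56:20.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:21.139: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 22:56:23.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:24.119: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 22:56:26.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:26.691: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:27.131: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 22:56:29.527: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.2 Active pri 105 vIP 192.168.54.1
May 4 22:56:30.131: HSRP: Fa0/0 Grp 10 Hello in 192.168.54.3 Standby pri 95 vIP 192.168.54.1
"""

HELLO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): HSRP: (?P<intf>\S+) "
    r"Grp (?P<grp>\d+) Hello (?P<dir>in|out) (?P<src>\S+) (?P<state>\w+) pri (?P<pri>\d+)"
)

def hello_gaps(text, year=2024):
    """Map (direction, sender IP, group) -> seconds between consecutive Hellos."""
    last_seen, gaps = {}, {}
    for line in text.splitlines():
        m = HELLO_RE.match(line.strip())
        if not m:
            continue  # not a Hello debug line
        # IOS omits the year by default; the value used here is an assumption.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        key = (m["dir"], m["src"], int(m["grp"]))
        if key in last_seen:
            gaps.setdefault(key, []).append((ts - last_seen[key]).total_seconds())
        last_seen[key] = ts
    return gaps

def audit_hellos(text, hello=3.0, hold=10.0, tolerance=0.5):
    """Count early (extra), late and hold-expiring gaps for every sender."""
    report = {}
    for key, values in hello_gaps(text).items():
        report[key] = {
            "extra": sum(1 for g in values if g < hello - tolerance),
            "late": sum(1 for g in values if hello + tolerance < g < hold),
            "hold_expired": sum(1 for g in values if g >= hold),
            "max_gap": max(values),
        }
    return report
```

A non-zero "hold_expired" count for an incoming sender marks a silence long enough for the local router to declare that peer down.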

In order to take the Hold and Standby router expiry timers for a spin, let’s jump onto Core-2 and block Core-1’s HSRP packets. Core-2 will then believe that Core-1 is down and will become the active gateway:

Core-2(config-if)#ip access-list ext BLOCK_HSRP
Core-2(config-ext-nacl)#deny udp host 192.168.54.2 eq 1985 host 224.0.0.2 eq 1985
Core-2(config-ext-nacl)#permit ip any any
Core-2(config)#int f0/0
Core-2(config-if)#ip access-group BLOCK_HSRP in
May 4 23:20:07.195: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 23:20:10.027: HSRP: Fa0/0 Interface adv out, Passive, active 0 passive 1
May 4 23:20:10.195: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 23:20:13.195: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.3 Standby pri 95 vIP 192.168.54.1
May 4 23:20:13.223: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active
May 4 23:20:13.223: HSRP: Fa0/0 Interface adv out, Active, active 1 passive 0
May 4 23:20:13.223: HSRP: Fa0/0 Grp 10 Hello out 192.168.54.3 Active pri 95 vIP 192.168.54.1

That’s interesting – we see that Core-2 proclaimed itself the active gateway in 6 seconds. We thought the hold timer was 10 seconds, though? Well, it is. However, as I applied the ACL a couple seconds after the last Hello packet was sent, the hold timer had evidently run down four seconds.

Next, we have these three lines:

Preemption enabled
Active router is local
Priority 105 (configured 105)

Preemption means that if a router with a higher priority comes online it will take over the active gateway duties.

The “Active router is local” line means just that – the router we issued the command on (Core-1) is the active gateway.

And finally, the “Priority 105” line tells us the priority that this interface is configured with. With HSRP, the device with the highest priority becomes the active gateway.

To test these three lines, what we’ll do is track Core-1’s upstream interface (FastEthernet0/1). If it goes down, we’ll decrement Core-1’s downstream (FastEthernet0/0) interface’s HSRP priority by 50, resulting in Core-2’s downstream (FastEthernet0/0) interface’s HSRP priority of 95 being higher. This will result in Core-2 becoming the active gateway.

Core-1(config-if)#interface FastEthernet0/0
Core-1(config-if)#standby 10 track FastEthernet0/1 50

Now that tracking has been set up, let’s shut down FastEthernet0/1 on Core-1 and see what happens:

Core-1(config-if)#int f0/1
Core-1(config-if)#shut
May 4 23:39:12.123: %TRACKING-5-STATE: 1 interface Fa0/1 line-protocol Up->Down
May 4 23:39:12.479: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Active -> Speak
May 4 23:39:14.119: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
May 4 23:39:15.119: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
May 4 23:39:22.479: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby
Core-1(config-if)#do sh stan
FastEthernet0/0 - Group 10
Preemption enabled
Standby router is local
Priority 55 (configured 105)
Track interface FastEthernet0/1 state Down decrement 50
Group name is "hsrp-Fa0/0-10" (default)

As we can see from the output above, the Standby router is now local – not the Active router. We can also see that the priority has dropped from 105 to 55. Now to test pre-emption, we simply have to bring FastEthernet0/1 back up:

May 4 23:42:25.539: %TRACKING-5-STATE: 1 interface Fa0/1 line-protocol Down->Up
May 4 23:42:27.467: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active
May 4 23:42:27.535: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
May 4 23:42:28.535: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Core-1(config-if)#do show standby
FastEthernet0/0 - Group 10
Preemption enabled
Active router is local
Priority 105 (configured 105)
Track interface FastEthernet0/1 state Up decrement 50
Group name is "hsrp-Fa0/0-10" (default)

If pre-emption weren’t enabled and we brought FastEthernet0/0 back up, Core-2 would remain the active gateway even though Core-1 has the better priority.
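The interaction between priority, interface tracking and preemption tested above can be captured in a small model. This is an added example, not code from the original article or from Cisco: a simplified election that ignores timers and the intermediate Speak state, with the Router class and the elect and replay functions being hypothetical names. It replays the Fa0/1 down/up test with preemption on Core-1 enabled or disabled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class Router:
    name: str
    ip: str
    configured_priority: int = 100  # IOS default when "standby priority" is absent
    preempt: bool = False
    track_decrement: int = 0        # "standby <grp> track <intf> <decrement>"
    tracked_up: bool = True
    online: bool = True

    @property
    def priority(self):
        """Effective priority, as on the 'Priority 55 (configured 105)' line."""
        drop = 0 if self.tracked_up else self.track_decrement
        return max(0, self.configured_priority - drop)

def rank(router):
    # Higher priority wins; RFC 2281 breaks equal priority by the higher IP address.
    return (router.priority, IPv4Address(router.ip))

def elect(routers, current_active=None):
    """Return the name of the Active router after the group settles."""
    alive = [r for r in routers if r.online]
    incumbent = next((r for r in alive if r.name == current_active), None)
    if incumbent is None:  # no Active router left: best remaining candidate wins
        return max(alive, key=rank).name if alive else None
    # An existing Active router is only displaced by a preempt-enabled, better router.
    challengers = [r for r in alive if r.preempt and rank(r) > rank(incumbent)]
    return max(challengers, key=rank).name if challengers else incumbent.name

def replay(core1_preempt):
    """Replay the tracking test: Fa0/1 goes down, then comes back up."""
    core1 = Router("Core-1", "192.168.54.2", 105, core1_preempt, track_decrement=50)
    core2 = Router("Core-2", "192.168.54.3", 95, preempt=True)
    history = [elect([core1, core2])]
    for tracked_up in (False, True):
        core1.tracked_up = tracked_up
        history.append(elect([core1, core2], current_active=history[-1]))
    return history
```
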

And that’s a wrap! If you have any questions please feel free to post them in the comments section below.

About Will Robinson

Will is a senior systems engineer who works in both the enterprise and data center space. His skills cover routing and switching, security, cloud, visualization and storage. When he's not working he's usually labbing, studying or helping out on I.T forums. He also owns and runs the oznetnerd.com blog.
