Below are my notes for the CCNP Routing & Switching SWITCH 300-115 certification exam. I used two Cisco 3560 switches and GNS3 to perform my labs. For theory, I used Cisco Configuration Guides and the Cisco Press Official Certification Guide.
Hot Standby Router Protocol, HSRP, is a Cisco proprietary protocol that makes multiple routers or switches appear as one gateway. The gateway is where the redundancy is provided. For each redundant gateway, there is a common HSRP group. One router/switch becomes the Active HSRP router and another is selected as the Standby HSRP router. Any other devices that are part of the group are in the Listen HSRP state.
Every 3 seconds, the Active and Standby routers send HSRP hello messages so that each knows whether the other is up or down. The hold time value is 10 seconds or three times the hello timer. These hello messages are sent to the multicast address 224.0.0.2 using UDP port 1985.
There can be up to 255 HSRP groups and they are only locally significant.
Election of an active and standby HSRP router is based on a priority value of 0 through 255. The default priority is 100, and the router with the highest priority value becomes the active router for the HSRP group. If there is a tie, the router with the highest IP address becomes the active router.
When HSRP is enabled, an interface goes through the following states:
- Disabled
- Init
- Listen
- Speak
- Standby
- Active
Configuration
I will use R1 and R2 as the two routers to provide a redundant gateway for 192.168.1.1.
Starting at R1, we will configure the HSRP group of 1 to use the gateway address, 192.168.1.1. As you can see, from the host we cannot ping that address at the moment.
HostA#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
On R1, in interface configuration mode under interface g2/0, we configure the HSRP IP address:
R1(config-if)#standby 1 ip 192.168.1.1
Once this command is configured, the HSRP process is started. The router will begin an election process to become the active router for HSRP group 1.
If we want this particular router to always take over as the Active router, we need to tell it to preempt. If this router was the Standby and the Active failed, the Standby router would take over as the Active. If this router was once the Active router and it came back online, it would preempt the current Active router. This would only occur if the priorities were set up correctly.
R1(config-if)#standby 1 preempt
R1(config-if)#standby 1 preempt delay reload 120
R1(config-if)#standby 1 priority 115
The preempt command with delay reload 120 tells the router to hold off preempting the Active router until 120 seconds have passed. This is helpful to allow the routing process to converge.
Below is a debug of the HSRP process. You can see the router begin by sending out Hello messages for the IP address 192.168.1.1. When no other router responds back, the router then moves into Standby and from Standby into Active.
*Jan 25 15:31:28.523: HSRP: Gi2/0 Grp 1 Hello out 192.168.1.2 Speak pri 100 vIP 192.168.1.1
R1(config-if)#
*Jan 25 15:31:31.523: HSRP: Gi2/0 Grp 1 Hello out 192.168.1.2 Speak pri 100 vIP 192.168.1.1
R1(config-if)#
*Jan 25 15:31:34.523: HSRP: Gi2/0 Grp 1 Hello out 192.168.1.2 Speak pri 100 vIP 192.168.1.1
*Jan 25 15:31:35.523: HSRP: Gi2/0 Grp 1 Speak: d/Standby timer expired (unknown)
*Jan 25 15:31:35.523: HSRP: Gi2/0 Grp 1 Standby router is local
*Jan 25 15:31:35.523: HSRP: Gi2/0 Grp 1 Speak -> Standby
*Jan 25 15:31:35.523: %HSRP-5-STATECHANGE: GigabitEthernet2/0 Grp 1 state Speak -> Standby
*Jan 25 15:31:35.527: HSRP: Gi2/0 Grp 1 Redundancy "hsrp-Gi2/0-1" state Speak -> Standby
*Jan 25 15:31:35.527: HSRP: Gi2/0 Grp 1 Hello out 192.168.1.2 Standby pri 100 vIP 192.168.1.1
*Jan 25 15:31:36.023: HSRP: Gi2/0 Grp 1 Standby: c/Active timer expired (unknown)
*Jan 25 15:31:36.023: HSRP: Gi2/0 Grp 1 Active router is local
*Jan 25 15:31:36.023: HSRP: Gi2/0 Grp 1 Standby router is unknown, was local
*Jan 25 15:31:36.023: HSRP: Gi2/0 Grp 1 Standby -> Active
*Jan 25 15:31:36.027: %HSRP-5-STATECHANGE: GigabitEthernet2/0 Grp 1 state Standby -> Active
R1(config-if)#
*Jan 25 15:31:36.027: HSRP: Gi2/0 Redirect adv out, Active, active 1 passive 0
*Jan 25 15:31:36.027: HSRP: Gi2/0 Grp 1 Redundancy "hsrp-Gi2/0-1" state Standby -> Active
*Jan 25 15:31:36.027: HSRP: Gi2/0 Grp 1 Hello out 192.168.1.2 Active pri 100 vIP 192.168.1.1
R1(config-if)#
*Jan 25 15:31:39.027: HSRP: Gi2/0 Grp 1 Hello out 192.168.1.2 Active pri 100 vIP 192.168.1.1
*Jan 25 15:31:39.027: HSRP: Gi2/0 Grp 1 Redundancy group hsrp-Gi2/0-1 state Active -> Active
R1(config-if)#
*Jan 25 15:31:42.039: HSRP: Gi2/0 Grp 1 Hello out 192.168.1.2 Active pri 100 vIP 192.168.1.1
*Jan 25 15:31:42.043: HSRP: Gi2/0 Grp 1 Redundancy group hsrp-Gi2/0-1 state Active -> Active
Now we configure R2 to be part of the same group but we will leave it with its default priority of 100. Because of this default priority, R1 will always become the Active router.
R2(config-if)#int g2/0
R2(config-if)#standby 1 ip 192.168.1.1
R2(config-if)#standby 1 preempt
R2(config-if)#standby 1 preempt delay reload 120
Here is the debug output of R2 becoming a Standby router for HSRP group 1.
*Jan 25 15:42:08.447: HSRP: Gi2/0 Grp 1 Init: a/HSRP enabled
*Jan 25 15:42:08.447: HSRP: Gi2/0 Grp 1 Init -> Listen
*Jan 25 15:42:08.447: HSRP: Gi2/0 Redirect adv out, Passive, active 0 passive 1
*Jan 25 15:42:08.451: HSRP: Gi2/0 Grp 1 Redundancy "hsrp-Gi2/0-1" state Init -> Backup
*Jan 25 15:42:09.311: HSRP: Gi2/0 Grp 1 Hello in 192.168.1.2 Active pri 120 vIP 192.168.1.1
*Jan 25 15:42:09.311: HSRP: Gi2/0 Grp 1 Active router is 192.168.1.2
*Jan 25 15:42:09.315: HSRP: Gi2/0 Redirect adv out, Passive, active 0 passive 1
*Jan 25 15:42:12.303: HSRP: Gi2/0 Grp 1 Hello in 192.168.1.2 Active pri 120 vIP 192.168.1.1
*Jan 25 15:42:15.307: HSRP: Gi2/0 Grp 1 Hello in 192.168.1.2 Active pri 120 vIP 192.168.1.1
*Jan 25 15:42:18.311: HSRP: Gi2/0 Grp 1 Hello in 192.168.1.2 Active pri 120 vIP 192.168.1.1
*Jan 25 15:42:18.447: HSRP: Gi2/0 Grp 1 Listen: d/Standby timer expired (unknown)
*Jan 25 15:42:18.447: HSRP: Gi2/0 Grp 1 Listen -> Speak
*Jan 25 15:42:18.447: HSRP: Gi2/0 Grp 1 Redundancy "hsrp-Gi2/0-1" state Backup -> Speak
*Jan 25 15:42:18.447: HSRP: Gi2/0 Grp 1 Hello out 192.168.1.3 Speak pri 100 vIP 192.168.1.1
*Jan 25 15:42:21.311: HSRP: Gi2/0 Grp 1 Hello in 192.168.1.2 Active pri 120 vIP 192.168.1.1
*Jan 25 15:42:21.447: HSRP: Gi2/0 Grp 1 Hello out 192.168.1.3 Speak pri 100 vIP 192.168.1.1
*Jan 25 15:42:24.311: HSRP: Gi2/0 Grp 1 Hello in 192.168.1.2 Active pri 120 vIP 192.168.1.1
*Jan 25 15:42:24.447: HSRP: Gi2/0 Grp 1 Hello out 192.168.1.3 Speak pri 100 vIP 192.168.1.1
*Jan 25 15:42:27.323: HSRP: Gi2/0 Grp 1 Hello in 192.168.1.2 Active pri 120 vIP 192.168.1.1
*Jan 25 15:42:27.447: HSRP: Gi2/0 Grp 1 Hello out 192.168.1.3 Speak pri 100 vIP 192.168.1.1
*Jan 25 15:42:28.447: %HSRP-5-STATECHANGE: GigabitEthernet2/0 Grp 1 state Speak -> Standby
To change the default HSRP timers, use the following syntax:
SW(config-if)#standby group-num timers [msec] hello-value [msec] holdtime-value
Here we make the modification on R1 and R2.
R1(config-if)#standby 1 timers msec 300 msec 900
R2(config-if)#standby 1 timers msec 300 msec 900
Authentication
Authentication can be configured on the HSRP group to prevent any unauthorized routers from becoming Active. While it is possible to configure a plaintext password, the example below uses MD5 authentication.
R1(config-if)#standby 1 authentication md5 key-string Cisco
Configure the same command on all routers participating in the same group.
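One way to watch for the unauthorized speakers this section guards against is to compare received hellos with an inventory of the routers that belong to the group. This is an added example, not part of the original notes: the EXPECTED inventory, the function name and the sample lines are assumptions, with the sample lines constructed in the debug format shown earlier.

```python
import re

# Matches received-hello lines in the debug format shown on this page.
HELLO_RE = re.compile(
    r"HSRP: (?P<intf>\S+) Grp (?P<grp>\d+) Hello in (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<state>\w+) pri (?P<pri>\d+) vIP (?P<vip>\d+\.\d+\.\d+\.\d+)"
)

# Assumed inventory: virtual IP and configured priority of each legitimate speaker.
EXPECTED = {("Gi2/0", 1): {"vip": "192.168.1.1",
                           "peers": {"192.168.1.2": 115, "192.168.1.3": 100}}}

def audit_hellos(lines, expected=EXPECTED):
    """Return (reason, line) pairs for hellos that do not fit the inventory."""
    findings = []
    for line in lines:
        m = HELLO_RE.search(line)
        if not m:
            continue  # "Hello out" lines and other messages are ignored
        group = expected.get((m["intf"], int(m["grp"])))
        if group is None:
            findings.append(("unknown-group", line))
        elif m["src"] not in group["peers"]:
            findings.append(("unknown-speaker", line))
        elif m["vip"] != group["vip"]:
            findings.append(("vip-mismatch", line))
        elif int(m["pri"]) > group["peers"][m["src"]]:
            # Tracking can lower a priority below its configured value, never raise it.
            findings.append(("priority-above-configured", line))
    return findings

# Constructed sample lines, not taken from the lab.
SAMPLE = [
    "*Jan 25 15:42:09.311: HSRP: Gi2/0 Grp 1 Hello in 192.168.1.2 Active pri 115 vIP 192.168.1.1",
    "*Jan 25 15:42:12.303: HSRP: Gi2/0 Grp 1 Hello in 192.168.1.2 Standby pri 95 vIP 192.168.1.1",
    "*Jan 25 15:42:15.307: HSRP: Gi2/0 Grp 1 Hello in 192.168.1.50 Speak pri 200 vIP 192.168.1.1",
    "*Jan 25 15:42:18.311: HSRP: Gi2/0 Grp 1 Hello in 192.168.1.3 Speak pri 150 vIP 192.168.1.1",
    "*Jan 25 15:42:18.447: HSRP: Gi2/0 Grp 1 Hello out 192.168.1.3 Speak pri 100 vIP 192.168.1.1",
]

if __name__ == "__main__":
    for reason, line in audit_hellos(SAMPLE):
        print(reason, "|", line)
```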
Now let us verify connectivity from HostA to its gateway, 192.168.1.1.
HostA#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success! How do we know that HostA is actually using R1 as its default gateway? Let’s issue a show arp command to display the ARP table:
HostA#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             1   0000.0c07.ac01  ARPA   GigabitEthernet2/0
HSRP uses the following syntax for its MAC address – 0000.0c07.acxx where xx is the HSRP group number.
Moving on to R1, we issue the following verification command, show standby:
R1#show standby
GigabitEthernet2/0 - Group 1
  State is Active
    2 state changes, last state change 00:18:21
  Virtual IP address is 192.168.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 300 msec, hold time 900 msec
    Next hello sent in 0.000 secs
  Authentication MD5, key-string "Cisco"
  Preemption enabled, delay reload 120 secs
  Active router is local
  Standby router is 192.168.1.3, priority 100 (expires in 0.844 sec)
  Priority 120 (configured 120)
  IP redundancy name is "hsrp-Gi2/0-1" (default)
In the output above, R1 is in the state Active and it is using the Active virtual MAC address which is the same as the MAC on HostA.
R2 has similar output except it displays its state as Standby:
R2#show standby
GigabitEthernet2/0 - Group 1
  State is Standby
    4 state changes, last state change 00:03:29
  Virtual IP address is 192.168.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 300 msec, hold time 900 msec
    Next hello sent in 0.264 secs
  Authentication MD5, key-string "Cisco"
  Preemption enabled, delay reload 120 secs
  Active router is 192.168.1.2, priority 120 (expires in 0.660 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Gi2/0-1" (default)
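The show standby output above prints the MD5 key-string in clear text and the virtual MAC that should follow from the group number, so both can be checked mechanically. This is an added example, not part of the original notes: the function names, the WEAK_KEYS list and the sample text are assumptions, and the sample is constructed in the format shown above.

```python
import re

WEAK_KEYS = {"cisco", "hsrp", "password"}  # assumed, illustrative list of guessable keys
MAC_RE = re.compile(r"Active virtual MAC address is ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})", re.I)

def virtual_mac(group):
    """HSRP v1 virtual MAC in the 0000.0c07.acxx form, xx = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("group number must fit in one byte")
    return f"0000.0c07.ac{group:02x}"

def audit_show_standby(text):
    """Map (interface, group) -> list of findings for each group in the output."""
    report, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"(\S+) - Group (\d+)$", line)
        if head:
            key = (head[1], int(head[2]))
            report[key] = {"auth": False, "findings": []}
            continue
        if key is None:
            continue
        entry = report[key]
        mac = MAC_RE.match(line)
        if mac and mac[1].lower() != virtual_mac(key[1]):
            entry["findings"].append("virtual MAC does not match group number")
        auth = re.match(r'Authentication MD5, key-string "(.*)"$', line)
        if auth:
            entry["auth"] = True
            if auth[1].lower() in WEAK_KEYS:
                entry["findings"].append("guessable MD5 key-string")
    return {k: v["findings"] + ([] if v["auth"] else ["no MD5 authentication shown"])
            for k, v in report.items()}

# Constructed sample in the 'show standby' layout; groups 2 and 10 are invented.
SAMPLE = """\
GigabitEthernet2/0 - Group 1
  Active virtual MAC address is 0000.0c07.ac01
  Authentication MD5, key-string "Cisco"
GigabitEthernet2/0 - Group 2
  Active virtual MAC address is 0000.0c07.ac01
  Authentication MD5, key-string "f4Qz-constructed"
GigabitEthernet2/0 - Group 10
  Active virtual MAC address is 0000.0c07.ac0a
"""
```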
How quickly does HSRP converge? R1 was shut down and this was the output from R2:
R1(config-if)#shut
R1(config-if)#
*Jan 25 16:09:06.195: %HSRP-5-STATECHANGE: GigabitEthernet2/0 Grp 1 state Active -> Init
R1(config-if)#
*Jan 25 16:09:08.203: %LINK-5-CHANGED: Interface GigabitEthernet2/0, changed state to administratively down
R1(config-if)#
*Jan 25 16:09:08.203: %ENTITY_ALARM-6-INFO: ASSERT INFO Gi2/0 Physical Port Administrative State Down
*Jan 25 16:09:09.203: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0, changed state to down
R1(config-if)#
R2#
*Jan 25 16:08:50.071: %HSRP-5-STATECHANGE: GigabitEthernet2/0 Grp 1 state Speak -> Standby
R2#
*Jan 25 16:09:17.519: %HSRP-5-STATECHANGE: GigabitEthernet2/0 Grp 1 state Standby -> Active
HostA still has connectivity to its gateway:
HostA#ping 192.168.1.1 repeat 10000
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!
Just a few dropped pings but not an extensive outage. I issued a shutdown on R1’s g2/0 interface and R2 picked up the Active HSRP failure very quickly.
Track Interfaces
What would happen if R1 were to lose connectivity to its upstream gateway? By default, the HSRP group would still be up, so R1 would keep answering as the gateway for its hosts. This is not ideal. In this case, we want the router to concede if it loses connectivity upstream. We can lower the priority of the Active router to a value below the Standby’s. When the Standby sees its priority is now the highest and it has preempt enabled, it will become the Active router for the HSRP group.
We perform this with Interface Tracking. When a tracked interface goes down, the HSRP priority of the router is decremented by 10. This is the default decrement value. Within the HSRP group, we tell it which interface to track, and if you wish to use a decrement different from the default, just add it to the end. In this example, I created a loopback interface on R1 for HSRP group 1 to track. If the loopback interface is unreachable or the status goes down, then I will decrement R1’s priority from 115 to 95 (a decrement of 20):
R1(config-if)#standby 1 track loopback1 20
R1#show standby
GigabitEthernet2/0 - Group 1
  State is Active
    4 state changes, last state change 00:01:06
  Virtual IP address is 192.168.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.048 secs
  Authentication MD5, key-string "Cisco"
  Preemption enabled, delay reload 120 secs
  Active router is local
  Standby router is 192.168.1.3, priority 100 (expires in 9.412 sec)
  Priority 115 (configured 115)
    Track interface Loopback1 state Up decrement 20
  IP redundancy name is "hsrp-Gi2/0-1" (default)
On Router 1, I will shut down the loopback interface:
R1(config-if)#shut
R1(config-if)#
*Jan 25 16:15:56.963: %HSRP-5-STATECHANGE: GigabitEthernet2/0 Grp 1 state Active -> Speak
*Jan 25 16:15:56.999: %LINK-5-CHANGED: Interface Loopback1, changed state to administratively down
R1(config-if)#
*Jan 25 16:15:57.999: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to down
R1(config-if)#
*Jan 25 16:16:06.963: %HSRP-5-STATECHANGE: GigabitEthernet2/0 Grp 1 state Speak -> Standby
R1(config-if)#
R1(config-if)#do show standby
GigabitEthernet2/0 - Group 1
  State is Standby
    8 state changes, last state change 00:00:43
  Virtual IP address is 192.168.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.732 secs
  Authentication MD5, key-string "Cisco"
  Preemption enabled, delay reload 120 secs
  Active router is 192.168.1.3, priority 100 (expires in 8.824 sec)
  Standby router is local
  Priority 95 (configured 115)
    Track interface Loopback1 state Down decrement 20
  IP redundancy name is "hsrp-Gi2/0-1" (default)
Because HSRP group 1 is tracking Loopback1, it automatically drops its priority to 95 and it then concedes its Active role and becomes Standby.
R2#
*Jan 25 16:16:52.959: %HSRP-5-STATECHANGE: GigabitEthernet2/0 Grp 1 state Standby -> Active
R2#show standby
GigabitEthernet2/0 - Group 1
  State is Active
    8 state changes, last state change 00:01:30
  Virtual IP address is 192.168.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.752 secs
  Authentication MD5, key-string "Cisco"
  Preemption enabled, delay reload 120 secs
  Active router is local
  Standby router is 192.168.1.2, priority 95 (expires in 9.640 sec)
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Gi2/0-1" (default)
R2 assumes the Active role as predicted.
HostA barely notices a thing:
HostA#ping 192.168.1.1 repeat 300
Type escape sequence to abort.
Sending 300, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Once Loopback1 is enabled again, HSRP will increment its priority back to 115 and will become Active:
R1(config-if)#no shut
R1(config-if)#
*Jan 25 16:18:03.727: %LINK-3-UPDOWN: Interface Loopback1, changed state to up
R1(config-if)#
*Jan 25 16:18:03.779: %HSRP-5-STATECHANGE: GigabitEthernet2/0 Grp 1 state Standby -> Active
*Jan 25 16:18:04.727: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R1(config-if)#
Verification
Verifying HSRP configuration can be done using a few commands:
R1#show standby
GigabitEthernet2/0 - Group 1
  State is Active
    9 state changes, last state change 00:00:53
  Virtual IP address is 192.168.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.264 secs
  Authentication MD5, key-string "Cisco"
  Preemption enabled, delay reload 120 secs
  Active router is local
  Standby router is 192.168.1.3, priority 100 (expires in 8.016 sec)
  Priority 115 (configured 115)
    Track interface Loopback1 state Up decrement 20
  IP redundancy name is "hsrp-Gi2/0-1" (default)
R1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Gi2/0       1    115  P Active  local           192.168.1.3     192.168.1.1
You can also see the other options for verifying HSRP:
R1#show standby ?
  BVI              Bridge-Group Virtual Interface
  FastEthernet     FastEthernet IEEE 802.3
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Port-channel     Ethernet Channel of interfaces
  all              Include groups in disabled state
  brief            Brief output
  capability       HSRP capability
  delay            Group initialisation delay
  internal         Internal HSRP information
  redirect         HSRP ICMP redirect information
  |                Output modifiers
  <cr>
Do you have any questions? Let me know in the comments below.

Very cool