Overview:
Lab Topology
In this lab scenario, we will configure HSRP on Gateway-R1 and Gateway-R2 and work through its core concepts one at a time.
Group Numbers
A group number in HSRP identifies one HSRP instance and the routers participating in it. In HSRPv1, you can have up to 255 groups. In HSRPv2 you can have up to 4095 groups. The interface serving as the default gateway for hosts on the network is assigned a group number. In this lab example, I have configured a group number on each sub-interface of the routers to serve each VLAN. Group numbers have to match between both routers that are part of the same HSRP group within the same VLAN or subnet.
HQ-Gateway-R1
HQ-Gateway-R2
Virtual IP and Virtual MAC Address
The Virtual IP (VIP) in HSRP is what logically allows routers in an HSRP group to work together to serve as the default gateway of the network. The VIP address must match between all routers in a group. Network clients must use the VIP address as their default gateway rather than the physical IP address of a router interface. In this lab example, I have set DHCP scopes on the Core switch to serve each VLAN and set the default gateway option to the HSRP VIP address of the corresponding group.
The Virtual MAC address, just like the VIP, must match between all routers in an HSRP group and is derived automatically from the HSRP version and group number. Every IP address needs an associated MAC address in IP networking. By default, HSRPv1 is enabled when configuring HSRP for the first time. HSRPv1 uses the VMAC format '0000.0c07.acXX' where 'XX' represents the group number in hexadecimal.
HQ-Core-SW DHCP vIP
HQ-Gateway-R1 vIP
HQ-Gateway-R2 vIP
HQ-Gateway-R1 and HQ-Gateway-R2 vMACs
Active and Standby Roles
In HSRP, Active and Standby roles are assigned to routers in a group. One router serves as the active gateway handling all user traffic, while the standby gateway is ready to take over when the active gateway fails. By default, the router that is first assigned to a group will assume the active role. We can manipulate router roles with the concepts of Priority and Pre-emption discussed later.
HQ-Gateway-R1
HQ-Gateway-R2
HSRP States
In HSRP, routers go through a series of states behind the scenes to determine their role in the HSRP group. In order, the states are Initial, Learn, Listen, Speak, and then either Standby or Active.
HSRP States
HQ-Gateway-R1
Hello Packets
Hello packets are essential in HSRP: routers exchange these messages to determine router roles during the election process and as keepalives that trigger failover when the active router stops sending them. Hello packets contain information such as the hello and hold timers, role state, priority, group number, and vIP. Below are some distinctions between HSRPv1 and HSRPv2 packets.
HSRPv1
HSRPv2
HSRPv1 Hello Packets
HSRPv2 Hello Packets
Multicast Address
Let's look more closely at the vMAC concept by handing out the vIP of each default gateway to all clients on the network via DHCP and examining the MAC address of the HSRP group in each VLAN. The vMAC of the HSRP group uses the HSRPv2 format '0000.0c9f.fXXX' where 'XXX' represents the HSRP group number in hexadecimal.
HQ-Core-SW
Client DHCP binding table.
ARP table for HSRP group vMACs.
Client ARP Tables
vMAC for vlan60 active router.
vMAC for vlan20 active router.
vMAC for vlan10 active router.
vMAC for vlan80 active router.
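The vMAC derivation described above (HSRPv1 '0000.0c07.acXX', HSRPv2 '0000.0c9f.fXXX') as an added Python example, not code from the lab itself. It computes the vMAC for a group, maps a MAC found in an ARP table back to its HSRP version and group, and audits a constructed `show ip arp` excerpt; the gateway IPs in the sample are assumptions, not the lab's addresses.

```python
import re

# Added example. Prefixes are Cisco's well-known HSRP virtual MAC ranges.
HSRP_V1_PREFIX = "0000.0c07.ac"   # v1: last octet  = group (0-255)
HSRP_V2_PREFIX = "0000.0c9f.f"    # v2: last 12 bits = group (0-4095)

def hsrp_vmac(group: int, version: int = 1) -> str:
    """Return the HSRP virtual MAC (Cisco dotted format) for a group number."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return f"{HSRP_V1_PREFIX}{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be 0-4095")
        return f"{HSRP_V2_PREFIX}{group:03x}"
    raise ValueError("version must be 1 or 2")

_V1 = re.compile(r"^0000\.0c07\.ac([0-9a-f]{2})$")
_V2 = re.compile(r"^0000\.0c9f\.f([0-9a-f]{3})$")

def classify_mac(mac: str):
    """Return (version, group) for an HSRP vMAC in any common notation, else None."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())     # strip ':', '-', '.'
    if len(digits) != 12:
        return None
    dotted = ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    m = _V1.match(dotted)
    if m:
        return (1, int(m.group(1), 16))
    m = _V2.match(dotted)
    if m:
        return (2, int(m.group(1), 16))
    return None

def audit_arp(arp_output: str) -> dict:
    """Map gateway IP -> (version, group) for every HSRP vMAC in 'show ip arp' text."""
    found = {}
    for line in arp_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "Internet":
            hit = classify_mac(fields[3])
            if hit:
                found[fields[1]] = hit
    return found

# Constructed sample in 'show ip arp' layout (IPs are assumptions).
SAMPLE_ARP = """Protocol  Address      Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1   0          0000.0c9f.f00a  ARPA   Vlan10
Internet  10.20.20.1   0          0000.0c9f.f014  ARPA   Vlan20
Internet  10.60.60.1   0          0000.0c9f.f03c  ARPA   Vlan60
Internet  10.80.80.1   0          0000.0c9f.f050  ARPA   Vlan80
Internet  10.10.10.2   1          0cab.1234.5678  ARPA   Vlan10"""
```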
Priority
Priority is the value that determines which router in an HSRP group becomes the Active router: the router with the highest priority wins. By default all HSRP routers use the priority value of 100; it can be manually set in the range of 0-255. Pre-emption can optionally be used to let a higher-priority router retake the active role after a failure. In this lab example, I will set a higher priority on Gateway-R2 so it becomes the preferred active router, and a lower priority on Gateway-R1. Without Pre-emption, if Gateway-R2 were to fail, Gateway-R1 would take over the active role, and when Gateway-R2 came back online it would remain the standby router despite its higher priority.
HQ-Gateway-R2
HQ-Gateway-R1
Pre-emption
Pre-emption is used in conjunction with priority values. It allows a higher-priority router to take over the active role from a lower-priority router that is currently active. This is useful for planned maintenance and for keeping the most preferred router in charge of traffic. However, it is important to monitor routers in an HSRP group with Pre-emption enabled: if the higher-priority router keeps going offline and coming back, every return causes a brief disruption in the network. In this lab example, I will enable pre-emption on the higher-priority Gateway-R2 for the VLAN10 group and cause a failover scenario in which Gateway-R1 transitions to the active role. Once Gateway-R2 is brought back online, it will retake the active role.
HQ-Gateway-R2
Pre-emption enabled for VLAN10 sub-interface in HSRP group 10.
Failover scenario and Gateway-R2 re-taking Active Role.
Authentication
HSRP Authentication is an optional security feature that lets routers in an HSRP group verify each other before accepting one another into the protocol. This feature can prevent unauthorized devices from participating in the HSRP group. HSRP supports two authentication types: plain text and MD5. With plain text, the password itself is carried in every hello packet; with MD5, a cryptographic hash computed over the packet with the shared key is sent instead, so the password never appears on the wire, which is why MD5 is the more secure option. In this lab example, I will configure plain text and MD5 authentication in separate scenarios for the VLAN80 HSRP group and then analyze a packet capture with the authentication information included.
Plain Text Authentication
After configuring authentication on Gateway-R1, Gateway-R2 is unable to join HSRP group 80 and assumes the Active role as a standalone router.
Gateway-R2 successfully joins HSRP group 80 after matching the plain text authentication string from Gateway-R1.
Plain Text Packet Capture: Gateway-R1 source
Plain Text Packet Capture: Gateway-R2 source
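To make the capture analysis above concrete, here is an added Python decoder for the fixed 20-byte HSRPv1 header (UDP/1985 to 224.0.0.2) with a small audit that reports what a reviewer of the capture should notice: the plain-text authentication string is readable, and whether it is still the HSRP default of 'cisco'. This is not the lab's code; the sample packet is constructed, its VIP is an assumption, and HSRPv2 and MD5-authenticated packets (which append a TLV) are detected but not decoded.

```python
import socket
import struct

# Added example. Field order follows the HSRPv1 header (RFC 2281).
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco"          # HSRP's default plain-text authentication string
HSRP_V1_LEN = 20

def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode the fixed HSRPv1 header; any trailing bytes are kept for the auditor."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("payload shorter than an HSRPv1 header")
    (ver, op, state, hello, hold, prio, group, _rsvd,
     auth, vip) = struct.unpack("!8B8s4s", payload[:HSRP_V1_LEN])
    if ver != 0:                  # HSRPv2 uses a TLV layout, not this header
        raise ValueError(f"not HSRPv1 (version field {ver})")
    return {
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hello, "holdtime": hold,
        "priority": prio, "group": group,
        "auth": auth.rstrip(b"\x00"),          # 8-byte field, NUL padded
        "vip": socket.inet_ntoa(vip),
        "trailing": payload[HSRP_V1_LEN:],      # non-empty when an auth TLV follows
    }

def audit_hello(pkt: dict) -> list:
    """Findings a defender would raise when reviewing an HSRP capture."""
    findings = []
    if pkt["trailing"]:
        findings.append("authentication TLV present (MD5 mode); not decoded here")
        return findings
    shown = pkt["auth"].decode("ascii", "replace")
    findings.append(f"clear-text authentication string visible in capture: '{shown}'")
    if pkt["auth"] == DEFAULT_AUTH:
        findings.append("authentication string is the HSRP default 'cisco'")
    return findings

# Constructed hello from an Active router in group 80 (VIP is an assumption).
SAMPLE_HELLO = struct.pack("!8B8s4s", 0, 0, 16, 3, 10, 100, 80, 0,
                           b"cisco", socket.inet_aton("10.80.80.1"))
CUSTOM_AUTH_HELLO = struct.pack("!8B8s4s", 0, 0, 8, 3, 10, 100, 80, 0,
                                b"lab80key", socket.inet_aton("10.80.80.1"))
```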
MD5 Authentication
MD5 authentication configured on Gateway-R1.
MD5 authentication configured on Gateway-R2.
MD5 Packet Capture: Gateway-R1 source
MD5 Packet Capture: Gateway-R2 source
Object Tracking
Object Tracking is an advanced HSRP concept that allows an HSRP router to adjust its priority based on the status of certain network objects such as interfaces or IP routes. This enhances the failover mechanism by dynamically changing which router is active in response to changes in the network's state. A tracked object can be an interface line-protocol state, an IP route, or an IP SLA object. In this lab example, I will demonstrate all three scenarios to better understand how Object Tracking works for HSRP.
Interface Line Protocol Object Lab Topology
Scenario: Gateway-R2's WAN interface Gi0/0 goes offline due to a loose connection and causes a loss of connectivity out to the WAN. When this occurs, we will have Gateway-R2 dynamically lower its priority by 60 for all its HSRP groups, causing Gateway-R1 to take over as the Active router with the now higher priority. We will also have Pre-emption enabled on Gateway-R2 so it can retake the Active role once its Gi0/0 WAN interface comes back online.
Router Roles
Gateway-R1
Configured Priority 100 to all groups and enabled Preemption.
Gateway-R2
Configured Priority 150 to all groups and enabled Preemption.
Create a track object in global configuration and specify the interface and the line-protocol attribute to track. Once created, we will assign this tracked object to the HSRP groups. Gi0/0 is the WAN link of Gateway-R2 towards the ISP router.
Reference the track object in each HSRP group on the sub-interfaces and attach the decrement sub-command with the decrement value. In turn, if the line-protocol state of Gi0/0 goes down, the priority of the HSRP groups will decrement by 60.
Testing Failover
MGMT PC gateway failing over to Gateway-R1; a single ICMP timeout marks the switchover.
I've shut down the Gi0/0 interface of Gateway-R2 to make the track object take effect. The line protocol of interface Gi0/0 went down, causing the HSRP groups to decrement their priority by 60. The groups went to the Standby state and Gateway-R1 took over as Active during the failover.
Re-enabled interface Gi0/0 of Gateway-R2. The line-protocol object recovered and, with Pre-emption configured, Gateway-R2 retook the Active role with the higher priority.
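The election rules behind the Priority, Pre-emption and Object Tracking sections can be modelled in a few lines. The following is an added Python model (not the lab's configuration): each router has a base priority, an optional preempt flag and a set of tracked objects with decrements; `evaluate()` applies the HSRP rules that the standby only takes over when the active fails or when a higher-priority router with preempt enabled exists, with the higher interface IP breaking ties. `lab_scenario()` replays the Gi0/0 scenario above with and without pre-emption on Gateway-R2; the interface IPs are assumptions.

```python
from dataclasses import dataclass, field

# Added example modelling HSRP role selection; not a Cisco implementation.
@dataclass
class Router:
    name: str
    ip: str                      # interface IP, tie-breaker for equal priority
    priority: int = 100          # HSRP default priority
    preempt: bool = False
    tracks: dict = field(default_factory=dict)   # tracked object -> decrement
    up: bool = True

    def effective_priority(self, down_objects: set) -> int:
        """Base priority minus the decrement of every tracked object that is down."""
        return self.priority - sum(d for obj, d in self.tracks.items() if obj in down_objects)

def _ip_key(ip: str) -> tuple:
    return tuple(int(o) for o in ip.split("."))

class HsrpGroup:
    def __init__(self, routers):
        self.routers = routers
        self.active = None           # name of the current Active router
        self.down_objects = set()    # tracked objects currently down

    def evaluate(self):
        """Recompute the Active router after an event; returns its name."""
        alive = [r for r in self.routers if r.up]
        if not alive:
            self.active = None
            return None
        best = max(alive, key=lambda r: (r.effective_priority(self.down_objects), _ip_key(r.ip)))
        current = next((r for r in alive if r.name == self.active), None)
        if current is None:
            self.active = best.name          # Active failed (or first election): best wins
        elif best is not current and best.preempt:
            self.active = best.name          # higher-priority router preempts
        return self.active                   # otherwise the current Active keeps the role

def lab_scenario(preempt_r2: bool) -> list:
    """Gi0/0 on Gateway-R2 goes down then up; returns the Active router after each step."""
    r1 = Router("Gateway-R1", "10.10.10.2", priority=100, preempt=True)
    r2 = Router("Gateway-R2", "10.10.10.3", priority=150, preempt=preempt_r2,
                tracks={"Gi0/0": 60})
    group = HsrpGroup([r1, r2])
    timeline = [group.evaluate()]                         # initial election
    group.down_objects.add("Gi0/0"); timeline.append(group.evaluate())      # 150-60=90 < 100
    group.down_objects.discard("Gi0/0"); timeline.append(group.evaluate())  # link restored
    return timeline
```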
Tracked IP SLA Object Lab Topology
IP SLA is a feature on Cisco devices that allows us to actively monitor and measure the performance of IP networks and services. It enables devices to generate and track various network traffic types such as ICMP, HTTP, DNS, and more.
Scenario: The Internet-2 ISP circuit goes offline from the ISP side and causes Gateway-R2 to lose its connection out to the WAN. With IP SLA tracking, we will configure Gateway-R2 to dynamically lower its priority by 60 for all its VLAN HSRP groups, allowing Gateway-R1 to take over as the Active router with the higher priority. With Pre-emption configured on Gateway-R2, it will retake the Active role once the Internet-2 circuit comes back online.
Router Roles
Gateway-R2
Create an IP SLA entry that will be referenced by a track object. An IP SLA icmp-echo operation is used to check reachability of IP address 8.8.8.8 from the source interface Gi0/0 on Gateway-R2.
Set a schedule to trigger and start the SLA entry operation.
Define the track object to be used by the HSRP groups and associate the IP SLA entry number.
Assign the track object to the HSRP groups and decrement the priority by 60 if the IP SLA entry in the track object triggers.
Testing Failover
Finance PC in VLAN20 failing over to the ISP Internet 1 circuit off of Gateway-R1 as it took over as the active router during failover.
From the Internet-2 ISP router, I've shut down the Loopback 8 interface carrying the 8.8.8.8 IP address, causing the IP SLA entry in Gateway-R2's track object to go down.
Log messages on Gateway-R2 for the HSRP groups taking over as the Standby role after the failover scenario on the Internet-2 router.
With Preemption enabled, log messages on Gateway-R2 of the HSRP groups re-taking over as the Active role after the Internet-2 circuit comes back online.
Tracked IP Route Object Lab Topology
IP route object tracking is used to track the reachability of an IP route in the routing table. An IP route tracked object is considered up when a routing table entry exists for the route and the route is accessible. Use cases for this object-tracking method include routes learned from dynamic routing protocols, or a down interface that results in its routes being removed from the routing table.
Scenario: The IPsec tunnel between Gateway-R2 and the Remote-Branch-Gateway goes down, leaving Gateway-R2 without an accessible route towards the Remote Branch site's static networks. With IP route object tracking, we will configure Gateway-R2 to dynamically lower its priority by 60 for all its VLAN HSRP groups, allowing Gateway-R1 to take over as the Active router with the higher priority. With Pre-emption configured on Gateway-R2, it will retake the Active role once the tunnel comes back online. In a future lesson, we will dive deep into configuring IPsec tunnels.
Router Roles
Gateway-R2 IPSec Configuration
All IPsec configuration steps must be applied to the other side of the IPsec tunnel router or device.
Step 1: Create ISAKMP Phase 1 security parameters to establish the tunnel communication with the Remote Branch router
Step 2: Define the phase 1 pre-shared key with the public IP address of the neighbor router
Step 3: Create an IPSec Phase 2 Transform set and assign security parameters to establish the encrypted tunnel with the Remote Branch router
Step 4: Create an IPSec Phase 2 profile and assign the Transform set defined in the previous step
Step 5: Assign the IPsec Profile to the tunnel interface and repeat all steps on the remote router
Verification show commands for the active Security Associations of the ISAKMP Phase 1 and IPsec Phase 2 processes.
Gateway-R2 IP Route Object Tracking
The IPsec Tunnel interface and remote branch routes are active. The goal is to configure IP route tracking so that if the Tunnel0 interface towards the Remote Branch router goes down and the remote branch routes 5.5.5.5 and 6.6.6.6 are lost, Gateway-R1 takes over as the Active router for all HSRP groups during that failover period.
Define the two track objects to track the IP route reachability status of networks 5.5.5.5 and 6.6.6.6 in the Gateway-R2 routing table towards the Remote Branch router. Track objects will trigger only if the routes are removed from the routing table.
Applying both IP route track objects to all HSRP groups decrementing the priority by 60 if the static routes are removed from the routing table.
Testing Failover
On the remote branch gateway router, I tested the failover event by shutting down the Tunnel interface towards Gateway-R2 causing Gateway-R2 to lose the static remote branch routes of 5.5.5.5 and 6.6.6.6.
Gateway-R2 took over the standby role after losing the remote branch networks via the tunnel interface.
With Preemption enabled, Gateway-R2 re-took over as the active router for all HSRP groups once the Tunnel interface came back up.
Multi-Group Load Sharing
Multi-group Load Sharing is a method of distributing traffic across multiple HSRP groups so that both routers carry traffic. By default a single HSRP group provides no load balancing: only its Active router forwards traffic. Configuring multiple groups, with a different Active router per group, spreads the load and reduces the burden on any single router.
Multi-Group Load Sharing Lab Topology
Scenario: To implement HSRP Multi-Group Load Sharing, we will configure four HSRP groups. HSRP group 10 and 20's active router will be Gateway-R2 and the standby router Gateway-R1. HSRP group 60 and 80's active router will be Gateway-R1 and the standby router Gateway-R2. Groups 10 and 20 will serve VLANs 10 and 20 whereas Groups 60 and 80 will serve VLANs 60 and 80. Pre-emption will be enabled for all groups. The goal of this lab exercise is to demonstrate that both HSRP routers can be active for certain VLANs to handle different portions of traffic, increasing efficiency and redundancy.
(Group 10/20) Router Roles
(Group 60/80) Router Roles
Gateway-R1
Configure groups 10 and 20 as Standby groups on Gateway-R1 and Active for groups 60 and 80 using priority manipulation.
Gateway-R2
Configure groups 10 and 20 as Active on Gateway-R2 and Standby for groups 60 and 80 using priority manipulation.