CISCO HSRP Hot Standby Router Protocol User Guide

: June 15, 2024
: Cisco

Table of Contents

Hot Standby Router Protocol (HSRP)
Information About HSRP
Supported Devices for HSRP
Configure HSRP Using CLI
Verify HSRP Configurations Using CLI
References
Read User Manual Online (PDF format)
Download This Manual (PDF format)

CISCO HSRP Hot Standby Router Protocol User Guide

Hot Standby Router Protocol (HSRP)

Note

To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco analytics Cisco Catalysts D-WAN Analytics, Cisco vBondto Cisco Catalyst SD-WAN Lavatorial , and Cisco v Smart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.

Table 1: Feature History

Feature Name	Release Information	Description

Support for HSRP and HSRP Authentication on Cisco IOS XE Catalyst SD-WAN Devices| Cisco IOS XE Catalyst SD-WAN Release 17.7.1a Cisco vManage Release 20.7.1 Cisco SD-WAN Release 20.7.1| This feature allows you to configure HSRPv2 and HSRP authentication on Cisco IOS XE Catalyst SD-WAN platforms via CLI template.
HSRP is a long-standing Cisco proprietary First Hop Redundancy Protocol (FHRP) to support version 2 of the protocol and authentication.

Information About HSRP, on page 1
Supported Devices for HSRP, on page 4
Configure HSRP Using CLI, on page 5
Verify HSRP Configurations Using CLI, on page 7

Information About HSRP

The Hot Standby Router Protocol (HSRP) is a First Hop Redundancy Protocol (FHRP) designed to allow
transparent failover of the first-hop IPdevice. HSRPprovides high network availability by providing first-hop routing redundancy for IP hosts on networks configured with a default gateway IP address. For identifying an active and standby device in a group of routers, HSRP is used. In a group of device interfaces, the active
device is the device of choice for routing packets; the standby device is the device that takes over if the active
device fails or if preset conditions are met.

You can configure multiple hot standby groups on an interface, thereby making full use of redundant devices and load sharing.

The following figure shows a network configured for HSRP. By sharing a virtual MAC address and IPaddress,
two or more devices can act as a single virtual router. The virtual device represents the common default gateway for devices that are configured to provide backup to each other. You don’t need to configure the hosts on the LAN with the IP address of the active device. Instead, you can configure them with the IP address (virtual IP address) of the virtual device as their default gateway. If the active device fails to send a hello message within a configurable time period, the standby device takes over and respondsto the virtual addresses and becomes the active device, taking over the duties of the active device.

Figure 1: HSRP Topology

HSRP Version 2 Support

Following are the HSRP version 2 (HSRPv2) features:

HSRPv2 advertises and learns millisecond timer values. This change ensuresstability of then
HSRPgroups in all cases.
HSRPv2 expands the group number range from 0 to 4095.
HSRPv2 provides improved management and troubleshooting. The HSRPv2 packet format includes a
6-byte identifier field that is used to uniquely identify the sender of the message. Typically, this field is populated with the interface MAC address.
HSRPv2 uses the IP multicast address 224.0.0.102 to send hello packets. This multicast address allows Cisco Group Management Protocol (CGMP) leave processing to be enabled at the same time as HSRP.
HSRPv2 has a different packet format that uses a type-length-value (TLV) format.

HSRP MD5 Authentication

Supportable plain textstring and message digest 5 (MD5)schemes of protocol packets authentication.

HSRP MD5 authentication is an advanced type of authentication that generates an MD5 digest for the HSRP
portion of the multicast HSRPprotocol packet. Thisfunctionality provides added security and protects against the threat from HSRP-spoofing software.

MD5 authentication provides greater security than the alternative plain text authentication scheme. MD5
authentication allows each HSRP group member to use a secret key to generate a keyed MD5 hash that is part
of the outgoing packet. A keyed hash of an incoming packet is generated, and if the hash within the incoming packet doesn’t match the generated hash, the packet is ignored.

The key for the MD5 hash can be either given directly in the configuration using a key string or supplied indirectly through a key chain.

HSRP packets will be rejected in any of the following cases:

The authentication schemes differ on the device and in the incoming packets.
MD5 digests differ on the device and in the incoming packets.
Text authentication strings differ on the device and in the incoming packets.

HSRP Object Tracking

Object tracking separates the tracking mechanism from HSRP and creates a separate standalone tracking
process that can be used by any other process and HSRP. The priority of a device can change dynamically
when it has been configured for object tracking, and the object that is being tracked goes down. Examples of objects that can be tracked are the line protocol state of an interface or the reachability of an IP route. If the specified object goes down, the HSRP priority is reduced.

HSRP Static NAT Redundancy Overview

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.9.1a release, HSRP Static NAT redundancy is
supported on Cisco IOS XE Catalyst SD-WAN. Static mapping support for HSRP enables the active router
configured with a NAT address to respond to an incoming ARP. This feature provides redundancy in NAT
for traffic that fails over from HSRP active router to standby router without waiting for the ARP entry to timeout from previously active router.

The static NAT configuration is mirrored on the active and standby routers, and the active router processes
the traffic.

A virtual IP address is assigned to the router. The edge device sends traffic to the virtual IP address, which is
serviced by the active router. The standby routers monitor the active router. When the failover occurs, the
new HSRP active edge router automatically resumes the ownership of static NAT mapping without waiting
for ARP timeout. It sends gratuitous ARP for the static NAT mapping entry to update devices with their own mac addresses in the same LAN segment.

Note Only static NAT is supported in HSRP NAT redundancy configuration.

Perform the following tasks on active and standby routers to configure NAT static mapping for HSRP:

Ensure that the source and destination NAT works.
Enable HARP on the NAT interface.
Configure HARP redundancy group name.
Configure static NAT mapping manually on both active and standby edges, referring to Redundancy group name configured.

To enable static NAT redundancy for high availability in an Environmentalist, refer toStatic NAT mapping
support with HSRP.

HSRP Benefits

Redundancy: HSRPemploys a redundancy scheme that is time proven and deployed extensively in large networks.
Fast Failover: HSRP provides transparent fast failover of the first-hop device.
Preemption: Preemption allows a standby device to delay becoming active for a configurable amount of time.
Authentication: HSRP MD5 algorithm authentication protects against HSRP-spoofing software and uses the industry-standard MD5 algorithm for improved reliability and security.

Supported Devices for HSRP

Cisco Catalyst 8500 Series Edge Platforms
Cisco Catalyst 8300 Series Edge Platforms
Cisco Catalyst 8200 Series Edge Platforms
Cisco Catalyst 8200 uCPE Series Edge Platforms
Cisco ASR 1000 Series Aggregation Services Routers
Cisco ISR 1000 and ISR 4000 Series Integrated Services Routers (ISRs)
Cisco ISR 1100 and ISR 1100X Series Integrated Services Routers (ISRs)
Cisco IR1101 Integrated Services Router Rugged
Cisco Catalyst 8000v Series Cloud Services Router
For details on supported models for each of these device families, refer to Cisco Catalyst SD-WAN Device
Compatibility page.

Configure HSRP Using CLI

You can configure HSRP using the Cisco SD-WAN Manager CLI Add-on feature templates and CLI device
templates. For more information on configuring using CLI templates, see CLI Templates.

Note The following commands can be used in any order

The following list provides information about HSRP configuration on Cisco IOS XE Catalyst SD-WAN devices.

Enable HSRP.
Create (or enable) the HSRP group in IPv4 using its number and virtual IP address:
Device(config)# interface interface-type
Device(config-if)# standby group-number ip [ip-address [secondary]] Activate HSRP in IPv6:
Device(config)# interface interface-type
Device(config-if)# standby group-number ipv6 {link-local-address | autoconfig }
Change to Version 2.
Change the HSRP version. Note that the nostandby or nostandby version 2 commands are rejected when the interface has IPv6 groups.

Note no standby or no standby version 2 command is rejected when the interface has IPv6 groups.

Device(config)# interface interface-type
Device(config-if)# standby version {1|2}

Configure HSRP priority and preemption

Set the priority value used in choosing the active router, and configure HSRPpreemption and preemption
delay:

Device(config)# interface interface-type
Device(config-if)# standby group-number ip [ip-address [secondary]] Device (config-if)# standby group-number priority [priority] Device(config-if)# standby group-number preempt [ delay{ [ minimum seconds] [ reload
seconds] [ sync seconds]}]

Configure HSRP Authentication.

Configure HSRP MD5 authentication using a key chain.

Key chains allow a different key string to be used at different times according to the key chain configuration. HSRP queries the appropriate key chain to obtain the current live key and key ID for the specified key chain.

Device(config)# interface interface-type
Device(config-if)# ip address ip-address mask [secondary ] Device(config-if)# standby group-number priority [priority] Device(config-if)# standby group- number preempt [ delay{ [ minimum seconds] [ reload
seconds] [ sync seconds]}] Device(config-if)# standby group-number authentication md5 key-chain key-chain-name
Device(config-if)# standby group-number ip [ip-address [secondary]]

Configure HSRP text authentication.

The authentication string can be up to eight characters in length; the default string is Cisco.

Device(config)# interface interface-type
Device(config-if)# ip address ip-address mask [secondary ] Device(config-if)# standby group-number priority [priority] Device(config-if)# standby group- number preempt [ delay{ [ minimum seconds] [ reload
seconds] [ sync seconds]}] Device(config-if)# standby group-number authentication text string
Device(config-if)# standby group-number ip [ip-address [secondary]]

Configure HSRP timers

Configure the time between the hello packets and the time before other routers declare the active router
to be inactive:

Device(config)# interface interface-type
Device(config-if)# standby group-number ip [ip-address [secondary]] Device (config-if)# standby group-number timers hello time hold time

Configure HSRP object tracking

Configure HSRP to track an object and change the HSRP priority based on the state of the object:

Device(config)# interface interface-type
Device(config-if)# standby group-number track object-number [decrement priority-decrement] [shutdown]

Improve CPU and network performance with HSRP multiple group optimization.

Configure an HSRP group as a client group:
Device(config)# interface interface-type
Device(config-if)# standby group-number follow group-name
Configure the HSRP client group refresh interval:
Device(config)# interface interface-type
Device(config-if)# standby group-number mac-refresh seconds

Configure an HSRP virtual MAC address.

Specify a virtual MAC address for HSRP:
Device(config)# interface interface-type
Device(config-if)# standby group-number mac-address mac-address

Link IP redundancy clients to HSRP groups.

Configure the name of a standby group:

Note

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.9.1a, static NAT mapping configurations with HSRP is supported. The redundancy naming conventions doesn’t include spaces. We recommend that you do not use redundancy name with spaces while configuring standby group-number name[redundancy-name] command.

Device(config)# interface interface-type
Device(config-if)# standby group-number name [redundancy-name]

The following is a complete HSRP configuration example on Cisco IOS XE Catalyst SD-WAN devices through CLI:

config-transaction
!
interface GigabitEthernet0/0/1.94
encapsulation dot1Q 94
vrf forwarding 509
ip address 10.96.194.2 255.255.255.0
ip directed-broadcast
ip mtu 1500
ip nbar protocol-discovery
standby version 2
standby 1 preempt
standby 94 ip 10.96.194.1
standby 94 timers 1 4
standby 94 priority 110
standby 94 preempt delay minimum 180
standby 94 authentication md5 key-string 7 094F471A1A0A
standby 94 track 8 shutdown
standby 194 ipv6 2001:10:96:194::1/64
standby 194 timers 1 4
standby 194 priority 110
standby 194 preempt delay minimum 180
standby 194 authentication md5 key-string 7 094F471A1A0A
standby 194 track 80 shutdown
ip policy route-map clear-df
ipv6 address 2001:10:96:194::2/64
ipv6 mtu 1500
arp timeout 1200
end

Verify HSRP Configurations Using CLI

The following is a sample output from the show standby command displaying the standby router information:

Device# show standby
GigabitEthernet0/0/1.94 – Group 94 (version 2)
State is Standby
1 state change, last state change 01:06:09
Track object 8 state Up
Virtual IP address is 10.96.194.1
Active virtual MAC address is 0000.0c9f.f05e (MAC Not In Use)
Local virtual MAC address is 0000.0c9f.f05e (v2 default)
Hello time 1 sec, hold time 4 sec
Next hello sent in 0.688 secs
Authentication MD5, key-string
Preemption enabled, delay min 180 secs
Active router is 10.96.194.2, priority 110 (expires in 4.272 sec)
MAC address is cc16.7e8c.6dd1
Standby router is local
Priority 105 (configured 105)
Group name is “hsrp-Gi0/0/1.94-94” (default)
FLAGS: 0/1
GigabitEthernet0/0/1.94 – Group 194 (version 2)
State is Standby
1 state change, last state change 01:06:07

Track object 80 state Up
Link-Local Virtual IPv6 address is FE80::5:73FF:FEA0:C2 (impl auto EUI64)
Virtual IPv6 address 2001:10:96:194::1/64
Active virtual MAC address is 0005.73a0.00c2 (MAC Not In Use)
Local virtual MAC address is 0005.73a0.00c2 (v2 IPv6 default)
Hello time 1 sec, hold time 4 sec
Next hello sent in 0.480 secs
Authentication MD5, key-string
Preemption enabled, delay min 180 secs
Active router is FE80::CE16:7EFF:FE8C:6DD1, priority 110 (expires in 4.032 sec)
MAC address is cc16.7e8c.6dd1
Standby router is local
Priority 105 (configured 105)
Group name is “hsrp-Gi0/0/1.94-194” (default)
FLAGS: 0/1

The following is a sample output from the show standby command displaying HSRP Version 2 information
if HSRP Version 2 is configured:

Device# show standby
Ethernet0/1 – Group 1 (version 2)
State is Speak
Virtual IP address is 10.21.0.10
Active virtual MAC address is unknown
Local virtual MAC address is 0000.0c9f.f001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.804 secs
Preemption enabled
Active router is unknown
Standby router is unknown
Priority 20 (configured 20)
Group name is “hsrp-Et0/1-1” (default)
Ethernet0/2 – Group 1
State is Speak
Virtual IP address is 10.22.0.10
Active virtual MAC address is unknown
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.804 secs
Preemption disabled
Active router is unknown
Standby router is unknown
Priority 90 (default 100)
Track interface Serial2/0 state Down decrement 10
Group name is “hsrp-Et0/2-1” (default)

The following is a sample output from the show standby command displaying Authentication information if HSRP MD5 authentication is configured:

Device# show standby
Ethernet0/1 – Group 1
State is Active
5 state changes, last state change 00:17:27
Virtual IP address is 10.21.0.10
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.276 secs
Authentication MD5, key-string, timeout 30 secs
Preemption enabled
Active router is local
Standby router is unknown
Priority 110 (configured 110)
Group name is “hsrp-Et0/1-1” (default)

The following is a sample output from the show standby brief command displaying HSRP information for a specific interface

Device# show standby brief
Interface Grp Pri P State Active Standby Virtual IP
Gi0/0/1.94 94 105 P Standby 10.96.194.2 local 10.96.194.1
Gi0/0/1.94 194 105 P Standby FE80::CE16:7EFF:FE8C:6DD1 local FE80::5:73FF:FEA0:C2

The following is a sample output from the show standbyneighbors command displaying the HSRPneighbors
on Ethernet interface 0/0. Neighbor 10.0.0.250 is active for group 2 and standby for groups 1 and 8, and is
registered with BFD:

Device# show standby neighbors Ethernet0/0
HSRP neighbors on Ethernet0/0
10.0.0.250
Active groups: 2
Standby groups: 1, 8
BFD enabled
10.0.0.251
Active groups: 5, 8
Standby groups: 2
BFD enabled
10.0.0.253
No Active groups
No Standby groups
BFD enabled

The following is a sample output from the show standby neighbors command displaying information for all
HSRP neighbors:

Device# show standby neighbors
HSRP neighbors on FastEthernet2/0
10.0.0.2
No active groups
Standby groups: 1
BFD enabled
HSRP neighbors on FastEthernet2/0
10.0.0.1
Active groups: 1
No standby groups
BFD enabled

Company Logo