Hot Standby Routing Protocol (HSRP)
In this book, several examples dealt with creating backup links for use in case some other link fails. But routers themselves fail, so how do you implement backup routers? You might think that this shouldn't be a problem: after all, if you have two routers connecting your site to the external world, and one fails, your own routing protocols should eventually route around the failure. However, it's not that simple. If the individual hosts on your network aren't running some sort of routing protocol (such as RIP) or router discovery protocol (such as IRDP), they'll never find out about the failure. And in most cases, you don't want to be running a routing protocol on individual hosts; you want to set up each host with a simple default route and leave it at that. Furthermore, when a router fails, it can take some time for a protocol such as RIP to converge on a new route.
That's the overall picture. More concretely, the top illustration in Figure 13-1 shows a larger network comprising two smaller networks. There are two routers, both connected to the external gateway. Let's assume that you want to configure the hosts on Network 1 and Network 2 with static default routes. To which router should these default routes point? All the hosts on both networks can reach either router, but each host can have only one default route. What happens if the router a particular host is using fails? How does that host find out about the other router, aside from an administrator manually changing its default route?
The elegant solution is HSRP. The second part of Figure 13-1 shows a new router, Router 3. Router 3 is a virtual router, meaning that there's no such physical piece of equipment: it's an illusion created by the use of HSRP on Router 1 and Router 2. However, although Router 3 is an illusion, it has a unique IP address and a unique MAC address that is configured between Router 1 and Router 2.
Configuring HSRP is as simple as using the standby command on the appropriate interfaces. In the following configuration, we apply the standby command to the ethernet1 interfaces of both routers. Router 1 has the standby preempt command, which tells the routers that Router 1 should be the active router for the standby group, but only when Router 1 has the higher priority. We ensure it has a higher priority by setting the value explicitly to 120 with the priority command. If Router 1 goes down, Router 2, the standby router, takes over the routing duties for our virtual Router 3. If Router 1 comes back up, it will automatically take over because it has the higher priority and the preempt command in its configuration. The standby ip command provides the IP address for the virtual router.
Figure 13-1. HSRP layout
Here's the configuration for Router 1:
interface ethernet1
 ! A real IP address is still required for this interface
 ip address 10.10.28.1 255.255.255.0
 standby preempt
 standby priority 120
 ! The IP address for the virtual Router3 is 10.10.28.3
 standby ip 10.10.28.3
Here's the configuration for Router 2:
interface ethernet1
 ! A real IP address is still required for this interface
 ip address 10.10.28.2 255.255.255.0
 ! The IP address for the virtual Router3 is 10.10.28.3
 standby ip 10.10.28.3
With this configuration, all the nodes in Networks 1 and 2 can use 10.10.28.3 as their default gateway address. This is the IP address for the virtual router, Router 3; hosts on the two networks can communicate with Router 3 as if it were a real device. Initially, Router 1 acts as Router 3 and handles packets sent to the virtual router's address. If Router 1 fails, Router 2 takes over immediately. The switchover happens so quickly that the network devices never know that anything has happened; they can continue to use Router 3 as their default router.
It's worth mentioning that the routers adopt a common virtual MAC address as well as a virtual IP address. You don't have to configure the virtual MAC address; the routers do this for you. A virtual MAC address ensures that the ARP caches remain valid when HSRP switches over to another router.
13.2.1. Tracking Another Interface
With the HSRP track command, we can tell our HSRP process to watch another interface and decrement our priority if the other interface goes down. This feature would be useful in our examples to track the interface on each router going to the gateway router. Let's assume that Router 1 and Router 2 both use serial0 to connect to the gateway router as shown in Figure 13-1. All we need to do to our previous configuration is add the track command.
Here's the configuration for Router 1:
interface ethernet1
 ip address 10.10.28.1 255.255.255.0
 standby preempt
 standby priority 120
 standby track serial0
 standby ip 10.10.28.3
And here's the configuration for Router 2:
interface ethernet1
 ip address 10.10.28.2 255.255.255.0
 standby track serial0
 standby ip 10.10.28.3
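An added example (not from the book) that models HSRP's priority and preempt rules in Python to check what the tracking configuration above does when Router 1's serial0 fails. It assumes the IOS defaults of priority 100 and a track decrement of 10; the class and function names and the tuned variant (decrement 30 on Router 1, preempt on Router 2) are illustrative, and the election is a simplified model.

```python
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 100   # assumed IOS default when "standby priority" is absent
DEFAULT_DECREMENT = 10   # assumed IOS default for "standby track <interface>"

@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False
    track: dict = field(default_factory=dict)   # tracked interface -> decrement
    down: set = field(default_factory=set)      # tracked interfaces currently down
    alive: bool = True

    def effective_priority(self):
        return self.priority - sum(d for i, d in self.track.items() if i in self.down)

def rank(r):
    # Higher priority wins; the higher interface IP address breaks ties.
    return (r.effective_priority(), tuple(int(o) for o in r.ip.split(".")))

def elect(routers, active=None):
    """Return the name of the active router once the group settles."""
    alive = [r for r in routers if r.alive]
    if not alive:
        return None
    current = next((r for r in alive if r.name == active), None)
    if current is None:
        return max(alive, key=rank).name   # active router is silent: take over
    # A live active router is displaced only by a better router with preempt.
    challengers = [r for r in alive if r.preempt and rank(r) > rank(current)]
    return max(challengers, key=rank).name if challengers else current.name

def build(decrement=DEFAULT_DECREMENT, r2_preempt=False):
    # Defaults reproduce section 13.2.1 as printed; other values are assumed variants.
    r1 = HsrpRouter("Router1", "10.10.28.1", priority=120, preempt=True,
                    track={"serial0": decrement})
    r2 = HsrpRouter("Router2", "10.10.28.2", preempt=r2_preempt,
                    track={"serial0": DEFAULT_DECREMENT})
    return r1, r2

def uplink_failure(r1, r2):
    """Router 1 is active and still sending hellos, then its serial0 goes down."""
    r1.down.add("serial0")
    return elect([r1, r2], active="Router1")

if __name__ == "__main__":
    print(uplink_failure(*build()))
    print(uplink_failure(*build(decrement=30, r2_preempt=True)))
```

With the defaults, Router 1 only drops to 110 and Router 2 has no preempt, so Router 1 stays active even though its uplink is gone; the tuned variant hands the virtual router to Router 2.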
13.2.2. Naming Our HSRP Configuration
We can also assign a name to our HSRP configuration. As we will see later in the NAT configuration, we'll use this for stateful NAT. The command is simply standby name followed by the name you would like to use.
interface ethernet1
 standby name hsrpname1
13.2.3. Multiple-Group Hot Standby Routing
HSRP allows you to create multiple virtual routers, each supported by a number of physical routers, by using the concept of router groups in the standby commands. Multiple standby groups are supported only by newer router models and high-end routers. The 2500-series routers do not support this function (Lance Ethernet chipset).
Our previous example didn't specify a group number, meaning that both routers were in the default group (group 0). In this example, we'll use three physical routers to create three virtual routers, using three router groups. Here's how we'll organize the routers:
Router 1
Active for group 1 and standby for group 3
Router 2
Active for group 2 and standby for group 3
Router 3
Active for group 3 and standby for group 1 and group 2
The virtual router for group 1 has the address 10.10.1.11; group 2 has the address 10.10.1.12; and group 3 has the address 10.10.1.13.
Here's the configuration for Router 1:
interface ethernet1
 ip address 10.10.1.1 255.255.255.0
 standby 1 priority 120
 standby 1 preempt
 standby 1 ip 10.10.1.11
 standby 3 ip 10.10.1.13
Here's the configuration for Router 2:
interface ethernet1
 ip address 10.10.1.2 255.255.255.0
 standby 2 priority 120
 standby 2 preempt
 standby 2 ip 10.10.1.12
 standby 3 ip 10.10.1.13
And here's the configuration for Router 3:
interface ethernet1
 ip address 10.10.1.3 255.255.255.0
 standby 3 priority 120
 standby 3 preempt
 standby 3 ip 10.10.1.13
 standby 1 ip 10.10.1.11
 standby 2 ip 10.10.1.12
HSRP groups help your switches behave reasonably as different routers are enabled. Remember that the router automatically generates a virtual MAC address for each HSRP router. If you have your HSRP routers connected to a single switch (or multiple switches VLANed together), the switch will see the same MAC address on different ports as the HSRP routers become active. With HSRP groups, the routers use a unique MAC address for each HSRP group. So, if you do have your HSRP routers plugged into a single switch, you can use multiple HSRP groups to enforce the use of different MAC addresses on different ports, which keeps switches happy.
13.2.4. Load Sharing with Hot Standby
You can use HSRP for a form of load sharing. Think back to Figure 13-1. In this network, we gave all the hosts a default route to the virtual router (10.10.28.3) and configured Router 1 to act as the virtual router unless it failed. This is clearly inefficient, since most of the time Router 2 was doing nothing: all the traffic flowed through Router 1, and Router 2 just waited for Router 1 to break.
In this example, we configure the networks so that Network 1 uses Router 1 as its default route, and Network 2 uses Router 2. To do so, we create two virtual routers, each with its own IP address. Each physical router is the primary router for one of the virtual routers and the backup for the other. With this configuration, Network 1 can use the virtual Router 1 (10.10.28.3) for its default route, and Network 2 can use the virtual Router 2 (10.10.28.4). In this way, they both carry traffic until one of the routers goes down, and then the other router takes over all the traffic.
Here's the configuration for Router 1:
interface ethernet1
 ip address 10.10.28.1 255.255.255.0
 standby 1 preempt
 standby 1 priority 120
 standby 1 ip 10.10.28.3
 standby 2 ip 10.10.28.4
Here's the configuration for Router 2:
interface ethernet 1
 ip address 10.10.28.2 255.255.255.0
 standby 2 preempt
 standby 2 priority 120
 standby 2 ip 10.10.28.4
 standby 1 ip 10.10.28.3
Devices within Network 1 use 10.10.28.3 as their default router, and devices within Network 2 use 10.10.28.4 as their default router. This configuration provides a primitive form of load sharing across the two networks. If either router goes down, the other takes over.
13.2.5. HSRP show Commands
The command show standby displays all the HSRP information that the router knows about. In this configuration, we can see that HSRP is configured only on Ethernet0:
Router1#show standby
Ethernet0 - Group 0
  Local state is Active, priority 120, may preempt
  Hellotime 3 holdtime 10
  Next hello sent in 00:00:02.564
  Hot standby IP address is 192.168.1.3 configured
  Active router is local
  Standby router is unknown expires in 00:00:04
  Standby virtual mac address is 0000.0c07.ac00
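An added example (not from the book): a Python check that parses the show standby output format shown above and compares it with the intended design. It assumes HSRP version 1, where the virtual MAC is 0000.0c07.ac followed by the group number in hex; the function names and the intended-state table are illustrative.

```python
import re

# The page's "show standby" output, one field per line.
SAMPLE = """\
Ethernet0 - Group 0
  Local state is Active, priority 120, may preempt
  Hellotime 3 holdtime 10
  Next hello sent in 00:00:02.564
  Hot standby IP address is 192.168.1.3 configured
  Active router is local
  Standby router is unknown expires in 00:00:04
  Standby virtual mac address is 0000.0c07.ac00
"""

def expected_vmac(group):
    # Assumption: HSRP version 1 derives the virtual MAC from the group number.
    return "0000.0c07.ac%02x" % group

def parse_show_standby(text):
    groups, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := re.match(r"(\S+) - Group (\d+)$", line)):
            cur = {"interface": m.group(1), "group": int(m.group(2)), "preempt": False}
            groups.append(cur)
        elif cur is None:
            continue
        elif (m := re.match(r"Local state is (\w+), priority (\d+)(, may preempt)?", line)):
            cur.update(state=m.group(1), priority=int(m.group(2)), preempt=bool(m.group(3)))
        elif (m := re.match(r"Hot standby IP address is (\S+)", line)):
            cur["virtual_ip"] = m.group(1)
        elif (m := re.match(r"(Active|Standby) router is (\S+)", line)):
            cur[m.group(1).lower() + "_router"] = m.group(2)
        elif (m := re.match(r"Standby virtual mac address is (\S+)", line)):
            cur["vmac"] = m.group(1).lower()
    return groups

def audit(groups, intended):
    """intended maps (interface, group) -> expected local state, e.g. 'Active'."""
    findings = []
    for g in groups:
        key = (g["interface"], g["group"])
        if g.get("vmac") != expected_vmac(g["group"]):
            findings.append((key, "virtual MAC does not match group number"))
        if key in intended and g.get("state") != intended[key]:
            findings.append((key, "local state is %s, design says %s" % (g.get("state"), intended[key])))
        if g.get("standby_router") == "unknown":
            findings.append((key, "no standby router heard: group has no backup"))
    return findings
```

Run against the page's own output, the audit reports that no standby router is being heard, so this group would have no backup if Router1 failed.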