HSRP – Hot Standby Router Protocol
– Cisco proprietary
– Based on an Active/Passive model
This protocol comes in several versions:
Version 1:
– Virtual MAC address used: 0000.0C07.ACxx
– Uses the multicast address 220.127.116.11
– Groups 0 to 255
Version 2:
– IPv4 / IPv6
– Virtual MAC address used: 0000.0C9F.Fxxx
– Uses the multicast address 18.104.22.168
– Groups 0 to 4095
How HSRP works
The HSRP protocol is based on the Active/Passive model. This means that only one router is in "Active" mode and all the other routers are in "Passive" mode:
– Active mode
This router carries the virtual IP address and the virtual MAC address.
– Passive mode
The other routers wait for the active router to become unavailable before taking its place.
To determine which router goes into Active mode, the routers hold an election.
Election of the active router
Each router has a priority.
This priority can be changed by the administrator.
The default priority is 100; the allowed range is 0 to 255.
The router with the highest priority will be in Active mode.
In the event of a tie, the router with the highest IP address becomes the active router.
The router in Active mode therefore carries our virtual IP address and our virtual MAC address.
The Passive router or routers are kept informed of the health of the Active router via "Hello" packets sent in multicast.
– The router in Active mode sends "Hello" packets to the passive routers.
This interval is called the "Hello Timer" (default: every 3 seconds).
– If our Passive routers no longer receive "Hello" packets, they consider the active router to be out of service, and a new election takes place!
This interval is called the "Hold-time Timer" (default: 10 seconds, or 3x the Hello Timer).
The "Hello Timer" and "Hold-time Timer" values can be changed by the administrator:
Switch(config-if)# standby 1 timers 3 10
(Hello = 3s / Hold-time = 10s. Setting these values is pointless here, because they are the defaults.)
Switch(config-if)# standby 1 timers msec 100 msec 300
We have switched the "Hello timer" to 100 milliseconds and the "Hold-time" to 300 (3×100) milliseconds.
This gives us a failover time of 300 milliseconds in the event of a failure.
These timers must be identical on all our routers.
Failover in the event of a breakdown
If our Active router is no longer in working order, a new election takes place.
A router in Passive mode therefore switches to Active mode.
If our failed router comes back online, there is no new election!
(It will not get its role back until the new Active router fails in turn.)
Definition of preemption:
Pre-emption is the ability of a multitasking operating system to interrupt an ongoing task in favor of a higher-priority task. (source: Wikipedia)
The "preempt" command allows a router with a higher priority than the others to replace the router currently in Active mode, without waiting for the next election (a coup d'état, in short).
The command is as follows:
Switch(config-if)# standby 1 preempt
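The election, Hold-time and preempt rules described above, as an added Python model (example code, not from the article; router names, IP addresses and the timestamps passed as `now` are constructed):

```python
"""HSRP election, Hold-time expiry and preemption, modelled in Python.

Added illustration, not code from the original article. Router names,
IP addresses and the 'now' timestamps are constructed values; timers are
in seconds and match the article's defaults (Hold-time 10 s).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100        # HSRP default, allowed range 0-255
    preempt: bool = False      # 'standby 1 preempt' is off by default
    last_hello: float = 0.0    # time at which this router's last Hello was heard

def is_alive(r: Router, now: float, hold_time: float = 10.0) -> bool:
    """A router counts as up until its Hold-time expires without a Hello."""
    return now - r.last_hello <= hold_time

def rank(r: Router) -> tuple:
    """Election key: highest priority wins, ties go to the highest IP."""
    return (r.priority, int(IPv4Address(r.ip)))

def next_active(current: Optional[Router], routers: list, now: float,
                hold_time: float = 10.0) -> Optional[Router]:
    """Return the router that is Active after this tick.

    - No Active router yet (first election) or the Active router's Hold-time
      expired: a new election, won by the best-ranked live candidate.
    - Otherwise the Active router keeps its role; a better-ranked router only
      takes over if it has 'preempt' configured. Without preempt, a returning
      router with a higher priority waits for the Active router to fail.
    """
    alive = [r for r in routers if is_alive(r, now, hold_time)]
    if not alive:
        return None
    best = max(alive, key=rank)
    if current is None or not is_alive(current, now, hold_time):
        return best
    if best is not current and best.preempt:
        return best
    return current
```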
To authenticate the routers in our HSRP group, authentication can be set up.
There are two methods for this:
Plain-text authentication
If both routers have the same plain-text key string, they will be able to work together.
This string must be between 1 and 8 characters long.
This authentication method is used by default, with "cisco" as the value of the string.
The string travels in clear text over the network ….
Reminder: Hello packets are sent in multicast. Anyone simply listening on the network will obtain the HSRP group number as well as this string.
To change this string:
Switch(config-if)# standby 1 authentication Finger
MD5 authentication
To explain this type of authentication, let's consider a scenario:
– Routers R1 and R2 are in the same HSRP group.
– R1 has a message to send to R2.
– R1 creates a hash of the message using its MD5 key.
– R1 sends its message along with the hash of that message.
– R2 creates a hash from the received message using its own MD5 key.
– If the hash computed by R2 is equal to the hash sent by R1, the message is accepted.
The MD5 key:
– Does not travel over the network.
– Can have a maximum of 64 characters.
Two ways to set up an MD5 key:
Switch(config-if)# standby 1 authentication md5 key-string [0 | 7] Finger
0 – Clear-text key
7 – Encrypted key (Cisco type 7, which is reversible obfuscation rather than strong encryption)
Switch(config)# key chain Finger-chain
Switch(config-keychain)# key 1
Switch(config-keychain-key)# key-string [0 | 7] Finger
Switch(config)# interface vlan 10
Switch(config-if)# standby 1 authentication md5 key-chain Finger-chain
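The difference between the two methods, as an added Python illustration of the R1/R2 walkthrough (example code, not from the article and not the IOS packet format; the Hello "packets" are constructed dicts and the digest is MD5(message || key) as the walkthrough describes):

```python
"""Plain-text vs MD5 HSRP authentication, following the R1/R2 walkthrough.

Added illustration, not code from the original article and not the exact
IOS packet format: Hello 'packets' are constructed dicts, and the digest is
MD5(message || key) as the walkthrough describes, so only the principle is
shown. Key lengths follow the limits stated in the article (8 / 64 chars).
"""
import hashlib

KEY_MAX_LEN = {"plain": 8, "md5": 64}

def _check_len(key: str, kind: str) -> None:
    if not 1 <= len(key) <= KEY_MAX_LEN[kind]:
        raise ValueError(f"{kind} key must be 1-{KEY_MAX_LEN[kind]} characters")

def plain_text_hello(group: int, key: str = "cisco") -> dict:
    """Plain-text authentication: the key string itself travels in the Hello."""
    _check_len(key, "plain")
    return {"group": group, "auth": key}

def md5_digest(message: bytes, key: str) -> str:
    """Keyed digest as in the walkthrough: hash of the message plus the local key."""
    return hashlib.md5(message + key.encode()).hexdigest()

def md5_hello(group: int, key: str) -> dict:
    """MD5 authentication: the Hello carries a keyed digest, never the key."""
    _check_len(key, "md5")
    message = f"group={group};state=active".encode()   # constructed payload
    return {"group": group, "message": message, "digest": md5_digest(message, key)}

def accept_md5_hello(pkt: dict, local_key: str) -> bool:
    """Receiver (R2) recomputes the digest with its own key and compares."""
    return md5_digest(pkt["message"], local_key) == pkt["digest"]

def key_visible_on_wire(pkt: dict, key: str) -> bool:
    """What someone listening on the multicast segment could read directly."""
    return key in repr(pkt)
```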
Setting up HSRP
The HSRP protocol is configured on an interface (physical or VLAN).
Step 1: Set the HSRP version to use:
Router(config)# interface vlan 10
Router(config-if)# standby version 2
Step 2: Set the HSRP priority
The HSRP protocol works in groups, so we need to specify which group the router works in. Let's say we are on the right-hand router and we want it to be in Passive mode: we therefore give the left-hand router a higher priority (the right-hand router keeps the default priority value of 100).
Router(config-if)# standby 1 priority 110
Step 3: Set the virtual IP address
(The virtual MAC address is generated from the HSRP group number.)
Router(config-if)# standby 1 ip 192.168.10.254
Load balancing with HSRP (MHSRP)
As we saw above, all our traffic heading to the Internet goes through a single router, while the second one is only there in case the first link fails. It would be better to use both links! To do this, we will do manual load balancing (the GLBP protocol does dynamic load balancing).
Let's take our architecture again, with two VLANs this time:
– VLAN 10 – 192.168.10.0/24
– VLAN 20 – 192.168.20.0/24
We create two different HSRP groups (one for each VLAN) and decide that the left-hand router will be in Active mode for VLAN 10.
The right-hand router will be in Active mode for VLAN 20.
This way we use both of our connections.
To do this, we create the same configuration as above and adjust the priority of our routers in each HSRP group.
HSRP and IP SLA
The IP SLA service allows you to run different types of test (see the SLA article).
This service lets us check the availability of the services behind our gateway.
Our two routers provide Internet access via two separate boxes. If one of the two boxes stops working, HSRP will never fail over.
With the SLA service, we tell the router that if its WAN link is down, it must hand over to the standby router.
Step 1: Setting up our SLA test:
Router(config)# ip sla 10
Router(config-ip-sla)# icmp-echo 22.214.171.124
Router(config-ip-sla-echo)# frequency 5
Router(config)# ip sla schedule 10 start-time now life forever
The IP address 126.96.36.199 is Google's DNS server; it is always up, so we will use it for our Internet connectivity test.
Step 2: Taking the SLA into account in our HSRP architecture
Router(config)# track 1 ip sla 10 reachability
Router(config)# interface vlan 10
Router(config-if)# standby 1 track 1 decrement 20
"Decrement" is the value subtracted from the router's priority if the test returns a negative result. (The object number given to "standby 1 track" must be the track object created with "track 1", not the IP SLA number.)
Since router A has priority 110 and router B has 100, router A is in "Active" mode.
The SLA test therefore has to be put on router A.
If the test result is negative, the priority of router A drops to 90 and router B goes into "Active" mode.
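The priority decrement in the scenario above, as an added Python model (example code, not from the article; routers A and B and the track states are constructed, and the block also handles several track objects on one router, which IOS allows). One caveat the model makes explicit: router B only takes over the Active role if it has preempt configured.

```python
"""Priority decrement from a failed track object (IP SLA reachability).

Added illustration, not code from the original article. Routers A and B
and the track states are constructed to match the scenario above
(A = 110 with 'standby 1 track 1 decrement 20', B = 100). It also covers
several track objects on one router, each with its own decrement, which
IOS allows. B takes over only if it has preempt configured.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

@dataclass
class Track:
    """One 'standby <group> track <object> decrement <value>' entry."""
    obj: int
    decrement: int = 10        # IOS uses 10 when no decrement value is given

@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100
    preempt: bool = False
    tracks: list = field(default_factory=list)

def effective_priority(r: Router, track_up: dict) -> int:
    """Configured priority minus the decrement of every track object that is down."""
    penalty = sum(t.decrement for t in r.tracks if not track_up.get(t.obj, True))
    return max(0, r.priority - penalty)

def active_after_tracking(current: Router, routers: list, track_up: dict) -> Router:
    """The standby router takes over only if it now ranks higher AND has preempt."""
    best = max(routers, key=lambda r: (effective_priority(r, track_up),
                                       int(IPv4Address(r.ip))))
    return best if (best is not current and best.preempt) else current
```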
To check the HSRP state:
Router# show standby
Router# show standby brief
Hoping this article has been helpful to you! Don't hesitate to let me know!!
This site has other networking articles; take the opportunity to browse the menu bar!