14 First Hop Redundancy Protocol (HSRP) Flashcards
Proxy Address Resolution Protocol (Proxy ARP)
Proxy ARP enables hosts that have no knowledge of routing to obtain the MAC address of a gateway router that can forward packets for them. If a Proxy ARP–enabled router receives an ARP request for an IP address that it knows isn’t on the same subnet as the requesting host, it responds with an ARP reply that gives the host its own MAC address.
First Hop Redundancy Protocol (FHRP)
First hop redundancy protocols (FHRPs) give you a way to configure more than one physical router so that they appear as a single logical router. This makes client configuration and communication easier because you can configure a single default gateway and the host machine can use its standard protocols to communicate. “First hop” refers to the default router being the first router, or first router hop, that a packet passes through. A redundancy protocol presents a virtual router to all of the clients. The virtual router has its own IP and MAC addresses. The virtual IP address is the address that’s configured on each of the host machines as the default gateway. The virtual MAC address is the address that’s returned when a host sends an ARP request for the virtual IP. The hosts don’t know or care which physical router is actually forwarding the traffic. It’s the responsibility of the redundancy protocol to decide which physical router actively forwards traffic and which one is placed on standby in case the active router fails. Even if the active router fails, the transition to the standby router is transparent to the hosts because the virtual router that’s identified by the virtual IP and MAC addresses is now served by the standby router. The hosts never change their default gateway information, so traffic keeps flowing.
Hot Standby Router Protocol (HSRP)
HSRP is a Cisco proprietary protocol that provides a redundant gateway for hosts on a local subnet. The drawback is that this isn’t a load-balanced solution. HSRP allows you to configure two or more routers into a standby group that shares an IP and MAC address and provides a default gateway. Because the IP and MAC addresses are independent from the routers’ physical addresses—on a virtual interface and not tied to a specific interface—the routers can swap control of the address if the current active forwarding router fails. There is a way to achieve a form of load balancing with HSRP: by using multiple VLANs over trunk links, you designate one router as active for one VLAN and an alternate router as active for the other VLAN.
It defines a standby group, and each standby group that you define includes the following routers:
■ Active router
■ Standby router
■ Virtual router
■ Any other routers that may be attached to the subnet
The problem with HSRP is that only one router is active, while one or more other routers just sit in standby mode and won’t be used unless a failure occurs—not very cost effective or efficient!
Virtual Router Redundancy Protocol (VRRP)
Provides a redundant gateway for hosts on a local subnet, but not a load-balanced one. It’s an open standard protocol that functions almost identically to HSRP.
Gateway Load Balancing Protocol (GLBP)
GLBP doesn’t stop at providing us with a redundant gateway; it’s a true load-balancing solution for routers. GLBP allows a maximum of four routers in each forwarding group. By default, the active router directs the traffic from hosts to each successive router in the group using a round-robin algorithm. The hosts are directed to send their traffic toward a specific router by being given the MAC address of the next router in line in their ARP replies.
Virtual MAC Address
A virtual router in an HSRP group has a virtual IP address and a virtual MAC address. So where does that virtual MAC come from? The virtual IP address isn’t that hard to figure out; it just has to be a unique IP address on the same subnet as the hosts defined in the configuration. But MAC addresses are a little different, right? Or are they? The answer is yes—sort of. With HSRP, you create a totally new, made-up MAC address in addition to the IP address. The HSRP MAC address has only one variable piece in it. The first 24 bits still identify the vendor who manufactured the device (the organizationally unique identifier, or OUI). The next 16 bits in the address tell us that the MAC address is a well-known HSRP MAC address. Finally, the last 8 bits of the address are the hexadecimal representation of the HSRP group number.
HSRP Timers
The timers are very important to HSRP function because they ensure communication between the routers, and if something goes wrong, they allow the standby router to take over. The HSRP timers include hello, hold, active, and standby.
Hello timer
The hello timer is the defined interval at which each of the routers sends out Hello messages. The default interval is 3 seconds, and the Hello messages identify the state that each router is in. This is important because the particular state determines the specific role of each router and, as a result, the actions each will take within the group. This timer can be changed, but people used to avoid doing so because it was thought that lowering the hello value would place an unnecessary load on the routers. That isn’t true with most routers today; in fact, you can configure the timers in milliseconds, meaning the failover time can be in milliseconds! Keep in mind that increasing the value makes the standby router wait longer before taking over for the active router when it fails or can’t communicate.
Hold timer
The hold timer specifies the interval the standby router uses to determine whether the active router is offline or out of communication. By default, the hold timer is 10 seconds, roughly three times the default for the hello timer. If one timer is changed for some reason, I recommend using this multiplier to adjust the other timers too. By setting the hold timer at three times the hello timer, you ensure that the standby router doesn’t take over the active role every time there’s a short break in communication.
Active timer
The active timer monitors the state of the active router. The timer resets each time a router in the standby group receives a Hello packet from the active router. This timer expires based on the hold time value that’s set in the corresponding field of the HSRP hello message.
Standby timer
The standby timer is used to monitor the state of the standby router. The timer resets anytime a router in the standby group receives a Hello packet from the standby router and expires based on the hold time value that’s set in the respective Hello packet.
Group Roles
Each of the routers in the standby group has a specific function and role to fulfill. The three main roles are as virtual router, active router, and standby router. Additional routers can also be included in the group.
Virtual router
The virtual router is not a physical entity. It really just defines the role that’s held by one of the physical routers. The physical router that communicates as the virtual router is the current active router. The virtual router is nothing more than a separate IP address and MAC address that packets are sent to.
Active router
The active router is the physical router that receives data sent to the virtual router address and routes it onward to its various destinations. As I mentioned, this router accepts all the data sent to the MAC address of the virtual router in addition to the data that’s been sent to its own physical MAC address. The active router processes the data that’s being forwarded and will also answer any ARP requests destined for the virtual router’s IP address.
Standby router
The standby router is the backup to the active router. Its job is to monitor the status of the HSRP group and quickly take over packet-forwarding responsibilities if the active router fails or loses communication. Both the active and standby routers transmit Hello messages to inform all other routers in the group of their role and status.
Other routers
An HSRP group can include additional routers (up to 255 per group) that are members of the group but don’t hold either the active or standby role. These routers monitor the Hello messages sent by the active and standby routers to ensure that an active and a standby router exist for the HSRP group they belong to. They forward data that’s specifically addressed to their own IP addresses, but they never forward data addressed to the virtual router unless elected to the active or standby state. These routers send “speak” messages at the hello timer interval to inform the other routers of their position in an election.
Interface Tracking
It’s a very good thing that the active router can change dynamically, giving us much-needed redundancy on our inside network. But what about the links to the upstream network or the Internet connection off of those HSRP-enabled routers? And how will the inside hosts know if an outside interface goes down, or if they are sending packets to an active router that can’t route to a remote network? These are key questions, and HSRP does provide a solution for them called interface tracking.
HSRP Load Balancing
As you know, HSRP doesn’t perform true load balancing, but it can be configured to use more than one router at a time by assigning different VLANs to different routers. This is different from the true load balancing that’s possible with GLBP, but HSRP still performs a load-balancing act of sorts. How can you get two HSRP routers active at the same time? For the same subnet with the simple configuration, you can’t. But if you trunk the links to each router and configure them as “router on a stick” (ROAS), each router can be the active default gateway for different VLANs; you still have only one active router per VLAN. In a more advanced setting you usually wouldn’t use HSRP for load balancing; instead, opt for GLBP. This HSRP feature improves network resilience by providing both load balancing and redundancy across subnets and VLANs.
HSRP Troubleshooting
Most of your HSRP misconfiguration issues can be solved by checking the output of the show standby command. In the output, you can see the active IP and the MAC address, the timers, the active router, and more, as shown in the verification section above. There are several possible misconfigurations of HSRP, but the following ones are the focus for your CCNA:
Different HSRP virtual IP addresses configured on the peers. Console messages will notify you about this, of course, but if you configure it this way and the active router fails, the standby router takes over with a different virtual IP address. That address differs from the one used previously and from the one configured as the default gateway on the end devices, so your hosts stop working, defeating the purpose of an FHRP.
Different HSRP groups configured on the peers. This misconfiguration leads to both peers becoming active, and you’ll start receiving duplicate IP address warnings. This seems easy to troubleshoot, but the next issue produces the same warnings.
Different HSRP versions configured on the peers, or HSRP traffic blocked. HSRP comes in two versions, 1 and 2. If there’s a version mismatch, both routers become active and you get duplicate IP address warnings again. In version 1, HSRP messages are sent to the multicast IP address 224.0.0.2 on UDP port 1985. HSRP version 2 uses the multicast IP address 224.0.0.102 on UDP port 1985. These IP addresses and ports need to be permitted in the inbound access lists. If the packets are blocked, the peers won’t see each other, meaning there will be no HSRP redundancy.