Understanding Hot Standby Router Protocol (HSRP)

Adds redundancy to your default gateway by learning HSRP Hot Standby Router Protocol

Share This Post

Redundancy is a key factor for any modern network. You just can’t afford to stay without the network, even for a few hours. However, your network devices will fail one day. It might be next month, or within five years, but at some point, something will just stop working. If you don’t want your business to stop working too, you better add some redundancy. Since all your devices point to a default gateway if that fails they will stop communicating outside. The Hot Standby Routing Protocol (HSRP) allows a secondary router to take over the role of the default gateway, in case the first one fails. In this article, we will see how it works.

The need for HSRP

The problem

When a device comes up, it either has a static IP address or queries a DHCP server for a dynamic one. No matter what’s the case, the device will have an IP address and subnet, and the address of its default gateway. Unfortunately, the majority of devices can store a single IP address for the default gateway. As a result, if that gateway fails, they will simply point to a black hole. They won’t be able to communicate outside of their subnet.

If the default gateway fails, you will have a major outage. So, that router is a Single Point of Failure (SPoF).

HSRP is useful to remove single point of failures in the network. In this example, we have one
If the router fails, the entire network will be isolated.

You can also see that if a switch fails, the computers connected to it will be isolated. While this is an unpleasant event, the switch is not a Single Point of Failure. This is because their failure does not impact the entire infrastructure, only part of it. However, in case you are connecting servers in a data center, you want to connect a server to two switches at least.

The Solution

Your network should have no Single Point of Failure, and HSRP helps in that sense. The first thing you need to do is purchase another router and another Internet connection. Since we have no way to tell a client to use multiple gateways, we need to find a workaround. We do that by configuring the two routers with HSRP. Instead of telling the clients, we prepare the secondary gateway to mask itself as the primary one, if the primary fails. More or less, we are lying to clients about which router is the default gateway.

To do that configuration, you add a Virtual IP Address (VIP) on both routers. By default, only the primary router will use it. However, if the primary router fails the secondary will start using that address.

HSRP implements gateway redundancy with virtual IP address
This network implements redundancy by using a Virtual gateway.

That VIP is a dedicated IP address. You can make all your devices point to that address as default gateway, and you do the trick. In case the first router fails, the second one will start being the default gateway.

Understanding HSRP

The First Hop Redundancy Protocol Family

Hot Standby Routing Protocol is the first of the First Hop Redundancy Protocol (FHRP) family. It is a Cisco proprietary implementation, easy to configure, and troubleshoot. In the same family, we find the Virtual Router Redundancy Protocol (VRRP), which is standard; and the Gateway Load Balancing Protocol (GLBP), another Cisco proprietary implementation.

All the protocols have the major goal of default gateway redundancy. However, they slightly differ in features and implementation:

  • HSRP and VRRP work almost identically, the major difference is that VRRP is standard.
  • GLBP adds some load balancing feature. It puts in place a trick that allows some clients to use a physical router, and some other clients to use the other(s). As a result, you load balance over your LAN. It might seem the most optimized one, but if you have STP in place it will force your traffic on the same links, making load balancing ineffective.

For the CCNA curriculum, you need to know HSRP only. The good news is that with this knowledge you will also be ready to understand VRRP and GLBP, just in case.

The components of HSRP

You can configure multiple routers to share the same HSRP Virtual IP. However, only one of them will be active in a given moment. Nonetheless, all must understand that they are sharing a Virtual IP, and must talk with each other. To do that, they communicate using the multicast address 224.0.0.2 (HSRPv1) or 224.0.0.102 (HSRPv2).

In this communication, routers evaluate some key elements to define who should host the VIP. The router that is forwarding traffic for the VIP is called active, while the others are standby.

  • HSRP Group Number, an identifier of the HSRP Configuration. You can associate all your HSRP settings with that group so that you can add multiple groups on each interface. If you have them, it means there will be multiple VIPs on a VLAN. However, this is out of scope, as the common purpose is asymmetrical routing (CCNP Stuff). Instead, we will have a single VIP per VLAN, shared on multiple routers.
  • Virtual IP address, they all must know which is the VIP to do HSRP for. You can have one VIP per HSRP Group.
  • The priority of the router, default is 100 and ranging between 0 and 255. The higher, the most likely the router to be active. Each physical router can have a custom priority in each group.
  • Preemption allows a router with a better priority to take over the active role even if the other router (with lower priority) is active. You might want to configure that to make the active go back on the primary router when you restore it.

With these information, routers create Virtual IP and MAC addresses.

Virtual IP and MAC addresses

HSRP is a whole lie: routers lie to the clients, but also to the switches. In fact, HSRP needs to face some challenges to do what it does. Our major obstacle is the Address Resolution Protocol (ARP). In fact, after the DHCP request, clients know only the VIP of the default gateway. To communicate over Ethernet links, they need to use ARP to get the MAC address.

In HSRP, a router can take over the virtual IP if the other router fails
The secondary router takes over the virtual IP if the first router fails. Note that the secondary router already knows what is the virtual IP.

If, with ARP, they get the physical address of the primary router, what happens if it fails? They will continue to send traffic to a non-working mac address until their MAC address table times out. When we reach the timeout, which is 10 minutes on most devices, our PC will make a new ARP request. Hopefully, with that, it will get the MAC address of the secondary router who has taken over the VIP. However, for about 10 minutes we had an outage on most devices. We need to find a workaround.

HSRP overcomes this limitation by creating a virtual MAC address. This MAC address is shared among routers in the group and will be used from the active gateway only. Nonetheless, al routers know it and are ready to use it if the active fails. HSRP defines this MAC address as Standby MAC address. It has a standard format, as below:

0000.0c07.acXX

XX represents the HSRP Group number, so the Standby MAC for group 1 will be 0000.0c07.ac01. Secondary routers monitor the primary one. When the primary fails, the routers that are going to be active immediately sends out a frame with the Standby MAC address as source. This way, we update immediately the MAC address table on the switch.

Joining an HSRP Group

HSRP means cooperation. Routers must talk with each other, and understand their parameters. If they don’t interoperate correctly, you might have two routers believing to be active at the same time. As a result, the switches will see the MAC address in two places and believe it is a duplicate. Within seconds, the interfaces will start to flap, creating high instability.

We know that HSRP sends keep-alive messages. It doesn’t use them just to verify the availability of neighbors, but also to understand which neighbors are participating in the HSRP group. Two routers are in the same group if they have the same: group number, standby IP address, and authentication settings.

HSRP routers must agree on group, standby ip and authentication settings
Parameters that creates a HSRP agreement.

Since HSRP allows the default gateway to dynamically move in the network, it exposes us to some security concerns. In fact, a hacker attaches a new router on the network he can move the default gateway. This can lead to Man in the Middle attacks. To prevent that, HSRP supports the authentication of peers. To implement that, you need to specify a password. Then, before trusting another device, HSRP routers will challenge it with a password.

HSRP and STP

When designing an HSRP deployment, you need to be aware of the STP Configuration. This becomes more evident in a Three-Tier Infrastructure. Imagine that you have two routers, connected to two distribution switches. If the primary router is connected to the non-root switch, all traffic will go to the root switch first. Then, the root switch will send it to the non-root distribution switch, and then to the router. We are creating a suboptimal path.

To avoid that, ensure that the router being HSRP active (in normal conditions) is connected to the STP root switch. This way, packets will take the most straightforward path. Below, a correct example.

Connect the HSRP active router to the STP root switch for optimal path.
The HSRP active router is connected to the STP root.

Furthermore, you can implement HSRP on Multilayer switches. Instead of configuring it on router ports, like on routers, you configure it on Switch Virtual Interfaces (SVIs). If that’s the case, ensure that the multilayer switch is both STP Root and HSRP active for a given VLAN.

Convergence Times

The convergence time for HSRP is defined by timers. In fact, HSRP routers send keepalive messages. If three keepalives are lost, routers assume that the active gateway is down. By default, they send hello packets every 3 seconds, and give the active for dead if no hello was received for 10 seconds (the holdtime).

You can tune these timers at your will, and even use milliseconds. The best practice is to maintain the holdtime at least three times the hellotime. The smaller the timer (more frequent), the more resources it requires. Sending a packet every 3 seconds is different from sending it 50 times in a second. However, if you can maintain these timers in milliseconds, you might even have the takeover without losing a single packet.

Conclusion

In this article, we covered all the beauty of the Host Standby Router Protocol (HSRP). Now, you are ready to configure it and deploy a fully redundant campus architecture. Below, some key concepts you need to know from this article.

  • HSRP is a First Hop Redundancy Protocol that creates a Virtual IP (and associated virtual MAC address). Routers working in HSRP know about them, and if the primary router fails they take over the virtual addresses
  • Routers must agree on group number, virtual IP and authentication settings to join an HSRP group
  • Ensure that the HSRP active router is connected to the STP root, otherwise traffic may take suboptimal paths

With this knowledge, we can go on with our CCNA Course and continue to the next article. There, we will learn how we can configure HSRP.

Don't fail the CCNA Exam!

Failing the CCNA exam equals wasting $300. Don't do that, be prepared instead.
Together with our free course, we offer a companion book with Questions and Answers. And it's only $27.50 if you are following the course.
Picture of Alessandro Maggio

Alessandro Maggio

Project manager, critical-thinker, passionate about networking & coding. I believe that time is the most precious resource we have, and that technology can help us not to waste it. I founded ICTShore.com with the same principle: I share what I learn so that you get value from it faster than I did.
Picture of Alessandro Maggio

Alessandro Maggio

Project manager, critical-thinker, passionate about networking & coding. I believe that time is the most precious resource we have, and that technology can help us not to waste it. I founded ICTShore.com with the same principle: I share what I learn so that you get value from it faster than I did.

Alessandro Maggio

2017-08-24T16:30:37+00:00

Unspecified

Free CCNA Course

Unspecified