- What is FHRP? Why do we need FHRP?
- Different types of FHRP
- What is HSRP and how HSRP works?
- Explanation of HSRP State
- HSRP Tracking
- Load balancing using multiple groups
- ICMP Redirect
First Hop Redundancy Protocol (FHRP) is designed to allow transparent failover at the first-hop IP router. FHRP enables two or more devices to work together in a group, sharing a single virtual IP address and virtual MAC address. The virtual IP address is configured on each end host as its default gateway address.
There are three first hop redundancy protocols that could be used for this purpose:
- HSRP is a Cisco proprietary protocol. HSRP provides default gateway redundancy for an IP network by sharing a virtual IP address and MAC address between two or more routers participating in an HSRP group. An HSRP group is identified by its group ID.
- An HSRP group contains the following roles:
I. One router is elected as the active router; the active router is responsible for forwarding traffic destined to the virtual IP address.
II. One router is elected as the standby router, which becomes active when the active router fails.
III. All other routers participating in the HSRP group are called additional routers or listening routers.
Routers exchange HSRP Hello messages at regular intervals. Hello packets are only exchanged in the Speak, Standby and Active states.
- The active and standby routers are elected using the process below:
1st. The active and standby routers are elected based on priority. Priority can be between 0 and 255, the default priority is 100, and a higher priority is preferred.
2nd. If all routers in the group have the same priority, the router with the highest IP address on its HSRP interface is elected as the active router.
Note: By default, HSRP election is non-preemptive. The router that is powered on first will become active even if it has a lower priority.
- HSRP State: A router interface participating in HSRP must go through the states below before taking its role:
I. Initial: This is the starting state and indicates that HSRP is not running. This state is entered via a configuration change or when an interface first comes up.
II. Learn: The router has not determined the virtual IP address and has not yet seen an authenticated Hello message from the active router. In this state the router is still waiting to hear from the active router.
III. Listen: The router knows the virtual IP address, but is neither the active router nor the standby router. It listens for Hello messages from those routers.
IV. Speak: The router sends periodic Hello messages and is actively participating in the election of the active and/or standby router.
V. Standby: The router is a candidate to become the next active router and sends periodic Hello messages.
VI. Active: The router is currently forwarding packets that are sent to the group's virtual MAC address. The router sends periodic Hello messages.
Below is a customised capture taken during HSRP negotiation.
- HSRP Preempt
As we know, by default the HSRP election process is non-preemptive. The router that is powered on first will become active even if it has a lower priority.
Let's discuss this using the topology below.
Preempt is a feature that allows a router to forcefully assume the role of active router if it has a higher priority.
** When a higher-priority router preempts a lower-priority router, it sends a Coup message. When the lower-priority active router receives the Coup message, it changes its state to Speak and sends a Resign message.
If a router is added to an HSRP group where an active router already exists and the new router does not have "Preempt" enabled, the new router will not send a Coup message even if it has a higher priority.
Hello messages are sent to indicate that a router runs HSRP and is able to become the active router.
Coup messages are sent when a router wishes to become the active router.
Resign messages are sent when a router no longer wishes to be the active router.
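The states and message types above map directly onto fields of the HSRP version 1 message. The following added example (not part of the original page) decodes the 20-byte message layout defined in RFC 2281 and replays the Coup/Resign preempt exchange; the router addresses, priorities and the `build`/`replay` helpers are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen",
          4: "Speak", 8: "Standby", 16: "Active"}
LAYOUT = "!8B8s4s"  # 8 one-byte fields, 8-byte auth data, 4-byte virtual IP


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode one HSRPv1 message (20-byte RFC 2281 layout, UDP port 1985)."""
    if len(payload) < struct.calcsize(LAYOUT):
        raise ValueError("truncated HSRPv1 message")
    (version, opcode, state, hello, hold, priority, group, _rsvd,
     auth, vip) = struct.unpack(LAYOUT, payload[:20])
    if version != 0 or opcode not in OPCODES or state not in STATES:
        raise ValueError("not a well-formed HSRPv1 message")
    return {"opcode": OPCODES[opcode], "state": STATES[state],
            "hello": hello, "hold": hold, "priority": priority,
            "group": group,
            "auth": auth.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_ip": str(IPv4Address(vip))}


def build(opcode: int, state: int, priority: int) -> bytes:
    """Constructed sample message: group 1, virtual IP 10.0.0.1, timers 3/10."""
    return struct.pack(LAYOUT, 0, opcode, state, 3, 10, priority, 1, 0,
                       b"cisco", IPv4Address("10.0.0.1").packed)


def replay(capture):
    """Return (event log, address of the router last seen in Active state)."""
    log, active = [], None
    for src, payload in capture:
        msg = parse_hsrp_v1(payload)
        if msg["state"] == "Active":
            active = src
        log.append((src, msg["opcode"], msg["state"], msg["priority"]))
    return log, active


# Constructed capture of the preempt exchange described above.
CAPTURE = [
    ("10.0.0.3", build(0, 16, 100)),  # Hello from the current active router
    ("10.0.0.4", build(1, 8, 110)),   # Coup from the higher-priority router
    ("10.0.0.3", build(2, 4, 100)),   # old active drops to Speak and resigns
    ("10.0.0.4", build(0, 16, 110)),  # new active router starts sending Hellos
]
```

The authentication data is an 8-byte field carried in the message itself, which is why the parser can return it as text.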
| HSRP Version 1 | HSRP Version 2 |
|---|---|
| Maximum number of groups supported: 256 (0-255). | Maximum number of groups supported: 4096 (0-4095). We cannot change from version 2 to version 1 if groups are configured above the group number range allowed for version 1 (0 to 255). |
| Hello packet multicast address is 224.0.0.2. This address can conflict with Cisco Group Management Protocol (CGMP) leave processing. | Hello packet multicast address is 224.0.0.102, which removes the problem with version 1. |
| Uses MAC address 0000.0c07.acxx, where xx is the group number in hexadecimal. | Uses a new MAC address range 0000.0C9F.Fxxx, where xxx is the group number in hexadecimal. |
| In HSRP version 1, millisecond timer values are not advertised or learned. | HSRP version 2 advertises and learns millisecond timer values. This change ensures stability of the HSRP groups in all cases. |
HSRP version 2 provides improved management and troubleshooting. With HSRP version 1, you cannot use HSRP active hello messages to identify which physical device sent the message because the source MAC address is the HSRP virtual MAC address. The HSRP version 2 packet format includes a 6-byte identifier field that is used to uniquely identify the sender of the message. Typically, this field is populated with the interface MAC address.
Version 1 is the default version of HSRP.
HSRP version 2 will not interoperate with HSRP version 1. An interface cannot operate both version 1 and version 2 because both versions are mutually exclusive. However, the different versions can be run on different physical interfaces of the same router.
HSRP version 1 does not support IPv6, but HSRP version 2 supports IPv6.
- HSRP Load Balancing:
By default, HSRP does not support load balancing: only one router can be active in an HSRP group, so only the path through the active router is used for traffic forwarding, and the standby path stays unused until the active router goes down. This wastes bandwidth, as only one router forwards traffic. To overcome this, Cisco uses MHSRP, where we create multiple groups, let's say two: one router is active for one group (let's say group X) and another router is active for the other group (let's say group Y). We then configure half of the hosts' default gateways with the HSRP group X virtual IP address, and the other half with the HSRP group Y virtual IP address. In this way both available paths are used for traffic forwarding.
Let's have a look using the topology below:
```
! eva-wr01: active for group 1 (priority 110), default priority for group 2
eva-wr01(config)# int eth0/0
eva-wr01(config-if)# ip address 10.0.0.3 255.255.255.0
eva-wr01(config-if)# standby 1 ip 10.0.0.1
eva-wr01(config-if)# standby 1 priority 110
eva-wr01(config-if)# standby 1 preempt
eva-wr01(config-if)# standby 2 ip 10.0.0.2
eva-wr01(config-if)# standby 2 preempt
! eva-wr02: active for group 2 (priority 110), default priority for group 1
eva-wr02(config)# int eth0/0
eva-wr02(config-if)# ip address 10.0.0.4 255.255.255.0
eva-wr02(config-if)# standby 1 ip 10.0.0.1
eva-wr02(config-if)# standby 1 preempt
eva-wr02(config-if)# standby 2 ip 10.0.0.2
eva-wr02(config-if)# standby 2 priority 110
eva-wr02(config-if)# standby 2 preempt
```
As per the configuration, eva-wr01 will be the active router for group 1 and eva-wr02 will be the active router for group 2. Clients/hosts whose default gateway is 10.0.0.2 will go through eva-wr02, and those whose default gateway is 10.0.0.1 will go through eva-wr01.
Let's say eva-wr01 is the active router and eva-wr02 is the standby.
- Both eva-wr01 and eva-wr02 exchange periodic hello packets to update their status.
- If the WAN link goes down on eva-wr01, hello packets can still be exchanged with eva-wr02 via interface eth0/0.
- eva-wr02 is unaware that eva-wr01 has a failure and can no longer forward traffic to other networks. eva-wr02 will remain as the active router and traffic will be black-holed.
- To avoid a scenario like this, we can use HSRP tracking of an interface or IP. If a tracked interface fails, the router's priority is decreased by a specified value; by default, this is 10.
```
eva-wr02(config-if)# standby 1 track gi1/0 60
```
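Tracking only moves traffic when two conditions hold together: the decrement must push the active router's priority below the standby's, and the standby must have preempt enabled. The following added example (not from the original page) models the election, preempt and tracking rules described above. It assumes eva-wr01 is active with priority 110 and tracks its WAN link, and that eva-wr02 is standby with the default priority; the `Router` class and helper functions are hypothetical names.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100        # HSRP default priority
    preempt: bool = False      # HSRP default: non-preemptive
    decrement: int = 10        # default tracking decrement
    tracked_up: bool = True    # state of the tracked WAN interface

    def rank(self):
        """Effective priority, then interface IP as the tie-breaker."""
        prio = self.priority - (0 if self.tracked_up else self.decrement)
        return (max(prio, 0), int(IPv4Address(self.ip)))


def next_active(routers, active):
    """Name of the active router after the group re-evaluates."""
    incumbent = next(r for r in routers if r.name == active)
    # Only routers with preempt enabled send a Coup, and only if they outrank
    # the incumbent; otherwise the incumbent keeps the role.
    challengers = [r for r in routers
                   if r.preempt and r.rank() > incumbent.rank()]
    return max(challengers, key=Router.rank).name if challengers else active


def wan_failure(decrement, standby_preempt):
    """eva-wr01 (active, priority 110) loses its tracked WAN link."""
    wr01 = Router("eva-wr01", "10.0.0.3", 110, True, decrement)
    wr02 = Router("eva-wr02", "10.0.0.4", 100, standby_preempt)
    wr01.tracked_up = False
    return next_active([wr01, wr02], active="eva-wr01")


if __name__ == "__main__":
    print(wan_failure(60, True))    # decrement 60, standby preempts
    print(wan_failure(60, False))   # standby lacks preempt
    print(wan_failure(5, True))     # decrement too small to change the ranking
```

In the second and third cases eva-wr01 stays active with a dead WAN link, which is the black-hole scenario the tracking feature is meant to prevent.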
- HSRP uses UDP port 1985. Let's look at a packet capture:
- VRRP is an open standard protocol that works in the same way as the Cisco proprietary HSRP. VRRP provides default gateway redundancy for an IP network by sharing a virtual IP address and MAC address between two or more routers participating in a VRRP group. A VRRP group is identified by its group ID.
- The virtual MAC address by default is 0000.5e00.01xx, where xx is the hexadecimal VRRP group number.
- By default preemption is enabled in VRRP.
- A VRRP group has one master router and one or more backup routers.
- One router is elected as the master router, and the master router is responsible for forwarding traffic destined to the virtual IP address.
- One or more routers can be elected as backup routers; a backup router becomes master when the master router fails.
** In VRRP we can use a physical interface IP address as the VRRP virtual IP, if needed to save IP address space. When we do this, the router that owns the real IP address will be the master and is known as the IP address owner; its priority will be 255.
The master and backup routers are elected based on highest priority; if priorities tie, the router with the highest IP address on its VRRP interface is elected as the master router. Priority can be configured between 0 and 254.
If the master router fails, the router configured with the highest priority will become the master router.
- VRRP state
There are 3 states defined for a VRRP protocol:
- Initialize state: in this state the device determines its state according to advertisement packets received from other routers.
- Master state: in this state the router functions as the forwarding router for the virtual IP address.
- Backup state: The purpose of the Backup state is to monitor the availability and state of the Master Router.
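The virtual MAC formats given for HSRP version 1, HSRP version 2 and VRRP make it possible to recognise a redundancy group from the MAC address alone, for example when reviewing an ARP table. The following added example (not from the original page) builds a virtual MAC from a group number and also works in the reverse direction; the ARP entries are constructed, and the VRRP group range of 1-255 comes from the VRRP RFCs rather than from this page.

```python
import re

# protocol: (hex prefix, group hex digits, lowest group, highest group)
FORMATS = {
    "HSRPv1": ("00000c07ac", 2, 0, 255),
    "HSRPv2": ("00000c9ff", 3, 0, 4095),
    "VRRP": ("00005e0001", 2, 1, 255),  # VRID range from the VRRP RFCs
}


def virtual_mac(protocol: str, group: int) -> str:
    """Virtual MAC in Cisco dotted notation for a protocol and group number."""
    prefix, digits, low, high = FORMATS[protocol]
    if not low <= group <= high:
        raise ValueError(f"{protocol} group must be {low}-{high}, got {group}")
    raw = prefix + format(group, f"0{digits}x")
    return ".".join(raw[i:i + 4] for i in (0, 4, 8))


def classify(mac: str):
    """Return (protocol, group) for an FHRP virtual MAC, or None otherwise."""
    raw = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    for protocol, (prefix, _digits, low, _high) in FORMATS.items():
        if raw.startswith(prefix):
            group = int(raw[len(prefix):], 16)
            return (protocol, group) if group >= low else None
    return None


def gateways(arp_table):
    """Map each IP whose MAC is an FHRP virtual MAC to (protocol, group)."""
    found = {}
    for ip, mac in arp_table:
        hit = classify(mac)
        if hit:
            found[ip] = hit
    return found


# Constructed ARP entries in mixed notations (not taken from a real device).
ARP_TABLE = [
    ("10.0.0.1", "0000.0c07.ac01"),     # HSRPv1 group 1
    ("10.0.0.3", "aabb.cc00.0100"),     # ordinary interface MAC
    ("10.0.1.1", "00:00:0C:9F:F1:2C"),  # HSRPv2 group 0x12c = 300
    ("10.0.2.1", "00-00-5e-00-01-0a"),  # VRRP group 10
]
```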
ICMP Redirect: ICMP redirect messages are used by a router to notify hosts on the data link that a better route is available for a particular destination.
ICMP redirects are automatically disabled when we enable HSRP.
ICMP redirect messages are sent when:
1. The interface on which the packet comes into the router is the same interface on which the packet gets routed out.
2. The source IP address is on the same network as the next-hop IP address of the routed packet.