IP Addresses and Services Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 7.4.x
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Hot Standby Router
Protocol (HSRP) is an IP routing redundancy protocol designed to allow for
transparent failover at the first-hop IP router. HSRP provides high network
availability, because it routes IP traffic from hosts on networks without
relying on the availability of any single router. HSRP is used in a group of
routers for selecting an active router and a standby router. (An active router
is the router of choice for routing packets; a standby router is a router that
takes over the routing duties when an active router fails, or when preset
conditions are met.)
Feature History
for Implementing HSRP
Release
3.7.2
This
feature was introduced.
Release
3.9.0
Support
was added for the following features:
BFD
for HSRP.
Hot
restartability for HSRP.
Release 4.2.0
Multiple
Group Optimization (MGO) for HSRP feature was added.
Release 4.2.1
Enhanced
object tracking for HSRP and IP Static feature was added.
Note
GLBP is not supported on ASR9k.
Prerequisites for Implementing HSRP
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include
the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact
your AAA administrator for assistance.
Restrictions for Implementing HSRP
HSRP is supported on Ethernet interfaces, Ethernet sub-interfaces, Ethernet link bundles, and Bridge Virtual Interfaces (BVIs).
Information About Implementing HSRP
To implement HSRP on Cisco IOS XR software software, you need to understand the following concepts:
HSRP Overview
HSRP is useful for hosts that do not support a router discovery protocol (such as Internet Control Message Protocol [ICMP]
Router Discovery Protocol [IRDP]) and cannot switch to a new router when their selected router reloads or loses power. Because
existing TCP sessions can survive the failover, this protocol also provides a more transparent recovery for hosts that dynamically
choose a next hop for routing IP traffic.
When HSRP is configured on a network segment, it provides a virtual MAC address and an IP address that is shared among a group
of routers running HSRP. The address of this HSRP group is referred to as the virtual IP address. One of these devices is selected by the protocol to be the active router. The active router receives and routes packets destined for the MAC address of the group. For n routers running HSRP, n + 1 IP and MAC addresses are assigned.
HSRP detects when the designated active router fails, at which point a selected standby router assumes control of the MAC
and IP addresses of the HSRP group. A new standby router is also selected at that time.
Devices that are running HSRP send and receive multicast User Datagram Protocol (UDP) based hello packets to detect router
failure and to designate active and standby routers.
HSRP Groups
An HSRP group consists
of two or more routers running HSRP that are configured to provide hot standby
services for one another. HSRP uses a priority scheme to determine which
HSRP-configured router is to be the default active router. To configure a
router as the active router, you assign it a priority that is higher than the
priority of all the other HSRP-configured routers. The default priority is 100,
so if you configure just one router to have a higher priority, that router will
be the default active router.
HSRP works by the
exchange of multicast messages that advertise priority among the HSRP group.
When the active router fails to send a hello message within a configurable
period of time, the standby router with the highest priority becomes the active
router. The transition of packet-forwarding functions between routers is
completely transparent to all hosts on the network.
In
Routers Configured as Members of Multiple HSRP Groups,
the Ethernet interface 0 of Router A belongs to group 1. Ethernet interface 0
of Router B belongs to groups 1, 2, and 3. The Ethernet interface 0 of Router C
belongs to group 2, and the Ethernet interface 0 of Router D belongs to group
3. When you establish groups, you might want to align them along departmental
organizations. In this case, group 1 might support the Engineering Department,
group 2 might support the Manufacturing Department, and group 3 might support
the Finance Department.
Router B is configured
as the active router for groups 1 and 2 and as the standby router for group 3.
Router D is configured as the active router for group 3. If Router D fails for
any reason, Router B assumes the packet-transfer functions of Router D and
maintains the ability of users in the Finance Department to access data on
other subnets.
Note
A different virtual
MAC address (VMAC) is required for each sub interface. VMAC is determined from
the group ID. Therefore, a unique group ID is required for each sub interface
configured, unless the VMAC is configured explicitly.
Note
We recommend that
you disable Spanning Tree Protocol (STP) on switch ports to which the virtual
routers are connected. Enable RSTP or rapid-PVST on the switch interfaces if
the switch supports these protocols.
HSRP and ARP
When a router in an HSRP group goes active, it sends a number of ARP responses containing its virtual IP address and the virtual
MAC address. These ARP responses help switches and learning bridges update their port-to-MAC maps. These ARP responses also
provide routers configured to use the burned-in address of the interface as its virtual MAC address (instead of the preassigned
MAC address or the functional address) with a means to update the ARP entries for the virtual IP address. Unlike the gratuitous
ARP responses sent to identify the interface IP address when an interface comes up, the HSRP router ARP response packet carries
the virtual MAC address in the packet header. The ARP data fields for IP address and media address contain the virtual IP
and virtual MAC addresses.
Preemption
The HSRP preemption feature enables the router with highest priority to immediately become the active router. Priority is
determined first by the priority value that you configure, and then by the IP address. In each case, a higher value is of
greater priority.
When a higher-priority router preempts a lower-priority router, it sends a coup message. When a lower-priority active router
receives a coup message or hello message from a higher-priority active router, it changes to the speak state and sends a resign
message.
ICMP Redirect Messages
Internet Control Message Protocol (ICMP) is a network layer Internet protocol that provides message packets to report errors
and other information relevant to IP processing. ICMP provides many diagnostic functions and can send and redirect error packets
to the host. When running HSRP, it is important to prevent hosts from discovering the interface (or real) MAC addresses of
routers in the HSRP group. If a host is redirected by ICMP to the real MAC address of a router, and that router later fails,
then packets from the host are lost.
ICMP redirect messages are automatically enabled on interfaces configured with HSRP. This functionality works by filtering
outgoing ICMP redirect messages through HSRP, where the next-hop IP address may be changed to an HSRP virtual IP address.
To support ICMP redirects, redirect messages are filtered through HSRP, where the next-hop IP address is changed to an HSRP
virtual address. When HSRP redirects are turned on, ICMP interfaces with HSRP do this filtering. HSRP keeps track of all HSRP
routers by sending advertisements and maintaining a real IP address to virtual IP address mapping to perform the redirect
filtering.
How to Implement HSRP
This section contains instructions for the following tasks:
Enabling
HSRP
The
hsrp ipv4
command activates HSRP on the configured interface. If an IP address is
specified, that address is used as the designated address for the Hot Standby
group. If no IP address is specified, the virtual address is learned from the
active router. For HSRP to elect a designated router, at least one router in
the Hot Standby group must have been configured with, or learned, the
designated address. Configuring the designated address on the active router
always overrides a designated address that is currently in use.
If an IP
address is specified, that address is used as the designated address for the
Hot Standby group. If no IP address is specified, the virtual address is
learned from the active router.
Note
If you
configure HSRP for IPv6, you must configure a link local IPv6 address or enable
it using the
autoconfig
keyword. If you do not configure a linklocal IPv6 address, the router does not
accept the configuration when you commit your changes using the
commit
keyword.
Activates HSRP
on the configured interface and assigns a linklocal IPv6 address.
The virtual
linklocal address must not match any other virtual linklocal address that is
already configured for a different group.
The virtual
linklocal address must not match the interface linklocal IPv6 address.
If you use
the
autoconfig
keyword, the linklocal address is calculated using the EUI-64 format.
Use the
legacy-compatible keyword to be compatible with
Cisco IOS and other legacy Cisco devices.
Step 7
address
globalipv6-address
Example:
RP/0/RSP0/CPU0:router(config-hsrp-gp)# address global 2001:DB8:A:B::1
Activates HSRP
on the configured interface and assigns a global IPv6 address.
Note
If you
configure HSRP for IPv6, you must configure a link local IPv6 address or enable
it using the
autoconfig
keyword. If you do not configure a linklocal IPv6 address, the router does not
accept the configuration when you commit your changes using the
commit
keyword.
Step 8
commit
Configuring HSRP
Group Attributes
To configure other
Hot Standby group attributes that affect how the local router participates in
HSRP, use the following procedure in interface configuration mode as needed:
(Optional)
Configures the HSRP to use the burned-in address of the interface as its
virtual MAC address, instead of the preassigned MAC address or the functional
address.
Enter the
use-bia command on an interface when there are devices that
reject Address Resolution Protocol (ARP) replies with source hardware addresses
set to a functional address.
To restore
the default virtual MAC address, use the no hsrp use-bia
command.
The
assigned priority is used to help select the active and standby routers.
Assuming that preemption is enabled, the router with the highest priority
becomes the designated active router. In case of ties, the primary IP addresses
are compared, and the higher IP address has priority.
The
priority of the device can change dynamically if an interface is configured
with the
track command and another interface on the device goes down.
If
preemption is not enabled using the
preempt
command, the router may not become active even though it might have a higher
priority than other HSRP routers.
To restore
the default HSRP priority values, use the
no priority
command.
(Optional)
Configures an interface so that the Hot Standby priority changes on the basis
of the availability of other interfaces.
When a
tracked interface goes down, the Hot Standby priority decreases by 10. If an
interface is not tracked, its state changes do not affect the Hot Standby
priority. For each interface configured for Hot Standby, you can configure a
separate list of interfaces to be tracked.
The
optional
priority-decrement argument specifies by how much to
decrement the Hot Standby priority when a tracked interface goes down. When the
tracked interface comes back up, the priority is incrementally increased by the
same amount.
When
multiple tracked interfaces are down and the
priority-decrement argument has been configured, these
configured priority decrements are cumulative. If tracked interfaces are down,
but none of them were configured with priority decrements, the default
decrement is 10 and it is cumulative.
The
preempt command must be used in conjunction with this command on all
routers in the group whenever the best available router should be used to
forward packets. If the
preempt command is not used, the active router stays active,
regardless of the current priorities of the other HSRP routers.
To remove
the tracking, use the
no
preempt command.
Step 9
preempt [delayseconds]
Example:
RP/0/RSP0/CPU0:router(config-hsrp-gp)# preempt
(Optional)
Configures HSRP preemption and preemption delay.
When you
configure preemption and preemption delay with the
preempt command, the local router attempts to assume control
as the active router when the local router has a Hot Standby priority higher
than the current active router. If the
preempt command is not configured, the local router assumes
control as the active router only if it receives information indicating that no
router is currently in the active state (acting as the designated router).
When a
router first comes up, it does not have a complete routing table. If it is
configured to preempt, it becomes the active router, yet it is unable to
provide adequate routing services. This problem can be solved by configuring a
delay before the preempting router actually preempts the currently active
router.
The
preempt
delay
seconds value does not apply if there is no router currently in the active
state. In this case, the local router becomes active after the appropriate
timeouts (see the
timers command), regardless of the preempt delay seconds
value.
To restore
the default HSRP preemption and preemption delay values, use the
no
preempt command.
(Optional)
Configures an authentication string for the Hot Standby Router Protocol (HSRP).
The
authentication string is sent unencrypted in all HSRP messages. The same
authentication string must be configured on all routers and access servers on a
LAN to ensure interoperation.
Authentication mismatch prevents a device from learning the
designated Hot Standby IP address and the Hot Standby timer values from other
routers configured with HSRP.
Authentication mismatch does not prevent protocol events such as
one router taking over as the designated router.
To delete
an authentication string, use the
no
authentication
command.
(Optional)
Specifies a virtual MAC address for the HSRP.
We do not
recommend this command, except for IBM networking environments in which
first-hop redundancy is based on being able to use a virtual MAC address, and
in which you cannot change the first-hop addresses in the PCs that are
connected to an Ethernet switch.
HSRP is
used to help end stations locate the first-hop gateway for IP routing. The end
stations are configured with a default gateway. However, HSRP can provide
first-hop redundancy for other protocols. Some protocols, such as Advanced
Peer-to-Peer Networking (APPN), use the MAC address to identify the first-hop
for routing purposes. In this case, it is often necessary to specify the
virtual MAC address; the virtual IP address is unimportant for these protocols.
Use the mac-address
command to specify the virtual MAC address.
The MAC
address specified is used as the virtual MAC address when the router is active.
The
mac-address
command is intended for certain APPN configurations.
In an APPN
network, an end node is typically configured with the MAC address of the
adjacent network node. Use the
mac-address command in the routers to set the virtual MAC
address to the value used in the end nodes.
Enter the
no
mac-address command to revert to the standard virtual MAC address
(0000.0C07.ACn).
Step 12
commit
Configuring the HSRP
Activation Delay
The activation delay
for HSRP is designed to delay the startup of the state machine when an
interface comes up. This give the network time to settle and avoids unnecessary
state changes early after the link comes up.
Delays the
startup of the state machine when an interface comes up, so that the network
has time to settle and there are no unnecessary state changes early after the
link comes up. The reload delay is the delay applied after the first interface
up event. The minimum delay is the delay that is applied after any subsequent
interface up event (if the interface flaps).
If an IP
address is specified, that address is used as the designated address for the
Hot Standby group. If no IP address is specified, the virtual address is
learned from the active router.
Note
If you
configure HSRP for IPv6, you must configure a link local IPv6 address or enable
it using the
autoconfig
keyword. If you do not configure a linklocal IPv6 address, the router does not
accept the configuration when you commit your changes using the
commit
keyword.
Step 8
commit
Enabling HSRP Support
for ICMP Redirect Messages
By default, HSRP
filtering of ICMP redirect messages is enabled on routers running HSRP.
To configure the
reenabling of this feature on your router if it is disabled, use the
hsrp redirects
command in interface configuration mode.
Configures
Internet Control Message Protocol (ICMP) redirect messages to be sent when the
Hot Standby Router Protocol (HSRP) is configured on an interface.
The
hsrp
redirects command can be configured on a per-interface basis. When HSRP is
first configured on an interface, the setting for that interface inherits the
global value. If ICMP redirects have been explicitly disabled on an interface,
then the global command cannot reenable the functionality.
With the hsrp redirects command
enabled, ICMP redirect messages are filtered by replacing the real IP address
in the next-hop address of the redirect packet with a virtual IP address, if it
is known to HSRP.
To revert
to the default, which is that ICMP messages are enabled, use the
no hsrp
redirects command.
If an IP
address is specified, that address is used as the designated address for the
Hot Standby group. If no IP address is specified, the virtual address is
learned from the active router.
Note
If you
configure HSRP for IPv6, you must configure a link local IPv6 address or enable
it using the
autoconfig
keyword. If you do not configure a linklocal IPv6 address, the router does not
accept the configuration when you commit your changes using the
commit
keyword.
Step 8
commit
Multiple Group Optimization (MGO) for HSRP
Multiple Group Optimization provides a solution for reducing control traffic in a deployment consisting of many subinterfaces. By running the HSRP control
traffic for just one of the sessions, the control traffic is reduced for the subinterfaces with identical redundancy requirements.
All other sessions are subordinates of this primary session, and inherit their states from it.
Customizing
HSRP
Customizing the
behavior of HSRP is optional. Be aware that as soon as you enable a HSRP group,
that group is in operation.
SUMMARY STEPS
configure
router
hsrp
interfacetype
interface-path-id
address-family ipv4
hsrp
group-no
version
version-no
name
name
address
{
learn
|
address}
address
addresssecondary
authentication
string
bfd
fast-detect
mac-address
address
hsrp
group-no
slave
follow
mgo-session-name
address
ip-address
commit
DETAILED STEPS
Command or Action
Purpose
Step 1
configure
Step 2
router
hsrp
Example:
Router(config)# router hsrp
Enables HSRP
configuration mode.
Step 3
interfacetype
interface-path-id
Example:
Router(config-hsrp)# interface TenGigE 0/2/0/1
Enables HSRP
interface configuration mode on a specific interface.
Step 4
address-family ipv4
Example:
Router(config-hsrp-if)# address-family ipv4
Enables HSRP
address-family configuration mode on a specific interface.
Step 5
hsrp
group-no
version
version-no
Example:
Router(config-hsrp-ipv4)# hsrp 1 version 2
Enables HSRP
group configuration mode on a specific interface.
Note
The
version
keyword is available only if IPv4 address-family
is selected. By default, version is set to 2 for IPv6 address families.
Step 6
name
name
Example:
Router(config-hsrp-gp)# name s1
Configures an
HSRP session name.
Step 7
address
{
learn
|
address}
Example:
Router(config-hsrp-gp)# address learn
Enables hot
standby protocol for IP.
If an IP
address is specified, that address is used as the designated address for the
Hot Standby group. If no IP address is specified, the virtual address is
learned from the active router.
To configure the
secondary virtual IPv4 address for a router, use the
address secondary
command in the Hot Standby Router Protocol (HSRP)
virtual router submode.
Configures the
secondary virtual IPv4 address for a router.
Step 7
commit
Configuring the Subordinate Group to Inherit its State from a Specified Group
To instruct the subordinate group to inherit its state from a specified group, use the following steps:
SUMMARY STEPS
configure
router
hsrp
interfacetype
interface-path-id
address-family ipv4
hsrp
group-no
slave
followmgo-session-name
commit
DETAILED STEPS
Command or Action
Purpose
Step 1
configure
Step 2
router
hsrp
Example:
Router(config)# router hsrp
Enables HSRP
configuration mode.
Step 3
interfacetype
interface-path-id
Example:
Router(config-hsrp)# interface TenGigE 0/2/0/1
Enables HSRP
interface configuration mode on a specific interface.
Step 4
address-family ipv4
Example:
Router(config-hsrp-if)# address-family ipv4
Enables HSRP
address-family configuration mode on a specific interface.
Step 5
hsrp
group-no
slave
Example:
Router(config-hsrp-ipv4)# hsrp 2 slave
Enables HSRP
slave configuration mode on a specific interface.
Step 6
followmgo-session-name
Example:
Router(config-hsrp-slave)# follow m1
Instructs the subordinate group to inherit its state from a specified group.
Step 7
commit
Configuring a Subordinate Primary Virtual IPv4 Address
To configure the primary virtual IPv4 address for the subordinate group, use the subordinate primary virtual IPv4 address command in the HSRP slave submode.
SUMMARY STEPS
configure
router
hsrp
interfacetype
interface-path-id
address-family ipv4
hsrp
group-no
slave
addressip-address
commit
DETAILED STEPS
Command or Action
Purpose
Step 1
configure
Step 2
router
hsrp
Example:
Router(config)# router hsrp
Enables HSRP
configuration mode.
Step 3
interfacetype
interface-path-id
Example:
Router(config-hsrp)# interface TenGigE 0/2/0/1
Enables HSRP
interface configuration mode on a specific interface.
Step 4
address-family ipv4
Example:
Router(config-hsrp-if)# address-family ipv4
Enables HSRP
address-family configuration mode on a specific interface.
Step 5
hsrp
group-no
slave
Example:
Router(config-hsrp-ipv4)# hsrp 2 slave
Enables HSRP
slave configuration mode on a specific interface.
Step 6
addressip-address
Example:
Router(config-hsrp-slave)# address 10.2.3.2
Configures the primary virtual IPv4 address for the subordinate group.
Step 7
commit
Configuring a Secondary Virtual IPv4 address for the Subordinate Group
Perform this task to configure the secondary virtual IPv4 address for the subordinate group.
SUMMARY STEPS
configure
router vrrp
interfacetype
interface-path-id
address-family ipv4
vrrp group-no slave
addressaddresssecondary
commit
DETAILED STEPS
Command or Action
Purpose
Step 1
configure
Step 2
router vrrp
Example:
Router(config)# router vrrp
Enables VRRP configuration mode.
Step 3
interfacetype
interface-path-id
Example:
Router(config-vrrp)# interface TenGigE 0/2/0/1
Enables VRRP interface configuration mode on a specific interface.
Step 4
address-family ipv4
Example:
Router(config-vrrp-if)# address-family ipv4
Enables VRRP address-family configuration mode on a specific interface.
Step 5
vrrp group-no slave
Example:
Router(config-vrrp-address-family)# vrrp 2 slave
Enables VRRP slave configuration mode on a specific interface.
Enables HSRP
address-family configuration mode on a specific interface.
Step 5
hsrp
group-noversion
version-no
Example:
RP/0/RSP0/CPU0:router(config-hsrp-ipv4)# hsrp 1 version 2
Enables HSRP
group configuration mode on a specific interface.
Note
The
version
keyword is available only if IPv4
address-family is selected. By default, version is set to 2 for IPv6 address
families.
HSRP
version 2 provides an extended group range of 0-4095.
Step 6
namename
Example:
RP/0/RSP0/CPU0:router(config-hsrp-ipv4)# name s1
Configures an
HSRP session name.
Step 7
commit
BFD for HSRP
Bidirectional Forwarding Detection (BFD) is a network protocol used to detect faults between two forwarding engines. BFD sessions
can operate in one of the two modes, namely, asynchronous mode or demand mode. In asynchronous mode, both endpoints periodically
send hello packets to each other. If a number of those packets are not received, the session is considered down. In demand
mode, it is not mandatory to exchange hello packets; either of the hosts can send hello messages, if needed. Cisco supports
the BFD asynchronous mode.
Advantages of BFD
BFD provides failure detection in less than one second.
BFD supports all types of encapsulation.
BFD is not tied to any particular routing protocol, supports almost all routing protocols.
BFD Process
HSRP uses BFD to detect link failure and facilitate fast failover times without excessive control packet overhead.
The HSRP process creates BFD sessions as required. When a BFD session goes down, each Standby group monitoring the session
transitions to Active state.
HSRP does not participate in any state elections for 10 seconds after a transition to Active state triggered by a BFD session
going down.
Configuring BFD
For HSRP, configuration is applied under the existing HSRP-interface sub-mode, with BFD fast failure configurable per HSRP
group and the timers (minimum-interface and multiplier) configurable per interface. BFD fast failure detection is disabled
by default.
Enabling BFD
SUMMARY STEPS
configure
router
hsrp
interfacetype
interface-path-id
address-family ipv4
hsrp
[group number]
version
version-no
bfd
fast-detect
[peeripv4ipv4-addressinterface-typeinterface-path-id]
Enables HSRP
address-family configuration mode on a specific interface.
Step 6
commit
Modifying BFD timers
(multiplier)
Multiplier is the
number of consecutive BFD packets which must be missed from a BFD peer before
declaring that peer unavailable. The default multiplier is 3.
Enables HSRP
address-family configuration mode on a specific interface.
Step 6
commit
Enhanced Object
Tracking for HSRP and IP Static
A failure between the
active router and the core network cannot be detected using standard HSRP
failure detection mechanisms. Object tracking is used to detect such failures.
When such a failure occurs, the active router applies a priority decrement to
its HSRP session. If this causes its priority to fall below that of the standby
router, it will detect this from the HSRP control traffic, and then use this as
a trigger to preempt and take over the active role.
Cisco IOS XR software supports
up to 512 tracked objects.
The enhanced object
tracking for HSRP and IP Static feature provides first-hop redundancy as well
as default gateway selection based on IP Service Level Agreement (IPSLA).
See the
Routing Configuration Guide for Cisco ASR 9000 Series Routers, for more information about enhanced
object tracking for static routes.
Configuring object
tracking for HSRP
To enable tracking
of the named object with the specified decrement, use the following
configuration in the HSRP group sub mode.
Enable tracking
of the named object with the specified decrement.
Step 7
commit
Hot Restartability for HSRP
In the event of failure of a HSRP process in one active group, forced failovers in peer HSRP active router groups should be
prevented. Hot restartability supports warm RP failover without incurring forced failovers to peer HSRP routers for active
groups.
Configuration Examples for HSRP Implementation on Software
This section provides the following HSRP configuration examples:
Configuring an HSRP
Group: Example
The following is an
example of enabling HSRP on an interface and configuring HSRP group attributes:
The Cisco
Support website provides extensive online resources, including documentation
and tools for troubleshooting and resolving technical issues with Cisco
products and technologies.
To receive
security and technical information about your products, you can subscribe to
various services, such as the Product Alert Tool (accessed from Field Notices),
the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS)
Feeds.
Access to
most tools on the Cisco Support website requires a Cisco.com user ID and
password.