Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide 8.x
Your software release might not support all the features documented in this module. For the latest caveats and feature information,
see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to
see a list of the releases in which each feature is supported, see the "New and Changed Information" chapter or the Feature
History table in this chapter.
Information About HSRP
HSRP is a first-hop redundancy protocol (FHRP) that allows a transparent failover of the first-hop IP router. HSRP provides
first-hop routing redundancy for IP hosts on Ethernet networks configured with a default router IP address. You use HSRP in
a group of routers for selecting an active router and a standby router. In a group of routers, the active router is the router
that routes packets; the standby router is the router that takes over when the active router fails or when preset conditions
are met.
Many host implementations do not support any dynamic router discovery mechanisms but can be configured with a default router.
Running a dynamic router discovery mechanism on every host is not practical for many reasons, including administrative overhead,
processing overhead, and security issues. HSRP provides failover services to these hosts.
When you use HSRP, you configure the HSRP virtual IP address as the host default router (instead of the IP address of the
actual router). The virtual IP address is an IPv4 or IPv6 address that is shared among a group of routers that run HSRP.
When you configure HSRP on a network segment, you provide a virtual MAC address and a virtual IP address for the HSRP group.
You configure the same virtual address on each HSRP-enabled interface in the group. You also configure a unique IP address
and MAC address on each interface that acts as the real address. HSRP selects one of these interfaces to be the active router.
The active router receives and routes packets destined for the virtual MAC address of the group.
HSRP detects when the designated active router fails. At that point, a selected standby router assumes control of the virtual
MAC and IP addresses of the HSRP group. HSRP also selects a new standby router at that time.
HSRP uses a priority designator to determine which HSRP-configured interface becomes the default active router. To configure
an interface as the active router, you assign it with a priority that is higher than the priority of all the other HSRP-configured
interfaces in the group. The default priority is 100, so if you configure just one interface with a higher priority, that
interface becomes the default active router.
Interfaces that run HSRP send and receive multicast User Datagram Protocol (UDP)-based hello messages to detect a failure
and to designate active and standby routers. When the active router fails to send a hello message within a configurable period
of time, the standby router with the highest priority becomes the active router. The transition of packet forwarding functions
between the active and standby router is completely transparent to all hosts on the network.
You can configure multiple HSRP groups on an interface.
A network configured for HSRP. By sharing a virtual MAC address and a virtual IP address, two or more interfaces can act as
a single virtual router.
The virtual router does not physically exist but represents the common default router for interfaces that are configured to
provide backup to each other. You do not need to configure the hosts on the LAN with the IP address of the active router.
Instead, you configure them with the IP address of the virtual router (virtual IP address) as their default router. If the
active router fails to send a hello message within the configurable period of time, the standby router takes over, responds
to the virtual addresses, and becomes the active router, assuming the active router duties. From the host perspective, the
virtual router remains the same.
Packets received on a routed port destined for the HSRP virtual IP address terminate on the local router, regardless of whether
that router is the active HSRP router or the standby HSRP router. This includes ping and Telnet traffic. Packets received
on a Layer 2 (VLAN) interface destined for the HSRP virtual IP address terminate on the active router.
HSRP for IPv4
HSRP routers communicate with each other by exchanging HSRP hello packets. These packets are
sent to the destination IP multicast address 224.0.0.2 (reserved multicast
address used to communicate to all routers) on UDP port 1985. The active router
sources hello packets from its configured IP address and the HSRP virtual MAC
address while the standby router sources hellos from its configured IP address
and the interface MAC address, which might be the burned-in address (BIA). The
BIA is the last six bytes of the MAC address that is assigned by the
manufacturer of the network interface card (NIC).
Because hosts are
configured with their default router as the HSRP virtual IP address, hosts must
communicate with the MAC address associated with the HSRP virtual IP address.
This MAC address is a virtual MAC address, 0000.0C07.ACxy, where xy is the HSRP
group number in hexadecimal based on the respective interface. For example,
HSRP group 1 uses the HSRP virtual MAC address of 0000.0C07.AC01. Hosts on the
adjoining LAN segment use the normal Address Resolution Protocol (ARP) process
to resolve the associated MAC addresses.
HSRP version 2 uses
the new IP multicast address 224.0.0.102 to send hello packets instead of the
multicast address of 224.0.0.2, which is used by version 1. HSRP version 2
permits an expanded group number range of 0 to 4095 and uses a new MAC address
range of 0000.0C9F.F000 to 0000.0C9F.FFFF.
Note
On the HSRP Standby,
HSRP adds the HSRP virtual IP address with a cookie "deadbeef".
HSRP for IPv6
IPv6 hosts learn of available IPv6 routers through IPv6 neighbor discovery (ND) router advertisement (RA) messages. These
messages are multicast periodically, or might be solicited by hosts, but the time delay for detecting when a default route
is down might be 30 seconds or more. HSRP for IPv6 provides a much faster switchover to an alternate default router than the
IPv6 ND protocol provides, less than a second if the milliseconds timers are used. HSRP for IPv6 provides a virtual first
hop for IPv6 hosts.
When you configure an IPv6 interface for HSRP, the periodic RAs for the interface link-local address stop after IPv6 ND sends
a final RA with a router lifetime of zero. No restrictions occur for the interface IPv6 link-local address. Other protocols
continue to receive and send packets to this address.
IPv6 ND sends periodic RAs for the HSRP virtual IPv6 link-local address when the HSRP group is active. These RAs stop after
a final RA is sent with a router lifetime of 0 when the HSRP group leaves the active state. HSRP uses the virtual MAC address
for active HSRP group messages only (hello, coup, and resign).
HSRP for IPv6 uses the following parameters:
HSRP version 2
UDP port 2029
Virtual MAC address range from 0005.73A0.0000 through 0005.73A0.0FFF
Multicast link-local IP destination address of FF02::66
Hop limit set to 255
HSRP for IPv6 Addresses
An HSRP IPv6 group has a virtual MAC address that is derived from the HSRP group number and a virtual IPv6 link-local address
that is derived, by default, from the HSRP virtual MAC address. The default virtual MAC address for an HSRP IPv6 group is
always used to form the virtual IPv6 link-local address, regardless of the actual virtual MAC address used by the group.
The following table shows the MAC and IP addresses used for IPv6 neighbor discovery packets and HSRP packets.
Table 1. HSRP and IPv6 ND Addresses
| Packet | MAC Source Address | IPv6 Source Address | IPv6 Destination Address | Link-layer Address Option |
|---|---|---|---|---|
| Neighbor solicitation (NS) | Interface MAC address | Interface IPv6 address | — | Interface MAC address |
| Router solicitation (RS) | Interface MAC address | Interface IPv6 address | — | Interface MAC address |
| Neighbor advertisement (NA) | Interface MAC address | Interface IPv6 address | Virtual IPv6 address | HSRP virtual MAC address |
| Router advertisement (RA) | Interface MAC address | Interface IPv6 address | — | HSRP virtual MAC address |
| HSRP (inactive) | Interface MAC address | Interface IPv6 address | — | — |
| HSRP (active) | Virtual MAC address | Interface IPv6 address | — | — |
HSRP does not add IPv6 link-local addresses to the Unicast Routing Information Base (URIB). There are also no secondary virtual
IP addresses for link-local addresses.
For global unicast addresses, HSRP adds the virtual IPv6 address to the URIB and IPv6, but does not register the virtual IPv6
addresses to ICMPv6. ICMPv6 redirects are not supported for HSRP IPv6 groups.
Multiple Group Optimization for HSRP
Beginning with Cisco NX-OS Release 6.2(2), HSRP supports multiple group
optimization (MGO). MGO optimizes performance and bandwidth when multiple HSRP
groups are configured on many subinterfaces. MGO requires only one HSRP group,
known as the master group, on the physical interface for the purpose of
electing active and standby routers.
You can create other HSRP groups on
subinterfaces of the physical interface or a different interface, such as an
SVI interface, and link these to the master HSRP group. These groups are known
as slave groups. Slave groups follow their master group state so that they do
not participate in any HSRP election mechanisms. Master groups send hello
messages at their configured rates. Slave groups send hello messages at a
reduced rate, which is called the mac-refresh interval rate. This process is
required so that the slave groups can send out periodic messages in order to
refresh MAC addresses in switches and learning bridges.
HSRP Versions
Cisco NX-OS supports HSRP version 1 by default. You can configure an interface to use HSRP version 2.
HSRP version 2 has the following enhancements to HSRP version 1:
Expands the group number range. HSRP version 1 supports group numbers from 0 to 255. HSRP version 2 supports group numbers
from 0 to 4095.
Uses the IPv4 multicast address 224.0.0.102 or the IPv6 multicast address FF02::66 to send hello packets instead of the multicast address 224.0.0.2, which is used by HSRP version 1.
Uses the MAC address range from 0000.0C9F.F000 to 0000.0C9F.FFFF for IPv4 and 0005.73A0.0000 through 0005.73A0.0FFF for IPv6 addresses. HSRP version 1 uses the MAC address range 0000.0C07.AC00 to 0000.0C07.ACFF.
Adds support for MD5 authentication.
When you change the HSRP version, Cisco NX-OS reinitializes the group because it now has a new virtual MAC address.
HSRP version 2 has a different packet format than HSRP version 1. The packet format uses a type-length-value (TLV) format.
HSRP version 2 packets received by an HSRP version 1 router are ignored.
HSRP Authentication
HSRP message digest 5 (MD5) algorithm authentication protects against HSRP-spoofing software and uses the industry-standard
MD5 algorithm for improved reliability and security. HSRP includes the IPv4 or IPv6 address in the authentication TLVs.
HSRP Messages
Routers that are configured with HSRP exchange the following three types of multicast messages:
Hello—The hello message conveys the HSRP priority and state information of the router to other HSRP routers.
Coup—When a standby router wants to assume the function of the active router, it sends a coup message.
Resign—A router that is the active router sends this message when it is about to shut down or when a router that has a higher
priority sends a hello or coup message.
HSRP Load Sharing
HSRP allows you to configure multiple groups on an interface. You can configure two overlapping IPv4 HSRP groups to load share
traffic from the connected hosts while providing the default router redundancy expected from HSRP. The following figure shows
an example of a load-sharing HSRP IPv4 configuration.
Note
HSRP for IPv6 load-balances by default. If there are two HSRP IPv6 groups on the subnet, then hosts learn of both groups from
their router advertisements and choose to use one so that the load is shared between the advertised routers.
Object Tracking and HSRP
You can use object tracking to modify the priority of an HSRP interface based on the operational state of another interface.
Object tracking allows you to route to a standby router if the interface to the main network fails.
Two objects that you can track are the line protocol state of an interface or the reachability of an IP route. If the specified
object goes down, Cisco NX-OS reduces the HSRP priority by the configured amount.
vPC and HSRP
HSRP interoperates with virtual port channels (vPCs). vPCs allow links that are physically connected to two different Cisco
Nexus devices to appear as a single port channel to a third device. See the Cisco Nexus 7000 Series NX-OS Layer 2 Switching Configuration Guide for more information on vPCs.
vPC forwards traffic through both the active HSRP router and the standby HSRP router.
Note
You should configure HSRP on the primary vPC peer device as active and HSRP on the vPC secondary device as standby.
vPC Peer Gateway and HSRP
Some third-party devices can ignore the HSRP virtual MAC address and instead use the source MAC address of an HSRP router.
In a vPC environment, the packets using this source MAC address may be sent across the vPC peer link, causing a potential
dropped packet. Configure the vPC peer gateway to enable the HSRP routers to directly handle packets sent to the local vPC
peer MAC address and the remote vPC peer MAC address, as well as the HSRP virtual MAC address. See the Cisco Nexus 7000 Series NX-OS Layer 2 Switching Configuration Guide for more information on the vPC peer gateway.
For mixed-chassis configurations where the vPC peer link is configured on an F-series module, configure the vPC peer gateway
exclude option to exclude the Layer 3 backup route that traverses the vPC peer link. See the Cisco Nexus 7000 Series NX-OS Layer 2 Switching Configuration Guide for more information on the vPC peer gateway exclude option.
FabricPath Anycast HSRP
Cisco NX-OS Release 6.2(2) and later releases facilitate further
scalability at the spine layer by providing support for more than two nodes.
You can create an anycast bundle, which is an association between a set of
VLANs and an anycast switch ID. The set of VLANs or the HSRP group elects an
active router and a standby router. The remaining routers in the group are in
listen state.
All of the HSRP routers that have a
configured anycast switch ID advertise the ID through FabricPath IS-IS. The
active HSRP router is the only router that uses the anycast switch ID in its
hello packets. The leaf switches learn that the anycast switch ID is reachable
by all of the routers in the group.
All of the first hop gateways at the spine layer need to function in
active-active forwarding mode. IP packets are received by any of the spine
switches with the destination set as the gateway MAC address, and these packets
are terminated and locally forwarded.
BFD
This feature supports bidirectional forwarding detection (BFD). BFD is a detection protocol that provides fast
forwarding-path failure detection times. BFD provides subsecond failure detection between two adjacent devices and can be less CPU-intensive
than protocol hello messages because some of the BFD load can be distributed onto the data plane on supported modules. See
the Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide for more information.
High Availability and Extended Nonstop Forwarding
HSRP supports stateful restarts and stateful switchovers. A stateful restart occurs when the HSRP process fails and is restarted.
A stateful switchover occurs when the active supervisor switches to the standby supervisor. Cisco NX-OS applies the run-time configuration after the switchover.
If HSRP hold timers are configured for short time periods, these timers might expire during a controlled switchover or in-service
software upgrade (ISSU). The virtual IP address also does not respond to ping during this timer expiry period. HSRP supports extended nonstop forwarding (NSF)
to temporarily extend these HSRP hold timers during a controlled switchover or ISSU.
With extended NSF configured, HSRP sends hello messages with the extended timers. HSRP peers update their hold timers with
these new values. The extended timers prevent unnecessary HSRP state changes during the switchover or ISSU. After the switchover
or ISSU event, HSRP restores the hold timers to their original configured values. If the switchover fails, HSRP restores the
hold timers after the extended hold timer values expire.
Virtualization Support
HSRP supports virtual routing and forwarding (VRF) instances. VRFs exist within virtual device contexts (VDCs). By default, Cisco NX-OS places you in the default VDC and default VRF unless you specifically configure another VDC and VRF.
If you change the VRF membership of an interface, Cisco NX-OS removes all Layer 3 configuration, including HSRP.
HSRP VIP
Starting with Cisco NX-OS Release 7.2(0)D1(1), the Hot Standby Router Protocol (HSRP) Virtual IP (VIP) feature provides support
for an HSRP Virtual IP configuration to be in a different subnet than that of the interface subnet. This feature is supported
only for IPv4 addresses and not for IPv6. The following are the enhancements:
Enhance ARP to source with VIP from Supervisor Engine (SUP) for hosts, when the hosts in VIP subnet are referenced by static
route to VLAN configuration.
Support periodic ARP synchronization to vPC peer if the HSRP VIP feature is enabled.
Allow VIP address as the Layer 3 source address and gateway address for all communications with a Dynamic Host Configuration
Protocol (DHCP) server.
Enhance DHCP relay agent to relay DHCP packets with VIP address as source address instead of SVI IP address.
Note
HSRP subnet VIP should be configured in the virtual port channel (vPC) topology. The HSRP VIP feature works only on HSRP with
vPC topologies.
Note
In a subnet VIP configuration, the VIP address must be in a different subnet than the interface IP subnet. Without the subnet
VIP configuration, the VIP address must be in the same subnet as the interface IP address.
The following is an example for VIP subnet address configuration wherein the VIP address is not configured in the same subnet
of the interface IP subnet.
The following is an example for VIP address mismatch. Here the VIP address is not in the same subnet of the interface IP subnet.
switch# configure terminal
switch(config)# feature hsrp
switch(config)# feature interface-vlan
switch(config)# interface vlan 2
switch(config-if)# ip address 192.0.2.1/24
switch(config-if)# hsrp 2
switch(config-if-hsrp)# ip 209.165.201.1
!ERROR: Invalid IP address(Mismatch with IP subnet)!
The following is an example for VIP address mismatch. Here the VIP subnet address is configured along with VIP address in
the same subnet of the interface IP subnet.
switch# configure terminal
switch(config)# feature hsrp
switch(config)# feature interface-vlan
switch(config)# interface vlan 2
switch(config-if)# ip address 192.0.2.1/24
switch(config-if)# hsrp 2
switch(config-if-hsrp)# ip 192.0.2.10/24
!ERROR: Invalid IP address(Mismatch with IP subnet)!
Prerequisites for HSRP
You must enable the HSRP feature in a device before you can configure and enable any HSRP groups.
Guidelines and Limitations for HSRP
HSRP has the following configuration guidelines and limitations:
When a host connected to the HSRP standby router sends a ping to the HSRP virtual IP address, the HSRP active router responds to the ping;
however, the ping packets (transient traffic) are punted to the SUP on the HSRP standby router before they reach the HSRP active router.
You must configure
an IP address for the interface on which you configure HSRP and enable that
interface before HSRP becomes active.
You must configure
HSRP version 2 when you configure an IPv6 interface for HSRP.
For IPv4, the
virtual IP address must be in the same subnet as the interface IP address.
The value of the first 2 digits of a type 7 key string configured by using the key-string 7 text-string command must be between 0 and 15. For example, you can configure 07372b557e2c1a as the key string value, in which case the
value of the first 2 digits is 7. However, you cannot configure 85782916342021 as the key string value because the value
of the first 2 digits is 85. We recommend unconfiguring any type 7 key strings that do not adhere to this range, or
configuring a type 0 string instead.
We recommend that
you do not configure more than one first-hop redundancy protocol on the same
interface.
HSRP version 2
does not interoperate with HSRP version 1. An interface cannot operate both
version 1 and version 2 because both versions are mutually exclusive. However,
the different versions can be run on different physical interfaces of the same
router.
You cannot change
from version 2 to version 1 if you have configured groups above the group
number range allowed for version 1 (0 to 255).
HSRP for IPv4 is
supported with BFD. HSRP for IPv6 is not supported with BFD.
Cisco NX-OS
removes all Layer 3 configurations on an interface when you change the
interface VRF membership, port channel membership, or when you change the port
mode to Layer 2.
If you configure
virtual MAC addresses with vPC, you must configure the same virtual MAC address
on both vPC peers.
For mixed-chassis
configurations where the vPC peer link is configured on an F-series module,
configure the vPC peer gateway exclude option to exclude the Layer 3 backup
route that traverses the vPC peer link.
You cannot use the
HSRP MAC address burned-in option on a VLAN interface that is a vPC member.
If you have not configured authentication, the show hsrp command displays the following string:
Authentication text "cisco"
The following is
the default behavior of HSRP as defined in RFC 2281: If no authentication data is
configured, the RECOMMENDED default value is 0x63 0x69 0x73 0x63 0x6F 0x00 0x00
0x00.
Anycast HSRP does not support BFD.
HSRP for MGO has
the following limitations:
Master groups
and slave groups are not restricted to the same interface.
HSRP for MGO
supports only HSRP version 2.
Master and
slave groups must have the same address types.
Configuring an HSRP group as a slave group clears the group's other configurations, such as
its virtual IP address, without notification, so you must enter the
follow command before you enter the ip ip-address command.
Bidirectional forwarding detection (BFD) is not applicable to slave groups.
HSRP for MGO
supports both IPv4 and IPv6 interfaces and works for all Layer 3 interfaces on
which a regular HSRP group works.
An HSRP group
cannot be configured as both a master and slave group at the same time.
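Added example (not from the Cisco guide): a decoder for the fixed 20-byte HSRP version 1 message, with checks built on what this chapter states: version 1 hellos go to 224.0.0.2 on UDP port 1985, the active router sources hellos from the group virtual MAC address, and unconfigured authentication appears as the default data "cisco". The field layout, opcodes and state codes are taken from RFC 2281 rather than from this page; the function names, finding labels and sample packets are constructed for illustration.

```python
import ipaddress
import struct

HSRP_V1_DST = ("224.0.0.2", 1985)   # version 1 hello destination (from the guide)
DEFAULT_AUTH = bytes([0x63, 0x69, 0x73, 0x63, 0x6F, 0x00, 0x00, 0x00])  # "cisco"
OPCODES = {0: "hello", 1: "coup", 2: "resign"}                  # RFC 2281
STATES = {0: "initial", 1: "learn", 2: "listen",
          4: "speak", 8: "standby", 16: "active"}               # RFC 2281


def normalize_mac(mac):
    """Return a MAC address in Cisco dotted form (xxxx.xxxx.xxxx), lower case."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def v1_virtual_mac(group):
    """HSRP version 1 virtual MAC: 0000.0C07.ACxy, xy = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP version 1 groups are 0 to 255")
    return f"0000.0c07.ac{group:02x}"


def parse_v1(payload):
    """Decode the fixed 20-byte HSRP version 1 message (RFC 2281 layout)."""
    if len(payload) < 20:
        raise ValueError("truncated HSRP version 1 message")
    (version, opcode, state, hello, hold, priority, group, _reserved,
     auth, vip) = struct.unpack("!8B8s4s", payload[:20])
    if version != 0:
        raise ValueError("not HSRP version 1 (version 2 uses a TLV format)")
    return {
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hello, "holdtime": hold,
        "priority": priority, "group": group,
        "auth": auth, "vip": str(ipaddress.IPv4Address(vip)),
    }


def audit_v1(src_mac, dst_ip, dst_port, payload):
    """Return (decoded message, findings) for one captured version 1 datagram."""
    msg = parse_v1(payload)
    findings = []
    if (dst_ip, dst_port) != HSRP_V1_DST:
        findings.append("unexpected-destination")
    if msg["auth"] == DEFAULT_AUTH:
        findings.append("default-auth-cisco")
    if msg["opcode"] == "hello":
        from_vmac = normalize_mac(src_mac) == v1_virtual_mac(msg["group"])
        # The burned-in address option also changes the source MAC, so these
        # two findings are prompts to check the configuration, not verdicts.
        if msg["state"] == "active" and not from_vmac:
            findings.append("active-not-from-virtual-mac")
        if msg["state"] != "active" and from_vmac:
            findings.append("virtual-mac-used-by-non-active")
    return msg, findings


def build_v1(opcode, state, priority, group, auth, vip, hello=3, hold=10):
    """Construct a sample message for the demo (test data, not captured traffic)."""
    return struct.pack("!8B8s4s", 0, opcode, state, hello, hold, priority,
                       group, 0, auth.ljust(8, b"\0"),
                       ipaddress.IPv4Address(vip).packed)


# Constructed samples: an expected active hello for group 1, and an active hello
# with default authentication data sent from a MAC that is not the group's.
GOOD = build_v1(0, 16, 110, 1, b"Lab-key1", "192.0.2.1")
SUSPECT = build_v1(0, 16, 255, 1, b"cisco", "192.0.2.1")

if __name__ == "__main__":
    for mac, pkt in (("00:00:0c:07:ac:01", GOOD), ("00:50:56:aa:bb:01", SUSPECT)):
        msg, findings = audit_v1(mac, "224.0.0.2", 1985, pkt)
        print(mac, msg["state"], msg["priority"], findings or "ok")
```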
Default Settings for HSRP Parameters
Default HSRP Parameters
| Parameters | Default |
|---|---|
| HSRP | Disabled |
| Authentication | Enabled as text for version 1, with cisco as the password |
| HSRP version | Version 1 |
| Preemption | Disabled |
| Priority | 100 |
| Virtual MAC address | Derived from HSRP group number |
Configuring HSRP
Enabling HSRP
You must globally enable HSRP before you can configure and enable any HSRP groups.
Before you begin
Confirm that you are in the correct VDC. To change the VDC, use the switchto vdc command.
You can configure the HSRP version. If you change the version for existing groups, Cisco NX-OS reinitializes HSRP for those groups because the virtual MAC address changes. The HSRP version applies to all groups on the
interface.
Note
IPv6 HSRP groups must be configured as HSRP version 2.
You can configure an HSRP group on an IPv4 interface and configure the virtual IP address and virtual MAC address for the
HSRP group.
Before you begin
You must enable HSRP.
Cisco NX-OS enables an HSRP group once you configure the virtual IP address on any member interface in the group. You must configure
HSRP attributes such as authentication, timers, and priority before you enable the HSRP group.
Confirm that you are in the correct VDC. To change the VDC, use the switchto vdc command.
SUMMARY STEPS
switch# configure terminal
switch(config)# interface type number
switch(config-if)# ip address ip-address/length
switch(config-if)# hsrp group-number [ipv4]
switch(config-if-hsrp)# ip [ip-address [secondary]]
(Optional) switch(config-if)# show hsrp [group group-number] [ipv4]
DETAILED STEPS
| Step | Command or Action | Purpose |
|---|---|---|
| Step 1 | switch# configure terminal | Enters global configuration mode. |
| Step 2 | switch(config)# interface type number | Enters interface configuration mode. |
| Step 3 | switch(config-if)# ip address ip-address/length | Configures the IPv4 address of the interface. |
| Step 4 | switch(config-if)# hsrp group-number [ipv4] | Creates an HSRP group and enters hsrp configuration mode. The range for HSRP version 1 is from 0 to 255. The range for HSRP version 2 is from 0 to 4095. The default value is 0. |
| Step 5 | switch(config-if-hsrp)# ip [ip-address [secondary]] | Configures the virtual IP address for the HSRP group and enables the group. This address should be in the same subnet as the IPv4 address of the interface. |
| | | Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration. |
| Step 9 | (Optional) switch(config-if)# show hsrp [group group-number] [ipv4] | (Optional) Displays HSRP information. |
Example
The following example shows how to configure an HSRP group on Ethernet 1/2:
switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# ip address 192.0.2.2/8
switch(config-if)# hsrp 2
switch(config-if-hsrp)# ip 192.0.2.1
switch(config-if-hsrp)# exit
switch(config-if)# no shutdown
switch(config-if)# copy running-config startup-config
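Added example (not part of the Cisco guide): a small linter that checks an NX-OS configuration or CLI transcript against rules stated in this chapter: the virtual IP and interface subnet relationship, group numbers above 255 and IPv6 groups needing HSRP version 2, the 0 to 15 range for the first two digits of a type 7 key string, and groups left on the default "cisco" authentication text. The function names and finding labels are constructed for illustration, and the authentication md5 key-string 7 line form is assumed NX-OS syntax that this page does not show in full.

```python
import ipaddress
import re

PROMPT = re.compile(r"^switch\S*#\s*")   # lets CLI transcripts be linted as well


def parse_interfaces(text):
    """Collect the interface address, HSRP version and HSRP groups per interface."""
    interfaces, iface, group = [], None, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.match(r"interface (.+)$", line):
            iface = {"name": m[1], "addr": None, "version": 1, "groups": []}
            interfaces.append(iface)
            group = None
        elif iface is None:
            continue
        elif m := re.match(r"ip address (\S+/\d+)$", line):
            iface["addr"] = ipaddress.ip_interface(m[1])
        elif m := re.match(r"hsrp version ([12])$", line):
            iface["version"] = int(m[1])
        elif m := re.match(r"hsrp (\d+)( ipv[46])?$", line):
            group = {"id": int(m[1]), "ipv6": m[2] == " ipv6",
                     "vips": [], "auth": False, "type7": []}
            iface["groups"].append(group)
        elif line == "exit":
            group = None
        elif group is not None and line.startswith("authentication"):
            # Assumed form: authentication md5 key-string 7 <text>
            group["auth"] = True
            group["type7"] += re.findall(r"key-string 7 (\S+)", line)
        elif group is not None and (m := re.match(
                r"ip (\d+(?:\.\d+){3}(?:/\d+)?)(?: secondary)?$", line)):
            group["vips"].append(m[1])   # IPv4 virtual IP, optional /length
    return interfaces


def lint_hsrp(text):
    """Return (location, finding) pairs for guideline violations in the config."""
    findings = []
    for iface in parse_interfaces(text):
        for g in iface["groups"]:
            where = f'{iface["name"]} hsrp {g["id"]}'
            if iface["version"] == 1 and g["id"] > 255:
                findings.append((where, "group-above-255-needs-version-2"))
            if iface["version"] == 1 and g["ipv6"]:
                findings.append((where, "ipv6-group-needs-version-2"))
            if not g["auth"]:
                findings.append((where, "no-authentication-default-text-cisco"))
            for key in g["type7"]:
                if not (re.match(r"[0-9]{2}", key) and int(key[:2]) <= 15):
                    findings.append((where, "type7-key-prefix-not-0-to-15"))
            for vip in g["vips"]:
                if iface["addr"] is None:
                    findings.append((where, "interface-has-no-ip-address"))
                    continue
                inside = ipaddress.ip_interface(vip).ip in iface["addr"].network
                # A subnet VIP (written with /length) must sit outside the
                # interface subnet; a plain VIP must sit inside it.
                if inside == ("/" in vip):
                    findings.append((where, "vip-subnet-mismatch"))
    return findings


# Constructed configuration that reuses addresses and key strings from this page.
SAMPLE = """\
interface vlan 2
  ip address 192.0.2.1/24
  hsrp 2
    authentication md5 key-string 7 85782916342021
    ip 209.165.201.1
interface ethernet 1/1
  ip address 11.0.0.1/24
  hsrp version 2
  hsrp 11
    authentication md5 key-string 7 07372b557e2c1a
    name master1
    ip 11.0.0.100
interface ethernet 1/2
  ip address 192.0.2.2/8
  hsrp 300
    ip 192.0.2.1
"""

# The second VIP mismatch transcript from this chapter, without its error line.
TRANSCRIPT = """\
switch# configure terminal
switch(config)# feature hsrp
switch(config)# feature interface-vlan
switch(config)# interface vlan 2
switch(config-if)# ip address 192.0.2.1/24
switch(config-if)# hsrp 2
switch(config-if-hsrp)# ip 192.0.2.10/24
"""

if __name__ == "__main__":
    for where, finding in lint_hsrp(SAMPLE) + lint_hsrp(TRANSCRIPT):
        print(f"{where}: {finding}")
```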
Configuring an HSRP Group for IPv6
You can configure an
HSRP group on an IPv6 interface and configure the virtual IP address and
virtual MAC address for the HSRP group. When you configure an HSRP group for
IPv6, HSRP generates a link-local address from the link-local prefix. HSRP also
generates a modified EUI-64 format interface identifier in which the EUI-64
interface identifier is created from the relevant HSRP virtual MAC address.
There are no HSRP IPv6 secondary addresses.
Before you begin
You must enable HSRP.
Ensure that you
have enabled HSRP version 2 on the interface where you want to configure an
IPv6 HSRP group.
Ensure that you
have configured HSRP attributes such as authentication, timers, and priority
before you enable the HSRP group.
Confirm that you are in the correct VDC. To change the VDC, use the switchto vdc command.
Creates an IPv6 HSRP group and enters hsrp configuration mode. The range for HSRP version 2 is
from 0 to 4095. The default value is 0.
Step 7
switch(config-if-hsrp)# ip [ipv6-address [secondary]]
Configures the virtual IPv6 address for the HSRP group and enables the group.
Step 8
switch(config-if-hsrp)# ip autoconfig
Autoconfigures the virtual IPv6 address for the HSRP group from the calculated link-local
virtual IPv6 address and enables the group.
You can configure
HSRP for MGO to optimize performance when scaling by configuring master and
slave groups. Slave groups follow the master group state, which minimizes the
number of hello messages that are sent. Cisco NX-OS enables an HSRP group once
you configure its virtual IP address.
We recommend that
you configure master groups on the same parent interface as their slave groups
to allow the slave groups to have the same redundancy requirements as the
master group. If a failure occurs on the master link, all the slave groups are
brought down as well, even if the links on which they are configured remain up.
Before you begin
Ensure that you
have enabled the HSRP feature.
Configure HSRP attributes
such as authentication, timers, and priority before you enable an HSRP group as
a master group.
Ensure that you are in the correct VDC (or use the switchto vdc command).
SUMMARY STEPS
switch# configure terminal
switch(config)# interface type/number
switch(config-if)# ip address ip-address/length
switch(config-if)# hsrp version 2
switch(config-if)# hsrp group-number [ipv6]
switch(config-if-hsrp)# name [master-group-name]
switch(config-if-hsrp)# ip [ip-address [secondary]]
switch(config-if-hsrp)# exit
switch(config-if)# no shutdown
switch(config-if)# show hsrp [brief] [group group-number] [ipv4] [ipv6]
switch(config-if)# show hsrp mgo [name name] [brief]
DETAILED STEPS
| Step | Command or Action | Purpose |
|---|---|---|
| Step 1 | switch# configure terminal | Enters global configuration mode. |
| Step 2 | switch(config)# interface type/number | Enters interface configuration mode and configures an interface type. |
| Step 3 | switch(config-if)# ip address ip-address/length | Configures the IP address of the interface. |
| Step 4 | switch(config-if)# hsrp version 2 | Configures the HSRP version. Because MGO supports only HSRP version 2, you must set the HSRP version to version 2. Version 1 is the default. |
| Step 5 | switch(config-if)# hsrp group-number [ipv6] | Creates an HSRP group and enters HSRP configuration mode. The range for the HSRP group number is from 0 to 4095. The no form of this command removes the group. |
| Step 6 | switch(config-if-hsrp)# name [master-group-name] | Specifies a master group name. The name command changes a regular HSRP group into a master group. If you do not specify a name, a unique name is automatically generated. The no form of this command returns the master group to a regular HSRP group. |
| Step 7 | switch(config-if-hsrp)# ip [ip-address [secondary]] | Configures the virtual IP address for the HSRP group and enables the master group. |
| Step 8 | switch(config-if-hsrp)# exit | Exits the HSRP configuration mode. |
| Step 9 | switch(config-if)# no shutdown | Enables the interface. |
| Step 10 | switch(config-if)# show hsrp [brief] [group group-number] [ipv4] [ipv6] | (Optional) Displays HSRP information. |
| Step 11 | switch(config-if)# show hsrp mgo [name name] [brief] | (Optional) Displays the relationships between HSRP groups that are in use for MGO and their slave sessions. The name keyword restricts the output to the session with a matching configured name. The brief keyword provides a summary of each MGO session with the associated slave sessions. |
Example
The following example shows how to configure an HSRP master group on
Ethernet interface 1/1:
switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# ip address 11.0.0.1/24
switch(config-if)# hsrp version 2
switch(config-if)# hsrp 11
switch(config-if-hsrp)# name master1
switch(config-if-hsrp)# ip 11.0.0.100
switch(config-if-hsrp)# exit
switch(config-if)# no shutdown
switch(config-if)# show hsrp group 11
switch(config-if)# show hsrp mgo name master1
Configuring an HSRP Slave Group
If a failure occurs in a slave link
that belongs to a different interface than the master group, the slave group is
brought down, regardless of the state of the group it is following.
You can configure HSRP for MGO to optimize performance when scaling by
configuring master and slave groups. Slave groups follow the master group
state, which minimizes the number of hello messages that are sent. Cisco NX-OS
enables an HSRP group once you configure its virtual IP address.
We recommend that you configure master groups on the same parent
interface as their slave groups to allow the slave groups to have the same
redundancy requirements as the master group. If a failure occurs on the master
link, all the slave groups are brought down as well, even if the links on which
they are configured remain up.
Before you begin
Ensure that you have enabled the HSRP feature.
Configure HSRP attributes such as authentication, timers, and priority before you enable an HSRP group as a master group.
Ensure that you are in the correct VDC (or use the switchto vdc command).
switch(config-if)# show hsrp [brief] [group group-number] [ipv4] [ipv6]
switch(config-if)# show hsrp mgo [name name] [brief]
DETAILED STEPS
Command or Action
Purpose
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# interface type/number
Enters interface configuration mode and configures an interface type.
Step 3
switch(config-if)# ip address ip-address/length
Configures the IP address of the interface.
Step 4
switch(config-if)# hsrp version 2
Configures the HSRP version. Because MGO supports only HSRP version 2, you must set the HSRP version to version 2. Version 1 is the default.
Step 5
switch(config-if)# hsrp mac refresh seconds
(Optional) Configures the MAC refresh interval for the HSRP slave group. You can use this command to minimize the number of hello messages that are sent out and reduce HSRP protocol overheads and CPU utilization when multiple subinterfaces are configured.
This command is not available for individual subinterfaces. It applies to all groups on all subinterfaces. The default is 60 seconds. The range is from 0 to 10000.
Step 6
switch(config-if)# hsrp group-number [ipv6]
Creates an HSRP group and enters HSRP configuration mode. The range for the HSRP group number is from 0 to 4095. The no form of this command removes the group.
Configuring an HSRP group as a slave group clears the group’s other configurations, such as its virtual IP address, without notification, so you must enter the follow command before you enter the ip ip-address command.
Slave groups may forward reference master group names that are
undefined.
The no form of this command returns the slave group to a regular
HSRP group.
Step 8
switch(config-if-hsrp)# ip [ip-address]
Configures the virtual IP address for the HSRP group and enables the slave group.
Step 9
switch(config-if-hsrp)# exit
Exits the HSRP configuration mode.
Step 10
switch(config-if)# no shutdown
Enables the interface.
Step 11
switch(config-if)# show hsrp [brief] [group group-number] [ipv4] [ipv6]
(Optional) Displays HSRP information.
Step 12
switch(config-if)# show hsrp mgo [name name] [brief]
(Optional) Displays the relationships between HSRP groups that are in use for MGO and their slave sessions. The name keyword restricts the output to the session with a matching configured name. The brief keyword provides a summary of each MGO session with the associated slave sessions.
Example
The following example shows how to configure an HSRP slave group on
Ethernet interface 1/2:
switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# ip address 12.0.0.1/24
switch(config-if)# hsrp version 2
switch(config-if)# hsrp 12
switch(config-if-hsrp)# follow master1
switch(config-if-hsrp)# ip 12.0.0.100
switch(config-if-hsrp)# exit
switch(config-if)# no shutdown
switch(config-if)# show hsrp group 11
switch(config-if)# show hsrp mgo name master1
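The MGO rules in the two procedures above (HSRP version 2 is required, follow must be entered before ip, and a followed master name may be undefined) can be checked on a change script before it is pasted into the switch. The following Python linter is an added example, not part of the Cisco guide; the function name lint_mgo and the BAD_SCRIPT input are illustrative.

```python
import re

# The master and slave examples from this page (prompts, no shutdown and show commands omitted).
PAGE_EXAMPLE = """\
interface ethernet 1/1
ip address 11.0.0.1/24
hsrp version 2
hsrp 11
name master1
ip 11.0.0.100
exit
interface ethernet 1/2
ip address 12.0.0.1/24
hsrp version 2
hsrp 12
follow master1
ip 12.0.0.100
exit
"""

# Constructed change script that breaks all three rules.
BAD_SCRIPT = """\
switch(config)# interface ethernet 1/3
switch(config-if)# hsrp 13
switch(config-if-hsrp)# ip 13.0.0.100
switch(config-if-hsrp)# follow master9
"""

def lint_mgo(script):
    """Lint NX-OS CLI lines (prompts optional) against the MGO rules in this guide."""
    findings, names, follows = [], set(), []
    v2, group, ip_seen = False, None, False  # version 2 set / current group / virtual IP entered
    for no, raw in enumerate(script.splitlines(), 1):
        cmd = re.sub(r"^\S+#\s*", "", raw.strip())  # drop a 'switch(config-if)# ' prompt
        if cmd.startswith("interface "):
            v2, group = False, None
        elif m := re.fullmatch(r"hsrp version (\d)", cmd):
            v2 = m.group(1) == "2"
        elif m := re.fullmatch(r"hsrp (\d+)( ipv6)?", cmd):
            group, ip_seen = m.group(1), False
        elif cmd == "exit":
            group = None
        elif group and re.fullmatch(r"ip( \S+)?( secondary)?", cmd):
            ip_seen = True
        elif group and (m := re.fullmatch(r"(name|follow) (\S+)", cmd)):
            role, name = m.groups()
            if not v2:
                findings.append(f"line {no}: '{role}' needs 'hsrp version 2' on the interface")
            if role == "name":
                names.add(name)
            else:
                follows.append((no, name))
                if ip_seen:
                    findings.append(f"line {no}: 'follow' after 'ip' clears the virtual IP")
    # The guide allows forward references to undefined master names; report them for review.
    findings += [f"line {no}: master group '{name}' is not defined in this script"
                 for no, name in follows if name not in names]
    return findings
```

lint_mgo(PAGE_EXAMPLE) returns an empty list; lint_mgo(BAD_SCRIPT) returns three findings, all on line 4.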
Configuring the HSRP Virtual MAC Address Manually
You can override the default virtual MAC address that HSRP derives from the configured group number. You must configure the
same virtual MAC address on both vPC peers of a vPC link.
Creates an HSRP group and enters HSRP configuration mode. The range for HSRP version 1 is from 0 to 255. The range for HSRP version 2 is from 0 to 4095. The default value is 0.
Step 4
switch(config-if-hsrp)# mac-address string
Configures the virtual MAC address for an HSRP group. The string uses the standard MAC address format (xxxx.xxxx.xxxx).
Configuring the HSRP Virtual MAC Address Using Burned-in MAC Address
You can override the default virtual MAC address that HSRP derives from the configured group number. You must configure the same virtual MAC address on both vPC peers of a vPC link.
Configures HSRP to use the burned-in MAC address of the interface for the HSRP virtual MAC address. Optionally, you can configure HSRP to use the burned-in MAC address for all groups on this interface by using the scope interface keyword.
Note
Proxy ARP breaks when HSRP is configured with the use-bia command. A standby router cannot cover for the lost proxy ARP database of the failed router.
When the use-bia option is configured, the ARP process on the HSRP active device mistakenly sees the HSRP group as the standby device because the virtual address that it looks for is absent. As a result, both the HSRP active and the standby devices suppress ARP replies to proxy ARP requests.
Configuring MAC Address Table Reservation for HSRP
Before Release 8.4(6), the behaviour was to enable HSRP Virtual MAC reservation. Beginning with Cisco NX-OS Release 8.4(6), the default behaviour is changed. If required, you can enable default Virtual MAC reservation.
You can add MAC reservation for the HSRP Virtual MAC for all VLANs; this overrides the default behaviour. By default, if the SVI interface is shut on both vPC+ peers, the MAC reservation is removed. This configuration overrides that default, and the MAC reservation is assigned. Enable Virtual MAC reservation with the following configuration commands:
Configures MAC reservation for the HSRP Virtual MAC for all VLANs.
Step 3
switch(config)# interface vlan [vlan_id]
Configures on specific VLANs.
Step 4
switch(config-if)# shutdown
Disables the interface.
Step 5
(Optional) switch(config-if)# show mac address-table vlan [vlan_id] address [string]
Displays the MAC address table for specific VLAN ID.
Example
The following example configures the MAC address table reservation for HSRP:
switch# configure terminal
switch(config)# mac address-table reserve-hsrp-vmac
switch(config)# interface vlan
<1-4094> Vlan interface number
switch(config)# interface vlan 1001
switch(config-if)# shutdown
switch(config-if)# show mac address-table vlan 1001
Note: MAC table entries displayed are getting read from software.
Use the 'hardware-age' keyword to get information related to 'Age'
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link, E - EVPN entry
(T) - True, (F) - False , ~~~ - use 'hardware-age' keyword to retrieve age info
VLAN/BD MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 1001 0000.0044.0004 static - F F 10.0.3590
* 1001 0005.73a0.03e9 static - F F 10.0.3590
* 1001 8c60.4f9e.4fc2 static - F F 10.0.3590
* 1001 d867.d904.3ec3 dynamic ~~~ F F Po1
switch(config-if)# show mac address-table vlan 1001 address
E.E.E MAC Address (Option 1)
EE-EE-EE-EE-EE-EE MAC Address (Option 2)
EE:EE:EE:EE:EE:EE MAC Address (Option 3)
EEEE.EEEE.EEEE MAC Address (Option 4)
switch(config-if)# show mac address-table vlan 1001 address 0000.0044.0004
Note: MAC table entries displayed are getting read from software.
Use the 'hardware-age' keyword to get information related to 'Age'
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link, E - EVPN entry
(T) - True, (F) - False , ~~~ - use 'hardware-age' keyword to retrieve age info
VLAN/BD MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 1001 0000.0044.0004 static - F F 10.0.3590
switch(config-if)#
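To verify the reservation after a change, the virtual MACs implied by an SVI's HSRP configuration can be compared with the static entries in the MAC address table. The following Python check is an added example, not part of the Cisco guide: the function names are illustrative, the default virtual MAC bases are the well-known HSRP ranges rather than values stated in this section, a reservation is assumed to appear as a static entry as in the output above, and use-bia is not handled.

```python
import re

# Default HSRP virtual MAC bases; the group number is added to the base.
BASES = {("1", "ipv4"): 0x00000C07AC00,   # HSRPv1
         ("2", "ipv4"): 0x00000C9FF000,   # HSRPv2 IPv4
         ("2", "ipv6"): 0x000573A00000}   # HSRPv2 IPv6

# HSRP lines of interface Vlan1001 and MAC table rows, both copied from this page.
SVI_CONFIG = """\
hsrp version 2
hsrp 1001
mac-address 0000.0044.0004
ip 10.10.1.1
hsrp 1001 ipv6
ip 10:10:1::1
"""
MAC_TABLE = """\
* 1001 0000.0044.0004 static - F F 10.0.3590
* 1001 0005.73a0.03e9 static - F F 10.0.3590
* 1001 8c60.4f9e.4fc2 static - F F 10.0.3590
* 1001 d867.d904.3ec3 dynamic ~~~ F F Po1
"""

def dotted(mac):
    """Format a 48-bit integer as xxxx.xxxx.xxxx."""
    h = f"{mac:012x}"
    return f"{h[:4]}.{h[4:8]}.{h[8:]}"

def expected_vmacs(svi_config):
    """Map (group, family) to the virtual MAC that the HSRP configuration implies."""
    version, current, out = "1", None, {}          # version 1 is the default
    for line in map(str.strip, svi_config.splitlines()):
        if m := re.fullmatch(r"hsrp version (\d)", line):
            version = m.group(1)
        elif m := re.fullmatch(r"hsrp (\d+)( ipv6)?", line):
            current = (int(m.group(1)), "ipv6" if m.group(2) else "ipv4")
            base = BASES.get((version, current[1]))
            if base is not None:
                out[current] = dotted(base + current[0])
        elif current and (m := re.fullmatch(r"mac-address (\S+)", line)):
            out[current] = m.group(1).lower()      # manual address overrides the default
    return out

def static_macs(mac_table, vlan):
    """Return the MACs listed as static for one VLAN in 'show mac address-table' output."""
    rows = re.findall(r"^[*+ ]*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\w+)",
                      mac_table, re.M | re.I)
    return {mac.lower() for v, mac, kind in rows if int(v) == vlan and kind == "static"}

def missing_reservations(svi_config, mac_table, vlan):
    """Return the expected virtual MACs that have no static entry in the VLAN."""
    static = static_macs(mac_table, vlan)
    return {grp: mac for grp, mac in expected_vmacs(svi_config).items() if mac not in static}
```

For the page's data, missing_reservations(SVI_CONFIG, MAC_TABLE, 1001) is empty: 0000.0044.0004 is the manually configured address of IPv4 group 1001, and 0005.73a0.03e9 is the default address of IPv6 group 1001 (0x3e9 = 1001).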
Clearing MAC Address Table Reservation for HSRP
If you shut the SVI interface on both vPC+ peers, the HSRP Virtual MAC address reservation is not removed in the MAC address table.
The following configuration was introduced specifically in Cisco NX-OS Release 8.2(8) to disable MAC address table reservation for a specific VLAN ID, a range of VLAN IDs, or all VLANs, and to override the default settings.
Note
From Cisco NX-OS Release 8.4(6), this feature has no effect on HSRP Virtual MAC address reservation.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config-if)# mac address-table system-mac-reservation-disable vlan [vlan_id]
Clears the MAC address table reservation on VLAN.
Step 3
(Optional) switch(config-if)# show running-config interface vlan [vlan_id] address [string]
Displays the running configuration on specific VLAN ID.
Example
The following example clears the MAC address table reservation for HSRP:
switch(config-if)# mac address-table system-mac-reservation-disable vlan
<1-4095> Vlan id range
all For all the vlans
switch(config-if)# mac address-table system-mac-reservation-disable vlan 1001
switch(config)# show run interface vlan 1001
!Command: show running-config interface Vlan1001
!Running configuration last done at: Wed Jun 1 10:13:17 2022
!Time: Wed Jun 1 10:13:36 2022
version 8.4(6)
interface Vlan1001
no shutdown
no ip redirects
ip address 10.10.1.3/24
ipv6 address 10:10:1::3/64
no ipv6 redirects
ip router ospf 100 area 0.0.0.0
ipv6 router ospfv3 100 area 0.0.0.0
ip pim sparse-mode
hsrp version 2
hsrp 1001
mac-address 0000.0044.0004
ip 10.10.1.1
hsrp 1001 ipv6
ip 10:10:1::1
switch(config)#
Authenticating HSRP
You can configure HSRP to authenticate the protocol using cleartext or MD5 digest authentication. MD5 authentication uses
a key chain. For more details, see the Cisco Nexus 7000 Series NX-OS Security Configuration Guide.
Before you begin
You must enable HSRP.
You must configure the same authentication and keys on all members of the HSRP group.
Ensure that you have created the key chain if you are using MD5 authentication.
Confirm that you are in the correct VDC. To change the VDC, use the switchto vdc command.
Configures cleartext authentication for HSRP on this interface by using the authentication text command, or you can configure MD5 authentication for HSRP on this interface using the authentication md5 command. If you configure MD5 authentication, you can use a key chain or key string. If you use a key string, you can optionally
set the timeout for when HSRP only accepts a new key. The range is from 0 to 32767 seconds.
You can configure an HSRP group to adjust its priority based on the availability of other interfaces or routes. The priority
of a device can change dynamically if it has been configured for object tracking and the object that is being tracked goes
down.
The tracking process periodically polls the tracked objects and notes any value change. The value change triggers HSRP to
recalculate the priority. The HSRP interface with the higher priority becomes the active router if you configure the HSRP
interface for preemption.
Specifies an object to be tracked that affects the weighting of an HSRP interface.
The value argument specifies a reduction in the priority of an HSRP interface when a tracked object fails. The range is from
1 to 255. The default is 10.
Configures the router to take over as the active router for an HSRP group if it has a higher priority than the current active
router. This command is disabled by default. The range is from 0 to 3600 seconds.
You can configure the HSRP priority on an interface. HSRP uses the priority to determine which HSRP group member acts as the active router. If you configure HSRP on a vPC-enabled interface, you can optionally configure the upper and lower threshold values to control when to fail over to the vPC trunk. If the standby router priority falls below the lower threshold, HSRP sends all standby router traffic across the vPC trunk to forward through the active HSRP router. HSRP maintains this scenario until the standby HSRP router priority increases above the upper threshold.
For IPv6 HSRP groups, if all group members have the same priority, HSRP selects the active router based on the IPv6 link-local address.
For IPv4 HSRP groups, HSRP selects the active router based on the interface IP address when the priority is the same.
Note
Prior to Cisco NX-OS Release 7.2(0)D1(1), if the HSRP peer has a higher source interface IP address than the existing HSRP active peer and if preemption is enabled, the HSRP peer that has the same priority as the existing HSRP active peer preempts the existing HSRP active peer in the network.
After Cisco NX-OS Release 7.2(0)D1(1), even if the HSRP peer has a higher source interface IP address than the existing HSRP active peer and if preemption is enabled, the HSRP peer that has the same priority as the existing HSRP active peer does not preempt the existing HSRP active peer in the network.
Creates an HSRP group and enters HSRP configuration mode. The range for HSRP version 1 is from 0 to 255. The range for HSRP version 2 is from 0 to 4095. The default value is 0.
Sets the priority level used to select the active router in an HSRP group in interface configuration mode. The level range is from 0 to 255. The default is 100. Optionally, sets the upper and lower threshold values used by vPC to determine when to fail over to the vPC trunk. The lower-value range is from 1 to 255. The default is 1. The upper-value range is from 1 to 255. The default is 255.
You can optionally customize the behavior of HSRP. Be aware that as soon as you enable an HSRP group by configuring a virtual
IP address, that group is now operational. If you first enable an HSRP group before customizing HSRP, the router could take
control over the group and become the active router before you finish customizing the feature. If you plan to customize HSRP,
you should do so before you enable the HSRP group. To customize HSRP, use the following commands in HSRP configuration mode.
Configures the router to take over as an active router for an HSRP group if it has a higher priority than the current active
router. This command is disabled by default. The range is from 0 to 3600 seconds.
Configures the hello and hold time for this HSRP member as follows:
hellotime—The interval between successive hello packets sent. The range is from 1 to 254 seconds.
holdtime—The interval before the information in the hello packet is considered invalid. The range is from 3 to 255.
The optional msec keyword specifies that the argument is expressed in milliseconds instead of the default seconds. The timer
ranges for milliseconds are as follows:
hellotime—The interval between successive hello packets sent. The range is from 255 to 999 milliseconds.
holdtime—The interval before the information in the hello packet is considered invalid. The range is from 750 to 3000 milliseconds.
Example
The following example shows how to customize HSRP in HSRP configuration mode:
You can optionally customize the behavior of HSRP. Be aware that as soon as you enable an HSRP group by configuring a virtual
IP address, that group is now operational. If you first enable an HSRP group before customizing HSRP, the router could take
control over the group and become the active router before you finish customizing the feature. If you plan to customize HSRP,
you should do so before you enable the HSRP group. To customize HSRP, use the following commands in interface configuration
mode.
SUMMARY STEPS
switch# configure terminal
switch(config)# interface interface-type slot/port
switch(config-if)# hsrp delay minimum seconds
switch(config-if)# hsrp delay reload seconds
DETAILED STEPS
Command or Action
Purpose
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# interface interface-type slot/port
Enters interface configuration mode.
Step 3
switch(config-if)# hsrp delay minimum seconds
Specifies the minimum amount of time that HSRP waits after a group is enabled before participating in the group. The range is from 0 to 10000 seconds. The default is 0.
Step 4
switch(config-if)# hsrp delay reload seconds
Specifies the minimum amount of time that HSRP waits after reload before participating in the group. The range is from 0 to 10000 seconds. The default is 0.
Example
The following example shows how to customize HSRP in interface configuration mode:
You can configure HSRP to use extended hold timers to support extended NSF during a controlled (graceful) switchover or ISSU,
including software upgrades and supervisor switchovers. You should configure extended hold timers on all HSRP routers.
You must configure extended hold timers on all HSRP routers if you configure extended hold timers. If you configure a nondefault
hold timer, you should configure the same value on all HSRP routers when you configure HSRP extended hold timers.
HSRP extended hold timers are not applied if you configure millisecond hello and hold timers for HSRPv1. This statement does
not apply to HSRPv2.
Displays the HSRP status for a group or interface for virtual forwarders in the active, init, learn, listen, or standby state. Use the all keyword to see all states, including disabled.
Displays a brief summary of the HSRP status for a group or interface for virtual forwarders in the active, init, learn, listen, or standby state. Use the all keyword to see all states, including disabled.
show hsrp mgo [name name] [brief]
Displays the relationships between HSRP groups that are in use for MGO and their slave sessions.
Configuration Examples for HSRP
This example shows how to enable HSRP on an interface with MD5
authentication and interface tracking:
key chain hsrp-keys
  key 0
    key-string 7 zqdest
    accept-lifetime 00:00:00 Jun 01 2008 23:59:59 Sep 12 2008
    send-lifetime 00:00:00 Jun 01 2008 23:59:59 Aug 12 2008
  key 1
    key-string 7 uaeqdyito
    accept-lifetime 00:00:00 Aug 12 2008 23:59:59 Dec 12 2008
    send-lifetime 00:00:00 Sep 12 2008 23:59:59 Nov 12 2008
feature hsrp
track 2 interface ethernet 2/2 ip
interface ethernet 1/2
  ip address 192.0.2.2/8
  hsrp 1
    authentication md5 key-chain hsrp-keys
    priority 90
    track 2 decrement 20
    ip 192.0.2.10
  no shutdown
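A key chain used for HSRP MD5 authentication should roll over without leaving an interval in which no key is valid for sending. The following Python check is an added example, not part of the Cisco guide, and its function names are illustrative. Run on the key chain above, it reports that no key has an active send-lifetime between the end of key 0 (Aug 12 2008) and the start of key 1 (Sep 12 2008).

```python
import re
from datetime import datetime, timedelta

# Key chain copied from the configuration example above.
KEYCHAIN = """\
key chain hsrp-keys
  key 0
    key-string 7 zqdest
    accept-lifetime 00:00:00 Jun 01 2008 23:59:59 Sep 12 2008
    send-lifetime 00:00:00 Jun 01 2008 23:59:59 Aug 12 2008
  key 1
    key-string 7 uaeqdyito
    accept-lifetime 00:00:00 Aug 12 2008 23:59:59 Dec 12 2008
    send-lifetime 00:00:00 Sep 12 2008 23:59:59 Nov 12 2008
"""

STAMP = r"(\d\d:\d\d:\d\d \w{3} \d{1,2} \d{4})"
LIFETIME = re.compile(rf"(accept|send)-lifetime {STAMP} {STAMP}")

def parse_keys(text):
    """Return {key_id: {"accept": (start, end), "send": (start, end)}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"key (\d+)", line):
            current = keys.setdefault(int(m.group(1)), {})
        elif current is not None and (m := LIFETIME.fullmatch(line)):
            current[m.group(1)] = tuple(
                datetime.strptime(s, "%H:%M:%S %b %d %Y") for s in m.group(2, 3))
    return keys

def audit(keys, slack=timedelta(seconds=1)):
    """Report keys sent outside their accept window and gaps between send windows."""
    findings = []
    for kid, k in sorted(keys.items()):
        if "send" in k and "accept" in k:
            (a0, a1), (s0, s1) = k["accept"], k["send"]
            if s0 < a0 or s1 > a1:
                findings.append(f"key {kid}: send-lifetime extends outside accept-lifetime")
    # A key without a send-lifetime is always valid, so a gap needs every key to have one.
    if all("send" in k for k in keys.values()):
        covered_until = last = None
        for (start, end), kid in sorted((k["send"], kid) for kid, k in keys.items()):
            if covered_until is not None and start - covered_until > slack:
                findings.append(f"no send key from {covered_until} to {start} "
                                f"(after key {last}, before key {kid})")
            if covered_until is None or end > covered_until:
                covered_until, last = end, kid
    return findings

if __name__ == "__main__":
    for finding in audit(parse_keys(KEYCHAIN)):
        print(finding)
```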
This example shows how to configure the HSRP priority on an interface: