IP Addresses and Services Configuration Guide for Cisco 8000 Series Routers, IOS XR Release 7.5.x
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This module describes the concepts and tasks you will use to configure Hot Standby Router Protocol (HSRP).
Implement HSRP
The Hot Standby Router Protocol (HSRP) is an IP routing redundancy protocol designed to allow for transparent failover at
the first-hop IP router. HSRP provides high network availability, because it routes IP traffic from hosts on networks without
relying on the availability of any single router. HSRP is used in a group of routers for selecting an active router and a
standby router. (An active router is the router of choice for routing packets; a standby router is a router that takes over
the routing duties when an active router fails, or when preset conditions are met.)
General Restrictions for HSRP Configuration
These are some restrictions to consider before you implement HSRP on supported interfaces on the Cisco 8000 platform.
Either HSRP or VRRP redundancy protocol is supported at a time on a particular interface and its sub-interfaces. For example,
VRRP on Bundle-Ether 1 and HSRP on Bundle-Ether 1.1 is not supported. Similarly VRRP on GigabitEthernet0/0/0/0.1 and HSRP
on GigabitEthernet0/0/0/0.2 is also not supported.
Information About Implementing HSRP
To implement HSRP on Cisco IOS XR software, you need to understand the following concepts:
HSRP Overview
HSRP is useful for hosts that do not support a router discovery protocol (such as Internet Control Message Protocol [ICMP]
Router Discovery Protocol [IRDP]) and cannot switch to a new router when their selected router reloads or loses power. Because
existing TCP sessions can survive the failover, this protocol also provides a more transparent recovery for hosts that dynamically
choose a next hop for routing IP traffic.
When HSRP is configured on a network segment, it provides a virtual MAC address and an IP address that is shared among a group
of routers running HSRP. The address of this HSRP group is referred to as the virtual IP address. One of these devices is selected by the protocol to be the active router. The active router receives and routes packets destined for the MAC address of the group. For n routers running HSRP, n + 1 IP and MAC addresses are assigned.
HSRP detects when the designated active router fails, at which point a selected standby router assumes control of the MAC
and IP addresses of the HSRP group. A new standby router is also selected at that time.
Devices that are running HSRP send and receive multicast User Datagram Protocol (UDP) based hello packets to detect router
failure and to designate active and standby routers.
HSRP Groups
An HSRP group consists of two or more routers running HSRP that are configured to provide hot standby services for one another.
HSRP uses a priority scheme to determine which HSRP-configured router is to be the default active router. To configure a router
as the active router, you assign it a priority that is higher than the priority of all the other HSRP-configured routers.
The default priority is 100, so if you configure just one router to have a higher priority, that router will be the default
active router.
HSRP works by the exchange of multicast messages that advertise priority among the HSRP group. When the active router fails
to send a hello message within a configurable period of time, the standby router with the highest priority becomes the active
router. The transition of packet-forwarding functions between routers is completely transparent to all hosts on the network.
The following figure shows routers configured as members of a single HSRP group.
All hosts on the network are configured to use the IP address of the virtual router (in this case, 1.0.0.3) as the default
gateway.
A single router interface can also be configured to belong to more than one HSRP group. The following figure shows routers
configured as members of multiple HSRP groups.
In the figure above, the Ethernet interface 0 of Router A belongs to group 1. Ethernet interface 0 of Router B belongs to
groups 1, 2, and 3. The Ethernet interface 0 of Router C belongs to group 2, and the Ethernet interface 0 of Router D belongs
to group 3. When you establish groups, you might want to align them along departmental organizations. In this case, group
1 might support the Engineering Department, group 2 might support the Manufacturing Department, and group 3 might support
the Finance Department.
Router B is configured as the active router for groups 1 and 2 and as the standby router for group 3. Router D is configured
as the active router for group 3. If Router D fails for any reason, Router B assumes the packet-transfer functions of Router
D and maintains the ability of users in the Finance Department to access data on other subnets.
Note
A different virtual MAC address (VMAC) is required for each sub interface. VMAC is determined from the group ID. Therefore,
a unique group ID is required for each sub interface configured, unless the VMAC is configured explicitly.
Note
We recommend that you disable Spanning Tree Protocol (STP) on switch ports to which the virtual routers are connected. Enable
RSTP or rapid-PVST on the switch interfaces if the switch supports these protocols.
HSRP and ARP
When a router in an HSRP group goes active, it sends a number of ARP responses containing its virtual IP address and the virtual
MAC address. These ARP responses help switches and learning bridges update their port-to-MAC maps. These ARP responses also
provide routers configured to use the burned-in address of the interface as its virtual MAC address (instead of the preassigned
MAC address or the functional address) with a means to update the ARP entries for the virtual IP address. Unlike the gratuitous
ARP responses sent to identify the interface IP address when an interface comes up, the HSRP router ARP response packet carries
the virtual MAC address in the packet header. The ARP data fields for IP address and media address contain the virtual IP
and virtual MAC addresses.
Preemption
The HSRP preemption feature enables the router with highest priority to immediately become the active router. Priority is
determined first by the priority value that you configure, and then by the IP address. In each case, a higher value is of
greater priority.
When a higher-priority router preempts a lower-priority router, it sends a coup message. When a lower-priority active router
receives a coup message or hello message from a higher-priority active router, it changes to the speak state and sends a resign
message.
ICMP Redirect Messages
Internet Control Message Protocol (ICMP) is a network layer Internet protocol that provides message packets to report errors
and other information relevant to IP processing. ICMP provides many diagnostic functions and can send and redirect error packets
to the host. When running HSRP, it is important to prevent hosts from discovering the interface (or real) MAC addresses of
routers in the HSRP group. If a host is redirected by ICMP to the real MAC address of a router, and that router later fails,
then packets from the host are lost.
ICMP redirect messages are automatically enabled on interfaces configured with HSRP. This functionality works by filtering
outgoing ICMP redirect messages through HSRP, where the next-hop IP address may be changed to an HSRP virtual IP address.
To support ICMP redirects, redirect messages are filtered through HSRP, where the next-hop IP address is changed to an HSRP
virtual address. When HSRP redirects are turned on, ICMP interfaces with HSRP do this filtering. HSRP keeps track of all HSRP
routers by sending advertisements and maintaining a real IP address to virtual IP address mapping to perform the redirect
filtering.
HSRP over BVI
Table 1. Feature History Table
Feature Name
Release Information
Feature Description
HSRP over BVI
Release 7.5.2
Hot Standby Router Protocol (HSRP) runs on top of interfaces of multiple routers in the same home network that has only Cisco
routers. It allows a group of routers to behave as a single virtual default gateway router, thereby providing default gateway
redundancy and minimizing traffic loss. HSRP now supports Bridge-Group Virtual Interface (BVI) on Cisco Silicon One Q100 systems,
which means that HSRP sessions can run between BVI interfaces of multiple routers.
The Hot Standby Router Protocol (HSRP) allows multiple routers to act as a single virtual
router in a LAN which is resilient to the failure of any single one of them. The
participating routers share a virtual IP address and associated virtual MAC address,
used by the hosts as the default first-hop. The protocol ensures that one and only one
router in the group, which is the active router is forwarding packets on behalf of the
virtual router. A second router, which is the standby router is elected to replace the
active router should it fail.
Bridge Group Virtual Interface (BVI) is a virtual interface which provides Layer 3 or
routed functionality to a bridge group. Layer 2 functionality is applicable to the
interfaces which are part of a bridge group and BVI is the routed interface for that
bridge group.
Topology
This topology showcases how HSRP functions over BVI.
In this topology, PE1 and PE2 are paired in a redundant group. This group provides Layer 3 gateway service to CE1 and CE2.
HSRP is configured over BVI interfaces on PE1 and PE2. HSRP ensures one BVI is the active gateway. The other is the standby
gateway.
You can configure one of the BVIs to be active and the other BVI as standby by setting the HSRP priority value. The active
BVI is programmed with the virtual MAC address chosen by HSRP. Hosts, CE1 and CE2 send the traffic to the virtual destination
MAC address and the active BVI forwards the traffic.
During failover, the standby BVI becomes active and is programmed with the virtual MAC address. The traffic from the hosts
is forwarded through this active BVI.
Supported Scale and Systems
HSRP over Bridge Virtual Interfaces (BVIs) is supported:
On the Cisco Silicon One Q100 ASIC-based systems and Cisco Silicon One Q200 ASIC-based systems. You can configure upto 512
HSRP groups (IPv4 and IPv6 combined) over BVIs on both the Cisco Silicon One Q100 systems and Cisco Silicon One Q200 systems.
Where the underlay IRB bridge domains consist of bridge members on L2 main or subinterfaces. Only physical and bundle interfaces
are supported for L2 bridging in IRB.
For IPv4 and IPv6 configurations, in both the default and VRF tables.
On both the fixed and distributed systems.
Restrictions
Consider these restrictions before you configure HSRP over BVI.
The minimum supported HSRP Hello timer is 100 ms. At the minimum timer, a total of 50 sessions are supported. Above 100 ms
timers, the sessions scale goes up proportionately. A maximum of 1024 HSRP groups and 1024 HSRP sessions are supported.
Configure HSRP over BVI
To configure HSRP sessions over BVI, you must complete the following configurations on
PE1 and PE2:
Configure a set of interfaces as Layer 2 interfaces and a set of VLAN
sub-interfaces.
Configure a bridge group.
Configure a BVI.
Configure HSRP over BVI.
Configuration Example
/* Enter the global configuration mode and configure a set of interfaces as Layer 2 interfaces and a set of VLAN sub-interfaces */
Router# configure
Router(config)# interface HundredGigE0/0/1/0.1 l2transport
Router(config-subif)# encapsulation dot1q 1
Router(config-subif)# rewrite ingress tag pop 1 symmetric
Router(config-subif)# commit
Router(config-subif)# exit
Router(config)# interface HundredGigE0/0/1/1.1 l2transport
Router(config-subif)# encapsulation dot1q 1
Router(config-subif)# rewrite ingress tag pop 1 symmetric
Router(config-subif)# commit
Router(config-subif)# exit
/* Enter the Layer 2 VPN configuration mode and configure a bridge group */
Router(config)# l2vpn
Router(config-l2vpn)# bridge group 5
Router(config-l2vpn-bg)# bridge-domain 5
Router(config-l2vpn-bg-bd)# interface HundredGigE0/0/1/0.1
Router(config-l2vpn-bg-bd-ac)# exit
Router(config-l2vpn-bg-bd)# interface HundredGigE0/0/1/1.1
Router(config-l2vpn-bg-bd-ac)# exit
Router(config-l2vpn-bg-bd)# routed interface BVI 10
Router(config-l2vpn-bg-bd-bvi)# commit
Router(config-l2vpn-bg-bd-bvi)# exit
/* Configure a BVI in the global configuration mode */
Router(config)# interface BVI 10
Router(config-if)# ipv4 address 209.165.200.225 255.255.255.0
Router(config-if)# ipv6 address 2001:DB8:A:B::1/64
Router(config-if)# commit
/* Configure HSRP over BVI in the global configuration mode for IPv4 address */
Router(config)# router HSRP
Router(config-hsrp)# interface BVI 10
Router(config-hsrp-if)# address-family ipv4
Router(config-hsrp-ipv4)# HSRP 10
Router(config-hsrp-gp)# priority 101
Router(config-hsrp-gp)# address 209.165.200.226
Router(config-hsrp-gp)# commit
/* Configure HSRP over BVI in the global configuration mode for IPv6 address */
Router(config)# router HSRP
Router(config-hsrp)# interface BVI 10
Router(config-hsrp-if)# address-family ipv6
Router(config-hsrp-ipv6)# HSRP 11
Router(config-hsrp-gp)# address global 2001:DB8:A:B::2
Router(config-hsrp-gp)# address linklocal autoconfig
Router(config-hsrp-gp)# commit
Verification
Use the following command to verify the bridge domain details:
Router# show l2vpn bridge-domain detail
Legend: pp = Partially Programmed.
Bridge group: 5, bridge-domain: 5, id: 1, state: up, ShgId: 0, MSTi: 0
Coupled state: disabled
VINE state: BVI Resolved
MAC learning: enabled
MAC withdraw: enabled
MAC withdraw for Access PW: enabled
MAC withdraw sent on: bridge port up
MAC withdraw relaying (access to access): disabled
Flooding:
Broadcast & Multicast: enabled
Unknown unicast: enabled
MAC aging time: 300 s, Type: inactivity
MAC limit: 32768, Action: none, Notification: syslog
MAC limit reached: no, threshold: 75%
MAC port down flush: enabled
MAC Secure: disabled, Logging: disabled
Split Horizon Group: none
Dynamic ARP Inspection: disabled, Logging: disabled
IP Source Guard: disabled, Logging: disabled
DHCPv4 Snooping: disabled
DHCPv4 Snooping profile: none
IGMP Snooping: disabled
IGMP Snooping profile: none
MLD Snooping profile: none
Storm Control: disabled
Bridge MTU: 1500
MIB cvplsConfigIndex: 2
Filter MAC addresses:
P2MP PW: disabled
Multicast Source: Not Set
Create time: 26/05/2020 17:08:54 (00:11:30 ago)
No status change since creation
ACs: 3 (3 up), VFIs: 0, PWs: 0 (0 up), PBBs: 0 (0 up), VNIs: 0 (0 up)
List of ACs:
AC: BVI10, state is up
Type Routed-Interface
MTU 1514; XC ID 0x80000001; interworking none
BVI MAC address:
c472.95a6.8b90
Virtual MAC addresses:
0000.5e00.010a
0000.5e00.020b
Split Horizon Group: Access
AC: HundredGigE0/0/1/0.1, state is up
Type VLAN; Num Ranges: 1
Rewrite Tags: []
VLAN ranges: [1, 1]
MTU 1500; XC ID 0x1; interworking none
MAC learning: enabled
Use the following command to show the hsrp details:
Router# show hsrp ipv4 detailBVI10 - IPv4 vrID 10
State is Master
2 state changes, last state change 00:11:57
State change history:
May 26 17:08:59.470 UTC Init -> Backup Delay timer expired
May 26 17:09:03.075 UTC Backup -> Master Master down timer expired
Last resign sent: NeverLast resign received: Never
Virtual IP address is 209.165.200.226
Virtual MAC address is 0000.5E00.010a, state is active
Master router is local
Version is 2
Advertise time 1 secs
Master Down Timer 3.605 (3 x 1 + (155 x 1/256))
Minimum delay 1 sec, reload delay 5 sec
Current priority 101
Configured priority 101, may preempt
minimum delay 0 secs
Router# show hsrp ipv6 detail
BVI10 - IPv6 vrID 11
State is Master
2 state changes, last state change 00:04:29
State change history:
May 26 17:16:43.476 UTC Init -> Backup Virtual IP configured
May 26 17:16:47.085 UTC Backup -> Master Master down timer expired
Last resign sent: Never
Last resign received: Never
Virtual IP address is fe80::200:5eff:fe00:20b
Secondary Virtual IP address is 2001:db8:a:b::2
Virtual MAC address is 0000.5E00.020b, state is active
Master router is local
Version is 3
Advertise time 1 secs
Master Down Timer 3.609 (3 x 1 + (156 x 1/256))
Minimum delay 1 sec, reload delay 5 sec
Current priority 100
Configured priority 100, may preempt
minimum delay 0 secs
Router# show hsrp interface BVI10 detail
BVI10 - IPv4 vrID 10
State is Master
2 state changes, last state change 00:12:35
State change history:
May 26 17:08:59.470 UTC Init -> Backup Delay timer expired
May 26 17:09:03.075 UTC Backup -> Master Master down timer expired
Last resign sent: Never
Last resign received: Never
Virtual IP address is 209.165.200.226
Virtual MAC address is 0000.5E00.010a, state is active
Master router is local
Version is 2
Advertise time 1 secs
Master Down Timer 3.605 (3 x 1 + (155 x 1/256))
Minimum delay 1 sec, reload delay 5 sec
Current priority 101
Configured priority 101, may preempt
minimum delay 0 secs
BVI10 - IPv6 vrID 11
State is Master
2 state changes, last state change 00:04:51
State change history:
May 26 17:16:43.476 UTC Init -> Backup Virtual IP configured
May 26 17:16:47.085 UTC Backup -> Master Master down timer expired
Last resign sent: Never
Last resign received: Never
Virtual IP address is fe80::200:5eff:fe00:20b
Secondary Virtual IP address is 2001:db8:a:b::2
Virtual MAC address is 0000.5E00.020b, state is active
Master router is local
Version is 3
Advertise time 1 secs
Master Down Timer 3.609 (3 x 1 + (156 x 1/256))
Minimum delay 1 sec, reload delay 5 sec
Current priority 100
Configured priority 100, may preempt
minimum delay 0 secs