
Gateway Redundancy Facts

Gateway redundancy is a fault-tolerant approach for hosts to communicate outside their local subnet. Typically, hosts are
configured with a single default gateway (next-hop router) so they may communicate outside the local subnet. However (as
shown in the image below) if the default gateway should fail, the hosts are limited to communicating only within the subnet,
effectively disconnecting from the rest of the network. Even if there is a redundant router which could serve as a replacement
gateway, there is no dynamic method by which the hosts could switch to a new default gateway IP address.

Gateway redundancy protects against a single point of failure. In gateway redundancy, a group of two or more routers actively
manage a single virtual router MAC address and IP address (as seen below). This configuration ensures that if a router fails, a
backup router takes responsibility as the default gateway. With gateway redundancy, LAN clients send traffic to the virtual router,
but an actual router handles the forwarding of that traffic. The difference between a virtual and actual router is unnoticeable to
the clients.

Hot Standby Router Protocol (HSRP)


Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway.
The protocol consists of a virtual MAC address and IP address that are shared between two or more routers, and a process that
monitors both LAN and serial interfaces via a multicast protocol.
An HSRP group, a set of routers participating in HSRP that jointly emulate a virtual router, consists of the following entities or
roles:

Entity or Role: Description

Active Router: An active router which forwards traffic destined to the virtual IP address (see the illustration below).

Standby Router: A standby router which will become the active router should the existing active router fail (see the illustration below).

Virtual Router: A virtual router which is not an actual router. It is a concept of the entire HSRP group acting as one virtual router. It is assigned its own IP address and MAC address; however, the active router acting as the virtual router actually forwards the packets.

Additional HSRP member routers: Additional HSRP member routers are neither active nor standby, but they are configured to participate in the same HSRP group. These routers forward any packets addressed to their assigned interface IP addresses but do not forward packets destined for the virtual router because they are not the active router.

HSRP has the following router states:

Initial is the starting state of HSRP. All routers begin in this state. This state indicates that HSRP is not yet fully
operational.

Learn is when the router has not determined the virtual IP address and has not yet received a hello message from the
active router.

Listen is when the router knows the virtual IP address, but is neither the active router nor the standby router. This is the
state for additional HSRP member routers. The router in this state listens for hello messages, participating only if the
holdtime expires.

Speak is when the routers in the HSRP group are in the election process for the active and standby routers.

Standby is when the HSRP router is a candidate to become the next active router and sends periodic hello messages to
inform other routers in the HSRP group of its status.

Active is when the router forwards packets assigned to the virtual MAC and IP address of the HSRP group. It also sends
periodic hello messages to inform other routers in the HSRP group of its status.

Routers configured with HSRP exchange three types of multicast messages:


Message: Description

Hello: The active router assumes and maintains its role through the use of hello messages. When the active router fails, the other HSRP routers stop receiving the hello messages. The standby router assumes the role of active router when the holdtime expires. The holdtime is the time between the receipt of a hello message and the presumption that the sending router has failed. HSRP timer details include the following:

    Hello messages are sent every 3 seconds by default.

    Holdtime expires after 10 seconds by default.

    Both timers can be configured with an msec parameter for faster failover times.

    Note: All routers in the HSRP group should use the same timer values.

Coup: A coup message is sent by a standby router which wants to assume the function of the active router.

Resign: The active router sends the resign message when it is about to shut down or when a router that has a higher priority sends a hello or coup message.

The active router is decided by the following:

On a per-group basis, the HSRP router can be configured with a priority value. The default is 100. It can be between 0 and 255. The router with the highest priority becomes the active router if it initializes first.
Note: If several routers have the same priority, the physical IP address of the router's interface is used. The router with
the highest IP address becomes the active router.

A preemption configuration will force a specific router to be an active router if it has the highest priority for the group. If
the preempted active router fails, the standby router becomes the active router. If the preempted active router regains
service, it will become the active router again. Be aware of the following details:

    If preemption is not enabled, the standby router which takes over for a failed router will remain the active router
    even if the former active router regains service.

    If preemption is enabled, the former active router takes back the active role by sending a coup message as soon as
    it receives a hello message from the active router with a lower priority. When a lower-priority active router
    receives a coup message from an active, higher-priority router, the router changes to the Speak state and sends
    a resign message.

Note: The transition through HSRP states is displayed with the debug standby EXEC command.

Be aware of the following HSRP details:

The virtual MAC address is XXXX.XX07.ACxx. The first six values in the address (XXXX.XX) represent the vendor
code. The last two values (xx) represent the HSRP group number in hexadecimal. For example, a virtual MAC address
for HSRP group 79 would be XXXX.XX07.AC4F.

If a host sends an ARP request with the virtual router's IP address, the active router will return the virtual router's MAC
address.

One or more HSRP groups need to be configured for each VLAN or subnet. HSRP is not configured globally.

Using the VLAN ID as the HSRP group number makes troubleshooting easier. However, the group number is limited to
a value between 0 and 255.

To configure HSRP load sharing, configure at least two routers to participate in two HSRP groups.

Configure the first router to serve as the active router for the first HSRP group and the backup router for the
second HSRP group.

Configure the second router to serve as the active router for the second HSRP group and the backup router for
the first HSRP group.

An HSRP tracking feature monitors the active router's interface that is used to forward traffic from the hosts. If that
interface goes down, the priority of the HSRP group is reduced to allow the HSRP standby router to become the active
router.

    The HSRP group priority of the active router is decreased by 10 by default, but can be configured. Careful
    planning of standby priorities for all routers is needed to ensure that the HSRP standby tracking feature lowers
    priorities enough for standby routers to take active roles.

    If preemption is not enabled on the standby router, it will not send a coup message to become the active router
    for the group.

When configuring routers in the HSRP group, at least one router in the group must be configured with the virtual IP
address. Other routers in the group will learn the virtual IP address because it is forwarded in the hello messages.
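
The election and tracking rules above can be checked before deployment. The following is an added example, not code from the original page: it parses constructed router configs and reports which router is active after the tracked interface fails. The interface addresses, the tracked interface name, and the names `parse` and `tracking_outcome` are assumptions.

```python
import ipaddress

# Constructed sample: priorities 150/100 as in the page's VLAN 10 example;
# interface addresses and the tracked interface name are assumptions.
ROUTER_A = """interface vlan 10
 ip address 10.2.2.2 255.255.255.0
 standby 10 ip 10.2.2.1
 standby 10 priority 150
 standby 10 preempt
 standby 10 track Serial0/0
"""
ROUTER_B = """interface vlan 10
 ip address 10.2.2.3 255.255.255.0
 standby 10 priority 100
 standby 10 preempt
"""
DEFAULTS = {"priority": 100, "preempt": False, "decrement": 0}  # page default priority

def parse(text):
    """Return {group: settings}; assumes 'ip address' precedes the standby lines
    and the tracked interface is one token, with decrement defaulting to 10."""
    groups, ip = {}, None
    for words in (line.split() for line in text.splitlines()):
        if words[:2] == ["ip", "address"]:
            ip = ipaddress.ip_address(words[2])
        elif words[:1] == ["standby"] and len(words) > 2:
            g = groups.setdefault(int(words[1]), dict(DEFAULTS, ip=ip))
            if words[2] == "priority":
                g["priority"] = int(words[3])
            elif words[2] == "preempt":
                g["preempt"] = True
            elif words[2] == "track":
                g["decrement"] = int(words[4]) if len(words) > 4 else 10
    return groups

def tracking_outcome(configs):
    """Per group: elected active router and who is active after its tracked interface fails."""
    parsed = {name: parse(text) for name, text in configs.items()}
    report = {}
    for group in sorted({g for groups in parsed.values() for g in groups}):
        m = {n: groups[group] for n, groups in parsed.items() if group in groups}
        # Election per the page: highest priority, tie broken by highest interface IP.
        ranked = sorted(m, key=lambda n: (m[n]["priority"], m[n]["ip"]), reverse=True)
        active, standby = ranked[0], (ranked[1] if len(ranked) > 1 else None)
        reduced = m[active]["priority"] - m[active]["decrement"]
        # Takeover needs preempt and a strictly higher priority (ties: assumed no takeover).
        wins = standby is not None and m[standby]["preempt"] and m[standby]["priority"] > reduced
        report[group] = {"active": active, "reduced_priority": reduced,
                         "after_failure": standby if wins else active}
    return report
```

With priorities of 150 and 100, the default decrement of 10 leaves RouterA at 140, so RouterB never takes over; under this model a decrement above 50 plus preempt on RouterB is needed.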

HSRP Command List


The following table lists commands used to configure and verify HSRP:
Use...
    To...

Router(config)#interface <type number>
Router(config-if)#standby <0-255> ip
    Enter interface configuration mode and enable HSRP with a group number.

Router(config-if)#standby <0-255> ip <a.b.c.d>
    Configure the HSRP standby group with a virtual IP address.

Router(config-if)#standby <0-255> preempt
    Configure HSRP for pre-emption so the router may take over if it has a higher priority than the current active router.

Router(config-if)#standby <0-255> priority <0-255>
    Configure the HSRP group priority.

Router(config-if)#standby <0-255> track <interface type number> <decrement value>
    Monitors the active router's interface that is used to forward traffic from the hosts, and specifies the HSRP group priority amount that is decremented if the interface goes down.

Router(config-if)#standby <0-255> timers msec <hello-value>
Router(config-if)#standby <0-255> timers msec <holdtime-value>
    Configure the hello timer and hold timer values for HSRP.

Router(config-if)#no standby <0-255> timers
    Reset the hello timer and hold timer values back to their defaults, 3 and 10 seconds respectively.

Router(config-if)#standby <0-255> authentication <value>
Router(config-if)#standby <0-255> authentication md5 key-string 0|7 <value>
    Configure the authentication as plain text or encrypted text. This will authenticate HSRP packets received from other routers in the group.

        Specifying 0 means the key value is unencrypted.

        Specifying 7 means the key value is encrypted. The key-string authentication key is automatically encrypted if the service password-encryption global configuration command is enabled.

    Note: If you configure authentication, all routers within the GLBP group must use the same authentication string.

Router#show standby
    Display the gateway redundancy configuration and status of the configured interfaces.

Router#debug standby
    Displays HSRP state changes and debugging information regarding transmission and receipt of Hot Standby Protocol packets. Use this command to determine whether hot standby routers recognize one another and take the proper actions.
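
Three rules on this page apply to a whole group rather than to one router: at least one router carries the virtual IP address, and timers and authentication match on every router. The following added example (not from the original page) audits constructed configs for those rules; the configs, the placeholder key strings and the name `audit` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample configs (not from the page); key strings are placeholders.
CONFIGS = {
    "RouterA": """interface vlan 10
 standby 10 ip 10.2.2.1
 standby 10 timers msec 250 msec 750
 standby 10 authentication md5 key-string 0 EXAMPLE-KEY-1
""",
    "RouterB": """interface vlan 10
 standby 10 priority 90
 standby 10 authentication EXAMPLE-KEY-2
interface vlan 20
 standby 20 priority 150
""",
}
# One "standby <group> <keyword> [rest of line]" statement per match.
STANDBY = re.compile(r"^[ \t]*standby[ \t]+(\d+)[ \t]+(\S+)[ \t]*(.*)$", re.M)

def audit(configs):
    """Return (group, finding) pairs; key strings are compared but never echoed."""
    seen = defaultdict(lambda: defaultdict(dict))  # group -> keyword -> router -> value
    members = defaultdict(set)                     # group -> routers in the group
    for router, text in configs.items():
        for group, keyword, value in STANDBY.findall(text):
            members[int(group)].add(router)
            seen[int(group)][keyword][router] = value.strip()
    findings = []
    for group, routers in sorted(members.items()):
        # "standby <group> ip" without an address enables HSRP but sets no virtual IP.
        if not any(seen[group]["ip"].values()):
            findings.append((group, "no router is configured with the virtual IP address"))
        # A router without the line counts as its own value ("<not configured>").
        for keyword in ("timers", "authentication"):
            if len({seen[group][keyword].get(r, "<not configured>") for r in routers}) > 1:
                findings.append((group, f"{keyword} settings differ between routers"))
    return findings
```

Values are compared as configured text, so the same key stored as type 0 on one router and type 7 on another is reported as a difference.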

Examples
The following table provides example gateway redundancy configurations and descriptions:
Commands

RouterA(config)#interface vlan 10
RouterA(config-if)#standby 10 ip 10.2.2.1
RouterA(config-if)#standby 10 priority 100
RouterA(config-if)#end
RouterB(config)#interface vlan 10
RouterB(config-if)#standby 10 priority 90
RouterB(config-if)#end

Description

The first group of commands configures a single router
(RouterA) with one HSRP standby group for VLAN 10 with
a virtual address of 10.2.2.1 and a priority of 100. The
second group of commands configures a single router
(RouterB) with the same group yet a different priority.
This command set configures RouterA as the active router
for VLAN 10 because it has the highest priority. RouterB is
configured as the standby router.
Note: When configuring routers in the HSRP group, at least
one router in the group must be configured with the virtual
IP address. Other routers in the group will learn the virtual
IP address because it is forwarded in the hello messages.

Commands

RouterA(config)#interface vlan 10
RouterA(config-if)#standby 10 ip 10.2.2.1
RouterA(config-if)#standby 10 priority 150
RouterA(config-if)#interface vlan 20
RouterA(config-if)#standby 20 ip 10.3.3.1
RouterA(config-if)#standby 20 priority 100
RouterA(config-if)#end
RouterB(config)#interface vlan 10
RouterB(config-if)#standby 10 priority 100
RouterB(config-if)#interface vlan 20
RouterB(config-if)#standby 20 priority 150
RouterB(config-if)#end

Description

The first group of commands configures a single router
(RouterA) with two HSRP standby groups on VLAN 10 and
20 with virtual addresses of 10.2.2.1 and 10.3.3.1 and
priorities of 150 and 100, respectively. The second group of
commands configures a single router (RouterB) with the
same groups yet configures a different priority for each
VLAN.
This command set configures RouterA as the active router
for VLAN 10 and the standby router for VLAN 20. It is vice
versa for RouterB.
