How HSRP Works

The point of this blog is to help others who are currently seeking out their CCNP certification.  I will take topics from the "Implementing Cisco Switched Networks (SWITCH)" book and try to get as detailed as possible.  If you are like me, you need to see what is actually happening on the network to understand and remember the concepts of networking. I will begin with Cisco's proprietary standby protocol: HSRP.

What the book doesn't provide is a good visualization of how HSRP broadcasts packets during a failover or normal operation.  Please read RFC2281:

http://www.faqs.org/rfcs/rfc2281.html

From Cisco Academy Network:

“HSRP is a redundancy protocol developed by Cisco to provide gateway redundancy without any additional configuration on the end devices in the subnet. With HSRP configured between a set of routers, they work in concert to present the appearance of a single virtual router to the hosts on the LAN. By sharing an IP address and a MAC (Layer 2) address, two or more routers can act as a single virtual router.”



“The IP address of the virtual router will be configured as the default gateway for the workstations on a specific IP segment. When frames are to be sent from the workstation to the default gateway, the workstation uses ARP to resolve the MAC address associated with the IP address of the default gateway. The ARP resolution returns the MAC address of the virtual router. Frames sent to the MAC address of the virtual router can then be physically processed by the active router that is part of that virtual router group. The physical router that forwards this traffic is transparent to the end stations.”

“HSRP provides the mechanism for determining which router should take the active role in forwarding traffic. HSRP also has a mechanism to determine when that active role must be taken over by a standby router. The transition from one forwarding router to another is transparent to the end devices.”

Read on 5.3 – states,5.5 – events, 5.6 – actions.  These definitions have associated codes that will be referenced in a highly useful table for predicting the behavior of HSRP.  I will use this table to predict the behavior of shutting down an active HSRP router in my home lab.

HSRP states (Section 5.3):

1. Initial
This is the starting state and indicates that HSRP is not running.
This state is entered via a configuration change or when an
interface first comes up.
2. Learn
The router has not determined the virtual IP address, and not yet
seen an authenticated Hello message from the active router. In
this state the router is still waiting to hear from the active
router.
3. Listen
The router knows the virtual IP address, but is neither the active
router nor the standby router. It listens for Hello messages from
those routers.
4. Speak
The router sends periodic Hello messages and is actively
participating in the election of the active and/or standby router.
A router cannot enter Speak state unless it has the virtual IP
address.
5. Standby
The router is a candidate to become the next active router and
sends periodic Hello messages. Excluding transient conditions,
there MUST be at most one router in the group in Standby state.
6. Active
The router is currently forwarding packets that are sent to the
group's virtual MAC address. The router sends periodic Hello
messages. Excluding transient conditions, there MUST be at most
one router in Active state in the group.

HSRP Events (Section 5.5):
 
These are the events in the HSRP finite state machine.
           a - HSRP is configured on an enabled interface.
           b - HSRP is disabled on an interface or the interface is disabled.
           c - Active timer expiry. The Active timer was set to the Holdtime
           when the last Hello message was seen from the active router.
           d - Standby timer expiry. The Standby timer was set to the
           Holdtime when the last Hello message was seen from the standby
           router.
           e - Hello timer expiry. The periodic timer for sending Hello
           messages has expired.
           f - Receipt of a Hello message of higher priority from a router in
           Speak state.
           g - Receipt of a Hello message of higher priority from the active
           router.
           h - Receipt of a Hello message of lower priority from the active
                router.
           i - Receipt of a Resign message from the active router.
           j - Receipt of a Coup message from a higher priority router.
           k - Receipt of a Hello message of higher priority from the standby
           router.
           l - Receipt of a Hello message of lower priority from the standby
           router.

HSRP Actions (Section 5.6):

A Start Active Timer
         If this action occurred as the result of the receipt of a an
         authenticated Hello message from the active router, the Active
         timer is set to the Holdtime field in the Hello message.
         Otherwise the Active timer is set to the current Holdtime value
         in use by this router. The Active timer is then started.
B Start Standby Timer
         If this action occurred as the result of the receipt of an
         authenticated Hello message from the standby router, the
         Standby timer is set to the Holdtime field in the Hello
         message. Otherwise the Standby timer is set to the current
         hold time value in use by this router. The Standby timer is
         then started.

C Stop Active Timer

The Active timer is stopped.

D Stop Standby Timer

The Standby timer is stopped.
E Learn Parameters

This action is taken when an authenticated message is received
from the active router. If the virtual IP address for this
group was not manually configured, the virtual IP address MAY
be learned from the message. The router MAY learn Hellotime
and Holdtime values from the message.

F Send Hello Message
The router sends a Hello message with its current State,
Hellotime and Holdtime.

G Send Coup Message
The router sends a Coup message to inform the active router
that there is a higher priority router available.

H Send Resign Message
The router sends a Resign message to allow another router to
become the active router.

I Send Gratuitous ARP Message
The router broadcasts an ARP response packet advertising the
group's virtual IP address and virtual MAC address. The packet
is sent using the virtual MAC address as the source MAC address
in the link layer header, as well as within the ARP packet.

RFC 2281 Table:

                   

3 timers - active timer, standby timer, hello timer

1.       Active timer - monitor active router, expires in the holdtime

2.       Standby timer - monitor the standby router, started when hello message is seen from standby router

3.       Hello timer - expires once per hellotime period (default 3 seconds), if router is in speak/standby/active states it should generate a hello message upon hello timer expiry

Note: coup message is sent when a router wants to become and active router during preemption

Part 1 - shutting down active router in HSRP

1. Run continuous ping from laptop – 172.16.10.100 to gateway ip 172.16.10.1
2. Shut down all interfaces on DLS1.  Int range fa0/7 -12. Shutdown command
3.  On standby router - hold time expires (3 x hello), (CDFI/6 - stop active/standby timers, send hello message, send GARP, transition to active)

       

    4. Standby now sending advertise active messages:

   5. Gratuitous ARP sent after standby becomes active:

    6. Standby promotes to active.  ARPs for laptops mac address:

    7. Ping can now reply:

        

Part 2 – Preempt

1.       DLS1 comes back up and preempts. DLS2: ABH/4 - start active/standby timer, send resign message, transition to speak.  

2.       DLS1 router receives hello message of lower priority from DLS2 active router.

3.       DLS1 router: BGFI/6 - start standby timer, send coup, send hello, send GARP, transition to active.

4.       172.16.10.3 sends a coup message in the listen state, it wants to become active.  Next packet 172.16.10.3 says hello I’m active!  Send GARP.  172.16.10.4 sends hello message in speak state.

5.       Hello exchanged from original router saying I have higher priority:

6.       Active router now is the original router that went down

7.       Screenshot of DLS1 – 172.16.10.3

8.       Previous active Router goes from active -> speak (standby timer times out, transition from speak to standby)

9.       Screenshot of DLS2 – 172.16.10.4

10.   Standby router is local, speak -> standby (EA: learn, start active timer)

           Question for readers:

1.       Is the resign message a broadcast?  I did not receive this packet on my access port on ALS1

     Additional reading:

1. Visual animation of HSRP: visualland.net
2. RFC 2281: http://www.ietf.org/rfc/rfc2281.txt