
HSRP Router Election

Highest Priority value (active router)
Default priority = 100
If the priority is tied, the router with the highest IP address on the interface becomes the active router.
HSRP states:
1. Disabled
2. Init
3. Listen
4. Speak
5. Standby
6. Active
Only the standby router (the one with the second-highest priority) monitors the hello messages from the active router.
By default, hellos are sent every 3 seconds. If hellos are missed for the duration of the holdtime timer (default 10 seconds, or three times the hello timer), the active router is presumed to be down. The standby router is then clear to assume the active role.
Switch(config-if)# standby group priority priority
Switch(config-if)# standby 1 priority 200
Switch(config-if)# standby group timers [msec] hello [msec] holdtime
The holdtime always should be at least three times the hello timer.
Switch(config-if)# standby 1 timers msec 100 msec 300
Note: Be aware that decreasing the HSRP hello time allows a router failure to be detected more quickly. At the same time, HSRP hellos will be sent more often, increasing the amount of traffic on the interface.

Normally, after the active router fails and the standby becomes active, the original active router cannot immediately become active when it is restored.
You can configure a router to preempt or immediately take over the active role if its priority is the highest at any time.
Switch(config-if)# standby group preempt [delay [minimum seconds] [reload seconds]]
Add the minimum keyword to force the router to wait for seconds (0 to 3600 seconds) before attempting to overthrow an active router with a lower priority.
Add the reload keyword to force the router to wait for seconds (0 to 3600 seconds) after it has been reloaded or restarted.
The local router should not become the active gateway before its routing table is fully populated; otherwise, it might not be capable of routing traffic properly.
HSRP also can use an authentication method to prevent unexpected devices from
spoofing or participating in HSRP.
Plain-Text HSRP Authentication
Switch(config-if)# standby group authentication string
MD5 Authentication
Switch(config-if)# standby group authentication md5 key-string [0 | 7] string
Alternatively, you can define an MD5 key string as a key on a key chain.
Switch(config)# key chain chain-name
Switch(config-keychain)# key key-number
Switch(config-keychain-key)# key-string [0 | 7] string
Switch(config)# interface type mod/num
Switch(config-if)# standby group authentication md5 key-chain chain-name

Tip: HSRP MD5 authentication was introduced into some Catalyst switch platforms with Cisco IOS Software Release 12.2(25)S. At the time of this writing, this feature is available only on the Catalyst 3560 and 3750.
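A configuration audit for the timer and authentication settings above, as an added example that is not part of the original notes. The sample configuration, the key-chain name EXAMPLE-CHAIN and the finding labels are constructed for illustration.

```python
import re

# Constructed sample configuration for illustration (not taken from the page).
SAMPLE_CONFIG = """\
interface Vlan50
 standby 1 ip 192.168.1.1
 standby 1 priority 200
 standby 1 authentication MyKey
 standby 2 ip 192.168.1.2
 standby 2 timers msec 100 msec 200
 standby 2 authentication md5 key-chain EXAMPLE-CHAIN
interface Vlan60
 standby 3 ip 192.168.2.1
"""

def parse_timers(tokens):
    """Turn '[msec] hello [msec] holdtime' tokens into (hello_ms, hold_ms)."""
    values, scale = [], 1000          # a bare number is in seconds
    for tok in tokens:
        if tok == "msec":
            scale = 1                 # the next number is in milliseconds
        else:
            values.append(int(tok) * scale)
            scale = 1000
    return tuple(values)

def audit_hsrp(config):
    """Return {(interface, group): [finding, ...]} for each HSRP group."""
    groups, iface = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"\s+standby\s+(\d+)\s+(\S.*)", line)
        if not (m and iface):
            continue
        grp = groups.setdefault((iface, int(m.group(1))), {"auth": "none", "timers": ()})
        words = m.group(2).split()
        if words[0] == "authentication" and len(words) > 1:
            grp["auth"] = "md5" if words[1] == "md5" else "plain-text"
        elif words[0] == "timers":
            grp["timers"] = parse_timers(words[1:])
    report = {}
    for key, grp in groups.items():
        findings = [] if grp["auth"] == "md5" else ["auth-" + grp["auth"]]
        if len(grp["timers"]) == 2 and grp["timers"][1] < 3 * grp["timers"][0]:
            findings.append("holdtime-below-3x-hello")
        report[key] = findings
    return report
```

Groups reported as auth-plain-text carry a string that is readable in the device output, as the Authentication text line in the show standby listings further down shows.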
Conceding the Election
HSRP has a mechanism for detecting link failures and swaying the election, giving
another router an opportunity to take over the active role.
To configure interface tracking, use the following interface configuration command:
Switch(config-if)# standby group track type mod/num [decrementvalue]
By default, the decrementvalue for an interface is 10.
You also should be aware that the only way another router can take over the active role after interface tracking reduces the priority is if the following two conditions are met:
Another router now has a higher HSRP priority.
That same router is using preempt in its HSRP configuration.
Without preemption, the active role cannot be given to any other router.
Tracking matters because of the active router's position: a group of clients sends packets to it for forwarding, and it has one or more links to the rest of the world. Without tracking, if one of those links fails, the router remains active. If all of those links fail, the router still remains active.
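The election and tracking rules above, modeled as an added example that is not part of the original notes. The router names and addresses reuse the ones in the page's show standby output; the priority of 150 for CatalystB and the decrement values are constructed, and the model follows only the rules stated here (highest priority, highest IP on a tie, takeover needs a higher priority plus preempt).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100       # HSRP default priority
    preempt: bool = False
    decrement: int = 10       # default tracking decrement
    tracked_up: bool = True   # state of the tracked interface

    @property
    def effective(self):
        """Priority after interface tracking has been applied."""
        return self.priority if self.tracked_up else self.priority - self.decrement

def elect(routers):
    """Initial election: highest priority, ties broken by highest IP address."""
    return max(routers, key=lambda r: (r.effective, IPv4Address(r.ip)))

def reevaluate(active, routers):
    """The active role moves only to a router that has a higher priority
    AND is configured to preempt; otherwise the current router keeps it."""
    challengers = [r for r in routers
                   if r is not active and r.preempt and r.effective > active.effective]
    return elect(challengers) if challengers else active

def uplink_failure(decrement, peer_preempts):
    """CatalystA (priority 200, tracking its uplink) loses the tracked link.
    Returns (active before the failure, active after the failure)."""
    a = Router("CatalystA", "192.168.1.10", priority=200, preempt=True,
               decrement=decrement)
    b = Router("CatalystB", "192.168.1.11", priority=150, preempt=peer_preempts)
    active = elect([a, b])
    a.tracked_up = False
    return active.name, reevaluate(active, [a, b]).name
```

With the default decrement of 10, CatalystA drops only to 190 and stays active; the decrement has to take it below the peer's priority, and the peer has to preempt, before the role moves.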
HSRP Gateway Addressing
Each router has a common gateway IP address, the virtual router address, which is
kept alive by HSRP. This address also is referred to as the HSRP address or the
standby address.
The actual interface address and the virtual (standby) address must be configured
to be in the same IP subnet.
Switch(config-if)# standby group ip ip-address [secondary]

For the virtual router address, HSRP defines a special MAC address of the form 0000.0c07.acxx, where xx represents the HSRP group number as a two-digit hex value.
For example, HSRP Group 1 appears as 0000.0c07.ac01, HSRP Group 16 appears as 0000.0c07.ac10, and so on.

Load Balancing with HSRP


The standby router and its uplink essentially sit idle until a router failure occurs.
Load balancing traffic across two uplinks to two HSRP routers with a single HSRP group is not possible. Then how is it possible to load balance with HSRP? The trick is to use two HSRP groups:
One group assigns an active router to one switch.
The other group assigns another active router to the other switch.

Verification
Router# show standby [brief] [vlan vlan-id | type mod/num]
Displaying the HSRP Router Role of a Switch: CatalystA
CatalystA# show standby vlan 50 brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active addr     Standby addr    Group addr
Vl50        1   200  P Active   local           192.168.1.11    192.168.1.1
Vl50        2   100    Standby  192.168.1.11    local           192.168.1.2
CatalystA#
CatalystA# show standby vlan 50
Vlan50 - Group 1
Local state is Active, priority 200, may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 2.248
Virtual IP address is 192.168.1.1 configured
Active router is local
Standby router is 192.168.1.11 expires in 9.860
Virtual mac address is 0000.0c07.ac01
Authentication text MyKey
2 state changes, last state change 00:11:58
IP redundancy name is hsrp-Vl50-1 (default)
Vlan50 - Group 2
Local state is Standby, priority 100
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 1.302
Virtual IP address is 192.168.1.2 configured
Active router is 192.168.1.11, priority 200 expires in 7.812
Standby router is local
Authentication text MyKey
4 state changes, last state change 00:10:04
IP redundancy name is hsrp-Vl50-2 (default)
CatalystA#
Displaying the HSRP Router Role of a Switch: CatalystB
CatalystB# show standby vlan 50 brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active addr     Standby addr    Group addr
Vl50        1   100    Standby  192.168.1.10    local           192.168.1.1
Vl50        2   200  P Active   local           192.168.1.10    192.168.1.2
CatalystB#
CatalystB# show standby vlan 50
Vlan50 - Group 1
Local state is Standby, priority 100
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.980
Virtual IP address is 192.168.1.1 configured
Active router is 192.168.1.10, priority 200 expires in 8.128
Standby router is local
Authentication text MyKey
1 state changes, last state change 00:01:12
IP redundancy name is hsrp-Vl50-1 (default)
Vlan50 - Group 2
Local state is Active, priority 200, may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 2.888
Virtual IP address is 192.168.1.2 configured
Active router is local
Standby router is 192.168.1.10 expires in 8.500
Virtual mac address is 0000.0c07.ac02
Authentication text MyKey
1 state changes, last state change 00:01:16
CatalystB#
Virtual Router Redundancy Protocol
The Virtual Router Redundancy Protocol (VRRP) is a standards-based alternative to HSRP.

VRRP provides one redundant gateway address from a group of routers. The active
router is called the master router, whereas all others are in the backup state. The
master router is the one with the highest router priority in the VRRP group.
VRRP group numbers range from 0 to 255; router priorities range from 1 to 254.
254 is the highest.
100 is the default.
The virtual router MAC address is of the form 0000.5e00.01xx, where xx is a two-digit hex VRRP group number.
VRRP advertisements are sent at 1-second intervals. Backup routers optionally can
learn the advertisement interval from the master router.
By default, all VRRP routers are configured to preempt the current master router if
their priorities are greater.
VRRP has no mechanism for tracking interfaces to allow more capable routers to
take over the master role.
Note: VRRP sends its advertisements to the multicast destination address
224.0.0.18 (VRRP), using IP protocol 112. VRRP was introduced in Cisco IOS
Software Release 12.0(18)ST for routers. At press time, VRRP is available only for
the Catalyst 4500 (Cisco IOS Release 12.2[31]SG), Catalyst 6500 Supervisor 2 (Cisco
IOS Software Release 12.2[9]ZA or later) and Catalyst 6500 Supervisor 720 (Cisco
IOS Software Release 12.2[17a]SX4 or later).
VRRP Configuration Commands

Configuring Load Balancing with VRRP

Verification

Displaying Switch Roles for VRRP Load Balancing

Verifying VRRP Status for Multiple VRRP Groups

Gateway Load Balancing Protocol


You should now know how both HSRP and VRRP can effectively provide a redundant gateway (virtual router) address. With them, you can accomplish load balancing only by configuring multiple HSRP/VRRP groups to have multiple virtual router addresses.
The Gateway Load Balancing Protocol (GLBP) is a Cisco-proprietary protocol
designed to overcome the limitations of existing redundant router protocols.

Note: GLBP was introduced in Cisco IOS Software Release 12.2(14)S for routers. At the time of this writing, GLBP is available only for the Catalyst 6500 Supervisor 2 with IOS Release 12.2(14)SY4 or later and Supervisor 720 with IOS Release 12.2(17a)SX4 switch platforms.
Instead of having just one active router performing forwarding for the virtual router
address, all routers in the group can participate and offer load balancing by
forwarding a portion of the overall traffic.
As a client sends an ARP request looking for the virtual router address, GLBP sends
back an ARP reply with the virtual MAC address of a selected router in the group.
The result is that all clients use the same gateway address but have differing MAC
addresses for it.
Active Virtual Gateway
Active virtual gateway (AVG) is the router having the highest priority value, or the
highest IP address in the group, if there is no highest priority.
The AVG answers all ARP requests for the virtual router address.
The AVG also assigns the necessary virtual MAC addresses to each of the routers
participating in the GLBP group. Up to four virtual MAC addresses can be used in
any group.
Each of these routers is referred to as an active virtual forwarder (AVF), forwarding
traffic received on its virtual MAC address. Other routers in the group serve as
backup or secondary virtual forwarders, in case the AVF fails. The AVG also assigns
secondary roles.
Switch(config-if)# glbp group priority level
GLBP group numbers range from 0 to 1023. The router priority can be 1 to 255 (255
is the highest priority), defaulting to 100.
Switch(config-if)# glbp group preempt [delay minimum seconds]
AVG sends periodic hello messages to each of the other GLBP peers. In addition, it
expects to receive hello messages from each of them.
Hello messages are sent at hellotime intervals, with a default of 3 seconds. If hellos
are not received from a peer within a holdtime, defaulting to 10 seconds, that peer
is presumed to have failed.

Switch(config-if)# glbp group timers [msec] hellotime [msec] holdtime


You always should make the holdtime at least three times greater than the hellotime
to give some tolerance to missed or delayed hellos from a functional peer.
Tip: Although you can use the previous command to configure the GLBP
timers on each peer router, it is not necessary. Instead, just configure the
timers on the router you have identified as the AVG. The AVG will
advertise the timer values it is using, and every other peer will learn those
values if they have not already been explicitly set.
Active Virtual Forwarder
Each router participating in the GLBP group can become an AVF, if the AVG assigns
it that role, along with a virtual MAC address. The virtual MAC addresses always
have the form 0007.b4xx.xxyy. The 16-bit value denoted by xx.xx represents six
zero bits followed by a 10-bit GLBP group number. The 8-bit yy value is the virtual
forwarder number.
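The three virtual MAC formats described in these notes (HSRP, VRRP and GLBP), decoded and used to check ARP entries for the gateway addresses, as an added example that is not part of the original notes. The ARP entries and the 0200.0000.00aa address are constructed, and the check assumes the routers answer with their default virtual MAC addresses.

```python
import re

def decode_virtual_mac(mac):
    """Return (protocol, group, forwarder) for a virtual router MAC, else None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    if digits.startswith("00000c07ac"):          # HSRP: 0000.0c07.acxx
        return ("HSRP", int(digits[10:], 16), None)
    if digits.startswith("00005e0001"):          # VRRP: 0000.5e00.01xx
        return ("VRRP", int(digits[10:], 16), None)
    if digits.startswith("0007b4"):              # GLBP: 0007.b4xx.xxyy
        field = int(digits[6:10], 16)            # 6 zero bits + 10-bit group
        if field >> 10:                          # upper six bits must be zero
            return None
        return ("GLBP", field & 0x3FF, int(digits[10:], 16))
    return None

def audit_arp(entries, gateways):
    """entries: [(ip, mac)]; gateways: {ip: (protocol, group)}.
    Return the gateway entries whose MAC is not the expected virtual MAC."""
    suspicious = []
    for ip, mac in entries:
        if ip in gateways:
            decoded = decode_virtual_mac(mac)
            if decoded is None or decoded[:2] != gateways[ip]:
                suspicious.append((ip, mac))
    return suspicious

# Constructed ARP entries as a client on VLAN 50 might hold them.
SAMPLE_ARP = [
    ("192.168.1.1", "0000.0c07.ac01"),   # group 1 virtual MAC, as expected
    ("192.168.1.2", "0200.0000.00aa"),   # constructed non-virtual MAC
    ("192.168.1.10", "00d0.0229.b80a"),  # a real interface, not a gateway IP
]
EXPECTED = {"192.168.1.1": ("HSRP", 1), "192.168.1.2": ("HSRP", 2)}
```

A gateway address that resolves to anything other than its group's virtual MAC is worth investigating on a segment where HSRP authentication is absent or plain text.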
The redirect timer is used to determine when the AVG will stop using the old virtual
MAC address in ARP replies. The AVF corresponding to the old address continues to
act as a gateway for any clients that try to use it.
When the timeout timer expires, the old MAC address and the virtual forwarder
using it are flushed from all the GLBP peers. The AVG assumes that the previously
failed AVF will not return to service, so the resources assigned to it must be
reclaimed. At this point, clients still using the old MAC address in their ARP caches
must refresh the entry to obtain the new virtual MAC address.
The redirect timer defaults to 600 seconds (10 minutes) and can range from 0 to 3600 seconds (1 hour). The timeout timer defaults to 14,400 seconds (4 hours) and can range from 700 to 64,800 seconds (18 hours).
Switch(config-if)# glbp group timers redirect redirect timeout
GLBP also can use a weighting function to determine which router becomes the AVF
for a virtual MAC address in a group. Each router begins with a maximum weight
value (1 to 254). As specific interfaces go down, the weight is decreased by a
configured amount. GLBP uses thresholds to determine when a router can and
cannot be the AVF. If the weight falls below the lower threshold, the router must give
up its AVF role. When the weight rises above the upper threshold, the router can
resume its AVF role.
By default, a router receives a maximum weight of 100. If you want to make a dynamic weighting adjustment, GLBP must know which interfaces to track and how to adjust the weight. You first must define an interface as a tracked object with the following global configuration command:
Switch(config)# track object-number interface type mod/num {line-protocol | ip routing}
GLBP Load Balancing
Switch(config-if)# glbp group load-balancing [round-robin | weighted | host-dependent]
Enabling GLBP
Switch(config-if)# glbp group ip [ip-address [secondary]]

Notice that CatalystA is shown to be the AVG because it has a dash in the
Fwd column and is in the Active state.
CatalystA# show glbp
Vlan50 - Group 1
State is Active
7 state changes, last state change 03:28:05
Virtual IP address is 192.168.1.1
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.672 secs
Redirect time 600 sec, forwarder time-out 14400 sec
Preemption enabled, min delay 0 sec
Active is local
Standby is 192.168.1.11, priority 150 (expires in 9.632 sec)
Priority 200 (configured)
Weighting 100 (default 100), thresholds: lower 1, upper 100
Load balancing: round-robin
There are 3 forwarders (1 active)
Forwarder 1
State is Active
3 state changes, last state change 03:27:37
MAC address is 0007.b400.0101 (default)
Owner ID is 00d0.0229.b80a
Redirection enabled
Preemption enabled, min delay 30 sec
Active is local, weighting 100
Forwarder 2
State is Listen
MAC address is 0007.b400.0102 (learnt)
Owner ID is 0007.b372.dc4a
Redirection enabled, 598.308 sec remaining (maximum 600 sec)
Time to live: 14398.308 sec (maximum 14400 sec)
Preemption enabled, min delay 30 sec
Active is 192.168.1.11 (primary), weighting 100 (expires in 8.308 sec)
Forwarder 3
State is Listen
MAC address is 0007.b400.0103 (learnt)
Owner ID is 00d0.ff8a.2c0a
Redirection enabled, 599.892 sec remaining (maximum 600 sec)
Time to live: 14399.892 sec (maximum 14400 sec)
Preemption enabled, min delay 30 sec
Active is 192.168.1.12 (primary), weighting 100 (expires in 9.892 sec)
CatalystA#
Verifying Gateway Redundancy
