
HSRP Gateway Redundancy

Uploaded by p4paji


Gateway Redundancy Facts

Gateway redundancy is a fault-tolerant approach for hosts to communicate outside their local subnet. Typically, hosts are configured with a single default gateway (next-hop router) so they may communicate outside the local subnet. However (as shown in the image below) if the default gateway should fail, the hosts are limited to communicating only within the subnet, effectively disconnecting from the rest of the network. Even if there is a redundant router which could serve as a replacement gateway, there is no dynamic method by which the hosts could switch to a new default gateway IP address.

Gateway redundancy protects against a single point of failure. In gateway redundancy, a group of two or more routers actively manage a single virtual router MAC address and IP address (as seen below). This configuration ensures that if a router fails, a backup router takes responsibility as the default gateway. With gateway redundancy, LAN clients send traffic to the virtual router, but an actual router handles the forwarding of that traffic. The difference between a virtual and actual router is unnoticeable to the clients.

Hot Standby Router Protocol (HSRP)

Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway. The protocol consists of a virtual MAC address and IP address that are shared between two or more routers, and a process that monitors both LAN and serial interfaces via a multicast protocol. An HSRP group, a set of routers participating in HSRP that jointly emulate a virtual router, consists of the following entities or roles:

Entity or Role: Description

  • Active Router: An active router which forwards traffic destined to the virtual IP address (see the illustration below).
  • Standby Router: A standby router which will become the active router should the existing active router fail (see the illustration below).
  • Virtual Router: A virtual router which is not an actual router. It is a concept of the entire HSRP group acting as one virtual router. It is assigned its own IP address and MAC address; however, the active router acting as the virtual router actually forwards the packets.
  • Additional HSRP member routers: Additional HSRP member routers are neither active nor standby, but they are configured to participate in the same HSRP group. These routers forward any packets addressed to their assigned interface IP addresses but do not forward packets destined for the virtual router because they are not the active router.

HSRP has the following router states:

  • Initial is the starting state of HSRP. All routers begin in this state. This state indicates that HSRP is not yet fully operational.
  • Learn is when the router has not determined the virtual IP address and has not yet received a hello message from the active router.
  • Listen is when the router knows the virtual IP address, but is neither the active router nor the standby router. This is the state for additional HSRP member routers. The router in this state listens for hello messages, participating only if the holdtime expires.
  • Speak is when the routers in the HSRP group are in the election process for the active and standby routers.
  • Standby is when the HSRP router is a candidate to become the next active router and sends periodic hello messages to inform other routers in the HSRP group of its status.
  • Active is when the router forwards packets assigned to the virtual MAC and IP address of the HSRP group. It also sends periodic hello messages to inform other routers in the HSRP group of its status.

Routers configured with HSRP exchange three types of multicast messages:

Message: Description

  • Hello: The active router assumes and maintains its role through the use of hello messages. When the active router fails, the other HSRP routers stop receiving the hello messages. The standby router assumes the role of active router when the holdtime expires. The holdtime is the time between the receipt of a hello message and the presumption that the sending router has failed. HSRP timer details include the following:
      • Hello messages are sent every 3 seconds by default.
      • Holdtime expires after 10 seconds by default.
      • Both timers can be configured with an msec parameter for faster failover times.
    Note: All routers in the HSRP group should use the same timer values.
  • Coup: A coup message is sent by a standby router which wants to assume the function of the active router.
  • Resign: The active router sends the resign message when it is about to shut down or when a router that has a higher priority sends a hello or coup message.

The active router is decided by the following:

  • On a per-group basis, the HSRP router can be configured with a priority value. The default is 100. It can be between 0-255. The router with the highest priority becomes the active router if it initializes first.
    Note: If several routers have the same priority, the physical IP address of the router's interface is used. The router with the highest IP address becomes the active router.
  • A preemption configuration will force a specific router to be an active router if it has the highest priority for the group. If the preempted active router fails, the standby router becomes the active router. If the preempted active router regains service, it will become the active router again. Be aware of the following details:
      • If preemption is not enabled, the standby router which takes over for a failed router will remain the active router even if the former active router regains service.
      • If preemption is enabled, the former active router regains the active role by sending a coup message immediately after it receives a hello message from the active router with a lower priority.
      • When a lower priority active router receives a coup message from an active, higher priority router, the router changes to the Speak state and sends a resign message.

Note: The transition through HSRP states is displayed with the debug standby EXEC command.

Be aware of the following HSRP details:

  • The virtual MAC address is XXXX.XX07.ACxx. The first six values in the address (XXXX.XX) represent the vendor code. The last two values (xx) represent the HSRP group number in hexadecimal. For example, a virtual MAC address for HSRP group 79 would be XXXX.XX07.AC4F.
  • If a host sends an ARP request with the virtual router's IP address, the active router will return the virtual router's MAC address.
  • One or more HSRP groups need to be configured for each VLAN or subnet. HSRP is not configured globally.
  • Using the VLAN ID as the HSRP group number makes troubleshooting easier. However, the group number is limited to a value between 0 and 255.
  • To configure HSRP load sharing, configure at least two routers to participate in two HSRP groups:
      • Configure the first router to serve as the active router for the first HSRP group and the backup router for the second HSRP group.
      • Configure the second router to serve as the active router for the second HSRP group and the backup router for the first HSRP group.
  • An HSRP tracking feature monitors the active router's interface that is used to forward traffic from the hosts. If that interface goes down, the priority of the HSRP group is reduced to allow the HSRP standby router to become the active router. The HSRP group priority of the active router is decreased by 10 by default, but can be configured. Careful planning of standby priorities for all routers is needed to ensure that the HSRP standby tracking feature lowers priorities enough for standby routers to take active roles. If preemption is not enabled on the standby router, it will not send a coup message to become the active router for the group.
  • When configuring routers in the HSRP group, at least one router in the group must be configured with the virtual IP address. Other routers in the group will learn the virtual IP address because it is forwarded in the hello messages.

HSRP Command List

The following table lists commands used to configure and verify HSRP:

Use... / To...

Router(config)#interface
Router(config-if)#standby ip
    Enter interface configuration mode and enable HSRP with a group number.

Router(config-if)#standby ip
    Configure the HSRP standby group with a virtual IP address.

Router(config-if)#standby preempt
    Configure HSRP for pre-emption so the router may take over if it has a higher priority than the current active router.

Router(config-if)#standby priority
    Configure the HSRP group priority.

Router(config-if)#standby track
    Monitors the active router's interface that is used to forward traffic from the hosts, and specifies the HSRP group priority amount that is decremented if the interface goes down.

Router(config-if)#standby timers msec
Router(config-if)#standby timers msec
    Configure the hello timer and hold timer values for HSRP.

Router(config-if)#no standby timers
    Reset the hello timer and hold timer values back to their defaults, 3 and 10 seconds respectively.

Router(config-if)#standby authentication
Router(config-if)#standby authentication md5 key-string 0|7
    Configure the authentication as plain text or encrypted text. This will authenticate HSRP packets received from other routers in the group.
      • Specifying 0 means the key value is unencrypted.
      • Specifying 7 means the key value is encrypted.
      • The key-string authentication key is automatically encrypted if the service password-encryption global configuration command is enabled.
    Note: If you configure authentication, all routers within the GLBP group must use the same authentication string.

Router#show standby
    Display the gateway redundancy configuration and status of the configured interfaces.

Router#debug standby
    Displays HSRP state changes and debugging information regarding transmission and receipt of Hot Standby Protocol packets. Use this command to determine whether hot standby routers recognize one another and take the proper actions.
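An added example, not part of the original page: a Python check that applies the authentication and timer notes from the command table to saved router configurations, flagging HSRP groups with no authentication, plain-text authentication or an unencrypted (type 0) MD5 key, and groups whose timers differ between routers. The configurations, addresses and key values are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample configurations (hypothetical keys and addresses).
CONFIGS = {
    "RouterA": """
interface Vlan10
 standby 10 ip 10.2.2.1
 standby 10 authentication md5 key-string 7 0822455D0A16
interface Vlan20
 standby 20 ip 10.3.3.1
 standby 20 authentication hsrpkey
""",
    "RouterB": """
interface Vlan10
 standby 10 timers msec 250 msec 750
 standby 10 authentication md5 key-string 0 ExampleKey
interface Vlan20
 standby 20 priority 150
""",
}

def parse(config):
    """Map each HSRP group number to its {keyword: arguments} settings."""
    groups = defaultdict(dict)
    for m in re.finditer(r"^[ \t]*standby (\d+) (\S+)[ \t]*(.*)$", config, re.M):
        groups[int(m.group(1))][m.group(2)] = m.group(3).strip()
    return groups

def auth_mode(opts):
    """Classify one router's authentication setting for a group."""
    auth = opts.get("authentication")
    if auth is None or not auth.startswith("md5 "):
        return "none" if auth is None else "plain text"
    return "md5 type 0 key" if auth.startswith("md5 key-string 0 ") else "md5"

def audit(configs):
    """Return sorted (group, router, finding) tuples across all routers."""
    findings = []
    parsed = {name: parse(cfg) for name, cfg in configs.items()}
    for group in {g for p in parsed.values() for g in p}:
        members = {n: p[group] for n, p in parsed.items() if group in p}
        for name, opts in members.items():
            if auth_mode(opts) != "md5":
                findings.append((group, name, "authentication: " + auth_mode(opts)))
        # Routers without a timers line run the defaults, 3 and 10 seconds.
        if len({opts.get("timers", "3 10") for opts in members.values()}) > 1:
            findings.append((group, "*", "timers differ between routers"))
    return sorted(findings)
```

A router marked `*` in a finding means the issue applies to the group as a whole rather than to one device.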

Examples

The following table provides example gateway redundancy configurations and descriptions:

Commands / Description

RouterA(config)#interface vlan 10
RouterA(config-if)#standby 10 ip 10.2.2.1
RouterA(config-if)#standby 10 priority 100
RouterA(config-if)#end
RouterB(config)#interface vlan 10
RouterB(config-if)#standby 10 priority 90
RouterB(config-if)#end

The first group of commands configures a single router (RouterA) with one HSRP standby group for VLAN 10 with a virtual address of 10.2.2.1 and a priority of 100. The second group of commands configures a single router (RouterB) with the same group yet a different priority. This command set configures RouterA as the active router for VLAN 10 because it has the highest priority. RouterB is configured as the standby router.

Note: When configuring routers in the HSRP group, at least one router in the group must be configured with the virtual IP address. Other routers in the group will learn the virtual IP address because it is forwarded in the hello messages.

RouterA(config)#interface vlan 10
RouterA(config-if)#standby 10 ip 10.2.2.1
RouterA(config-if)#standby 10 priority 150
RouterA(config-if)#interface vlan 20
RouterA(config-if)#standby 20 ip 10.3.3.1
RouterA(config-if)#standby 20 priority 100
RouterA(config-if)#end
RouterB(config)#interface vlan 10
RouterB(config-if)#standby 10 priority 100
RouterB(config-if)#interface vlan 20
RouterB(config-if)#standby 20 priority 150
RouterB(config-if)#end

The first group of commands configures a single router (RouterA) with two HSRP standby groups on VLAN 10 and 20 with a virtual address of 10.2.2.1 and 10.3.3.1 with a priority of 150 and 100, respectively. The second group of commands configures a single router (RouterB) with the same groups yet configures a different priority for each VLAN. This command set configures RouterA as the active router for VLAN 10 and the standby router for VLAN 20. It is vice versa for RouterB.
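An added example, not from the original page: a simplified Python model of the priority, preemption and tracking rules described earlier, applied to VLAN 10 of the second configuration (RouterA 150, RouterB 100). The interface addresses, the preempt settings and the assumption that all routers initialize together are assumptions of the example; it shows that the default decrement of 10 leaves RouterA active after its tracked interface fails.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class Router:
    name: str
    ip: str                  # physical interface address (constructed)
    priority: int = 100      # default priority stated on the page
    preempt: bool = False
    decrement: int = 10      # default tracking decrement stated on the page
    tracked_up: bool = True  # state of the tracked forwarding interface
    alive: bool = True

    def effective(self):
        """Priority after the tracking decrement, tie-broken by interface IP."""
        prio = self.priority if self.tracked_up else self.priority - self.decrement
        return (prio, ip_address(self.ip))

def next_active(routers, current=None):
    """Return the router that holds the active role after one evaluation."""
    alive = [r for r in routers if r.alive]
    if not alive:
        return None
    if current is None or not current.alive:
        # No active router is sending hellos: highest priority, then highest IP.
        return max(alive, key=Router.effective)
    # An active router exists: only a preempt-enabled router with a strictly
    # higher priority sends a coup and takes over (simplification).
    rivals = [r for r in alive
              if r.preempt and r.effective()[0] > current.effective()[0]]
    return max(rivals, key=Router.effective) if rivals else current

def scenario(decrement, b_preempt):
    """VLAN 10 of the second example; RouterA's tracked interface fails."""
    a = Router("RouterA", "10.2.2.2", 150, preempt=True, decrement=decrement)
    b = Router("RouterB", "10.2.2.3", 100, preempt=b_preempt)
    active = next_active([a, b])           # initial election
    a.tracked_up = False                   # tracked interface goes down
    return next_active([a, b], active).name
```

With a decrement of 60 and preemption enabled on RouterB, `scenario(60, True)` hands the active role to RouterB; without preemption on RouterB, RouterA stays active despite its lower effective priority.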