Hello and welcome to the second post in the IP Services Series for the new CCNA exam. In the last post we discussed all you need to know about DHCP for the CCNA exam. You can read the article here. In this post, we will examine another important concept that is relevant for both the CCNA exam and the real world: first hop redundancy protocols.

First hop redundancy protocols (FHRP) are protocols that are used to ensure high availability of the default gateway on a network. Your device has an IP address and a default gateway that connects it to other networks and the internet. What happens when that router goes down? If there is no backup, you have to try to fix it or replace before operations can continue. Even if you have a backup router available, you would still experience significant downtime while trying to restore normalcy to operations. This is why FHRPs were designed.

There are many kinds of FHRPS. For the CCNA exam, you are required to learn about the three below;

  1. Hot standby router protocol (HSRP)
  2. Virtual router redundancy protocol (VRRP)
  3. Gateway load balancing protocol (GLBP)

Hot Standby Redundancy Protocol

HSRP is a Cisco proprietary protocol designed to provide transparent failover between routers. As the name implies, when router interfaces are in an HSRP group, only one of the interfaces is active, while the others serve as backups. The active router is the router with the highest priority in the group. When this router fails, the router with the next highest priority takes over as the active router.

A device can only be assigned one default gateway, so who takes that address? The answer is nobody. The routers are assigned individual IP addresses in the same subnet but the default gateway address would be a virtual IP address that is assigned to the HSRP group. Similarly, a MAC address is also generated for the HSRP group. The MAC address is usually in the format 0000.0c07.acXX where XX is the group number. You should pay attention to this if you are troubleshooting errors.

Tip: You should also permit the IP and MAC addresses in any security filters you might set (e.g., access-lists or port security configurations). This can save you a lot of hassle.

HSRP neighbors communicate by sending “Hello” packets to a multicast address every 3 seconds. The multicast address is 224.0.0.2 (and 224.0.0.102 for version 2). If the group members do not receive a “hello” packet within 10 seconds (the default hold time), the router is deemed to be down and the next backup router in line takes over. The default HSRP timers can be adjusted if you need faster responses.

Let’s examine an example: In the diagram below, R1 and R2 would act as default gateways in the same HSRP group. To make R1 the active, we would set the priority as 110 (to make it higher than the default, which is 100).

Article2Pic1

The configuration is shown below;

The “standby 1 ip” command sets the virtual IP address for HSRP group 1. The priority has also been set to 110. Similarly, the configuration of R2 is shown below:

Notice that the individual ip addresses for R1 and R2 are 192.168.2.2 and 192.168.2.3, respectively. However the default gateway for the client has been set to 192.168.2.1

Now let us test connectivity to the internet:

To be sure that R1 is the active router, when we issue a traceroute to the address, the first hop is 192.168.2.2 (R1’s individual IP address).

1-06202013

Now, to test failover, we would issue an extended ping, and then unplug R1’s FastEthernet 0/0 interface.

We can see that we lose 2 pings before the standby router kicks in and the connection is restored. We can check the router that is being used by doing a traceroute from the end user.

From this trace, we can see that R2 (192.168.2.3) has become the active router.

So what happens when we restore the cable at R1? Even after restoring the cable, a new trace from the device still goes through R2 (192.168.2.3):

This is because, by default, preemption is disabled on HSRP. This means that when a router with a higher priority comes back online, it will not preempt the active router. We can see this in the output of the show standby in any of the routers.

2-06202013

Because preemption is disabled on R1, we can see in the output that even though R1 has a greater priority (110), the active router is R2 (192.168.2.3). In order to ensure that R1 becomes the active router when it comes back online, we should enable preemption on the routers. This is done as shown below:

As we can see in the snippet above, once the command is entered, R1 becomes the active router again because it has the higher priority.

So far, we have tested HSRP by manipulating the Fa0/0 interface of R1 and thereby making the router inaccessible. However, it is possible that R1 loses its connectivity to the internet through f0/1 while its F0/0 is still intact. In this case, it will be useless for R1 to remain as the default gateway of the network. In order to ensure failover when an interface goes down, we need to track that interface. HSRP tracking can be configured as shown below:

The command ensures that the line protocol of the FastEthernet 0/1 interface of R1 is tracked and, when it goes down, the priority is decreased by 30. Since R2’s priority is 100 (by default) and preemption is enabled, R2 would become the default gateway of the network when F0/1 goes down.

To test this, we will use a continuous ping to 4.2.2.2 and shutdown R1’s F0/1 interface.

Notice we do not see any ping fail. This is because the change happens really fast. Let’s look at the command line on R1 and see what happens:

3-06202013

From the logs on the console, we can see that the line protocol goes down and R1 moves from active to standby. Also, if we look at the output of the show standby, we can see that the priority has become 80.

4-06202013

What happens when R1’s FastEthernet Fa0/1 is restored? The priority returns to 110 and, since preemption is enabled, R1 becomes the active router again.

So we have seen how HSRP is configured, the role of preemption and how we can track other interfaces to enhance the high availability of our gateways. Can we track more complex features, such as reachability to an IP address? Yes we can, but that involves using IP SLA, which is beyond the scope of this article (and the CCNA exam). However, with the features we have learnt, we can increase the redundancy in our networks using HSRP.

Virtual Router Redundancy Protocol (VRRP)

VRRP is the open standard protocol version of HSRP. It pretty much does the same thing as HSRP except that it uses different names. In HSRP, we have active and standby routers but, in VRRP, they are called master and backup routers. Another difference is that the multicast address used in VRRP is 224.0.0.0.18. Also, the MAC address that is used by HSRP is 00-00-5E-00-01-XX, where XX is the group number. By default, VRRP is faster than HSRP. This is because its “hello” timer is 1sec. Details of the Implementation of VRRP can be found in RFC5798 (http://tools.ietf.org/html/rfc5798). To put things in perspective, I have summarized the major differences between HSRP and VRRP in the table below:

Hot Standby Router Protocol (HSRP) Virtual Redundancy Router Protocol (VRRP)
Cisco Proprietary Industry Standard
Uses Multicast Address 224.0.0.2 or 224.0.0.102 Uses Multicast Address 224.0.0.18
Uses Virtual Mac address 0000.0c07.acXX Uses Virtual MAC Address 0000.5E00.01XX
Described in RFC 2281 Described in RFC 5798
Preemption Disabled by Default Preemption Enabled by Default
“Hello” Timer Is 3 Seconds “Hello” Timer Is 1 Second

To implement the failover that we have implemented so far using HSRP, the similar VRRP configuration would be:

5-06202013

From the configuration above, the interface tracking is done by linking the track to an object and then configuring that track object to track interface FastEthernet 0/1’s line protocol. This achieves exactly the same result as the HSRP command “standby 1 track fastethernet0/1 30.”

To test the tracking and preemption features, we can shut down the interface F0/1 on R1 and check the impact on the VRRP.

6-06202013

We can see that because preemption is enabled by default, R1’s state changes from master to backup in the VRRP configuration.

To check the VRRP status on the router, use the “show vrrp” command;

Notice that preemption is enabled in the output and the priority of R1has been reduced to 80 because the object being tracked is down.

Whew! Now we have learned about the first two FHRPs. We would break off this article here and continue with the third FHRP (gateway load balancing protocol) in the next article in this series. I will leave you with a thought: So far, with HSRP and VRRP, only one of the routers is in use at a particular time. What if we want to be able to load-balance between our gateway routers while maintaining redundancy? Is this achievable? Let me know your thoughts in the comments section.