FHRP (First Hop Redundancy

Protocols)
-| Generic term for any protocol that provides redundancy for client default gateway.
-| If client has only one gateway, that fails, client’s network will be down.

-| Cisco proprietary FHRP:

 HSRP (Hot Standby Redundancy Protocol)
 HSRPv2
 GLBP (Gateway Load Balancing Protocol)

-| Open Standard FHRP:

 VRRP (Virtual Router Redundancy Protocol)

Characteristics of FHRP:
-| Require two or more routers as gateway.
-| Hello / Keepalive messages exchange between routers.
-| One router elects as the “Active” router for clients.
-| Sub-second failover.
-| Routers share “virtual-IP” and ”virtual-MAC”.
-| Need to specify group. (Virtual MAC forms from group number.)
-| By default, Group number is 0.
-| Active/Master Router is always the owner of virtual IP and MAC.
 HSRP
-| Hot Standby Routing Protocol.
-| Cisco Proprietary.
-| Uses UDP port 1985.
-| Use multicast IP address [Link] for Hello/Keepalive message.
-| Uses multicast MAC address  01-00-5E-00-00-02.
-| Two roles:
 Active and Standby. (If there is more than 2 routers, it will be in LISTEN state.)
-| Only Active and Standby routers are exchanging Hello/Keepalive messages.

-| “Active” router election:

 HSRP router with highest priority is considered “Active”.
 Default priority = 100.
 If the priority is same, then the router with highest IP address of the HSRP Broadcast
domain with all other HSRP routers, will be considered as “Active”.

HSRP Group:
-| This is a locally significant number.
-| All the routers in the same broadcast domain / VLAN should be under same HSRP
group.
-| After mentioning Group number, virtual MAC will be created.

HSRP Virtual MAC:

 [Link]  XX refers to the group number in hexadecimal.
-| HSRP default Timers:
 Hello timer – 3 Sec
 Hold timer – 10 sec (or 3x Hello)
 Device(config-if)# standby [group-number] timers <hello-time> <hold-time>
-| By default, Preemption is disabled.
 If Preemption is enabled: Router role will change according to configuration or any other
change.
 If Preemption is disabled: Router role will not change according to configuration or any
other change.
 HSRP Preemption can be delayed to allow time for other protocols to re-build their
tables.

 Coup message:
- If preemption is enabled and any router wants to be Active router, then that router
will send Coup message.

-| HSRP Hello / Advertisement packet:

Packet Field Description
The Op Code describes the type of message that the packet contains.
Possible values are: 0 - hello, 1 - coup, and 2 - resign.
 Hello messages are sent to indicate that a router runs HSRP and is
able to become the active router.
 Coup messages are sent when a router wishes to become the
active router.
Op Code (1  Resign messages are sent when a router no longer wishes to be
octet) the active router.
Each router in the standby group implements a state machine. The
state field describes the current state of the router that sends the
message. These are details on the individual states: 0 - initial, 1 - learn,
State (1 octet) 2 - listen, 4 - speak, 8 - standby, and 16 - active.
This field is only meaningful in hello messages. It contains the
Hellotime (1 approximate period between the hello messages that the router sends.
octet) The time is given in seconds.
This field is only meaningful in hello messages. It contains the amount
Holdtime (1 of time that the routers wait for a hello message before they initiate a
octet) state change.
This field is used to elect the active and standby routers. In a
comparison of the priorities of two routers, the router with the highest
Priority (1 value becomes the active router. The tie breaker is the router with the
octet) higher IP address.
Group (1
octet) This field identifies the standby group.
Authentication
Data (8
octets) This field contains a cleartext, eight-character password.
If the virtual IP address is not configured on a router, the address can be
Virtual IP learned from the hello message from the active router. An address is
Address (4 only learned if no HSRP standby IP address has been configured, and
octets) the hello message is authenticated (if authentication is configured).
-| HSRP doesn’t have any load-sharing feature.
-| MHSRP (Multi-group HSRP) can be used for load sharing.

MHSRP:
-| Multiple Group is configured under the interface.
-| According to Group priority, router will work as Active, Standby or Listen state for
each group.

-| HSRP Authentication:
 Plain text
Device(config-if)# standby <group-id> authentication <password>
 MD5
Device(config-if)# standby <group-id> authentication md5 key-string [0|7] <string>
Or,
Device(config-if)# standby <group-id> authentication md5 key-chain <key_name>
(NTP should be configured.)
-| HSRP 6 States:
Disabled:
-| HSRP not running.
-| Interface is down.

INIT (Initial):
-| Interface just came up.
-| HSRP is initializing.

Learn:
-| Router hasn’t learnt virtual ip address yet.
-| Waiting to learn virtual ip address from Hello message by active router.

Listen:
-| Router knows about the virtual ip address.
-| Router is neither active nor standby.

Speak:
-| When a router interface first come up with configured virtual IP address, he announce
himself as Active router.

Active / Standby:
-| According to priority or IP address, router will be Active or Standby.
-|When Active router is sending Hello packet, source MAC is as Virtual MAC.

-| When Standby router is sending Hello packet, source MAC is as Physical

interface’s MAC.

-| HSRP Object Tracking:

-| HSRP can track objects (typically interfaces).
-| If tracked object fails, HSRP priority is reduced by configurable amount (default=10).
-| HSRP Configuration:
Device(config-if)# standby <group-id> ip <virtual-ip>  Enabling HSRP in the interface.
Device(config-if)# standby <group-id> priority <priority>  Configuring priority.
Device(config-if)# standby <group-id> preempt  Enabling Preemption.

R1 R2 R3
int fa 0/0 int fa 0/0 int fa 0/0
standby 1 ip standby 1 ip standby 1 ip [Link]
[Link] [Link] standby 1 priority 150
standby 1 priority standby 1 priority standby 1 preempt
200 100 standby 1 track fa 0/1
standby 1 preempt standby 1 preempt 51
standby 1 track fa standby 2 ip standby 2 ip [Link]
0/1 101 [Link] standby 2 priority 100
standby 2 ip standby 2 priority standby 2 preempt
[Link] 200 standby 3 ip [Link]
standby 2 priority standby 2 preempt standby 3 priority 200
150 standby 2 track fa 0/1 standby 3 preempt
standby 2 preempt 101 standby 3 track fa 0/1
standby 2 track fa standby 3 ip
-| HSRP Verification Commands:
Device# show standby
Device# show standby brief

-| HSRP Troubleshooting Commands:

Device# debug arp
Device# debug standby errors
Device# debug standby events
Device# debug standby packets
 VRRP
-| Open Standard.
-| IP protocol 112.
-| Uses multicast IP address [Link] for Hello/Keepalive message.
-| Uses multicast MAC address  01-00-5E-00-00-12.
-| Master router replies to ARP request for virtual IP address.

-| Preemption is enabled by default.

 If Preemption is enabled: Router role will change according to configuration or any other
change.
 If Preemption is disabled: Router role will not change according to configuration or any
other change.
-| Default Priority 100.
-| HSRP Virtual MAC:
 0000.5e00.01XX  XX refers to the group number in hexadecimal.
-| Two roles:
 1 Master
 All others Backup.
-| Only Master router is exchanging Hello/Keepalive messages.

-| “Master” router election:

 VRRP router with highest priority is considered “Master”.
 Default priority = 100.
If the priority is same, then the router with highest IP address of the VRRP Broadcast domain
with all other VRRP routers, will be considered as “Master”.

-| Like HSRP, VRRP doesn’t have any load-sharing feature.

-| MVRRP (Multi-group VRRP) can be used for load sharing.
VRRP default Timers:
-| Hello timer – 1 Sec
-| Hold timer – 3.6 sec

Optimizing VRRP Timers:

-| Only Master router send Hello in VRRP broadcast domain.
-| All routers in VRRP group must share the same Hello timer.
-| When increasing VRRP Hello timer on Master, all other routers must “learn” the new timer.
Device(config-if)# vrrp <group-number> timers advertise <hello-time>
 Device(config-if)# vrrp <group-id> timers learn
 By default, Backup routers don’t see the timer field in Hello message.
 If we increase Hello timer on any Back-up router, that router will become Master. Then
we have multiple Master for a single group.
-| When decreasing Hello timer or in msec Hello timer, router advertise the 1 sec Hello timer
in Hello message.
 We have to manually configure the msec Hello timer value on every router manually.
 Device(config-if)# vrrp <group-number> timers advertise msec <hello-time>

IP Header Description of VRRP Hello packet:

 Source Address: The primary IP address of the interface the packet is being sent from.
 Destination Address: The IP multicast address as assigned by the IANA for VRRP is:
[Link].
 TTL: The TTL must be set to 255. A VRRP router receiving a packet with the TTL not
equal to 255, must discard the packet.
 Protocol: IP protocol for VRRP is 112(decimal).
L2 Header Description of VRRP Hello packet:
 Source MAC: 00-00-5E-00-01-XX (XX = 0xVRID)
 Destination MAC: 01-00-5E-00-00-12

VRRP Hello / Advertisement packet:

  Version: VRRP protocol version.
 Type: Type of VRRP packet. (VRRP Hello/Advertise packet = Type 1)
 Virtual Router ID: Group number.
 Priority: VRRP priority value (1-254). The priority value zero (0) means that the router
will not participate in VRRP Master Election.
 Authentication Type: Plain text or MD5.
 Advertisement Interval: Hello interval (By default, 1 sec)
 Checksum: Used to detect data corruption in the VRRP message.
 IP Address: Virtual IP address.

VRRP Object Tracking:

-| VRRP can track objects (typically interfaces).
-| If tracked object fails, HSRP priority is reduced by configurable amount (default=10).

VRRP Configuration:
Device(config-if)# vrrp <group-id> ip <virtual-ip>  Enabling vrrp in the interface.
Device(config-if)# vrrp <group-id> priority <priority>  Configuring priority.
VRRP Authentication:
 Plain text :
Device(config-if)# vrrp <group-id> authentication <password>
 MD5 :
Device(config-if)# vrrp <group-id> authentication md5 key-string [0|7] <string>
Or,
Device(config-if)# vrrp <group-id> authentication md5 key-chain <key_name>
(NTP should be configured.)

R1 R2 R3
track 1 interface fa 0/1 ip routing track 1 interface fa 0/1 ip routing track 1 interface fa 0/1 ip routing
int fa 0/0 int fa 0/0 int fa 0/0
vrrp 1 ip [Link] vrrp 1 ip [Link] vrrp 1 ip [Link]
vrrp 1 priority 200 vrrp 1 priority 100 vrrp 1 priority 150
vrrp 1 track 1 decrement 101 vrrp 2 ip [Link] vrrp 1 track 1 decrement 51
vrrp 2 ip [Link] vrrp 2 priority 200 vrrp 2 ip [Link]
vrrp 2 priority 150 vrrp 2 track 1 decrement 101 vrrp 2 priority 100
vrrp 2 track 1 decrement 51 vrrp 3 ip [Link] vrrp 3 ip [Link]
vrrp 3 ip [Link] vrrp 3 priority 150 vrrp 3 priority 200
vrrp 3 priority 100 vrrp 3 track 1 decrement 51 vrrp 3 track 1 decrement 101
VRRP Verification Commands:
Device# show vrrp
Device# show vrrp brief

HSRP VRRP
Cisco proprietary. Open standard.

Use UDP port 1985. Use IP protocol number 112.

For GLBP, UDP port 3222.

1 active, 1 standby, several candidates. 1 Master , several backups.

Active and Standby, both routers send Only Master router send Hello message.
Hello message.
Virtual IP is different from active and Virtual IP can be the same as the real IP
standby real IP address. address of one of the group members.
Virtual MAC : [Link]XX Virtual MAC : [Link]XX

Uses multicast IP [Link]. Uses multicast IP [Link].

(For GLBP, [Link])

Uses multicast MAC 01-00-5E-00-00-02. Uses multicast MAC 01-00-5E-00-00-12.

Default timer: Hello=3 sec ; Hold=10sec Default timer: Hello=1 sec ; Hold=3sec
(For GLBP also same.)
Preemption is disabled by default. Preemption is enabled by default.

Authentication supported. Authentication no longer supported.

 GLBP
-| Gateway Load-Balancing Protocol.
-| Cisco Proprietary.
-| Provides gateway redundancy and per-host load-balancing.
-| AVG (Active Virtual Gateway) in charge of determining host-to-gateway allocations.