In this article I am going to show you how router redundancy (First Hop Redundancy Protocols) can help us use multiple connections to other subnets or the internet transparently.

You know that (without extra software) devices can be configured with only one default gateway, and if that gateway fails for some reason, devices cannot reach other subnets.

Assuming that we have two or more routers in the same subnet, we can use a mechanism to keep one of them as a standby gateway, or even use all of them simultaneously and have the remaining routers take over the load of a failed member.

There are some proprietary or standard protocols to achieve this goal. Using these protocols, we still configure clients with only one gateway. The IP address belongs to a group of routers in the same subnet agreeing to work as a standby group.

For Cisco routers the first and oldest protocol is Hot Standby Routing Protocol (HSRP). In this protocol, all routers are assigned the same virtual IP address but they have their own IP address as well. Clients should receive this virtual IP address from a DHCP server configured with the default gateway option.



For layer 2 communication, a virtual MAC address is sent in response to clients’ ARP requests for the virtual IP address. This MAC address has a special format: 0000.0C07.ACXX, where XX is the group number converted to hexadecimal.

For example, if we configure the group number as 2 the virtual MAC address would be 0000.0c07.ac02, or if the group number is 95 the MAC address would be 0000.0c07.ac5F.

In the following topology I have configured R1 and R2 as border routers connecting to the internet (here, INTERNET). There is a loopback interface (100.100.100.100) acting as a server in the internet and PCs (like PC1) try to reach it.

PC1 is a VPC on GNS3 and the IP configuration and a ping to the server are demonstrated here. Note that R1 is the default gateway.

PC1> ip 10.10.12.101 /24 10.10.12.1
Checking for duplicate address...
PC1 : 10.10.12.101 255.255.255.0 gateway 10.10.12.1

PC1> ping 100.100.100.100
100.100.100.100 icmp_seq=1 ttl=254 time=77.337 ms
100.100.100.100 icmp_seq=2 ttl=254 time=94.205 ms
100.100.100.100 icmp_seq=3 ttl=254 time=15.965 ms
100.100.100.100 icmp_seq=4 ttl=254 time=109.927 ms
100.100.100.100 icmp_seq=5 ttl=254 time=125.094 ms

In my configuration, R1 and R2 have a default route:

R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0

R2(config)#ip route 0.0.0.0 0.0.0.0 s0/1

And INTERNET has two routes to reach my network:

Internet(config)#ip route 10.10.12.0 255.255.255.0 s0/0
Internet(config)#ip route 10.10.12.0 255.255.255.0 s0/1

And this is a sample traceroute from PC1:

PC1> trace 100.100.100.100
trace to 100.100.100.100, 8 hops max, press Ctrl+C to stop
1 10.10.12.1 46.970 ms 15.740 ms 16.131 ms
2 *121.1.1.100 123.363 ms (ICMP type:3, code:3, Destination port unreachable)

Configuration Time!

The following is a sample configuration on R1 and R2. In this configuration I assign a group number of 1 to the routers. Both routers should agree on the group number and some other features such as authentication.

The preempt argument is very important. If a router is configured to preempt and it is the active router, it will always claim its role. If for some reason this router fails and later comes back to normal operation, it will become the active router again and force the other routers to become standby.

Note that the priority argument (a number between 1 and 255) will determine the active router.

We use the standby command to configure HSRP. The virtual IP address must be in the same subnet as the routers and must not be allocated to any other device. It is better to exclude it from the DHCP scope:

R1(config)#int f0/0
R1(config-if)#standby 1 ip 10.10.12.200
R1(config-if)#standby 1 priority 150
R1(config-if)#standby 1 preempt

R2(config-if)#standby 1 ip 10.10.12.200
R2(config-if)#standby 1 priority 100
R2(config-if)#standby 1 preempt

Note that I configured R1’s priority higher than R2’s, so R1 is the active router. Here is the verification command:

R1(config-if)#do sh standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:02:54
  Virtual IP address is 10.10.12.200
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.088 secs
  Preemption enabled
  Active router is local
  Standby router is 10.10.12.2, priority 100 (expires in 7.636 sec)
  Priority 150 (configured 150)
  Group name is "hsrp-Fa0/0-1" (default)

On R1 you can read "State is Active" and "Standby router is 10.10.12.2". This means both routers know about each other. This is important, since in some situations you see that both routers are active and they do not show any standby (that is obviously an issue).
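The check described above, written out as an added example (not code from the original article): a Python sketch that parses show standby text collected from each router, flags a group that more than one router claims as Active or for which no standby is seen, and confirms the virtual MAC follows the 0000.0c07.acXX format. The sample output is constructed and trimmed, and the function names are illustrative.

```python
import re

def expected_vmac(group):
    # HSRP v1 virtual MAC as described above: 0000.0c07.acXX, XX = group in hex
    return "0000.0c07.ac%02x" % group

def parse_show_standby(text):
    """Return {group: {state, vmac, standby}} from 'show standby' text."""
    # Split on the "<interface> - Group <n>" header that starts each group.
    parts = re.split(r"^\S+ - Group (\d+)\s*$", text, flags=re.M)
    groups = {}
    for num, body in zip(parts[1::2], parts[2::2]):
        def field(pattern):
            m = re.search(pattern, body)
            return m.group(1) if m else None
        groups[int(num)] = {
            "state": field(r"State is (\w+)"),
            "vmac": field(r"Active virtual MAC address is (\S+)"),
            "standby": field(r"Standby router is ([\w.]+)"),
        }
    return groups

def audit(outputs):
    """outputs: {router: show_standby_text}; returns a list of findings."""
    findings, active = [], {}
    for router, text in sorted(outputs.items()):
        for group, g in sorted(parse_show_standby(text).items()):
            if g["state"] == "Active":
                active.setdefault(group, []).append(router)
            if g["standby"] == "unknown":
                findings.append(f"{router} group {group}: no standby router seen")
            if g["vmac"] and g["vmac"].lower() != expected_vmac(group):
                findings.append(f"{router} group {group}: unexpected vMAC {g['vmac']}")
    for group, routers in sorted(active.items()):
        if len(routers) > 1:
            findings.append(f"group {group}: dual active on {', '.join(routers)}")
    return findings

# Constructed sample (trimmed): the routers do not see each other's hellos,
# so both claim Active for group 1 and neither lists a standby.
BODY = """FastEthernet0/0 - Group 1
  State is Active
  Virtual IP address is 10.10.12.200
  Active virtual MAC address is 0000.0c07.ac01
  Active router is local
  Standby router is unknown
"""
SAMPLE = {"R1": BODY, "R2": BODY}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A single router that is Active with an unknown standby is also reported, because the group then has no redundancy left even though traffic still flows.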

Now I should advertise this virtual IP as the default gateway to clients:

PC1> ip 10.10.12.101 /24 10.10.12.200
Checking for duplicate address...
PC1 : 10.10.12.101 255.255.255.0 gateway 10.10.12.200

And check their reachability to other subnets, both in normal conditions and after R1 fails.

PC1> ping 100.100.100.100
100.100.100.100 icmp_seq=1 ttl=254 time=140.267 ms
100.100.100.100 icmp_seq=2 ttl=254 time=110.326 ms
100.100.100.100 icmp_seq=3 ttl=254 time=54.728 ms
100.100.100.100 icmp_seq=4 ttl=254 time=141.142 ms
100.100.100.100 icmp_seq=5 ttl=254 time=78.291 ms

PC1> trace 100.100.100.100
trace to 100.100.100.100, 8 hops max, press Ctrl+C to stop
1 10.10.12.1 30.223 ms 15.401 ms 15.494 ms
2 *121.1.1.100 45.514 ms (ICMP type:3, code:3, Destination port unreachable)

R1(config-if)#shut

Now R2 should be the active router:

R2(config-if)#do sh standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:00:29
  Virtual IP address is 10.10.12.200
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.220 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  Group name is "hsrp-Fa0/0-1" (default)

And PC1 should not notice any problem:

PC1> ping 100.100.100.100
100.100.100.100 icmp_seq=1 ttl=252 time=156.371 ms
100.100.100.100 icmp_seq=2 ttl=252 time=140.948 ms
100.100.100.100 icmp_seq=3 ttl=252 time=109.506 ms
100.100.100.100 icmp_seq=4 ttl=252 time=154.087 ms
100.100.100.100 icmp_seq=5 ttl=252 time=125.182 ms

PC1> trace 100.100.100.100
trace to 100.100.100.100, 8 hops max, press Ctrl+C to stop
1 10.10.12.2 109.490 ms 31.675 ms 13.148 ms
2 *122.2.2.100 48.909 ms (ICMP type:3, code:3, Destination port unreachable)

And R2 is the exit point!

Multiple HSRP (MHSRP)

It is not wise to use only one of the connections and keep the other one as standby. We can create multiple instances on a router, so why not create 2 instances, each with its own IP address, and assign the active role to a different router for each instance!

Here is a sample configuration. In this configuration R1 is active for group 1 and standby for group 2. R2 is the opposite. Some clients (such as PC1) are configured to use group 1 as gateway and others (such as PC2) use group 2:

R1(config)#int f0/0
R1(config-if)#standby 1 ip 10.10.12.201
R1(config-if)#standby 1 preempt
R1(config-if)#standby 1 priority 150
R1(config-if)#standby 2 ip 10.10.12.202
R1(config-if)#standby 2 preempt
R1(config-if)#standby 2 priority 100

R2(config)#int f0/0
R2(config-if)#standby 1 ip 10.10.12.201
R2(config-if)#standby 1 preempt
R2(config-if)#standby 1 priority 100
R2(config-if)#standby 2 ip 10.10.12.202
R2(config-if)#standby 2 preempt
R2(config-if)#standby 2 priority 150

To verify, I run the show standby command on R1 and R2.

R1#sh standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:19:11
  Virtual IP address is 10.10.12.201
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.568 secs
  Preemption enabled
  Active router is local
  Standby router is 10.10.12.2, priority 100 (expires in 6.856 sec)
  Priority 150 (configured 150)
  Group name is "hsrp-Fa0/0-1" (default)
FastEthernet0/0 - Group 2
  State is Standby
    4 state changes, last state change 00:16:21
  Virtual IP address is 10.10.12.202
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.948 secs
  Preemption enabled
  Active router is 10.10.12.2, priority 150 (expires in 9.020 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "hsrp-Fa0/0-2" (default)

R2#sh standby
FastEthernet0/0 - Group 1
  State is Standby
    1 state change, last state change 00:18:18
  Virtual IP address is 10.10.12.201
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.452 secs
  Preemption enabled
  Active router is 10.10.12.1, priority 150 (expires in 7.300 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "hsrp-Fa0/0-1" (default)
FastEthernet0/0 - Group 2
  State is Active
    1 state change, last state change 00:18:37
  Virtual IP address is 10.10.12.202
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.504 secs
  Preemption enabled
  Active router is local
  Standby router is 10.10.12.1, priority 100 (expires in 8.160 sec)
  Priority 150 (configured 150)
  Group name is "hsrp-Fa0/0-2" (default)

And the configuration and the result of trace on PC1 and PC2:

PC1> ip 10.10.12.101 /24 10.10.12.201
Checking for duplicate address...
PC1 : 10.10.12.101 255.255.255.0 gateway 10.10.12.201

PC1> trace 100.100.100.100
trace to 100.100.100.100, 8 hops max, press Ctrl+C to stop
1 10.10.12.1 43.211 ms 21.145 ms 10.303 ms
2 **121.1.1.100 46.351 ms (ICMP type:3, code:3, Destination port unreachable)

PC2> ip 10.10.12.102 /24 10.10.12.202
Checking for duplicate address...
PC1 : 10.10.12.102 255.255.255.0 gateway 10.10.12.202

PC2> trace 100.100.100.100
trace to 100.100.100.100, 8 hops max, press Ctrl+C to stop
1 10.10.12.2 65.363 ms 10.147 ms 10.166 ms
2 *122.2.2.100 42.219 ms (ICMP type:3, code:3, Destination port unreachable)

Hope you enjoy this!