First Hop Redundancy Protocols Configuration Guide, Cisco IOS XE 17

First Hop Redundancy Protocols Configuration Guide, Cisco IOS XE 17
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (1721R)
© 2020 Cisco Systems, Inc. All rights reserved.
CONTENTS
CHAPTER 1 Read Me First 1
CHAPTER 2 Configuring GLBP 3
Finding Feature Information 3

Restrictions for GLBP 3
Prerequisites for GLBP 3
Information About GLBP 4
GLBP Overview 4
GLBP Active Virtual Gateway 4
GLBP Virtual MAC Address Assignment 5
GLBP Virtual Gateway Redundancy 5
GLBP Virtual Forwarder Redundancy 6
GLBP Gateway Priority 6
GLBP Gateway Weighting and Tracking 6
GLBP MD5 Authentication 7
ISSU-GLBP 7
GLBP SSO 8
GLBP Benefits 8
How to Configure GLBP 9
Enabling and Verifying GLBP 9
Customizing GLBP 11
Configuring GLBP MD5 Authentication Using a Key String 13
Configuring GLBP MD5 Authentication Using a Key Chain 15
Configuring GLBP Text Authentication 17
Configuring GLBP Weighting Values and Object Tracking 18
Troubleshooting GLBP 20

iii
Contents
Configuration Examples for GLBP 22

Example: Customizing GLBP Configuration 22
Example: Configuring GLBP MD5 Authentication Using Key Strings 22
Example: Configuring GLBP MD5 Authentication Using Key Chains 22
Example: Configuring GLBP Text Authentication 23
Example: Configuring GLBP Weighting 23
Example: Enabling GLBP Configuration 23
Additional References for GLBP 23
Feature Information for GLBP 24
Glossary 26
CHAPTER 3 HSRP for IPv6 27

Prerequisites for HSRP for IPv6 27
Information About HSRP for IPv6 28
HSRP for IPv6 Overview 28
HSRP IPv6 Virtual MAC Address Range 28
HSRP IPv6 UDP Port Number 28
How to Enable HSRP for IPv6 28
Enabling an HSRP Group for IPv6 Operation 28
Enabling HSRP Version 2 29
Enabling and Verifying an HSRP Group for IPv6 Operation 29

Configuration Examples for HSRP for IPv6 31
Example: Configuration and Verification for an HSRP Group 31
Additional References 33
Feature Information for HSRP for IPv6 34
Glossary 35
CHAPTER 4 Configuring HSRP 37

Restrictions for HSRP 37
Information About HSRP 38
HSRP Operation 38
HSRP Version 2 Design 39

iv
Contents
HSRP Configuration Changes 40

HSRP Benefits 40
HSRP Groups and Group Attributes 41
HSRP Preemption 41
HSRP Priority and Preemption 41
How Object Tracking Affects the Priority of an HSRP Device 42
HSRP Addressing 42
HSRP Virtual MAC Addresses and BIA MAC Addresses 42
HSRP Timers 43
HSRP MAC Refresh Interval 43
HSRP Text Authentication 43
HSRP MD5 Authentication 43
HSRP Support for IPv6 44
HSRP Messages and States 45
HSRP Group Linking to IP Redundancy Clients 45
HSRP Object Tracking 45
HSRP Group Shutdown 46
HSRP Support for ICMP Redirect Messages 46
ICMP Redirects to Active HSRP Devices 46
ICMP Redirects to Passive HSRP Devices 48
ICMP Redirects to Non-HSRP Devices 48
Passive HSRP Advertisement Messages 48
ICMP Redirects Not Sent 48
HSRP Support for MPLS VPNs 49
HSRP Multiple Group Optimization 49
HSRP—ISSU 50
SSO HSRP 50
SSO Dual-Route Processors and Cisco Nonstop Forwarding 50
HSRP and SSO Working Together 50
HSRP BFD Peering 51
HSRP MIB Traps 52
How to Configure HSRP 52
Enabling HSRP 52
Delaying the Initialization of HSRP on an Interface 54

v
Contents
Configuring HSRP Priority and Preemption 56

Configuring HSRP Object Tracking 57
Configuring HSRP MD5 Authentication Using a Key String 59
Configuring HSRP MD5 Authentication Using a Key Chain 61
Troubleshooting HSRP MD5 Authentication 64
Configuring HSRP Text Authentication 64
Configuring HSRP Timers 66
Configuring an HSRP MAC Refresh Interval 67
Configuring Multiple HSRP Groups for Load Balancing 68
Improving CPU and Network Performance with HSRP Multiple Group Optimization 70
Enabling HSRP Support for ICMP Redirect Messages 72
Configuring HSRP Virtual MAC Addresses or BIA MAC Addresses 73
Linking IP Redundancy Clients to HSRP Groups 74
Changing to HSRP Version 2 75
Enabling SSO Aware HSRP 77

Verifying SSO Aware HSRP 78
Enabling HSRP MIB Traps 79
Configuring BFD Session Parameters on an Interface 80
Configuring HSRP BFD Peering 81
Verifying HSRP BFD Peering 83
Configuration Examples for HSRP 85
Example: Configuring HSRP Priority and Preemption 85
Example: Configuring HSRP Object Tracking 85
Example: Configuring HSRP Group Shutdown 86
Example: Configuring HSRP MD5 Authentication Using Key Strings 87
Example: Configuring HSRP MD5 Authentication Using Key Chains 87
Example: Configuring HSRP MD5 Authentication Using Key Strings and Key Chains 87
Example: Configuring HSRP Text Authentication 88
Example: Configuring Multiple HSRP Groups for Load Balancing 88
Example: Improving CPU and Network Performance with HSRP Multiple Group Optimization 89
Example: Configuring HSRP Support for ICMP Redirect Messages 90
Example: Configuring HSRP Virtual MAC Addresses and BIA MAC Address 90
Example: Linking IP Redundancy Clients to HSRP Groups 91
Example: Configuring HSRP Version 2 91

vi
Contents
Example: Enabling SSO-Aware HSRP 92

Example: Enabling HSRP MIB Traps 92
Example: HSRP BFD Peering 93
Feature Information for HSRP 95
Glossary 99
CHAPTER 5 HSRP Version 2 101

Information About HSRP Version 2 101
HSRP Version 2 Design 101

How to Configure HSRP Version 2 102
Changing to HSRP Version 2 102
Configuration Examples for HSRP Version 2 104
Example: Configuring HSRP Version 2 104

Feature Information for HSRP Version 2 105
CHAPTER 6 HSRP MD5 Authentication 107

Information About HSRP MD5 Authentication 107
HSRP Text Authentication 107
HSRP MD5 Authentication 108
How to Configure HSRP MD5 Authentication 108
Configuring HSRP MD5 Authentication Using a Key Chain 108
Troubleshooting HSRP MD5 Authentication 111
Configuring HSRP Text Authentication 111
Configuration Examples for HSRP MD5 Authentication 113
Example: Configuring HSRP MD5 Authentication Using Key Strings 113
Example: Configuring HSRP MD5 Authentication Using Key Chains 113
Example: Configuring HSRP MD5 Authentication Using Key Strings and Key Chains 114
Example: Configuring HSRP Text Authentication 114
Feature Information for HSRP MD5 Authentication 115

vii
Contents
CHAPTER 7 HSRP Support for ICMP Redirects 117

Information About HSRP Support for ICMP Redirects 117
HSRP Support for ICMP Redirect Messages 117
ICMP Redirects to Active HSRP Devices 118
ICMP Redirects to Passive HSRP Devices 119
ICMP Redirects to Non-HSRP Devices 119
Passive HSRP Advertisement Messages 119
ICMP Redirects Not Sent 120
How to Configure HSRP Support for ICMP Redirects 120
Enabling HSRP Support for ICMP Redirect Messages 120
Configuration Examples for HSRP Support for ICMP Redirects 121
Example: Configuring HSRP Support for ICMP Redirect Messages 121
Feature Information for HSRP Support for ICMP Redirects 123
CHAPTER 8 FHRP - HSRP Multiple Group Optimization 125

Information About FHRP - Multiple Group Optimization 125
HSRP Multiple Group Optimization 125
How to configure FHRP - Multiple Group Optimization 126
Configuring Multiple HSRP Groups for Load Balancing 126
Improving CPU and Network Performance with HSRP Multiple Group Optimization 127
Configuration Examples for FHRP - Multiple Group Optimization 129
Example: Configuring Multiple HSRP Groups for Load Balancing 129
Example: Improving CPU and Network Performance with HSRP Multiple Group Optimization 131
Feature Information for FHRP - HSRP Multiple Group Optimization 132
CHAPTER 9 FHRP - HSRP Group Shutdown 135

Information About FHRP - HSRP Group Shutdown 135
How Object Tracking Affects the Priority of an HSRP Device 135

viii
Contents
HSRP Object Tracking 135

HSRP Group Shutdown 136
How to Configure FHRP - HSRP Group Shutdown 136
Configuring HSRP Object Tracking 136
Configuring HSRP MD5 Authentication Using a Key String 138
Configuration Examples for FHRP - HSRP Group Shutdown 140
Example: Configuring HSRP Object Tracking 140
Example: Configuring HSRP Group Shutdown 141
Feature Information for FHRP - HSRP Group Shutdown 143
CHAPTER 10 SSO HSRP 145

Restrictions for SSO HSRP 145
Information About SSO HSRP 145
SSO HSRP 145
SSO Dual-Route Processors and Cisco Nonstop Forwarding 146
HSRP and SSO Working Together 146
How to Configure SSO HSRP 146
Enabling SSO Aware HSRP 146
Verifying SSO Aware HSRP 148
Configuration Examples for SSO HSRP 149
Example: Enabling SSO-Aware HSRP 149
Feature Information for SSO - HSRP 151
CHAPTER 11 HSRP - ISSU 153

Information About HSRP - ISSU 153
HSRP—ISSU 153
Feature Information for HSRP - ISSU 155
CHAPTER 12 FHRP - HSRP MIB 157

ix
Contents

Information About FHRP - HSRP MIB 157
HSRP MIB Traps 157
How to Configure FHRP - HSRP MIB 158
Enabling HSRP MIB Traps 158
Configuration Examples for FHRP - HSRP MIB 159
Example: Enabling HSRP MIB Traps 159
Feature Information for FHRP - HSRP-MIB 160
CHAPTER 13 HSRP Support for MPLS VPNs 163

Information About HSRP Support for MPLS VPNs 163
HSRP Support for MPLS VPNs 163
Feature Information for HSRP Support for MPLS VPNs 165
CHAPTER 14 Configuring VRRP 167

Restrictions for VRRP 167
Information About VRRP 168
VRRP Operation 168
VRRP Benefits 170
Multiple Virtual Router Support 171
VRRP Router Priority and Preemption 171
VRRP Advertisements 172
VRRP Object Tracking 172
How VRRP Object Tracking Affects the Priority of a Device 172
In Service Software Upgrade--VRRP 173
VRRP Support for Stateful Switchover 173
How to Configure VRRP 173
VRRP 173
EnablingVerifying VRRP 175
Configuring VRRP Object Tracking 177

x
Contents
Configuring VRRP Text Authentication 178

Configuration Examples for VRRP 180
Example: Configuring VRRP 180
Example: VRRP Object Tracking 181
Example: VRRP Object Tracking Verification 181
Example: VRRP Text Authentication 182
Example: VRRP MIB Trap 182
Feature Information for VRRP 184
Glossary 185
CHAPTER 15 VRRPv3 Protocol Support 187

Restrictions for VRRPv3 Protocol Support 188
Information About VRRPv3 Protocol Support 188
VRRPv3 Benefits 188
VRRP Device Priority and Preemption 189
VRRP Advertisements 190
How to Configure VRRPv3 Protocol Support 190
IPv6 VRRP Link Local Address 190
Enabling VRRPv3 on a Device 190
Creating and Customizing a VRRP Group 191
Configuring the Delay Period Before FHRP Client Initialization 193
Configuration Examples for VRRPv3 Protocol Support 194
Example: Enabling VRRPv3 on a Device 194
Example: Creating and Customizing a VRRP Group 195
Example: Configuring the Delay Period Before FHRP Client Initialization 195
Example: VRRP Status, Configuration, and Statistics Details 195
Additional References for VRRPv3 Protocol Support 196
Feature Information for VRRPv3 Protocol Support 197
Glossary 198
CHAPTER 16 VRRPv3: Object Tracking Integration 199

xi
Contents
Information About VRRPv3: Object Tracking Integration 199

VRRP Object Tracking 199
How VRRP Object Tracking Affects the Priority of a Device 200
How to Configure VRRPv3: Object Tracking Integration 200
Tracking an IPv6 Object using VRRPv3 200
Configuration Examples for VRRPv3: Object Tracking Integration 201
Example: Tracking an IPv6 Object using VRRPv3 201
Example: Verifying VRRP IPv6 Object Tracking 201
Additional References for VRRPv3: Object Tracking Integration 202
Feature Information for VRRPv3: Object Tracking Integration 203
CHAPTER 17 Virtual Router Redundancy Service 205

Restrictions for VRRS 206
Information About VRRS 206
VRRS Overview 206
Using VRRS with VRRP 206
VRRS Servers and Clients 207
VRRS Pathways and Pathway Manager 207
VRRS Pathways 207
VRRS Pathway Manager 207
How to Configure VRRS 208
Configuring VRRPv3 Control Groups 208
Configuring VRRS Pathways 209
Verifying VRRS 211
Configuration Examples for VRRS 214
Example: Configuring VRRPv3 Control Groups 214
Example: Configuring VRRS pathways 214
Feature Information for Virtual Router Redundancy Service 215

xii
CHAPTER 1
Read Me First
Important Information about Cisco IOS XE 16
Effective Cisco IOS XE Release 3.7.0E for Catalyst Switching and Cisco IOS XE Release 3.17S (for Access
and Edge Routing) the two releases evolve (merge) into a single version of converged release—the Cisco IOS
XE 16—providing one release covering the extensive range of access and edge products in the Switching and
Routing portfolio.
Feature Information
Use Cisco Feature Navigator to find information about feature support, platform support, and Cisco software
image support. An account on Cisco.com is not required.
Related References
• Cisco IOS Command References, All Releases
Obtaining Documentation and Submitting a Service Request

• To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
• To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
• To submit a service request, visit Cisco Support.
• To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit
Cisco Marketplace.
• To obtain general networking, training, and certification titles, visit Cisco Press.
• To find warranty information for a specific product or product family, access Cisco Warranty Finder.

1
Read Me First

2
CHAPTER 2
Configuring GLBP
Gateway Load Balancing Protocol (GLBP) protects data traffic from a failed device or circuit, like Hot Standby
Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP), while allowing packet load sharing
between a group of redundant devices.
• Finding Feature Information, on page 3
• Restrictions for GLBP, on page 3
• Prerequisites for GLBP, on page 3
• Information About GLBP, on page 4
• How to Configure GLBP, on page 9
• Configuration Examples for GLBP, on page 22
• Additional References for GLBP, on page 23
• Feature Information for GLBP, on page 24
• Glossary, on page 26
Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for GLBP

Enhanced Object Tracking (EOT) is not stateful switchover (SSO)-aware and cannot be used with GLBP in
SSO mode.
Prerequisites for GLBP

Before configuring GLBP, ensure that the devices can support multiple MAC addresses on the physical
interfaces. For each GLBP forwarder to be configured, an additional MAC address is used.

3
Configuring GLBP
Information About GLBP
Information About GLBP

GLBP Overview
GLBP provides automatic device backup for IP hosts configured with a single default gateway on an IEEE
802.3 LAN. Multiple first-hop devices on the LAN combine to offer a single virtual first-hop IP device while
sharing the IP packet forwarding load. Other devices on the LAN act as redundant GLBP devices that will
become active if any of the existing forwarding devices fail.
GLBP performs a similar function for the user as HSRP and VRRP. HSRP and VRRP allow multiple devices
to participate in a virtual device group configured with a virtual IP address. One member is elected to be the
active device to forward packets sent to the virtual IP address for the group. The other devices in the group
are redundant until the active device fails. These standby devices have unused bandwidth that the protocol is
not using. Although multiple virtual device groups can be configured for the same set of devices, the hosts
must be configured for different default gateways, which results in an extra administrative burden. The
advantage of GLBP is that it additionally provides load balancing over multiple devices (gateways) using a
single virtual IP address and multiple virtual MAC addresses. The forwarding load is shared among all devices
in a GLBP group rather than being handled by a single device while the other devices stand idle. Each host
is configured with the same virtual IP address, and all devices in the virtual device group participate in
forwarding packets. GLBP members communicate between each other through hello messages sent every 3
seconds to the multicast address 224.0.0.102, UDP port 3222 (source and destination).
GLBP Packet Types

GLBP uses 3 different packet types to operate. The packet types are Hello, Request, and Reply. The Hello
packet is used to advertise protocol information. Hello packets are multicast, and are sent when any virtual
gateway or virtual forwarder is in Speak, Standby or Active state. Request and Reply packets are used for
virtual MAC assignment. They are both unicast messages to and from the active virtual gateway (AVG).
GLBP Active Virtual Gateway

Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that group. Other
group members provide backup for the AVG if the AVG becomes unavailable. The AVG assigns a virtual
MAC address to each member of the GLBP group. Each gateway assumes responsibility for forwarding
packets sent to the virtual MAC address assigned to it by the AVG. These gateways are known as active
virtual forwarders (AVFs) for their virtual MAC address.
The AVG is also responsible for answering Address Resolution Protocol (ARP) requests for the virtual IP
address. Load sharing is achieved by the AVG replying to the ARP requests with different virtual MAC
addresses.
Prior to Cisco IOS Release 15.0(1)M1 and 12.4(24)T2, when the no glbp load-balancing command is
configured, the AVG always responds to ARP requests with the MAC address of its AVF.
In Cisco IOS Release 15.0(1)M1 and 12.4(24)T2, and later releases, when the no glbp load-balancing
command is configured, if the AVG does not have an AVF, it preferentially responds to ARP requests with
the MAC address of the first listening virtual forwarder (VF), which will causes traffic to route via another
gateway until that VF migrates back to being the current AVG.
In the figure below, Router A (or Device A) is the AVG for a GLBP group, and is responsible for the virtual
IP address 10.21.8.10. Router A is also an AVF for the virtual MAC address 0007.b400.0101. Router B (or

4
Configuring GLBP
GLBP Virtual MAC Address Assignment
Device B) is a member of the same GLBP group and is designated as the AVF for the virtual MAC address
0007.b400.0102. Client 1 has a default gateway IP address of 10.21.8.10 and a gateway MAC address of
0007.b400.0101. Client 2 shares the same default gateway IP address but receives the gateway MAC address
0007.b400.0102 because Router B is sharing the traffic load with Router A.
Figure 1: GLBP Topology
If Router A becomes unavailable, Client 1 will not lose access to the WAN because Router B will assume
responsibility for forwarding packets sent to the virtual MAC address of Router A, and for responding to
packets sent to its own virtual MAC address. Router B will also assume the role of the AVG for the entire
GLBP group. Communication for the GLBP members continues despite the failure of a device in the GLBP
group.
GLBP Virtual MAC Address Assignment

A GLBP group allows up to four virtual MAC addresses per group. The AVG is responsible for assigning
the virtual MAC addresses to each member of the group. Other group members request a virtual MAC address
after they discover the AVG through hello messages. Gateways are assigned the next MAC address in sequence.
A virtual forwarder that is assigned a virtual MAC address by the AVG is known as a primary virtual forwarder.
Other members of the GLBP group learn the virtual MAC addresses from hello messages. A virtual forwarder
that has learned the virtual MAC address is referred to as a secondary virtual forwarder.
GLBP Virtual Gateway Redundancy

GLBP operates virtual gateway redundancy in the same way as HSRP. One gateway is elected as the AVG,
another gateway is elected as the standby virtual gateway, and the remaining gateways are placed in a listen
state.
If an AVG fails, the standby virtual gateway will assume responsibility for the virtual IP address. A new
standby virtual gateway is then elected from the gateways in the listen state.

5
Configuring GLBP
GLBP Virtual Forwarder Redundancy
GLBP Virtual Forwarder Redundancy

Virtual forwarder redundancy is similar to virtual gateway redundancy with an AVF. If the AVF fails, one of
the secondary virtual forwarders in the listen state assumes responsibility for the virtual MAC address.
The new AVF is also a primary virtual forwarder for a different forwarder number. GLBP migrates hosts
away from the old forwarder number using two timers that start as soon as the gateway changes to the active
virtual forwarder state. GLBP uses the hello messages to communicate the current state of the timers.
The redirect time is the interval during which the AVG continues to redirect hosts to the old virtual forwarder
MAC address. When the redirect time expires, the AVG stops using the old virtual forwarder MAC address
in ARP replies, although the virtual forwarder will continue to forward packets that were sent to the old virtual
forwarder MAC address.
The secondary holdtime is the interval during which the virtual forwarder is valid. When the secondary
holdtime expires, the virtual forwarder is removed from all gateways in the GLBP group. The expired virtual
forwarder number becomes eligible for reassignment by the AVG.
GLBP Gateway Priority

GLBP gateway priority determines the role that each GLBP gateway plays and what happens if the AVG
fails.
Priority also determines if a GLBP device functions as a backup virtual gateway and the order of ascendancy
to becoming an AVG if the current AVG fails. You can configure the priority of each backup virtual gateway
with a value of 1 through 255 using the glbp priority command.
In the "GLBP Topology" figure, if Router A (or Device A)—the AVG in a LAN topology—fails, an election
process takes place to determine which backup virtual gateway should take over. In this example, Router B
(or Device B) is the only other member in the group so it will automatically become the new AVG. If another
device existed in the same GLBP group with a higher priority, then the device with the higher priority would
be elected. If both devices have the same priority, the backup virtual gateway with the higher IP address would
be elected to become the active virtual gateway.
By default, the GLBP virtual gateway preemptive scheme is disabled. A backup virtual gateway can become
the AVG only if the current AVG fails, regardless of the priorities assigned to the virtual gateways. You can
enable the GLBP virtual gateway preemptive scheme using the glbp preempt command. Preemption allows
a backup virtual gateway to become the AVG, if the backup virtual gateway is assigned a higher priority than
the current AVG.
GLBP Gateway Weighting and Tracking

GLBP uses a weighting scheme to determine the forwarding capacity of each device in the GLBP group. The
weighting assigned to a device in the GLBP group can be used to determine whether it will forward packets
and, if so, the proportion of hosts in the LAN for which it will forward packets. Thresholds can be set to
disable forwarding when the weighting for a GLBP group falls below a certain value, and when it rises above
another threshold, forwarding is automatically reenabled.
The GLBP group weighting can be automatically adjusted by tracking the state of an interface within the
device. If a tracked interface goes down, the GLBP group weighting is reduced by a specified value. Different
interfaces can be tracked to decrement the GLBP weighting by varying amounts.
By default, the GLBP virtual forwarder preemptive scheme is enabled with a delay of 30 seconds. A backup
virtual forwarder can become the AVF if the current AVF weighting falls below the low weighting threshold

6
Configuring GLBP
GLBP MD5 Authentication
for 30 seconds. You can disable the GLBP forwarder preemptive scheme using the no glbp forwarder
preempt command or change the delay using the glbp forwarder preempt delay minimum command.
GLBP MD5 Authentication

GLBP MD5 authentication uses the industry-standard MD5 algorithm for improved reliability and security.
MD5 authentication provides greater security than the alternative plain text authentication scheme and protects
against spoofing software.
MD5 authentication allows each GLBP group member to use a secret key to generate a keyed MD5 hash that
is part of the outgoing packet. A keyed hash of an incoming packet is generated and, if the hash within the
incoming packet does not match the generated hash, the packet is ignored.
The key for the MD5 hash can either be given directly in the configuration using a key string or supplied
indirectly through a key chain. The key string cannot exceed 100 characters in length.
A device will ignore incoming GLBP packets from devices that do not have the same authentication
configuration for a GLBP group. GLBP has three authentication schemes:
• No authentication
• Plain text authentication
• MD5 authentication
GLBP packets will be rejected in any of the following cases:

• The authentication schemes differ on the device and in the incoming packet.
• MD5 digests differ on the device and in the incoming packet.
• Text authentication strings differ on the device and in the incoming packet.
ISSU-GLBP
GLBP supports In Service Software Upgrade (ISSU). ISSU allows a high-availability (HA) system to run in
Stateful Switchover (SSO) mode even when different versions of Cisco IOS software are running on the active
and standby Route Processors (RPs) or line cards.
ISSU provides the ability to upgrade or downgrade from one supported Cisco IOS release to another while
continuing to forward packets and maintain sessions, thereby reducing planned outage time. The ability to
upgrade or downgrade is achieved by running different software versions on the active RP and standby RP
for a short period of time to maintain state information between RPs. This feature allows the system to switch
over to a secondary RP running upgraded (or downgraded) software and continue forwarding packets without
session loss and with minimal or no packet loss. This feature is enabled by default.
For detailed information about ISSU, see the Cisco IOS In Service Software Upgrade Process in the Cisco
IOS High Availability Configuration Guide
For detailed information about ISSU on the 7600 series devices, see the ISSU and eFSU on Cisco 7600 Series
Routers document.

7
Configuring GLBP
GLBP SSO
GLBP SSO
With the introduction of the GLBP SSO functionality, GLBP is stateful switchover (SSO) aware. GLBP can
detect when a device is failing over to the secondary router processor (RP) and continue in its current group
state.
SSO functions in networking devices (usually edge devices) that support dual RPs. SSO provides RP redundancy
by establishing one of the RPs as the active processor and the other RP as the standby processor. SSO also
synchronizes critical state information between the RPs so that network state information is dynamically
maintained between RPs.
Without SSO-awareness, if GLBP is deployed on a device with redundant RPs, a switchover of roles between
the active RP and the standby RP results in the device relinquishing its activity as a GLBP group member and
then rejoining the group as if it had been reloaded. The GLBP SSO feature enables GLBP to continue its
activities as a group member during a switchover. GLBP state information between redundant RPs is maintained
so that the standby RP can continue the device’s activities within the GLBP during and after a switchover.
This feature is enabled by default. To disable this feature, use the no glbp sso command in global configuration
mode.
For more information, see the Stateful Swithover document in the Cisco IOS High Availability Configuration
Guide.
GLBP Benefits
Load Sharing
You can configure GLBP in such a way that traffic from LAN clients can be shared by multiple devices,
thereby sharing the traffic load more equitably among available devices.
Multiple Virtual Devices

GLBP supports up to 1024 virtual devices (GLBP groups) on each physical interface of a device and up to
four virtual forwarders per group.
Preemption
The redundancy scheme of GLBP enables you to preempt an active virtual gateway (AVG) with a higher
priority backup virtual gateway that has become available. Forwarder preemption works in a similar way,
except that forwarder preemption uses weighting instead of priority and is enabled by default.
Authentication
GLBP supports the industry-standard message digest 5 (MD5) algorithm for improved reliability, security,
and protection against GLBP-spoofing software. A device within a GLBP group with a different authentication
string than other devices will be ignored by other group members. You can alternatively use a simple text
password authentication scheme between GLBP group members to detect configuration errors.

8
Configuring GLBP
How to Configure GLBP
How to Configure GLBP

Enabling and Verifying GLBP
Perform this task to enable GLBP on an interface and verify its configuration and operation. GLBP is designed
to be easy to configure. Each gateway in a GLBP group must be configured with the same group number, and
at least one gateway in the GLBP group must be configured with the virtual IP address to be used by the
group. All other required parameters can be learned.
Before you begin

If VLANs are in use on an interface, the GLBP group number must be different for each VLAN.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. glbp group ip [ip-address [secondary]]
6. exit
7. show glbp [interface-type interface-number] [group] [state] [brief]
DETAILED STEPS
Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.
Device> enable
Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal
Step 3 interface type number Specifies an interface type and number, and enters interface
configuration mode.
Example:
Step 4 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an interface.
Example:
Device(config-if)# ip address 10.21.8.32

255.255.255.0

9
Configuring GLBP
Enabling and Verifying GLBP

Step 5 glbp group ip [ip-address [secondary]] Enables GLBP on an interface and identifies the primary
IP address of the virtual gateway.
Example:
• After you identify a primary IP address, you can use
Device(config-if)# glbp 10 ip 10.21.8.10 the glbp group ip command again with the secondary
keyword to indicate additional IP addresses supported
by this group.
Step 6 exit Exits interface configuration mode, and returns the device
to global configuration mode.
Example:
Device(config-if)# exit
Step 7 show glbp [interface-type interface-number] [group] [state] (Optional) Displays information about GLBP groups on a
[brief] device.
Example: • Use the optional brief keyword to display a single line
of information about each virtual gateway or virtual
Device(config)# show glbp 10 forwarder.
Example
In the following example, sample output is displayed about the status of the GLBP group, named
10, on the device:
Device# show glbp 10
GigabitEthernet0/0/0 - Group 10
State is Active
2 state changes, last state change 23:50:33
Virtual IP address is 10.21.8.10
Hello time 5 sec, hold time 18 sec
Next hello sent in 4.300 secs
Redirect time 600 sec, forwarder time-out 7200 sec
Authentication text "stringabc"
Preemption enabled, min delay 60 sec
Active is local
Standby is unknown
Priority 254 (configured)
Weighting 105 (configured 110), thresholds: lower 95, upper 105
Track object 2 state Down decrement 5
Load balancing: host-dependent
There is 1 forwarder (1 active)
Forwarder 1
State is Active
1 state change, last state change 23:50:15
MAC address is 0007.b400.0101 (default)
Owner ID is 0005.0050.6c08
Redirection enabled
Preemption enabled, min delay 60 sec
Active is local, weighting 105

10
Configuring GLBP
Customizing GLBP
Customizing GLBP
Customizing the behavior of GLBP is optional. Be aware that as soon as you enable a GLBP group, that group
is operating. It is possible that if you first enable a GLBP group before customizing GLBP, the device could
take over control of the group and become the AVG before you have finished customizing the feature.
Therefore, if you plan to customize GLBP, it is a good idea to do so before enabling GLBP.
SUMMARY STEPS
1. enable
5. glbp group timers [msec] hellotime [msec] holdtime
6. glbp group timers redirect redirect timeout
7. glbp group load-balancing [host-dependent | round-robin | weighted]
8. glbp group priority level
9. glbp group preempt [delay minimum seconds]
10. glbp group client-cache maximum number [timeout minutes]
11. glbp group name redundancy-name
12. exit
13. no glbp sso
DETAILED STEPS

Device> enable

Example:
Step 3 interface type number Specifies an interface type and number, and enters interface
configuration mode.
Example:
Device(config)# interface fastethernet 0/0
Step 4 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an
interface.
Example:

255.255.255.0

11
Configuring GLBP
Customizing GLBP

Step 5 glbp group timers [msec] hellotime [msec] holdtime Configures the interval between successive hello packets
sent by the AVG in a GLBP group.
Example:
• The holdtime argument specifies the interval in
Device(config-if)# glbp 10 timers 5 18 seconds before the virtual gateway and virtual
forwarder information in the hello packet is
considered invalid.
• The optional msec keyword specifies that the
following argument will be expressed in milliseconds,
instead of the default seconds.
Step 6 glbp group timers redirect redirect timeout Configures the time interval during which the AVG
continues to redirect clients to an AVF. The default is 600
Example:
seconds (10 minutes).
Device(config-if)# glbp 10 timers redirect 1800 • The timeout argument specifies the interval in seconds
28800 before a secondary virtual forwarder becomes invalid.
The default is 14,400 seconds (4 hours).
Note The zero value for the redirect argument cannot

be removed from the range of acceptable values
because preexisting configurations of Cisco IOS
software already using the zero value could be
negatively affected during an upgrade.
However, a zero setting is not recommended
and, if used, results in a redirect timer that never
expires. If the redirect timer does not expire,
and the device fails, new hosts continue to be
assigned to the failed device instead of being
redirected to the backup.
Step 7 glbp group load-balancing [host-dependent | Specifies the method of load balancing used by the GLBP
round-robin | weighted] AVG.
Example:
Device(config-if)# glbp 10 load-balancing

host-dependent
Step 8 glbp group priority level Sets the priority level of the gateway within a GLBP group.
Example: • The default value is 100.
Device(config-if)# glbp 10 priority 254
Step 9 glbp group preempt [delay minimum seconds] Configures the device to take over as AVG for a GLBP
group if it has a higher priority than the current AVG.
Example:
• This command is disabled by default.
Device(config-if)# glbp 10 preempt delay minimum
60 • Use the optional delay and minimum keywords and
the seconds argument to specify a minimum delay

12
Configuring GLBP
Configuring GLBP MD5 Authentication Using a Key String

interval in seconds before preemption of the AVG
takes place.
Step 10 glbp group client-cache maximum number [timeout (Optional) Enables the GLBP client cache.
minutes]
• This command is disabled by default.
Example:
• Use the number argument to specify the maximum
Device(config-if)# glbp 10 client-cache maximum
number of clients the cache will hold for this GLBP
1200 timeout 245 group. The range is from 8 to 2000.
• Use the optional timeout minutes keyword and
argument pair to configure the maximum amount of
time a client entry can stay in the GLBP client cache
after the client information was last updated. The
range is from 1 to 1440 minutes (one day).
Note For IPv4 networks, Cisco recommends setting

a GLBP client cache timeout value that is
slightly longer than the maximum expected
end-host Address Resolution Protocol (ARP)
cache timeout value.
Step 11 glbp group name redundancy-name Enables IP redundancy by assigning a name to the GLBP
group.
Example:
• The GLBP redundancy client must be configured with
Device(config-if)# glbp 10 name abc123 the same GLBP group name so the redundancy client
and the GLBP group can be connected.
Step 12 exit Exits interface configuration mode, and returns the device
to global configuration mode.
Example:
Step 13 no glbp sso (Optional) Disables GLBP support of SSO.

Example:
Device(config)# no glbp sso

SUMMARY STEPS
1. enable

13
Configuring GLBP
5. glbp group-number authentication md5 key-string [ 0 | 7] key

6. glbp group-number ip [ip-address [secondary]]
7. Repeat Steps 1 through 6 on each device that will communicate.
8. end
9. show glbp
DETAILED STEPS

Device> enable

Example:
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Device(config)# interface Ethernet0/1
Example:

255.255.255.0
Step 5 glbp group-number authentication md5 key-string [ 0 | Configures an authentication key for GLBP MD5
7] key authentication.
Example: • The key string cannot exceed 100 characters in length.
Device(config-if)# glbp 1 authentication md5

• No prefix to the key argument or specifying 0 means
key-string d00b4r987654321a the key is unencrypted.
• Specifying 7 means the key is encrypted. The
key-string authentication key will automatically be
encrypted if the service password-encryption global
configuration command is enabled.
Step 6 glbp group-number ip [ip-address [secondary]] Enables GLBP on an interface and identifies the primary
Example:
Device(config-if)# glbp 1 ip 10.0.0.10
Step 7 Repeat Steps 1 through 6 on each device that will —

communicate.

14
Configuring GLBP
Configuring GLBP MD5 Authentication Using a Key Chain

Step 8 end Returns to privileged EXEC mode.
Example:
Device(config-if)# end
Step 9 show glbp (Optional) Displays GLBP information.

Example: • Use this command to verify your configuration. The
key string and authentication type will be displayed if
Device# show glbp configured.

Perform this task to configure GLBP MD5 authentication using a key chain. Key chains allow a different key
string to be used at different times according to the key chain configuration. GLBP will query the appropriate
key chain to obtain the current live key and key ID for the specified key chain.
SUMMARY STEPS
1. enable
3. key chain name-of-chain
4. key key-id
5. key-string string
6. exit
7. exit
10. glbp group-number authentication md5 key-chain name-of-chain
13. end
14. show glbp
15. show key chain
DETAILED STEPS

Device> enable

Example:

15
Configuring GLBP
Step 3 key chain name-of-chain Enables authentication for routing protocols and identifies
a group of authentication keys and enters key-chain
Example:
configuration mode.
Device(config)# key chain glbp2
Step 4 key key-id Identifies an authentication key on a key chain.

Example: • The value for the key-id argument must be a number.
Device(config-keychain)# key 100
Step 5 key-string string Specifies the authentication string for a key and enters
key-chain key configuration mode.
Example:
• The value for the string argument can be 1 to 80
Device(config-keychain-key)# key-string abc123 uppercase or lowercase alphanumeric characters; the
first character cannot be a numeral.
Step 6 exit Returns to key-chain configuration mode.

Example:
Device(config-keychain-key)# exit
Step 7 exit Returns to global configuration mode.

Example:
Device(config-keychain)# exit
configuration mode.
Example:
interface.
Example:

255.255.255.0
Step 10 glbp group-number authentication md5 key-chain Configures an authentication MD5 key chain for GLBP
name-of-chain MD5 authentication.
Example: • The key chain name must match the name specified
in Step 3.
Device(config-if)# glbp 1 authentication md5
key-chain glbp2

16
Configuring GLBP
Configuring GLBP Text Authentication

Example:

communicate.
Example:

key chain and authentication type will be displayed
Device# show glbp if configured.
Step 15 show key chain (Optional) Displays authentication key information.

Example:
Device# show key chain
Configuring GLBP Text Authentication

Text authentication provides minimal security. Use MD5 authentication if security is required.
SUMMARY STEPS
1. enable
5. glbp group-number authentication text string
8. end
9. show glbp
DETAILED STEPS


17
Configuring GLBP
Configuring GLBP Weighting Values and Object Tracking
Device> enable

Example:
configuration mode.
Example:
Example:

255.255.255.0
Step 5 glbp group-number authentication text string Authenticates GLBP packets received from other devices
in the group.
Example:
• If you configure authentication, all devices within the
Device(config-if)# glbp 10 authentication text GLBP group must use the same authentication string.
stringxyz
Example:

communicate.
Example:

Example: • Use this command to verify your configuration.
Device# show glbp

GLBP weighting is used to determine whether a GLBP group can act as a virtual forwarder. Initial weighting
values can be set and optional thresholds specified. Interface states can be tracked and a decrement value set
to reduce the weighting value if the interface goes down. When the GLBP group weighting drops below a

18
Configuring GLBP
specified value, the group will no longer be an active virtual forwarder. When the weighting rises above a
specified value, the group can resume its role as an active virtual forwarder.
SUMMARY STEPS
1. enable
3. track object-number interface type number {line-protocol | ip routing}
4. exit
6. glbp group weighting maximum [lower lower] [upper upper]
7. glbp group weighting track object-number [decrement value]
8. glbp group forwarder preempt [delay minimum seconds]
9. exit
10. show track [object-number | brief] [interface [brief] | ip route [ brief] | resolution | timers]
DETAILED STEPS

Device> enable

Example:
Step 3 track object-number interface type number {line-protocol Configures an interface to be tracked where changes in the
| ip routing} state of the interface affect the weighting of a GLBP
gateway, and enters tracking configuration mode.
Example:
• This command configures the interface and
Device(config)# track 2 interface POS 6/0/0 ip corresponding object number to be used with the glbp
routing weighting track command.
• The line-protocol keyword tracks whether the
interface is up. The ip routing keywords also check
that IP routing is enabled on the interface, and an IP
address is configured.

Example:
Device(config-track)# exit
Step 5 interface type number Enters interface configuration mode.

Example:

19
Configuring GLBP
Troubleshooting GLBP
Device(config)# interface GigabitEthernet 0/0/0
Step 6 glbp group weighting maximum [lower lower] [upper Specifies the initial weighting value, and the upper and
upper] lower thresholds, for a GLBP gateway.
Example:
Device(config-if)# glbp 10 weighting 110 lower 95

upper 105
Step 7 glbp group weighting track object-number [decrement Specifies an object to be tracked that affects the weighting
value] of a GLBP gateway.
Example: • The value argument specifies a reduction in the
weighting of a GLBP gateway when a tracked object
Device(config-if)# glbp 10 weighting track 2 fails.
decrement 5
Step 8 glbp group forwarder preempt [delay minimum Configures the device to take over as AVF for a GLBP
seconds] group if the current AVF for a GLBP group falls below
its low weighting threshold.
Example:
• This command is enabled by default with a delay of
Device(config-if)# glbp 10 forwarder preempt delay 30 seconds.
minimum 60
• Use the optional delay and minimum keywords and
the seconds argument to specify a minimum delay
interval in seconds before preemption of the AVF
takes place.
Step 9 exit Returns to privileged EXEC mode.

Example:
Step 10 show track [object-number | brief] [interface [brief] | ip Displays tracking information.
route [ brief] | resolution | timers]
Example:
Device# show track 2
GLBP introduces five privileged EXEC mode commands to enable display of diagnostic output concerning
various events relating to the operation of GLBP. The debug condition glbp,debug glbp errors, debug glbp
events, debug glbp packets, and debug glbp terse commands are intended only for troubleshooting purposes
because the volume of output generated by the software can result in severe performance degradation on the
device. Perform this task to minimize the impact of using the debug glbp commands.
This procedure will minimize the load on the device created by the debug condition glbpor debug glbp
command because the console port is no longer generating character-by-character processor interrupts. If you

20
Configuring GLBP
cannot connect to a console directly, you can run this procedure via a terminal server. If you must break the
Telnet connection, however, you may not be able to reconnect because the device may be unable to respond
due to the processor load of generating the debugging output.
Before you begin

This task requires a device running GLBP to be attached directly to a console.
SUMMARY STEPS
1. enable
3. no logging console
4. Use Telnet to access a device port and repeat Steps 1 and 2.
5. end
6. terminal monitor
7. debug condition glbp interface-type interface-number group [forwarder]
8. terminal no monitor
DETAILED STEPS

Device> enable

Example:
Step 3 no logging console Disables all logging to the console terminal.

Example: • To reenable logging to the console, use thelogging
console command in global configuration mode.
Device(config)# no logging console
Step 4 Use Telnet to access a device port and repeat Steps 1 and Enters global configuration mode in a recursive Telnet
2. session, which allows the output to be redirected away from
the console port.
Step 5 end Exits to privileged EXEC mode.

Example:
Device(config)# end
Step 6 terminal monitor Enables logging output on the virtual terminal.

Example:

21
Configuring GLBP
Configuration Examples for GLBP
Device# terminal monitor
Step 7 debug condition glbp interface-type interface-number Displays debugging messages about GLBP conditions.
group [forwarder]
• Try to enter only specific debug condition glbp or
Example: debug glbp commands to isolate the output to a certain
subcomponent and minimize the load on the processor.
Device# debug condition glbp GigabitEthernet0/0/0 Use appropriate arguments and keywords to generate
1 more detailed debug information on specified
subcomponents.
• Enter the specific no debug condition glbp or no
debug glbp command when you are finished.
Step 8 terminal no monitor Disables logging on the virtual terminal.

Example:
Device# terminal no monitor
Configuration Examples for GLBP

Example: Customizing GLBP Configuration
Device(config)# interface fastethernet 0/0
Device(config-if)# ip address 10.21.8.32 255.255.255.0
Device(config-if)# glbp 10 timers 5 18
Device(config-if)# glbp 10 timers redirect 1800 28800
Device(config-if)# glbp 10 load-balancing host-dependent
Device(config-if)# glbp 10 priority 254
Device(config-if)# glbp 10 preempt delay minimum 60
Device(config-if)# glbp 10 client-cache maximum 1200 timeout 245
Example: Configuring GLBP MD5 Authentication Using Key Strings

The following example shows how to configure GLBP MD5 authentication using a key string:
Device(config)# interface Ethernet 0/1

Device(config-if)# glbp 2 authentication md5 key-string ThisStringIsTheSecretKey
Example: Configuring GLBP MD5 Authentication Using Key Chains

In the following example, GLBP queries the key chain “AuthenticateGLBP” to obtain the current live key
and key ID for the specified key chain:

22
Configuring GLBP
Example: Configuring GLBP Text Authentication
Device(config)# key chain AuthenticateGLBP

Device(config-keychain-key)# key-string ThisIsASecretKey
Device(config-if)# glbp 2 authentication md5 key-chain AuthenticateGLBP
Example: Configuring GLBP Text Authentication

Device(config-if)# glbp 10 authentication text stringxyz
Example: Configuring GLBP Weighting

In the following example, the device is configured to track the IP routing state of the POS interface 5/0/0 and
6/0/0, an initial GLBP weighting with upper and lower thresholds is set, and a weighting decrement value of
10 is set. If POS interface 5/0/0 and 6/0/0 go down, the weighting value of the device is reduced.
Device(config)# track 1 interface POS 5/0/0 ip routing

Device(config)# track 2 interface POS 6/0/0 ip routing
Device(config)# interface fastethernet 0/0/0
Device(config-if)# glbp 10 weighting 110 lower 95 upper 105
Device(config-if)# glbp 10 weighting track 1 decrement 10
Device(config-if)# glbp 10 weighting track 2 decrement 10
Device(config-if)# glbp 10 forwarder preempt delay minimum 60
Example: Enabling GLBP Configuration

In the following example, the device is configured to enable GLBP, and the virtual IP address of 10.21.8.10
is specified for GLBP group 10:

Additional References for GLBP

Related Documents
Related Topic Document Title
GLBP commands: complete command syntax, Cisco IOS IP Application Services Command Reference
command mode, command history, defaults, usage
guidelines, and examples

23
Configuring GLBP
Feature Information for GLBP
In Service Software Upgrade (ISSU) configuration "In Service Software Upgrade" process module in the
Cisco IOS High Availability Configuration Guide
Key chains and key management commands: Cisco IOS IP Routing Protocol-Independent Command
complete command syntax, command mode, Reference
command history, defaults, usage guidelines, and
examples
Object tracking "Configuring Enhanced Object Tracking" module
Stateful Switchover The "Stateful Switchover" module in the Cisco IOS

High Availability Configuration Guide
VRRP "Configuring VRRP" module
HSRP "Configuring HSRP" module
GLBP Support for IPv6 “FHRP - GLBP Support for IPv6” module
Technical Assistance
Description Link
The Cisco Support and Documentation website provides http://www.cisco.com/cisco/web/support/index.html

online resources to download documentation, software,
and tools. Use these resources to install and configure
the software and to troubleshoot and resolve technical
issues with Cisco products and technologies. Access to
most tools on the Cisco Support and Documentation
website requires a Cisco.com user ID and password.

The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

24
Configuring GLBP
Table 1: Feature Information for GLBP
Feature Name Releases Feature Configuration Information
Gateway Load GLBP protects data traffic from a failed router or circuit, like HSRP and VRRP,
Balancing while allowing packet load sharing between a group of redundant routers.
Protocol
The following commands were introduced or modified by this feature: glbp
forwarder preempt, glbp ip , glbp load-balancing , glbp name, glbp preempt
, glbp priority , glbp sso , glbp timers , glbp timers redirect, glbp weighting
, glbp weighting track, show glbp.
GLBP MD5 MD5 authentication provides greater security than the alternative plain text
Authentication authentication scheme. MD5 authentication allows each GLBP group member
to use a secret key to generate a keyed MD5 hash that is part of the outgoing
packet. A keyed hash of an incoming packet is generated and, if the hash within
the incoming packet does not match the generated hash, the packet is ignored.
The following commands were modified by this feature: glbp authentication,
show glbp.
ISSU—GLBP GLBP supports In Service Software Upgrade (ISSU). ISSU allows a

high-availability (HA) system to run in Stateful Switchover (SSO) mode even
when different versions of Cisco IOS software are running on the active and
standby Route Processors (RPs) or line cards.
This feature provides customers with the same level of HA functionality for
planned outages due to software upgrades as is available with SSO for unplanned
outages. That is, the system can switch over to a secondary RP and continue
forwarding packets without session loss and with minimal or no packet loss.
This feature is enabled by default.
There are no new or modified commands for this feature.
SSO—GLBP GLBP is now SSO aware. GLBP can detect when a router is failing over to the
secondary RP and continue in its current GLBP group state.
Prior to being SSO aware, GLBP was not able to detect that a second RP was
installed and configured to take over in the event that the primary RP failed. When
the primary failed, the GLBP device would stop participating in the GLBP group
and, depending on its role, could trigger another router in the group to take over
as the active router. With this enhancement, GLBP detects the failover to the
secondary RP and no change occurs to the GLBP group. If the secondary RP fails
and the primary is still not available, then the GLBP group detects this and
re-elects a new active GLBP router.
The following commands were introduced or modified by this feature: debug
glbp events,glbp sso, show glbp.

25
Configuring GLBP
Glossary
Glossary
active RP—The Route Processor (RP) controls the system, provides network services, runs routing protocols
and presents the system management interface.
AVF—active virtual forwarder. One virtual forwarder within a GLBP group is elected as active virtual
forwarder for a specified virtual MAC address, and it is responsible for forwarding packets sent to that MAC
address. Multiple active virtual forwarders can exist for each GLBP group.
AVG—active virtual gateway. One virtual gateway within a GLBP group is elected as the active virtual
gateway, and is responsible for the operation of the protocol.
GLBP gateway—Gateway Load Balancing Protocol gateway. A router or gateway running GLBP. Each
GLBP gateway may participate in one or more GLBP groups.
GLBP group—Gateway Load Balancing Protocol group. One or more GLBP gateways configured with the
same GLBP group number on connected Ethernet interfaces.
ISSU—In Service Software Upgrade. A process that allows Cisco IOS XE software to be updated or otherwise
modified while packet forwarding continues. In most networks, planned software upgrades are a significant
cause of downtime. ISSU allows software to be modified while packet forwarding continues, which increases
network availability and reduces downtime caused by planned software upgrades.
NSF—nonstop forwarding. The ability of a router to continue to forward traffic to a router that may be
recovering from a failure. Also, the ability of a router recovering from a failure to continue to correctly forward
traffic sent to it by a peer.
RP—Route Processor. A generic term for the centralized control unit in a chassis. Platforms usually use a
platform-specific term, such as RSP on the Cisco 7500, the PRE on the Cisco 10000, or the SUP+MSFC on
the Cisco 7600.
RPR—Route Processor Redundancy. RPR provides an alternative to the High System Availability (HSA)
feature. HSA enables a system to reset and use a standby Route Processor (RP) if the active RP fails. Using
RPR, you can reduce unplanned downtime because RPR enables a quicker switchover between an active and
standby RP if the active RP experiences a fatal error.
RPR+—An enhancement to RPR in which the standby RP is fully initialized.
SSO—Stateful Switchover. Enables applications and features to maintain state information between an active
and standby unit.
standby RP—An RP that has been fully initialized and is ready to assume control from the active RP should
a manual or fault-induced switchover occur.
switchover—An event in which system control and routing protocol execution are transferred from the active
RP to the standby RP. Switchover may be a manual operation or may be induced by a hardware or software
fault. Switchover may include transfer of the packet forwarding function in systems that combine system
control and packet forwarding in an indivisible unit.
vIP—virtual IP address. An IPv4 address. There must be only one virtual IP address for each configured
GLBP group. The virtual IP address must be configured on at least one GLBP group member. Other GLBP
group members can learn the virtual IP address from hello messages.

26
CHAPTER 3
HSRP for IPv6
IPv6 routing protocols ensure device-to-device resilience and failover. However, in situations in which the
path between a host and the first-hop device fails, or the first-hop device itself fails, first hop redundancy
protocols (FHRPs) ensure host-to-device resilience and failover.
The Hot Standby Router Protocol (HSRP) protects data traffic in case of a gateway failure.
• Prerequisites for HSRP for IPv6, on page 27
• Information About HSRP for IPv6, on page 28
• How to Enable HSRP for IPv6, on page 28
• Configuration Examples for HSRP for IPv6, on page 31
• Additional References, on page 33
• Feature Information for HSRP for IPv6, on page 34

Prerequisites for HSRP for IPv6

HSRP version 2 must be enabled on an interface before HSRP for IPv6 can be configured.

27
HSRP for IPv6
Information About HSRP for IPv6
Information About HSRP for IPv6

HSRP for IPv6 Overview
The HSRP is an FHRP designed to allow for transparent failover of the first-hop IP device. HSRP provides
high network availability by providing first-hop routing redundancy for IP hosts on Ethernet configured with
a default gateway IP address. HSRP is used in a group of devices for selecting an active device and a standby
device. In a group of device interfaces, the active device is the device of choice for routing packets; the standby
device is the device that takes over when the active device fails or when preset conditions are met.
IPv6 hosts learn of available IPv6 devices through IPv6 neighbor discovery RA messages. These are multicast
periodically, or may be solicited by hosts. HSRP is designed to provide only a virtual first hop for IPv6 hosts.
An HSRP IPv6 group has a virtual MAC address that is derived from the HSRP group number, and a virtual
IPv6 link-local address that is, by default, derived from the HSRP virtual MAC address. Periodic RAs are
sent for the HSRP virtual IPv6 link-local address when the HSRP group is active. These RAs stop after a final
RA is sent when the group leaves the active state.
Periodic RAs for the interface link-local address stop after a final RA is sent while at least one virtual IPv6
link-local address is configured on the interface. No restrictions occur for the interface IPv6 link-local address
other than that mentioned for the RAs. Other protocols continue to receive and send packets to this address.
HSRP uses a priority mechanism to determine which HSRP configured device is to be the default active
device. To configure a device as the active device, you assign it a priority that is higher than the priority of
all the other HSRP-configured devices. The default priority is 100, so if you configure just one device to have
a higher priority, that device will be the default active device.
HSRP IPv6 Virtual MAC Address Range

HSRP IPv6 uses a different virtual MAC address block than does HSRP for IP:
0005.73A0.0000 through 0005.73A0.0FFF (4096 addresses)
HSRP IPv6 UDP Port Number

Port number 2029 has been assigned to HSRP IPv6.
How to Enable HSRP for IPv6

Enabling an HSRP Group for IPv6 Operation
HSRP version 2 must be enabled on an interface before HSRP IPv6 can be configured.

28
HSRP for IPv6
Enabling HSRP Version 2
Enabling HSRP Version 2
SUMMARY STEPS
1. enable
4. standby version {1 | 2}
DETAILED STEPS

Device> enable

Example:
Step 3 interface type number Specifies an interface type and number, and places the
device in interface configuration mode.
Example:
Step 4 standby version {1 | 2} Changes the version of the HSRP.

Example: • Version 1 is the default.
Device(config-if)# standby version 2
Enabling and Verifying an HSRP Group for IPv6 Operation

In this task, when you enter the standby ipv6 command, a link-local address is generated from the link-local
prefix, and a modified EUI-64 format interface identifier is generated in which the EUI-64 interface identifier
is created from the relevant HSRP virtual MAC address.
A link-local address is an IPv6 unicast address that can be automatically configured on any interface using
the link-local prefix FE80::/10 (1111 1110 10) and the interface identifier in the modified EUI-64 format.
Link-local addresses are used in the stateless autoconfiguration process. Nodes on a local link can use link-local
addresses to communicate; the nodes do not need site-local or globally unique addresses to communicate.
In IPv6, a device on the link advertises in RA messages any site-local and global prefixes, and its willingness
to function as a default device for the link. RA messages are sent periodically and in response to router
solicitation messages, which are sent by hosts at system startup.
A node on the link can automatically configure site-local and global IPv6 addresses by appending its interface
identifier (64 bits) to the prefixes (64 bits) included in the RA messages. The resulting 128-bit IPv6 addresses
configured by the node are then subjected to duplicate address detection to ensure their uniqueness on the

29
HSRP for IPv6
Enabling and Verifying an HSRP Group for IPv6 Operation
link. If the prefixes advertised in the RA messages are globally unique, then the IPv6 addresses configured
by the node are also guaranteed to be globally unique. Router solicitation messages, which have a value of
133 in the Type field of the ICMP packet header, are sent by hosts at system startup so that the host can
immediately autoconfigure without needing to wait for the next scheduled RA message.
SUMMARY STEPS
1. enable
3. ipv6 unicast-routing
5. standby [group-number] ipv6 {link-local-address | autoconfig}
6. standby [group-number] preempt [delay minimum seconds | reload seconds | sync seconds]
7. standby [group-number] priority priority
8. exit
9. show standby [type number [group]] [all | brief]
10. show ipv6 interface [brief] [interface-type interface-number] [prefix]
DETAILED STEPS

Device> enable

Example:
Step 3 ipv6 unicast-routing Enables the forwarding of IPv6 unicast datagrams.

Example: • The ipv6 unicast-routing command must be enabled
for HSRP for IPv6 to work.
Device(config)# ipv6 unicast-routing
Step 4 interface type number Specifies an interface type and number, and places the
device in interface configuration mode.
Example:
Step 5 standby [group-number] ipv6 {link-local-address | Activates the HSRP in IPv6.

autoconfig}
Example:
Device(config-if)# standby 1 ipv6 autoconfig

30
HSRP for IPv6
Configuration Examples for HSRP for IPv6

Step 6 standby [group-number] preempt [delay minimum Configures HSRP preemption and preemption delay.
seconds | reload seconds | sync seconds]
Example:
Device(config-if)# standby 1 preempt
Step 7 standby [group-number] priority priority Configures HSRP priority.

Example:
Device(config-if)# standby 1 priority 110
Step 8 exit Returns the device to privileged EXEC mode.

Example:
Step 9 show standby [type number [group]] [all | brief] Displays HSRP information.
Example:
Device# show standby
Step 10 show ipv6 interface [brief] [interface-type Displays the usability status of interfaces configured for
interface-number] [prefix] IPv6.
Example:
Device# show ipv6 interface GigabitEthernet 0/0/0
Configuration Examples for HSRP for IPv6

Example: Configuration and Verification for an HSRP Group
The following example shows configuration and verification for an HSRP group for IPv6 that consists
of Device1 and Device2. The show standby command is issued for each device to verify the device's
configuration:
Device 1 configuration
interface FastEthernet0/0.100
description DATA VLAN for PCs
encapsulation dot1Q 100
ipv6 address 2001:DB8:CAFE:2100::BAD1:1010/64
standby version 2
standby 101 priority 120
standby 101 preempt delay minimum 30
standby 101 authentication ese
standby 101 track Serial0/1/0.17 90
standby 201 ipv6 autoconfig

31
HSRP for IPv6
Example: Configuration and Verification for an HSRP Group
standby 201 preempt delay minimum 30

standby 201 track Serial0/1/0.17 90
Device1# show standby
FastEthernet0/0.100 - Group 101 (version 2)
State is Active
2 state changes, last state change 5w5d
Active virtual MAC address is 0000.0c9f.f065
Local virtual MAC address is 0000.0c9f.f065 (v2 default)
Authentication text "ese"
Preemption enabled, delay min 30 secs
Active router is local
Priority 120 (configured 120)
Track interface Serial0/1/0.17 state Up decrement 90
IP redundancy name is "hsrp-Fa0/0.100-101" (default)
State is Active
Virtual IP address is FE80::5:73FF:FEA0:C9
Active virtual MAC address is 0005.73a0.00c9
Local virtual MAC address is 0005.73a0.00c9 (v2 IPv6 default)
Standby router is FE80::20F:8FFF:FE37:3B70, priority 100 (expires in 7.856 sec)
Track interface Serial0/1/0.17 state Up decrement 90
Device 2 configuration
interface FastEthernet0/0.100
description DATA VLAN for Computers
encapsulation dot1Q 100
ipv6 address 2001:DB8:CAFE:2100::BAD1:1020/64
standby version 2
standby 101 preempt
standby 201 ipv6 autoconfig
standby 201 preempt
Device2# show standby
State is Standby
Active virtual MAC address is 0000.0c9f.f065
Local virtual MAC address is 0000.0c9f.f065 (v2 default)
Preemption enabled
MAC address is 0012.7fc6.8f0c
Standby router is local
Priority 100 (default 100)
State is Standby
Virtual IP address is FE80::5:73FF:FEA0:C9
Active virtual MAC address is 0005.73a0.00c9
Local virtual MAC address is 0005.73a0.00c9 (v2 IPv6 default)

32
HSRP for IPv6
Additional References

Preemption enabled
Active router is FE80::212:7FFF:FEC6:8F0C, priority 120 (expires in 7.548 sec)
MAC address is 0012.7fc6.8f0c
Standby router is local
Priority 100 (default 100)
Related Documents
Cisco IOS commands Cisco IOS Master Commands List, All Releases
VRRP commands Cisco IOS IP Application Services Command Reference
Object tracking Configuring Enhanced Object Tracking
Hot Standby Routing Protocol (HSRP) Configuring HSRP
In Service Software Upgrace (ISSU) "In Service Software Upgrade Process" in the High Availability
Configuration Guide
Gateway Load Balancing Protocol (GLBP) Configuring GLBP
Stateful Switchover The Stateful Switchover section in theHigh Availability

Configuration Guide
Standards
Standards Title
No new or modified standards are supported by this feature, and support for existing standards has not —
been modified by this feature.
MIBs
MIBs MIBs Link
VRRP MIB To locate and download MIBs for selected platforms, Cisco software releases, and feature sets,
use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs

33
HSRP for IPv6
Feature Information for HSRP for IPv6
RFCs
RFCs Title
RFC 2338 Virtual Router Redundancy Protocol
RFC 2787 Definitions of Managed Objects for the Virtual Router Redundancy Protocol
RFC 3768 Virtual Router Redundancy Protocol (VRRP)
Description Link

Feature Information for HSRP for IPv6

Table 2: Feature Information for HSRP for IPv6
Feature Name Releases Feature Information
HSRP for IPv6 Cisco IOS XE Release 3.1S The HSRP is an FHRP designed to
allow for transparent failover of the
Cisco IOS XE Release 3.9S
first-hop IPv6 router.
The following commands were
introduced or modified: show
standby, standby ipv6, standby
preempt, standby priority.
ISSU - HSRPv6 on VRF Interfaces Cisco IOS XE Release 3.1S This feature is supported in Cisco
IOS XE Release 3.1S.
NSF/SSO - HSRPv6 on VRF Cisco IOS XE Release 3.1S This feature is supported in Cisco
Interfaces IOS XE Release 3.1S.

34
HSRP for IPv6
Glossary
Glossary
• CPE --Customer premises equipment
• FHRP --First hop redundancy protocol
• GLBP --Gateway load balancing protocol
• HSRP --Hot standby routing protocol
• NA --Neighbor advertisement
• ND --Neighbor Discovery
• NS --Neighbor solicitation
• PE --Provider equipment
• RA --Router advertisement
• RS --Router solicitation

35
HSRP for IPv6
Glossary

36
CHAPTER 4
Configuring HSRP
The Hot Standby Router Protocol (HSRP) is a First Hop Redundancy Protocol (FHRP) designed to allow for
transparent failover of the first-hop IP device. HSRP provides high network availability by providing first-hop
routing redundancy for IP hosts on networks configured with a default gateway IP address. HSRP is used in
a group of routers for selecting an active device and a standby device. In a group of device interfaces, the
active device is the device of choice for routing packets; the standby device is the device that takes over when
the active device fails or when preset conditions are met.
• Restrictions for HSRP, on page 37
• Information About HSRP, on page 38
• How to Configure HSRP, on page 52
• Configuration Examples for HSRP, on page 85
• Feature Information for HSRP, on page 95

Restrictions for HSRP

• HSRP is designed for use over multiaccess, multicast, or broadcast capable Ethernet LANs. HSRP is not
intended as a replacement for existing dynamic protocols.

37
Configuring HSRP
Information About HSRP
Information About HSRP

HSRP Operation
Most IP hosts have an IP address of a single device configured as the default gateway. When HSRP is used,
the HSRP virtual IP address is configured as the host’s default gateway instead of the IP address of the device.
HSRP is useful for hosts that do not support a discovery protocol (such as ICMP Router Discovery Protocol
[IRDP]) and cannot switch to a new device when their selected device reloads or loses power. Because existing
TCP sessions can survive the failover, this protocol also provides a more transparent recovery for hosts that
dynamically choose a next hop for routing IP traffic.
When HSRP is configured on a network segment, it provides a virtual MAC address and an IP address that
is shared among a group of devices running HSRP. The address of this HSRP group is referred to as the virtual
IP address. One of these devices is selected by the protocol to be the active device. The active device receives
and routes packets destined for the MAC address of the group. For n devices running HSRP, n+ 1 IP and
MAC addresses are assigned.
HSRP detects when the designated active device fails, at which point a selected standby device assumes
control of the MAC and IP addresses of the Hot Standby group. A new standby device is also selected at that
time.
HSRP uses a priority mechanism to determine which HSRP configured device is to be the default active
device. To configure a device as the active device, you assign it a priority that is higher than the priority of
all the other HSRP-configured devices. The default priority is 100, so if you configure just one device to have
a higher priority, that device will be the default active device.
Devices that are running HSRP send and receive multicast UDP-based hello messages to detect device failure
and to designate active and standby devices. When the active device fails to send a hello message within a
configurable period of time, the standby device with the highest priority becomes the active device. The
transition of packet forwarding functions between devices is completely transparent to all hosts on the network.
You can configure multiple Hot Standby groups on an interface, thereby making fuller use of redundant
devices and load sharing.
The figure below shows a network configured for HSRP. By sharing a virtual MAC address and IP address,
two or more devices can act as a single virtual router. The virtual device does not physically exist but represents
the common default gateway for devices that are configured to provide backup to each other. You do not need
to configure the hosts on the LAN with the IP address of the active device. Instead, you configure them with
the IP address (virtual IP address) of the virtual device as their default gateway. If the active device fails to
send a hello message within the configurable period of time, the standby device takes over and responds to
the virtual addresses and becomes the active device, assuming the active device duties.

38
Configuring HSRP
HSRP Version 2 Design
Figure 2: HSRP Topology

HSRP version 2 is designed to address the following restrictions in HSRP version 1:
• In HSRP version 1, millisecond timer values are not advertised or learned. HSRP version 2 advertises
and learns millisecond timer values. This change ensures stability of the HSRP groups in all cases.
• In HSRP version 1, group numbers are restricted to the range from 0 to 255. HSRP version 2 expands
the group number range from 0 to 4095.
• HSRP version 2 provides improved management and troubleshooting. With HSRP version 1, you cannot
use HSRP active hello messages to identify which physical device sent the message because the source
MAC address is the HSRP virtual MAC address. The HSRP version 2 packet format includes a 6-byte
identifier field that is used to uniquely identify the sender of the message. Typically, this field is populated
with the interface MAC address.
• The multicast address 224.0.0.2 is used to send HSRP hello messages. This address can conflict with
Cisco Group Management Protocol (CGMP) leave processing.
Version 1 is the default version of HSRP.

HSRP version 2 uses the new IP multicast address 224.0.0.102 to send hello packets instead of the multicast
address of 224.0.0.2, used by HSRP version 1. This new multicast address allows CGMP leave processing to
be enabled at the same time as HSRP.
HSRP version 2 permits an expanded group number range, 0 to 4095, and consequently uses a new MAC
address range 0000.0C9F.F000 to 0000.0C9F.FFFF. The increased group number range does not imply that
an interface can, or should, support that many HSRP groups. The expanded group number range was changed
to allow the group number to match the VLAN number on subinterfaces.
When the HSRP version is changed, each group will reinitialize because it now has a new virtual MAC address.

39
Configuring HSRP
HSRP Configuration Changes
HSRP version 2 has a different packet format than HSRP version 1. The packet format uses a type-length-value
(TLV) format. HSRP version 2 packets received by an HSRP version 1 device will have the type field mapped
to the version field by HSRP version 1 and subsequently ignored.
The Gateway Load Balancing Protocol (GLBP) also addresses the same restrictions relative to HSRP version
1 that HSRP version 2 does. See the Configuring GLBP document for more information on GLBP.
Jitter timers
Jitter timers are used in HSRP. They are recommended for timers running on services that work realtime and
scale. Jitter timers are intended to significantly improve the reliability of HSRP, and other FHRP protocols,
by reducing the chance of bunching of HSRP groups operations, and thus help reduce CPU and network traffic
spikes. In the case of HSRP, a given device may have up to 4000 operational groups configured. In order to
distribute the load on the device and network, the HSRP timers use a jitter. A given timer instance may take
up to 20% more than the configured value. For example, for a hold time set to 15 seconds, the actual hold
time may take 18 seconds.
In HSRP, the Hello timer (which sends the Hello Packet) has a negative Jitter, while the Holddown timer
(which checks for failure of a peer) has a positive jitter.
HSRP Configuration Changes

With CSCsv12265, an HSRP group may be configured with a virtual IP address that matches the subnet of
an IP address of a secondary interface.
When the virtual IP address of an HSRP group is configured with the same network ID as a secondary interface
IP address, the source address of HSRP messages is automatically set to the most appropriate interface address.
This configuration change allows the following configuration:
interface Ethernet1/0
ip address 192.168.1.1 255.255.255.0
ip address 192.168.2.1 255.255.255.0 secondary
standby 1 ip 192.168.1.254
standby 1 preempt
standby 2 ip 192.168.2.254 !Same network ID as secondary interface
Prior to CSCsv12265, an HSRP group remained in INIT state unless the HSRP virtual IP address had the
same network ID as the primary interface address.
In addition, the following warning message is displayed if an HSRP group address is configured when no
interface addresses are configured:
% Warning: address is not within a subnet on this interface
HSRP Benefits
Redundancy
HSRP employs a redundancy scheme that is time proven and deployed extensively in large networks.
Fast Failover
HSRP provides transparent fast failover of the first-hop device.

40
Configuring HSRP
HSRP Groups and Group Attributes
Preemption
Preemption allows a standby device to delay becoming active for a configurable amount of time.
Authentication
HSRP message digest 5 (MD5) algorithm authentication protects against HSRP-spoofing software and uses
the industry-standard MD5 algorithm for improved reliability and security.
HSRP Groups and Group Attributes

You can use the CLI to apply group attributes to:
• A single HSRP group—performed in interface configuration mode and applies to a group.
• All groups on the interface—performed in interface configuration mode and applies to all groups on the
interface.
• All groups on all interfaces—performed in global configuration mode and applies to all groups on all
interfaces.
HSRP Preemption
When a newly reloaded device becomes HSRP active, and there is already an HSRP active device on the
network, HSRP preemption may appear to not function. HSRP preemption may appear not function correctly
because the new HSRP active device did not receive any hello packets from the current HSRP active device,
and the preemption configuration never factored into the new device's decision making.
HSRP may appear to not function on some larger hardware platforms where there can be a delay in an interface
receiving packets.
In general, we recommend that all HSRP devices have the following configuration:
standby delay minimum 30 reload 60
The standby delay minimum reload interface configuration command delays HSRP groups from initializing
for the specified time after the interface comes up.
This is a different command than the standby preempt delay interface configuration command, which enables
HSRP preemption delay.
HSRP Priority and Preemption

Preemption enables the HSRP router with the highest priority to immediately become the active router. Priority
is determined first by the configured priority value, and then by the IP address. In case of ties, the primary IP
addresses are compared, and the higher IP address has priority. In each case, a higher value is of greater
priority. If you do not use the standby preempt interface configuration command in the configuration for a
router, that router will not become the active router, even if its priority is higher than all other routers.
A standby router with equal priority but a higher IP address will not preempt the active router.
When a router first comes up, it does not have a complete routing table. You can set a preemption delay that
allows preemption to be delayed for a configurable time period. This delay period allows the router to populate
its routing table before becoming the active router.

41
Configuring HSRP
How Object Tracking Affects the Priority of an HSRP Device
If preemption is not enabled, then a router may appear to preempt the active router if it does not receive any
Hello messages from the active router.

The priority of a device can change dynamically if it has been configured for object tracking and the object
that is being tracked goes down. The tracking process periodically polls the tracked objects and notes any
change of value. The changes in the tracked object are communicated to HSRP, either immediately or after
a specified delay. The object values are reported as either up or down. Examples of objects that can be tracked
are the line protocol state of an interface or the reachability of an IP route. If the specified object goes down,
the HSRP priority is reduced. The HSRP device with the higher priority can become the active device if it
has the standby preempt command configured.
HSRP Addressing
HSRP devices communicate between each other by exchanging HSRP hello packets. These packets are sent
to the destination IP multicast address 224.0.0.2 (reserved multicast address used to communicate to all
devices) on UDP port 1985. The active device sources hello packets from its configured IP address and the
HSRP virtual MAC address while the standby device sources hellos from its configured IP address and the
interface MAC address, which may or may not be the burned-in MAC address (BIA).
Because hosts are configured with their default gateway as the HSRP virtual IP address, hosts must communicate
with the MAC address associated with the HSRP virtual IP address. This MAC address will be a virtual MAC
address in the format of 0000.0C07.ACxy, where xy is the HSRP group number in hexadecimal based on the
respective interface. For example, HSRP group one will use the HSRP virtual MAC address of
0000.0C07.AC01. Hosts on the adjoining LAN segment use the normal Address Resolution Protocol (ARP)
process to resolve the associated MAC addresses.
address of 224.0.0.2, which is used by version 1. This new multicast address allows Cisco Group Management
Protocol (CGMP) leave processing to be enabled at the same time as HSRP.
address range 0000.0C9F.F000 to 0000.0C9F.FFFF.
HSRP Virtual MAC Addresses and BIA MAC Addresses

A device automatically generates a virtual MAC address for each HSRP device. However, some network
implementations, such as Advanced Peer-to-Peer Networking (APPN), use the MAC address to identify the
first hop for routing purposes. In this case, specify the virtual MAC address by using the standby mac-address
command in the group; the virtual IP address is unimportant for these protocols.
The standby use-bia command was implemented to overcome the limitations of using a functional address
for the HSRP MAC address on Token Ring interfaces. This command allows HSRP groups to use the burned-in
MAC address of an interface instead of the HSRP virtual MAC address. When HSRP runs on a multiple-ring,
source-routed bridging environment and the HSRP devices reside on different rings, configuring the standby
use-bia command can prevent confusion about the routing information field (RFI).
The standby use-bia command is used for an interface and the standby mac-address command is used for
an HSRP group.

42
Configuring HSRP
HSRP Timers
HSRP Timers
For HSRP version 1, nonactive devices learn timer values from the active device, unless millisecond timer
values are being used. If millisecond timer values are being used, all devices must be configured with the
millisecond timer values. This rule applies if either the hello time or the hold time is specified in milliseconds.
This configuration is necessary because the HSRP hello packets advertise the timer values in seconds. HSRP
version 2 does not have this limitation; it advertises the timer values in milliseconds.
Jitter timers
HSRP MAC Refresh Interval

When HSRP runs over FDDI, you can change the interval at which a packet is sent to refresh the MAC cache
on learning bridges and switches. HSRP hello packets on FDDI interfaces use the burned-in address (BIA)
instead of the MAC virtual address. Refresh packets keep the MAC cache on switches and learning bridges
current. Refresh packets are also used for HSRP groups configured as multigroup slaves because these do not
send regular Hello messages.
You can change the refresh interval on FDDI rings to a longer or shorter interval, thereby using bandwidth
more efficiently. You can prevent the sending of any MAC refresh packets if you do not need them (if you
have FDDI but do not have a learning bridge or switch).
HSRP Text Authentication

HSRP ignores unauthenticated HSRP protocol messages. The default authentication type is text authentication.
HSRP authentication protects against false HSRP hello packets causing a denial-of-service attack. For example,
Device A has a priority of 120 and is the active device. If a host sends spoof HSRP hello packets with a priority
of 130, then Device A stops being the active device. If Device A has authentication configured such that the
spoof HSRP hello packets are ignored, Device A will remain the active device
HSRP packets will be rejected in any of the following cases:
• The authentication schemes differ on the device and in the incoming packets.
HSRP MD5 Authentication

Before the introduction of HSRP MD5 authentication, HSRP authenticated protocol packets with a simple
plain text string. HSRP MD5 authentication is an enhancement to generate an MD5 digest for the HSRP

43
Configuring HSRP
HSRP Support for IPv6
portion of the multicast HSRP protocol packet. This functionality provides added security and protects against
the threat from HSRP-spoofing software.
MD5 authentication provides greater security than the alternative plain text authentication scheme. MD5
authentication allows each HSRP group member to use a secret key to generate a keyed MD5 hash that is part
of the outgoing packet. A keyed hash of an incoming packet is generated and if the hash within the incoming
packet does not match the generated hash, the packet is ignored.
The key for the MD5 hash can be either given directly in the configuration using a key string or supplied
indirectly through a key chain.
HSRP has two authentication schemes:
spoof HSRP hello packets are ignored, Device A will remain the active device.
HSRP Support for IPv6

Most IPv4 hosts have a single router’s IP address configured as the default gateway. When HSRP is used,
then the HSRP virtual IP address is configured as the host’s default gateway instead of the router’s IP address.
Simple load sharing may be achieved by using two HSRP groups and configuring half the hosts with one
virtual IP address and half the hosts with the other virtual IP address.
In contrast, IPv6 hosts learn of available IPv6 routers through IPv6 neighbor discovery Router Advertisement
(RA) messages. These are multicast periodically, or may be solicited by hosts. HSRP is designed to provide
only a virtual first hop for IPv6 hosts.
An HSRP IPv6 group has a virtual MAC address that is derived from the HSRP group number, and a virtual
IPv6 link-local address that is, by default, derived from the HSRP virtual MAC address. HSRP IPv6 uses the
MAC address range 0005.73A0.0000 to 0005.73A0.0FFF. Periodic RAs are sent for the HSRP virtual IPv6
link-local address when the HSRP group is active. These RAs stop after a final RA is sent when the group
leaves the active state.
Periodic RAs for the interface link-local address stop after a final RA is sent while at least one virtual IPv6
link-local address is configured on the interface. No restrictions occur for the interface IPv6 link-local address
other than that mentioned for the RAs. Other protocols continue to receive and send packets to this address.
HSRP uses a priority mechanism to determine which HSRP configured router is to be the default active router.
To configure a router as the active router, you assign it a priority that is higher than the priority of all the other
HSRP-configured routers. The default priority is 100, so if you configure just one router to have a higher
priority, that router will be the default active router.

44
Configuring HSRP
HSRP Messages and States
For more information see the "Configuring First Hop Redundancy Protocols in IPv6" chapter of the Cisco
IOS IPv6 Configuration Guide.
HSRP Messages and States

Devices configured with HSRP exchange three types of multicast messages:
• Coup—When a standby device wants to assume the function of the active device, it sends a coup message.
• Hello—The hello message conveys to other HSRP device the HSRP priority and state information of
the device.
• Resign—A device that is the active device sends this message when it is about to shut down or when a
device that has a higher priority sends a hello or coup message.
At any time, a device configured with HSRP is in one of the following states:
• Active—The device is performing packet-transfer functions.
• Init or Disabled—The device is not yet ready or able to participate in HSRP, possibly because the
associated interface is not up. HSRP groups configured on other devices on the network that are learned
via snooping are displayed as being in the Init state. Locally configured groups with an interface that is
down or groups without a specified interface IP address appear in the Init state.
• Learn—The device has not determined the virtual IP address and has not yet seen an authenticated hello
message from the active device. In this state, the device still waits to hear from the active device.
• Listen—The device is receiving hello messages.
• Speak—The device is sending and receiving hello messages.
• Standby—The device is prepared to assume packet-transfer functions if the active device fails.
HSRP uses logging Level 5 for syslog messages related to HSRP state changes to allow logging of an event
without filling up the syslog buffer on the device with low-priority Level 6 messaging.
HSRP Group Linking to IP Redundancy Clients

HSRP provides stateless redundancy for IP routing. HSRP by itself is limited to maintaining its own state.
Linking an IP redundancy client to an HSRP group provides a mechanism that allows HSRP to provide a
service to client applications so they can implement stateful failover.
IP redundancy clients are other Cisco IOS processes or applications that use HSRP to provide or withhold a
service or resource dependent upon the state of the group.
HSRP groups have a default name of hsrp-interface-group so specifying a group name is optional. For
example, Group 1 on Ethernet0/0 has a default group name of "hsrp-Et0/0-1."
HSRP Object Tracking

Object tracking separates the tracking mechanism from HSRP and creates a separate standalone tracking
process that can be used by any other process as well as HSRP. The priority of a device can change dynamically
when it has been configured for object tracking and the object that is being tracked goes down. Examples of

45
Configuring HSRP
HSRP Group Shutdown
objects that can be tracked are the line protocol state of an interface or the reachability of an IP route. If the
specified object goes down, the HSRP priority is reduced.
A client process such as HSRP, Virtual Router Redundancy Protocol (VRRP), or Gateway Load Balancing
Protocol (GLBP) can register its interest in tracking objects and then be notified when the tracked object
changes state.
For more information about object tracking, see the "Configuring Enhanced Object Tracking" document.
HSRP Group Shutdown

The FHRP—HSRP Group Shutdown feature enables you to configure an HSRP group to become disabled
(its state changed to Init) instead of having its priority decremented when a tracked object goes down. Use
the standby track command with the shutdown keyword to configure HSRP group shutdown.
If an object is already being tracked by an HSRP group, you cannot change the configuration to use the HSRP
Group Shutdown feature. You must first remove the tracking configuration using the no standby track
command and then reconfigure it using the standby track command with the shutdown keyword.
HSRP Support for ICMP Redirect Messages

By default, HSRP filtering of Internet Control Message Protocol (ICMP) redirect messages is enabled on
devices running HSRP.
ICMP is a network layer Internet protocol that provides message packets to report errors and other information
relevant to IP processing. ICMP can send error packets to a host and can send redirect packets to a host.
When HSRP is running, preventing hosts from discovering the interface (or real) IP addresses of devices in
the HSRP group is important. If a host is redirected by ICMP to the real IP address of a device, and that device
later fails, then packets from the host will be lost.
ICMP redirect messages are automatically enabled on interfaces configured with HSRP. This functionality
works by filtering outgoing ICMP redirect messages through HSRP, where the next hop IP address may be
changed to an HSRP virtual IP address.
ICMP Redirects to Active HSRP Devices

The next-hop IP address is compared to the list of active HSRP devices on that network; if a match is found,
then the real next-hop IP address is replaced with a corresponding virtual IP address and the redirect message
is allowed to continue.
If no match is found, then the ICMP redirect message is sent only if the device corresponding to the new next
hop IP address is not running HSRP. Redirects to passive HSRP devices are not allowed (a passive HSRP
device is a device running HSRP, but which contains no active HSRP groups on the interface).
For optimal operation, every device in a network that is running HSRP should contain at least one active
HSRP group on an interface to that network. Every HSRP device need not be a member of the same group.
Each HSRP device will snoop on all HSRP packets on the network to maintain a list of active devices (virtual
IP addresses versus real IP addresses).
Consider the network shown in the figure below, which supports the HSRP ICMP redirection filter.

46
Configuring HSRP
Figure 3: Network Supporting the HSRP ICMP Redirection Filter
If the host wants to send a packet to another host on Net D, then it first sends it to its default gateway, the
virtual IP address of HSRP group 1.
The following is the packet received from the host:
dest MAC = HSRP group 1 virtual MAC

source MAC = Host MAC
dest IP = host-on-netD IP
source IP = Host IP
Device R1 receives this packet and determines that device R4 can provide a better path to Net D, so it prepares
to send a redirect message that will redirect the host to the real IP address of device R4 (because only real IP
addresses are in its routing table).
The following is the initial ICMP redirect message sent by device R1:
dest MAC = Host MAC

source MAC = router R1 MAC
dest IP = Host IP
source IP = router R1 IP
gateway to use = router R4 IP
Before this redirect occurs, the HSRP process of device R1 determines that device R4 is the active HSRP
device for group 3, so it changes the next hop in the redirect message from the real IP address of device R4
to the virtual IP address of group 3. Furthermore, it determines from the destination MAC address of the
packet that triggered the redirect message that the host used the virtual IP address of group 1 as its gateway,
so it changes the source IP address of the redirect message to the virtual IP address of group 1.
The modified ICMP redirect message showing the two modified fields (*) is as follows:
dest MAC = Host MAC

dest IP = Host IP
source IP* = HSRP group 1 virtual IP
gateway to use* = HSRP group 3 virtual IP
This second modification is necessary because hosts compare the source IP address of the ICMP redirect
message with their default gateway. If these addresses do not match, the ICMP redirect message is ignored.

47
Configuring HSRP
ICMP Redirects to Passive HSRP Devices
The routing table of the host now consists of the default gateway, virtual IP address of group 1, and a route
to Net D through the virtual IP address of group 3.

ICMP redirects to passive HSRP devices are not permitted. Redundancy may be lost if hosts learn the real IP
addresses of HSRP devices.
In the "Network Supporting the HSRP ICMP Redirection Filter" figure, redirection to device R8 is not allowed
because R8 is a passive HSRP device. In this case, packets from the host to Net D will first go to device R1
and then be forwarded to device R4; that is, they will traverse the network twice.
A network configuration with passive HSRP devices is considered a misconfiguration. For HSRP ICMP
redirection to operate optimally, every device on the network that is running HSRP should contain at least
one active HSRP group.
ICMP Redirects to Non-HSRP Devices

ICMP redirects to devices not running HSRP on their local interface are permitted. No redundancy is lost if
hosts learn the real IP address of non-HSRP devices.
In the "Network Supporting the HSRP ICMP Redirection Filter" figure, redirection to device R7 is allowed
because R7 is not running HSRP. In this case, the next hop IP address is unchanged. The source IP address
is changed dependent upon the destination MAC address of the original packet. You can specify the no
standby redirect unknown command to stop these redirects from being sent.
Passive HSRP Advertisement Messages

Passive HSRP devices send out HSRP advertisement messages both periodically and when entering or leaving
the passive state. Thus, all HSRP devices can determine the HSRP group state of any HSRP device on the
network. These advertisements inform other HSRP devices on the network of the HSRP interface state, as
follows:
• Active—Interface has at least one active group. A single advertisement is sent out when the first group
becomes active.
• Dormant—Interface has no HSRP groups. A single advertisement is sent once when the last group is
removed.
• Passive—Interface has at least one nonactive group and no active groups. Advertisements are sent out
periodically.
You can adjust the advertisement interval and hold-down time using the standby redirect timers command.
ICMP Redirects Not Sent

If the HSRP device cannot uniquely determine the IP address used by the host when it sends the packet that
caused the redirect, the redirect message will not be sent. The device uses the destination MAC address in the
original packet to make this determination. In certain configurations, such as the use of the standby use-bia
interface configuration command specified on an interface, redirects cannot be sent. In this case, the HSRP
groups use the interface MAC address as their virtual MAC address. The device now cannot determine if the

48
Configuring HSRP
HSRP Support for MPLS VPNs
default gateway of the host is the real IP address or one of the HSRP virtual IP addresses that are active on
the interface.
The IP source address of an ICMP packet must match the gateway address used by the host in the packet that
triggered the ICMP packet, otherwise the host will reject the ICMP redirect packet. An HSRP device uses the
destination MAC address to determine the gateway IP address of the host. If the HSRP device is using the
same MAC address for multiple IP addresses, uniquely determining the gateway IP address of the host is not
possible, and the redirect message is not sent.
The following is sample output from the debug standby events icmp EXEC command if HSRP could not
uniquely determine the gateway used by the host:
10:43:08: HSRP: ICMP redirect not sent to 10.0.0.4 for dest 10.0.1.2
10:43:08: HSRP: could not uniquely determine IP address for mac 00d0.bbd3.bc22

HSRP support for a Multiprotocol Label Switching (MPLS) VPN interface is useful when an Ethernet LAN
is connected between two provider edge (PE) devices with either of the following conditions:
• A customer edge (CE) device with a default route to the HSRP virtual IP address
• One or more hosts with the HSRP virtual IP address configured as the default gateway
Each VPN is associated with one or more VPN routing and forwarding (VRF) instances. A VRF consists of
the following elements:
• IP routing table
• Cisco Express Forwarding table
• Set of interfaces that use the Cisco Express Forwarding forwarding table
• Set of rules and routing protocol parameters to control the information in the routing tables
VPN routing information is stored in the IP routing table and the Cisco Express Forwarding table for each
VRF. A separate set of routing and Cisco Express Forwarding tables is maintained for each VRF. These tables
prevent information from being forwarded outside a VPN and also prevent packets that are outside a VPN
from being forwarded to a device within the VPN.
HSRP adds ARP entries and IP hash table entries (aliases) using the default routing table instance. However,
a different routing table instance is used when VRF forwarding is configured on an interface, causing ARP
and ICMP echo requests for the HSRP virtual IP address to fail.
HSRP support for MPLS VPNs ensures that the HSRP virtual IP address is added to the correct IP routing
table and not to the default routing table.
HSRP Multiple Group Optimization

The configuration of many hundreds of subinterfaces on the same physical interface, with each subinterface
having its own HSRP group, can cause the processes of negotiation and maintenance of multiple HSRP groups
to have a detrimental impact on network traffic and CPU utilization.
Only one HSRP group is required on a physical interface for the purposes of electing active and standby
devices. This group is known as the master group. Other HSRP groups may be created on each subinterface

49
Configuring HSRP
HSRP—ISSU
and linked to the master group via the group name. These linked HSRP groups are known as client or slave
groups.
The HSRP group state of the client groups follows that of the master group. Client groups do not participate
in any sort of device election mechanism.
Client groups send periodic messages in order to refresh their virtual MAC addresses in switches and learning
bridges. The refresh message may be sent at a much lower frequency compared with the protocol election
messages sent by the master group.
HSRP—ISSU
The In Service Software Upgrade (ISSU) process allows Cisco software to be updated or otherwise modified
while packet forwarding continues. In most networks, planned software upgrades are a significant cause of
downtime. ISSU allows Cisco software to be modified while packet forwarding continues, which increases
For detailed information about ISSU, see the Cisco IOS In Service Software Upgrade Process document in
the High Availability Configuration Guide.
SSO HSRP
SSO HSRP alters the behavior of HSRP when a device with redundant Route Processors (RPs) is configured
for stateful switchover (SSO) redundancy mode. When an RP is active and the other RP is standby, SSO
enables the standby RP to take over if the active RP fails.
With this functionality, HSRP SSO information is synchronized to the standby RP, allowing traffic that is
sent using the HSRP virtual IP address to be continuously forwarded during a switchover without a loss of
data or a path change. Additionally, if both RPs fail on the active HSRP device, then the standby HSRP device
takes over as the active HSRP device.
The feature is enabled by default when the redundancy mode of operation is set to SSO.
SSO Dual-Route Processors and Cisco Nonstop Forwarding

SSO is generally used with Cisco nonstop forwarding (NSF). Cisco NSF enables forwarding of data packets
to continue along known routes while the routing protocol information is being restored following a switchover.
With NSF, users are less likely to experience service outages.
HSRP and SSO Working Together

The SSO HSRP feature enables the Cisco IOS HSRP subsystem software to detect that a standby RP is installed
and the system is configured in SSO redundancy mode. Further, if the active RP fails, no change occurs to
the HSRP group itself and traffic continues to be forwarded through the current active gateway device.
Prior to introduction of the SSO HSRP feature, when the primary RP of the active device failed, it would stop
participating in the HSRP group and trigger another switch in the group to take over as the active HSRP
switch.

50
Configuring HSRP
HSRP BFD Peering
SSO HSRP is required to preserve the forwarding path for traffic destined to the HSRP virtual IP address
through an RP switchover.
Configuring SSO on the edge device enables the traffic on the Ethernet links to continue during an RP failover
without the Ethernet traffic switching over to an HSRP standby device (and then back, if preemption is
enabled).
Note You may want to disable SSO HSRP by using the no standby sso command if you have LAN segments that
should switch HSRP traffic to a redundant device while SSO maintains traffic flow for other connections.
HSRP BFD Peering

The HSRP BFD Peering feature introduces Bidirectional Forwarding Detection (BFD) in the Hot Standby
Router Protocol (HSRP) group member health monitoring system. HSRP supports BFD as a part of the HSRP
group member health monitoring system. Without BFD, HSRP runs as a process in a multiprocess system
and cannot be guaranteed to be scheduled in time to service large numbers of groups with hello and hold
timers, in milliseconds. BFD runs as a pseudopreemptive process and can therefore be guaranteed to run when
required. Only one BFD session between two devices can provide early failover notification for multiple
HSRP groups.
This feature is enabled by default. The HSRP standby device learns the real IP address of the HSRP active
device from the HSRP hello messages. The standby device registers as a BFD client and asks to be notified
if the active device becomes unavailable. When BFD determines that the connections between standby and
active devices has failed, it will notify HSRP on the standby device which will immediately take over as the
active device.
BFD provides a low-overhead, short-duration method of detecting failures in the forwarding path between
two adjacent devices, including the interfaces, data links, and forwarding planes. BFD is a detection protocol
that you enable at the interface and routing protocol levels. Cisco supports the BFD asynchronous mode,
which depends on the sending of BFD control packets between two systems to activate and maintain BFD
neighbor sessions between devices. Therefore, to create a BFD session, you must configure BFD on both
systems (or BFD peers). When BFD is enabled on the interfaces and at the device level for HSRP, a BFD
session is created, BFD timers are negotiated, and the BFD peers will begin to send BFD control packets to
each other at the negotiated interval.
BFD provides fast BFD peer failure detection times independently of all media types, encapsulations, topologies,
and routing protocols such as, Border Gateway Protocol (BGP), Enhanced Interior Gateway Routing Protocol
(EIGRP), Hot Standby Router Protocol (HSRP), Intermediate System To Intermediate System (IS-IS), and
Open Shortest Path First (OSPF). By sending rapid failure detection notices to the routing protocols in the
local device to initiate the routing table recalculation process, BFD contributes to greatly reduce overall
network convergence time. The figure below shows a simple network with two devices running HSRP and
BFD.

51
Configuring HSRP
HSRP MIB Traps
Figure 4: HSRP BFD Peering
For more information about BFD, see the IP Routing: BFD Configuration Guide.
HSRP MIB Traps

HSRP MIB supports Simple Network Management Protocol (SNMP) Get operations, to allow network devices
to get reports about HSRP groups in a network from the network management station.
Enabling HSRP MIB trap support is performed through the CLI, and the MIB is used for getting the reports.
A trap notifies the network management station when a device leaves or enters the active or standby state.
When an entry is configured from the CLI, the RowStatus for that group in the MIB immediately goes to the
active state.
Cisco software supports a read-only version of the MIB, and set operations are not supported.
This functionality supports four MIB tables, as follows:
• cHsrpGrpEntry table defined in CISCO-HSRP-MIB.my
• cHsrpExtIfTrackedEntry, defined in CISCO-HSRP-EXT-MIB.my
• cHsrpExtSecAddrEntry, defined in CISCO-HSRP-EXT-MIB.my
• cHsrpExtIfEntry defined in CISCO-HSRP-EXT-MIB.my
The cHsrpGrpEntry table consists of all the group information defined in RFC 2281, Cisco Hot Standby Router
Protocol; the other tables consist of the Cisco extensions to RFC 2281, which are defined in
CISCO-HSRP-EXT-MIB.my.
How to Configure HSRP

Enabling HSRP
Perform this task to enable HSRP.
The standby ip interface configuration command activates HSRP on the configured interface. If an IP address
is specified, that address is used as the virtual IP address for the Hot Standby group. For HSRP to elect a
designated device, you must configure the virtual IP address for at least one of the devices in the group; it can
be learned on the other devices in the group.

52
Configuring HSRP
Enabling HSRP
Before you begin

You can configure many attributes in HSRP such as authentication, timers, priority, and preemption. You
should configure the attributes before enabling the HSRP group. This practice avoids authentication error
messages and unexpected state changes in other routers that can occur if the group is enabled first and then
there is a long enough delay (one or two hold times) before the other attribues are configured.
We recommend that you always specify an HSRP IP address.
SUMMARY STEPS
1. enable
4. ip address ip-address mask
5. standby [group-number] ip [ip-address [secondary]]
6. end
7. show standby [all] [brief]
8. show standby type number [group-number | all] [brief]
DETAILED STEPS

Device> enable

Example:
configuration mode.
Example:
Step 4 ip address ip-address mask Configures an IP address for an interface.

Example:

255.255.255.0
Step 5 standby [group-number] ip [ip-address [secondary]] Activates HSRP.

Example: • If you do not configure a group number, the default
group number is 0. The group number range is from
Device(config-if)# standby 1 ip 172.16.6.100 0 to 255 for HSRP version 1 and from 0 to 4095 for
HSRP version 2.

53
Configuring HSRP
Delaying the Initialization of HSRP on an Interface

• The value for the ip-address argument is the virtual
IP address of the virtual device. For HSRP to elect a
designated device, you must configure the virtual IP
address for at least one of the devices in the group; it
can be learned on the other devices in the group.

Example:
Step 7 show standby [all] [brief] (Optional) Displays HSRP information.

Example: • This command displays information for each group.
The all option displays groups that are learned or that
Device# show standby do not have the standby ip command configured.
Step 8 show standby type number [group-number | all] [brief] (Optional) Displays HSRP information about specific
groups or interfaces.
Example:
Device# show standby GigabitEthernet 0

The standby delay command is used to delay HSRP initialization either after a reload and/or after an interface
comes up. This configuration allows the interface and device time to settle down after the interface up event
and helps prevent HSRP state flapping.
We recommend that you use the standby minimum reload command if the standby timers command is
configured in milliseconds or if HSRP is configured on a VLAN interface.
SUMMARY STEPS
1. enable
5. standby delay minimum min-seconds reload reload-seconds
6. standby [group-number ] ip [ip-address [secondary]]
7. end
8. show standby delay [typenumber]
DETAILED STEPS


54
Configuring HSRP

Device> enable

Example:
configuration mode.
Example:
Step 4 ip address ip-address mask Specifies an IP address for an interface.

Example:

255.255.255.0
Step 5 standby delay minimum min-seconds reload (Optional) Configures the delay period before the
reload-seconds initialization of HSRP groups.
Example: • The min-seconds value is the minimum time (in
seconds) to delay HSRP group initialization after an
Device(config-if)# standby delay minimum 30 reload interface comes up. This minimum delay period applies
60 to all subsequent interface events.
• The reload-seconds value is the time period to delay
after the device has reloaded. This delay period applies
only to the first interface-up event after the device has
reloaded.
Note The recommended min-seconds value is 30 and

the recommended reload-seconds value is 60.
Step 6 standby [group-number ] ip [ip-address [secondary]] Activates HSRP.

Example:
Device(config-if)# standby 1 ip 10.0.0.3

255.255.255.0

Example:
Step 8 show standby delay [typenumber] (Optional) Displays HSRP information about delay periods.
Example:

55
Configuring HSRP
Configuring HSRP Priority and Preemption
Device# show standby delay
Configuring HSRP Priority and Preemption

SUMMARY STEPS
1. enable
6. standby [group-number] preempt [delay {minimum | reload | sync} seconds]
7. standby [group-number] ip ip-address [secondary]]
8. end
9. show standby [all] [brief]
10. show standby type number [group-number | all] [brief]
DETAILED STEPS

Device> enable

Example:
configuration mode.
Example:
Device(config)# interface GigabitEthernet0/0/0

Example:

255.255.255.0

Example: • The default priority is 100.

56
Configuring HSRP
Configuring HSRP Object Tracking

Step 6 standby [group-number] preempt [delay {minimum | Configures HSRP preemption and preemption delay.
reload | sync} seconds]
• The default delay period is 0 seconds; if the device
Example: wants to preempt, it will do so immediately. By
default, the device that comes up later becomes the
Device(config-if)# standby 1 preempt delay minimum standby.
380
Step 7 standby [group-number] ip ip-address [secondary]] Activates HSRP.

Example:

255.255.255.0

Example:
Step 9 show standby [all] [brief] (Optional) Displays HSRP information.

Example: • This command displays information for each group.
The all option displays groups that are learned or that
Device# show standby do not have the standby ip command configured.
Step 10 show standby type number [group-number | all] [brief] (Optional) Displays HSRP information about specific
groups or interfaces.
Example:
Device# show standby GigabitEthernet 0/0/0

Perform this task to configure HSRP to track an object and change the HSRP priority based on the state of
the object.
Each tracked object is identified by a unique number that is specified on the tracking CLI. Client processes
use this number to track a specific object.
SUMMARY STEPS
1. enable
4. exit
6. standby [group-number] track object-number [decrement priority-decrement] [shutdown]
8. end

57
Configuring HSRP
9. show track [object-number | brief] [interface [brief] | ip route [brief] | resolution | timers]
DETAILED STEPS

Device> enable

Example:
Step 3 track object-number interface type number {line-protocol Configures an interface to be tracked and enters tracking
| ip routing} configuration mode.
Example:
Device(config)# track 100 interface GigabitEthernet

0/0/0 line-protocol

Example:
configuration mode.
Example:
Step 6 standby [group-number] track object-number [decrement Configures HSRP to track an object and change the Hot
priority-decrement] [shutdown] Standby priority on the basis of the state of the object.
Example: • By default, the priority of the device is decreased by
10 if a tracked object goes down. Use the decrement
Device(config-if)# standby 1 track 100 decrement priority-decrement keyword and argument combination
20 to change the default behavior.
• When multiple tracked objects are down and
priority-decrement values have been configured, these
configured priority decrements are cumulative. If
tracked objects are down, but none of them were
configured with priority decrements, the default
decrement is 10 and it is cumulative.
• Use the shutdown keyword to disable the HRSP group
on the device when the tracked object goes down.

58
Configuring HSRP
Configuring HSRP MD5 Authentication Using a Key String

Note If an object is already being tracked by an HSRP
group, you cannot change the configuration to
use the HSRP Group Shutdown feature. You
must first remove the tracking configuration
using the no standby track command and then
reconfigure it using the standby track command
with the shutdown keyword.

Example: • The default group number is 0. The group number
range is from 0 to 255 for HSRP version 1 and from
Device(config-if)# standby 1 ip 10.10.10.0 0 to 4095 for HSRP version 2.

Example:
route [brief] | resolution | timers]
Example:
Device# show track 100 interface
Note Text authentication cannot be combined with MD5 authentication for an HSRP group at any one time. When
MD5 authentication is configured, the text authentication field in HSRP hello messages is set to all zeroes on
transmit and ignored on receipt, provided the receiving device also has MD5 authentication enabled.
Note If you are changing a key string in a group of devices, change the active device last to prevent any HSRP state
change. The active device should have its key string changed no later than one hold-time period, specified by
the standy timers interface configuration command, after the nonactive devices. This procedure ensures that
the nonactive devices do not time out the active device.
SUMMARY STEPS
1. enable
3. terminal interface type number

59
Configuring HSRP

7. standby [group-number] authentication md5 key-string [0 | 7] key [timeout seconds]
8. standby [group-number] ip [ip-address] [secondary]]
10. end
11. show standby
DETAILED STEPS

Device> enable

Example:
Step 3 terminal interface type number Configures an interface type and enters interface
configuration mode.
Example:
interface.
Example:

255.255.255.0

Example:
Step 6 standby [group-number] preempt [delay {minimum | Configures HSRP preemption.

Example:
Step 7 standby [group-number] authentication md5 key-string Configures an authentication string for HSRP MD5
[0 | 7] key [timeout seconds] authentication.
Example: • The key argument can be up to 64 characters in length.
We recommended that at least 16 characters be used.

60
Configuring HSRP
Configuring HSRP MD5 Authentication Using a Key Chain

• No prefix to the key argument or specifying 0 means
Device(config-if)# standby 1 authentication md5
the key will be unencrypted.
key-string d00b4r987654321a timeout 30
• Specifying 7 means the key will be encrypted. The
• The timeout value is the period of time that the old
key string will be accepted to allow configuration of
all routers in a group with a new key.
Step 8 standby [group-number] ip [ip-address] [secondary]] Activates HSRP.

Example:

communicate.
Example:
Step 11 show standby (Optional) Displays HSRP information.

key string or key chain will be displayed if
Device# show standby configured.

Perform this task to configure HSRP MD5 authentication using a key chain. Key chains allow a different key
string to be used at different times according to the key chain configuration. HSRP will query the appropriate
SUMMARY STEPS
1. enable
4. key key-id
6. exit
7. exit

61
Configuring HSRP

12. standby [group-number] authentication md5 key-chain key-chain-name
15. end
16. show standby
DETAILED STEPS

Device> enable

Example:
Step 3 key chain name-of-chain Enables authentication for routing protocols, identifies a
group of authentication keys, and enters key-chain
Example:
configuration mode.
Device(config)# key chain hsrp1
Step 4 key key-id Identifies an authentication key on a key chain and enters
Example:
• The value for thekey-id argument must be a number.
Step 5 key-string string Specifies the authentication string for a key.

Example: • The value for the string argument can be 1 to 80
uppercase or lowercase alphanumeric characters; the
Device(config-keychain-key)# key-string mno172 first character cannot be a numeral

Example:

Example:

62
Configuring HSRP

configuration mode.
Example:
interface.
Example:

255.255.255.0

Example:

Example:
Step 12 standby [group-number] authentication md5 key-chain Configures an authentication MD5 key chain for HSRP
key-chain-name MD5 authentication.
in Step 3.
key-chain hsrp1

Example:

communicate.
Example:


63
Configuring HSRP
Troubleshooting HSRP MD5 Authentication

Perform this task if HSRP MD5 authentication is not operating correctly.
SUMMARY STEPS
1. enable
2. debug standby errors
DETAILED STEPS

Device> enable
Step 2 debug standby errors Displays error messages related to HSRP.

Example: • Error messages will be displayed for each packet that
fails to authenticate, so use this command with care.
Device# debug standby errors
Examples
In the following example, Device A has MD5 text string authentication configured, but Device B
has the default text authentication:
A:Jun 16 12:14:50.337:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 confgd
but no tlv
B:Jun 16 12:16:34.287:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, Text auth
failed
In the following example, both Device A and Device B have different MD5 authentication strings:
A:Jun 16 12:19:26.335:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 auth
failed
B:Jun 16 12:18:46.280:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, MD5 auth
failed
Configuring HSRP Text Authentication

SUMMARY STEPS
1. enable

64
Configuring HSRP

7. standby [group-number] authentication text string
10. end
11. show standby
DETAILED STEPS

Device> enable

Example:
configuration mode.
Example:
interface.
Example:

255.255.255.0

Example:

Example:
Step 7 standby [group-number] authentication text string Configures an authentication string for HSRP text
authentication.
Example:
• The default string is cisco.

65
Configuring HSRP
Configuring HSRP Timers
Device(config-if)# standby 1 authentication text

authentication1

Example:
Step 9 Repeat Steps 1 through 8 on each device that will --

communicate.
Example:

Configuring HSRP Timers
Note We recommend configuring a minimum hello-time value of 250 milliseconds and a minimum hold-time value
of 800 milliseconds.
You can use the standby delay command to allow the interface to come up completely before HSRP initializes.
SUMMARY STEPS
1. enable
4. ip address ip-address mask [secondary]]
5. standby [group-number] timers [msec] hellotime [msec] holdtime
DETAILED STEPS


66
Configuring HSRP
Configuring an HSRP MAC Refresh Interval
Device> enable

Example:
configuration mode.
Example:
Device(config)# interface Gigabit Ethernet 0/0/1
Step 4 ip address ip-address mask [secondary]] Specifies a primary or secondary IP address for an interface.
Example:

255.255.255.0
Step 5 standby [group-number] timers [msec] hellotime [msec] Configures the time between hello packets and the time
holdtime before other devices declare the active Hot Standby or
standby device to be down.
Example:
Device(config-if)# standby 1 timers 5 15

Example:
Configuring an HSRP MAC Refresh Interval

SUMMARY STEPS
1. enable
5. standby mac-refresh seconds
DETAILED STEPS


67
Configuring HSRP
Configuring Multiple HSRP Groups for Load Balancing
Device> enable

Example:
configuration mode.
Example:
Example:

255.255.255.0
Step 5 standby mac-refresh seconds Changes the interval at which packets are sent to refresh
the MAC cache when HSRP is running over FDDI.
Example:
• This command applies to HSRP running over FDDI
Device(config-if)# standby mac-refresh 100 only.

Example:

Perform this task to configure multiple HSRP groups for load balancing.
Multiple HSRP groups enable redundancy and load-sharing within networks and allow redundant devices to
be more fully utilized. A device actively forwarding traffic for one HSRP group can be in standby or in the
listen state for another group.
If two devices are used, then Device A would be configured as active for group 1 and standby for group 2.
Device B would be standby for group 1 and active for group 2. Fifty percent of the hosts on the LAN would
be configured with the virtual IP address of group 1 and the remaining hosts would be configured with the
virtual IP address of group 2. See the Example: Configuring Multiple HSRP Groups for Load Balancing for
a diagram and configuration example.
SUMMARY STEPS
1. enable

68
Configuring HSRP

6. standby [group-number] preempt [delay {minimum | reload | sync} delay]
7. standby [group-number] ip [ip-address] secondary]
8. On the same device, repeat Steps 5 through 7 to configure the device attributes for different standby
groups.
9. exit
10. Repeat Steps 3 through 9 on another device.
DETAILED STEPS

Device> enable

Example:
configuration mode.
Example:
interface.
Example:

255.255.255.0

Example:

reload | sync} delay]
Example:
Step 7 standby [group-number] ip [ip-address] secondary] Activates HSRP.

Example:

69
Configuring HSRP
Improving CPU and Network Performance with HSRP Multiple Group Optimization

Step 8 On the same device, repeat Steps 5 through 7 to configure For example, Device A can be configured as an active
the device attributes for different standby groups. device for group 1 and be configured as an active or
standby device for another HSRP group with different
priority and preemption values.
Step 9 exit Exits to global configuration mode.

Example:
Step 10 Repeat Steps 3 through 9 on another device. Configures multiple HSRP and enables load balancing on
another device.
Improving CPU and Network Performance with HSRP Multiple Group

Optimization
Perform this task to configure multiple HSRP client groups.
The standby follow command configures an HSRP group to become a slave of another HSRP group.
HSRP client groups follow the master HSRP with a slight, random delay so that all client groups do not change
at the same time.
Use the standby mac-refresh seconds command to directly change the HSRP client group refresh interval.
The default interval is 10 seconds and can be configured to as much as 255 seconds.
Note • Client or slave groups must be on the same physical interface as the master group.
• A client group takes its state from the group it is following. Therefore, the client group does not use its
timer, priority, or preemption settings. A warning is displayed if these settings are configured on a client
group:

%Warning: This setting has no effect while following another group.
% Warning: This setting has no effect while following another group.
Device(config-if)# standby 1 preempt delay minimum 300
Before you begin

Configure the HSRP master group using the steps in the Configuring Multiple HSRP Groups for Load Balancing
section.
SUMMARY STEPS
1. enable

70
Configuring HSRP

6. standby group-number follow group-name
7. exit
8. Repeat Steps 3 through 6 to configure additional HSRP client groups.
DETAILED STEPS

Device> enable

Example:
configuration mode.
Example:
Example:

255.255.255.0
Step 5 standby mac-refresh seconds Configures the HSRP client group refresh interval.
Example:
Device(config-if)# standby mac-refresh 30
Step 6 standby group-number follow group-name Configures an HSRP group as a client group.
Example:
Device(config-if)# standby 1 follow HSRP1

Example:
Step 8 Repeat Steps 3 through 6 to configure additional HSRP Configures multiple HSRP client groups.
client groups.

71
Configuring HSRP
Enabling HSRP Support for ICMP Redirect Messages

By default, HSRP filtering of ICMP redirect messages is enabled on devices running HSRP. Perform this task
to reenable this feature on your device if it is disabled.
SUMMARY STEPS
1. enable
4. standby redirect [timers advertisement holddown] [unknown]
5. end
6. show standby redirect [ip-address] [interface-type interface-number] [active] [passive] [timers]
DETAILED STEPS

Device> enable

Example:
configuration mode.
Example:
Step 4 standby redirect [timers advertisement holddown] Enables HSRP filtering of ICMP redirect messages.
[unknown]
• You can also use this command in global configuration
Example: mode, which enables HSRP filtering of ICMP redirect
messages on all interfaces configured for HSRP.
Device(config-if)# standby redirect

Example:
Step 6 show standby redirect [ip-address] [interface-type (Optional) Displays ICMP redirect information on interfaces
interface-number] [active] [passive] [timers] configured with HSRP.
Example:
Device# show standby redirect

72
Configuring HSRP
Configuring HSRP Virtual MAC Addresses or BIA MAC Addresses
Configuring HSRP Virtual MAC Addresses or BIA MAC Addresses
Note You cannot use the standby use-bia and standby mac-address commands in the same configuration; they
are mutually exclusive.
The standby use-bia command has the following disadvantages:
• When a device becomes active the virtual IP address is moved to a different MAC address. The newly
active device sends a gratuitous ARP response, but not all host implementations handle the gratuitous
ARP correctly.
• Proxy ARP does not function when the standby use-bia command is configured. A standby device
cannot cover for the lost proxy ARP database of the failed device.
SUMMARY STEPS
1. enable
5. Enter one of the following commands:
• standby [group-number] mac-address mac-address
• or
• standby use-bia [scope interface]
• or
DETAILED STEPS

Device> enable

Example:
configuration mode.
Example:

73
Configuring HSRP
Linking IP Redundancy Clients to HSRP Groups

Step 4 ip address ip-address mask [secondary] Configures an IP address for an interface.
Example:

255.255.255.0
Step 5 Enter one of the following commands: Specifies a virtual MAC address for HSRP.
• standby [group-number] mac-address mac-address • This command cannot be used on a Token Ring
• or interface.
• standby use-bia [scope interface]
or
• or
Configures HSRP to use the burned-in address of the
Example: interface as its virtual MAC address.
Device(config-if)# standby 1 mac-address • The scope interface keywords specify that the
5000.1000.1060 command is configured just for the subinterface on
which it was entered, instead of the major interface.
Example:
Device(config-if)# standby use-bia

Example:
Linking IP Redundancy Clients to HSRP Groups

Before you begin
Within the client application, you must first specify the same name as configured in the standby name
command.
SUMMARY STEPS
1. enable
5. standby [group-number] name [redundancy-name]
DETAILED STEPS


74
Configuring HSRP
Changing to HSRP Version 2

Device> enable

Example:
configuration mode.
Example:

Example:

255.255.255.0
Step 5 standby [group-number] name [redundancy-name] Configures the name of the standby group.
Example: • HSRP groups have a default name of
hsrp-interface-group so specifying a group name is
Device(config-if)# standby 1 name HSRP-1 optional.

Example:

HSRP version 2 was introduced to prepare for further enhancements and to expand the capabilities beyond
what is possible with HSRP version 1. HSRP version 2 has a different packet format than HSRP version 1.
Note • HSRP version 2 is not available for ATM interfaces running LAN emulation.
• HSRP version 2 will not interoperate with HSRP version 1. An interface cannot operate both version 1
and version 2 because both versions are mutually exclusive. However, the different versions can be run
on different physical interfaces of the same device. You cannot change from version 2 to version 1 if
you have configured groups above the group number range allowed for version 1 (0 to 255).
SUMMARY STEPS
1. enable

75
Configuring HSRP

7. end
8. show standby
DETAILED STEPS

Device> enable

Example:
configuration mode.
Example:
Device(config)# interface vlan 400
Step 4 ip address ip-address mask Sets an IP address for an interface.

Example:

255.255.255.0
Step 5 standby version {1 | 2} Changes the HSRP version.

Example:

Example: • The group number range for HSRP version 2 is 0
through 4095. The group number range for HSRP
Device(config-if)# standby 400 ip 10.10.28.5 version 1 is 0 through 255.
Step 7 end Ends the current configuration session and returns to

privileged EXEC mode.
Example:

76
Configuring HSRP
Enabling SSO Aware HSRP

Example: • HSRP version 2 information will be displayed if
configured.

The SSO aware HSRP is enabled by default when the redundancy mode is set to SSO. Perform this task to
reenable HSRP to be SSO aware if it has been disabled.
SUMMARY STEPS
1. enable
3. redundancy
4. mode sso
5. exit
6. no standby sso
7. standby sso
8. end
DETAILED STEPS

Device> enable

Example:
Step 3 redundancy Enters redundancy configuration mode.

Example:
Device(config)# redundancy
Step 4 mode sso Enables the redundancy mode of operation to SSO.

Example: • HSRP is SSO aware on interfaces that are configured
for HSRP and the standby RP is automatically reset.

77
Configuring HSRP
Verifying SSO Aware HSRP
Device(config-red)# mode sso
Step 5 exit Exits redundancy configuration mode.

Example:
Device(config-red)# exit
Step 6 no standby sso Disables HSRP SSO mode for all HSRP groups.
Example:
Device(config)# no standby sso
Step 7 standby sso Enables the SSO HSRP feature if you have disabled the
functionality.
Example:
Device(config)# standby sso

Example:
Device(config)# end

To verify or debug HSRP SSO operation, perform the following steps from the active RP console.
SUMMARY STEPS
1. show standby
2. debug standby events ha
DETAILED STEPS
Step 1 show standby

Use the show standby command to display the state of the standby RP, for example:
Example:
State is Active (standby RP)
Active virtual MAC address is unknown
Local virtual MAC address is 000a.f3fd.5001 (bia)
Authentication text “authword”
Preemption enabled

78
Configuring HSRP
Enabling HSRP MIB Traps
Active router is unknown

Standby router is unknown
Group name is “name1” (cfgd)
Step 2 debug standby events ha

Use thedebug standby events ha command to display the active and standby RPs, for example:
Example:
Device# debug standby events ha
!Active RP
*Apr 27 04:13:47.755: HSRP: Gi0/0/1 Grp 101 RF Encode state Listen into sync buffer
*Apr 27 04:13:47.855: HSRP: CF Sync send ok
*Apr 27 04:13:57.755: HSRP: Gi0/0/1 Grp 101 RF Encode state Speak into sync buffer
*Apr 27 04:14:07.755: HSRP: Gi0/0/1 Grp 101 RF Encode state Standby into sync buffer
*Apr 27 04:14:07.755: HSRP: Gi0/0/1 Grp 101 RF Encode state Active into sync buffer
!Standby RP
*Apr 27 04:11:21.011: HSRP: RF CF client 32, entity 0 got msg len 24
*Apr 27 04:11:21.011: HSRP: Gi0/0/1 Grp 101 RF sync state Init -> Listen
*Apr 27 04:11:31.011: HSRP: Gi0/0/1 Grp 101 RF sync state Listen -> Speak
*Apr 27 04:11:41.071: HSRP: Gi0/0/1 Grp 101 RF sync state Speak -> Standby
*Apr 27 04:11:41.071: HSRP: Gi0/0/1 Grp 101 RF sync state Standby -> Active

SUMMARY STEPS
1. enable
3. snmp-server enable traps hsrp
4. snmp-server host host community-string hsrp
DETAILED STEPS

Device> enable

Example:

79
Configuring HSRP
Configuring BFD Session Parameters on an Interface
Step 3 snmp-server enable traps hsrp Enables the device to send SNMP traps and informs, and
HSRP notifications.
Example:
Device(config)# snmp-server enable traps hsrp
Step 4 snmp-server host host community-string hsrp Specifies the recipient of an SNMP notification operation,
and that HSRP notifications be sent to the host.
Example:
Device(config)# snmp-server host myhost.comp.com

public hsrp
Configuring BFD Session Parameters on an Interface

Perform this task to configure Bidirectional Forwarding Detection (BFD) on an interface by setting the baseline
BFD session parameters on the interface. Repeat the steps in this task for each interface on which you want
to run BFD sessions to BFD neighbors.
SUMMARY STEPS
1. enable
4. bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier
5. end
DETAILED STEPS

Device> enable

Example:

Example:
Device(config)# interface FastEthernet 6/0

80
Configuring HSRP
Configuring HSRP BFD Peering

Step 4 bfd interval milliseconds min_rx milliseconds Enables BFD on the interface.
multiplier interval-multiplier
Example:
Device(config-if)# bfd interval 50 min_rx 50

multiplier 5
Step 5 end Exits interface configuration mode.

Example:

Perform this task to enable Hot Standby Router Protocol (HSRP) Bidirectional Forwarding Detection (BFD)
peering. Repeat the steps in this task for each interface over which you want to run BFD sessions to HSRP
peers.
HSRP supports BFD peering by default. If HSRP BFD peering is disabled, you can reenable it at the device
level to enable BFD support globally for all interfaces or you can reenable it on a per-interface basis at the
interface level.
Before you begin

Before you proceed with this task:
• HSRP must be running on all participating devices.
• Cisco Express Forwarding must be enabled.
SUMMARY STEPS
1. enable
3. ip cef [distributed]
7. standby bfd
8. exit
9. standby bfd all-interfaces
10. exit
11. show standby [neighbors]

81
Configuring HSRP
DETAILED STEPS

Device> enable

Example:
Step 3 ip cef [distributed] Enables Cisco Express Forwarding or distributed Cisco

Express Forwarding.
Example:
Device(config)# ip cef

Example:
Device(config)# interface FastEthernet 6/0
Step 5 ip address ip-address mask Configures an IP address for the interface.

Example:

255.255.255.0

Example:
Step 7 standby bfd (Optional) Enables HSRP support for BFD on the interface.
Example:
Device(config-if)# standby bfd
Step 8 exit Exits interface configuration mode.

Example:
Step 9 standby bfd all-interfaces (Optional) Enables HSRP support for BFD on all
interfaces.
Example:
Device(config)# standby bfd all-interfaces

82
Configuring HSRP
Verifying HSRP BFD Peering

Step 10 exit Exits global configuration mode.
Example:
Device(config)# exit
Step 11 show standby [neighbors] (Optional) Displays information about HSRP support for
BFD.
Example:
Device# show standby neighbors

To verify Hot Standby Router Protocol (HSRP) Bidirectional Forwarding Detection (BFD) peering, use any
of the following optional commands.
SUMMARY STEPS
1. show standby
2. show standby brief
3. show standby neighbors [type number]
4. show bfd neighbors
5. show bfd neighbors details
DETAILED STEPS
Step 1 show standby

Use the show standby command to display HSRP information.
Example:
FastEthernet2/0 - Group 1
State is Active
2 state changes, last state change 00:08:06
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Preemption enabled
Standby router is 10.0.0.2, priority 90 (expires in 8.268 sec)
BFD enabled !
Group name is "hsrp-Fa2/0-1" (default)
Step 2 show standby brief

Use the show standby brief command to display HSRP standby device information in brief.

83
Configuring HSRP
Example:
Device# show standby brief
Interface Grp Pri P State Active Standby Virtual IP
Et0/0 4 120 P Active local 172.24.1.2 172.24.1.254

Et1/0 6 120 P Active local FE80::A8BB:CCFF:FE00:3401 FE80::5:73FF:FEA0:6
Step 3 show standby neighbors [type number]

Use the show standby neighbors command to display information about HSRP peer devices on an interface.
Example:
Device1# show standby neighbors
HSRP neighbors on FastEthernet2/0

10.1.0.22
No active groups
Standby groups: 1
BFD enabled !
Device2# show standby neighbors
HSRP neighbors on FastEthernet2/0

10.0.0.2
Active groups: 1
No standby groups
BFD enabled !
Step 4 show bfd neighbors

Use the show bfd neighbors command to display a line-by-line listing of existing Bidirectional Forwarding Detection
(BFD) adjacencies.
Example:
Device# show bfd neighbors
IPv6 Sessions
NeighAddr LD/RD RH/RS State Int
FE80::A8BB:CCFF:FE00:3401 4/3 Up Up Et1/0

FE80::A8BB:CCFF:FE00:3401 4/3 Up Up Et1/0
Step 5 show bfd neighbors details

Use the details keyword to display BFD protocol parameters and timers for each neighbor.
Example:
Device# show bfd neighbors details
OurAddr NeighAddr LD/RD RH/RS Holdown(mult) State Int

10.0.0.2 10.0.0.1 5/0 Down 0 (0 ) Down Fa2/0
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 0, Received Multiplier: 0
Holdown (hits): 0(0), Hello (hits): 1000(55)
Rx Count: 0, Rx Interval (ms) min/max/avg: 0/0/0 last: 3314120 ms ago

84
Configuring HSRP
Configuration Examples for HSRP
Tx Count: 55, Tx Interval (ms) min/max/avg: 760/1000/872 last: 412 ms ago

Registered protocols: HSRP !
Last packet: Version: 1 - Diagnostic: 0
State bit: AdminDown - Demand bit: 0
Poll bit: 0 - Final bit: 0
Multiplier: 0 - Length: 0
My Discr.: 0 - Your Discr.: 0
Min tx interval: 0 - Min rx interval: 0
Min Echo interval: 0
Configuration Examples for HSRP

Example: Configuring HSRP Priority and Preemption
In the following example, Device A is configured to be the active device for group 1 because it has the higher
priority and standby device for group 2. Device B is configured to be the active device for group 2 and standby
device for group 1.
Device A Configuration

Device B Configuration

Example: Configuring HSRP Object Tracking

In the following example, the tracking process is configured to track the IP-routing capability of serial interface
1/0. HSRP on Gigabit Ethernet interface 0/0/0 then registers with the tracking process to be informed of any
changes to the IP-routing state of serial interface 1/0. If the IP state on serial interface 1/0 goes down, the
priority of the HSRP group is reduced by 10.
If both serial interfaces are operational, Device A will be the HSRP active device because it has the higher
priority. However, if IP routing on serial interface 1/0 in Device A fails, the HSRP group priority will be

85
Configuring HSRP
Example: Configuring HSRP Group Shutdown
reduced and Device B will take over as the active device, thus maintaining a default virtual gateway service
to hosts on the 10.1.0.0 subnet.
Device(config)# track 100 interface serial 1/0/0 ip routing

!
Device(config-if)# standby 1 track 100 decrement 10

!

In the following example, the tracking process is configured to track the IP-routing capability of Gigabit
Ethernet interface 0/0/0. HSRP on Gigabit Ethernet interface 0/0/1 then registers with the tracking process to
be informed of any changes to the IP-routing state of Gigabit Ethernet interface 0/0/0. If the IP state on Gigabit
Ethernet interface 0/0/0 goes down, the HSRP group is disabled.
If both Gigabit Ethernet interfaces are operational, Device A will be the HSRP active device because it has
the higher priority. However, if IP routing on Gigabit Ethernet interface 0/0/0 in Device A fails, the HSRP
group will be disabled and Device B will take over as the active device, thus maintaining a default virtual
gateway service to hosts on the 10.1.0.0 subnet.
Device(config)# track 100 interface GigabitEthernet 0/0/0 ip routing

!
Device(config-if)# standby 1 track 100 shutdown

!

86
Configuring HSRP
Example: Configuring HSRP MD5 Authentication Using Key Strings

The following example shows how to change the configuration of a tracked object to include the HSRP Group
Shutdown feature:
Device(config)# no standby 1 track 100 decrement 10

Device(config)# standby 1 track 100 shutdown

Device(config-if)# standby 1 authentication md5 key-string 54321098452103ab timeout 30
Example: Configuring HSRP MD5 Authentication Using Key Chains

In the following example, HSRP queries the key chain “hsrp1” to obtain the current live key and key ID for
the specified key chain:

Device(config-keychain-key)# key-string 54321098452103ab
Device(config-if)# standby 1 authentication md5 key-chain hsrp1
Example: Configuring HSRP MD5 Authentication Using Key Strings and Key
Chains
The key ID for key-string authentication is always zero. If a key chain is configured with a key ID of zero,
then the following configuration will work:
Device 1


87
Configuring HSRP
Example: Configuring HSRP Text Authentication

Device 2

Device(config-if)# standby 1 authentication md5 key-string 54321098452103ab

Device(config-if)# standby 1 authentication text company2
Example: Configuring Multiple HSRP Groups for Load Balancing

You can use HSRP or multiple HSRP groups when you configure load sharing. In the figure below, half of
the clients are configured for Router A, and half of the clients are configured for Router B. Together, the
configuration for Routers A and B establish two Hot Standby groups. For group 1, Router A is the default
active router because it has the assigned highest priority, and Router B is the standby router. For group 2,
Router B is the default active router because it has the assigned highest priority, and Router A is the standby
router. During normal operation, the two routers share the IP traffic load. When either router becomes
unavailable, the other router becomes active and assumes the packet-transfer functions of the router that is
unavailable. The standby preempt interface configuration command is necessary so that if a router goes
down and then comes back up, preemption occurs and restores load sharing.
Figure 5: HSRP Load Sharing Example

88
Configuring HSRP
Example: Improving CPU and Network Performance with HSRP Multiple Group Optimization
The following example shows Router A configured as the active router for group 1 with a priority of 110 and
Router B configured as the active router for group 2 with a priority of 110. The default priority level is 100.
Group 1 uses a virtual IP address of 10.0.0.3 and Group 2 uses a virtual IP address of 10.0.0.4.
Router A Configuration
Router(config)# hostname RouterA

!
Router(config)# interface GigabitEthernet 0/0/0
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# standby 1 priority 110
Router(config-if)# standby 1 preempt
Router(config-if)# standby 1 ip 10.0.0.3
Router B Configuration
Router(config)# hostname RouterB

!
Example: Improving CPU and Network Performance with HSRP Multiple Group
Optimization
The following example shows how to configure an HSRP client and master group:

Device(config-if)# no shutdown
! Client Hello message interval
!
Device(config-if)# ip vrf forwarding VRF2
Device(config-if)# standby 1 name HSRP1
!Server group
!
! Client group
!

89
Configuring HSRP
Example: Configuring HSRP Support for ICMP Redirect Messages

! Client group

Device A Configuration—Active for Group 1 and Standby for Group 2

Device B Configuration—Standby for Group 1 and Active for Group 2

Example: Configuring HSRP Virtual MAC Addresses and BIA MAC Address
In an Advanced Peer-to-Peer Networking (APPN) network, an end node is typically configured with the MAC
address of the adjacent network node. In the following example, if the end nodes are configured to use
4000.1000.1060, HSRP group 1 is configured to use the same MAC address:

Device(config-if)# standby 1 mac-address 4000.1000.1060
In the following example, the burned-in address of Token Ring interface 3/0 will be the virtual MAC address
mapped to the virtual IP address:
Device(config)# interface token 3/0

Device(config-if)# standby use-bia

90
Configuring HSRP
Example: Linking IP Redundancy Clients to HSRP Groups
Note You cannot use the standby use-bia command and the standby mac-address command in the same
configuration.
Example: Linking IP Redundancy Clients to HSRP Groups

The following example shows HSRP support for a static Network Address Translation (NAT) configuration.
The NAT client application is linked to HSRP via the correlation between the name specified by the standby
name command. Two devices are acting as HSRP active and standby, and the NAT inside interfaces are
HSRP enabled and configured to belong to the group named “group1.”
Active Device Configuration
Device(config)# interface BVI 10

Device(config-if)# ip address 192.168.5.54 255.255.255.255.0
Device(config-if)# no ip redirects
Device(config-if)# ip nat inside
Device(config-if)# standby 10 name group1
Device(config-if)# standby 10 track Ethernet 2/1
!
!
Device(config)# ip default-gateway 10.0.18.126
Device(config)# ip nat inside source static 192.168.5.33 10.10.10.5 redundancy group1
Device(config)# ip classless
Device(config)# ip route 10.10.10.0 255.255.255.0 Ethernet 2/1
Device(config)# no ip http server
Standby Device Configuration
Device(config)# interface BVI 10

Device(config-if)# ip address 192.168.5.56 255.255.255.255.0
Device(config-if)# no ip redirects
Device(config-if)# ip nat inside
Device(config-if)# standby 10 name group1
Device(config-if)# standby 10 track Ethernet 3/1
Device(config)# ip default-gateway 10.0.18.126
Device(config)# ip nat inside source static 192.168.5.33 3.3.3.5 redundancy group1
Device(config)# ip classless
Device(config)# ip route 10.0.32.231 255.255.255 Ethernet 3/1
Device(config)# no ip http server
Example: Configuring HSRP Version 2

The following example shows how to configure HSRP version 2 on an interface with a group number of 350:

91
Configuring HSRP
Example: Enabling SSO-Aware HSRP


The following example shows how to set the redundancy mode to SSO. HSRP is automatically SSO-aware
when this mode is enabled.
If SSO HSRP is disabled using the no standby sso command, you can reenable it as shown in the following
example:

Device(config-if)# standby priority 200
Device(config-if)# standby preempt
Device(config-if)# standby sso
Example: Enabling HSRP MIB Traps

The following examples show how to configure HSRP on two devices and enable the HSRP MIB trap support
functionality. As in many environments, one device is preferred as the active one. To configure a device’s
preference as the active device, configure the device at a higher priority level and enable preemption. In the
following example, the active device is referred to as the primary device. The second device is referred to as
the backup device:
Device A

Device(config-if)# standby ip 10.1.1.3
Device(config)# snmp-server host yourhost.cisco.com public hsrp
Device B
Device(config)#interface GigabitEthernet 1/0/0

Device(config)# snmp-server host myhost.cisco.com public hsrp

92
Configuring HSRP
Example: HSRP BFD Peering
Example: HSRP BFD Peering

Hot Standby Router Protocol (HSRP) supports Bidirectional Forwarding Detection (BFD) as a part of the
HSRP group member health monitoring system. Without BFD, HSRP runs as a process in a multiprocess
system and cannot be guaranteed to be scheduled in time to service large numbers of groups with millisecond
hello and hold timers. BFD runs as a pseudo-preemptive process and can therefore, be guaranteed to run when
required. Only one BFD session between two devices can provide early failover notification for multiple
HSRP groups.
In the following example, the standby bfd and the standby bfd all-interfaces commands are not displayed.
HSRP support for BFD is enabled by default when BFD is configured on a device or an interface by using
the bfd interval command. The standby bfd and standby bfd all-interfaces commands are needed only if
BFD has been manually disabled on a device or an interface.
Device A
DeviceA(config)# ip cef
DeviceA(config)# interface FastEthernet2/0
DeviceA(config-if)# no shutdown
DeviceA(config-if)# ip address 10.0.0.2 255.0.0.0
DeviceA(config-if)# ip router-cache cef
DeviceA(config-if)# bfd interval 200 min_rx 200 multiplier 3
DeviceA(config-if)# standby 1 ip 10.0.0.11
DeviceA(config-if)# standby 1 preempt
DeviceA(config-if)# standby 1 priority 110
DeviceA(config-if)# standby 2 ip 10.0.0.12
DeviceA(config-if)# standby 2 preempt
DeviceA(config-if)# standby 2 priority 110
Device B
DeviceB(config)# interface FastEthernet2/0

DeviceB(config-if)# ip address 10.1.0.22 255.255.0.0
DeviceB(config-if)# no shutdown
DeviceB(config-if)# bfd interval 200 min_rx 200 multiplier 3
DeviceB(config-if)# standby 1 ip 10.0.0.11
DeviceB(config-if)# standby 1 preempt
DeviceB(config-if)# standby 1 priority 90
DeviceB(config-if)# standby 2 ip 10.0.0.12
DeviceB(config-if)# standby 2 preempt
DeviceB(config-if)# standby 2 priority 80
Related Documents
HSRP commands: complete command syntax, Cisco IOS First Hop redundancy Protocols Command
command mode, command history, defaults, usage Reference

93
Configuring HSRP
HSRP for IPv6 “HSRP for IPv6” module
Troubleshooting HSRP Hot Standby Router Protocol: Frequently Asked

Questions
Standards
Standards Title
No new or modified standards are supported by this feature, and support for existing standards has not --
MIBs
MIBs MIBs Link
CISCO-HSRP-MIB To locate and download MIBs for selected platforms, Cisco software
CISCO-HSRP-EXT-MIB releases, and feature sets, use Cisco MIB Locator found at the
following URL:
RFCs
RFCs Title
RFC 792 Internet Control Message Protocol
RFC 1828 IP Authentication Using Keyed MD5
RFC 2281 Cisco Hot Standby Router Protocol
Description Link


94
Configuring HSRP
Feature Information for HSRP

Table 3: Feature Information for HSRP
FHRP—HSRP BFD Peering 15.2(1)S The FHRP—HSRP BFD Peering

feature introduces BFD in the
HSRP group member health
monitoring system. Previously,
group member monitoring relied
exclusively on HSRP multicast
messages, which are relatively large
and consume CPU memory to
produce and check. In architectures
where a single interface hosts a
large number of groups, there is a
need for a protocol with low CPU
memory consumption and
processing overhead. BFD
addresses this issue and offers sub
second health monitoring (failure
detection in milliseconds) at a
relatively low CPU impact.
introduced or modified by this
feature: debug standby events
neighbor,show standby,show
standby neighbors,standby bfd,
standby bfd all-interfaces.
FHRP—HSRP Group Shutdown 15.2(1)S The FHRP—HSRP Group

Shutdown feature enables you to
configure an HSRP group to
become disabled (its state changed
to Init) instead of having its priority
decremented when a tracked object
goes down.
modified by this feature:standby
track, show standby.

95
Configuring HSRP
FHRP—HSRP Multiple Group 15.2(1)S FHRP—HSRP Multiple Group

Optimization Optimization feature improves the
negotiation and maintenance of
multiple HSRP groups configured
on a subinterface. Only one HSRP
group is required on a physical
interface for the purposes of
electing active and standby routers.
This group is known as the master
group. Other HSRP groups may be
created on each subinterface and
linked to the master group via the
group name. These linked HSRP
groups are known as client or slave
groups.
feature: standby follow, show
standby.
FHRP—HSRP Support for IPv6 15.2(1)S Support for IPv6 was added.
For more information see the
"Configuring First Hop
Redundancy Protocols in IPv6"
module of the Cisco IOS IPv6
Configuration Guide.

96
Configuring HSRP
HSRP—ISSU 15.2(1)S The HSRP--ISSU feature enables

support for ISSU in HSRP.
The In Service Software Upgrade
(ISSU) process allows Cisco IOS
software to be updated or otherwise
modified while packet forwarding
continues. In most networks,
planned software upgrades are a
significant cause of downtime.
ISSU allows Cisco IOS software to
be modified while packet
forwarding continues, which
increases network availability and
reduces downtime caused by
planned software upgrades. This
document provides information
about ISSU concepts and describes
the steps taken to perform ISSU in
a system.
For more information about this
feature, see the "Cisco IOS In
Service Software Upgrade Process"
module in the Cisco IOS High
Availability Configuration Guide.
There are no new or modified
commands for this feature.
HSRP MD5 Authentication 15.2(1)S Prior to the introduction of the

HSRP MD5 Authentication feature,
HSRP authenticated protocol
packets with a simple plain text
string. The HSRP MD5
Authentication feature is an
enhancement to generate an MD5
digest for the HSRP portion of the
multicast HSRP protocol packet.
This feature provides added
security and protects against the
threat from HSRP-spoofing
software.
feature: show standby, standby
authentication.

97
Configuring HSRP
HSRP Support for ICMP Redirects 15.2(1)S The HSRP support for ICMP
Redirects feature enables ICMP
redirection on interfaces configured
with HSRP.
feature:
debug standby event , debug
standby events icmp,show
standby,standby redirects
HSRP Support for MPLS VPNs 15.2(1)S HSRP support for a Multiprotocol
Label Switching (MPLS) Virtual
Private Network (VPN) interface
is useful when an Ethernet LAN is
connected between two provider
edge (PE) routers with either of the
following conditions:
HSRP Version 2 15.2(1)S HSRP Version 2 feature was

introduced to prepare for further
enhancements and to expand the
capabilities beyond what is possible
with HSRP version 1. HSRP
version 2 has a different packet
format than HSRP version 1.
feature: show standby, standby ip,
standby version.
SSO—HSRP 15.2(1)S The SSO—HSRP feature alters the

behavior of HSRP when a router
with redundant RPs is configured
for SSO. When an RP is active and
the other RP is standby, SSO
enables the standby RP to take over
if the active RP fails.
feature: debug standby events,
standby sso.

98
Configuring HSRP
Glossary
Glossary
ARP—Address Resolution Protocol (ARP). ARP performs a required function in IP routing. ARP finds the
hardware address, also known as Media Access Control (MAC) address, of a host from its known IP address.
ARP maintains a cache (table) in which MAC addresses are mapped to IP addresses. ARP is part of all Cisco
IOS systems running IP.
active device—The primary device in an HSRP group that is currently forwarding packets for the virtual
device.
active RP—The active RP that controls the system, provides network services, runs the routing protocols,
and presents the system management interface.
client group—An HSRP group that is created on a subinterface and linked to the master group via the group
name.
HSRP—Hot Standby Router Protocol. Protocol that provides high network availability and transparent
network-topology changes. HSRP creates a router group with a lead device that services all packets sent to
the HSRP address. The lead device is monitored by other devices in the group, and if it fails, one of these
standby HSRP devices inherits the lead position and the HSRP group address.
ISSU—In Service Software Upgrade. A process that allows Cisco IOS software to be updated or otherwise
modified while packet forwarding continues. In most networks, planned software upgrades are a significant
cause of downtime. ISSU allows Cisco IOS software to be modified while packet forwarding continues, which
increases network availability and reduces downtime caused by planned software upgrades.
master group—An HSRP group that is required on a physical interface for the purposes of electing active
and standby devices.
RF—Redundancy Facility. A structured, functional interface used to notify its clients of active and standby
state progressions and events.
RP—Route Processor. A generic term for the centralized control unit in a chassis.
RPR—Route Processor Redundancy. RPR provides an alternative to the High System Availability (HSA)
feature. HSA enables a system to reset and use a standby Route Processor (RP) if the active RP fails. Using
RPR, you can reduce unplanned downtime because RPR enables a quicker switchover between an active and
standby RP if the active RP experiences a fatal error.
RPR+—An enhancement to RPR in which the standby RP is fully initialized.
standby group—The set of devices participating in HSRP that jointly emulate a virtual device.
standby device—The backup device in an HSRP group.
standby RP—The backup RP.
switchover—An event in which system control and routing protocol execution are transferred from the active
RP to the standby RP. Switchover may be a manual operation or may be induced by a hardware or software
fault. Switchover may include transfer of the packet forwarding function in systems that combine system
control and packet forwarding in an indivisible unit.
virtual IP address—The default gateway IP address configured for an HSRP group.
virtual MAC address—For Ethernet and FDDI, the automatically generated MAC address when HSRP is
configured. The standard virtual MAC address used is: 0000.0C07.ACxy, where xy is the group number in
hexadecimal. The functional address is used for Token Ring. The virtual MAC address is different for HSRP
version 2.

99
Configuring HSRP
Glossary

100
CHAPTER 5
HSRP Version 2
• Information About HSRP Version 2, on page 101
• How to Configure HSRP Version 2, on page 102
• Configuration Examples for HSRP Version 2, on page 104
• Feature Information for HSRP Version 2, on page 105

Information About HSRP Version 2

HSRP version 2 is designed to address the following restrictions in HSRP version 1:
• In HSRP version 1, millisecond timer values are not advertised or learned. HSRP version 2 advertises
and learns millisecond timer values. This change ensures stability of the HSRP groups in all cases.
• In HSRP version 1, group numbers are restricted to the range from 0 to 255. HSRP version 2 expands
the group number range from 0 to 4095.
• HSRP version 2 provides improved management and troubleshooting. With HSRP version 1, you cannot
use HSRP active hello messages to identify which physical device sent the message because the source
MAC address is the HSRP virtual MAC address. The HSRP version 2 packet format includes a 6-byte
identifier field that is used to uniquely identify the sender of the message. Typically, this field is populated
with the interface MAC address.

101
HSRP Version 2
How to Configure HSRP Version 2
• The multicast address 224.0.0.2 is used to send HSRP hello messages. This address can conflict with
Cisco Group Management Protocol (CGMP) leave processing.
Version 1 is the default version of HSRP.

address of 224.0.0.2, used by HSRP version 1. This new multicast address allows CGMP leave processing to
be enabled at the same time as HSRP.
address range 0000.0C9F.F000 to 0000.0C9F.FFFF. The increased group number range does not imply that
an interface can, or should, support that many HSRP groups. The expanded group number range was changed
to allow the group number to match the VLAN number on subinterfaces.
When the HSRP version is changed, each group will reinitialize because it now has a new virtual MAC address.
HSRP version 2 has a different packet format than HSRP version 1. The packet format uses a type-length-value
(TLV) format. HSRP version 2 packets received by an HSRP version 1 device will have the type field mapped
to the version field by HSRP version 1 and subsequently ignored.
The Gateway Load Balancing Protocol (GLBP) also addresses the same restrictions relative to HSRP version
1 that HSRP version 2 does. See the Configuring GLBP document for more information on GLBP.
Jitter timers
How to Configure HSRP Version 2

HSRP version 2 was introduced to prepare for further enhancements and to expand the capabilities beyond
what is possible with HSRP version 1. HSRP version 2 has a different packet format than HSRP version 1.
Note • HSRP version 2 is not available for ATM interfaces running LAN emulation.
• HSRP version 2 will not interoperate with HSRP version 1. An interface cannot operate both version 1
and version 2 because both versions are mutually exclusive. However, the different versions can be run
on different physical interfaces of the same device. You cannot change from version 2 to version 1 if
you have configured groups above the group number range allowed for version 1 (0 to 255).

102
HSRP Version 2
SUMMARY STEPS
1. enable
7. end
8. show standby
DETAILED STEPS

Device> enable

Example:
configuration mode.
Example:
Step 4 ip address ip-address mask Sets an IP address for an interface.

Example:

255.255.255.0
Step 5 standby version {1 | 2} Changes the HSRP version.

Example:

Example: • The group number range for HSRP version 2 is 0
through 4095. The group number range for HSRP
Device(config-if)# standby 400 ip 10.10.28.5 version 1 is 0 through 255.

Example:

103
HSRP Version 2
Configuration Examples for HSRP Version 2

Example: • HSRP version 2 information will be displayed if
configured.
Configuration Examples for HSRP Version 2

Example: Configuring HSRP Version 2
The following example shows how to configure HSRP version 2 on an interface with a group number of 350:

Related Documents

Questions
Standards
Standards Title

104
HSRP Version 2
Feature Information for HSRP Version 2
MIBs
MIBs MIBs Link
following URL:
RFCs
RFCs Title
Description Link



105
HSRP Version 2
Table 4: Feature Information for HSRP Version 2
HSRP Version 2 HSRP Version 2 feature was

introduced to prepare for further
enhancements and to expand the
capabilities beyond what is possible
with HSRP version 1. HSRP
version 2 has a different packet
format than HSRP version 1.
feature: show standby, standby ip,
standby version.

106
CHAPTER 6
• Information About HSRP MD5 Authentication, on page 107
• How to Configure HSRP MD5 Authentication, on page 108
• Configuration Examples for HSRP MD5 Authentication, on page 113
• Feature Information for HSRP MD5 Authentication, on page 115

Information About HSRP MD5 Authentication

HSRP Text Authentication
HSRP ignores unauthenticated HSRP protocol messages. The default authentication type is text authentication.
spoof HSRP hello packets are ignored, Device A will remain the active device

107

Before the introduction of HSRP MD5 authentication, HSRP authenticated protocol packets with a simple
plain text string. HSRP MD5 authentication is an enhancement to generate an MD5 digest for the HSRP
portion of the multicast HSRP protocol packet. This functionality provides added security and protects against
the threat from HSRP-spoofing software.
MD5 authentication provides greater security than the alternative plain text authentication scheme. MD5
authentication allows each HSRP group member to use a secret key to generate a keyed MD5 hash that is part
of the outgoing packet. A keyed hash of an incoming packet is generated and if the hash within the incoming
packet does not match the generated hash, the packet is ignored.
The key for the MD5 hash can be either given directly in the configuration using a key string or supplied
indirectly through a key chain.
HSRP has two authentication schemes:
spoof HSRP hello packets are ignored, Device A will remain the active device.
How to Configure HSRP MD5 Authentication

Perform this task to configure HSRP MD5 authentication using a key chain. Key chains allow a different key
string to be used at different times according to the key chain configuration. HSRP will query the appropriate
SUMMARY STEPS
1. enable
4. key key-id
6. exit
7. exit

108

12. standby [group-number] authentication md5 key-chain key-chain-name
15. end
16. show standby
DETAILED STEPS

Device> enable

Example:
Step 3 key chain name-of-chain Enables authentication for routing protocols, identifies a
group of authentication keys, and enters key-chain
Example:
configuration mode.
Step 4 key key-id Identifies an authentication key on a key chain and enters
Example:
• The value for thekey-id argument must be a number.
Step 5 key-string string Specifies the authentication string for a key.

Example: • The value for the string argument can be 1 to 80
uppercase or lowercase alphanumeric characters; the
Device(config-keychain-key)# key-string mno172 first character cannot be a numeral

Example:

Example:

109

configuration mode.
Example:
interface.
Example:

255.255.255.0

Example:

Example:
Step 12 standby [group-number] authentication md5 key-chain Configures an authentication MD5 key chain for HSRP
key-chain-name MD5 authentication.
in Step 3.
key-chain hsrp1

Example:

communicate.
Example:


110

Perform this task if HSRP MD5 authentication is not operating correctly.
SUMMARY STEPS
1. enable
2. debug standby errors
DETAILED STEPS

Device> enable
Step 2 debug standby errors Displays error messages related to HSRP.

Example: • Error messages will be displayed for each packet that
fails to authenticate, so use this command with care.
Examples
In the following example, Device A has MD5 text string authentication configured, but Device B
has the default text authentication:
A:Jun 16 12:14:50.337:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 confgd
but no tlv
B:Jun 16 12:16:34.287:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, Text auth
failed
In the following example, both Device A and Device B have different MD5 authentication strings:
A:Jun 16 12:19:26.335:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 auth
failed
B:Jun 16 12:18:46.280:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, MD5 auth
failed

SUMMARY STEPS
1. enable

111

7. standby [group-number] authentication text string
10. end
11. show standby
DETAILED STEPS

Device> enable

Example:
configuration mode.
Example:
interface.
Example:

255.255.255.0

Example:

Example:
Step 7 standby [group-number] authentication text string Configures an authentication string for HSRP text
authentication.
Example:

112
Configuration Examples for HSRP MD5 Authentication
Device(config-if)# standby 1 authentication text

authentication1

Example:
Step 9 Repeat Steps 1 through 8 on each device that will --

communicate.
Example:

Configuration Examples for HSRP MD5 Authentication

Device(config-if)# standby 1 authentication md5 key-string 54321098452103ab timeout 30
Example: Configuring HSRP MD5 Authentication Using Key Chains

In the following example, HSRP queries the key chain “hsrp1” to obtain the current live key and key ID for
the specified key chain:


113
Example: Configuring HSRP MD5 Authentication Using Key Strings and Key Chains
Example: Configuring HSRP MD5 Authentication Using Key Strings and Key
Chains
The key ID for key-string authentication is always zero. If a key chain is configured with a key ID of zero,
then the following configuration will work:
Device 1

Device 2

Device(config-if)# standby 1 authentication md5 key-string 54321098452103ab

Device(config-if)# standby 1 authentication text company2
Related Documents

Questions

114
Feature Information for HSRP MD5 Authentication
Standards
Standards Title
MIBs
MIBs MIBs Link
following URL:
RFCs
RFCs Title
Description Link



115
Table 5: Feature Information for HSRP MD5 Authentication
HSRP MD5 Authentication 12.2(25)S Prior to the introduction of the

HSRP MD5 Authentication feature,
12.2(33)SRA
HSRP authenticated protocol
12.2(33)SXH packets with a simple plain text
string. The HSRP MD5
12.2(50)SY
Authentication feature is an
12.3(2)T enhancement to generate an MD5
digest for the HSRP portion of the
15.0(1)S
multicast HSRP protocol packet.
15.0(1)SY This feature provides added
security and protects against the
Cisco IOS XE Release 2.1
threat from HSRP-spoofing
Cisco IOS XE 3.1.0SG software.
Cisco IOS XE Release 3.9S The following commands were
feature: show standby, standby
authentication.

116
CHAPTER 7
HSRP Support for ICMP Redirects
• Information About HSRP Support for ICMP Redirects, on page 117
• How to Configure HSRP Support for ICMP Redirects, on page 120
• Configuration Examples for HSRP Support for ICMP Redirects, on page 121
• Feature Information for HSRP Support for ICMP Redirects, on page 123

Information About HSRP Support for ICMP Redirects

HSRP Support for ICMP Redirect Messages
By default, HSRP filtering of Internet Control Message Protocol (ICMP) redirect messages is enabled on
devices running HSRP.
ICMP is a network layer Internet protocol that provides message packets to report errors and other information
relevant to IP processing. ICMP can send error packets to a host and can send redirect packets to a host.
When HSRP is running, preventing hosts from discovering the interface (or real) IP addresses of devices in
the HSRP group is important. If a host is redirected by ICMP to the real IP address of a device, and that device
later fails, then packets from the host will be lost.
ICMP redirect messages are automatically enabled on interfaces configured with HSRP. This functionality
works by filtering outgoing ICMP redirect messages through HSRP, where the next hop IP address may be
changed to an HSRP virtual IP address.

117

The next-hop IP address is compared to the list of active HSRP devices on that network; if a match is found,
then the real next-hop IP address is replaced with a corresponding virtual IP address and the redirect message
is allowed to continue.
If no match is found, then the ICMP redirect message is sent only if the device corresponding to the new next
hop IP address is not running HSRP. Redirects to passive HSRP devices are not allowed (a passive HSRP
device is a device running HSRP, but which contains no active HSRP groups on the interface).
For optimal operation, every device in a network that is running HSRP should contain at least one active
HSRP group on an interface to that network. Every HSRP device need not be a member of the same group.
Each HSRP device will snoop on all HSRP packets on the network to maintain a list of active devices (virtual
IP addresses versus real IP addresses).
Consider the network shown in the figure below, which supports the HSRP ICMP redirection filter.
Figure 6: Network Supporting the HSRP ICMP Redirection Filter
If the host wants to send a packet to another host on Net D, then it first sends it to its default gateway, the
virtual IP address of HSRP group 1.
The following is the packet received from the host:
dest MAC = HSRP group 1 virtual MAC

source MAC = Host MAC
dest IP = host-on-netD IP
source IP = Host IP
Device R1 receives this packet and determines that device R4 can provide a better path to Net D, so it prepares
to send a redirect message that will redirect the host to the real IP address of device R4 (because only real IP
addresses are in its routing table).
The following is the initial ICMP redirect message sent by device R1:
dest MAC = Host MAC

dest IP = Host IP

118
source IP = router R1 IP
gateway to use = router R4 IP
Before this redirect occurs, the HSRP process of device R1 determines that device R4 is the active HSRP
device for group 3, so it changes the next hop in the redirect message from the real IP address of device R4
to the virtual IP address of group 3. Furthermore, it determines from the destination MAC address of the
packet that triggered the redirect message that the host used the virtual IP address of group 1 as its gateway,
so it changes the source IP address of the redirect message to the virtual IP address of group 1.
The modified ICMP redirect message showing the two modified fields (*) is as follows:
dest MAC = Host MAC

dest IP = Host IP
source IP* = HSRP group 1 virtual IP
gateway to use* = HSRP group 3 virtual IP
This second modification is necessary because hosts compare the source IP address of the ICMP redirect
message with their default gateway. If these addresses do not match, the ICMP redirect message is ignored.
The routing table of the host now consists of the default gateway, virtual IP address of group 1, and a route
to Net D through the virtual IP address of group 3.

ICMP redirects to passive HSRP devices are not permitted. Redundancy may be lost if hosts learn the real IP
addresses of HSRP devices.
In the "Network Supporting the HSRP ICMP Redirection Filter" figure, redirection to device R8 is not allowed
because R8 is a passive HSRP device. In this case, packets from the host to Net D will first go to device R1
and then be forwarded to device R4; that is, they will traverse the network twice.
A network configuration with passive HSRP devices is considered a misconfiguration. For HSRP ICMP
redirection to operate optimally, every device on the network that is running HSRP should contain at least
one active HSRP group.
ICMP Redirects to Non-HSRP Devices

ICMP redirects to devices not running HSRP on their local interface are permitted. No redundancy is lost if
hosts learn the real IP address of non-HSRP devices.
In the "Network Supporting the HSRP ICMP Redirection Filter" figure, redirection to device R7 is allowed
because R7 is not running HSRP. In this case, the next hop IP address is unchanged. The source IP address
is changed dependent upon the destination MAC address of the original packet. You can specify the no
standby redirect unknown command to stop these redirects from being sent.
Passive HSRP Advertisement Messages

Passive HSRP devices send out HSRP advertisement messages both periodically and when entering or leaving
the passive state. Thus, all HSRP devices can determine the HSRP group state of any HSRP device on the
network. These advertisements inform other HSRP devices on the network of the HSRP interface state, as
follows:
• Active—Interface has at least one active group. A single advertisement is sent out when the first group
becomes active.

119
• Dormant—Interface has no HSRP groups. A single advertisement is sent once when the last group is
removed.
• Passive—Interface has at least one nonactive group and no active groups. Advertisements are sent out
periodically.
You can adjust the advertisement interval and hold-down time using the standby redirect timers command.

If the HSRP device cannot uniquely determine the IP address used by the host when it sends the packet that
caused the redirect, the redirect message will not be sent. The device uses the destination MAC address in the
original packet to make this determination. In certain configurations, such as the use of the standby use-bia
interface configuration command specified on an interface, redirects cannot be sent. In this case, the HSRP
groups use the interface MAC address as their virtual MAC address. The device now cannot determine if the
default gateway of the host is the real IP address or one of the HSRP virtual IP addresses that are active on
the interface.
The IP source address of an ICMP packet must match the gateway address used by the host in the packet that
triggered the ICMP packet, otherwise the host will reject the ICMP redirect packet. An HSRP device uses the
destination MAC address to determine the gateway IP address of the host. If the HSRP device is using the
same MAC address for multiple IP addresses, uniquely determining the gateway IP address of the host is not
possible, and the redirect message is not sent.
The following is sample output from the debug standby events icmp EXEC command if HSRP could not
uniquely determine the gateway used by the host:
10:43:08: HSRP: ICMP redirect not sent to 10.0.0.4 for dest 10.0.1.2
10:43:08: HSRP: could not uniquely determine IP address for mac 00d0.bbd3.bc22
How to Configure HSRP Support for ICMP Redirects

By default, HSRP filtering of ICMP redirect messages is enabled on devices running HSRP. Perform this task
to reenable this feature on your device if it is disabled.
SUMMARY STEPS
1. enable
4. standby redirect [timers advertisement holddown] [unknown]
5. end
6. show standby redirect [ip-address] [interface-type interface-number] [active] [passive] [timers]

120
Configuration Examples for HSRP Support for ICMP Redirects
DETAILED STEPS

Device> enable

Example:
configuration mode.
Example:
Step 4 standby redirect [timers advertisement holddown] Enables HSRP filtering of ICMP redirect messages.
[unknown]
• You can also use this command in global configuration
Example: mode, which enables HSRP filtering of ICMP redirect
messages on all interfaces configured for HSRP.

Example:
Step 6 show standby redirect [ip-address] [interface-type (Optional) Displays ICMP redirect information on interfaces
interface-number] [active] [passive] [timers] configured with HSRP.
Example:
Device# show standby redirect
Configuration Examples for HSRP Support for ICMP Redirects

Device A Configuration—Active for Group 1 and Standby for Group 2


121

Device B Configuration—Standby for Group 1 and Active for Group 2

Related Documents

Questions
Standards
Standards Title
MIBs
MIBs MIBs Link
following URL:

122
Feature Information for HSRP Support for ICMP Redirects
RFCs
RFCs Title
Description Link


Table 6: Feature Information for HSRP Support for ICMP Redirects
HSRP Support for ICMP Redirects 12.1(3)T The HSRP support for ICMP
Redirects feature enables ICMP
12.2(50)SY
redirection on interfaces configured
15.0(1)S with HSRP.
15.0(1)SY The following commands were
feature:
Cisco IOS XE Release 3.9S
debug standby event , debug
standby events icmp,show
standby,standby redirects

123

124
CHAPTER 8
FHRP - HSRP Multiple Group Optimization
• Information About FHRP - Multiple Group Optimization, on page 125
• How to configure FHRP - Multiple Group Optimization, on page 126
• Configuration Examples for FHRP - Multiple Group Optimization, on page 129
• Feature Information for FHRP - HSRP Multiple Group Optimization, on page 132

Information About FHRP - Multiple Group Optimization

HSRP Multiple Group Optimization
The configuration of many hundreds of subinterfaces on the same physical interface, with each subinterface
having its own HSRP group, can cause the processes of negotiation and maintenance of multiple HSRP groups
to have a detrimental impact on network traffic and CPU utilization.
Only one HSRP group is required on a physical interface for the purposes of electing active and standby
devices. This group is known as the master group. Other HSRP groups may be created on each subinterface
and linked to the master group via the group name. These linked HSRP groups are known as client or slave
groups.
The HSRP group state of the client groups follows that of the master group. Client groups do not participate
in any sort of device election mechanism.

125
How to configure FHRP - Multiple Group Optimization
Client groups send periodic messages in order to refresh their virtual MAC addresses in switches and learning
bridges. The refresh message may be sent at a much lower frequency compared with the protocol election
messages sent by the master group.
How to configure FHRP - Multiple Group Optimization

Perform this task to configure multiple HSRP groups for load balancing.
Multiple HSRP groups enable redundancy and load-sharing within networks and allow redundant devices to
be more fully utilized. A device actively forwarding traffic for one HSRP group can be in standby or in the
listen state for another group.
If two devices are used, then Device A would be configured as active for group 1 and standby for group 2.
Device B would be standby for group 1 and active for group 2. Fifty percent of the hosts on the LAN would
be configured with the virtual IP address of group 1 and the remaining hosts would be configured with the
virtual IP address of group 2. See the Example: Configuring Multiple HSRP Groups for Load Balancing for
a diagram and configuration example.
SUMMARY STEPS
1. enable
6. standby [group-number] preempt [delay {minimum | reload | sync} delay]
7. standby [group-number] ip [ip-address] secondary]
8. On the same device, repeat Steps 5 through 7 to configure the device attributes for different standby
groups.
9. exit
10. Repeat Steps 3 through 9 on another device.
DETAILED STEPS

Device> enable

Example:

126

configuration mode.
Example:
interface.
Example:

255.255.255.0

Example:

reload | sync} delay]
Example:
Step 7 standby [group-number] ip [ip-address] secondary] Activates HSRP.

Example:
Step 8 On the same device, repeat Steps 5 through 7 to configure For example, Device A can be configured as an active
the device attributes for different standby groups. device for group 1 and be configured as an active or
standby device for another HSRP group with different
priority and preemption values.

Example:
Step 10 Repeat Steps 3 through 9 on another device. Configures multiple HSRP and enables load balancing on
another device.
Improving CPU and Network Performance with HSRP Multiple Group

Optimization
Perform this task to configure multiple HSRP client groups.
The standby follow command configures an HSRP group to become a slave of another HSRP group.

127
HSRP client groups follow the master HSRP with a slight, random delay so that all client groups do not change
at the same time.
Use the standby mac-refresh seconds command to directly change the HSRP client group refresh interval.
The default interval is 10 seconds and can be configured to as much as 255 seconds.
Note • Client or slave groups must be on the same physical interface as the master group.
• A client group takes its state from the group it is following. Therefore, the client group does not use its
timer, priority, or preemption settings. A warning is displayed if these settings are configured on a client
group:

%Warning: This setting has no effect while following another group.
Before you begin

Configure the HSRP master group using the steps in the Configuring Multiple HSRP Groups for Load Balancing
section.
SUMMARY STEPS
1. enable
6. standby group-number follow group-name
7. exit
8. Repeat Steps 3 through 6 to configure additional HSRP client groups.
DETAILED STEPS

Device> enable

Example:

128
Configuration Examples for FHRP - Multiple Group Optimization

configuration mode.
Example:
Example:

255.255.255.0
Step 5 standby mac-refresh seconds Configures the HSRP client group refresh interval.
Example:
Step 6 standby group-number follow group-name Configures an HSRP group as a client group.
Example:

Example:
Step 8 Repeat Steps 3 through 6 to configure additional HSRP Configures multiple HSRP client groups.
client groups.
Configuration Examples for FHRP - Multiple Group Optimization

You can use HSRP or multiple HSRP groups when you configure load sharing. In the figure below, half of
the clients are configured for Router A, and half of the clients are configured for Router B. Together, the
configuration for Routers A and B establish two Hot Standby groups. For group 1, Router A is the default
active router because it has the assigned highest priority, and Router B is the standby router. For group 2,
Router B is the default active router because it has the assigned highest priority, and Router A is the standby
router. During normal operation, the two routers share the IP traffic load. When either router becomes
unavailable, the other router becomes active and assumes the packet-transfer functions of the router that is
unavailable. The standby preempt interface configuration command is necessary so that if a router goes
down and then comes back up, preemption occurs and restores load sharing.

129
Figure 7: HSRP Load Sharing Example
The following example shows Router A configured as the active router for group 1 with a priority of 110 and
Router B configured as the active router for group 2 with a priority of 110. The default priority level is 100.
Group 1 uses a virtual IP address of 10.0.0.3 and Group 2 uses a virtual IP address of 10.0.0.4.
Router A Configuration
Router(config)# hostname RouterA

!
Router B Configuration
Router(config)# hostname RouterB

!

130
Example: Improving CPU and Network Performance with HSRP Multiple Group Optimization
Example: Improving CPU and Network Performance with HSRP Multiple Group
Optimization
The following example shows how to configure an HSRP client and master group:

! Client Hello message interval
!
Device(config-if)# standby 1 name HSRP1
!Server group
!
! Client group
!
! Client group
Related Documents

Questions

131
Feature Information for FHRP - HSRP Multiple Group Optimization
Standards
Standards Title
MIBs
MIBs MIBs Link
following URL:
RFCs
RFCs Title
Description Link

Feature Information for FHRP - HSRP Multiple Group

Optimization

132
Table 7: Feature Information for FHRP—HSRP Multiple Group Optimization
FHRP—HSRP Multiple Group 12.4(6)T FHRP—HSRP Multiple Group

Optimization Optimization feature improves the
12.2(33)SRB
negotiation and maintenance of
12.2(33)SXI multiple HSRP groups configured
on a subinterface. Only one HSRP
12.2(50)SY
group is required on a physical
15.0(1)S interface for the purposes of
electing active and standby devices.
15.0(1)SY
This group is known as the master
Cisco IOS XE Release 2.1 group. Other HSRP groups may be
created on each subinterface and
linked to the master group via the
group name. These linked HSRP
groups are known as client or slave
groups.
feature: standby follow, show
standby.

133

134
CHAPTER 9
FHRP - HSRP Group Shutdown
• Information About FHRP - HSRP Group Shutdown, on page 135
• How to Configure FHRP - HSRP Group Shutdown, on page 136
• Configuration Examples for FHRP - HSRP Group Shutdown, on page 140
• Feature Information for FHRP - HSRP Group Shutdown, on page 143

Information About FHRP - HSRP Group Shutdown

change of value. The changes in the tracked object are communicated to HSRP, either immediately or after
the HSRP priority is reduced. The HSRP device with the higher priority can become the active device if it
has the standby preempt command configured.
HSRP Object Tracking

Object tracking separates the tracking mechanism from HSRP and creates a separate standalone tracking
process that can be used by any other process as well as HSRP. The priority of a device can change dynamically

135
HSRP Group Shutdown
when it has been configured for object tracking and the object that is being tracked goes down. Examples of
objects that can be tracked are the line protocol state of an interface or the reachability of an IP route. If the
specified object goes down, the HSRP priority is reduced.
A client process such as HSRP, Virtual Router Redundancy Protocol (VRRP), or Gateway Load Balancing
Protocol (GLBP) can register its interest in tracking objects and then be notified when the tracked object
changes state.
For more information about object tracking, see the "Configuring Enhanced Object Tracking" document.
HSRP Group Shutdown

The FHRP—HSRP Group Shutdown feature enables you to configure an HSRP group to become disabled
(its state changed to Init) instead of having its priority decremented when a tracked object goes down. Use
the standby track command with the shutdown keyword to configure HSRP group shutdown.
How to Configure FHRP - HSRP Group Shutdown

Perform this task to configure HSRP to track an object and change the HSRP priority based on the state of
the object.
use this number to track a specific object.
SUMMARY STEPS
1. enable
4. exit
6. standby [group-number] track object-number [decrement priority-decrement] [shutdown]
8. end
9. show track [object-number | brief] [interface [brief] | ip route [brief] | resolution | timers]
DETAILED STEPS


136
Device> enable

Example:
Step 3 track object-number interface type number {line-protocol Configures an interface to be tracked and enters tracking
| ip routing} configuration mode.
Example:
Device(config)# track 100 interface GigabitEthernet

0/0/0 line-protocol

Example:
configuration mode.
Example:
Step 6 standby [group-number] track object-number [decrement Configures HSRP to track an object and change the Hot
priority-decrement] [shutdown] Standby priority on the basis of the state of the object.
Example: • By default, the priority of the device is decreased by
10 if a tracked object goes down. Use the decrement
Device(config-if)# standby 1 track 100 decrement priority-decrement keyword and argument combination
20 to change the default behavior.
• When multiple tracked objects are down and
priority-decrement values have been configured, these
configured priority decrements are cumulative. If
tracked objects are down, but none of them were
configured with priority decrements, the default
decrement is 10 and it is cumulative.
• Use the shutdown keyword to disable the HRSP group
on the device when the tracked object goes down.
Note If an object is already being tracked by an HSRP

group, you cannot change the configuration to
use the HSRP Group Shutdown feature. You
must first remove the tracking configuration
using the no standby track command and then
reconfigure it using the standby track command
with the shutdown keyword.

137

Example: • The default group number is 0. The group number
range is from 0 to 255 for HSRP version 1 and from
Device(config-if)# standby 1 ip 10.10.10.0 0 to 4095 for HSRP version 2.

Example:
route [brief] | resolution | timers]
Example:
Device# show track 100 interface
Note Text authentication cannot be combined with MD5 authentication for an HSRP group at any one time. When
MD5 authentication is configured, the text authentication field in HSRP hello messages is set to all zeroes on
transmit and ignored on receipt, provided the receiving device also has MD5 authentication enabled.
Note If you are changing a key string in a group of devices, change the active device last to prevent any HSRP state
change. The active device should have its key string changed no later than one hold-time period, specified by
the standy timers interface configuration command, after the nonactive devices. This procedure ensures that
the nonactive devices do not time out the active device.
SUMMARY STEPS
1. enable
7. standby [group-number] authentication md5 key-string [0 | 7] key [timeout seconds]
8. standby [group-number] ip [ip-address] [secondary]]
10. end
11. show standby

138
DETAILED STEPS

Device> enable

Example:
configuration mode.
Example:
interface.
Example:

255.255.255.0

Example:

Example:
Step 7 standby [group-number] authentication md5 key-string Configures an authentication string for HSRP MD5
[0 | 7] key [timeout seconds] authentication.
Example: • The key argument can be up to 64 characters in length.
We recommended that at least 16 characters be used.
key-string d00b4r987654321a timeout 30 • No prefix to the key argument or specifying 0 means
the key will be unencrypted.
• Specifying 7 means the key will be encrypted. The

139
Configuration Examples for FHRP - HSRP Group Shutdown

• The timeout value is the period of time that the old
key string will be accepted to allow configuration of
all routers in a group with a new key.
Step 8 standby [group-number] ip [ip-address] [secondary]] Activates HSRP.

Example:

communicate.
Example:

Configuration Examples for FHRP - HSRP Group Shutdown

Example: Configuring HSRP Object Tracking
In the following example, the tracking process is configured to track the IP-routing capability of serial interface
1/0. HSRP on Gigabit Ethernet interface 0/0/0 then registers with the tracking process to be informed of any
changes to the IP-routing state of serial interface 1/0. If the IP state on serial interface 1/0 goes down, the
priority of the HSRP group is reduced by 10.
If both serial interfaces are operational, Device A will be the HSRP active device because it has the higher
priority. However, if IP routing on serial interface 1/0 in Device A fails, the HSRP group priority will be
reduced and Device B will take over as the active device, thus maintaining a default virtual gateway service
to hosts on the 10.1.0.0 subnet.

!

140

!

In the following example, the tracking process is configured to track the IP-routing capability of Gigabit
Ethernet interface 0/0/0. HSRP on Gigabit Ethernet interface 0/0/1 then registers with the tracking process to
be informed of any changes to the IP-routing state of Gigabit Ethernet interface 0/0/0. If the IP state on Gigabit
Ethernet interface 0/0/0 goes down, the HSRP group is disabled.
If both Gigabit Ethernet interfaces are operational, Device A will be the HSRP active device because it has
the higher priority. However, if IP routing on Gigabit Ethernet interface 0/0/0 in Device A fails, the HSRP
group will be disabled and Device B will take over as the active device, thus maintaining a default virtual
gateway service to hosts on the 10.1.0.0 subnet.

!

!
The following example shows how to change the configuration of a tracked object to include the HSRP Group
Shutdown feature:
Device(config)# no standby 1 track 100 decrement 10

Device(config)# standby 1 track 100 shutdown

141
Related Documents

Questions
Standards
Standards Title
MIBs
MIBs MIBs Link
following URL:
RFCs
RFCs Title

142
Feature Information for FHRP - HSRP Group Shutdown
Description Link


Table 8: Feature Information for FHRP—HSRP Group Shutdown
FHRP—HSRP Group Shutdown 12.4(9)T The FHRP—HSRP Group

Shutdown feature enables you to
12.2(33)SRC
configure an HSRP group to
12.2(33)SXI become disabled (its state changed
to Init) instead of having its priority
12.2(50)SY
decremented when a tracked object
15.0(1)S goes down.
modified by this feature:standby
track, show standby.

143

144
CHAPTER 10
SSO HSRP
• Restrictions for SSO HSRP, on page 145
• Information About SSO HSRP, on page 145
• How to Configure SSO HSRP, on page 146
• Configuration Examples for SSO HSRP, on page 149
• Feature Information for SSO - HSRP, on page 151

Restrictions for SSO HSRP

• Enhanced Object Tracking (EOT) is not stateful switchover (SSO)-aware and cannot be used with HSRP
in SSO mode.
Information About SSO HSRP

SSO HSRP
SSO HSRP alters the behavior of HSRP when a device with redundant Route Processors (RPs) is configured
for stateful switchover (SSO) redundancy mode. When an RP is active and the other RP is standby, SSO
enables the standby RP to take over if the active RP fails.

145
SSO HSRP
With this functionality, HSRP SSO information is synchronized to the standby RP, allowing traffic that is
sent using the HSRP virtual IP address to be continuously forwarded during a switchover without a loss of
data or a path change. Additionally, if both RPs fail on the active HSRP device, then the standby HSRP device
takes over as the active HSRP device.
The feature is enabled by default when the redundancy mode of operation is set to SSO.

SSO is generally used with Cisco nonstop forwarding (NSF). Cisco NSF enables forwarding of data packets
to continue along known routes while the routing protocol information is being restored following a switchover.
With NSF, users are less likely to experience service outages.
HSRP and SSO Working Together

The SSO HSRP feature enables the Cisco IOS HSRP subsystem software to detect that a standby RP is installed
and the system is configured in SSO redundancy mode. Further, if the active RP fails, no change occurs to
the HSRP group itself and traffic continues to be forwarded through the current active gateway device.
Prior to introduction of the SSO HSRP feature, when the primary RP of the active device failed, it would stop
participating in the HSRP group and trigger another switch in the group to take over as the active HSRP
switch.
SSO HSRP is required to preserve the forwarding path for traffic destined to the HSRP virtual IP address
through an RP switchover.
Configuring SSO on the edge device enables the traffic on the Ethernet links to continue during an RP failover
without the Ethernet traffic switching over to an HSRP standby device (and then back, if preemption is
enabled).
How to Configure SSO HSRP

The SSO aware HSRP is enabled by default when the redundancy mode is set to SSO. Perform this task to
reenable HSRP to be SSO aware if it has been disabled.

146
SSO HSRP
SUMMARY STEPS
1. enable
3. redundancy
4. mode sso
5. exit
6. no standby sso
7. standby sso
8. end
DETAILED STEPS

Device> enable

Example:
Step 3 redundancy Enters redundancy configuration mode.

Example:
Step 4 mode sso Enables the redundancy mode of operation to SSO.

Example: • HSRP is SSO aware on interfaces that are configured
for HSRP and the standby RP is automatically reset.
Step 5 exit Exits redundancy configuration mode.

Example:
Device(config-red)# exit
Step 6 no standby sso Disables HSRP SSO mode for all HSRP groups.
Example:

147
SSO HSRP
Device(config)# no standby sso
Step 7 standby sso Enables the SSO HSRP feature if you have disabled the
functionality.
Example:
Device(config)# standby sso

Example:
Device(config)# end

To verify or debug HSRP SSO operation, perform the following steps from the active RP console.
SUMMARY STEPS
1. show standby
2. debug standby events ha
DETAILED STEPS
Step 1 show standby

Use the show standby command to display the state of the standby RP, for example:
Example:
State is Active (standby RP)
Active virtual MAC address is unknown
Local virtual MAC address is 000a.f3fd.5001 (bia)
Authentication text “authword”
Preemption enabled
Active router is unknown
Standby router is unknown
Group name is “name1” (cfgd)
Step 2 debug standby events ha

Use thedebug standby events ha command to display the active and standby RPs, for example:
Example:

148
SSO HSRP
Configuration Examples for SSO HSRP
Device# debug standby events ha
!Active RP
*Apr 27 04:13:47.755: HSRP: Gi0/0/1 Grp 101 RF Encode state Listen into sync buffer
*Apr 27 04:13:57.755: HSRP: Gi0/0/1 Grp 101 RF Encode state Speak into sync buffer
*Apr 27 04:14:07.755: HSRP: Gi0/0/1 Grp 101 RF Encode state Standby into sync buffer
*Apr 27 04:14:07.755: HSRP: Gi0/0/1 Grp 101 RF Encode state Active into sync buffer
!Standby RP
*Apr 27 04:11:21.011: HSRP: Gi0/0/1 Grp 101 RF sync state Init -> Listen
*Apr 27 04:11:31.011: HSRP: Gi0/0/1 Grp 101 RF sync state Listen -> Speak
*Apr 27 04:11:41.071: HSRP: Gi0/0/1 Grp 101 RF sync state Speak -> Standby
*Apr 27 04:11:41.071: HSRP: Gi0/0/1 Grp 101 RF sync state Standby -> Active
Configuration Examples for SSO HSRP

The following example shows how to set the redundancy mode to SSO. HSRP is automatically SSO-aware
when this mode is enabled.
If SSO HSRP is disabled using the no standby sso command, you can reenable it as shown in the following
example:

Device(config-if)# standby sso
Related Documents

149
SSO HSRP

Questions
Standards
Standards Title
MIBs
MIBs MIBs Link
following URL:
RFCs
RFCs Title
Description Link


150
SSO HSRP
Feature Information for SSO - HSRP

Table 9: Feature Information for SSO—HSRP
SSO—HSRP 12.2(25)S The SSO—HSRP feature alters the

behavior of HSRP when a device
12.2(33)SRA
with redundant RPs is configured
12.2(33)SXH for SSO. When an RP is active and
the other RP is standby, SSO
12.2(50)SY
enables the standby RP to take over
15.0(1)S if the active RP fails.
feature: debug standby events,
Cisco IOS XE 3.1.0SG standby sso.

151
SSO HSRP

152
CHAPTER 11
HSRP - ISSU
• Information About HSRP - ISSU, on page 153
• Feature Information for HSRP - ISSU, on page 155

Information About HSRP - ISSU

HSRP—ISSU
The In Service Software Upgrade (ISSU) process allows Cisco software to be updated or otherwise modified
while packet forwarding continues. In most networks, planned software upgrades are a significant cause of
downtime. ISSU allows Cisco software to be modified while packet forwarding continues, which increases
For detailed information about ISSU, see the Cisco IOS In Service Software Upgrade Process document in
the High Availability Configuration Guide.

153
HSRP - ISSU
Related Documents

Questions
Standards
Standards Title
MIBs
MIBs MIBs Link
following URL:
RFCs
RFCs Title

154
HSRP - ISSU
Feature Information for HSRP - ISSU
Description Link


Table 10: Feature Information for HSRP—ISSU
HSRP—ISSU 12.2(31)SGA The HSRP—ISSU feature enables

support for ISSU in HSRP.
12.2(33)SRB1
The In Service Software Upgrade
15.0(1)S
(ISSU) process allows Cisco
Cisco IOS XE Release 2.1 software to be updated or otherwise
Cisco IOS XE 3.1.0SG
continues. In most networks,
planned software upgrades are a
significant cause of downtime.
ISSU allows Cisco software to be
continues, which increases network
availability and reduces downtime
caused by planned software
upgrades. This document provides
information about ISSU concepts
and describes the steps taken to
perform ISSU in a system.
For more information about this
feature, see the Cisco IOS In
Service Software Upgrade Process
module in the Cisco IOS High

155
HSRP - ISSU

156
CHAPTER 12
FHRP - HSRP MIB
• Information About FHRP - HSRP MIB, on page 157
• How to Configure FHRP - HSRP MIB, on page 158
• Configuration Examples for FHRP - HSRP MIB, on page 159
• Feature Information for FHRP - HSRP-MIB, on page 160

Information About FHRP - HSRP MIB

HSRP MIB Traps
HSRP MIB supports Simple Network Management Protocol (SNMP) Get operations, to allow network devices
to get reports about HSRP groups in a network from the network management station.
Enabling HSRP MIB trap support is performed through the CLI, and the MIB is used for getting the reports.
A trap notifies the network management station when a device leaves or enters the active or standby state.
When an entry is configured from the CLI, the RowStatus for that group in the MIB immediately goes to the
active state.
Cisco software supports a read-only version of the MIB, and set operations are not supported.
This functionality supports four MIB tables, as follows:
• cHsrpGrpEntry table defined in CISCO-HSRP-MIB.my
• cHsrpExtIfTrackedEntry, defined in CISCO-HSRP-EXT-MIB.my

157
FHRP - HSRP MIB
How to Configure FHRP - HSRP MIB
• cHsrpExtSecAddrEntry, defined in CISCO-HSRP-EXT-MIB.my

• cHsrpExtIfEntry defined in CISCO-HSRP-EXT-MIB.my
The cHsrpGrpEntry table consists of all the group information defined in RFC 2281, Cisco Hot Standby Router
Protocol; the other tables consist of the Cisco extensions to RFC 2281, which are defined in
CISCO-HSRP-EXT-MIB.my.
How to Configure FHRP - HSRP MIB

SUMMARY STEPS
1. enable
3. snmp-server enable traps hsrp
4. snmp-server host host community-string hsrp
DETAILED STEPS

Device> enable

Example:
Step 3 snmp-server enable traps hsrp Enables the device to send SNMP traps and informs, and
HSRP notifications.
Example:
Step 4 snmp-server host host community-string hsrp Specifies the recipient of an SNMP notification operation,
and that HSRP notifications be sent to the host.
Example:
Device(config)# snmp-server host myhost.comp.com

public hsrp

158
FHRP - HSRP MIB
Configuration Examples for FHRP - HSRP MIB
Configuration Examples for FHRP - HSRP MIB

Example: Enabling HSRP MIB Traps
The following examples show how to configure HSRP on two devices and enable the HSRP MIB trap support
functionality. As in many environments, one device is preferred as the active one. To configure a device’s
preference as the active device, configure the device at a higher priority level and enable preemption. In the
following example, the active device is referred to as the primary device. The second device is referred to as
the backup device:
Device A

Device(config)# snmp-server host yourhost.cisco.com public hsrp
Device B
Device(config)#interface GigabitEthernet 1/0/0

Device(config)# snmp-server host myhost.cisco.com public hsrp
Related Documents

Questions

159
FHRP - HSRP MIB
Feature Information for FHRP - HSRP-MIB
Standards
Standards Title
MIBs
MIBs MIBs Link
following URL:
RFCs
RFCs Title
Description Link



160
FHRP - HSRP MIB
Table 11: Feature Information for FHRP—HSRP-MIB
FHRP—HSRP-MIB 12.0(3)T The FHRP—HSRP-MIB feature

introduces support for the
12.0(12)S
CISCO-HRSP-MIB.

161
FHRP - HSRP MIB

162
CHAPTER 13
• Information About HSRP Support for MPLS VPNs, on page 163
• Feature Information for HSRP Support for MPLS VPNs, on page 165

Information About HSRP Support for MPLS VPNs

HSRP support for a Multiprotocol Label Switching (MPLS) VPN interface is useful when an Ethernet LAN
is connected between two provider edge (PE) devices with either of the following conditions:
• A customer edge (CE) device with a default route to the HSRP virtual IP address
• One or more hosts with the HSRP virtual IP address configured as the default gateway
Each VPN is associated with one or more VPN routing and forwarding (VRF) instances. A VRF consists of
the following elements:
• IP routing table
• Cisco Express Forwarding table
• Set of interfaces that use the Cisco Express Forwarding forwarding table
• Set of rules and routing protocol parameters to control the information in the routing tables

163
VPN routing information is stored in the IP routing table and the Cisco Express Forwarding table for each
VRF. A separate set of routing and Cisco Express Forwarding tables is maintained for each VRF. These tables
prevent information from being forwarded outside a VPN and also prevent packets that are outside a VPN
from being forwarded to a device within the VPN.
HSRP adds ARP entries and IP hash table entries (aliases) using the default routing table instance. However,
a different routing table instance is used when VRF forwarding is configured on an interface, causing ARP
and ICMP echo requests for the HSRP virtual IP address to fail.
HSRP support for MPLS VPNs ensures that the HSRP virtual IP address is added to the correct IP routing
table and not to the default routing table.
Related Documents

Questions
Standards
Standards Title
MIBs
MIBs MIBs Link
following URL:
RFCs
RFCs Title

164
Feature Information for HSRP Support for MPLS VPNs
RFCs Title
Description Link


Table 12: Feature Information for HSRP Support for MPLS VPNs
HSRP Support for MPLS VPNs 12.0(23)S HSRP support for a Multiprotocol
Label Switching (MPLS) Virtual
12.0(17)ST
Private Network (VPN) interface
12.2(28)SB is useful when an Ethernet LAN is
connected between two provider
12.2(17b)SXA
edge (PE) devices under certain
12.2(8)T conditions.
12.2(50)SY There are no new or modified
15.0(1)S
15.0(1)SY

165

166
CHAPTER 14
Configuring VRRP
The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility
for one or more virtual routers to the VRRP routers on a LAN, allowing several routers on a multiaccess link
to utilize the same virtual IP address. A VRRP router is configured to run the VRRP protocol in conjunction
with one or more other routers attached to a LAN. In a VRRP configuration, one router is elected as the virtual
router master, with the other routers acting as backups in case the virtual router master fails.
This module explains the concepts related to VRRP and describes how to configure VRRP in a network.
• Restrictions for VRRP, on page 167
• Information About VRRP, on page 168
• How to Configure VRRP, on page 173
• Configuration Examples for VRRP, on page 180
• Feature Information for VRRP, on page 184

Restrictions for VRRP

• VRRP is designed for use over multiaccess, multicast, or broadcast capable Ethernet LANs. VRRP is
not intended as a replacement for existing dynamic protocols.
• VRRP is supported on Ethernet, Fast Ethernet, Bridge Group Virtual Interface (BVI), and Gigabit Ethernet
interfaces, and on Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs), VRF-aware
MPLS VPNs, and VLANs.

167
Configuring VRRP
Information About VRRP
• Because of the forwarding delay that is associated with the initialization of a BVI interface, you must
configure the VRRP advertise timer to a value equal to or greater than the forwarding delay on the BVI
interface. This setting prevents a VRRP router on a recently initialized BVI interface from unconditionally
taking over the master role. Use the bridge forward-time command to set the forwarding delay on the
BVI interface. Use the vrrp timers advertise command to set the VRRP advertisement timer.
Information About VRRP

VRRP Operation
There are several ways a LAN client can determine which router should be the first hop to a particular remote
destination. The client can use a dynamic process or static configuration. Examples of dynamic router discovery
are as follows:
• Proxy ARP—The client uses Address Resolution Protocol (ARP) to get the destination it wants to reach,
and a router will respond to the ARP request with its own MAC address.
• Routing protocol—The client listens to dynamic routing protocol updates (for example, from Routing
Information Protocol [RIP]) and forms its own routing table.
• ICMP Router Discovery Protocol (IRDP) client—The client runs an Internet Control Message Protocol
(ICMP) router discovery client.
The drawback to dynamic discovery protocols is that they incur some configuration and processing overhead
on the LAN client. Also, in the event of a router failure, the process of switching to another router can be
slow.
An alternative to dynamic discovery protocols is to statically configure a default router on the client. This
approach simplifies client configuration and processing, but creates a single point of failure. If the default
gateway fails, the LAN client is limited to communicating only on the local IP network segment and is cut
off from the rest of the network.
VRRP can solve the static configuration problem. VRRP enables a group of routers to form a single virtual
router. The LAN clients can then be configured with the virtual router as their default gateway. The virtual
router, representing a group of routers, is also known as a VRRP group.
VRRP is supported on Ethernet, Fast Ethernet, BVI, and Gigabit Ethernet interfaces, and on MPLS VPNs,
VRF-aware MPLS VPNs, and VLANs.
The figure below shows a LAN topology in which VRRP is configured. In this example, Routers A, B, and
C are VRRP routers (routers running VRRP) that comprise a virtual router. The IP address of the virtual router
is the same as that configured for the Ethernet interface of Router A (10.0.0.1).

168
Configuring VRRP
VRRP Operation
Figure 8: Basic VRRP Topology
Because the virtual router uses the IP address of the physical Ethernet interface of Router A, Router A assumes
the role of the virtual router master and is also known as the IP address owner. As the virtual router master,
Router A controls the IP address of the virtual router and is responsible for forwarding packets sent to this IP
address. Clients 1 through 3 are configured with the default gateway IP address of 10.0.0.1.
Routers B and C function as virtual router backups. If the virtual router master fails, the router configured
with the higher priority will become the virtual router master and provide uninterrupted service for the LAN
hosts. When Router A recovers, it becomes the virtual router master again. For more detail on the roles that
VRRP routers play and what happens if the virtual router master fails, see the VRRP Router Priority and
Preemption section.
The figure below shows a LAN topology in which VRRP is configured so that Routers A and B share the
traffic to and from clients 1 through 4 and that Routers A and B act as virtual router backups to each other if
either router fails.

169
Configuring VRRP
VRRP Benefits
Figure 9: Load Sharing and Redundancy VRRP Topology
In this topology, two virtual routers are configured. (For more information, see the Multiple Virtual Router
Support section.) For virtual router 1, Router A is the owner of IP address 10.0.0.1 and virtual router master,
and Router B is the virtual router backup to Router A. Clients 1 and 2 are configured with the default gateway
IP address of 10.0.0.1.
For virtual router 2, Router B is the owner of IP address 10.0.0.2 and virtual router master, and Router A is
the virtual router backup to Router B. Clients 3 and 4 are configured with the default gateway IP address of
10.0.0.2.
VRRP Benefits
Redundancy
VRRP enables you to configure multiple routers as the default gateway router, which reduces the possibility
of a single point of failure in a network.
Load Sharing
You can configure VRRP in such a way that traffic to and from LAN clients can be shared by multiple routers,
thereby sharing the traffic load more equitably among available routers.
Multiple Virtual Routers
Multiple IP Addresses
The virtual router can manage multiple IP addresses, including secondary IP addresses. Therefore, if you have
multiple subnets configured on an Ethernet interface, you can configure VRRP on each subnet.
Preemption
The redundancy scheme of VRRP enables you to preempt a virtual router backup that has taken over for a
failing virtual router master with a higher priority virtual router backup that has become available.

170
Configuring VRRP
Multiple Virtual Router Support
Authentication
VRRP message digest 5 (MD5) algorithm authentication protects against VRRP-spoofing software and uses
the industry-standard MD5 algorithm for improved reliability and security.
Advertisement Protocol
VRRP uses a dedicated Internet Assigned Numbers Authority (IANA) standard multicast address (224.0.0.18)
for VRRP advertisements. This addressing scheme minimizes the number of routers that must service the
multicasts and allows test equipment to accurately identify VRRP packets on a segment. The IANA assigned
VRRP the IP protocol number 112.
VRRP Object Tracking

VRRP object tracking provides a way to ensure the best VRRP router is the virtual router master for the group
by altering VRRP priorities to the status of tracked objects such as the interface or IP route states.
Multiple Virtual Router Support

• Router processing capability
• Router memory capability
• Router interface support of multiple MAC addresses
In a topology where multiple virtual routers are configured on a router interface, the interface can act as a
master for one virtual router and as a backup for one or more virtual routers.
VRRP Router Priority and Preemption

An important aspect of the VRRP redundancy scheme is VRRP router priority. Priority determines the role
that each VRRP router plays and what happens if the virtual router master fails.
If a VRRP router owns the IP address of the virtual router and the IP address of the physical interface, this
router will function as a virtual router master.
Priority also determines if a VRRP router functions as a virtual router backup and the order of ascendancy to
becoming a virtual router master if the virtual router master fails. You can configure the priority of each virtual
router backup with a value of 1 through 254 using the vrrp priority command.
For example, if Router A, the virtual router master in a LAN topology, fails, an election process takes place
to determine if virtual router backups B or C should take over. If Routers B and C are configured with the
priorities of 101 and 100, respectively, Router B is elected to become virtual router master because it has the
higher priority. If Routers B and C are both configured with the priority of 100, the virtual router backup with
the higher IP address is elected to become the virtual router master.
By default, a preemptive scheme is enabled whereby a higher priority virtual router backup that becomes
available takes over for the virtual router backup that was elected to become virtual router master. You can
disable this preemptive scheme using the no vrrp preempt command. If preemption is disabled, the virtual
router backup that is elected to become virtual router master remains the master until the original virtual router
master recovers and becomes master again.

171
Configuring VRRP
VRRP Advertisements
VRRP Advertisements
The virtual router master sends VRRP advertisements to other VRRP routers in the same group. The
advertisements communicate the priority and state of the virtual router master. The VRRP advertisements are
encapsulated in IP packets and sent to the IP Version 4 multicast address assigned to the VRRP group. The
advertisements are sent every second by default; the interval is configurable.
Although the VRRP protocol as per RFC 3768 does not support millisecond timers, Cisco routers allow you
to configure millisecond timers. You need to manually configure the millisecond timer values on both the
primary and the backup routers. The master advertisement value displayed in the show vrrp command output
on the backup routers is always 1 second because the packets on the backup routers do not accept millisecond
values.
You must use millisecond timers where absolutely necessary and with careful consideration and testing.
Millisecond values work only under favorable circumstances, and you must be aware that the use of the
millisecond timer values restricts VRRP operation to Cisco devices only.

Object tracking is an independent process that manages creating, monitoring, and removing tracked objects
such as the state of the line protocol of an interface. Clients such as the Hot Standby Router Protocol (HSRP),
Gateway Load Balancing Protocol (GLBP), and VRRP register their interest with specific tracked objects and
act when the state of an object changes.
such as VRRP use this number to track a specific object.
The tracking process periodically polls the tracked objects and notes any change of value. The changes in the
tracked object are communicated to interested client processes, either immediately or after a specified delay.
The object values are reported as either up or down.
VRRP object tracking gives VRRP access to all the objects available through the tracking process. The tracking
process allows you to track individual objects such as a the state of an interface line protocol, state of an IP
route, or the reachability of a route.
VRRP provides an interface to the tracking process. Each VRRP group can track multiple objects that may
affect the priority of the VRRP device. You specify the object number to be tracked and VRRP is notified of
any change to the object. VRRP increments (or decrements) the priority of the virtual device based on the
state of the object being tracked.
How VRRP Object Tracking Affects the Priority of a Device

change of value. The changes in the tracked object are communicated to VRRP, either immediately or after
the VRRP priority is reduced. The VRRP device with the higher priority can now become the virtual device
master if it has the vrrp preempt command configured. See the “VRRP Object Tracking” section for more
information on object tracking.

172
Configuring VRRP
In Service Software Upgrade--VRRP
In Service Software Upgrade--VRRP

VRRP supports In Service Software Upgrade (ISSU). In Service Software Upgrade (ISSU) allows a
high-availability (HA) system to run in stateful switchover (SSO) mode even when different versions of
software are running on the active and standby Route Processors (RPs) or line cards.
ISSU provides the ability to upgrade or downgrade from one supported release to another while continuing
to forward packets and maintain sessions, thereby reducing planned outage time. The ability to upgrade or
downgrade is achieved by running different software versions on the active RP and standby RP for a short
period of time to maintain state information between RPs. This feature allows the system to switch over to a
secondary RP running upgraded (or downgraded) software and continue forwarding packets without session
loss and with minimal or no packet loss. This feature is enabled by default.
For detailed information about ISSU, see the In Service Software Upgrade Process document in the High
VRRP Support for Stateful Switchover

With the introduction of the VRRP Support for Stateful Switchover feature, VRRP is SSO aware. VRRP can
detect when a router is failing over to the secondary RP and continue in its current group state.
SSO functions in networking devices (usually edge devices) that support dual Route Processors (RPs). SSO
provides RP redundancy by establishing one of the RPs as the active processor and the other RP as the standby
processor. SSO also synchronizes critical state information between the RPs so that network state information
is dynamically maintained between RPs.
Prior to being SSO aware, if VRRP was deployed on a router with redundant RPs, a switchover of roles
between the active RP and the standby RP would result in the router relinquishing its activity as a VRRP
group member and then rejoining the group as if it had been reloaded. The SSO--VRRP feature enables VRRP
to continue its activities as a group member during a switchover. VRRP state information between redundant
RPs is maintained so that the standby RP can continue the router’s activities within the VRRP during and
after a switchover.
This feature is enabled by default. To disable this feature, use the no vrrp sso command in global configuration
mode.
For more information, see the Stateful Switchover document.
How to Configure VRRP

VRRP
Customizing the behavior of VRRP is optional. Be aware that as soon as you enable a VRRP group, that group
is operating. It is possible that if you first enable a VRRP group before customizing VRRP, the router could
take over control of the group and become the virtual router master before you have finished customizing the
feature. Therefore, if you plan to customize VRRP, it is a good idea to do so before enabling VRRP.
SUMMARY STEPS
1. enable

173
Configuring VRRP
VRRP

5. vrrp group description text
6. vrrp group priority level
7. vrrp group preempt [delay minimum seconds]
8. vrrp group timers learn
9. exit
10. no vrrp sso
DETAILED STEPS

Router> enable

Example:
Router# configure terminal

Example:
Router(config)#GigabitEthernet 0/0/0

Example:
Router(config-if)# ip address 172.16.6.5

255.255.255.0
Step 5 vrrp group description text Assigns a text description to the VRRP group.
Example:
Router(config-if)# vrrp 10 description

working-group
Step 6 vrrp group priority level Sets the priority level of the router within a VRRP group.
Example: • The default priority is 100.
Router(config-if)# vrrp 10 priority 110

174
Configuring VRRP
EnablingVerifying VRRP

Step 7 vrrp group preempt [delay minimum seconds] Configures the router to take over as virtual router master
for a VRRP group if it has a higher priority than the current
Example:
virtual router master.
Router(config-if)# vrrp 10 preempt delay minimum • The default delay period is 0 seconds.
380
• The router that is IP address owner will preempt,
regardless of the setting of this command.
Step 8 vrrp group timers learn Configures the router, when it is acting as virtual router
backup for a VRRP group, to learn the advertisement
Example:
interval used by the virtual router master.
Router(config-if)# vrrp 10 timers learn
Step 9 exit Exits interface configuration mode.

Example:
Router(config-if)# exit
Step 10 no vrrp sso (Optional) Disables VRRP support of SSO.

Example: • VRRP support of SSO is enabled by default.
Router(config)# no vrrp sso
SUMMARY STEPS
1. enable
5. vrrp group ip ip-address [secondary]
6. show vrrp [brief all] | interface]
7. show vrrp interface type number [brief]
8. end
DETAILED STEPS

Router> enable

175
Configuring VRRP

Example:

Example:
Router(config)# interfaceGigabitEthernet 0/0/0

Example:

255.255.255.0
Step 5 vrrp group ip ip-address [secondary] Enables VRRP on an interface.

Example: • After you identify a primary IP address, you can use
the vrrp ip command again with the secondary
Router(config-if)# vrrp 10 ip 172.16.6.1 keyword to indicate additional IP addresses supported
by this group.
Note All routers in the VRRP group must be

configured with the same primary address and a
matching list of secondary addresses for the
virtual router. If different primary or secondary
addresses are configured, the routers in the
VRRP group will not communicate with each
other and any misconfigured router will change
its state to master.
Step 6 show vrrp [brief all] | interface] (Optional) Displays a brief or detailed status of one or all
VRRP groups on the router.
Example:
Router(config-if)#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr
Group addr
BD10 1 100 9609 Y Backup 10.1.0.2 10.1.0.10
BD10 5 200 90218 Y Master 10.1.0.1 10.1.0.50
BD10 100 100 3609 Backup 10.1.0.2 10.1.0.100
Step 7 show vrrp interface type number [brief] (Optional) Displays the VRRP groups and their status on a
specified interface.
Example:

Router)config-if)#show vrrp interface bdi10
BDI10 - Group 10
G1
State is Master
Virtual MAC address is 0000.5e00.010a

176
Configuring VRRP
Configuring VRRP Object Tracking

Advertisement interval is 10.000 sec
Priority is 110
Master Router is 10.0.0.2 (local), priority is 110
Master Advertisement interval is 10.000 sec
Master Down interval is 30.570 sec
FLAGS: 1/1

Example:
Router(config-if)# end
Configuring VRRP Object Tracking
Note If a VRRP group is the IP address owner, its priority is fixed at 255 and cannot be reduced through object
tracking.
SUMMARY STEPS
1. enable
5. vrrp group ip ip-address
6. vrrp group priority level
7. vrrp group track object-number [decrement priority]
8. end
9. show track [object-number]
DETAILED STEPS

Router> enable

Example:
Step 3 track object-number interface type number {line-protocol Configures an interface to be tracked where changes in the
| ip routing} state of the interface affect the priority of a VRRP group.

177
Configuring VRRP
Configuring VRRP Text Authentication

Example: • This command configures the interface and
corresponding object number to be used with the vrrp
Router(config)# track 2 interface serial 6 track command.
line-protocol
• The line-protocol keyword tracks whether the interface
is up. The ip routing keyword also checks that IP
routing is enabled and active on the interface.
• You can also use the track ip route command to track
the reachability of an IP route or a metric type object.

Example:
Router(config)# interface Ethernet 2
Step 5 vrrp group ip ip-address Enables VRRP on an interface and identifies the IP address
of the virtual router.
Example:
Router(config-if)# vrrp 1 ip 10.0.1.20
Step 6 vrrp group priority level Sets the priority level of the router within a VRRP group.
Example:
Step 7 vrrp group track object-number [decrement priority] Configures VRRP to track an object.
Example:
Router(config-if)# vrrp 1 track 2 decrement 15

Example:
Step 9 show track [object-number] Displays tracking information.

Example:
Router# show track 1

Before you begin
Interoperability with vendors that may have implemented the RFC 2338 method is not enabled.

178
Configuring VRRP
Text authentication cannot be combined with MD5 authentication for a VRRP group at any one time. When
MD5 authentication is configured, the text authentication field in VRRP hello messages is set to all zeros on
transmit and ignored on receipt, provided the receiving router also has MD5 authentication enabled.
SUMMARY STEPS
1. enable
5. vrrp group authentication text text-string
6. vrrp group ip ip-address
7. Repeat Steps 1 through 6 on each router that will communicate.
8. end
DETAILED STEPS

Router> enable

Example:
configuration mode.
Example:
Ethernet 0/1
Example:

255.255.255.0
Step 5 vrrp group authentication text text-string Authenticates VRRP packets received from other routers
in the group.
Example:
• If you configure authentication, all routers within the
Router(config-if)# vrrp 1 authentication text VRRP group must use the same authentication string.
textstring1

179
Configuring VRRP
Configuration Examples for VRRP

Note All routers within the VRRP group must be
configured with the same authentication string.
If the same authentication string is not
configured, the routers in the VRRP group will
not communicate with each other and any
misconfigured router will change its state to
master.
Step 6 vrrp group ip ip-address Enables VRRP on an interface and identifies the IP address
of the virtual router.
Example:
Step 7 Repeat Steps 1 through 6 on each router that will —

communicate.
Example:
Configuration Examples for VRRP

Example: Configuring VRRP
In the following example, Router A and Router B each belong to three VRRP groups.
In the configuration, each group has the following properties:
• Group 1:
• Virtual IP address is 10.1.0.10.
• Router A will become the master for this group with priority 120.
• Advertising interval is 3 seconds.
• Preemption is enabled.
• Group 5:
• Router B will become the master for this group with priority 200.
• Advertising interval is 30 seconds.
• Preemption is enabled.
• Group 100:
• Router A will become the master for this group first because it has a higher IP address (10.1.0.2).
• Advertising interval is the default 1 second.
• Preemption is disabled.

180
Configuring VRRP
Example: VRRP Object Tracking
Router A
Router(config)#
Router(config)# interfaceGigabitEthernet 0/0/0interface GigabitEthernet 1/0/0
Router(config-if)# vrrp 1 authentication text cisco
Router(config-if)# vrrp 1 timers advertise 3
Router(config-if)# no vrrp 100 preempt
Router(config-if)# no shutdown
Router B
Router(config)#GigabitEthernet 0/0/0interface GigabitEthernet 1/0/0

Router(config-if)# vrrp 1 authentication text cisco
Router(config-if)# no vrrp 100 preempt
Router(config-if)# no shutdown
Example: VRRP Object Tracking

In the following example, the tracking process is configured to track the state of the line protocol on serial
interface 0/1. VRRP on Ethernet interface 1/0 then registers with the tracking process to be informed of any
changes to the line protocol state of serial interface 0/1. If the line protocol state on serial interface 0/1 goes
down, then the priority of the VRRP group is reduced by 15.
Router(config)# track 1 interface Serial 0/1 line-protocol

Router(config-track)# exit
Router(config)# interface Ethernet 1/0
Router(config-if)# vrrp 1 track 1 decrement 15
Example: VRRP Object Tracking Verification

The following examples verify the configuration shown in the Example: VRRP Object Tracking section:

181
Configuring VRRP
Example: VRRP Text Authentication
Router# show vrrp
Ethernet1/0 - Group 1
State is Master
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption is enabled
min delay is 0.000 sec
Priority is 105
Master Advertisement interval is 1.000 sec
Master Down interval is 3.531 sec
Router# show track
Track 1
Interface Serial0/1 line-protocol
Line protocol is Down (hw down)
1 change, last change 00:06:53
Tracked by:
VRRP Ethernet1/0 1
Example: VRRP Text Authentication

The following example shows how to configure VRRP text authentication using a text string:
Router(config)#GigabitEthernet 0/0/0interface GigabitEthernet 0/0/0

Router(config)# ip address 10.21.8.32 255.255.255.0
Router(config-if)# vrrp 10 authentication text stringxyz
Example: VRRP MIB Trap

Router(config)# snmp-server enable traps vrrp
Router(config)# snmp-server host 10.1.1.0 community abc vrrp
Related Documents
VRRP commands Cisco IOS IP Application Services Command Reference
Object tracking Configuring Enhanced Object Tracking
Hot Standby Routing Protocol (HSRP) Configuring HSRP
In Service Software Upgrace (ISSU) "In Service Software Upgrade Process" in the High Availability
Configuration Guide

182
Configuring VRRP
Gateway Load Balancing Protocol (GLBP) Configuring GLBP
Stateful Switchover The Stateful Switchover section in theHigh Availability

Configuration Guide
Standards
Standards Title
No new or modified standards are supported by this feature, and support for existing standards has not —
MIBs
MIBs MIBs Link
VRRP MIB To locate and download MIBs for selected platforms, Cisco software releases, and feature sets,
use Cisco MIB Locator found at the following URL:
RFCs
RFCs Title
RFC 2787 Definitions of Managed Objects for the Virtual Router Redundancy Protocol
RFC 3768 Virtual Router Redundancy Protocol (VRRP)
Description Link


183
Configuring VRRP
Feature Information for VRRP
Feature Information for VRRP

Table 13: Feature Information for VRRP
ISSU—VRRP 15.2(1)S VRRP supports In Service Software Upgrade (ISSU). ISSU allows a
high-availability (HA) system to run in Stateful Switchover (SSO) mode even
15.3(1)S
when different versions of Cisco IOS software are running on the active and
standby Route Processors (RPs) or line cards.
This feature provides customers with the same level of HA functionality for
planned outages due to software upgrades as is available with SSO for
unplanned outages. That is, the system can switch over to a secondary RP
and continue forwarding packets without session loss and with minimal or
no packet loss.
SSO—VRRP 15.2(1)S VRRP is now SSO aware. VRRP can detect when a router is failing over to
the secondary RP and continue in its current VRRP group state.
15.3(1)S
The following commands were introduced or modified by this feature: debug
vrrp ha,vrrp sso, show vrrp.
Virtual Router 15.2(1)S VRRP enables a group of routers to form a single virtual router to provide
Redundancy redundancy. The LAN clients can then be configured with the virtual router
15.3(1)S
Protocol as their default gateway. The virtual router, representing a group of routers,
is also known as a VRRP group.
The following commands were introduced by this feature: debug vrrp all,
debug vrrp error, debug vrrp events, debug vrrp packets, debug vrrp
state, show vrrp, show vrrp interface, vrrp authentication, vrrp
description, vrrp ip, vrrp preempt, vrrp priority, vrrp timers advertise,
vrrp timers learn.
VRRP Object 15.2(1)S The VRRP Object Tracking feature extends the capabilities of the VRRP to
Tracking allow tracking of specific objects within the router that can alter the priority
15.3(1)S
level of a virtual router for a VRRP group.
The following command was introduced by this feature: vrrp track.
The following command was modified by this feature: show track.

184
Configuring VRRP
Glossary
VRRP MIB—RFC The VRRP MIB--RFC 2787 feature enables an enhancement to the MIB for
2787 use with SNMP-based network management. The feature adds support for
configuring, monitoring, and controlling routers that use VRRP.
The following command was introduced by this feature: vrrp shutdown.
The following commands were modified by this feature: snmp-server enable
trapsandsnmp-server host.
FHRP—VRF The FHRP—VRF Aware VRRP feature enables VRRP support on MPLS
Aware VRRP VPN.
Glossary
virtual IP address owner —The VRRP router that owns the IP address of the virtual router. The owner is
the router that has the virtual router address as its physical interface address.
virtual router —One or more VRRP routers that form a group. The virtual router acts as the default gateway
router for LAN clients. Also known as a VRRP group.
virtual router backup —One or more VRRP routers that are available to assume the role of forwarding
packets if the virtual router master fails.
virtual router master —The VRRP router that is currently responsible for forwarding packets sent to the IP
addresses of the virtual router. Usually the virtual router master also functions as the IP address owner.
VRRP router --A router that is running VRRP.

185
Configuring VRRP
Glossary

186
CHAPTER 15
VRRPv3 Protocol Support
Virtual Router Redundancy Protocol (VRRP) enables a group of devices to form a single virtual device to
provide redundancy. The LAN clients can then be configured with the virtual device as their default gateway.
The virtual device, representing a group of devices, is also known as a VRRP group. The VRRP version 3
(v3) Protocol Support feature provides the capability to support IPv4 and IPv6 addresses while VRRP version
2 (v2) only supports IPv4 addresses. This module explains concepts related to VRRPv3 and describes how
to create and customize a VRRP group in a network. Benefits of using VRRPv3 Protocol Support include the
following:
• Interoperability in multi-vendor environments.
• VRRPv3 supports usage of IPv4 and IPv6 addresses while VRRPv2 only supports IPv4 addresses.
• Improved scalability through the use of VRRS Pathways.
Note In this module, VRRP and VRRPv3 are used interchangeably.

• Restrictions for VRRPv3 Protocol Support, on page 188
• Information About VRRPv3 Protocol Support, on page 188
• How to Configure VRRPv3 Protocol Support, on page 190
• Configuration Examples for VRRPv3 Protocol Support, on page 194
• Additional References for VRRPv3 Protocol Support, on page 196
• Feature Information for VRRPv3 Protocol Support , on page 197


187
Restrictions for VRRPv3 Protocol Support
Restrictions for VRRPv3 Protocol Support

• VRRPv3 is not intended as a replacement for existing dynamic protocols. VRRPv3 is designed for use
over multi-access, multicast, or broadcast capable Ethernet LANs.
• VRRPv3 is supported on Ethernet, Fast Ethernet, Bridge Group Virtual Interface (BVI), and Gigabit
Ethernet interfaces, and on Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs),
VRF-aware MPLS VPNs, and VLANs.
• Because of the forwarding delay that is associated with the initialization of a BVI interface, you must
not configure the VRRPv3 advertise timer to a value lesser than the forwarding delay on the BVI interface.
If you configure the VRRPv3 advertise timer to a value equal to or greater than the forwarding delay on
the BVI interface, the setting prevents a VRRP device on a recently initialized BVI interface from
unconditionally taking over the master role. Use the bridge forward-time command to set the forwarding
delay on the BVI interface. Use the vrrp timers advertise command to set the VRRP advertisement
timer.
• VRRPv3 does not support Stateful Switchover (SSO).
• VRRPv3 protocol does not support authentication.
• Full network redundancy can only be achieved if VRRP operates over the same network path as the
VRRS Pathway redundant interfaces. For full redundancy, the following restrictions apply:
• VRRS pathways should not share a different physical interface as the parent VRRP group or be
configured on a sub-interface having a different physical interface as the parent VRRP group.
• VRRS pathways should not be configured on Switch Virtual Interface (SVI) interfaces as long as
the associated VLAN does not share the same trunk as the VLAN on which the parent VRRP group
is configured.
Information About VRRPv3 Protocol Support

VRRPv3 Benefits
Support for IPv4 and IPv6
VRRPv3 supports IPv4 and IPv6 address families while VRRPv2 only supports IPv4 addresses.
Note When VRRPv3 is in use, VRRPv2 is unavailable. For VRRPv3 to be configurable, the fhrp version vrrp v3
command must be used in global configuration mode
Redundancy
VRRP enables you to configure multiple devices as the default gateway device, which reduces the possibility
of a single point of failure in a network.

188
VRRP Device Priority and Preemption
Load Sharing
You can configure VRRP in such a way that traffic to and from LAN clients can be shared by multiple devices,
thereby sharing the traffic load more equitably between available devices.
Multiple Virtual Devices

VRRP supports up to 255 virtual devices (VRRP groups) on a device physical interface, subject to restrictions
in scaling. Multiple virtual device support enables you to implement redundancy and load sharing in your
LAN topology. In scaled environments, VRRS Pathways should be used in combination with VRRP control
groups.
Multiple IP Addresses
The virtual device can manage multiple IP addresses, including secondary IP addresses. Therefore, if you
have multiple subnets configured on an Ethernet interface, you can configure VRRP on each subnet.
Note To utilize secondary IP addresses in a VRRP group, a primary address must be configured on the same group.
Preemption
The redundancy scheme of VRRP enables you to preempt a virtual device backup that has taken over for a
failing virtual device master with a higher priority virtual device backup that has become available.
Note Preemption of a lower priority master device is enabled with an optional delay.
Advertisement Protocol
VRRP uses a dedicated Internet Assigned Numbers Authority (IANA) standard multicast address for VRRP
advertisements. For IPv4, the multicast address is 224.0.0.18. For IPv6, the multicast address is
FF02:0:0:0:0:0:0:12. This addressing scheme minimizes the number of devices that must service the multicasts
and allows test equipment to accurately identify VRRP packets on a segment. The IANA has assigned VRRP
the IP protocol number 112.
VRRP Device Priority and Preemption

An important aspect of the VRRP redundancy scheme is VRRP device priority. Priority determines the role
that each VRRP device plays and what happens if the virtual device master fails.
If a VRRP device owns the IP address of the virtual device and the IP address of the physical interface, this
device will function as a virtual device master.
Priority also determines if a VRRP device functions as a virtual device backup and the order of ascendancy
to becoming a virtual device master if the virtual device master fails. You can configure the priority of each
virtual device backup with a value of 1 through 254 using the priority command (use the vrrp address-family
command to enter the VRRP configuration mode and access the priority option).
For example, if device A, the virtual device master in a LAN topology, fails, an election process takes place
to determine if virtual device backups B or C should take over. If devices B and C are configured with the

189
VRRP Advertisements
priorities of 101 and 100, respectively, device B is elected to become virtual device master because it has the
higher priority. If devices B and C are both configured with the priority of 100, the virtual device backup with
the higher IP address is elected to become the virtual device master.
By default, a preemptive scheme is enabled whereby a higher priority virtual device backup that becomes
available takes over from the virtual device backup that was elected to become virtual device master. You
can disable this preemptive scheme using the no preempt command (use the vrrp address-family command
to enter the VRRP configuration mode, and enter the no preempt command). If preemption is disabled, the
virtual device backup that is elected to become virtual device master remains the master until the original
virtual device master recovers and becomes master again.
Note Preemption of a lower priority master device is enabled with an optional delay.
VRRP Advertisements
The virtual router master sends VRRP advertisements to other VRRP routers in the same group. The
advertisements communicate the priority and state of the virtual router master. The VRRP advertisements are
encapsulated into either IPv4 or IPv6 packets (based on the VRRP group configuration) and sent to the
appropriate multicast address assigned to the VRRP group. For IPv4, the multicast address is 224.0.0.18. For
IPv6, the multicast address is FF02:0:0:0:0:0:0:12. The advertisements are sent every second by default and
the interval is configurable.
Cisco routers allow you to configure millisecond timers, which is a change from VRRPv2. You need to
manually configure the millisecond timer values on both the primary and the backup routers. The master
advertisement value displayed in the show vrrp command output on the backup routers is always 1 second
because the packets on the backup routers do not accept millisecond values.
You must use millisecond timers where absolutely necessary and with careful consideration and testing.
Millisecond values work only under favorable circumstances. The use of the millisecond timer values is
compatible with third party vendors, as long as they also support VRRPv3. You can specify a timer value
between 100 milliseconds and 40000 milliseconds.
How to Configure VRRPv3 Protocol Support

IPv6 VRRP Link Local Address
VRRPv3 for IPv6 requires that a primary virtual link-local IPv6 address is configured to allow the group to
operate. After the primary link-local IPv6 address is established on the group, you can add the secondary
global addresses.
Enabling VRRPv3 on a Device

To enable VRRPv3 on a device, perform the following task:
SUMMARY STEPS
1. enable

190
Creating and Customizing a VRRP Group
3. fhrp version vrrp v3
4. end
DETAILED STEPS

Device> enable

Example:
Step 3 fhrp version vrrp v3 Enables the ability to configure VRRPv3 and VRRS.
Example: Note When VRRPv3 is in use, VRRPv2 is unavailable.
Device(config)# fhrp version vrrp v3

Example:
Device(config)# end

To create a VRRP group, perform the following task. Steps 6 to 14 denote customizing options for the group,
and they are optional:
SUMMARY STEPS
1. enable
5. vrrp group-id address-family {ipv4 | ipv6}
6. address ip-address [primary | secondary]
7. description group-description
8. match-address
9. preempt delay minimum seconds
10. priority priority-level
11. timers advertise interval
12. vrrpv2
13. vrrs leader vrrs-leader-name

191
14. shutdown
15. end
DETAILED STEPS

Device> enable

Example:
Example: Note When VRRPv3 is in use, VRRPv2 is
unavailable.

Example:
Step 5 vrrp group-id address-family {ipv4 | ipv6} Creates a VRRP group and enters VRRP configuration
mode.
Example:
Device(config-if)# vrrp 3 address-family ipv4
Step 6 address ip-address [primary | secondary] Specifies a primary or secondary address for the VRRP
group.
Example:
Note VRRPv3 for IPv6 requires that a primary virtual
Device(config-if-vrrp)# address 100.0.1.10 primary link-local IPv6 address is configured to allow
the group to operate. After the primary
link-local IPv6 address is established on the
group, you can add the secondary global
addresses.
Step 7 description group-description (Optional) Specifies a description for the VRRP group.
Example:
Device(config-if-vrrp)# description group 3
Step 8 match-address (Optional) Matches secondary address in the advertisement

packet against the configured address.
Example:
• Secondary address matching is enabled by default.

192
Configuring the Delay Period Before FHRP Client Initialization
Device(config-if-vrrp)# match-address
Step 9 preempt delay minimum seconds (Optional) Enables preemption of lower priority master
device with an optional delay.
Example:
• Preemption is enabled by default.
Device(config-if-vrrp)# preempt delay minimum 30
Step 10 priority priority-level (Optional) Specifies the priority value of the VRRP group.
Example: • The priority of a VRRP group is 100 by default.
Device(config-if-vrrp)# priority 3
Step 11 timers advertise interval (Optional) Sets the advertisement timer in milliseconds.
Example: • The advertisement timer is set to 1000 milliseconds
by default.
Device(config-if-vrrp)# timers advertise 1000
Step 12 vrrpv2 (Optional) Enables support for VRRPv2 simultaneously,

so as to interoperate with devices which only support
Example:
VRRP v2.
Device(config-if-vrrp)# vrrpv2 • VRRPv2 is disabled by default.
Step 13 vrrs leader vrrs-leader-name (Optional) Specifies a leader's name to be registered with
VRRS and to be used by followers.
Example:
• A registered VRRS name is unavailable by default.
Device(config-if-vrrp)# vrrs leader leader-1
Step 14 shutdown (Optional) Disables VRRP configuration for the VRRP

group.
Example:
• VRRP configuration is enabled for a VRRP group by
Device(config-if-vrrp)# shutdown default.

Example:
Device(config)# end
Configuring the Delay Period Before FHRP Client Initialization

To configure the delay period before the initialization of all FHRP clients on an interface, perform the following
task:
SUMMARY STEPS
1. enable

193
Configuration Examples for VRRPv3 Protocol Support
5. fhrp delay {[minimum] [reload] seconds}
6. end
DETAILED STEPS

Device> enable

Example:

Example:
Step 5 fhrp delay {[minimum] [reload] seconds} Specifies the delay period for the initialization of FHRP
clients after an interface comes up.
Example:
• The range is 0-3600 seconds.
Device(config-if)# fhrp delay minimum 5

Example:
Device(config)# end
Configuration Examples for VRRPv3 Protocol Support

Example: Enabling VRRPv3 on a Device
The following example shows how to enable VRRPv3 on a device:

194
Example: Creating and Customizing a VRRP Group
Device> enable
Device(config-if-vrrp)# end
Example: Creating and Customizing a VRRP Group

The following example shows how to create and customize a VRRP group:
Device> enable
Device(config)# interface gigabitethernet0/0
Device(config-if-vrrp)# address 100.0.1.10 primary
Device(config-if-vrrp)# description group 3
Device(config-if-vrrp)# match-address
Device(config-if-vrrp)# preempt delay minimum 30
Note In the above example, the fhrp version vrrp v3 command is used in the global configuration mode.
Example: Configuring the Delay Period Before FHRP Client Initialization

The following example shows how to configure the delay period before FHRP client initialization :
Device> enable
Device(config)# interface gigabitethernet0/0
Device(config-if)# fhrp delay minimum 5
Note In the above example, a five-second delay period is specified for the initialization of FHRP clients
after the interface comes up. You can specify a delay period between 0 and 3600 seconds.
Example: VRRP Status, Configuration, and Statistics Details

The following is a sample output of the status, configuration and statistics details for a VRRP group:
Device> enable
Device# show vrrp detail
Ethernet0/0 - Group 1 - Address-Family IPv4

195
Additional References for VRRPv3 Protocol Support
State is MASTER
State duration 3.707 secs
Virtual MAC address is 0000.5E00.0101
Advertisement interval is 1000 msec
Preemption enabled
Priority is 100
Master Advertisement interval is 1000 msec (expires in 686 msec)
Master Down interval is unknown
State is MASTER
State duration 3.707 secs
VRRPv3 Advertisements: sent 5 (errors 0) - rcvd 0
VRRPv2 Advertisements: sent 0 (errors 0) - rcvd 0
Group Discarded Packets: 0
VRRPv2 incompatibility: 0
IP Address Owner conflicts: 0
Invalid address count: 0
IP address configuration mismatch : 0
Invalid Advert Interval: 0
Adverts received in Init state: 0
Invalid group other reason: 0
Group State transition:
Init to master: 0
Init to backup: 1 (Last change Mon Jul 30 16:42:01.856)
Backup to master: 1 (Last change Mon Jul 30 16:42:05.469)
Master to backup: 0
Master to init: 0
Backup to init: 0
Device# exit
Additional References for VRRPv3 Protocol Support

Related Documents
Cisco IOS commands Master Commands List, All

Releases
FHRP commands First Hop Redundancy Protocols

Command Reference
Configuring VRRPv2 Configuring VRRP
Standards and RFCs
Standard/RFC Title
RFC5798 Virtual Router Redundancy Protocol
RFC 6527 Definitions of Managed Objects for the Virtual Router Redundancy Protocol Version 3
(VRRPv3)

196
Feature Information for VRRPv3 Protocol Support
MIBs
MIB MIBs Link

VRRPv3 To locate and download MIBs for selected platforms, Cisco software releases, and feature
MIB sets, use Cisco MIB Locator found at the following URL:
Description Link

Feature Information for VRRPv3 Protocol Support

Table 14: Feature Information for VRRPv3 Protocol Support
VRRPv3 Protocol Support Cisco IOS XE Release 3.8S VRRP enables a group of routers
to form a single virtual router to
provide redundancy. The LAN
clients can then be configured with
the virtual router as their default
gateway. The virtual router,
representing a group of routers, is
also known as a VRRP group. The
VRRPv3 Protocol Support feature
provides the capability to support
IPv4 and IPv6 addresses.
introduced or modified: fhrp delay,
show vrrp, vrrp address-family.

197
Glossary
Glossary
Virtual IP address owner—The VRRP router that owns the IP address of the virtual router. The owner is
the router that has the virtual router address as its physical interface address.
Virtual router—One or more VRRP routers that form a group. The virtual router acts as the default gateway
router for LAN clients. The virtual router is also known as a VRRP group.
Virtual router backup—One or more VRRP routers that are available to assume the role of forwarding
packets if the virtual router master fails.
Virtual router master—The VRRP router that is currently responsible for forwarding packets sent to the IP
addresses of the virtual router. Usually, the virtual router master also functions as the IP address owner.
VRRP router—A router that is running VRRP.

198
CHAPTER 16
VRRPv3: Object Tracking Integration
Virtual Router Redundancy Protocol (VRRP) enables a group of devices to form a single virtual device to
provide redundancy. The LAN clients then can be configured with the virtual device as the default gateway.
The virtual device, representing a group of devices, is also known as a VRRP group. The VRRPv3: Object
Tracking Integration feature allows you to track the behavior of an object and receive notifications of changes.
This module explains how object tracking, in particular the tracking of IPv6 objects, is integrated into VRRP
version 3 (VRRPv3) and describes how to track an IPv6 object using a VRRPv3 group. See the “VRRP Object
Tracking” section for more information on object tracking.
• Information About VRRPv3: Object Tracking Integration, on page 199
• How to Configure VRRPv3: Object Tracking Integration, on page 200
• Configuration Examples for VRRPv3: Object Tracking Integration, on page 201
• Additional References for VRRPv3: Object Tracking Integration, on page 202
• Feature Information for VRRPv3: Object Tracking Integration, on page 203

Information About VRRPv3: Object Tracking Integration

Object tracking is an independent process that manages creating, monitoring, and removing tracked objects
such as the state of the line protocol of an interface. Clients such as the Hot Standby Router Protocol (HSRP),
Gateway Load Balancing Protocol (GLBP), and VRRP register their interest with specific tracked objects and
act when the state of an object changes.

199
such as VRRP use this number to track a specific object.
The tracking process periodically polls the tracked objects and notes any change of value. The changes in the
tracked object are communicated to interested client processes, either immediately or after a specified delay.
The object values are reported as either up or down.
VRRP object tracking gives VRRP access to all the objects available through the tracking process. The tracking
process allows you to track individual objects such as a the state of an interface line protocol, state of an IP
route, or the reachability of a route.
VRRP provides an interface to the tracking process. Each VRRP group can track multiple objects that may
affect the priority of the VRRP device. You specify the object number to be tracked and VRRP is notified of
any change to the object. VRRP increments (or decrements) the priority of the virtual device based on the
state of the object being tracked.

change of value. The changes in the tracked object are communicated to VRRP, either immediately or after
the VRRP priority is reduced. The VRRP device with the higher priority can now become the virtual device
master if it has the vrrp preempt command configured. See the “VRRP Object Tracking” section for more
information on object tracking.
How to Configure VRRPv3: Object Tracking Integration

Tracking an IPv6 Object using VRRPv3
SUMMARY STEPS
3. vrrp group-id address-family ipv6
4. track object-number decrement number
5. end
DETAILED STEPS

Step 1 fhrp version vrrp v3 Enables you to configure Virtual Router Redundancy
Protocol version 3 (VRRPv3) and Virtual Router
Example:
Redundancy Service (VRRS) on a device.
Device(config)# fhrp version vrrp v3 Note When VRRPv3 is in use, VRRPv2 is unavailable.

200
Configuration Examples for VRRPv3: Object Tracking Integration

Step 2 interface type number Specifies an interface and enters interface configuration
mode.
Example:
Step 3 vrrp group-id address-family ipv6 Creates a VRRP group for IPv6 and enters VRRP
configuration mode.
Example:
Step 4 track object-number decrement number Configures the tracking process to track the state of the IPv6
object using the VRRPv3 group. VRRP on Ethernet
Example:
interface 0/0 then registers with the tracking process to be
informed of any changes to the IPv6 object on the VRRPv3
Device(config-if-vrrp)# track 1 decrement 20
group. If the IPv6 object state on serial interface VRRPv3
goes down, then the priority of the VRRP group is reduced
by 20.

Example:
ConfigurationExamplesforVRRPv3:ObjectTrackingIntegration
Example: Tracking an IPv6 Object using VRRPv3
In the following example, the tracking process is configured to track the state of the IPv6 object using
the VRRPv3 group. VRRP on GigabitEthernet interface 0/0/0 then registers with the tracking process
to be informed of any changes to the IPv6 object on the VRRPv3 group. If the IPv6 object state on
serial interface VRRPv3 goes down, then the priority of the VRRP group is reduced by 20:

Device(config-if-vrrp)# track 1 decrement 20
Example: Verifying VRRP IPv6 Object Tracking

Device# show vrrp
Ethernet0/0 - Group 1 - Address-Family IPv4

State is BACKUP
State duration 1 mins 41.856 secs

201
Additional References for VRRPv3: Object Tracking Integration
Virtual MAC address is 0000.5E00.0101

Advertisement interval is 1000 msec
Preemption enabled
Priority is 80 (configured 100)
Master Router is 172.24.1.2, priority is 100
Master Advertisement interval is 1000 msec (learned)
Master Down interval is 3609 msec (expires in 3297 msec)
Device# show track ipv6 route brief
Track Type Instance Parameter State Last Change

601 ipv6 route 3172::1/32 metric threshold Down 00:08:55
602 ipv6 route 3192:ABCD::1/64 metric threshold Down 00:08:55
603 ipv6 route 3108:ABCD::CDEF:1/96 metric threshold Down 00:08:55
604 ipv6 route 3162::EF01/16 metric threshold Down 00:08:55
607 ipv6 route 7001::AAAA/64 metric threshold Down 00:08:55
608 ipv6 route 9999::BBBB/64 metric threshold Down 00:08:55
611 ipv6 route 1111::1111/64 reachability Down 00:08:55
612 ipv6 route 2222:3333::4444/64 reachability Down 00:08:55
Additional References for VRRPv3: Object Tracking Integration

Related Documents
Cisco IOS commands Cisco IOS Master Command List, All Releases
HSRP commands: complete command syntax, Cisco IOS First Hop Redundancy Protocols Command

Questions
RFCs
RFCs Title

202
Feature Information for VRRPv3: Object Tracking Integration
Description Link


Table 15: Feature Information for VRRPv3: Object Tracking Integration
VRRPv3: Object Tracking The VRRPv3: Object Tracking

Integration Integration feature allows you to
use a VRRPv3 group to track an
object.
introduced or modified: fhrp
version vrrp v3, show vrrp, track
(VRRP).

203

204
CHAPTER 17
Virtual Router Redundancy Service
Virtual Router Redundancy Service (VRRS) provides a multiclient information abstraction and management
service between the Virtual Router Redundancy Protocol (VRRP), VRRS pathways and optional VRRS
clients. The VRRS multiclient service provides a consistent interface with VRRP by abstracting over several
First Hop Redundancy Protocols (FHRPs) and providing an idealized view of their state. VRRS manages data
updates, allowing interested clients to register in one place and receive updates for named VRRP groups.
VRRP acts as a server that pushes VRRP status information out to VRRS pathways, and all registered VRRS
clients. Pathways and clients obtain status on all essential information provided by VRRP, including current
and previous redundancy states, active and inactive Layer 2 and Layer 3 addresses, and, in some cases,
information about other redundant gateways in the network. Pathways use this information in order to provide
scaled first-hop gateway redundancy across scaled interface environments. VRRS clients will also use this
information to provide stateless and stateful redundancy information to clients and protocols.
Note In this module, VRRP and VRRPv3 are used interchangeably.

• Restrictions for VRRS, on page 206
• Information About VRRS, on page 206
• How to Configure VRRS, on page 208
• Configuration Examples for VRRS, on page 214
• Feature Information for Virtual Router Redundancy Service , on page 215


205
Restrictions for VRRS
Restrictions for VRRS

• VRRS plug-ins must be configured on subinterfaces that are not configured with VRRP, but which share
a physical interface with a VRRP group it is following.
• VRRP Version 2 (VRRPv2) is configurable only on Gigabit Ethernet interfaces.
• VRRS is currently only available for use with VRRP Version 3 (VRRPv3).
Information About VRRS

VRRS Overview
VRRS improves the scalability of VRRP. VRRS provides a stateless redundancy service to VRRS pathways
and applications (VRRS clients) by monitoring VRRP. VRRS provides a database of the current VRRP state
and provides a “push” data service to the VRRS pathways and clients with which it communicates. VRRP
acts as a VRRS server. VRRS clients are other Cisco processes or applications that use VRRP to provide or
withhold a service or resource dependent upon the state of the group. VRRS pathways are special VRRS
clients that use the VRRS database information in order to provide scaled first–hop gateway redundancy
across scaled interface environments.
The VRRS by itself is limited to maintaining its own state. Linking a VRRS client to a VRRP group provides
a mechanism that allows VRRS to provide a service to client applications so that they can implement stateless
or stateful failover. Stateless failover is failover without syncing of state. Stateful failover requires
communication with a nominated backup before failure so that operational data is not lost when failover
occurs.
VRRS pathways operate in a similar way to clients, but are integrated with the VRRS architecture. They
provide a means to scale first–hop gateway redundancy by allowing the user the opportunity to configure a
virtual address across hundreds of interfaces. The “virtual gateway” state of a VRRS pathway follows the
state of an FHRP VRRS server.
Using VRRS with VRRP

VRRP provides server support for VRRS. The VRRP server pushes state and status information to VRRS
when an internal update occurs. VRRS updates its internal database upon receiving a server update, and then
sends push notifications to each of the VRRS clients associated with the shared name. Clients are interested
in the protocol state, virtual MAC (vMAC) address, and virtual IP address information associated with a
group. The association name between a client and a VRRP group is a character name string. The information
provided by VRRS allows clients to perform various activities that are dependent on the state of the associated
VRRP group.
VRRP notifies VRRS of its current state (master, backup, or nonoperational initial state [INIT]). The VRRP
state is then passed on to pathways or clients. A VRRP group should be configured with a name to activate
VRRS. Pathways or clients should be configured with the same name to bind them with VRRS.
The VRRP group name associates the VRRP group with any clients that are configured as part of VRRS with
the same name.

206
VRRS Servers and Clients
VRRS Servers and Clients

VRRP acts as the VRRS server. Pathways and clients act on the VRRP server state. When a VRRP group
changes state, VRRS pathways and clients act by altering their behaviour (performing tasks such as shutting
down interfaces or appending accounting logs) depending on the state received from VRRS.
VRRS Pathways and Pathway Manager

VRRS Pathways
A VRRS pathway is defined as an entity that will provide IPv4 or IPv6 traffic forwarding duties using the
following features on an Ethernet interface (such as a physical interface, subinterface, or a Switch Virtual
Interface [SVI]):
• vMAC address insertion and removal into the hardware driver using MACdb.
• Virtual IP (vIP) insertion and removal using the IPv4 and IPv6 APIs.
• Provision to associate the vIP with the interface burned-in address (BIA) MAC.
• Provision to associate the vMAC address with the interface–owned vIP.
• Maintain the association of a vMAC with a vIP on a LAN using the Address Resolution Protocol (ARP)
or Neighbor Discovery Protocol.
• Maintain the switching cache (content-addressable memory or [CAM]) of connected Layer 2 devices on
the LAN.
• Checkpoints all data and the pathway state with a High Availability module.
A Pathway will provide some of the above features using its association with either the VRRS Pathway L2
Controller or the VRRS Pathway L3 Controller.
VRRS Pathway Manager

The VRRS Pathway Manager provides the following features:
• Creates an association between one or more VRRS pathway instances and a single VRRS database name
entry.
• Pushes configuration and state information to associated registered pathways in response to a push from
VRRS.
• Provides debugging and show output to the user. The output is related to the state and configuration of
the VRRS pathway manager.
• Is Online Insertion and Removal (OIR)–aware and manages pathways that may be affected by OIR
events.
• Is Virtual Routing and Forwarding (VRF)–aware and manages pathways that may be affected by VRF
events.

207
How to Configure VRRS
How to Configure VRRS

Configuring VRRPv3 Control Groups
Perform the following task to configure a VRRP control group.
SUMMARY STEPS
1. enable
6. vrrp group-id address-family {ipv4 | ipv6}
7. address ip-address [primary | secondary]
8. vrrs leader vrrs-leader-name
9. end
DETAILED STEPS

Device> enable

Example:

Example:
Step 5 ip address ip-address mask Configures the IP address on the interface.

Example:

208
Configuring VRRS Pathways

255.255.255.224
Step 6 vrrp group-id address-family {ipv4 | ipv6} Creates a VRRP group and enters VRRP configuration
mode.
Example:
Step 7 address ip-address [primary | secondary] Specifies a primary or secondary address for the VRRP
group.
Example:
Device(config-if-vrrp)# address 209.165.202.141
Step 8 vrrs leader vrrs-leader-name Specifies a leader’s name to be registered with VRRS and
enables a VRRP group to control a VRRS pathway.
Example:
• It is possible for a single VRRP instance to control
Device(config-if-vrrp)# vrrs leader group1 more than one VRRS group. A registered VRRS name
is unavailable by default.

Example:

Perform the following task to configure a VRRP pathway.
SUMMARY STEPS
1. enable
6. vrrs pathway vrrs-leader-name
7. mac address mac-address
8. address ip-address
9. end
DETAILED STEPS


209
Device> enable

Example:

Example:
Step 5 ip address ip-address mask Configures the IP address on the interface.

Example:

255.255.255.224
Step 6 vrrs pathway vrrs-leader-name Defines the VRRS pathway for a VRRS group and enters
VRRS pathway configuration mode.
Example:
Device(config-if)# vrrs pathway group1
Step 7 mac address mac-address Specifies a MAC address used by a pathway.

Example:
Device(config-if-vrrs-pw)# mac address

fe24.fe24.fe24
Step 8 address ip-address Defines the virtual IP for a pathway.

Example: • Note A VRRP group is capable of controlling
more than one pathway.
Device(config-if-vrrs-pw)# address 209.165.201.10

Example: • Note Repeat steps 1 to 9 to configure more
pathways.
Device(config-if-vrrs-pw)# end

210
Verifying VRRS
Verifying VRRS
Perform this task to verify VRRS functions.
Note The show commands are not in any specific order. The show vrrs pathway command for different pathway
states (active, inactive, and “not ready”) is displayed below.
SUMMARY STEPS
1. enable
2. show vrrs pathway
5. show vrrs server
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode.
Example:
Device> enable
Step 2 show vrrs pathway

Displays VRRS pathway information for an active pathway with the tag name “group1” and VRRP in master state on
the VLAN interface.
Example:
Device# show vrrs pathway
Pathway ["group1"@Vlan42]
State is ACTIVE [VRRS push "ACTIVE"]
Virtual MAC is fe24.fe24.fe24 [Active] (0)
Address-family is v4
Options: Default Pathway=0, Owner Mode=0, Accept-Mode=1, Configured vMAC=1
Evaluation: No Shut=1, Connected=1, OIR=1, L2 Ready=1, L3 Ready=1, vMAC Ready=1,
vIP Ready=1
Virtual Address List: 209.165.201.10

Displays VRRS pathway information for an inactive pathway with the tag name “group1” and VRRP in backup state on
the Ethernet 0/1 interface.
Example:

211
Verifying VRRS
Pathway ["group1"@Et0/1]
State is INACTIVE [VRRS push "BACKUP"]
Virtual MAC is 0101.0101.0101 [Reserved] (0)
vIP Ready=1

Displays VRRS pathway information for a “not ready” pathway with the tag name “group1” and VRRP in backup state
on the Ethernet 0/1 interface.
Example:
State is NOT READY [VRRS push "INIT"]
vIP Ready=1
Step 5 show vrrs server

Displays VRRS server information.
Example:
State is INACTIVE [VRRS push "BACKUP"]
vIP Ready=1
The table below describes significant fields in the sample output:
Field Description
State Current state of VRRS on an interface. The values displayed

are “ACTIVE”, “INACTIVE”, “NOT READY”, or
“BACKUP”.
Virtual MAC Virtual MAC address that is reserved for an interface.
Address-family IPv4 or IPv6 address family.

212
Verifying VRRS
Field Description
Default Pathway Indicates that the pathway has been implicitly created from
a VRRP group, if the value is 1. If the value is 0, it indicates
that the pathway has been explicitly created using the vrrs
pathway command.
Owner Mode Indicates that the interface IP address is specified if the

value is 1.
Accept-Mode Indicates that traffic to a particular virtual IP address is

accepted if the value is 1.
Configured vMAC Indicates that a virtual MAC address is configured if the

value is 1.
No Shut Indicates that the interface has been set to no shutdown

mode if the value is 1.
Connected Indicates that the VRRS pathway is connected to a VRRS

group, if the value is 1.
OIR Indicates online insertion and removal (OIR) of interface

line cards on a device is complete if the value is 1.
L2 Ready Indicates that the Layer 2 interface is up if the value is 1.
L3 Ready Indicates that the Layer 3 interface is up if the value is 1.
vMAC Ready Indicates that the virtual MAC address has been assigned
to an interface if the value is 1.
vIP Ready Indicates that the virtual IP address has been assigned to an
interface if the value is 1.
Virtual Address List Address list of the virtual IPv4 or IPv6 addresses.
Interface Name of the interface where the pathway is defined.
vMAC Virtual MAC address that is assigned to an interface.
vIP Address Virtual IP address that is assigned to an interface.
Tags Connected The specific tag name that is currently connected to a

pathway on an interface.

213
Configuration Examples for VRRS
Configuration Examples for VRRS

Example: Configuring VRRPv3 Control Groups
The following example shows how to configure a VRRPv3 control group:
Device> enable
Device(config-if-vrrp)# address 209.165.202.141
Device(config-if-vrrp)# vrrs leader group1
Note In the above example, the fhrp version vrrp v3 command is used in global configuration mode.
Example: Configuring VRRS pathways

The following example shows how to configure a VRRS pathway:
Device> enable
Device(config-if)# vrrs pathway group1
Device(config-if-vrrs-pw)# mac address fe24.fe24.fe24
Device(config-if-vrrs-pw)# address 209.165.201.10
Device(config-if-vrrs-pw)# end
Note In the above example, the fhrp version vrrp v3 command is used in global configuration mode.
Related Documents
Cisco IOS commands Master Command List, All

Releases

214
Feature Information for Virtual Router Redundancy Service
FHRP commands First Hop Redundancy Protocols

Command Reference
Configuring VRRPv2 “Configuring VRRP” module in the

First Hop Redundancy Protocols
Configuration Guide
VRRPv3 Protocol Support “VRRPv3 Protocol Support”

module in the First Hop
Redundancy Protocols
Configuration Guide
Standards and RFCs
Standard/RFC Title
RFC5798 Virtual Router Redundancy Protocol
Description Link



215
Table 16: Feature Information for Virtual Router Redundancy Service
Virtual Router Redundancy Service Cisco IOS XE Release 3.8S The VRRS feature provides a
multiclient information abstraction
and management service between
VRRP, VRRS pathways, and
optional VRRS clients
introduced or modified: debug vrrs
all, debug vrrs database, debug
vrrs log, debug vrrs pathway, and
show vrrs.

216
INDEX
S
show standby command 29

IN-1
INDEX

IN-2

First Hop Redundancy Protocols Configuration Guide, Cisco IOS XE 17

Uploaded by

Document Informationclick to expand document information

Document Informationclick to expand document information

Copyright:

Available Formats

First Hop Redundancy Protocols Configuration Guide, Cisco IOS XE 17

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

First Hop Redundancy Protocols Configuration Guide, Cisco IOS XE 17

Uploaded by

Copyright:

Available Formats

First Hop Redundancy Protocols Configuration Guide, Cisco IOS XE 17

CHAPTER 1 Read Me First 1

CHAPTER 2 Configuring GLBP 3

Finding Feature Information 3