Configuring IP Services

Configuring the Hot Standby Router Protocol

Verifying HSRP Support for MPLS VPNs

The following example shows how to use show EXEC commands to verify that the HSRP virtual IP address is in the correct ARP and CEF tables:

Router# show ip arp vrf vrf1
Protocol  Address     Age (min)  Hardware Addr   Type  Interface
Internet  10.2.0.1           -   00d0.bbd3.bc22  ARPA  Ethernet0/2
Internet  10.2.0.20          -   0000.0c07.ac01  ARPA  Ethernet0/2

Router# show ip cef vrf vrf1
Prefix              Next Hop   Interface
0.0.0.0/0           10.3.0.4   Ethernet0/3
0.0.0.0/32          receive
10.1.0.0/16         10.2.0.1   Ethernet0/2
10.2.0.0/16         attached   Ethernet0/2
10.2.0.1/32         receive
10.2.0.20/32        receive
224.0.0.0/24        receive
255.255.255.255/32  receive

Enabling HSRP Support for ICMP Redirect Messages

Previously, ICMP redirect messages were automatically disabled on interfaces configured with HSRP. ICMP is a network layer Internet protocol that provides message packets to report errors and other information relevant to IP processing. ICMP provides many diagnostic functions and can send and redirect error packets to the host. See the section “Enabling ICMP Redirect Messages” earlier in this chapter for more information on ICMP redirect messages.

When running HSRP, it is important to prevent hosts from discovering the interface (or real) MAC addresses of routers in the HSRP group. If a host is redirected by ICMP to the real MAC address of a router, and that router later fails, then packets from the host will be lost.

With Cisco IOS Release 12.1(3)T and later, ICMP redirect messages are automatically enabled on interfaces configured with HSRP. This functionality works by filtering outgoing ICMP redirect messages through HSRP, where the next-hop IP address may be changed to an HSRP virtual IP address.

Redirects to Active HSRP Routers

The next-hop IP address is compared to the list of active HSRP routers on that network; if a match is found, then the real next-hop IP address is replaced with a corresponding virtual IP address and the redirect message is allowed to continue.

If no match is found, then the ICMP redirect message is sent only if the router corresponding to the new next-hop IP address is not running HSRP. Redirects to passive HSRP routers are not allowed (a passive HSRP router is a router that is running HSRP but has no active HSRP groups on the interface).

For optimal operation, every router in a network that is running HSRP should contain at least one active HSRP group on an interface to that network. The HSRP routers need not all be members of the same group. Each HSRP router will snoop on all HSRP packets on the network to maintain a list of active routers (virtual IP addresses versus real IP addresses).
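The filtering rules above can be modeled in a few lines. The following Python sketch is an added example, not Cisco IOS code: it builds the active-router list from snooped HSRP hellos and then applies the three redirect outcomes (rewrite, suppress, send unchanged). The class name, the hello fields, and all addresses are constructed for illustration, and the model assumes one virtual IP address per active router.

```python
from dataclasses import dataclass, field

@dataclass
class HsrpRedirectFilter:
    """Simplified model of the HSRP ICMP redirect filter on one interface."""
    active: dict = field(default_factory=dict)   # real IP -> virtual IP
    speakers: set = field(default_factory=set)   # every router heard running HSRP

    def snoop(self, real_ip, state, virtual_ip):
        """Update the tables from one observed HSRP hello."""
        self.speakers.add(real_ip)
        if state == "Active":
            # A virtual IP has a single active router: drop any stale owner.
            for ip in [r for r, v in self.active.items() if v == virtual_ip]:
                del self.active[ip]
            self.active[real_ip] = virtual_ip
        elif self.active.get(real_ip) == virtual_ip:
            # The router left the Active state for this group.
            del self.active[real_ip]

    def filter_redirect(self, next_hop):
        """Return the next hop to advertise, or None to suppress the redirect."""
        if next_hop in self.active:
            return self.active[next_hop]   # real address replaced by virtual IP
        if next_hop in self.speakers:
            return None                    # passive HSRP router: not allowed
        return next_hop                    # router not running HSRP: unchanged

# Constructed sample hellos: (real IP, HSRP state, virtual IP).
SAMPLE_HELLOS = [
    ("10.2.0.2", "Active", "10.2.0.20"),
    ("10.2.0.3", "Standby", "10.2.0.20"),
]

def build_filter(hellos=SAMPLE_HELLOS):
    """Replay a sequence of hellos into a fresh filter."""
    f = HsrpRedirectFilter()
    for hello in hellos:
        f.snoop(*hello)
    return f

if __name__ == "__main__":
    f = build_filter()
    for hop in ("10.2.0.2", "10.2.0.3", "10.2.0.9"):
        print(hop, "->", f.filter_redirect(hop))
    f.snoop("10.2.0.3", "Active", "10.2.0.20")   # failover to the standby router
    print("after failover:", f.filter_redirect("10.2.0.3"), f.filter_redirect("10.2.0.2"))
```

Because hosts only ever receive the virtual IP address in a redirect, the failover at the end of the example does not strand them on the failed router's real MAC address.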

Consider the network shown in Figure 18, which supports the HSRP ICMP redirection filter.

Cisco IOS IP Configuration Guide

Cisco Systems 78-11741-02