Chapter 27 Hot Standby Router Protocol and Virtual Router Redundancy Protocol

Information About HSRP and VRRP

Feature Information for HSRP and VRRP, page 27-11

Overview of HSRP and VRRP

Text Authentication

Preemption

Overview of HSRP and VRRP

HSRP provides network redundancy for IP networks, which helps maximize network uptime. By sharing an IP address and a MAC (Layer 2) address, two or more routers can act as a single virtual router. The members of the virtual router group continuously exchange status messages. This way, one router can assume the routing responsibility of another, should it go out of commission for either planned or unplanned reasons. Hosts continue to forward IP packets to a consistent IP and MAC address, and the changeover of devices doing the routing is transparent.

A VRRP router is configured to run the VRRP protocol in conjunction with one or more other routers attached to a LAN. In a VRRP configuration, one router is elected as the virtual router master, with the other routers acting as backups in case the virtual router master fails. VRRP enables you to configure multiple routers as the default gateway router, which reduces the possibility of a single point of failure in a network. You can configure VRRP in such a way that traffic to and from LAN clients can be shared by multiple routers, to balance the load on available routers.

Text Authentication

HSRP and VRRP ignore unauthenticated protocol messages. The default authentication type is text authentication. HSRP or VRRP authentication protects against false hello packets causing a denial-of-service attack. For example, Router A has a priority of 120 and is the active router. If a host sends spoofed hello packets with a priority of 130, then Router A stops being the active router. If Router A has authentication configured such that the spoofed hello packets are ignored, Router A will remain the active router. Packets will be rejected in any of the following cases:

The authentication schemes differ on the router and in the incoming packets.

Text authentication strings differ on the router and in the incoming packets.
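The following added example (not from the Cisco guide) applies the two rejection cases above to the Router A scenario. It assumes the VRRPv2 advertisement layout from RFC 2338, which carries both an authentication type and an 8-byte text field; the key string, addresses and function names are constructed for illustration.

```python
import hmac
import struct

AUTH_NONE, AUTH_TEXT = 0, 1  # VRRPv2 Auth Type values per RFC 2338

def parse_advert(pkt):
    """Parse a VRRPv2 advertisement (checksum is not verified in this sketch)."""
    if len(pkt) < 16:
        raise ValueError("short packet")
    vt, vrid, prio, count, atype, _adv, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt != 0x21:  # version 2, type 1 (advertisement)
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 16 + 4 * count:  # header + addresses + 8-byte auth data
        raise ValueError("length does not match address count")
    return {"vrid": vrid, "priority": prio,
            "auth_type": atype, "auth_data": pkt[-8:]}

def accept(adv, cfg_type, cfg_text):
    """Apply the two rejection cases from the text to a parsed packet."""
    if adv["auth_type"] != cfg_type:  # case 1: schemes differ
        return False
    if cfg_type == AUTH_TEXT:
        # The text string is carried unencrypted in each advertisement (RFC 2338).
        want = cfg_text.encode().ljust(8, b"\0")[:8]
        return hmac.compare_digest(adv["auth_data"], want)  # case 2: strings differ
    return True

def stays_active(my_prio, pkt, cfg_type, cfg_text):
    """True if the local active router keeps its role after seeing pkt."""
    try:
        adv = parse_advert(pkt)
    except ValueError:
        return True  # malformed packets are ignored
    if not accept(adv, cfg_type, cfg_text):
        return True  # rejected packets cannot influence the election
    # Equal priorities (tie broken by IP address in the protocol) are not modelled.
    return adv["priority"] <= my_prio

def sample_advert(prio, atype, text, vrid=1, vip=bytes([192, 0, 2, 1])):
    """Constructed sample packet for the scenario; values are illustrative."""
    hdr = struct.pack("!BBBBBBH", 0x21, vrid, prio, 1, atype, 1, 0)
    return hdr + vip + text.encode().ljust(8, b"\0")[:8]

if __name__ == "__main__":
    KEY = "labkey01"  # constructed text authentication string
    spoofed = sample_advert(130, AUTH_NONE, "")
    print("auth configured:", stays_active(120, spoofed, AUTH_TEXT, KEY))
    print("no auth:        ", stays_active(120, spoofed, AUTH_NONE, ""))
```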

Preemption

Preemption occurs when a virtual router backup with a higher priority takes over from a virtual router backup that was elected to become a virtual router master; a preemptive scheme is enabled automatically. When a newly reloaded router becomes active even though an active router already exists on the network, it may appear that preemption is not functioning, but that is not the case. The new active router did not receive any hello packets from the current active router, so the preemption configuration never factored into the new router's decision making.

In general, we recommend that all HSRP routers have the following configuration:

standby delay minimum 30 reload 60

 

Cisco ASR 901 Series Aggregation Services Router Software Configuration Guide

OL-23826-09
