Cisco Catalyst 6000 Series Switches

HSRP Group Limitation on Catalyst 6500/6000 Series Switches Frequently Asked Questions

Document ID: 29545

Updated: Jul 23, 2008



This document addresses the Frequently Asked Questions (FAQs) on Hot Standby Router Protocol (HSRP) group support or limitations on the Multilayer Switch Feature Card 1 (MSFC1), Multilayer Switch Feature Card 2 (MSFC2), Multilayer Switch Feature Card 3 (MSFC3 with Supervisor Engine 720), and the Multilayer Switch Feature Card 2A (MSFC2A with Supervisor Engine 32) on Catalyst 6500/6000 switches. For more information about HSRP and configuration examples, refer to Understanding and Troubleshooting HSRP Problems in Catalyst Switch Networks.

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Q. What is the maximum number of HSRP group IDs supported on various Supervisor Engines?

A. This table lists the maximum number of unique HSRP group IDs supported (system wide) on various Supervisor Engines with MSFC1, MSFC2, MSFC3 (Supervisor Engine 720), or MSFC2A (Supervisor Engine 32). The Policy Feature Card 1 (PFC1) or PFC3-equipped Supervisor Engine has a 256 unique HSRP group ID limit. The Policy Feature Card 2 (PFC2)-equipped Supervisor Engine has a 16 unique HSRP group ID limit.

Supervisor Engine Description Maximum Number of Unique HSRP Groups IDs (system wide)
WS-X6K-SUP1A-MSFC= Supervisor Engine 1 with PFC1 and MSFC1 256
WS-X6K-S1A-MSFC2= Supervisor Engine 1 with PFC1 and MSFC2 256
WS-X6K-S2-MSFC2= Supervisor Engine 2 with PFC2 and MSFC2 16
WS-X6K-S2U-MSFC2= Supervisor Engine 2 with PFC2 and MSFC2 (with additional DRAM memory) 16
WS-SUP720 Supervisor Engine 720 with PFC3 and MSFC3 256
WS-SUP720-3B Supervisor Engine 720 with PFC3B and MSFC3 256
WS-SUP720-3BXL Supervisor Engine 720 with PFC3BXL and MSFC3 256
WS-SUP32-GE-3B Supervisor Engine 32 with PFC3B and MSFC2A 256
WS-SUP32-10GE-3B Supervisor Engine 32 with PFC3B and MSFC2A 256

Q. Does the limit apply to both Catalyst OS (CatOS) Software-based and Cisco IOS® Software-based Catalyst 6500/6000s?

A. Yes. The limitation is due to the hardware design of the PFC. PFC1 or PFC3 support 256 well-known HSRP MAC-addresses. PFC2 supports 16 well-known HSRP MAC-addresses. Therefore, it does not depend on the system software being used.

Q. Do the HSRP group IDs configured on Supervisor Engine 2/MSFC2 have to be contiguous? Are there any other requirements?

A. The HSRP group IDs do not have to be contiguous. You can pick any 16 group IDs in the allowed group ID range (0-255). However, only 16 group IDs can be used from that range. MSFC1, MSFC3 (Supervisor Engine 720), or MSFC2A (Supervisor Engine 32) can use any number of group IDs from that range.

Q. Can I only configure a total of 16 HSRP VLAN interfaces or 16 HSRP processes in the Supervisor Engine 2-based system?

A. No. You can use the 16 unique group IDs on as many interfaces as you like. 16 HSRP groups does not mean that you can have only 16 HSRP processes or 16 VLAN interfaces with HSRP enabled. The only caveat is that you can only define up to 16 HSRP processes per interface. However, it is very unlikely that you would need more than 16 HSRP processes per interface in a well-designed network.

Q. What is the implication of using the same HSRP group ID on multiple interfaces?

A. When you define the same HSRP group ID on multiple interfaces, they share the same HSRP virtual MAC address. In most modern LAN switches, there are no issues because they maintain a per-VLAN MAC address table. However, if your network contains any third-party switches, which maintain a system wide MAC address table regardless of VLAN, you can experience problems. If VLANs are not specified to a HSRP group, the VLANs default to Group 0.

Q. I was able to configure more than 16 unique HSRP groups on Supervisor Engine 2 prior to Cisco IOS Software Release 12.1(8a)E5 (running on the MSFC2), and now I cannot. What has changed?

A. In releases earlier than Cisco IOS Software Release 12.1(8a)E5, the software allowed creation of more than 16 unique HSRP groups on Supervisor Engine 2-based systems. This is a software bug that has since been fixed. If you upgrade from a release earlier than Cisco IOS Software Release 12.1(8a)E5 to a later release, and you have configured more than 16 HSRP groups, plan for this software fix by following the 16 HSRP unique group ID limit. Cisco IOS Software Release 12.1(8a)EX fixes this issue for systems running Cisco IOS Software on Supervisor Engine 2. This limit does not apply to the Supervisor Engine 1-based or Supervisor Engine 720-based system.

Q. What happens when I configure more than 16 HSRP Standby Groups in Sup2/PFC2?

A. If you configure more than 16 HSRP Standby Groups you see a message similar to this:

%MLS-3-FIB_MAXHSRP:Maximum number of supported HSRP addresses (16) exceeded

This message indicates that the number of Hot Standby Router Protocol (HSRP) groups sent from the MSRP exceeds the number of HSRP groups supported by NMP.

You must configure a maximum of 16 HSRP groups in hardware in order for hardware switching to take place. If there are more than 16, those flows are not hardware switched, but are switched in software by the MSFC.

Verify the MAC address usage for each VLAN with the show mls cef mac command.

caution Caution: Identically numbered HSRP groups use the same virtual MAC address, which can cause errors if you configure bridging on the MSFC.

Note: Because of the restriction to 16 unique HSRP group numbers, CEF for PFC2 cannot support the standby use-bia HSRP command.

Q. Is it a normal behavior for a 4506 / 6509-E to disclose the MD5 hash configured for HSRP standby authentication? When the show standby command is issued, the MD5 hashes are shown decrypted, even though the configuration has a hash.

A. Yes, this is normal behavior. It has been done to facilitate troubleshooting and it happens while in level 15 mode (enable). A workaround for this is to configure key-chain instead.

Q. Is it possible to configure HSRP and VRRP on two interfaces of the same router?

A. HSRP and VRRP are not supported between two interfaces on the same router. They are meant to be used between interfaces on two or more different routers. Cisco IOS does not permit two or more interfaces or subinterfaces in a single router to be in the same IP subnet or for a subnet to overlap with another connected IP subnet on the same router.

Related Information

Updated: Jul 23, 2008
Document ID: 29545