Guest

Support

show vrrp through synguard (virtual server)

  • Viewing Options

  • PDF (467.3 KB)
  • Feedback
show vrrp

Table Of Contents

show vrrp

show vrrp interface

show vrrs clients

show vrrs group

show vrrs plugin database

show vrrs summary

snmp-server enable traps slb

special-vj

standby arp gratuitous

standby authentication

standby bfd

standby bfd all-interfaces

standby delay minimum reload

standby follow

standby ip

standby mac-address

standby mac-refresh

standby name

standby preempt

standby priority

standby redirect

standby redirects (global)

standby send arp

standby sso

standby timers

standby track

standby use-bia

standby version

start-forwarding-agent

sticky (firewall farm datagram protocol)

sticky (firewall farm TCP protocol)

sticky (virtual server)

synguard (virtual server)


show vrrp

To display a brief or detailed status of one or all configured Virtual Router Redundancy Protocol (VRRP) groups on the router, use the show vrrp command in privileged EXEC mode.

show vrrp [all | brief]

Syntax Description

all

(Optional) Provides VRRP group information about all VRRP groups, including groups in a disabled state.

brief

(Optional) Provides a summary view of the group information.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.0(18)ST

This command was introduced.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.3(2)T

This command was enhanced to display the state of a tracked object.

12.3(14)T

This command was enhanced to display message digest algorithm 5 (MD5) authentication for a VRRP using text strings, key chains, or key strings.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.2(33)SRC

This command was enhanced to display synchronized state information from the active route processor (RP).

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

12.4(24)T

This command was modified. The output was modified to hide configured passwords when MD5 key-string or text authentication is configured.

Cisco IOS XE Release 2.6

This command was modified. The output was modified to display information about configured Virtual Router Redundancy Service (VRRS) names.


Usage Guidelines

If no group is specified, the status for all groups is displayed.

Examples

The following is sample output from the show vrrp command:

Router# show vrrp

Ethernet1/0 - Group 1 
State is Master
Virtual IP address is 10.2.0.10 
Virtual MAC address is 0000.5e00.0101 
Advertisement interval is 3.000 sec 
Preemption is enabled 
 min delay is 0.000 sec 
Priority 100 
 Track object 1 state down decrement 15
Master Router is 10.2.0.1 (local), priority is 100 
Master Advertisement interval is 3.000 sec 
Master Down interval is 9.609 sec

Ethernet1/0 - Group 2 
State is Master 
Virtual IP address is 10.0.0.20 
Virtual MAC address is 0000.5e00.0102 
Advertisement interval is 1.000 sec 
Preemption is enabled 
 min delay is 0.000 sec 
Priority 95 
Master Router is 10.0.0.1 (local), priority is 95 
Master Advertisement interval is 1.000 sec 
Master Down interval is 3.628 sec

The following sample output shows the MD5 authentication for a VRRP group using a key string:

Router# show vrrp

Ethernet0/1 - Group 1
State is Master
Virtual IP address is 10.21.0.10
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption is enabled
 min delay is 0.000 sec
Priority is 100
Authentication MD5, key-string
Master Router is 10.21.0.1 (local), priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec

The following is sample output from the show vrrp command in Cisco IOS Release 12.2(33)SRC or later releases, displaying peer RP state information:

Router# show vrrp

Ethernet0/0 - Group 1  
  State is Init (standby RP, peer state is Master)
  Virtual IP address is 172.24.1.1
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 255 
  Master Router is 172.24.1.1 (local), priority is 255 
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.003 sec

The following sample output displays information about a configured VRRS group name:

Router# show vrrp 

 Gige0/0/0 - Group 1 
State is Master 
Virtual IP address is 10.0.0.7 
Virtual MAC address is 0000.5e00.0101 
Advertisement interval is 1.000 sec 
Preemption enabled 
Priority is 100 
VRRS Group name CLUSTER1 ! Configured VRRS Group Name 
Master Router is 10.0.0.1 (local), priority is 100 
Master Advertisement interval is 1.000 sec 
Master Down interval is 3.609 sec 

Table 95 describes the significant fields shown in the displays.

Table 95 show vrrp Field Descriptions 

Field
Description

Ethernet1/0 - Group

Interface type and number, and VRRP group number.

State is

Role this interface plays within VRRP (Master or Backup).

(standby RP, peer state is Master)

State of the peer RP.

Virtual IP address is

Virtual IP address for this group.

Virtual MAC address is

Virtual MAC address for this group.

Advertisement interval is

Interval at which the router will send VRRP advertisements when it is the master virtual router. This value is configured with the vrrp timers advertise command.

Preemption is

Preemption is either enabled or disabled.

Priority

Priority of the interface.

Master Router is

IP address of the current master virtual router.

priority is

Priority of the current master virtual router.

Master Advertisement interval is

Advertisement interval, in seconds, of the master virtual router.

Master Down interval is

Calculated time, in seconds, that the master virtual router can be down before the backup virtual router takes over.

Track object

Object number representing the object to be tracked.

state

State value (up or down) of the object being tracked.

decrement

Amount by which the priority of the router is decremented (or incremented) when the tracked object goes down (or comes back up).

Authentication MD5, key-string

The currently configured authentication mechanism for this group. Values for this field include "MD5" for Message Digest 5 encryption, as shown in the second example, "text, string `my_secret_password'" for plain text, and "key-chain `the_chain_i'm_looking_at'."


The following is sample output from the show vrrp command with the brief keyword:

Router# show vrrp brief

Interface	     Grp  Prio   Time   Own  Pre  State    Master addr    Group addr
Ethernet1/0    1   100    3609          P  Master   10.0.0.4        10.0.0.10
Ethernet1/0    2   105    3589          P  Master   10.0.0.4        10.0.0.20

Table 96 describes the fields shown in the display.

Table 96 show vrrp brief Field Descriptions 

Field
Description

Interface

Interface type and number.

Grp

VRRP group to which this interface belongs.

Prio

VRRP priority number for this group.

Time

Calculated time that the master virtual router can be down before the backup virtual router takes over.

Own

IP address owner.

Pre

Preemption status. P indicates that preemption is enabled. If this field is empty, preemption is disabled.

State

Role this interface plays within VRRP (master or backup).

Master addr

IP address of the master virtual router.

Group addr

IP address of the virtual router.


Related Commands

Command
Description

vrrp ip

Enables VRRP on an interface and identifies the IP address of the virtual router.


show vrrp interface

To display the Virtual Router Redundancy Protocol (VRRP) groups and their status on a specified interface, use the show vrrp interface command in user EXEC or privileged EXEC mode.

show vrrp interface type number [brief]

Syntax Description

type

Interface type.

number

Interface number.

brief

(Optional) Provides a summary view of the group information.


Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release
Modification

12.0(18)ST

This command was introduced.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

12.4(24)T

This command was modified. The output was modified to hide configured passwords when MD5 key-string or text authentication is configured.


Examples

The following is sample output from the show vrrp interface command:

Router# show vrrp interface ethernet 1/0

Ethernet1/0 - Group 1
State is Master
Virtual IP address is 10.2.0.10
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 3.000 sec
Preemption enabled, delay min 4 secs
Priority is 100
Master Router is 10.2.0.1 (local), priority is 100
Master Advertisement interval is 3.000 sec
Master Down interval is 9.609 sec

Ethernet1/0 - Group 2
State is Master
Virtual IP address is 10.0.0.20
Virtual MAC address is 0000.5e00.0102
Advertisement interval is 1.000 sec
Preemption enabled, delay min 2 sec
Priority is 95
Authentication MD5, key-string
Master Router is 10.0.0.1 (local), priority is 95
Master Advertisement interval is 1.000 sec
Master Down interval is 3.628 sec

Table 97 describes the significant fields shown in the display.

Table 97 show vrrp interface Field Descriptions 

Field
Description

Ethernet1/0 - Group 1

Interface type and number, and VRRP group number.

State is

Role this interface plays within VRRP (master or backup).

Virtual IP address is

Virtual IP address for this group.

Virtual MAC is

Virtual MAC address for this group.

Advertisement interval is

Interval at which the router will send VRRP advertisements when it is the master virtual router. This value is configured with the vrrp timers advertise command.

Preemption

Preemption is either enabled or disabled.

delay min

If preemption is enabled, delay min is the minimum time (in seconds) that a router will wait before preempting the current master router. This field is displayed only if the delay is set at greater than 0 seconds.

Authentication MD5, key-string

The currently configured authentication mechanism for this group. Possible values for this field include "MD5" for Message Digest 5 encryption, as shown in the example above. Other messages not displayed in the example include "text, string "`my_secret_password'" for plain text and "key-chain `the_chain_i'm_looking_at'."

Priority is 100

Priority of this group on this interface.

Master Router is 10.2.0.1 (local)

IP address of the current master virtual router.

Priority is 100

Priority of the current master router.

Master Advertisement interval

Advertisement interval of the master virtual router.

Master Down interval

Calculated time that the master virtual router can be down before the backup virtual router takes over.


Related Commands

Command
Description

vrrp ip

Enables VRRP and identifies the IP address of the virtual router.

vrrp timers advertise

Configures the interval between successive advertisements by the master virtual router in a VRRP group.


Related Commands

show vrrs clients

To display a list of Virtual Router Redundancy Service (VRRS) clients, use the show vrrs clients command in user EXEC or privileged EXEC mode.

show vrrs clients

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)
User EXEC (>)

Command History

Release
Modification

Cisco IOS XE Release 2.6

This command was introduced.


Usage Guidelines

Use the show vrrs clients command to display a list of VRRS clients currently active on the router. The display contains the client IDs, client priority, whether the client is interested in all VRRS groups, and the client name.

The client ID is a dynamic integer value assigned to the client when it registers with VRRS. If the client ID for a particular client is different between two versions of a Cisco IOS XE image, it means there is a change in initialization order in the two images.

The client priority is a priority that the client chooses during registration with VRRS. The client priority dictates the order in which clients receive server notifications.

Examples

The following example displays a list VRRS clients:

Router# show vrrs clients

ID  Priority  All-groups  Name
------------------------------
1   High      No          VRRS-Plugins
2   Low       Yes         VRRS-Accounting
3   Normal    No          PPPOE-VRRS-CLIENT 

Table 98 describes the significant fields shown in the display.

Table 98 show vrrs clients Field Descriptions 

Field
Description

Priority

Priority of the client.

All-groups

Indicates whether a client is registered for all current and future VRRS groups.

Name

Name of the client.


Related Commands

Command
Description

show vrrp

Displays a brief or detailed status of one or all configured VRRP groups on the router.

show vrrs group

Display information about VRRS groups.

show vrrs plugin database

Displays details about the internal VRRS plug-in database.

show vrrs summary

Displays a summary of all VRRS groups.


show vrrs group

To display information about Virtual Router Redundancy Service (VRRS) groups, use the show vrrs group command in user EXEC or privileged EXEC mode.

show vrrs group [group-name]

Syntax Description

group-name

Name of a VRRS group.


Command Default

Information about all VRRS groups is displayed.

Command Modes

Privileged EXEC (#)
User EXEC (>)

Command History

Release
Modification

Cisco IOS XE Release 2.6

This command was introduced.


Usage Guidelines

Use the show vrrs group command to display details of a VRRS redundancy group, if a group name is specified. If no group name is specified, details of all VRRS groups configured or added by clients on the router are displayed.

Examples

The following example displays information about all currently configured VRRS groups:

Router# show vrrs group

DT-CLUSTER-3
Server Not configured, state INIT, old state INIT, reason Protocol 
  Address family IPv4, Virtual address 0.0.0.0, Virtual mac 0000.0000.0000 
  Active interface address 0.0.0.0, standby interface address 0.0.0.0 
Client 5 VRRS TEST CLIENT, priority Low 

DT-CLUSTER-2
Server VRRP, state BACKUP, old state INIT, reason HA SSO 
  Address family IPv4, Virtual address 10.1.1.1, Virtual mac 0000.5e00.0102 
  Active interface address 10.1.1.3, standby interface address 10.1.1.2 
Client 1 VRRS-Plugins, priority High 
Client 2 VRRS-Accounting, priority Low 
Client 3 PPPOE-VRRS-CLIENT, priority Normal 

DT-CLUSTER-1 
Server VRRP, state ACTIVE, old state INIT, reason HA SSO 
  Address family IPv4, Virtual address 10.1.1.1, Virtual mac 0000.5e00.0101 
  Active interface address 10.1.1.2, standby interface address 10.0.0.0 
Client 1 VRRS-Plugins, priority High 
Client 2 VRRS-Accounting, priority Low 
Client 3 PPPOE-VRRS-CLIENT, priority Normal 

Table 99 describes the significant fields shown in the display.

Table 99 show vrrs group Field Descriptions 

Field
Description

state

Current state of the server.

old state

Previous state of the server

reason

Reason for the last server state change.

Address family IPv4

Address family for this VRRS group.

Virtual address 0.0.0.0

Virtual IP address for this VRRS group.

Virtual mac 0000.0000.0000

Virtual MAC address for this VRRS group.

Client 1

Client ID of a VRRS client.

VRRS-Plugins

Client name.

priority High

Priority of this client.


Related Commands

Command
Description

show vrrp

Displays a brief or detailed status of one or all configured VRRP groups on the router.

show vrrs clients

Displays a list of VRRS clients.

show vrrs plugin database

Displays details about the internal VRRS plug-in database.

show vrrs summary

Displays a summary of all VRRS groups.


show vrrs plugin database

To display details about the internal Virtual Router Redundancy Service (VRRS) plug-in database, use the show vrrs plugin database command in user EXEC or privileged EXEC mode.

show vrrs plugin database

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)
User EXEC (>)

Command History

Release
Modification

Cisco IOS XE Release 2.6

This command was introduced.


Usage Guidelines

Use the show vrrs plugin database command to display details of the internal VRRS plug-in database. This command maps an interface-specific configuration with a VRRS redundancy group.

The output display includes; name, server connection status, VRRS State (simple), MAC address, test control indicator, VRRS client handle, and the plug-in interface list.

Examples

The following example displays information about the internal VRRS plug-in database:

Router# show vrrs plugin database

VRRS Plugin Database 
------------------------------------------------ 
Name = VRRS_NAME_1 
Server connection = Live 
State = Disabled 
MAC addr = 0000.5e00.0101 
Test Control = False 
Client Handle = 3741319170 
Interface list = 
                 gige0/0/0.2 
                 gige0/0/0.3 
------------------------------------------------ 
Name = VRRS_NAME_2 
Server connection = Diconnected 
State = Disabled 
MAC addr = 0000.0000.0000 
Test Control = False 
Client Handle = 603979779 
Interface list = 
                 gige0/0/0.4 
------------------------------------------------ 

Related Commands

Command
Description

show vrrp

Displays a brief or detailed status of one or all configured VRRP groups on the router.

show vrrs clients

Displays a list of VRRS clients.

show vrrs group

Display information about VRRS groups.

show vrrs summary

Displays a summary of all VRRS groups.


show vrrs summary

To display a summary of all Virtual Router Redundancy Service (VRRS) groups, use the show vrrs summary command in user EXEC or privileged EXEC configuration mode.

show vrrs summary

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)
User EXEC (>)

Command History

Release
Modification

Cisco IOS XE Release 2.6

This command was introduced.


Usage Guidelines

Use the show vrrs summary command to display a summary of VRRS groups either configured on a router or added by a client. The display includes the following group information: name, server, state, and virtual address.

Examples

The following example displays a summary of VRRS groups:

Router# show vrrs summary

Group                                             Server State Virtual-address 
------------------------------------------------------------------------------ 
DT-CLUSTER-3                                      UNKNOW INIT   0.0.0.0 
DT-CLUSTER-2                                      VRRP   BACKUP 10.1.1.1 
DT-CLUSTER-1                                      VRRP   ACTIVE 10.1.1.2 

Table 100 describes the significant fields shown in the display.

Table 100 show vrrs summary Field Descriptions 

Field
Description

Group

VRRS group name.

Server

The server which serves the VRRS group.

State

State of the server for the VRRS group.

Virtual-address

Virtual address associated with the VRRS group.


Related Commands

Command
Description

show vrrp

Displays a brief or detailed status of one or all configured VRRP groups on the router.

show vrrs clients

Displays a list of VRRS clients.

show vrrs group

Display information about VRRS groups.

show vrrs plugin database

Displays details about the internal VRRS plug-in database.


snmp-server enable traps slb

To enable IOS SLB traps for real- and virtual-server state changes, use the snmp-server enable traps slb command in global configuration mode. To disable the traps use the no form of this command.

snmp-server enable traps slb {real | virtual}

no snmp-server enable traps slb {real | virtual}

Syntax Description

real

Enables traps for real server state changes.

virtual

Enables traps for virtual server state changes.


Defaults

IOS SLB traps for real- and virtual-server state changes are not enabled.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.1(11b)E

This command was introduced.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Examples

The following example enables IOS SLB traps for real server state changes:

Router(config)# snmp-server enable traps slb real

special-vj

To enable the special Van Jacobson (VJ) format of TCP header compression so that context IDs are included in compressed packets, use the special-vj command in IPHC profile configuration mode. To disable the special VJ format and return to the default VJ format, use the no form of this command.

special-vj

no special-vj

Syntax Description

This command has no arguments or keywords.

Command Default

Context IDs are not included in compressed packets.

Command Modes

IPHC profile configuration (config-iphcp)

Command History

Release
Modification

12.4(15)T12

This command was introduced.

15.0(1)M2

This command was integrated into Cisco IOS Release 15.0(1)M2.


Usage Guidelines

If the special-vj command is configured on a VJ profile, each compressed packet will include the context ID.

To enable the special VJ format of TCP header compression, use the ip header-compression special-vj command in interface configuration mode.

Examples

The following example shows how to enable the special VJ format of TCP header compression:

Router(config)# iphc-profile p1 van-jacobson 
Router(config-iphcp)# special-vj 
Router(config-iphcp)# end

Related Commands

Command
Description

ip header-compression special-vj

Enables the special VJ format of TCP header compression.

show ip tcp header-compression

Displays TCP/IP header compression statistics.


standby arp gratuitous

To configure the number of gratuitous Address Resolution Protocol (ARP) packets sent by a Hot Standby Router Protocol (HSRP) group when it transitions to the active state, and how often the ARP packets are sent, use the standby arp gratuitous command in interface configuration mode. To configure HSRP to send the default number of gratuitous of ARP packets at the default interval when an HSRP group changes to the active state, use the no form of this command.

standby arp gratuitous [count number] [interval seconds]

no standby arp gratuitous

Syntax Description

count number

(Optional) Specifies the number of gratuitous ARP packets to send after an HSRP group is activated. The range is 0 to 60. The default is 2. 0 sends continuous gratuitous ARP packets.

interval seconds

(Optional) Specifies the interval, in seconds, at which HSRP gratuitous ARP packets are sent. The range is 3 to 1800 seconds. The default is 3 seconds.


Command Default

HSRP sends one gratuitous ARP packet when a group becomes active, and then another two and four seconds later.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(33)SXI

This command was introduced.


Usage Guidelines

You can configure HSRP to send a gratuitous ARP packet from one or more HSRP active groups. By default, HSRP sends one gratuitous ARP packet when a group becomes active, and then another two and four seconds later.

Use the standby arp gratuitous command in interface configuration mode to configure the number of gratuitous ARP packets sent by an Active HSRP group, and how often they are sent. The count and interval keywords can be specified in any order. If both the count and interval keywords are set to their default values, the standby arp gratuitous command does not appear in the running configuration.

Use the standby send arp command in EXEC mode to configure HSRP to send a single gratuitous ARP packet when an HSRP group becomes active.

Examples

The following example shows how to configure HSRP to send three gratuitous ARP packets every 4 seconds:

Router(config-if)# standby arp gratuitous count 3 interval 4

Related Commands

Command
Description

debug standby events

Displays events related to HSRP.

show standby arp gratuitous

Displays the number of gratuitous ARP packets sent by HSRP and how often they are sent.

standby send arp

Configures HSRP to send a single gratuitous ARP packet for each active HSRP group.


standby authentication

To configure an authentication string for the Hot Standby Router Protocol (HSRP), use the standby authentication command in interface configuration mode. To delete an authentication string, use the no form of this command.

standby [group-number] authentication {text string | md5 {key-string [0 | 7] key [timeout seconds] | key-chain name-of-chain}} 

no standby [group-number] authentication {text string | md5 {key-string [0 | 7] key [timeout seconds] | key-chain name-of-chain}}

Syntax Description

group-number

(Optional) Group number on the interface to which this authentication string applies. The default group number is 0.

text string

Authentication string. It can be up to eight characters long. The default string is cisco.

md5

Message Digest 5 (MD5) authentication.

key-string key

Specifies the secret key for MD5 authentication. The key can contain up to 64 characters. We recommend using at least 16 characters.

0

(Optional) Unencrypted key. If no prefix is specified, the text also is unencrypted.

7

(Optional) Encrypted key.

timeout seconds

(Optional) Duration in seconds that HSRP will accept message digests based on both the old and new keys.

key-chain name-of-chain

Identifies a group of authentication keys.


Command Default

No text authentication string is configured.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

10.0

This command was introduced.

12.1

The text keyword was added.

12.3(2)T

The md5 keyword and associated parameters were added.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.


Usage Guidelines

The authentication string is sent unencrypted in all HSRP messages when using the standby authentication text string option. The same authentication string must be configured on all routers and access servers on a cable to ensure interoperation. Authentication mismatch prevents a device from learning the designated Hot Standby IP address and the Hot Standby timer values from other routers configured with HSRP.

When group number 0 is used, no group number is written to NVRAM, providing backward compatibility.

If password encryption is configured with the service password-encryption command, the software saves the key string as encrypted text.

The timeout seconds is the duration that the HSRP group will accept message digests based on both the old and new keys. This allows time for configuration of all routers in a group with the new key. HSRP route flapping can be minimized by changing the keys on all the routers, provided that the active router is changed last. The active router should have its key string changed no later than one holdtime period, specified by the standby timers interface configuration command, after the non-active routers. This procedure ensures that the non-active routers do not time out the active router.

Examples

The following example configures "company1" as the authentication string required to allow Hot Standby routers in group 1 to interoperate:

interface ethernet 0
 standby 1 authentication text company1

The following example configures MD5 authentication using a key string named "345890":

interface Ethernet0/1
 standby 1 ip 10.21.0.12
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string 345890 timeout 30

The following example configures MD5 authentication using a key chain. HSRP queries the key chain "hsrp1" to obtain the current live key and key ID for the specified key chain:

key chain hsrp1
 key 1
  key-string 543210

interface Ethernet0/1
 standby 1 ip 10.21.0.10
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-chain hsrp1

Related Commands

Command
Description

service password-encryption

Encrypts passwords.

standby timers

Configures the time between hello packets and the time before other routers declare the active Hot Standby or standby router to be down.


standby bfd

To reenable Hot Standby Router Protocol (HSRP) Bidirectional Forwarding Detection (BFD) peering if it has been disabled on an interface, use the standby bfd command in interface configuration mode. To disable HSRP support for BFD, use the no form of this command.

standby bfd

no standby bfd

Syntax Description

This command has no arguments or keywords.

Command Default

HSRP support for BFD is enabled.

Command Modes

Interface configuration

Command History

Release
Modification

12.4(11)T

This command was introduced.


Usage Guidelines

HSRP BFD peering is enabled by default when the router is configured for BFD. Use this command to reenable HSRP BFD peering on the specified interface when it has previously been manually disabled.

To enable HSRP BFD peering globally on the router, use the standby bfd all-interfaces command in global configuration mode.

Examples

The following example shows how to reenable HSRP BFD peering if it has been disabled:

Router(config)# interface ethernet0/0
Router(config-if)# standby bfd

Related Commands

Command
Description

bfd

Sets the baseline BFD session parameters on an interface.

debug standby events neighbor

Displays HSRP neighbor events.

show bfd neighbor

Displays a line-by-line listing of existing BFD adjacencies.

show standby

Displays HSRP information.

show standby neighbors

Displays information about HSRP neighbors.

standby bfd all-interfaces

Reenables HSRP BFD peering on all interfaces if it has been disabled.

standby ip

Activates HSRP.


standby bfd all-interfaces

To reenable Hot Standby Router Protocol (HSRP) Bidirectional Forwarding Detection (BFD) peering on all interfaces if it has been disabled, use the standby bfd all-interfaces command in global configuration mode. To disable HSRP support for BFD peering, use the no form of this command.

standby bfd all-interfaces

no standby bfd all-interfaces

Syntax Description

This command has no arguments or keywords.

Command Default

HSRP BFD peering is enabled.

Command Modes

Global configuration

Command History

Release
Modification

12.4(11)T

This command was introduced.


Usage Guidelines

The HSRP BFD peering feature introduces BFD in the HSRP group member health monitoring system. Previously, group member monitoring relied exclusively on HSRP multicast messages, which are relatively large and consume CPU memory to produce and check. In architectures where a single interface hosts a large number of groups, there is a need for a protocol with low CPU memory consumption and processing overhead. BFD addresses this issue and offers subsecond health monitoring (failure detection in milliseconds) with a relatively low CPU impact. This command is enabled by default.

To enable HSRP support for BFD on a per-interface basis, use the standby bfd command in interface configuration mode.

Examples

The following example shows how to reenable HSRP BFD peering if it has been disabled on a router:

Router(config)# standby bfd all-interfaces

Related Commands

Command
Description

bfd

Sets the baseline BFD session parameters on an interface.

debug standby events neighbor

Displays HSRP neighbor events.

show bfd neighbor

Displays a line-by-line listing of existing BFD adjacencies.

show standby

Displays information about HSRP.

show standby neighbors

Displays information about HSRP neighbors.

standby bfd

Reenables HSRP BFD peering for a specified interface if it has been disabled.

standby ip

Activates HSRP.


standby delay minimum reload

To configure the delay period before the initialization of Hot Standby Router Protocol (HSRP) groups, use the standby delay minimum reload command in interface configuration mode. To disable the delay period, use the no form of this command.

standby delay minimum min-seconds reload reload-seconds

no standby delay minimum min-seconds reload reload-seconds

Syntax Description

min-seconds

Minimum time (in seconds) to delay HSRP group initialization after an interface comes up. This minimum delay period applies to all subsequent interface events.

The valid range is 0 to 300 seconds. The default is 1 second. The recommended value is 30 seconds.

reload-seconds

Time (in seconds) to delay after the router has reloaded. This delay period applies only to the first interface-up event after the router has reloaded.

The valid rang is 0 to 300 seconds. The default is 5 seconds. The recommended value is 60 seconds.


Command Default

HSRP group initialization is not delayed.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2

This command was introduced.

12.2(14)SX

Support for this command was added for the Supervisor Engine 720.

12.2(17d)SXB

Support for this command on the Supervisor Engine 2 was extended to Cisco IOS Release 12.2(17d)SXB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.


Usage Guidelines

If the active router fails or is removed from the network, then the standby router will automatically become the new active router. If the former active router comes back online, you can control whether it takes over as the active router by using the standby preempt command.

However, in some cases, even if the standby preempt command is not configured, the former active router will resume the active role after it reloads and comes back online. Use the standby delay minimum reload command to set a delay period for HSRP group initialization. This command allows time for the packets to get through before the router resumes the active role.

We recommend that all HSRP routers have the standby delay minimum reload configured with a minimum delay time of 30 seconds and a minimum reload time of 60 seconds.

The delay will be cancelled if an HSRP packet is received on an interface.

The standby delay minimum reload interface configuration command delays HSRP groups from initializing for the specified time after the interface comes up.

This command is separate from the standby preempt delay interface configuration command, which enables HSRP preemption delay.

Examples

The following example sets the minimum delay period to 30 seconds and the delay period after the first reload to 120 seconds:

interface ethernet 0
 ip address 10.20.0.7 255.255.0.0
 standby delay minimum 30 reload 60
 standby 3 ip 10.20.0.21
 standby 3 timers msec 300 msec 700
 standby 3 priority 100

Related Commands

Command
Description

show standby delay

Displays HSRP information about delay periods.

standby preempt

Configures the HSRP preemption and preemption delay.

standby timers

Configures the time between hello packets and the time before other routers declare the active HSRP or standby router to be down.


standby follow

To configure a Hot Standby Router Protocol (HSRP) group to become an IP redundancy client of another HSRP group, use the standby follow command in interface configuration mode. To remove the configuration of an HSRP group as a client group, use the no form of this command.

standby group-number follow group-name

no standby group-number follow group-name

Syntax Description

group-number

Group number on the interface for which HSRP is being activated. The default is 0.

group-name

Specifies the name of the master group for the client group to follow.


Command Default

HSRP groups are not configured as client groups.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.4(6)T

This command was introduced.

12.2(33)SRB

This command was integrated into Cisco IOS Release 12.2(33)SRB.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.


Usage Guidelines

The standby follow command configures an HSRP group to become an IP redundancy client of another HSRP group.

Client or slave groups must be on the same physical interface as the master group.

A client group takes its state from the master group it is following. Therefore, the client group does not use its timer, priority, or preemption settings. A warning is displayed if these settings are configured on a client group:

Router(config-if)# standby 1 priority 110
%Warning: This setting has no effect while following another group.

Router(config-if)# standby 1 timers 5 15
% Warning: This setting has no effect while following another group.

Router(config-if)# standby 1 preempt delay minimum 300
    % Warning: This setting has no effect while following another group.

HSRP client groups follow the master HSRP with a slight, random delay so that all client groups do not change at the same time.

You cannot configure an HSRP group to follow another HSRP group if that group is itself being followed by another HSRP group.

Use the show standby command to display complete information about an HSRP client group.

Examples

The following example shows how to configure HSRP group 2 as a client to the HSRP1 master group:

standby 2 follow HSRP1

Related Commands

Command
Description

show standby

Displays HSRP information.


standby ip

To activate the Hot Standby Router Protocol (HSRP), use the standby ip command in interface configuration mode. To disable HSRP, use the no form of this command.

standby [group-number] ip [ip-address [secondary]]

no standby [group-number] ip [ip-address]

Syntax Description

group-number

(Optional) Group number on the interface for which HSRP is being activated. The default is 0. The group number range is from 0 to 255 for HSRP version 1 and from 0 to 4095 for HSRP version 2.

ip-address

(Optional) IP address of the Hot Standby router interface.

secondary

(Optional) Indicates the IP address is a secondary Hot Standby router interface. Useful on interfaces with primary and secondary addresses; you can configure primary and secondary HSRP addresses.


Defaults

The default group number is 0.
HSRP is disabled by default.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

10.0

This command was introduced.

10.3

The group-number argument was added.

11.1

The secondary keyword was added.

12.3(4)T

The group number range was expanded for HSRP version 2.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

The standby ip command activates HSRP on the configured interface. If an IP address is specified, that address is used as the designated address for the Hot Standby group. If no IP address is specified, the designated address is learned through the standby function. For HSRP to elect a designated router, at least one router on the cable must have been configured with, or have learned, the designated address. Configuration of the designated address on the active router always overrides a designated address that is currently in use.

When the standby ip command is enabled on an interface, the handling of proxy Address Resolution Protocol (ARP) requests is changed (unless proxy ARP was disabled). If the Hot Standby state of the interface is active, proxy ARP requests are answered using the MAC address of the Hot Standby group. If the interface is in a different state, proxy ARP responses are suppressed.

When group number 0 is used, no group number is written to NVRAM, providing backward compatibility.

HSRP version 2 permits an expanded group number range from 0 to 4095. The increased group number range does not imply that an interface can, or should, support that many HSRP groups. The expanded group number range was changed to allow the group number to match the VLAN number on subinterfaces.

Examples

The following example activates HSRP for group 1 on Ethernet interface 0. The IP address used by the Hot Standby group will be learned using HSRP.

interface ethernet 0
 standby 1 ip

In the following example, all three virtual IP addresses appear in the ARP table using the same (single) virtual MAC address. All three virtual IP addresses are using the same HSRP group (group 0).

ip address 10.1.1.1. 255.255.255.0
ip address 10.2.2.2. 255.255.255.0 secondary
ip address 10.3.3.3. 255.255.255.0 secondary
ip address 10.4.4.4. 255.255.255.0 secondary
standby ip 10.1.1.254
standby ip 10.2.2.254 secondary
standby ip 10.3.3.254 secondary

standby mac-address

To specify a virtual Media Access Control (MAC) address for the Hot Standby Router Protocol (HSRP), use the standby mac-address command in interface configuration mode. To revert to the standard virtual MAC address (000.0C07.ACxy), use the no form of this command.

standby [group-number] mac-address mac-address

no standby [group-number] mac-address

Syntax Description

group-number

(Optional) Group number on the interface for which HSRP is being activated. The default is 0.

mac-address

MAC address.


Command Default

If this command is not configured, and the standby use-bia command is not configured, the standard virtual MAC address is used: 0000.0C07.ACxy, where xy is the group number in hexadecimal. This address is specified in RFC 2281, Cisco Hot Standby Router Protocol (HSRP).

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

11.2

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

This command cannot be used on a Token Ring interface.

HSRP is used to help end stations locate the first-hop gateway for IP routing. The end stations are configured with a default gateway. However, HSRP can provide first-hop redundancy for other protocols. Some protocols, such as Advanced Peer-to-Peer Networking (APN), use the MAC address to identify the first hop for outing purposes. In this case, it is often necessary to be able to specify the virtual MAC address; the virtual IP address is unimportant for these protocols. Use the standby mac-address command to specify the virtual MAC address.

The MAC address specified is used as the virtual MAC address when the router is active.

This command is intended for certain APPN configurations. The parallel terms are shown in Table 101.

Table 101 Parallel Terms Between APPN and IP

APPN
IP

End node

Host

Network Node

Router or gateway


In an APPN network, an end node is typically configured with the MAC address of the adjacent network node. Use the standby mac-address command in the routers to set the virtual MAC address to the value used in the end nodes.

Examples

If the end nodes are configured to use 4000.1000.1060 as the MAC address of the network node, the following example shows the command used to configure HSRP group 1 with the virtual MAC address:

Router(config-if)# standby 1 mac-address 4000.1000.1060

Related Commands

Command
Description

show standby

Displays HSRP information.

standby use-bia

Configures HSRP to use the burned-in address of the interface as its virtual MAC address.


standby mac-refresh

To change the interval at which packets are sent to refresh the Media Access Control (MAC) cache when the Hot Standby Router Protocol (HSRP) is running over FDDI, use the standby mac-refresh command in interface configuration mode. To restore the default value, use the no form of this command.

standby mac-refresh seconds

no standby mac-refresh

Syntax Description

seconds

Number of seconds in the interval at which a packet is sent to refresh the MAC cache. The maximum value is 255 seconds. The default is 10 seconds.


Defaults

seconds: 10 seconds

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.0

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

This command applies to HSRP running over FDDI only. Packets are sent every 10 seconds to refresh the MAC cache on learning bridges or switches. By default, the MAC cache entries age out in 300 seconds (5 minutes).

All other routers participating in HSRP on the FDDI ring receive the refresh packets, although the packets are intended only for the learning bridge or switch. Use this command to change the interval. Set the interval to 0 if you want to prevent refresh packets (if you have FDDI but do not have a learning bridge or switch).

Examples

The following example changes the MAC refresh interval to 100 seconds. Therefore, a learning bridge would need to miss three packets before the entry ages out.

standby mac-refresh 100

standby name

To configure the name of the standby group, use the standby name command in interface configuration mode. To disable the name, use the no form of this command.

standby name group-name

no standby name group-name

Syntax Description

group-name

Specifies the name of the standby group.


Defaults

The Hot Standby Router Protocol (HSRP) is disabled.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.0(2)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

The name specifies the HSRP group used. The HSRP group name must be unique on the router.

Examples

The following example specifies the standby name as SanJoseHA:

interface ethernet0
 ip address 10.0.0.1 255.0.0.0
 standby ip 10.0.0.10
 standby name SanJoseHA
 standby preempt delay sync 100
 standby priority 110

Related Commands

Command
Description

ip mobile home-agent redundancy

Configures the home agent for redundancy.


standby preempt

To configure Hot Standby Router Protocol (HSRP) preemption and preemption delay, use the standby preempt command in interface configuration mode. To restore the default values, use the no form of this command.

standby [group-number] preempt [delay {minimum seconds | reload seconds | sync seconds}]

no standby [group-number] preempt [delay {minimum seconds | reload seconds | sync seconds}]

Syntax Description

group-number

(Optional) Group number on the interface to which the other arguments in this command apply.

delay

(Optional) Required if either the minimum, reload, or sync keywords are specified.

minimum seconds

(Optional) Specifies the minimum delay period in seconds. The seconds argument causes the local router to postpone taking over the active role for a minimum number of seconds since that router was last restarted. The range is from 0 to 3600 seconds (1 hour). The default is 0 seconds (no delay).

reload seconds

(Optional) Specifies the preemption delay, in seconds, after a reload only. This delay period applies only to the first interface-up event after the router has reloaded.

sync seconds

(Optional) Specifies the maximum synchronization period for IP redundancy clients in seconds.


Defaults

The default group number is 0.
The default delay is 0 seconds; if the router wants to preempt, it will do so immediately.
By default, the router that comes up later becomes the standby.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

11.3

This command was introduced.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.0(2)T

The minimum and sync keywords were added.

12.2

The behavior of the command changed such that standby preempt and standby priority must be entered as separate commands.

12.2

The reload keyword was added.

12.4(4)T

Support for IPv6 was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.

12.2(33)SXH

The behavior of the command changed such that standby preempt and standby priority must be entered as separate commands.


Usage Guidelines


Note Cisco IOS 12.2SX software releases earlier than Cisco IOS Release 12.2(33)SXH use the syntax from Cisco IOS Release 12.1, which supports preempt as a keyword for the standby priority command. Cisco IOS Release 12.2(33)SXH and later releases use Cisco IOS Release 12.2 syntax, which requires standby preempt and standby priority to be entered as separate commands.


When the standby preempt command is configured, the router is configured to preempt, which means that when the local router has a Hot Standby priority higher than the current active router, the local router should attempt to assume control as the active router. If preemption is not configured, the local router assumes control as the active router only if it receives information indicating no router is in the active state (acting as the designated router).

This command is separate from the standby delay minimum reload interface configuration command, which delays HSRP groups from initializing for the specified time after the interface comes up.

When a router first comes up, it does not have a complete routing table. If it is configured to preempt, it will become the active router, yet it is unable to provide adequate routing services. Solve this problem by configuring a delay before the preempting router actually preempts the currently active router.

When group number 0 is used, no group number is written to NVRAM, providing backward compatibility.

IP redundancy clients can prevent preemption from taking place. The standby preempt delay sync seconds command specifies a maximum number of seconds to allow IP redundancy clients to prevent preemption. When this expires, then preemption takes place regardless of the state of the IP redundancy clients.

The standby preempt delay reload seconds command allows preemption to occur only after a router reloads. This provides stabilization of the router at startup. After this initial delay at startup, the operation returns to the default behavior.

The no standby preempt delay command will disable the preemption delay but preemption will remain enabled. The no standby preempt delay minimum seconds command will disable the minimum delay but leave any synchronization delay if it was configured.

When the standby follow command is used to configure an HSRP group to become an IP redundancy client of another HSRP group, the client group takes its state from the master group it is following. Therefore, the client group does not use its timer, priority, or preemption settings. A warning is displayed if these settings are configured on a client group:

Router(config-if)# standby 1 preempt delay minimum 300
    % Warning: This setting has no effect while following another group.

Examples

In the following example, the router will wait for 300 seconds (5 minutes) before attempting to become the active router:

interface ethernet 0
 standby ip 172.19.108.254
 standby preempt delay minimum 300 

standby priority

To configure Hot Standby Router Protocol (HSRP) priority, use the standby priority command in interface configuration mode. To restore the default values, use the no form of this command.

standby [group-number] priority priority

no standby [group-number] priority priority

Syntax Description

group-number

(Optional) Group number on the interface to which the other arguments in this command apply. The default group number is 0.

priority

Priority value that prioritizes a potential Hot Standby router. The range is from 1 to 255, where 1 denotes the lowest priority and 255 denotes the highest priority. The default priority value is 100. The router in the HSRP group with the highest priority value becomes the active router.


Defaults

The default group number is 0.
The default priority is 100.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

11.3

This command was introduced.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.2

The behavior of the command changed such that standby preempt and standby priority must be entered as separate commands.

12.4(4)T

Support for IPv6 was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.

12.2(33)SXH

The behavior of the command changed such that standby preempt and standby priority must be entered as separate commands.


Usage Guidelines


Note Cisco IOS 12.2SX software releases earlier than Cisco IOS Release 12.2(33)SXH use the syntax from Cisco IOS Release 12.1, which supports preempt as a keyword for the standby priority command. Cisco IOS Release 12.2(33)SXH and later releases use Cisco IOS Release 12.2 syntax, which requires standby preempt and standby priority to be entered as separate commands.


When group number 0 is used, the number 0 is written to NVRAM, providing backward compatibility.

The assigned priority is used to help select the active and standby routers. Assuming that preemption is enabled, the router with the highest priority becomes the designated active router. In case of ties, the primary IP addresses are compared, and the higher IP address has priority.

Note that the priority of the device can change dynamically if an interface is configured with the standby track command and another interface on the router or a tracked object goes down.

When the standby follow command is used to configure an HSRP group to become an IP redundancy client of another HSRP group, the client group takes its state from the master group it is following. Therefore, the client group does not use its timer, priority, or preemption settings. A warning is displayed if these settings are configured on a client group:

Router(config-if)# standby 1 priority 110
%Warning: This setting has no effect while following another group.

Examples

In the following example, the router has a priority of 120 (higher than the default value):

interface ethernet 0
 standby ip 172.19.108.254
 standby priority 120 
 standby preempt delay 300

Related Commands

Command
Description

standby track

Configures an interface so that the Hot Standby priority changes based on the availability of other interfaces.


standby redirect

To enable Hot Standby Router Protocol (HSRP) filtering of Internet Control Message Protocol (ICMP) redirect messages, use the standby redirect command in interface configuration mode. To disable the HSRP filtering of ICMP redirect messages, use the no form of this command.

standby redirect [timers advertisement holddown] [unknown]

no standby redirect [unknown]

Syntax Description

timers

(Optional) Adjusts HSRP router advertisement timers.

advertisement

(Optional) HSRP Router advertisement interval in seconds. This is an integer from 10 to 180. The default is 60 seconds.

holddown

(Optional) HSRP router holddown interval in seconds. This is an integer from 61 to 3600. The default is 180 seconds.

unknown

(Optional) Allows sending of ICMP packets when the next hop IP address contained in the packet is unknown in the HSRP table of real IP addresses and active virtual IP addresses. The no standby redirect unknown command stops the redirects from being sent.


Command Default

HSRP filtering of ICMP redirect messages is enabled if HSRP is configured on an interface.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.1(3)T

This command was introduced.

12.2

The following keywords and arguments were added to the command:

timers advertisement holdtime

unknown

12.3(2)T

The enable and disable keywords were deprecated.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.


Usage Guidelines

The standby redirect command can be configured globally or on a per-interface basis. When HSRP is first configured on an interface, the setting for that interface will inherit the global value. If the filtering of ICMP redirects is explicitly disabled on an interface, then the global command cannot reenable this functionality.

With the standby redirect command enabled, the real IP address of a router can be replaced with a virtual IP address in the next hop address or gateway field of the redirect packet. HSRP looks up the next hop IP address in its table of real IP addresses versus virtual IP addresses. If HSRP does not find a match, the HSRP router allows the redirect packet to go out unchanged. The host HSRP router is redirected to a router that is unknown, that is, a router with no active HSRP groups. You can specify the no standby redirect unknown command to stop these redirects from being sent.

Examples

The following example shows how to allow HSRP to filter ICMP redirect messages on interface Ethernet 0:

interface ethernet 0
 ip address 10.0.0.1 255.0.0.0
 standby redirect
 standby 1 ip 10.0.0.11

The following example shows how to change the HSRP router advertisement interval to 90 seconds and the holddown timer to 270 seconds on interface Ethernet 0:

interface ethernet 0
 ip address 10.0.0.1 255.0.0.0
 standby redirect timers 90 270
 standby 1 ip 10.0.0.11

Related Commands

Command
Description

show standby

Displays the HSRP information.

show standby redirect

Displays ICMP redirect information on interfaces configured with the HSRP.


standby redirects (global)

To configure Internet Control Message Protocol (ICMP) redirect messages with a Hot Standby Router Protocol (HSRP) virtual IP address as the gateway IP address, use the standby redirects command in global configuration mode. To disable the configuration, use the no form of this command.

standby redirects [disable | enable]

no standby redirects

Syntax Description

disable

(Optional) Disables the gateway address configuration.

enable

(Optional) Enables the gateway address configuration.


Command Default

The HSRP virtual IP address is configured as the gateway IP address.

Command Modes

Global configuration (config)

Command History

Release
Modification

15.0(1)M

This command was introduced in a release earlier than Cisco IOS Release 15.0(1)M.

12.2(33)SRC

This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SRC.

12.2(33)SXI

This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SXI.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1 and implemented on the Cisco ASR 1000 Series Aggregation Services Routers.


Examples

The following example shows how to disable the gateway address configuration:

Router# configure terminal
Router(config)# standby redirects disable

Related Commands

Command
Description

show standby redirect

Displays ICMP redirect information on interfaces configured with the HSRP.


standby send arp

To configure Hot Standby Router Protocol (HSRP) to send a single gratuitous ARP packet for each active HSRP group, use the standby send arp command in user EXEC or privileged EXEC mode.

standby send arp [interface-type interface-number [group-number]]

Syntax Description

interface-type interface-number

(Optional) Interface type and number of the interface out of which ARP packets are sent.

group-number

(Optional) Group number on the interface to which the other arguments in this command apply.


Command Default

HSRP sends gratuitous ARP packets from an HSRP group when it changes to the Active state.

Command Modes

User EXEC
Privileged EXEC(#)

Command History

Release
Modification

12.2(33)SXI

This command was introduced.


Usage Guidelines

Use the standby send arp command to cause a single gratuitous ARP packet to be sent for each active group. HSRP checks that the virtual IP address is entered correctly in the ARP cache prior to sending a gratuitous ARP packet. If the ARP entry is incorrect then HSRP will try to re-add it. This enables you to ensure that a host ARP cache is updated prior to starting heavy CPU-usage processes or configurations.

Static or alias ARP entries cannot be overwritten by HSRP.

You can use the standby arp gratuitous command in interface configuration mode to configure the number of gratuitous ARP packets sent by an active HSRP group, and how often they are sent.

Examples

The following example shows how to configure HSRP to check that an ARP cache is refreshed prior to sending a gratuitous ARP packet:

Router# standby send arp ethernet0/0 1 

Related Commands

Command
Description

debug standby events

Displays events related to HSRP.

show standby arp gratuitous

Displays the number of gratuitous ARP packets sent by HSRP and how often they are sent.

standby arp gratuitous

Configures the number of gratuitous ARP packets sent by an active HSRP group, and how often they are sent.


standby sso

To enable the Hot Standby Router Protocol (HSRP) Stateful Switchover (SSO), use the standby sso command in global configuration mode. To disable HSRP SSO, use the no form of this command.

standby sso

no standby sso

Syntax Description

This command has no arguments or keywords.

Command Default

HSRP SSO is enabled when redundancy mode SSO is configured.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(25)S

This command was introduced.

12.2(27)SBC

This command was integrated into Cisco IOS Release 12.2(27)SBC.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.


Usage Guidelines

Use the standby sso command to enable HSRP SSO. This is the default when redundancy mode SSO is configured. When standby SSO is enabled, traffic sent using an HSRP virtual IP address continues through the HSRP group member using the current path while a Route Processor (RP) switchover occurs. The HSRP state is maintained and kept synchronized across the redundant RPs within the chassis.

If you want the traffic to switch to a redundant device (another chassis) even though the redundant RP is capable of taking over, then the feature can be disabled by using the no form of the command. If the command is disabled and if the primary HSRP router fails, the HSRP state is not maintained across RP switchover and traffic targeted to the HSRP virtual IP address is handled by the standby HSRP router.

Examples

The following example shows how to reenable standby SSO for HSRP if it has been disabled:

standby sso

Related Commands

Command
Description

debug standby events

Displays standby events related to HSRP.

show standby

Displays HSRP information.


standby timers

To configure the time between hello packets and the time before other routers declare the active Hot Standby or standby router to be down, use the standby timers command in interface configuration mode. To restore the timers to their default values, use the no form of this command.

standby [group-number] timers [msec] hellotime [msec] holdtime

no standby [group-number] timers [msec] hellotime [msec] holdtime

Syntax Description

group-number

(Optional) Group number on the interface to which the timers apply. The default is 0.

msec

(Optional) Interval in milliseconds. Millisecond timers allow for faster failover.

hellotime

Hello interval (in seconds). This is an integer from 1 to 254. The default is 3 seconds. If the msec option is specified, hello interval is in milliseconds. This is an integer from 15 to 999.

holdtime

Time (in seconds) before the active or standby router is declared to be down. This is an integer from x to 255. The default is 10 seconds. If the msec option is specified, holdtime is in milliseconds. This is an integer from y to 3000.

Where:

x is the hellotime + 50 milliseconds, then rounded up to the nearest
1 second

y is greater than or equal to 3 times the hellotime and is not less than
50 milliseconds.


Defaults

The default group number is 0.
The default hello interval is 3 seconds.
The default hold time is 10 seconds.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

10.0

This command was introduced.

11.2

The msec keyword was added.

12.2

The minimum values of hellotime and holdtime in milliseconds changed.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

The standby timers command configures the time between standby hello packets and the time before other routers declare the active or standby router to be down. Routers or access servers on which timer values are not configured can learn timer values from the active or standby router. The timers configured on the active router always override any other timer settings. All routers in a Hot Standby group should use the same timer values. Normally, holdtime is greater than or equal to 3 times the value of hellotime. The range of values for holdtime force the holdtime to be greater than the hellotime. If the timer values are specified in milliseconds, the holdtime is required to be at least three times the hellotime value and not less than 50 milliseconds.

Some HSRP state flapping can occasionally occur if the holdtime is set to less than 250 milliseconds, and the processor is busy. It is recommended that holdtime values less than 250 milliseconds be used on Cisco 7200 platforms or better, and on Fast-Ethernet or FDDI interfaces or better. Setting the process-max-time command to a suitable value may also help with flapping.

The value of the standby timer will not be learned through HSRP hellos if it is less than 1 second.

When group number 0 is used, no group number is written to NVRAM, providing backward compatibility.

When the standby follow command is used to configure an HSRP group to become an IP redundancy client of another HSRP group, the client group takes its state from the master group it is following. Therefore, the client group does not use its timer, priority, or preemption settings. A warning is displayed if these settings are configured on a client group:

Router(config-if)# standby 1 timers 5 15
    % Warning: This setting has no effect while following another group.

Examples

The following example sets, for group number 1 on Ethernet interface 0, the time between hello packets to 5 seconds, and the time after which a router is considered to be down to 15 seconds:

interface ethernet 0
 standby 1 ip 
 standby 1 timers 5 15 

The following example sets, for the Hot Router interface located at 172.19.10.1 on Ethernet interface 0, the time between hello packets to 300 milliseconds, and the time after which a router is considered to be down to 900 milliseconds:

interface ethernet 0
 standby ip 172.19.10.1 
 standby timers msec 300 msec 900 

The following example sets, for the Hot Router interface located at 172.18.10.1 on Ethernet interface 0, the time between hello packets to 15 milliseconds, and the time after which a router is considered to be down to 50 milliseconds. Note that the holdtime is larger than three times the hellotime because the minimum holdtime value in milliseconds is 50.

interface ethernet 0
 standby ip 172.18.10.1 
 standby timers msec 15 msec 50 

standby track

To configure the Hot Standby Router Protocol (HSRP) to track an object and change the Hot Standby priority on the basis of the state of the object, use the standby track command in interface configuration mode. To remove the tracking, use the no form of this command.

Cisco IOS XE Release 2.1 and Later Releases

standby track {object-number | interface-type interface-number [decrement priority-decrement]} [shutdown]

no standby track {object-number | interface-type interface-number}

Cisco IOS Release 12.2(33)SXH, 12.2(33)SRB, and Later Releases

standby track {object-number | interface-type interface-number [decrement priority-decrement]} [shutdown]

no standby track {object-number | interface-type interface-number}

Cisco IOS Release 12.4(9)T and Later Releases

standby track {object-number [priority-decrement] | interface-type interface-number [decrement priority-decrement]} [shutdown]

no standby track {object-number | interface-type interface-number}

Cisco IOS Release 12.2(15)T and Later Releases

standby track {object-number [priority-decrement] | interface-type interface-number [decrement priority-decrement]}

no standby track {object-number | interface-type interface-number}

Cisco IOS Releases 12.2(13)T, 12.2(14)SX, 12.2(17dSXB), 12.2(33)SRA, and Earlier Releases

standby track interface-type interface-number [interface-priority]

no standby track interface-type interface-number [interface-priority]

Syntax Description

object-number

Object number that represents the object to be tracked. The range is from 1 to 1000. The default is 1.

interface-type

Interface type (combined with interface number) that will be tracked.

interface-number

Interface number (combined with interface type) that will be tracked.

decrement priority-decrement

(Optional) Amount by which the Hot Standby priority for the router is decremented (or incremented) when the tracked object goes down (or comes back up). The range is from 1 to 255. The default is 10.

shutdown

(Optional) Changes the HSRP group to the Init state on the basis of the state of a tracked object.

interface-priority

(Optional) Amount by which the Hot Standby priority for the router is decremented (or incremented) when the interface goes down (or comes back up). The range is from 0 to 255. The default is 10.

group-number

(Optional) Group number to which the tracking applies.


Command Default

There is no tracking.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

10.3

This command was introduced.

12.2(15)T

This command was enhanced to allow HSRP to track objects other than the interface line-protocol state.

12.2(14)SX

Support for this command was introduced on the Cisco 7600 series routers running a Supervisor Engine 720.

12.2(17d)SXB

This command was integrated into Cisco IOS release 12.2(17d)SXB.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(9)T

The shutdown keyword was added.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

15.1(3)T

This command was modified. The valid range of the object-number argument increased to 1000.

15.1(1)S

This command was modified. The valid range for the object-number argument increased to 1000.


Usage Guidelines

This command ties the Hot Standby priority of the router to the availability of its tracked objects. Use the track interface command or track ip route command to track an interface object or an IP-route object. The HSRP client can register its interest in the tracking process by using the standby track command and take action when the object changes.

When a tracked object goes down, the Hot Standby priority decreases by 10. If an object is not tracked, its state changes do not affect the Hot Standby priority. For each object configured for Hot Standby, you can configure a separate list of objects to be tracked.

The optional priority-decrement and interface-priority arguments specify how much to decrement the Hot Standby priority when a tracked object goes down. When the tracked object comes back up, the priority is incremented by the same amount.

When multiple tracked objects are down, the decrements are cumulative, whether configured with priority-decrement or interface-priority values or not.

The optional shutdown keyword configures the HSRP group to change to the Init state and become disabled rather than having its priority decremented when a tracked object goes down.

Use the no standby group-number track command to delete all tracking configuration for a group.

When group number 0 is used, no group number is written to NVRAM, providing backward compatibility.

The standby track command syntax prior to Cisco IOS Release 12.2(15)T is still supported. Using the older form of the command syntax will cause a tracked object to be created in the new tracking process. This tracking information can be displayed using the show track command.


Note Using the command syntax of standby track prior to Cisco IOS Release 12.2(15)T results in the same performance as using the new standby track command syntax.


If you configure HSRP to track an interface, and that interface is physically removed as in the case of an Online Insertion and Removal (OIR) operation, then HSRP regards the interface as always down. You cannot remove the HSRP interface-tracking configuration. To prevent this situation, use the no standby track command before you physically remove the interface.

If an object is already being tracked by an HSRP group, you cannot change the configuration to use the HSRP Group Shutdown feature that disables the HSRP group. You must first remove the tracking configuration using the no standby track command and then reconfigure it using the standby track command with the shutdown keyword.

As of Cisco IOS Release 15.1(3)T, a maximum of 1000 objects can be tracked. Although 1000 tracked objects can be configured, each tracked object uses CPU resources. The amount of available CPU resources on a router is dependent upon variables such as traffic load and how other protocols are configured and run. The ability to use 1000 tracked objects is dependent upon the available CPU. Testing should be conducted on site to ensure that the service works under the specific site traffic conditions.

Examples

In the following example, the tracking process is configured to track the IP-routing capability of serial interface 1/0. HSRP on Ethernet interface 0/0 then registers with the tracking process to be informed of any changes to the IP-routing state of serial interface 1/0. If the IP state on serial interface 1/0 goes down, the priority of the HSRP group is reduced by 10.

If both serial interfaces are operational, Router A will be the HSRP active router because it has the higher priority. However, if IP routing on serial interface 1/0 in Router A fails, the HSRP group priority will be reduced and Router B will take over as the active router, thus maintaining a default virtual gateway service to hosts on the 10.1.0.0 subnet.

Router A Configuration

Router(config)# track 100 interface serial1/0 ip routing
Router(config-track)# exit
Router(config)# interface Ethernet0/0
Router(config-if)# ip address 10.1.0.21 255.255.0.0
Router(config-if)# standby 1 ip 10.1.0.1
Router(config-if)# standby 1 preempt
Router(config-if)# standby 1 priority 105
Router(config-if)# standby 1 track 100 decrement 10

Router B Configuration

Router(config)# track 100 interface serial1/0 ip routing
Router(config-track)# exit
Router(config)# interface Ethernet0/0
Router(config-if)# ip address 10.1.0.22 255.255.0.0
Router(config-if)# standby 1 ip 10.1.0.1
Router(config-if)# standby 1 preempt
Router(config-if)# standby 1 priority 11
Router(config-if)# standby 1 track 100 decrement 10

The following example shows how to change the configuration of a tracked object to include the HSRP Group Shutdown feature:

Router(config-if)# no standby 1 track 101 decrement 10
Router(config-if)# standby 1 track 101 shutdown

Related Commands

Command
Description

show standby

Displays HSRP information.

show track

Displays information about objects that are tracked by the tracking process.

standby preempt

Configures HSRP preemption and preemption delay.

standby priority

Configures Hot Standby priority of potential standby routers.

track interface

Configures an interface to be tracked and enters tracking configuration mode.

track ip route

Tracks the state of an IP route and enters tracking configuration mode.


standby use-bia

To configure the Hot Standby Router Protocol (HSRP) to use the burned-in address of the interface as its virtual MAC address, instead of the preassigned MAC address (on Ethernet and FDDI) or the functional address (on Token Ring), use the standby use-bia command in interface configuration mode. To restore the default virtual MAC address, use the no form of this command.

standby use-bia [scope interface]

no standby use-bia

Syntax Description

scope interface

(Optional) Specifies that this command is configured just for the subinterface on which it was entered, instead of the major interface.


Command Default

HSRP uses the preassigned MAC address on Ethernet and FDDI, or the functional address on Token Ring.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

11.2

This command was introduced.

12.1

The behavior was modified to allow multiple standby groups to be configured for an interface configured with this command.

12.2(14)SX

Support for this command was added for the Cisco 7600 series routers loaded with a Supervisor Engine 720.

12.2(17d)SXB

Support for this command was extended into Cisco IOS Release 12.2(17d)SXBon the Cisco 7600 series routers loaded with a Supervisor Engine 720.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.


Usage Guidelines


Note This command is not supported on Cisco 7600 series routers that are configured with a Policy Feature Card, version 2 (PFC2). The PFC2 supports a maximum of 16 unique HSRP-group numbers. You can use the same HSRP-group numbers in different VLANs. If you configure more than 16 HSRP groups, this restriction prevents use of the VLAN number as the HSRP-group number.


For an interface with this command configured, multiple standby groups can be configured. Hosts on the interface must have a default gateway configured. We recommend that you set the no ip proxy-arp command on the interface. It is desirable to configure the standby use-bia command on a Token Ring interface if there are devices that reject ARP replies with source hardware addresses set to a functional address.

When HSRP runs on a multiple-ring, source-routed bridging environment and the HRSP routers reside on different rings, configuring the standby use-bia command can prevent confusion about the routing information field.

Without the scope interface keywords, the standby use-bia command applies to all subinterfaces on the major interface. The standby use-bia command may not be configured both with and without the scope interface keywords at the same time.


Note Identically numbered HSRP groups use the same virtual MAC address, which might cause errors if you configure bridge groups.


Examples

In the following example, the burned-in address of Token Ring interface 4/0 will be the virtual MAC address mapped to the virtual IP address:

Router(config)# interface token4/0
Router(config-if)# standby use-bia

standby version

To change the version of the Hot Standby Router Protocol (HSRP), use the standby version command in interface configuration mode. To change to the default version, use the no form of this command.

standby version {1 | 2}

no standby version

Syntax Description

1

Specifies HSRP version 1.

2

Specifies HSRP version 2.


Defaults

HSRP version 1 is the default HSRP version.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.4(4)T

Support for IPv6 was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Cisco IOS XE Release 3.1S

This command was integrated into Cisco IOS XE Release 3.1S.


Usage Guidelines

HSRP version 2 addresses limitations of HSRP version 1 by providing an expanded group number range of 0 to 4095.

HSRP version 2 does not interoperate with HSRP version 1. An interface cannot operate both version 1 and version 2 because both versions are mutually exclusive. However, the different versions can be run on different physical interfaces of the same router. The group number range is from 0 to 255 for HSRP version 1 and from 0 to 4095 for HSRP version 2. You cannot change from version 2 to version 1 if you have configured groups above 255. Use the no standby version command to set the HSRP version to the default version, version 1.

If an HSRP version is changed, each group will reinitialize because it now has a new virtual MAC address.

Examples

The following example shows how to configure HSRP version 2 on an interface with a group number of 500:

! 
interface vlan500
 standby version 2
 standby 500 ip 172.20.100.10 
 standby 500 priority 110 
 standby 500 preempt 
 standby 500 timers 5 15

Related Commands

Command
Description

show standby

Displays HSRP information.


start-forwarding-agent

To start the forwarding agent, use the start-forwarding-agent command in CASA-port configuration mode.

start-forwarding-agent port-number [password [seconds]]

Syntax Description

port-number

Port numbers on which the Forwarding Agent will listen for wildcards broadcast from the services manager. This must match the port number defined on the services manager.

password

(Optional) Text password used for generating the MD5 digest.

seconds

(Optional) Duration (in seconds) during which the Forwarding Agent will accept the new and old password. Valid range is from 0 to 3600 seconds. The default is 180 seconds.


Defaults

The default initial number of affinities is 5000.
The default maximum number of affinities is 30,000.

Command Modes

CASA-port configuration (config-casa)

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

The forwarding agent must be started before you can configure any port information for the forwarding agent.

Examples

The following example specifies that the forwarding agent will listen for wildcard and fixed affinities on port 1637:

start-forwarding-agent 1637

Related Commands

Command
Description

forwarding-agent

Specifies the port on which the forwarding agent will listen for wildcard and fixed affinities.


sticky (firewall farm datagram protocol)

To assign all connections from a client to the same firewall, use the sticky command in firewall farm datagram protocol configuration mode. To remove the client/server coupling, use the no form of this command.

sticky seconds[netmask netmask] [source | destination]

no sticky

Syntax Description

seconds

Sticky timer duration in seconds. Valid values range from 0 to 65535.

netmask netmask

(Optional) Places the virtual server as part of a sticky subnet, for coupling of services.

source

(Optional) Bases sticky on source IP address.

destination

(Optional) Bases sticky on destination IP address.


Defaults

Virtual servers are not associated with any groups.

Command Modes

Firewall farm datagram protocol configuration (config-slb-fw-udp)

Command History

Release
Modification

12.1(3a)E

This command was introduced.

12.2(12c)E

The source and destination keywords were added.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Examples

The following example specifies that if a client's subsequent request for a firewall farm is made within 60 seconds of the previous request, then the same firewall is used for the connection:

Router(config)# ip slb firewallfarm FIRE1
Router(config-slb-fw)# protocol datagram
Router(config-slb-fw-udp)# sticky 60

Related Commands

Command
Description

protocol datagram

Enters firewall farm datagram protocol configuration mode.

show ip slb firewallfarm

Displays information about the firewall farm configuration.

show ip slb sticky

Displays information about the IOS SLB database.


sticky (firewall farm TCP protocol)

To assign all connections from a client to the same firewall, use the sticky command in firewall farm TCP protocol configuration mode. To remove the client/server coupling, use the no form of this command.

sticky seconds [netmask netmask] [source | destination]

no sticky

Syntax Description

seconds

Sticky timer duration in seconds. Valid values range from 0 to 65535.

netmask netmask

(Optional) Places the virtual server as part of a sticky subnet, for coupling of services.

source

(Optional) Bases sticky on source IP address.

destination

(Optional) Bases sticky on destination IP address.


Defaults

Virtual servers are not associated with any groups.

Command Modes

Firewall farm TCP protocol configuration (config-slb-fw-tcp)

Command History

Release
Modification

12.1(3a)E

This command was introduced.

12.2(12c)E

The source and destination keywords were added.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Examples

The following example specifies that if a client's subsequent request for a firewall farm is made within 60 seconds of the previous request, then the same firewall is used for the connection:

Router(config)# ip slb firewallfarm FIRE1
Router(config-slb-fw)# protocol tcp
Router(config-slb-fw-tcp)# sticky 60

Related Commands

Command
Description

protocol tcp

Enters firewall farm TCP protocol configuration mode.

show ip slb firewallfarm

Displays information about the firewall farm configuration.

show ip slb sticky

Displays information about the IOS SLB database.


sticky (virtual server)

To assign all connections from a client to the same real server, use the sticky command in SLB virtual server configuration mode. To remove the client/server coupling, use the no form of this command.

sticky {duration [group group-id] [netmask netmask] | asn msid [group group-id] | gtp imsi [group group-id] | radius calling-station-id | radius framed-ip [group group-id] | radius username [msid-cisco] [group group-id]}

no sticky {duration [group group-id] [netmask netmask] | asn msid [group group-id] | gtp imsi [group group-id] | radius calling-station-id | radius framed-ip [group group-id] | radius username [msid-cisco] [group group-id]}

Syntax Description

duration

Sticky timer duration in seconds. Valid values range from 0 to 65535.

group group-id

(Optional) Places the virtual server in the specified sticky group, for coupling of services. All virtual servers that have the same sticky group ID share the sticky entry for a user. In essence, the group keyword and group-id argument tie multiple virtual servers together. Valid values range from 0 to 255.

netmask netmask

(Optional) Places the virtual server as part of the specified sticky subnet, for coupling of services. Client sessions whose source IP addresses fall within the netmask are directed to the same real server.

asn msid

Enables IOS SLB to load-balance Access Service Network (ASN) sessions to the same real server that processed all previous sessions for a given Mobile Station ID (MSID).

gtp imsi

Enables IOS SLB to load-balance general packet radio service (GPRS) Tunneling Protocol (GTP) Packet Data Protocol (PDP) context create requests to the same real server that processed all previous create requests for a given International Mobile Subscriber ID (IMSI).

radius calling-station-id

Enables IOS SLB to create the IOS SLB RADIUS calling-station-ID sticky database and direct RADIUS requests from a given calling station ID to the same service gateway.

radius framed-ip

Enables IOS Server Load Balancing (IOS SLB) to create the IOS SLB RADIUS framed-IP sticky database and direct RADIUS requests and non-RADIUS flows from a given end user to the same service gateway.

radius username

Enables IOS SLB to create the IOS SLB RADIUS username sticky database and direct RADIUS requests from a given end user to the same service gateway.

msid-cisco

(Optional) Enables IOS SLB to support Cisco PDSNs that provide MSID-based access (also known as MSID-based access, Cisco variant).


Defaults

Sticky connections are not tracked.
Virtual servers are not associated with any groups.

Command Modes

SLB virtual server configuration (config-slb-vserver)

Command History

Release
Modification

12.0(7)XE

This command was introduced.

12.1(5)T

This command was integrated into Cisco IOS Release 12.1(5)T.

12.2

This command was integrated into Cisco IOS Release 12.2.

12.1(2)E

The netmask keyword and netmask argument were added.

12.1(11b)E

The radius framed-ip keywords were added.

12.1(12c)E

The radius username and msid-cisco keywords were added.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(14)ZA5

The radius calling-station-id keywords were added.

12.2(18)SXE

The gtp imsi keywords were added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SRE

The asn msid keywords were added.


Usage Guidelines

The last real server that was used for a connection from a client is stored for the set duration seconds. If a new connection from the client to the virtual server is initiated during that time, the same real server that was used for the previous connection is chosen for the new connection. If two virtual servers are placed in the same group, coincident connection requests for those services from the same IP address are handled by the same real server.

In Virtual Private Network (VPN) server load balancing, remember the following requirements:

For IPsec flows, you must specify a sticky connection between the User Datagram Protocol (UDP) virtual server and the Encapsulation Security Payload (ESP) virtual server.

For PPTP flows, you must specify a sticky connection between the TCP virtual server and the Generic Routing Encapsulation (GRE) virtual server.

You must specify a duration of at least 15 seconds.

In general packet radio service (GPRS) load balancing and the Home Agent Director, the sticky command is not supported.

In RADIUS load balancing, remember the following requirements:

If you configure the sticky radius framed-ip command, you must also configure the virtual command with the service radius keywords specified.

If you configure the sticky radius calling-station-id command or the sticky radius username command, you must also configure the virtual command with the service radius keywords specified, and you must configure the sticky radius framed-ip command.

You cannot configure both the sticky radius calling-station-id command and the sticky radius username command on the same virtual server.

If you configure the sticky radius calling-station-id command, you must configure all RADIUS maps to match against the RADIUS calling station ID attribute.

If you configure the sticky radius username command, you must configure all RADIUS maps to match against the RADIUS username attribute.

For GTP load balancing:

IOS SLB creates a sticky database object when it processes the first GTP PDP create request for a given IMSI. IOS SLB removes the sticky object when it receives a notification to do so from the real server, or as a result of inactivity. When the last PDP belonging to an IMSI is deleted on the GGSN, it sends a notification to IOS SLB to remove the sticky object.

If you configure the sticky gtp imsi command, you must also configure the virtual command with the service gtp keywords specified.

For ASN load balancing, if you configure the sticky asn msid command, you must also configure the virtual command with the service asn keywords specified.

Examples

The following example specifies that if a client's subsequent request for a virtual server is made within 60 seconds of the previous request, then the same real server is used for the connection. This example also places the virtual server in group 10.

Router(config)# ip slb vserver VS1
Router(config-slb-vserver)# sticky 60 group 10

Related Commands

Command
Description

show ip slb sticky

Displays information about the IOS SLB database.

show ip slb vservers

Displays information about the virtual servers defined to IOS SLB.

virtual

Configures the virtual server attributes.


synguard (virtual server)

To limit the rate of TCP SYNchronize sequence numbers (SYNs) handled by a virtual server to prevent a SYN flood denial-of-service attack, use the synguard command in SLB virtual server configuration mode. To remove the threshold, use the no form of this command.

synguard syn-count [interval]

no synguard

Syntax Description

syn-count

Number of unacknowledged SYNs that are allowed to be outstanding to a virtual server. Valid values range from 0 (off) to 4294967295. The default is 0.

interval

(Optional) Interval, in milliseconds, for SYN threshold monitoring. Valid values range from 50 to 5000. The default is 100 milliseconds (ms).


Defaults

The default number of unacknowledged SYNs that are allowed to be outstanding to a virtual server is 0 (off).
The default interval is 100 ms.

Command Modes

SLB virtual server configuration (config-slb-vserver)

Command History

Release
Modification

12.0(7)XE

This command was introduced.

12.1(5)T

This command was integrated into Cisco IOS Release 12.1(5)T.

12.2

This command was integrated into Cisco IOS Release 12.2.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

In general packet radio service (GPRS) load balancing and the Home Agent Director, the synguard command has no meaning and is not supported.

Examples

The following example sets the threshold of unacknowledged SYNs to 50:

Router(config)# ip slb vserver PUBLIC_HTTP
Router(config-slb-vserver)# synguard 50

Related Commands

Command
Description

show ip slb vservers

Displays information about the virtual servers defined to IOS SLB.

virtual

Configures the virtual server attributes.