Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco IOS Software Releases 12.1 T

HSRP Support for ICMP Redirects

Downloads

Table Of Contents

HSRP Support for ICMP Redirects

Feature Overview

Redirects to Active HSRP Routers

Redirects to Passive HSRP Routers

Redirects to Non-HSRP Routers

Passive HSRP Router Advertisements

Redirects Not Sent

Benefits

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

Configuration Tasks

Verifying the State of HSRP Groups

Monitoring and Maintaining ICMP Redirects

Configuration Examples

Command Reference

show standby

standby redirects

Debug Commands

debug standby events icmp

Glossary


HSRP Support for ICMP Redirects

This feature module describes the HSRP Support for ICMP Redirects feature. The document includes the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Configuration Tasks

Monitoring and Maintaining ICMP Redirects

Configuration Examples

Command Reference

Debug Commands

Glossary

Feature Overview

This feature enables Internet Control Message Protocol (ICMP) redirection on interfaces configured with the Hot Standby Router Protocol (HSRP).

HSRP provides network redundancy in a way that ensures that user traffic will immediately and transparently recover from "first hop" failures in network edge devices. By sharing an IP address and a MAC (Layer 2) address, two or more routers can act as a single "virtual router" to the hosts on a LAN. The HSRP group may consist of an active router, a standby router to replace the active router should it fail, and one or more listening routers. The active and standby routers periodically exchange status messages in order to detect when a router goes down. The address of this HSRP group is referred to as the "virtual IP address."

ICMP is a network layer Internet protocol that provides message packets to report errors and other information relevant to IP processing. ICMP provides many diagnostic functions and can send and redirect error packets to hosts.

When running HSRP, it is important to prevent hosts from discovering the interface (or real) MAC addresses of routers in the HSRP group. If a host is redirected by ICMP to the real MAC address of a router, and that router later fails, then packets from the host will be lost. Previously, ICMP redirect messages were automatically disabled on interfaces configured with HSRP.

The HSRP Support for ICMP Redirects feature now enables ICMP redirects on interfaces configured with HSRP. This functionality works by filtering outgoing ICMP redirect messages through HSRP, where the next hop IP address may be changed to an HSRP virtual IP address.

Redirects to Active HSRP Routers

The next hop IP address is compared to the list of active HSRP routers on that network; if a match is found, then the real next-hop IP address is replaced with a corresponding virtual IP address and the redirect message is allowed to continue.

If no match is found, then the ICMP redirect message is sent only if the router corresponding to the new next hop IP address is not running HSRP. Redirects to passive HSRP routers are not allowed (a passive HSRP router is a router running HSRP, but which contains no active HSRP groups on the interface).

For optimal operation, every router in a network that is running HSRP should contain at least one active HSRP group on an interface to that network. Every HSRP router need not be a member of the same group. Each HSRP router will snoop on all HSRP packets on the network to maintain a list of active routers (virtual IP addresses versus real IP addresses).

Consider the network shown in Figure 1, which supports the HSRP ICMP redirection filter.

Figure 1 Network Supporting the HSRP ICMP Redirection Filter

If the host wants to send a packet to another host on Net D, then it first sends it to its default gateway, the virtual IP address of HSRP group 1.

Packet from host: 

   dest MAC         = HSRP group 1 virtual MAC

   source MAC       = Host MAC

   dest IP          = host-on-netD IP

   source IP        = Host IP

Router R1 receives this packet and determines that router R4 can provide a better path to Net D, so it prepares to send a redirect message that will redirect the host to the real IP address of router R4 (because only real IP addresses are in its routing table):

Initial ICMP redirect message: 

   dest MAC         = Host MAC

   source MAC       = router R1 MAC

   dest IP          = Host IP

   source IP        = router R1 IP

   gateway to use   = router R4 IP

Before this redirect occurs, the HSRP process of router R1 determines that router R4 is the active HSRP router for group 3, so it changes the next hop in the redirect message from the real IP address of router R4 to the virtual IP address of group 3.

Furthermore, it determines from the destination MAC address of the packet that triggered the redirect message that the host used the virtual IP address of group 1 as its gateway, so it changes the source IP address of the redirect message to the virtual IP address of group 1.

The modified ICMP redirect message showing the two modified fields (*) is as follows: 

   dest MAC         = Host MAC

   source MAC       = router R1 MAC

   dest IP          = Host IP

   source IP*       = HSRP group 1 virtual IP

   gateway to use*  = HSRP group 3 virtual IP

This second modification is necessary because hosts compare the source IP address of the ICMP redirect message with their default gateway. If these addresses do not match, the ICMP redirect message is ignored. The routing table of the host now consists of the default gateway, virtual IP address of group 1, and a route to Net D through the virtual IP address of group 3.

Redirects to Passive HSRP Routers

Redirects to passive HSRP routers are not permitted. Redundancy may be lost if hosts learn the real IP addresses of HSRP routers.

In the previous example, redirects to router R8 are not allowed because R8 is a passive HSRP router. In this case, packets from the host to Net D will first go to router R1 and then be forwarded to router R4, that is, they will traverse the network twice.

A network configuration with passive HSRP routers is considered a misconfiguration. For HSRP ICMP redirection to operate optimally, every router on the network that is running HSRP should contain at least one active HSRP group.

Redirects to Non-HSRP Routers

Redirects to routers not running HSRP on their local interface are permitted. No redundancy is lost if hosts learn the real IP address of non-HSRP routers.

In the example, redirection to router R7 is allowed because R7 is not running HSRP. In this case, the next hop IP address is unchanged. The source IP address is changed dependent upon the destination MAC address of the original packet.

Passive HSRP Router Advertisements

Passive HSRP routers send out HSRP advertisement messages both periodically, and when entering or leaving the passive state. Thus, all HSRP routers can determine the HSRP group state of any HSRP router on the network. These advertisements inform other HSRP routers on the network of the HSRP interface state:

Dormant—interface has no HSRP groups, single advertisements sent once when last group is removed

Passive—interface has at least one non-active group and no active groups, advertisements sent out periodically

Active—interface has at least one active group, single advertisement sent out when first group becomes active

Redirects Not Sent

If the HSRP router cannot uniquely determine the IP address used by the host when it sent the packet that caused the redirect, the redirect message will not be sent. The router uses the destination MAC address in the original packet to make this determination. In certain configurations, such as the use of the standby use-bia command specified on an interface, redirects cannot be sent. In this case, the HSRP groups use the interface MAC address as their virtual MAC address. The router now cannot determine if the default gateway of the host is the real IP address or one of the HSRP virtual IP addresses that are active on the interface.

The following is sample output from the debug standby events icmp command if HSRP could not uniquely determine the gateway used by the host: 

10:43:08: SB: ICMP redirect not sent to 20.0.0.4 for dest 30.0.0.2

10:43:08: SB: could not uniquely determine IP address for mac 00d0.bbd3.bc22

Benefits

The HSRP Support for ICMP Redirects feature ensures that the optimal routing path is used with a fault-tolerant HSRP group.

Related Documents

Cisco IOS IP and IP Routing Configuration Guide, Release 12.1

Cisco IOS IP and IP Routing Command Reference, Release 12.1

Supported Platforms

Cisco Catalyst 5000 family switches with an installed Route Switch Module

Cisco 1700 series

Cisco 2600 series

Cisco 4700 family routers

Cisco 7100 series

Cisco 7200 series

Cisco 7500 series

Cisco 12000 series

Supported Standards, MIBs, and RFCs

Standards

No new or modified standards are supported by this feature.

MIBs

No new or modified standards are supported by this feature. For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

RFCs

RFC 792, Internet Control Message Protocol

RFC 2281, Cisco Hot Standby Router Protocol

Configuration Tasks

None.

Verifying the State of HSRP Groups

Step 1 Enter the show standby [type number [group]] [active | init | listen | standby] [brief] EXEC command

Step 2 Examine the state of your HSRP groups.

Monitoring and Maintaining ICMP Redirects

Command
Purpose

Router# debug standby events icmp

Displays debug messages for HSRP-filtered ICMP redirect messages.

Router# debug ip icmp

Displays information on ICMP transactions.


Configuration Examples

The following is a configuration example for two HSRP groups that allow the filtering of ICMP redirect messages:

Router A - Active for group 1 and Standby for group 2 

interface Ethernet1

  ip address 1.0.0.10 255.0.0.0

  standby redirects

  standby 1 priority 120 

  standby 1 preempt delay 20

  standby 1 ip 1.0.0.1

  standby 2 priority 100 

  standby 2 preempt delay 20

  standby 2 ip 1.0.0.2

Router B - Standby for group 1 and Active for group 2 

interface Ethernet1

  ip address 1.0.0.11 255.0.0.0

  standby redirects

  standby 1 priority 100 

  standby 1 preempt delay 20

  standby 1 ip 1.0.0.1

  standby 2 priority 120 

  standby 2 preempt delay 20

  standby 2 ip 1.0.0.2

Command Reference

This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS IP and IP Routing Command Reference, Release 12.1.

show standby

standby redirects

show standby

To display Hot Standby Router Protocol (HSRP) information, use the show standby privileged EXEC command.

show standby [type number [group]] [active | init | listen | standby] [brief]

Syntax Description

type number

(Optional) Interface type and number for which output is displayed.

group

(Optional) Group number on the interface for which output is displayed.

active

(Optional) Displays HSRP groups in active state.

init

(Optional) Displays HSRP groups in initial state.

listen

(Optional) Displays HSRP groups in listen or learn state.

standby

(Optional) Displays HSRP groups in standby or speak state.

brief

(Optional) A single line of output summarizes each standby group.


Command Modes

Privileged EXEC

Command History

Release
Modification

10.0

This command was introduced.

12.1(3)T

The following keywords were added:

active

init

listen

standby


Usage Guidelines

If you want to specify a group, you must also specify an interface type and number.

Examples

The following is sample output from the show standby command with a specific interface and the brief and init keywords: 

Router# show standby ethernet0 init brief


Interface   Grp Prio P State    Active addr     Standby addr    Group addr     

Et0         0   120    Init     20.0.0.1        unknown         20.0.0.12


Table 1 describes the significant fields in the display.

Table 1 show standby Field Descriptions 

Field
Description

Interface

Interface type and number for the interface.

Grp

Hot standby group number for the interface.

prio

Priority value of the router based on the standby priority command.

State

State of local router; can be one of the following:

Active—Current Hot Standby router

Standby—Router next in line to be the Hot Standby router

Speak—Router is sending packets to claim the active or standby role.

Init—Router is not yet ready to participate in HSRP, possibly because the associated interface is not up. HSRP groups configured in other routers on the network that are learned via snooping are displayed as being in the Init state. In these cases, an IP address is displayed in the "Active addr" field. Locally configured groups with an interface that is down or groups without a specified interface IP address appear in the Init state. For these cases, the Active addr and Standby addr will show "unknown."

Listen—Router is in neither active nor standby state, but if no messages are received from the active or standby router, it will start to speak.

Learn—Router is in neither active nor standby state, nor does it have enough information to attempt to claim the active or standby roles.

may preempt
(indicated by P in the brief output)

Indicates that the router will attempt to assume control as the active router if its priority is greater than the current active router.

Active addr

Value can be "local," "unknown," or an IP address. Address of the current active hot standby router.

Standby addr

Value can be "local," "unknown," or an IP address. Address of the "standby" router (the router that is next in line to be the hot standby router).

Group addr

Virtual IP address of the HSRP group.


Related Commands

Command
Description

standby authentication

Configures an authentication string for the HSRP.

standby ip

Activates the HSRP.

standby mac-address

Specifies the virtual MAC address for the virtual router.

standby mac-refresh

Refreshes the MAC cache on the switch by periodically sending packets from the virtual MAC address.

standby name

Configures a name string for the HSRP group. This is used by IP redundancy clients.

standby preempt

Configures HSRP preemption and preemption delay.

standby priority

Configures HSRP priority.

standby timers

Configures the time between hello messages and the time before other routers declare the active router or standby router to be down.

standby track

Configures an interface so that the HSRP priority changes based on the availability of other interfaces.

standby use-bia

Configures HSRP to use the burned-in address of the interface as its virtual MAC address, instead of the preassigned MAC address (on Ethernet and FDDI) or the functional address (on Token Ring).


standby redirects

To enable Internet Control Message Protocol (ICMP) redirect messages to be sent when the Hot Standby Router Protocol (HSRP) is configured on an interface, use the standby redirects interface configuration command. To disable the standby redirect filter, use the no form of this command.

standby redirects [enable | disable]

no standby redirects

Syntax Description

enable

Allows the filtering of ICMP redirect messages on interfaces configured with HSRP, where the next hop IP address may be changed to an HSRP virtual IP address.

disable

Disables the filtering of ICMP redirect messages on interfaces configured with HSRP.


Defaults

HSRP ICMP redirects are enabled by default.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(3)T

This command was introduced.


Usage Guidelines

The standby redirects command can be configured globally or on a per-interface basis. When HSRP is first configured on an interface, the setting for that interface will inherit the global value. If ICMP redirects have been explicitly disabled on an interface, then the global command cannot reenable the functionality.

The no standby redirects command is the same as the standby redirects disable command. However, it is not desirable to save the no form of this command to NVRAM. Because the command is enabled by default, it is preferable to use the standby redirects disable command to disable the functionality.

Examples

The following example allows HSRP to filter redirect messages on interface Ethernet 0: 

interface ethernet 0

 ip address 20.0.0.1 255.0.0.0

 standby redirects

 standby 1 ip 20.0.0.11

Related Commands

Command
Description

show standby

Displays the HSRP information.


Debug Commands

This section documents the new debug standby events icmp command related to the HSRP Support for ICMP Redirects feature.

debug standby events icmp

To display debug messages for the Hot Standby Router Protocol (HSRP) Internet Control Message Protocol (ICMP) redirects filter, use the debug standby events icmp privileged EXEC command. To disable debugging output, use the no form of this command.

debug standby events icmp

no debug standby events icmp

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(3)T

This command was introduced.


Usage Guidelines

This command helps you determine whether HSRP is filtering an outgoing ICMP redirect message.

Examples

The following is sample output from the debug standby events icmp command: 

Router# debug standby events icmp

10:35:20: SB: changing ICMP redirect sent to 20.0.0.4 for dest 30.0.0.2

10:35:20: SB:   gw 20.0.0.2 -> 20.0.0.12, src 20.0.0.11

10:35:20: SB: Use HSRP virtual address 20.0.0.11 as ICMP src

If the router being redirected to is passive (HSRP enabled but no active groups), the following debug message is displayed: 

10:41:22: SB: ICMP redirect not sent to 20.0.0.4 for dest 40.0.0.3

10:41:22: SB:  20.0.0.3 does not contain an active HSRP group

If HSRP could not uniquely determine the gateway used by the host, then the following message is displayed: 

10:43:08: SB: ICMP redirect not sent to 20.0.0.4 for dest 30.0.0.2

10:43:08: SB: could not uniquely determine IP address for mac 00d0.bbd3.bc22

The following messages are also displayed if debug ip icmp is enabled, in which case the message prefix is changed: 

10:39:09: ICMP: HSRP changing redirect sent to 20.0.0.4 for dest 30.0.0.2

10:39:09: ICMP:   gw 20.0.0.2 -> 20.0.0.12, src 20.0.0.11

10:39:09: ICMP: Use HSRP virtual address 20.0.0.11 as ICMP src

10:39:09: ICMP: redirect sent to 20.0.0.4 for dest 30.0.0.2, use gw 20.0.0.12




Related Commands

Command
Description

debug ip icmp

Displays information on ICMP transactions.


Glossary

HSRP—Hot Standby Router Protocol. Protocol used among a group of routers for selecting an active router and a standby router. (An active router is the router of choice for routing packets; a standby router is a router that takes over the routing duties when an active router fails, or when preset conditions are met.)

HSRP group—A set of routers using HSRP that act as a single "virtual" router to the hosts on the LAN.

ICMP—Internet Control Message Protocol. A network-layer Internet protocol that provides message packets to report errors and other information relevant to IP packet processing. ICMP provides many diagnostic functions and can send error packets to hosts.

virtual ip address—The address of the HSRP group.