Explains HSRP concepts, including topology operation, protocol benefits, and supported device information, to establish foundational understanding and practical application.
Hot Standby Router Protocol (HSRP) is a First Hop Redundancy Protocol (FHRP) that allows transparent failover of the first-hop IP device and provides high network availability. HSRP offers first-hop routing redundancy for IP hosts on networks configured with a default-gateway IP address. It identifies active and standby devices, supports multiple groups for load sharing, and uses virtual addresses for gateway redundancy. HSRP includes version 2 enhancements for stability and management, provides MD5 authentication for security, and enables dynamic-priority changes through object tracking.
HSRP version 2 support
Following are the HSRP version 2 (HSRPv2) features:
-
HSRPv2 advertises and learns millisecond timer values. This change ensures stability of the HSRP groups in all cases.
-
HSRPv2 expands the group number range from 0 to 4095.
-
HSRPv2 provides improved management and troubleshooting. The HSRPv2 packet format includes a 6-byte identifier. This field is typically populated with the interface MAC address.
-
HSRPv2 uses the IP multicast address 224.0.0.102 to send hello packets. This multicast address allows Cisco Group Management Protocol (CGMP) leave processing to be enabled concurrently with HSRP.
-
HSRPv2 has a different packet format that uses a type–length–value (TLV) format.
HSRP MD5 authentication
HSRP supports two authentication schemes for protocol packets: simple plain-text strings and Message Digest 5 (MD5). HSRP MD5 authentication is an advanced authentication method that generates a Message Digest 5 (MD5) digest for the HSRP portion of the multicast HSRP protocol packet. This functionality provides added security and protects against the threat from HSRP-spoofing software.
MD5 authentication provides greater security than plain text authentication. MD5 authentication allows each HSRP group member to use a secret key to generate a keyed MD5 hash, which is part of the outgoing packet. A keyed hash of an incoming packet is generated; if the hash in the incoming packet does not match the generated hash, the packet is ignored.
You can provide the MD5 hash key directly in the configuration using a key string or supply it indirectly through a key chain.
HSRP packets will be rejected if one or more of the following conditions occur:
-
Authentication schemes differ on the device and in the incoming packets.
-
MD5 digests differ on the device and in the incoming packets.
-
Text authentication strings differ on the device and in the incoming packets.
HSRP object tracking
Object tracking separates the tracking mechanism from HSRP and creates a stand-alone tracking process. Other processes and HSRP can use this tracking process. The priority of a device can change dynamically when it has been configured for object tracking, and the object that is being tracked goes down. Examples of objects that can be tracked are the line protocol state of an interface or the reachability of an IP route. If the specified object goes down, the HSRP priority is reduced.