Solved: HSRP Groups with multiple IP Addresses

haidar_alm · ‎06-26-2012

Hello,

Would using the same group number on multiple vlan interfaces in HSRP configuration have any negative effects on the configuration?

I did some reading on this in here and some engineers stated that this shouldn't cause any issues even though the group numbering plays a major factor in deciding the MAC address of the Active Virtual IP address?

And what happens if you have 3rd party equipment on your network, and what will be the behaviour of the issues that you'll be having? Would it be constant state changes in HSRP?

Many thanks,

H

John Blakley · ‎06-26-2012

It doesn't look like it causes an issue in this configuration. I labbed this up really quick, and looked at the arp table:

Internet 192.168.1.1 - 0000.0c07.ac01 ARPA FastEthernet0/0

Internet 192.168.1.3 - c400.2f46.0000 ARPA FastEthernet0/0

Internet 192.168.2.1 - 0000.0c07.ac01 ARPA FastEthernet0/1

Obviously, the 2 mac addresses are the same because they're both in group 1 but they're on different interfaces. There is apparently a hash table that gets created although I'm not sure it can be seen:

Fa0/1 Added 192.168.2.1 to hash table

This may be the way that it helps keep the 2 "same group / different virtuals" separate.

HTH,

John

HTH, John *** Please rate all useful posts ***

View solution in original post

John Blakley · ‎06-26-2012

H,

3rd party equipment wouldn't support hsrp since it's Cisco proprietary. As far as groups are concerned, the standby groups need to be different for each virtual address that you have. The mac address is created with a well known address of 0000.0c07.acxx (xx is the group number in hex). Your groups are what defines your configurations. For example, if you wanted 2 virtual addresses you could do:

standby 1 ip 192.168.1.1

standby 1 preempt

standby 1 priority 105

standby 2 ip 192.168.2.1

standby 2 preempt

On the other router, you could do the opposite and get a load balancing effect:

standby 1 ip 192.168.1.1

standby 1 preempt

standby 2 ip 192.168.2.1

standby 2 preempt

standby 2 priority 105

So, the groups help the routers not only know what mac address to assign, but you assign your options to the group in question. If you only have 1 group between 2 routers, then by all means you would continue to use the same group number in order to identify that all of the options belong to the same group. Another reason for using the same group between 2 routers is to help identify that they are part of the same HSRP group. If you have standby 1 on Router A and standby 2 on Router B, then both routers are going to become active for their particular group. I could see this becoming a problem, especially if you have the same virtual IP attached to different groups. HSRP packets are multicast to 224.0.0.2 for version 1 which is the default. So when an hsrp router comes up, it will multicast it's group number, priority, and virtual address waiting for hellos from other members of the hsrp group. If it hears any other hellos, they then compare packets to see who has the higher priority and if the other router is preempting or not.

In short, the groups do much more than just assign a mac address but they obviously do play a part in it. They're primarily for use with helping the router determine if they're part of the same group. Also, and last but not least, you can only have 1 primary virtual IP assigned to a particular group just like a physical interface. You can assign secondaries, but this again forces you to use different groups for different primary virtual IPs.

HTH,

John

HTH, John *** Please rate all useful posts ***

haidar_alm · ‎06-26-2012

Hi John,

Many thanks for your reply.

We have the following config on the same router:

interface Vlan332

ip address x.x.67.2 255.255.255.240

standby 33 ip x.x.67.1

standby 33 priority 120

standby 33 preempt

end

interface Vlan333

ip address x.x.60.4 255.255.255.128

standby 33 ip x.x.60.1

standby 33 priority 120

standby 33 preempt

end

Obviousley the second router is configured with a different IP interface address and a different a priority, but same groups and standby IP address.

Would this cause an issue because this has been configured and working for more than 5 years without any issues. Only now that I'm studying for my certification I have identified this.

Also, when I said 3rd party devices i meant it as in them connecting to the Vlans that share the same Virtual Mac addresses and not as in configuring HSRP on 3rd party devices.

many thanks for your reply and patiance with me.

KR

H

John Blakley · ‎06-26-2012

It doesn't look like it causes an issue in this configuration. I labbed this up really quick, and looked at the arp table:

Internet 192.168.1.1 - 0000.0c07.ac01 ARPA FastEthernet0/0

Internet 192.168.1.3 - c400.2f46.0000 ARPA FastEthernet0/0

Internet 192.168.2.1 - 0000.0c07.ac01 ARPA FastEthernet0/1

Obviously, the 2 mac addresses are the same because they're both in group 1 but they're on different interfaces. There is apparently a hash table that gets created although I'm not sure it can be seen:

Fa0/1 Added 192.168.2.1 to hash table

This may be the way that it helps keep the 2 "same group / different virtuals" separate.

HTH,

John

HTH, John *** Please rate all useful posts ***

haidar_alm · ‎06-26-2012

Many thanks again, what if the 3rd party device (Internet) is accessing 192.168.1.1, and 192.168.2.1 through the same interface?

KR

H

John Blakley · ‎06-26-2012

I'm not sure I understand this question. If you're referring to the public addresses that are on your vlans, the traffic from the outside should work fine. ARP only works on the local lan. Any hosts that are coming into your vlan from the Internet perspective are being routed and won't have an arp entry in their table, so theoretically I wouldn't think this would affect their connection at all. Now as far as local lan hosts are concerned, they'd arp for their default gateway which would be the vIP that you've configured for the standby address. Each host would have an arp entry for their default gateway with the same mac of 0000.0c07.ac01. Is that what you mean?

Sorry if I misunderstood your question...

HTH, John *** Please rate all useful posts ***

haidar_alm · ‎06-26-2012

Yes. I just cannot understand how can this not be an issue when we have two different IPs with the same MAC on the network!

What will happen for example if a pc is trying to access 192.168.1.1 which is the active virtual HSRP address in group 1, and then treis to access 192.168.2.1 which again is the active virtual HSRP address in group 1 for a different Vlan?

Different IPs but the same MAC adress table. Will it constantly try to update its ARP and Mac address tables then, or would it complain?

Really sorry if i cannot explain myelf correctly!