Is HSRP Resilient?
Hot Standby Router Protocol (HSRP) frequently provides high availability in an access
network where hosts rely only on a static default route. This chapter explains HSRP's
vulnerabilities. Also, this chapter describes mitigation techniques to make HSRP a real
high-availability solution instead of a denial of service (DoS) target.
HSRP Mechanics
HSRP's role is to make a group of Layer 2 adjacent routers appear as a single virtual router.
One physical router, known as the active router, actually works and forwards IP packets.
The other physical routers, known as standby routers, basically do nothing but keep the
HSRP states. When the active router fails, a standby router automatically takes over the
active role; that is, it starts forwarding the hosts' packets.
NOTE HSRP is not a routing protocol. Its main application is for hosts that rely on a static default
route (for example, learned by DHCP).
Each physical router has its own MAC and IP addresses, but it additionally shares one MAC and
one IP address for the virtual router. Figure 9-1 depicts such a topology where the HSRP
group consists of two routers.
In Figure 9-1, the different IP addresses are as follows:
• 192.168.0.7. IP address of interface FastEthernet 0/0 of physical router A.
• 192.168.0.9. IP address of interface FastEthernet 0/0 of physical router B.
• 192.168.0.8. IP address of the interface of the virtual router. This is the shared IP
address.
146 Chapter 9: Is HSRP Resilient?
Figure 9-1 Typical HSRP Topology
An additional IP multicast address is used as the destination of all HSRP messages. In
version 1 of HSRP, this multicast address was 224.0.0.2 (all routers in the LAN) and, in
version 2, it is 224.0.0.102 (all HSRP routers in the LAN). These two addresses are within
the link-local range 224.0.0.0/24 of multicast addresses.
Link-Local Scope
By definition, all group addresses in the link-local range are valid only within a link; that
is, within the LAN. Packets destined to such a link-local address are never routed outside
the LAN. This also means that no attacker can ever send a forged HSRP packet to a target
on a remote LAN because all routers in the path simply drop this packet.
The Time to Live (TTL) field of all HSRP messages is set to 1, so they are never forwarded
outside of the local Ethernet segment.
NOTE The fact that routers send HSRP with a TTL of 1 does not prevent a remote attacker from sending
HSRP with a TTL higher than 1. But the IP group multicast address has only a link-local
scope, so an attacker's HSRP packets addressed to the HSRP group address will never reach
the target.
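The two containment mechanisms just described (link-local multicast scope and TTL 1) can be modelled as the forwarding decision each router in a path makes. The following Python is an added example, not code from the book; the function names and the hop-by-hop walk are assumptions made for illustration, and the addresses are the ones the chapter lists.

```python
import ipaddress

# Values from the chapter: the link-local multicast block and the HSRP group addresses.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")
HSRP_GROUP_ADDRS = {
    ipaddress.ip_address("224.0.0.2"),    # HSRP version 1
    ipaddress.ip_address("224.0.0.102"),  # HSRP version 2
}


def is_link_local_multicast(dst: str) -> bool:
    """True if the destination lies in 224.0.0.0/24 (valid only on one link)."""
    return ipaddress.ip_address(dst) in LINK_LOCAL_MCAST


def router_forwards(dst: str, ttl: int) -> bool:
    """Decision a router in the path makes for a packet it receives:
    True means it is forwarded towards the next hop, False means it is dropped."""
    if is_link_local_multicast(dst):
        return False  # never routed off the link, regardless of the TTL value
    if ttl <= 1:
        return False  # TTL would expire on this hop
    return True


def reaches_remote_lan(dst: str, ttl: int, hops: int) -> bool:
    """Walk a packet through `hops` routers, decrementing TTL at each one.
    Returns True only if every router along the path forwards it."""
    for _ in range(hops):
        if not router_forwards(dst, ttl):
            return False
        ttl -= 1
    return True


if __name__ == "__main__":
    # Constructed scenarios: an HSRP hello with a large TTL still never crosses a router,
    # while ordinary unicast traffic with the same TTL does.
    print("HSRP v1 group address, TTL 64, 3 hops:",
          reaches_remote_lan("224.0.0.2", 64, 3))       # False
    print("HSRP v2 group address, TTL 255, 1 hop:",
          reaches_remote_lan("224.0.0.102", 255, 1))    # False
    print("Unicast to the virtual IP, TTL 64, 3 hops:",
          reaches_remote_lan("192.168.0.8", 64, 3))     # True
    print("Unicast with TTL 1, 1 hop:",
          reaches_remote_lan("192.168.0.8", 1, 1))      # False
```

The walk shows why the note above holds: raising the TTL changes nothing for packets addressed to the group address, because the first router drops them on scope alone, not on TTL.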
[Figure 9-1 contents: normal hosts with a default route to 192.168.0.8; Router A (IP 192.168.0.7, MAC from hardware); Virtual Router (IP 192.168.0.8, MAC 0000.0C07.AC01); Router B (IP 192.168.0.9, MAC from hardware); Router A and Router B form the HSRP group.]
In Figure 9-1, three different MAC addresses are used:
• Real MAC address of physical router A
• Real MAC address of physical router B
• MAC address of the virtual router (in this specific configuration, 0000.0C07.AC01)
NOTE The virtual MAC address is always in this form:
• 0000.0C07.ACxx for HSRP version 1
• 0000.0C9F.Fxxx for HSRP version 2 for IPv4
• 0005.73A0.0xxx for HSRP version 2 for IPv6
The xx (or xxx) digits are the HSRP group number. The group number is required to avoid MAC address conflicts
when multiple HSRP virtual routers exist on the same LAN or when a router participates
in multiple HSRP groups (for example, when it has multiple VLAN interfaces and acts as
HSRP router in all VLANs).
All hosts and routers not participating in the HSRP pair never use the physical IP or MAC
addresses of routers A and B. Instead, all Layer 2–adjacent hosts and routers use the virtual
IP address and virtual MAC address. Because only the active router is sending the HSRP
message by using the virtual MAC address, all switches have a content-addressable
memory (CAM) entry for this MAC address already in place.
As soon as a standby router becomes active, it sends HSRP messages with the virtual MAC
address as its source; therefore, all switches can immediately update their CAM tables.
NOTE The Address Resolution Protocol (ARP) tables of the hosts do not need to change because
neither the IP address nor the MAC address of the router has changed. They are still the
virtual IP address and MAC address. The difference when the standby router takes over is
noticeable only by the switch: It sees the virtual MAC address on the port of the new active
router. (This learning is then reflected in its CAM table.)
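Because the virtual MAC address has the fixed forms listed in the note above, a switch's CAM table is a convenient place to see which port currently carries the active router for each group. The following Python is an added example, not code from the book; it derives and decodes virtual MAC addresses for the three formats and then scans a constructed `show mac address-table` style listing (the format and the port names are assumptions) to report where each HSRP group's virtual MAC was learned and whether that matches the port an operator expects.

```python
import re

# Prefixes from the chapter. Version 1 carries the group in one byte (0-255);
# version 2 carries it in twelve bits (0-4095).
V1_PREFIX = "00000c07ac"
V2_IPV4_PREFIX = "00000c9ff"
V2_IPV6_PREFIX = "000573a00"


def hsrp_virtual_mac(version: int, group: int, ipv6: bool = False) -> str:
    """Build the virtual MAC (Cisco dotted form) for a given HSRP version and group."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRP v1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRP v2 group must be 0-4095")
        return f"0005.73a0.{group:04x}" if ipv6 else f"0000.0c9f.f{group:03x}"
    raise ValueError("unknown HSRP version")


def decode_virtual_mac(mac: str):
    """Return (version, family, group) if `mac` is an HSRP virtual MAC, else None.
    Accepts dotted, colon or hyphen separated notation in any case."""
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(h) != 12:
        return None
    if h.startswith(V1_PREFIX):
        return (1, "ipv4", int(h[len(V1_PREFIX):], 16))
    if h.startswith(V2_IPV4_PREFIX):
        return (2, "ipv4", int(h[len(V2_IPV4_PREFIX):], 16))
    if h.startswith(V2_IPV6_PREFIX):
        return (2, "ipv6", int(h[len(V2_IPV6_PREFIX):], 16))
    return None


# Constructed CAM table listing; the layout mimics a typical switch output but is
# sample data, not captured from real equipment.
SAMPLE_CAM = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac01    DYNAMIC     Gi1/0/1
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0000.0c9f.f00a    DYNAMIC     Gi1/0/2
  10    6677.8899.aabb    DYNAMIC     Gi1/0/24
"""

CAM_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


def find_virtual_macs(cam_text: str) -> list:
    """Return one dict per CAM entry whose MAC is an HSRP virtual MAC."""
    found = []
    for line in cam_text.splitlines():
        m = CAM_LINE.match(line)
        if not m:
            continue
        decoded = decode_virtual_mac(m.group(2))
        if decoded is None:
            continue
        version, family, group = decoded
        found.append({"vlan": int(m.group(1)), "mac": m.group(2).lower(),
                      "port": m.group(3), "version": version,
                      "family": family, "group": group})
    return found


def unexpected_active_ports(entries: list, expected: dict) -> list:
    """Compare learned ports with the operator's expectation keyed by (vlan, group).
    A mismatch means the virtual MAC is now seen behind another port, which is what
    the switch observes after a failover and is worth correlating with router logs."""
    return [e for e in entries
            if expected.get((e["vlan"], e["group"])) not in (None, e["port"])]


if __name__ == "__main__":
    entries = find_virtual_macs(SAMPLE_CAM)
    for e in entries:
        print(f"VLAN {e['vlan']} group {e['group']} (v{e['version']} {e['family']}) "
              f"active behind {e['port']}")
    expected = {(10, 1): "Gi1/0/1", (10, 10): "Gi1/0/3"}
    for e in unexpected_active_ports(entries, expected):
        print(f"group {e['group']} expected on {expected[(e['vlan'], e['group'])]}, "
              f"seen on {e['port']}")
```

Running the scan periodically and diffing the learned port per group gives a simple, switch-side indicator of the takeover the note describes; the hosts' ARP caches show nothing, but the CAM table does.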
Digging into HSRP
This section provides detailed information on HSRP (as described in RFC 2281 and
extensions implemented by Cisco). HSRP is quite simple. Routers participating in
HSRP exchange HSRP messages to discover each other, to elect the active router, and to
check the active router's health. A standby router becomes active when
• It receives no more HSRP hello messages from the active router.
• The active router explicitly wants to become standby. (For example, it just lost its
WAN connectivity.)
There is the possibility for a standby router to immediately take over the role of the active
router. The HSRP message indicates this coup.
HSRP runs on top of User Datagram Protocol (UDP) on port number 1985 for IPv4 and on
port 2029 for IPv6. Packets are sent to multicast address 224.0.0.2 or 224.0.0.102 with TTL
1. Routers use their real IP address as the source address for protocol packets, not the
virtual IP address. This is so that the HSRP routers can identify each other. Standby routers
use their own MAC addresses as source MAC, while the active router uses the virtual MAC
address. Figure 9-2 shows the HSRP packet format.
Figure 9-2 HSRP Version 1 Packet Format
The Authentication Data field is used for authentication. In RFC 2281, authentication is
simply a password sent in the clear. The default password is 63 69 73 63 6F 00 00 00. (This
spells cisco with three trailing 0s.)
The Priority field elects the active and standby routers. When comparing the priorities of
two different routers, the router with the numerically higher priority wins. In the case of
routers with equal priority, the router with the higher IP address wins.
[Figure 9-2 fields, in order: Version, Op code, State, Hellotime, Holdtime, Priority, Group, Reserved, Authentication Data (8 bytes, shown as two words), Virtual IP Address.]
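The packet layout in Figure 9-2, the clear-text default password, and the election rule can be exercised together with a small parser. The following Python is an added example, not code from the book or from Cisco; it builds and decodes a 20-byte HSRP version 1 message, flags the default authentication value the chapter quotes, and applies the priority-then-IP comparison. The op code and state numbers are taken from RFC 2281 (hello 0, coup 1, resign 2; RFC 2281 puts 0 in the Version field for this version of the protocol); the function names and the sample packet are assumptions made for the example.

```python
import ipaddress
import struct

# Layout from Figure 9-2 / RFC 2281: eight one-byte fields, 8 bytes of
# authentication data, then the 4-byte virtual IP address (20 bytes in total).
HSRP_V1_FMT = "!BBBBBBBB8s4s"
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FMT)

UDP_PORT_IPV4 = 1985          # from the chapter
DEFAULT_AUTH = bytes.fromhex("636973636f000000")   # "cisco" + three trailing 0s
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


def build_hsrp_v1(opcode: int, state: int, hellotime: int, holdtime: int,
                  priority: int, group: int, auth: bytes, virtual_ip: str) -> bytes:
    """Serialize one HSRP v1 message (used here only to construct sample input)."""
    auth = auth[:8].ljust(8, b"\x00")
    return struct.pack(HSRP_V1_FMT, 0, opcode, state, hellotime, holdtime,
                       priority, group, 0, auth,
                       ipaddress.ip_address(virtual_ip).packed)


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode the UDP payload of an HSRP v1 message into named fields."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("HSRP v1 message must be at least 20 bytes")
    (version, opcode, state, hellotime, holdtime, priority,
     group, _reserved, auth, vip) = struct.unpack(HSRP_V1_FMT, payload[:HSRP_V1_LEN])
    if version != 0:
        raise ValueError(f"unexpected Version field value {version}")
    return {
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        "auth": auth,
        "auth_is_default": auth == DEFAULT_AUTH,
        "virtual_ip": str(ipaddress.ip_address(vip)),
    }


def audit_hsrp_v1(payload: bytes) -> list:
    """Findings a defender would want from a captured hello: clear-text password
    still at its default, or the password being trivially readable at all."""
    msg = parse_hsrp_v1(payload)
    findings = []
    if msg["auth_is_default"]:
        findings.append(f"group {msg['group']}: default authentication data in use")
    findings.append(f"group {msg['group']}: authentication is clear text (RFC 2281)")
    return findings


def elect_active(routers: list) -> tuple:
    """Apply the election rule: highest priority wins, ties go to the higher IP.
    `routers` is a list of (priority, real_ip) tuples; the winner is returned."""
    return max(routers, key=lambda r: (r[0], int(ipaddress.ip_address(r[1]))))


if __name__ == "__main__":
    # Constructed hello from the active router of group 1 in the Figure 9-1 topology.
    sample = build_hsrp_v1(0, 16, 3, 10, 100, 1, DEFAULT_AUTH, "192.168.0.8")
    print(parse_hsrp_v1(sample))
    for finding in audit_hsrp_v1(sample):
        print("finding:", finding)
    print("equal priority ->", elect_active([(100, "192.168.0.7"), (100, "192.168.0.9")]))
    print("A raised to 110 ->", elect_active([(110, "192.168.0.7"), (100, "192.168.0.9")]))
```

The audit function is deliberately one-sided: it reads a hello and reports what an observer on the segment can learn from it, which is exactly why the later mitigation material matters.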