Don't cheat on HSRP/VRRP addressing

Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) are used to provide redundant routed paths out of a subnet, presented as a single address. This is most useful to provide redundant default gateway connectivity for end hosts. Consider a common scenario:

[Figure: hsrp.jpg]

The active router will answer for all traffic sent to 192.168.0.1, and the standby router will take over should the active router fail; the switch is transparent to the end hosts. While certainly advantageous, one drawback of this setup is the apparent waste of two IP addresses (the addresses assigned to the physical interfaces). Since only the HSRP address is needed by end hosts, can we assign the physical interfaces to a separate subnet?

Observe what happens when we configure Fa0/0 on RouterA with a physical and virtual address in separate subnets:

RouterA(config)# interface fa0/0
RouterA(config-if)# ip address 10.0.0.1 255.255.255.0
RouterA(config-if)# standby 1 ip 192.168.0.1
% Warning: address is not within a subnet on this interface

Upon further inspection we can see that the router does not like this setup at all, as the HSRP group never transitions out of the Init state:

RouterA# show standby 
FastEthernet0/0 - Group 1
  State is Init (virtual IP in wrong subnet)
  Virtual IP address is 192.168.0.1 (wrong subnet for this interface)
  Active virtual MAC address is unknown
  Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption disabled
  Active router is unknown
  Standby router is unknown
  Priority 200 (configured 200)
  IP redundancy name is "hsrp-Fa0/0-1" (default)

In fact, the router will not generate HSRP hellos out of the interface, because it does not have routed access into the 192.168.0.0/24 subnet. Similar behavior is observed with VRRP. As such, we will need to use the proper subnet addresses for the physical interfaces. But hey, it's a small price to pay for such convenient redundancy.
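
The same check can be run offline against saved configurations before they are deployed. The following is an added example, not part of the original article: a small Python audit that flags any HSRP or VRRP virtual IP lying outside every subnet configured on its interface. The sample configuration is constructed, and the Fa0/1 addresses are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample config (not from the original page). Fa0/0 repeats the
# article's mismatch; the Fa0/1 addresses are assumed for illustration.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 standby 1 ip 192.168.0.1
!
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 ip address 172.16.5.2 255.255.255.0 secondary
 standby 2 ip 192.168.1.1
 vrrp 3 ip 172.16.5.1
"""

QUAD = r"(\d+\.\d+\.\d+\.\d+)"
IFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(r"^\s+ip address\s+" + QUAD + r"\s+" + QUAD)
VIP_RE = re.compile(r"^\s+(standby|vrrp)(?:\s+(\d+))?\s+ip\s+" + QUAD)


def find_vip_mismatches(config_text):
    """Return (interface, protocol, group, vip) for every HSRP/VRRP virtual IP
    that lies outside all subnets configured on its interface."""
    subnets, vips, iface = {}, [], None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            subnets[iface] = []
        elif not line.startswith(" "):
            iface = None  # "!" or a global command ends the interface block
        elif iface is not None:
            m = ADDR_RE.match(line)
            if m:  # primary or secondary address: record its network
                net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                subnets[iface].append(net)
            m = VIP_RE.match(line)
            if m:  # HSRP group defaults to 0 when omitted
                vips.append((iface, m.group(1), int(m.group(2) or 0),
                             ipaddress.ip_address(m.group(3))))
    return [(i, p, g, str(v)) for i, p, g, v in vips
            if not any(v in net for net in subnets[i])]


if __name__ == "__main__":
    for iface, proto, group, vip in find_vip_mismatches(SAMPLE_CONFIG):
        print(f"{iface}: {proto} group {group} virtual IP {vip} is in the wrong subnet")
```

Secondary addresses are counted as valid subnets for the virtual IP, which is why the Fa0/1 VRRP group in the sample is not flagged.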

About the Author

Jeremy Stretch is a networking engineer and the maintainer of PacketLife.net. He currently lives in the Raleigh-Durham area of North Carolina. Although employed full-time out of necessity, his true passion lies in improving the field of network engineering around the world. You can contact him by email or follow him on Twitter.

Comments

The old implementations of VRRP on the Cisco (Altiga) VPN 3000 series concentrators actually don't have a standby IP like IOS implementations of VRRP or HSRP. If the primary fails, the standby actually takes the IP of the primary. I don't know if it's still like that (I hope not), but it's worth mentioning.

Thanks for the helpful hint! I just hit "% Warning: address is not within a subnet on this interface" and was wondering why my HSRP was in INIT!

As far as I remember, in old IOS (12.0 or 11.7) adding a static route pointing to the interface for the HSRP's subnet was making this kind of setup work... Apparently it is not the case anymore.

Jeremy,

Is there a way to have a virtual router with a single IP address for the virtual IP and, instead of using 2 additional IPs for the physical interfaces to do the heartbeat, could the heartbeat be sent between the two routers using different interfaces?

I have an ISP that only assigns a single IPv4 address.
