The premiere source of truth powering network automation. Open and extensible, trusted by thousands.

NetBox is now available as a managed cloud solution! Stop worrying about your tooling and get back to building networks.

Don't cheat on HSRP/VRRP addressing

By stretch | Saturday, May 24, 2008 at 4:43 a.m. UTC

Hot Standby Routing Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) are used to provide redundant routed paths out of a subnet, presented as a single address. This is most useful to provide redundant default gateway connectivity for end hosts. Consider a common scenario:

hsrp.jpg

The active router will answer for all traffic sent to 192.168.0.1, and the standby router will take over should the active router fail; the switch is transparent to the end hosts. While certainly advantageous, one drawback of this setup is the apparent waste of two IP addresses (the addresses assigned to the physical interfaces). Since only the HSRP address is needed by end hosts, can we assign the physical interfaces to a separate subnet?

Observe what happens when we configure Fa0/0 on RouterA with a physical and virtual address in separate subnets:

RouterA(config)# interface fa0/0
RouterA(config-if)# ip address 10.0.0.1 255.255.255.0
RouterA(config-if)# standby 1 ip 192.168.0.1
% Warning: address is not within a subnet on this interface

Upon further inspection we can see that the router does not like this setup at all, as the HSRP group never transitions out of the Init state:

RouterA# show standby 
FastEthernet0/0 - Group 1
  State is Init (virtual IP in wrong subnet)
  Virtual IP address is 192.168.0.1 (wrong subnet for this interface)
  Active virtual MAC address is unknown
  Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption disabled
  Active router is unknown
  Standby router is unknown
  Priority 200 (configured 200)
  IP redundancy name is "hsrp-Fa0/0-1" (default)

In fact, the router will not generate HSRP hellos out of the interface, because it does not have routed access into the 192.168.0.0/24 subnet. Similar behavior is observed with VRRP. As such, we will need to use the proper subnet addresses for the physical interfaces. But hey, it's a small price to pay for such convenient redundancy.

Posted in Design

Comments

Aaron Conaway
May 28, 2008 at 1:04 p.m. UTC

The old implementations of VRRP on the Cisco (Altiga) VPN 3000 series concentrators actually don't have a standby IP like IOS implementations of VRRP or HSRP. If the primary fails, the standby actually takes the IP of the primary. I don't know if it's still like that (I hope not), but it's worth mentioning.

Dufd
March 9, 2010 at 7:53 a.m. UTC

Thanks for the helpful hint! I just hit "% Warning: address is not within a subnet on this interface" and wondering why my HSRP was in INIT!

Krik
March 10, 2011 at 8:34 a.m. UTC

As far as I remember, in old IOS (12.0 or 11.7) adding a static route pointing to the interface for the HSRP's subnet was making this kind of setup to work... Apparenlty it is not the case anymore.

fiberconx
May 5, 2013 at 2:15 p.m. UTC

Jeremy,

is there a way to have a virtual router with a single IP address for the virtual IP and instead of using 2 additional IPs for the physical interfaces to do the heartbeat, could the heartbeat be sent between the two routers using different interfaces?

I have an ISP that only assigns a single IPv4 address.

koenigworks9
July 19, 2013 at 10:26 a.m. UTC

The answer to use ONE IP is here:

https://supportforums.cisco.com/thread/2130942

Cheers!

Comments have closed for this article due to its age.