Thursday, January 1, 2009

HSRP and Redirects

HSRP is fairly easy to understand and configure, but the more you dig into something, the more you are bound to find something new. That was the case for me today with HSRP redirection. Honestly, I never really bothered to look into the topic too much but reading through the DocCD today kind of piqued my curiosity.

Here is the topology for this lab which I borrowed from the configuration guide. I would post a link but that would be too easy, I figured I'd let you practice finding it :)


The topology is big but my focus is on what R1 does based on what it knows about the HSRP status of all the other routers. Since all routers are doing OSPF, R1 learns about 172.16.34.0/24 from R3 and R4 and it learns about 172.16.8.0/24 from R8.

R9 is NOT doing OSPF and is using the standby group 1 address of 192.168.1.100 as its default gateway. In normal operation R1 would send redirects to R9 if it received packets for the R8 or the R3/R4 network. When HSRP is in use (with a default config), it only sends redirects for the R8 network.

Before we test, enable "debug ip icmp" on all routers as well as "debug standby events" on R1. Let's see what happens when R9 pings 172.16.8.8:

R9#ping 172.16.8.8 re 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 172.16.8.8, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 124/124/124 ms
R9#
*Mar 1 01:29:20.207: ICMP: redirect rcvd from 192.168.1.100- for 172.16.8.8 use gw 192.168.1.8
*Mar 1 01:29:20.263: ICMP: echo reply rcvd, src 172.16.8.8, dst 192.168.1.9


This is what we see on R1:

R1#
*Mar 1 01:30:15.771: ICMP: Use HSRP virtual address 192.168.1.100 as ICMP src
*Mar 1 01:30:15.775: ICMP: redirect sent to 192.168.1.9 for dest 172.16.8.8, use gw 192.168.1.8


Now look what happens when we ping 172.16.34.3:

R9#ping 172.16.34.3 re 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 172.16.34.3, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 112/112/112 ms
*Mar 1 01:30:54.407: ICMP: echo reply rcvd, src 172.16.34.3, dst 192.168.1.9


The ping succeeded of course but we did not get a redirect. The packet actually hops from R1 to R4, then the reply goes to R9. On R1 we see this:

R1#
*Mar 1 01:30:56.187: ICMP: redirect not sent to 192.168.1.9 for dest 172.16.34.3
*Mar 1 01:30:56.191: ICMP: 192.168.1.4 does not contain an active HSRP group


The reason R1 does not send a redirect is that R4 is not active for any groups. For all R1 knows, R4 is not active for a reason, and thus R1 should not send redirects pointing to it. But how does R1 know this? It keeps track of all the HSRP messages it hears. We can view this as follows:

R1#sho standby redirect
Interface          Redirects  Unknown  Adv  Holddown
FastEthernet0/0    enabled    enabled  30   180

Active             Hits  Interface        Group  Virtual IP     Virtual MAC
local              0     FastEthernet0/0  1      192.168.1.100  0000.0c07.ac01
192.168.1.3        0     FastEthernet0/0  3      192.168.1.200  0000.0c07.ac03

Passive            Hits  Interface        Expires in
192.168.1.2        0     FastEthernet0/0  179.856
192.168.1.4        4     FastEthernet0/0  162.824
R1#


Notice that R3 is an Active router for a group. R1 would send a redirect if R3 were listed as the next hop, but in this case R3 and R4 are equal-cost next hops and R4 is being picked. In spite of all this we can trick R1 into sending redirects by making R4 Active for a group. Let's enable group 4 only on R4 to ensure it becomes Active, then ping again from R9:

R4(config)#int f0/0
R4(config-if)#standby 4 ip 192.168.1.204


R1#sho stan re active
Active             Hits  Interface        Group  Virtual IP     Virtual MAC
local              0     FastEthernet0/0  1      192.168.1.100  0000.0c07.ac01
192.168.1.3        0     FastEthernet0/0  3      192.168.1.200  0000.0c07.ac03
192.168.1.4        0     FastEthernet0/0  4      192.168.1.204  0000.0c07.ac04

R9#ping 172.16.34.3 re 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 172.16.34.3, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 80/80/80 ms
R9#
*Mar 1 01:35:44.703: ICMP: redirect rcvd from 192.168.1.100- for 172.16.34.3 use gw 192.168.1.204
*Mar 1 01:35:44.739: ICMP: echo reply rcvd, src 172.16.34.3, dst 192.168.1.9


We got a redirect! What's interesting about this behavior is that R1 knows the difference between a network behind HSRP routers and a network behind a non-HSRP router. It knows this by learning which routers are sending HSRP messages and comparing them to the next hops in its route table. So if you ever get a tricky task about HSRP and redirects, I hope this helps shed some light on it.

Before I go, here is some more food for thought:

R1(config-if)#standby redirect ?
  advertisement  Redirect advertisement messages
  timers         Adjust redirect timers
  unknown        Redirect to non-HSRP routers
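
The decision R1 makes in the tests above, as an added Python model (not IOS code and not from the original post): it parses the "show standby redirect" tables and returns the gateway R1 would put in the redirect, or None when the redirect is suppressed. The passive section of AFTER is constructed, and the unknown_enabled parameter is a hypothetical stand-in for the "standby redirect unknown" setting.

```python
# "show standby redirect" tables as captured on R1 in the post (before group 4 on R4).
BEFORE = """\
Active             Hits  Interface        Group  Virtual IP     Virtual MAC
local              0     FastEthernet0/0  1      192.168.1.100  0000.0c07.ac01
192.168.1.3        0     FastEthernet0/0  3      192.168.1.200  0000.0c07.ac03

Passive            Hits  Interface        Expires in
192.168.1.2        0     FastEthernet0/0  179.856
192.168.1.4        4     FastEthernet0/0  162.824
"""
# Active table from the post after "standby 4 ip 192.168.1.204" on R4.
# The passive section is constructed: R4 is assumed to have left the passive list.
AFTER = """\
Active             Hits  Interface        Group  Virtual IP     Virtual MAC
local              0     FastEthernet0/0  1      192.168.1.100  0000.0c07.ac01
192.168.1.3        0     FastEthernet0/0  3      192.168.1.200  0000.0c07.ac03
192.168.1.4        0     FastEthernet0/0  4      192.168.1.204  0000.0c07.ac04

Passive            Hits  Interface        Expires in
192.168.1.2        0     FastEthernet0/0  179.856
"""

def parse(text):
    """Return ({real_ip: virtual_ip} for remote active routers, {real_ip} for passive ones)."""
    active, passive, section = {}, set(), None
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols[0] in ("Active", "Passive"):
            section = cols[0]                      # table header starts a new section
        elif section == "Active" and len(cols) >= 5 and cols[0] != "local":
            active[cols[0]] = cols[4]              # real address -> virtual IP
        elif section == "Passive":
            passive.add(cols[0])
    return active, passive

def redirect_gateway(next_hop, active, passive, unknown_enabled=True):
    """Gateway R1 would advertise in the ICMP redirect, or None if it is suppressed."""
    if next_hop in active:
        return active[next_hop]    # active HSRP router: advertise its virtual IP
    if next_hop in passive:
        return None                # HSRP router with no active group: no redirect
    return next_hop if unknown_enabled else None   # non-HSRP router (R8 in the lab)
```
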

1 comment:

  1. There's an extra facet here that you didn't clearly spell out.

    After enabling standby group 4, R1's route is via R4's physical interface address, but the ICMP redirect indicates that the host should use the standby address.

    You haven't 'tricked' R1 into sending redirects - rather, you've made R1 decide that it is *safe* to send redirects.
