This feature module describes the HSRP Support for ICMP Redirects feature.
This feature enables Internet Control Message Protocol (ICMP) redirection on interfaces configured with the Hot Standby Router Protocol (HSRP).
HSRP provides network redundancy in a way that ensures that user traffic will immediately and transparently recover from "first hop" failures in network edge devices. By sharing an IP address and a MAC (Layer 2) address, two or more routers can act as a single "virtual router" to the hosts on a LAN. The HSRP group may consist of an active router, a standby router to replace the active router should it fail, and one or more listening routers. The active and standby routers periodically exchange status messages in order to detect when a router goes down. The address of this HSRP group is referred to as the "virtual IP address."
ICMP is a network layer Internet protocol that provides message packets to report errors and other information relevant to IP processing. ICMP provides many diagnostic functions and can send and redirect error packets to hosts.
When running HSRP, it is important to prevent hosts from discovering the interface (or real) MAC addresses of routers in the HSRP group. If a host is redirected by ICMP to the real MAC address of a router, and that router later fails, then packets from the host will be lost. Previously, ICMP redirect messages were automatically disabled on interfaces configured with HSRP.
The HSRP Support for ICMP Redirects feature now enables ICMP redirects on interfaces configured with HSRP. This functionality works by filtering outgoing ICMP redirect messages through HSRP, where the next hop IP address may be changed to an HSRP virtual IP address.
The next hop IP address is compared to the list of active HSRP routers on that network; if a match is found, then the real next-hop IP address is replaced with a corresponding virtual IP address and the redirect message is allowed to continue.
If no match is found, then the ICMP redirect message is sent only if the router corresponding to the new next hop IP address is not running HSRP. Redirects to passive HSRP routers are not allowed (a passive HSRP router is a router running HSRP, but which contains no active HSRP groups on the interface).
For optimal operation, every router in a network that is running HSRP should contain at least one active HSRP group on an interface to that network. Every HSRP router need not be a member of the same group. Each HSRP router will snoop on all HSRP packets on the network to maintain a list of active routers (virtual IP addresses versus real IP addresses).
Consider the network shown in Figure 1, which supports the HSRP ICMP redirection filter.

If the host wants to send a packet to another host on Net D, then it first sends it to its default gateway, the virtual IP address of HSRP group 1.
Packet from host:
```
dest MAC   = HSRP group 1 virtual MAC
source MAC = Host MAC
dest IP    = host-on-netD IP
source IP  = Host IP
```
Router R1 receives this packet and determines that router R4 can provide a better path to Net D, so it prepares to send a redirect message that will redirect the host to the real IP address of router R4 (because only real IP addresses are in its routing table):
Initial ICMP redirect message:
```
dest MAC       = Host MAC
source MAC     = router R1 MAC
dest IP        = Host IP
source IP      = router R1 IP
gateway to use = router R4 IP
```
Before this redirect occurs, the HSRP process of router R1 determines that router R4 is the active HSRP router for group 3, so it changes the next hop in the redirect message from the real IP address of router R4 to the virtual IP address of group 3.
Furthermore, it determines from the destination MAC address of the packet that triggered the redirect message that the host used the virtual IP address of group 1 as its gateway, so it changes the source IP address of the redirect message to the virtual IP address of group 1.
The modified ICMP redirect message showing the two modified fields (*) is as follows:
```
dest MAC        = Host MAC
source MAC      = router R1 MAC
dest IP         = Host IP
source IP*      = HSRP group 1 virtual IP
gateway to use* = HSRP group 3 virtual IP
```
This second modification is necessary because hosts compare the source IP address of the ICMP redirect message with their default gateway. If these addresses do not match, the ICMP redirect message is ignored. The routing table of the host now consists of the default gateway, virtual IP address of group 1, and a route to Net D through the virtual IP address of group 3.
Redirects to passive HSRP routers are not permitted. Redundancy may be lost if hosts learn the real IP addresses of HSRP routers.
In the previous example, redirects to router R8 are not allowed because R8 is a passive HSRP router. In this case, packets from the host to Net D will first go to router R1 and then be forwarded to router R4, that is, they will traverse the network twice.
A network configuration with passive HSRP routers is considered a misconfiguration. For HSRP ICMP redirection to operate optimally, every router on the network that is running HSRP should contain at least one active HSRP group.
Redirects to routers not running HSRP on their local interface are permitted. No redundancy is lost if hosts learn the real IP address of non-HSRP routers.
In the example, redirection to router R7 is allowed because R7 is not running HSRP. In this case, the next hop IP address is unchanged. The source IP address is changed depending on the destination MAC address of the original packet.
Passive HSRP routers send out HSRP advertisement messages both periodically and when entering or leaving the passive state. Thus, all HSRP routers can determine the HSRP group state of any HSRP router on the network. These advertisements inform other HSRP routers on the network of the HSRP interface state.
If the HSRP router cannot uniquely determine the IP address used by the host when it sent the packet that caused the redirect, the redirect message will not be sent. The router uses the destination MAC address in the original packet to make this determination. In certain configurations, such as the use of the standby use-bia command specified on an interface, redirects cannot be sent. In this case, the HSRP groups use the interface MAC address as their virtual MAC address. The router now cannot determine if the default gateway of the host is the real IP address or one of the HSRP virtual IP addresses that are active on the interface.
The following is sample output from the debug standby events icmp command if HSRP could not uniquely determine the gateway used by the host:
```
10:43:08: SB: ICMP redirect not sent to 20.0.0.4 for dest 30.0.0.2
10:43:08: SB: could not uniquely determine IP address for mac 00d0.bbd3.bc22
```
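The filtering rules above (next hop rewritten to the virtual IP of the group it is active for, redirect suppressed for passive HSRP routers, next hop left unchanged for non-HSRP routers, source IP recovered from the destination MAC of the triggering packet, and nothing sent when that MAC is ambiguous under `standby use-bia`) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not Cisco IOS code: the class names, the topology and every address and MAC are constructed for the example, and the virtual MACs follow the 0000.0c07.acXX pattern only as a convenient convention, not as a value taken from this document.

```python
"""Model of the HSRP ICMP redirect filter described in this feature module.

Added, illustrative Python; not Cisco IOS code.  Class names, topology,
addresses and MACs are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HsrpGroup:
    number: int
    virtual_ip: str
    virtual_mac: str
    active_router_ip: str   # real IP of the router currently active for this group


@dataclass(frozen=True)
class Redirect:
    host_ip: str     # host being redirected (destination IP of the redirect)
    dest_ip: str     # destination the host was trying to reach
    src_ip: str      # source IP of the redirect (router's real IP before filtering)
    gateway_ip: str  # next hop offered to the host (real IP from the routing table)


class HsrpRedirectFilter:
    """Outgoing-redirect filter of one HSRP router, built from snooped HSRP state."""

    def __init__(self, real_ip: str, real_mac: str,
                 groups: list[HsrpGroup], passive_routers: set[str]) -> None:
        self.real_ip = real_ip
        self.real_mac = real_mac
        self.groups = groups                    # active router of every group seen on the LAN
        self.passive_routers = passive_routers  # HSRP routers advertising no active group

    def gateway_used_by_host(self, trigger_dest_mac: str) -> Optional[str]:
        """Map the triggering packet's destination MAC back to the gateway IP the host used.

        Returns None when that MAC belongs to more than one IP address, which is the
        'standby use-bia' case: the interface MAC doubles as every group's virtual MAC.
        """
        candidates = {g.virtual_ip for g in self.groups if g.virtual_mac == trigger_dest_mac}
        if trigger_dest_mac == self.real_mac:
            candidates.add(self.real_ip)
        return candidates.pop() if len(candidates) == 1 else None

    def rewrite_next_hop(self, real_next_hop: str) -> tuple[Optional[str], str]:
        """Replace a real next-hop IP with the virtual IP of the group it is active for."""
        for g in self.groups:
            if g.active_router_ip == real_next_hop:
                return g.virtual_ip, f"gw {real_next_hop} -> {g.virtual_ip}"
        if real_next_hop in self.passive_routers:
            return None, f"{real_next_hop} does not contain an active HSRP group"
        return real_next_hop, f"{real_next_hop} is not running HSRP, next hop unchanged"

    def filter(self, redirect: Redirect, trigger_dest_mac: str) -> tuple[Optional[Redirect], str]:
        """Return the redirect as it would leave the router (None if suppressed) and why."""
        src = self.gateway_used_by_host(trigger_dest_mac)
        if src is None:
            return None, f"could not uniquely determine IP address for mac {trigger_dest_mac}"
        next_hop, reason = self.rewrite_next_hop(redirect.gateway_ip)
        if next_hop is None:
            return None, reason
        return Redirect(redirect.host_ip, redirect.dest_ip, src, next_hop), reason


# Constructed topology mirroring the roles in the figure: R1 active for group 1,
# R4 active for group 3, R7 not running HSRP, R8 running HSRP with no active group.
R1_IP, R1_MAC = "192.0.2.11", "0000.0c00.0011"
R4_IP, R7_IP, R8_IP = "192.0.2.14", "192.0.2.17", "192.0.2.18"
GROUP1_MAC, GROUP3_MAC = "0000.0c07.ac01", "0000.0c07.ac03"


def build_example_filter(use_bia: bool = False) -> HsrpRedirectFilter:
    """R1's view of the LAN; with use_bia the group 1 virtual MAC is R1's interface MAC."""
    group1_mac = R1_MAC if use_bia else GROUP1_MAC
    groups = [
        HsrpGroup(1, "192.0.2.1", group1_mac, R1_IP),
        HsrpGroup(3, "192.0.2.3", GROUP3_MAC, R4_IP),
    ]
    return HsrpRedirectFilter(R1_IP, R1_MAC, groups, passive_routers={R8_IP})


def redirect_from_r1(next_hop: str) -> Redirect:
    """Initial redirect R1 would build for the host, before HSRP filtering (constructed)."""
    return Redirect(host_ip="192.0.2.100", dest_ip="198.51.100.5",
                    src_ip=R1_IP, gateway_ip=next_hop)


if __name__ == "__main__":
    f = build_example_filter()
    for hop in (R4_IP, R8_IP, R7_IP):
        print(f.filter(redirect_from_r1(hop), GROUP1_MAC))
    print(build_example_filter(use_bia=True).filter(redirect_from_r1(R4_IP), R1_MAC))
```

Run as a script, the four cases print in order: the redirect to R4 leaves with source 192.0.2.1 and next hop 192.0.2.3 (both virtual), the redirect to R8 is suppressed, the redirect to R7 keeps its real next hop, and the use-bia case is suppressed because the triggering MAC maps to both R1's real IP and the group 1 virtual IP.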
The HSRP Support for ICMP Redirects feature ensures that the optimal routing path is used with a fault-tolerant HSRP group.
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature. For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
None.
Step 2 Examine the state of your HSRP groups.
| Command | Purpose |
|---|---|
| Router#debug standby events icmp | Displays debug messages for HSRP-filtered ICMP redirect messages. |
| Router#debug ip icmp | Displays information on ICMP transactions. |
The following is a configuration example for two HSRP groups that allow the filtering of ICMP redirect messages:
Router A - Active for group 1 and Standby for group 2
```
interface Ethernet1
 ip address 1.0.0.10 255.0.0.0
 standby redirects
 standby 1 priority 120
 standby 1 preempt delay 20
 standby 1 ip 1.0.0.1
 standby 2 priority 100
 standby 2 preempt delay 20
 standby 2 ip 1.0.0.2
```
Router B - Standby for group 1 and Active for group 2
```
interface Ethernet1
 ip address 1.0.0.11 255.0.0.0
 standby redirects
 standby 1 priority 100
 standby 1 preempt delay 20
 standby 1 ip 1.0.0.1
 standby 2 priority 120
 standby 2 preempt delay 20
 standby 2 ip 1.0.0.2
```
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS IP and IP Routing Command Reference, Release 12.1.
Syntax Description
| Syntax | Description |
|---|---|
| type number | (Optional) Interface type and number for which output is displayed. |
| group | (Optional) Group number on the interface for which output is displayed. |
| active | (Optional) Displays HSRP groups in active state. |
| init | (Optional) Displays HSRP groups in initial state. |
| listen | (Optional) Displays HSRP groups in listen or learn state. |
| standby | (Optional) Displays HSRP groups in standby or speak state. |
| brief | (Optional) A single line of output summarizes each standby group. |
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 10.0 | This command was introduced. |
| 12.1(3)T | The following keywords were added: |
Usage Guidelines
If you want to specify a group, you must also specify an interface type and number.
Examples
The following is sample output from the show standby command with a specific interface and the brief and init keywords:
```
Router# show standby ethernet0 init brief
Interface   Grp  Prio P State    Active addr     Standby addr    Group addr
Et0         0    120    Init     20.0.0.1        unknown         20.0.0.12
```
Table 1 describes the significant fields in the display.
| Field | Description |
|---|---|
| Interface | Interface type and number for the interface. |
| Grp | Hot standby group number for the interface. |
| Prio | Priority value of the router based on the standby priority command. |
| State | State of local router; can be one of the following: |
| may preempt | Indicates that the router will attempt to assume control as the active router if its priority is greater than the current active router. |
| Active addr | Value can be "local," "unknown," or an IP address. Address of the current active hot standby router. |
| Standby addr | Value can be "local," "unknown," or an IP address. Address of the "standby" router (the router that is next in line to be the hot standby router). |
| Group addr | Virtual IP address of the HSRP group. |
Related Commands
| Command | Description |
|---|---|
| standby authentication | Configures an authentication string for the HSRP. |
| standby ip | Activates the HSRP. |
| standby mac-address | Specifies the virtual MAC address for the virtual router. |
| standby mac-refresh | Refreshes the MAC cache on the switch by periodically sending packets from the virtual MAC address. |
| standby name | Configures a name string for the HSRP group. This is used by IP redundancy clients. |
| standby preempt | Configures HSRP preemption and preemption delay. |
| standby priority | Configures HSRP priority. |
| standby timers | Configures the time between hello messages and the time before other routers declare the active router or standby router to be down. |
| standby track | Configures an interface so that the HSRP priority changes based on the availability of other interfaces. |
| standby use-bia | Configures HSRP to use the burned-in address of the interface as its virtual MAC address, instead of the preassigned MAC address (on Ethernet and FDDI) or the functional address (on Token Ring). |
To enable Internet Control Message Protocol (ICMP) redirect messages to be sent when the Hot Standby Router Protocol (HSRP) is configured on an interface, use the standby redirects interface configuration command. To disable the standby redirect filter, use the no form of this command.
standby redirects [enable | disable]
Syntax Description
| Syntax | Description |
|---|---|
| enable | Allows the filtering of ICMP redirect messages on interfaces configured with HSRP, where the next hop IP address may be changed to an HSRP virtual IP address. |
| disable | Disables the filtering of ICMP redirect messages on interfaces configured with HSRP. |
Defaults
HSRP ICMP redirects are enabled by default.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.1(3)T | This command was introduced. |
Usage Guidelines
The standby redirects command can be configured globally or on a per-interface basis. When HSRP is first configured on an interface, the setting for that interface will inherit the global value. If ICMP redirects have been explicitly disabled on an interface, then the global command cannot reenable the functionality.
The no standby redirects command is the same as the standby redirects disable command. However, it is not desirable to save the no form of this command to NVRAM. Because the command is enabled by default, it is preferable to use the standby redirects disable command to disable the functionality.
Examples
The following example allows HSRP to filter redirect messages on interface Ethernet 0:
```
interface ethernet 0
 ip address 20.0.0.1 255.0.0.0
 standby redirects
 standby 1 ip 20.0.0.11
```
Related Commands
| Command | Description |
|---|---|
| show standby | Displays the HSRP information. |
This section documents the new debug standby events icmp command related to the HSRP Support for ICMP Redirects feature.
To display debug messages for the Hot Standby Router Protocol (HSRP) Internet Control Message Protocol (ICMP) redirects filter, use the debug standby events icmp privileged EXEC command. To disable debugging output, use the no form of this command.
debug standby events icmp
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(3)T | This command was introduced. |
Usage Guidelines
This command helps you determine whether HSRP is filtering an outgoing ICMP redirect message.
Examples
The following is sample output from the debug standby events icmp command:
```
Router# debug standby events icmp
10:35:20: SB: changing ICMP redirect sent to 20.0.0.4 for dest 30.0.0.2
10:35:20: SB: gw 20.0.0.2 -> 20.0.0.12, src 20.0.0.11
10:35:20: SB: Use HSRP virtual address 20.0.0.11 as ICMP src
```
If the router being redirected to is passive (HSRP enabled but no active groups), the following debug message is displayed:
```
10:41:22: SB: ICMP redirect not sent to 20.0.0.4 for dest 40.0.0.3
10:41:22: SB: 20.0.0.3 does not contain an active HSRP group
```
If HSRP could not uniquely determine the gateway used by the host, then the following message is displayed:
```
10:43:08: SB: ICMP redirect not sent to 20.0.0.4 for dest 30.0.0.2
10:43:08: SB: could not uniquely determine IP address for mac 00d0.bbd3.bc22
```
The following messages are also displayed if debug ip icmp is enabled, in which case the message prefix is changed:
```
10:39:09: ICMP: HSRP changing redirect sent to 20.0.0.4 for dest 30.0.0.2
10:39:09: ICMP: gw 20.0.0.2 -> 20.0.0.12, src 20.0.0.11
10:39:09: ICMP: Use HSRP virtual address 20.0.0.11 as ICMP src
10:39:09: ICMP: redirect sent to 20.0.0.4 for dest 30.0.0.2, use gw 20.0.0.12
```
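The debug messages above are the only visibility an operator has into which redirects HSRP rewrote and which it dropped, and the two drop reasons (a passive HSRP router, or a MAC that cannot be mapped to one gateway IP under `standby use-bia`) are exactly the misconfigurations this document warns about. The following parser is an added example written for this page, not Cisco code: the regular expressions and the event field names are constructed here, and the only input it assumes is the sample debug output reproduced in this document, in both its `SB:` and `ICMP:` prefixed forms.

```python
"""Parser for the 'debug standby events icmp' output shown in this document.

Added example, not Cisco code.  The parsing logic and the event field names
are constructed here; SAMPLE_DEBUG reuses the sample lines from the document.
"""
import re
from collections import Counter

# Sample lines copied from the debug output printed in this document.
SAMPLE_DEBUG = """\
10:35:20: SB: changing ICMP redirect sent to 20.0.0.4 for dest 30.0.0.2
10:35:20: SB: gw 20.0.0.2 -> 20.0.0.12, src 20.0.0.11
10:35:20: SB: Use HSRP virtual address 20.0.0.11 as ICMP src
10:41:22: SB: ICMP redirect not sent to 20.0.0.4 for dest 40.0.0.3
10:41:22: SB: 20.0.0.3 does not contain an active HSRP group
10:43:08: SB: ICMP redirect not sent to 20.0.0.4 for dest 30.0.0.2
10:43:08: SB: could not uniquely determine IP address for mac 00d0.bbd3.bc22
10:39:09: ICMP: HSRP changing redirect sent to 20.0.0.4 for dest 30.0.0.2
10:39:09: ICMP: gw 20.0.0.2 -> 20.0.0.12, src 20.0.0.11
10:39:09: ICMP: Use HSRP virtual address 20.0.0.11 as ICMP src
10:39:09: ICMP: redirect sent to 20.0.0.4 for dest 30.0.0.2, use gw 20.0.0.12
"""

# Timestamp and either the SB: (standby) or ICMP: prefix, then the message body.
_LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d): (?:SB|ICMP): (?P<msg>.*)$")
# Decision line that opens a new event; 'not' marks a suppressed redirect.
_START = re.compile(
    r"^(?:HSRP )?(?:changing (?:ICMP )?redirect|ICMP redirect (?P<suppressed>not))"
    r" sent to (?P<host>\S+) for dest (?P<dest>\S+)$")
_GW = re.compile(r"^gw (?P<real>\S+) -> (?P<virtual>\S+), src (?P<src>\S+)$")
_SRC = re.compile(r"^Use HSRP virtual address (?P<src>\S+) as ICMP src$")
_PASSIVE = re.compile(r"^(?P<router>\S+) does not contain an active HSRP group$")
_AMBIG = re.compile(r"^could not uniquely determine IP address for mac (?P<mac>\S+)$")
_SENT = re.compile(r"^redirect sent to \S+ for dest \S+, use gw (?P<gw>\S+)$")


def parse_redirect_debug(text: str) -> list[dict]:
    """Group the debug lines into one event per redirect decision."""
    events: list[dict] = []
    current = None
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        s = _START.match(msg)
        if s:
            current = {"time": m.group("ts"), "host": s.group("host"), "dest": s.group("dest"),
                       "outcome": "suppressed" if s.group("suppressed") else "rewritten"}
            events.append(current)
            continue
        if current is None:
            continue  # detail line with no preceding decision line
        if (d := _GW.match(msg)):
            current.update(gw_real=d.group("real"), gw_virtual=d.group("virtual"),
                           src_real=d.group("src"))
        elif (d := _SRC.match(msg)):
            current["src_virtual"] = d.group("src")
        elif (d := _PASSIVE.match(msg)):
            current.update(reason="passive_router", passive_router=d.group("router"))
        elif (d := _AMBIG.match(msg)):
            current.update(reason="ambiguous_gateway", mac=d.group("mac"))
        elif (d := _SENT.match(msg)):
            current["sent_gw"] = d.group("gw")
    return events


def summarize(events: list[dict]) -> Counter:
    """Count outcomes; suppressed redirects are keyed by reason so that passive
    routers and use-bia ambiguity stand out from ordinary rewrites."""
    return Counter(e.get("reason", e["outcome"]) for e in events)


if __name__ == "__main__":
    evs = parse_redirect_debug(SAMPLE_DEBUG)
    for e in evs:
        print(e)
    print(summarize(evs))
```

On the sample output this yields four events: two rewrites (one from each prefix form, both showing the 20.0.0.2 to 20.0.0.12 next-hop change), one suppression naming 20.0.0.3 as a passive router, and one naming MAC 00d0.bbd3.bc22 as unmappable. A recurring `passive_router` count is the signal that some HSRP router on the segment has no active group, the misconfiguration the Usage Guidelines above describe.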
Related Commands
| Command | Description |
|---|---|
| debug ip icmp | Displays information on ICMP transactions. |
HSRP: Hot Standby Router Protocol. Protocol used among a group of routers for selecting an active router and a standby router. (An active router is the router of choice for routing packets; a standby router is a router that takes over the routing duties when an active router fails, or when preset conditions are met.)
HSRP group: A set of routers using HSRP that act as a single "virtual" router to the hosts on the LAN.
ICMP: Internet Control Message Protocol. A network-layer Internet protocol that provides message packets to report errors and other information relevant to IP packet processing. ICMP provides many diagnostic functions and can send error packets to hosts.
virtual IP address: The address of the HSRP group.
Posted: Tue Sep 19 17:30:17 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.