HSRP with SLA Protections

A constant struggle in networking is to build designs that don’t require manual intervention to function. In this scenario we look at two routers, each with its own outbound circuit. The design calls for the circuits to function in an Active/Hot Standby configuration. Router 1 is our primary using ISP A, while Router 2 and ISP B are our standby. This could be a common configuration when one circuit is preferred over another due to bandwidth, reliability, or cost considerations.

By default, HSRP really only protects us from a hardware redundancy standpoint. Router 1 would have to fail entirely for Router 2 to become active. Hardware failures happen, but far less often than circuits going down. Monitoring the outside port doesn’t always work either: on an L3 circuit the outside link can often stay up while the neighbor is down. To overcome this we can use IP SLAs in the form of ICMP probes. Simply put, if Router 1 fails to ping its next hop, we force HSRP to fail over to the standby router.

To do this we need to start by configuring our SLAs and scheduling them:

Router 1

ip sla 1
  icmp-echo 74.254.48.1
     frequency 5
ip sla schedule 1 life forever start-time now

Router 2

ip sla 1
  icmp-echo 65.145.5.1
     frequency 5
ip sla schedule 1 life forever start-time now

Here we create SLA 1 and specify the target of our pings. The frequency specifies how often, in seconds, these pings are sent.

Our scheduling ensures SLA 1 will start immediately and continue to run forever.

With our SLAs created we can move on to tracking the SLA object with the track command. Here we are simply checking whether the remote side is reachable. If the remote side goes down, the track object reports the link as down. To do this we add a track command to both routers:

track 5 ip sla 1 reachability

Our last step is to add a line to our HSRP configuration so that it considers the result of the track object when deciding which router is preferred.

Router 1

interface Port-channel10
 description to Internal Network
 ip address 10.10.10.2 255.255.255.248
 standby 5 ip 10.10.10.1
 standby 5 priority 110
 standby 5 preempt
 standby 5 track 5 decrement 20

Router 2

interface Port-channel10
 description to Internal Network
 ! Router 2 needs its own address in the /29; 10.10.10.3 is assumed here
 ! (the original listing repeated Router 1's 10.10.10.2)
 ip address 10.10.10.3 255.255.255.248
 standby 5 ip 10.10.10.1
 standby 5 priority 100
 standby 5 preempt
 standby 5 track 5 decrement 20

At this point we add the command standby # track # decrement #. This reduces the router’s HSRP priority by the specified value whenever the tracked SLA reports down. The decrement value needs to be large enough to force Router 1’s priority below Router 2’s: here 110 - 20 = 90, which is lower than Router 2’s 100.

It should be noted that the preempt command is needed on both routers. Without it, failover will not happen automatically even though Router 1 has the lower priority value.

With this in place, HSRP can monitor the status of each router’s connection to its ISP next hop. There are additional options that can be used to prevent an immediate failover when a few ICMP pings drop: the SLA can be tuned to send fewer pings, and the preempt command can be given a delay timer so the SLA has time to recover before a failover.
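As an added example (not the original post’s configuration), here is Router 1’s SLA, track and HSRP configuration tuned so that a single dropped ping does not trigger a failover, and so the router does not flap back the moment its probe succeeds. The ISP-facing interface name GigabitEthernet0/0, the timeout/threshold values and the delay timers are assumptions chosen for illustration.

```cisco
! Router 1 (assumed values; GigabitEthernet0/0 is an assumed ISP-facing interface)
ip sla 1
 icmp-echo 74.254.48.1 source-interface GigabitEthernet0/0
 ! timeout and threshold are in milliseconds; a reply slower than 1000 ms is a failure
 timeout 1000
 threshold 500
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Wait 10 s of failed probes before declaring the object down and 30 s of
! successful probes before declaring it up, so a brief blip does not flap HSRP
track 5 ip sla 1 reachability
 delay down 10 up 30
!
interface Port-channel10
 description to Internal Network
 ip address 10.10.10.2 255.255.255.248
 standby 5 ip 10.10.10.1
 standby 5 priority 110
 ! After the track object recovers, wait 60 s before taking the active role back
 standby 5 preempt delay minimum 60
 standby 5 track 5 decrement 20
```

Router 2 takes the same track delay and preempt delay so that it does not fail over on its own circuit’s blips either; verify the state with show track 5 and show standby brief.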

While there are a number of benefits to putting this in place, depending on the network design there are cons as well. The two large drawbacks are that there is no load balancing, and that SLAs can add overhead on the routers. Load balancing is helpful if you have balanced circuits or an increased need for bandwidth. The SLAs generally shouldn’t cause an issue, but on older devices they could over-utilize resources.