[c-nsp] Quick question on HSRP...

Phil Mayers p.mayers at imperial.ac.uk
Tue Dec 31 10:59:18 EST 2013


On 30/12/2013 23:27, Jeff Kell wrote:

> terribly disruptive.  Not sure if we want to leave the HSRP in place
> (thinking yes) or remove it (and the old router) after the migration,
> but will cross that bridge when we get there.

If you plan on retaining it, remember you'll now be seeing HSRP packets 
on the wire continuously. Most times that doesn't matter, but in some 
cases e.g. wireless networks it can cause issues.

Generally though, we do HSRP everywhere, even in single-router cases. 
It's good future-proofing, and the presence of a predictable vMAC can be 
handy for some operational/monitoring concerns ("every VLAN FDB should 
have this MAC in it").


>
> So just how "disruptive" will introducing HSRP really be?

As someone else has mentioned, IOS issues a gratuitous ARP for the new 
vMAC, but even if it didn't, the old interface MAC should remain 
unchanged and will still forward IP traffic sent to it. So introducing 
it should be non-disruptive, subject to a few caveats.

(Note that changing the HSRP version does not have this property; the 
old vMAC will be removed from the FDB, and the box won't forward traffic 
destined to it)

First, the default HSRP timers are 3/10 sec IIRC, so after pasting in 
the commands there will be a 10-second window when the gateway won't be 
responding to ARPs and the vMAC won't be installed. So I would put the 
commands in like this:

standby 0 timers msec 100 350
ip address <new>
standby 0 ip <gw>

...to get a fast transition to "Active", then either default or up the 
timers later (generally, very aggressive msec timers are a bit risky on 
IOS boxes, due to most CPUs being a bit weak).

Second, after introducing it, most hosts will have responded to the 
g-ARP, but some may not (very very rare in my experience), so you'll 
want to wait until they're all updated before moving the gateway, if you 
want them all to move together so you can remove the old router.

HTH - we've done this many hundreds of times, and if it's a comfort, it 
is almost always trouble-free; I can't recall having a "HSRP enabled" 
problem in the last few years.
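
The monitoring check mentioned in the post ("every VLAN FDB should have this MAC in it"), as an added example that is not part of the original message: it derives the well-known HSRP virtual MAC for a group and version and reports VLANs whose MAC table lacks it. The table text is constructed sample data in the style of "show mac address-table"; the function names and the VLAN list are assumptions.

```python
import re

def hsrp_vmac(group, version=1):
    """HSRP virtual MAC in Cisco dotted form (v1: 0000.0c07.acXX, v2: 0000.0c9f.fXXX)."""
    if version == 1 and 0 <= group <= 255:
        return "0000.0c07.ac%02x" % group
    if version == 2 and 0 <= group <= 4095:
        return "0000.0c9f.f%03x" % group
    raise ValueError("bad HSRP version/group: v%s group %s" % (version, group))

# One data row: VLAN id, dotted MAC, entry type, port. Header/ruler rows do not match.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)

def parse_fdb(text):
    """Map VLAN id -> {mac: port} from MAC-table text."""
    fdb = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            fdb.setdefault(int(m.group(1)), {})[m.group(2).lower()] = m.group(4)
    return fdb

def vlans_missing_vmac(text, expected_vlans, group=0, version=1):
    """Return the expected VLANs whose FDB does not contain the HSRP vMAC."""
    vmac = hsrp_vmac(group, version)
    fdb = parse_fdb(text)
    return sorted(v for v in expected_vlans if vmac not in fdb.get(v, {}))

# Constructed sample: VLAN 30 has no vMAC at all; VLAN 40 only has a
# version 2 vMAC, so a check for the version 1 vMAC flags it as well.
SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac00    DYNAMIC     Te1/1
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  20    0000.0c07.ac00    DYNAMIC     Te1/1
  30    0011.2233.4466    DYNAMIC     Gi1/0/7
  40    0000.0c9f.f000    DYNAMIC     Te1/1
"""

if __name__ == "__main__":
    print("VLANs missing the v1 group 0 vMAC:",
          vlans_missing_vmac(SAMPLE, [10, 20, 30, 40]))
```
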

