[c-nsp] HSRP issues on Cisco3550

Phil Mayers p.mayers at imperial.ac.uk
Wed Nov 8 19:09:33 EST 2006 

Sam Stickland wrote:
>>
>> Due to the inefficientness of the routing (flooding) of the stanby 
>> router, we've just avoided setting it up this way, and changed the cost.
>>
> I'm not sure I understand this - wouldn't the standby router populate 
> it's CAM table from the ARP replies? And it has to send out and ARP 
> reply (and get a response), or the router can't populate the destination 
> MAC address in frame.

ARP replies are layer2 unicast, so no the CAM on slave would not be 
populated by them.

As for the 2nd point, default ARP timeout on ciscos is 4 hours. Default 
timeout on CAM is 300 seconds. Hence, after 300 seconds the packet will 
be unicast-flooded to the MAC which remains in the ARP table (or dropped 
if unicast flooding is disabled)

In one of the more common HSRP deployment strategies, that doesn't 
matter because you have:

  route            route
    |                |
  master ----P---- slave
    \                /
     A              B
      \-- switch --/

Link B will be STP-blocked, so a packet unicast-flooded out of "slave" 
will only travel down one link - no flooding.

This is a pretty well documented shortcoming of HSRP. See:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml#cause1
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml#t8


Sadly, the route cost increase will only get you so far e.g.

  route            route
    |                |
  master ----P---- slave -- wanlink -- remotesite
    \                /
     A              B
      \-- switch --/

Packets from remotesite will ALWAYS be routed by slave since slave has a 
connected route which cannot be overridden.

The route cost trick is also tedious because of the static nature of the 
route map or prefix-list you must use to designate a subnet master or 
slave. "match hsrp status [standby | active]" would be nice.

Extreme ESRP and Foundry VSRP are "superior" in that respect since the 
protocol shuts down the SVI, not the outbound gateway.

I have toyed with the idea of using event manager to execute "shut" and 
"no shut" commands in response to leaving and becoming STP root status, 
but it seems like asking for trouble...

If Cisco could do the work to remove the connected route whilst still 
sending and receiving the control traffic, HSRP would be a lot more 
useful to a lot more people IMHO.

More information about the cisco-nsp mailing list