HSRP (Hot Standby Router Protocol) – Concepts, Configuration, and Best Practices

1. What Is HSRP?

HSRP (Hot Standby Router Protocol) is a Cisco proprietary First Hop Redundancy Protocol (FHRP) that provides transparent gateway failover for hosts on a LAN segment. If the active router fails, a standby router assumes the virtual IP and MAC address automatically — with no reconfiguration required on hosts.

Multiple routers form an HSRP group and share a single virtual IP address. Hosts configure this virtual IP as their default gateway. At any time, exactly one router is Active (forwarding traffic) while one or more remain in Standby (ready to take over).

  Hosts (default gateway = 192.168.1.254)
        │
  ──────┴──────────────────────
        │              │
  ┌─────┴─────┐  ┌─────┴─────┐
  │    R1     │  │    R2     │
  │ ACTIVE    │  │ STANDBY   │
  │ Pri: 110  │  │ Pri: 100  │
  └───────────┘  └───────────┘
  Virtual IP: 192.168.1.254
  Virtual MAC: 00:00:0c:07:ac:01  (HSRP v1, group 1)

2. HSRP Versions

Feature	HSRP v1	HSRP v2
Group number range	0 – 255	0 – 4095
IPv6 support	No	Yes
Virtual MAC format	`00:00:0c:07:ac:XX`	`00:00:0c:9f:fX:XX`
Multicast address	224.0.0.2	224.0.0.102
Millisecond timers	No	Yes
When to use	Legacy IPv4-only networks	Modern networks, IPv6, multiple groups

3. HSRP States and State Machine

Every HSRP router transitions through a defined set of states during startup and after topology changes. Understanding the state machine is critical for troubleshooting stuck or flapping HSRP groups.

State	Description	Sends Hellos?
Initial	HSRP just started; no activity yet	No
Learn	Router has not yet learned the virtual IP; waiting for a hello from the Active router	No
Listen	Virtual IP is known; router monitors hello messages but is neither Active nor Standby	No
Speak	Router participates in the Active/Standby election by sending and receiving hellos	Yes
Standby	Router is the designated backup; monitors Active router via hello messages	Yes
Active	Router is forwarding packets on behalf of the virtual IP/MAC address	Yes

Timers: Hello (default 3 s), Hold (default 10 s). If the Standby router misses three hello messages (hold timer expires), it transitions to Speak and then Active.

4. HSRP Priority and Preemption

The router with the highest priority wins the Active election. If priorities are equal, the router with the higher IP address wins. The default priority is 100.

Priority range: 0 – 255 (higher = preferred)
Preemption: Disabled by default. Without preempt, a higher-priority router that comes back online will not reclaim the Active role — the current Active keeps it.
Enabling preempt forces the router with the highest priority to take the Active role as soon as it is available.

! Set priority and enable preemption
standby [group] priority [value]
standby [group] preempt

5. HSRP Group, Virtual IP, and Virtual MAC

Each HSRP instance is identified by a group number. Multiple groups can coexist on the same interface, enabling load sharing across different VLANs or subnets.

Virtual IP: Shared IP used by hosts as the default gateway
Virtual MAC (v1): 00:00:0c:07:ac:XX where XX = group number in hex
Virtual MAC (v2): 00:00:0c:9f:fX:XX where X:XX = group number in hex

interface GigabitEthernet0/1
 standby 1 ip 192.168.1.254
 standby 1 priority 110
 standby 1 preempt

6. Timers and Convergence

HSRP failover speed is governed by two timers. The defaults provide stability but may be too slow for latency-sensitive environments.

Hello Timer: How often a router sends hello messages (default 3 s). The Active and Standby routers both send hellos.
Hold Timer: How long a router waits before declaring the peer dead (default 10 s). Must be at least 3× the hello timer.

Lowering timers (e.g., hello 1 s / hold 3 s) speeds up failover but increases control-plane traffic. Millisecond timers are available in HSRP v2.

standby [group] timers [hello] [hold]
! Example — aggressive timers:
standby 1 timers 1 3

7. HSRP Interface Tracking

Interface tracking allows HSRP to automatically reduce a router's priority when an upstream interface fails. This causes the Standby router (which still has full connectivity) to become Active, routing traffic through the better path.

! Decrement priority by 20 if GigabitEthernet0/0 goes down
standby 1 track GigabitEthernet0/0 20

Example: R1 has priority 110. Its WAN interface goes down. Tracking decrements by 20 → priority drops to 90. R2 (priority 100) is now higher and, with preemption enabled, takes the Active role.

8. HSRP Authentication

Authentication prevents rogue routers from joining an HSRP group and disrupting gateway redundancy. Two options are available:

Plain-text (not recommended — visible in packet captures):
```
standby [group] authentication [string]
```

MD5 key-string (recommended for production):

standby [group] authentication md5 key-string [string]

All routers in the same HSRP group must use matching authentication credentials, or they will not recognise each other's hello messages.

9. Load Sharing with Multiple HSRP Groups

A single HSRP group provides redundancy but no load sharing — the Standby router sits idle. True load distribution is achieved by configuring multiple HSRP groups on the same interface, with each router being Active for a different group.

! R1 — Active for Group 1, Standby for Group 2
interface GigabitEthernet0/1
 standby 1 ip 192.168.1.254
 standby 1 priority 110
 standby 1 preempt
 standby 2 ip 192.168.1.253
 standby 2 priority 90

! R2 — Active for Group 2, Standby for Group 1
interface GigabitEthernet0/1
 standby 1 ip 192.168.1.254
 standby 1 priority 90
 standby 2 ip 192.168.1.253
 standby 2 priority 110
 standby 2 preempt

Each group has its own virtual IP. Half the hosts use 192.168.1.254 as their gateway; the other half use 192.168.1.253.

10. HSRP vs VRRP vs GLBP

Feature	HSRP	VRRP	GLBP
Vendor	Cisco proprietary	Open standard (RFC 5798)	Cisco proprietary
True load balancing	No (per-group only)	No (per-group only)	Yes — one virtual IP, multiple forwarders
IPv6 support	v2 only	Yes (VRRPv3)	Yes
Virtual MAC per group	1	1	Up to 4 (one per forwarder)
Typical use case	Cisco-only environments	Multi-vendor environments	Load balancing on Cisco gear

11. HSRP over NBMA and Point-to-Point Links

NBMA (e.g., Frame Relay): Multicast may not be delivered correctly. Use static frame-relay map statements that include the broadcast keyword, or consider static HSRP configurations.
Point-to-Point links: HSRP is generally not needed since there is only one next-hop router. Deploy HSRP on the LAN-facing interface instead.

12. Show and Debug Commands

! Core verification commands
show standby              ! Detailed HSRP state for all groups
show standby brief        ! One-line summary per group
show standby GigabitEthernet0/1 detail

! Troubleshooting
debug standby events      ! State transitions and elections
debug standby packets     ! Raw HSRP hello and coup/resign messages

Key fields to check in show standby: local priority, preempt flag, active/standby router address, virtual IP, hello/hold timer values, and coup/resign counters.

13. Troubleshooting HSRP

Symptom	Possible Cause	Resolution
Split-brain (both routers Active)	Layer 2 connectivity lost between routers; authentication mismatch; HSRP version mismatch	Verify L2 path, confirm matching auth and version on both routers
No failover on Active failure	Hold timer too long; preemption not enabled; tracking not configured	Lower hold timer; add `preempt`; verify tracking decrements
High-priority router not taking Active role	Preemption disabled on the high-priority router	Add `standby [group] preempt`
Constant state flapping	Unstable link; hold timer too short relative to hello timer	Stabilise link; ensure hold timer ≥ 3× hello timer
Hosts losing connectivity after failover	ARP cache on hosts/switches pointing to old MAC	Clear ARP cache; verify gratuitous ARP is sent by new Active

14. Advanced Topics

BFD Integration: Bidirectional Forwarding Detection can trigger HSRP failover in milliseconds — far faster than the hello/hold mechanism alone.
Graceful Restart (NSF/SSO): On platforms that support Stateful Switchover, the standby supervisor can take over without dropping HSRP sessions, providing near-zero downtime.
HSRP with Object Tracking (enhanced): Track IP SLA probes rather than just interface state for more intelligent failover decisions.

! Full production example with tracking and BFD
interface GigabitEthernet0/1
 ip address 192.168.10.2 255.255.255.0
 standby version 2
 standby 10 ip 192.168.10.254
 standby 10 priority 110
 standby 10 preempt
 standby 10 timers msec 200 msec 700
 standby 10 authentication md5 key-string Str0ngKey!
 standby 10 track GigabitEthernet0/0 20

15. When to Use HSRP

Enterprise campus networks where Cisco gear is standard and hosts need a resilient default gateway
Data centre access layer connecting server VLANs to distribution routers
Multi-router branch sites with dual WAN or dual-uplink configurations
VLAN gateways on Layer 3 switches running SVIs

HSRP Quiz

1. What is the main purpose of HSRP?

A. Provide gateway redundancy to ensure continuous network access B. Increase bandwidth between routers C. Encrypt routing protocol messages D. Manage routing table updates

Correct answer is A. HSRP provides gateway redundancy by electing an Active and Standby router to maintain network availability.

2. Which of the following is TRUE about HSRP versions?

A. HSRP v1 supports IPv6 natively B. HSRP v2 uses the MAC format 00:00:0c:07:ac:XX C. HSRP v2 is limited to 255 groups D. HSRP v2 supports IPv6 and more group numbers (0–4095)

Correct answer is D. HSRP v2 supports IPv6 and a larger range of group numbers for modern network deployments.

3. What is the default priority value for HSRP routers?

A. 150 B. 100 C. 50 D. 200

Correct answer is B. The default priority in HSRP is 100, used in the election of Active routers.

4. Which HSRP state indicates the router is currently forwarding packets as the default gateway?

A. Standby B. Speak C. Active D. Learn

Correct answer is C. The Active state means the router is forwarding packets as the current default gateway.

5. What command enables a router interface to participate in HSRP group 10 with virtual IP 192.168.10.254?

A. standby 10 ip 192.168.10.254 B. hsrp group 10 ip 192.168.10.254 C. ip hsrp 10 address 192.168.10.254 D. hsrp enable 10 ip 192.168.10.254

Correct answer is A. The standby [group] ip [virtual-ip] command configures the virtual IP address for HSRP group participation.

6. What effect does the `standby [group] preempt` command have?

A. Prevents the router from taking the Active role B. Disables HSRP on the interface C. Forces the router to ignore hello packets D. Allows the router with higher priority to take the Active role if available

Correct answer is D. Preemption enables a router with higher priority to take over the Active role when it becomes available.

7. Which timers control HSRP failover detection?

A. Hello and Dead timers B. Hello and Hold timers C. Start and Stop timers D. Join and Leave timers

Correct answer is B. HSRP uses Hello (default 3 seconds) and Hold (default 10 seconds) timers to detect failures and trigger failover.

8. What is the purpose of HSRP interface tracking?

A. To disable HSRP on an interface B. To increase the priority permanently C. To decrease router priority if a tracked interface goes down D. To monitor CPU usage of the interface

Correct answer is C. Interface tracking reduces the router's priority if the tracked interface fails, enabling failover.

9. Which of the following is a Cisco proprietary alternative to HSRP that supports true load balancing?

A. GLBP (Gateway Load Balancing Protocol) B. VRRP (Virtual Router Redundancy Protocol) C. OSPF (Open Shortest Path First) D. EIGRP (Enhanced Interior Gateway Routing Protocol)

Correct answer is A. GLBP supports true load balancing by allowing multiple routers to forward traffic under a single virtual IP.

10. What show command gives detailed HSRP status on an interface?

A. show standby brief B. show standby C. show hsrp interface D. show standby statistics

Correct answer is B. show standby provides detailed HSRP state, timers, priorities, and virtual addresses for all groups.

← Back to Home