routingnetworkingnetwork-plusIntermediate25 min read

What Is Hot Standby Router Protocol in Networking?

Also known as: Hot Standby Router Protocol, HSRP, first hop redundancy protocol, CCNA routing, Network+ redundancy

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

HSRP is a way to make sure network traffic keeps flowing even if one router breaks. It groups two or more routers together so they act like a single virtual router. If the main router stops working, a backup router automatically takes over with no interruption. This keeps computers on the network connected to the internet or other networks without losing the connection.

Must Know for Exams

HSRP appears heavily in the Cisco CCNA exam and the CompTIA Network+ exam. In the CCNA exam, HSRP is part of the network access and IP connectivity domains. Candidates must know how to configure, verify, and troubleshoot HSRP.

The CCNA exam objectives specifically include configuring and verifying first-hop redundancy protocols, with HSRP as the primary example. Exam questions ask about the hello timer, hold timer, priority, preemption, and virtual MAC address format. You may be given a scenario where multiple routers are part of an HSRP group, and you must determine which router will become active based on priority and IP address.

You also need to know the difference between HSRP version 1 and version 2. Version 2 is important for IPv6 support and larger group numbers. The exam may show a configuration and ask you to identify a missing command or an incorrect parameter.

Troubleshooting questions present a network that is not converging correctly. You might see that neither router is becoming active because authentication is mismatched. Or you might see that the standby router never takes over because preemption is disabled and the active router has a lower priority but keeps winning.

In Network+, HSRP is less detailed but still tested. Network+ expects you to understand the concept of first-hop redundancy and know HSRP as the most common example. The exam may ask you to identify which protocol provides automatic failover for a default gateway.

You might also see questions comparing HSRP to VRRP and GLBP. Network+ focuses more on the high-level purpose and features rather than configuration syntax. Both exams emphasize the importance of redundancy and high availability.

You should be ready to explain why HSRP is needed and how it works in a multi-router topology. Scenarios often involve a branch office with two routers connected to an ISP. The exam might ask what happens to network traffic when the primary router fails.

The correct answer is that HSRP ensures the secondary router takes over without any change to the end device configuration.

Simple Meaning

Imagine you live in a large apartment building with a single front door that leads to the outside world. Every day, you leave through that door to go to work, school, or the store. One morning, you walk down to the door and find it is locked and the handle is broken.

You cannot get out. You are stuck. This is exactly what happens on a network when the default gateway router fails. Computers on the local network send all their traffic to that router.

If it stops working, those computers cannot reach the internet or other networks. HSRP fixes this problem by creating a safety net. Think of it as having a second front door that is hidden and locked but ready to open instantly if the main door breaks.

The building management sets up two doors, but only one is active at a time. Everyone in the building knows the address of the main door. That address never changes. But behind the scenes, the building has a second door that can swing open the moment the first one fails.

The residents do not need to learn a new address. They just keep using the same one. HSRP does the same on a network. It creates a virtual router with its own IP address and MAC address.

The computers on the network use that virtual IP address as their default gateway. Two or more physical routers belong to the same HSRP group. One router is the active router and handles all traffic.

The others are standby routers. The active router sends periodic hello messages to tell the standby routers it is still working. If the active router stops sending hello messages, the standby routers know it has failed.

After a short timer, one standby router becomes the new active router. The virtual IP address and MAC address move to the new router. The computers on the network do not notice anything changed because they are still sending traffic to the same virtual gateway address.

This is the core of HSRP. It provides transparent failover for first-hop routing.

Full Technical Definition

HSRP is a Cisco-proprietary first-hop redundancy protocol (FHRP) defined in RFC 2281. It allows two or more routers to work together as a single virtual router, providing high availability for the default gateway on a subnet. The protocol creates a virtual IP address and a virtual MAC address that are shared among the routers in the HSRP group.

The virtual MAC address follows the format 0000.0c07.acXX, where XX is the HSRP group number in hexadecimal. In an HSRP group, exactly one router is elected as the active router. The active router forwards packets sent to the virtual IP address and responds to Address Resolution Protocol (ARP) requests for that virtual IP.

The other routers in the group are standby routers. They monitor the active router by listening for hello messages. Hello messages are sent every 3 seconds by default. If the standby routers do not receive a hello message for 10 seconds, the hold timer expires, and an election process begins.

The election of the active router is based on priority. Priority is a configurable number from 0 to 255. The router with the highest priority becomes the active router. If priorities are equal, the router with the highest IP address on the interface wins the election.

By default, the priority is 100. You can configure HSRP to use preemption, which means that if a higher-priority router comes back online, it can take over the active role again. Without preemption, the current active router stays active until it fails.

HSRP operates on UDP port 1985. Routers exchange HSRP messages using multicast address 224.0.0.2. The protocol supports authentication to prevent spoofed HSRP messages. Authentication can be plain text or MD5.

HSRP version 2 improves upon version 1 by supporting IPv6 and increasing the group number range from 0 to 4095, up from 0 to 255 in version 1. Version 2 also uses a different multicast address 224.0.

0.102 and a different virtual MAC format 0000.0c9f.fXXX. In real IT environments, HSRP is configured on layer 3 switches and routers that connect to end-user VLANs. It is commonly used in enterprise campus networks, data center access layers, and service provider edge networks.

Configuration involves setting the standby group number, virtual IP address, priority, preemption, and authentication on the router interfaces. HSRP can also be configured with interface tracking, where the router monitors the status of an upstream interface. If that interface goes down, the router lowers its HSRP priority, forcing the standby router to take over.

Real-Life Example

Think about an office building with two security guards at the front desk. Every employee knows they must check in at the front desk to get a visitor badge. One guard named Alex is always there.

He welcomes people, checks IDs, and hands out badges. Employees trust Alex completely. But what if Alex gets sick one day or needs to take a lunch break? The office would be in chaos.

Visitors would be lost, and employees might not get their badges. The building manager knows this, so they hire a second guard named Bailey. Bailey also sits at the front desk, but she does not check anyone in unless Alex is unavailable.

The employees do not know Bailey is there. They still look for Alex. If Alex leaves his station, Bailey immediately steps forward, smiles, and says, I can help you. She uses the same badge system, the same computer, the same logbook.

Employees do not need to learn a new process. The only thing that changes is which guard is handing them the badge. HSRP works exactly like this. The active router is Alex. It handles all the traffic from computers on the network.

The standby router is Bailey. It is ready to take over instantly. The computers on the network only know the virtual IP address, which is like the front desk phone number. They do not know which physical router is actually handling their traffic.

When the active router fails, the standby router becomes active. It starts using the same virtual IP and virtual MAC address. This is Bailey using the same computer and logbook. The computers do not see any change.

They keep sending packets to the same gateway address. The failover is seamless and automatic. This analogy also helps explain the election process. If Alex is the more experienced guard, he has a higher priority.

The building manager chooses him to be the primary checker. If Alex steps out and Bailey takes over, but then Alex returns, the manager might let Alex take back the role if preemption is enabled. If preemption is disabled, Bailey stays at the front desk until she cannot work.

This maps directly to HSRP priorities and preemption configuration.

Why This Term Matters

HSRP matters in real IT work because network downtime is expensive and disruptive. In any organization, the default gateway is a single point of failure for an entire subnet. If the router that serves as the default gateway fails, every device on that subnet loses connectivity to other networks and the internet.

This can bring business operations to a halt. Employees cannot access cloud applications, email, or internal servers. In a data center, storage traffic and virtual machine migrations stop.

In a hospital, patient records become inaccessible. HSRP eliminates that single point of failure without requiring changes to end devices. Network administrators can perform maintenance on one router without scheduling a downtime window.

They can make the router standby, update its software or configuration, and then bring it back as active. This is called a hitless upgrade. HSRP also helps with load balancing when combined with multiple HSRP groups.

You can configure two different groups on the same pair of routers. One group makes the first router active for half the VLANs, and the other group makes the second router active for the other half. This splits traffic across both routers while still providing redundancy.

In cybersecurity, HSRP helps with network resilience against denial of service attacks or hardware failures. An attacker who takes down one router does not bring down the entire network because the backup router takes over. HSRP is also a foundational skill for network administrators.

Most enterprise networks use some form of first-hop redundancy. Understanding HSRP makes it easier to learn other redundancy protocols like Virtual Router Redundancy Protocol (VRRP) or Gateway Load Balancing Protocol (GLBP). In cloud environments, the concept of virtual IP addresses and redundancy is used extensively.

HSRP teaches the principles behind those cloud features.

How It Appears in Exam Questions

In certification exams, HSRP questions appear in several formats. The most common type is the scenario question. The examiner describes a network with two routers, Router A and Router B, connected to the same LAN segment.

Both routers are configured in HSRP group 10 with virtual IP 192.168.1.1. Router A has priority 150, and Router B has priority 100 with preemption disabled. Router A fails. The question asks which router becomes active and why.

The answer is Router B, because it is the only router left, and preemption is disabled so Router A cannot reclaim the role if it comes back later. Another variation asks what happens when Router A comes back online after the failure. Without preemption, Router B stays active.

With preemption, Router A takes over again. Another question pattern involves troubleshooting. The configuration shows that both routers have the same priority but Router A has a higher IP address.

Router A should be active, but Router B is active instead. The candidate must identify the missing configuration, such as a mismatch in the virtual IP address, authentication key, or HSRP version. A question might show the output of show standby command and ask which router is active, standby, or in a speaking state.

The output shows fields like State, Active router, Standby router, Virtual IP, and Priority. You must interpret that information correctly. Some questions test the virtual MAC address.

They give you the HSRP group number and ask you to determine the virtual MAC address. For version 1, the format is 0000.0c07.acXX where XX is the group number in hexadecimal. For version 2, it is 0000.

0c9f.fXXX. A question may ask which multicast address HSRP uses. For version 1, it is 224.0.0.2. For version 2, it is 224.0.0.102. Another common trap is the timer values. The default hello interval is 3 seconds, and the hold timer is 10 seconds.

The exam might ask how often the active router sends hello messages or how long the standby router waits before declaring the active router dead. Configuration questions ask you to complete a setup. You might be shown a partial configuration and need to choose the command that sets the priority to 200, enables preemption, or sets the virtual IP address.

For example, standby 10 priority 200 or standby 10 preempt. Less common but still possible are questions about interface tracking. A question might describe a router that tracks its upstream interface.

When that interface fails, the router lowers its HSRP priority so a standby router takes over. The candidate must explain why this is beneficial.

Practise Hot Standby Router Protocol Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A small company called TechFlow uses a single router as its default gateway to the internet. That router connects to a switch, which connects to all employee computers. One day, the router overheats and shuts down.

All employees immediately lose internet access. They cannot send emails, access cloud files, or use the company chat system. The IT administrator rushes to the server room, reboots the router, and after five minutes, everything is back online.

Those five minutes cost the company an estimated two thousand dollars in lost productivity. The administrator decides to implement HSRP. They install a second router and connect it to the same switch.

Both routers are configured in HSRP group 1 with virtual IP address 192.168.1.1. Router A is given a priority of 120, making it the active router. Router B has a default priority of 100, making it the standby router.

All employee computers use 192.168.1.1 as their default gateway. Two weeks later, Router A loses power due to a faulty power supply. Router B detects that the hello messages have stopped.

After the hold timer of 10 seconds expires, Router B becomes the active router. It starts forwarding traffic for 192.168.1.1. The employees do not notice any interruption. Their email and cloud files are still accessible.

The administrator receives an alert, goes to the server room, and replaces the power supply on Router A. Router A comes back online but remains in standby mode because preemption is disabled. The administrator decides to set preemption on both routers so that Router A automatically becomes active again since it has the higher priority.

This scenario shows exactly how HSRP provides transparent failover and eliminates downtime caused by a single router failure.

Common Mistakes

Thinking that HSRP provides load balancing by default.

HSRP does not load balance traffic across multiple routers. It uses one active router and one or more standby routers. The standby routers do not forward traffic unless the active router fails. Traffic load balancing requires multiple HSRP groups or a different protocol like GLBP.

Remember that HSRP is for redundancy only, not performance. If you need load balancing, use multiple HSRP groups with different virtual IPs on different routers, or use GLBP or VRRP with load balancing features.

Believing that the virtual IP address must be the same as the physical IP address of one of the routers.

The virtual IP address is separate from the physical IP addresses assigned to the router interfaces. The real physical IPs can be any addresses in the same subnet. The virtual IP is the gateway address that end devices use. The physical IPs are used for management and for HSRP communication.

Always configure a dedicated virtual IP address that is different from the physical interface IPs. The virtual IP is what you assign to the HSRP group using the standby command.

Assuming that the router with the highest IP address always becomes active.

Priority is the primary factor in the election. The router with the highest priority becomes active. The IP address is only a tiebreaker if priorities are equal. A router with a lower IP address but higher priority will always win the election.

Configure a higher priority on the router you want to be active. Use the standby priority command. Only rely on IP address tiebreaker when priorities are the same.

Forgetting to configure preemption and then wondering why a higher-priority router does not become active after it recovers from a failure.

By default, preemption is disabled. This means that once a router becomes active, it stays active even if a router with a higher priority comes back online. The higher-priority router remains in standby mode.

Enable preemption using the standby preempt command on both routers. This ensures that the router with the highest priority always becomes the active router, even after a failure and recovery.

Confusing the hello timer and hold timer values or assuming they can be set to zero.

The hello timer defaults to 3 seconds and the hold timer defaults to 10 seconds. These values cannot be zero. The hold timer must be at least three times the hello timer to prevent unnecessary failovers. Setting them too low can cause flapping.

Keep the default timer values unless you have a specific reason to change them. If you change the hello timer, always adjust the hold timer to at least three times the hello interval.

Exam Trap — Don't Get Fooled

A question shows two routers with the same HSRP priority but different IP addresses. The candidate is asked which router becomes active. Many learners choose the router with the lower IP address because they remember IP address is a tiebreaker but forget the direction.

Memorize the rule: higher priority wins. If priorities are equal, higher IP address wins. Create a mental note that in HSRP, it is the highest in both cases. Write a simple memory rule: In HSRP, the highest everything wins.

Commonly Confused With

Hot Standby Router ProtocolvsVirtual Router Redundancy Protocol (VRRP)

VRRP is an open standard protocol defined in RFC 5798, while HSRP is Cisco proprietary. VRRP uses a virtual IP that can be the same as one of the physical router IPs, which HSRP does not allow. VRRP also has only one standby router that can take over, while HSRP supports multiple standby routers. VRRP uses a different election process and multicast address 224.0.0.18.

If you are using only Cisco equipment, you might choose HSRP. If your network has routers from different vendors, you must use VRRP because it is an open standard. For example, a network with a Juniper router and a Cisco router cannot run HSRP together but can run VRRP.

Hot Standby Router ProtocolvsGateway Load Balancing Protocol (GLBP)

GLBP is also Cisco proprietary but provides load balancing across multiple routers in a group. In HSRP, only one router forwards traffic at a time. In GLBP, multiple routers can forward traffic simultaneously because GLBP uses multiple virtual MAC addresses for the same virtual IP. This allows traffic to be distributed across routers.

In a company with heavy internet traffic, HSRP might leave a second router idle 50 percent of the time. GLBP would use both routers actively, splitting the traffic so no router sits unused. That means better performance and better return on hardware investment.

Hot Standby Router ProtocolvsFirst Hop Redundancy Protocol (FHRP)

FHRP is a general category of protocols that includes HSRP, VRRP, and GLBP. HSRP is one specific implementation of an FHRP. Learners often use FHRP and HSRP interchangeably, but FHRP is the umbrella term. HSRP is a type of FHRP, just as a sedan is a type of car.

If an exam question asks Which protocol provides first-hop redundancy on a Cisco router? the answer could be HSRP. If the question asks Which category of protocols includes HSRP and VRRP? the answer is FHRP.

Step-by-Step Breakdown

1

Configuration of the HSRP group

The network administrator configures two or more routers on the same VLAN subnet. Each router interface that participates in HSRP is assigned an IP address in that subnet. Then the administrator creates an HSRP group by assigning a group number and a virtual IP address. This virtual IP will become the default gateway for all devices on that subnet.

2

Priority assignment and election setup

The administrator sets a priority value on each router. The default priority is 100. The router with the highest priority will become the active router. Preemption can be enabled so that if a higher priority router comes back online, it takes the active role. Without preemption, the current active router stays active until it fails.

3

Hello message exchange begins

Once configured, the routers begin sending HSRP hello messages every 3 seconds by default. These messages are sent to the multicast address 224.0.0.2 (version 1) or 224.0.0.102 (version 2). The hello messages contain the router's priority, the HSRP state, and the timer values. This exchange allows the routers to discover each other and elect an active router.

4

Active router election

The routers compare their priority values. The router with the highest priority becomes the active router. If priorities are equal, the router with the highest IP address on the interface wins. The active router now owns the virtual IP address and virtual MAC address. It responds to ARP requests for the virtual IP and forwards all traffic destined to that address.

5

Standby router monitoring

The standby routers listen for hello messages from the active router. As long as they receive hello messages within the hold timer interval (default 10 seconds), they remain in standby state. They do not forward traffic but are ready to take over. If the active router fails and stops sending hellos, the hold timer expires.

6

Failover and new election

When the hold timer expires, the standby routers initiate an election. The router with the best priority among the standby routers becomes the new active router. It takes ownership of the virtual IP and virtual MAC address. From the perspective of end devices, nothing changes because the gateway address is the same. The new active router then starts sending its own hello messages.

7

Recovery and preemption (optional)

If the original active router recovers and preemption is enabled, it will send hello messages with its higher priority. The current active router sees the higher priority and steps down, becoming a standby router. The recovered router takes over as active. If preemption is disabled, the recovered router remains a standby router until the current active router fails.

Practical Mini-Lesson

To understand HSRP in practice, you must start with the network topology. Imagine a campus network with a core layer and an access layer. Each floor has a switch that connects end user computers.

Those switches connect to two distribution layer switches that act as routers. These two distribution switches serve as the default gateways for all VLANs on that floor. Without HSRP, each VLAN would have to use one of the switches as its gateway.

If that switch fails, the entire VLAN loses connectivity. With HSRP, you create one virtual gateway per VLAN and assign both switches to the HSRP group for that VLAN. The configuration process involves entering interface configuration mode on each switch interface that connects to the VLAN.

For example, on Switch A, you enter the VLAN 10 interface and type standby 10 ip 192.168.10.1 to create HSRP group 10 with virtual IP 192.168.10.1. Then you set a higher priority on the switch you want to be active using standby 10 priority 200.

You also enable preemption with standby 10 preempt. On Switch B, you configure the same HSRP group with the same virtual IP but leave the priority at the default of 100 or set it lower. You also enable preemption.

Now both switches are part of the group. Switch A becomes the active router for VLAN 10. It forwards all traffic and responds to ARP requests. Switch B is standby. The real world gets more interesting when you have multiple VLANs.

You typically create multiple HSRP groups, one per VLAN. On Switch A, you make it active for VLANs 10, 12, 14, and standby for VLANs 11, 13, 15. Switch B does the opposite. This way, both switches actively forward traffic, and each one is the backup for the other.

This is called load sharing. It doubles your throughput because both routers are used simultaneously. A common issue in practice is misconfiguration of the virtual IP address. If you accidentally use a physical interface IP as the virtual IP, the router will reject it.

Another common pitfall is forgetting to configure the HSRP authentication. Without authentication, a rogue router could join the group and disrupt traffic. Always configure at least plain-text authentication on both routers.

Monitoring HSRP is done with the show standby command. This command shows the group state, active and standby routers, virtual IP, priority, and timer values. You can also use debug standby to troubleshoot election issues.

In production, you want to set the hello and hold timers carefully. If you set them too low, a brief spike in CPU utilization might cause the active router to miss sending a hello, triggering an unnecessary failover. This is called flapping.

Keep the default timers unless you have a specific performance requirement. HSRP also interacts with Spanning Tree Protocol (STP). You must ensure that the HSRP active router is also the STP root bridge for that VLAN.

If they are different, traffic might take suboptimal paths. In Cisco networks, this is often coordinated automatically using a feature called Root Guard or by designing the STP root to match the HSRP active. Finally, remember that HSRP is not a routing protocol.

It does not exchange routing tables. It only provides redundancy for the default gateway. The routers still need a routing protocol like OSPF or EIGRP to exchange routes to other networks.

HSRP works in conjunction with those protocols to provide end-to-end connectivity.

Memory Tip

HSRP uses the highest everything: highest priority wins, highest IP address breaks ties. Think H for Highest.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What is the difference between HSRP and VRRP?

HSRP is Cisco proprietary while VRRP is an open standard. HSRP uses a virtual IP that must be different from any physical interface IP, whereas VRRP can use a physical IP as the virtual IP. VRRP also has a different election process and uses multicast address 224.0.0.18.

How many routers can be in an HSRP group?

There is no hard limit, but in practice, HSRP groups usually have two routers. The protocol supports multiple standby routers, but only one router is active at a time. More than two routers can be used for higher redundancy but add complexity.

Does HSRP work with IPv6?

Yes, HSRP version 2 supports IPv6. It uses a different virtual MAC format and multicast address. IPv6 HSRP is configured similarly to IPv4 but uses the standby ipv6 command instead of standby ip.

What happens if the active HSRP router crashes?

When the active router crashes, it stops sending hello messages. After the hold timer expires (default 10 seconds), the standby router with the highest priority assumes the active role. It takes over the virtual IP and MAC address, and traffic continues without interruption.

Can HSRP be used to load balance traffic?

By itself, HSRP does not load balance. It uses one active router and one or more standby routers that do not forward traffic. To load balance, you can configure multiple HSRP groups on the same routers, making each router active for different groups. This is called load sharing.

What is the default hello interval for HSRP?

The default hello interval is 3 seconds. The default hold timer is 10 seconds. The hold timer must be at least three times the hello interval. These values can be changed, but it is generally recommended to keep the defaults.

Do end devices need to be reconfigured when HSRP failover occurs?

No. End devices use the virtual IP address as their default gateway. They send traffic to that IP regardless of which physical router is active. The virtual MAC address also moves to the new active router, so ARP caches remain valid. No reconfiguration is needed.

Summary

HSRP is a fundamental first-hop redundancy protocol that every network professional should understand. It solves a critical problem: the default gateway router is a single point of failure for an entire subnet. HSRP allows two or more routers to work together as one virtual router.

Only one router is active at a time. If the active router fails, a standby router takes over automatically, using the same virtual IP and MAC address. End devices never notice the change.

For certification exams like CCNA and Network+, you need to know the election process based on priority and IP address, the default timer values, the difference between version 1 and version 2, and the need for preemption. You should also be able to interpret the output of the show standby command. Avoid common mistakes such as thinking HSRP provides load balancing, forgetting to enable preemption, or confusing the tiebreaker direction.

HSRP is a practical tool used in nearly every enterprise network to ensure high availability. Mastering it gives you a strong foundation for understanding redundancy, high availability, and network resilience concepts. Use the memory hook that HSRP uses the highest everything: highest priority wins, highest IP breaks ties.