First-hop redundancy protocols (FHRPs) like HSRP and VRRP are essential for ensuring high availability of the default gateway in a network. This guide walks through configuring HSRP on a pair of Cisco IOS routers, then covers VRRP as an alternative. You'll learn how to set virtual IPs, priorities, preemption, and authentication, and verify the configuration with show commands. These skills are tested in both the CCNA (200-301) and ENCOR (350-401) exams, where you must demonstrate understanding of FHRP operation and configuration.
Configure Interface IPs and Enable HSRP
On each router, assign an IP address to the interface that will participate in HSRP. Then configure HSRP using the 'standby' command. The virtual IP address must be the same on both routers. Use a group number (e.g., 10) to identify the HSRP group. The active router is elected based on priority (default 100).
RouterA(config)# interface GigabitEthernet0/0
RouterA(config-if)# ip address 192.168.1.2 255.255.255.0
RouterA(config-if)# standby 10 ip 192.168.1.1
RouterA(config-if)# standby 10 priority 110
RouterA(config-if)# standby 10 preempt
RouterA(config-if)# no shutdown
Always set a higher priority on the router you want to be the active gateway. Preempt ensures it resumes active role after a failure.
Ensure both routers are in the same VLAN and can reach each other via the interface IPs before enabling HSRP.
Configure the Standby Router (RouterB)
On the second router, configure the same HSRP group with a lower priority. This router will become the standby and take over if the active fails. Use the same virtual IP and group number. Preempt is optional on the standby but recommended for consistency.
RouterB(config)# interface GigabitEthernet0/0
RouterB(config-if)# ip address 192.168.1.3 255.255.255.0
RouterB(config-if)# standby 10 ip 192.168.1.1
RouterB(config-if)# standby 10 priority 90
RouterB(config-if)# standby 10 preempt
RouterB(config-if)# no shutdown
Use 'standby 10 authentication md5 key-string YOURKEY' to prevent unauthorized HSRP updates. This is required in some exam scenarios.
Verify HSRP Operation
Use 'show standby' to verify the HSRP state, virtual IP, active/standby roles, and timers. The output should show one router as Active and the other as Standby. Also check that the virtual IP is reachable from end devices.
RouterA# show standby
GigabitEthernet0/0 - Group 10
State is Active
2 state changes, last state change 00:02:15
Virtual IP address is 192.168.1.1
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.280 secs
Preemption enabled
Active router is local
Standby router is 192.168.1.3, priority 90 (expires in 8.256 sec)
Priority 110 (configured 110)
Group name is "hsrp-Gi0/0-10" (default)
Use 'show standby brief' for a quick overview of all HSRP groups and their states.
Configure VRRP as an Alternative
VRRP is an open standard FHRP (RFC 5798) that works similarly to HSRP. On Cisco IOS, use the 'vrrp' command. The virtual IP is configured with 'vrrp group ip'. Priority and preemption are configured similarly. Note that VRRP uses the actual interface MAC as the virtual MAC unless configured otherwise.
RouterA(config)# interface GigabitEthernet0/0
RouterA(config-if)# vrrp 10 ip 192.168.1.1
RouterA(config-if)# vrrp 10 priority 110
RouterA(config-if)# vrrp 10 preempt
RouterA(config-if)# end
VRRP allows the virtual router to use the physical MAC of the active router, which can simplify troubleshooting. HSRP always uses a virtual MAC.
Do not enable both HSRP and VRRP on the same interface for the same virtual IP — they will conflict.
Test Failover and Preemption
Simulate a failure by shutting down the active router's interface or reloading it. Verify that the standby takes over as active within the hold time (default 10 seconds). Then restore the original active and confirm preemption returns it to the active role. Use extended ping from a client to verify no packet loss during failover.
RouterA(config)# interface GigabitEthernet0/0
RouterA(config-if)# shutdown
RouterB# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/0       10   90  P Active  local           192.168.1.2     192.168.1.1
RouterA(config-if)# no shutdown
RouterA# show standby brief
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/0       10   110 P Active  local           192.168.1.3     192.168.1.1
Adjust HSRP timers with 'standby <group> timers msec <hello> msec <hold>' for faster convergence in critical networks. Use msec values carefully to avoid flapping.
Configure HSRP with Authentication
To secure HSRP updates, configure MD5 authentication. This prevents rogue routers from joining the group. The key string must match on all routers in the group. Use 'standby group authentication md5 key-string <key>'.
RouterA(config)# interface GigabitEthernet0/0
RouterA(config-if)# standby 10 authentication md5 key-string MySecretKey
RouterB(config)# interface GigabitEthernet0/0
RouterB(config-if)# standby 10 authentication md5 key-string MySecretKey
Use 'show standby' to verify authentication is configured; it will show 'Authentication MD5' in the output.
If authentication keys mismatch, HSRP will not form — check with 'debug standby' if needed.
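An offline audit for the authentication step above, added here as an example and not taken from the original guide or from Cisco: it reads saved running-config text from each peer and reports HSRP groups without MD5 authentication or with keys that differ between peers. The function names and sample configs are hypothetical, and it assumes key strings are stored in cleartext so they can be compared.

```python
import re

# Constructed sample configs (not from a real device). RouterB lacks authentication.
ROUTER_A = """interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby 10 ip 192.168.1.1
 standby 10 authentication md5 key-string MySecretKey
"""
ROUTER_B = """interface GigabitEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 standby 10 ip 192.168.1.1
"""

def hsrp_groups(config):
    """Map (interface, group) -> {'vip', 'auth', 'key'} from IOS config text."""
    groups, iface = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"\s+standby (\d+) (ip|authentication) (.+)", line)
        if not (m and iface):
            continue
        key = (iface, int(m.group(1)))
        g = groups.setdefault(key, {"vip": None, "auth": None, "key": None})
        words = m.group(3).split()
        if m.group(2) == "ip":
            g["vip"] = words[0]
        else:
            # 'authentication md5 key-string K' vs. plaintext 'authentication [text] K'
            g["auth"] = "md5" if words[0] == "md5" else "text"
            g["key"] = words[-1]
    return groups

def audit(configs):
    """configs: {hostname: config text}. Returns a sorted list of findings."""
    findings, keys = [], {}
    for host, text in configs.items():
        for (iface, grp), g in hsrp_groups(text).items():
            if g["auth"] != "md5":
                findings.append(f"{host} {iface} group {grp}: no MD5 authentication")
            keys.setdefault((g["vip"], grp), set()).add(g["key"])
    for (vip, grp), seen in keys.items():
        if len(seen) > 1:
            findings.append(f"group {grp} vip {vip}: authentication key differs between peers")
    return sorted(findings)
```

Calling audit({"RouterA": ROUTER_A, "RouterB": ROUTER_B}) reports RouterB's unauthenticated group and the resulting key difference; two configs that both carry the same MD5 key return an empty list.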
Key tips
Always use preempt on both routers to ensure the highest-priority router becomes active after a failure recovery.
Set HSRP hello and hold timers to match on all routers in the group — mismatched timers can cause flapping.
Use 'standby track' to decrement priority if an uplink fails, forcing failover to the other router.
For VRRP, remember that the virtual router IP can be the same as the physical interface IP of the master router.
In exam scenarios, remember that HSRP uses UDP port 1985 and multicast address 224.0.0.2; VRRP uses IP protocol 112 and multicast 224.0.0.18.
Test failover by disconnecting the active router's uplink rather than shutting the interface to simulate real-world conditions.
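A monitoring-side companion to the UDP 1985 / 224.0.0.2 tip and the rogue-router concern in the authentication section, added here as an example that is not part of the original guide: it decodes the fixed 20-byte HSRP version 1 message (layout per RFC 2281) from a captured UDP payload and alerts on speakers outside an allowlist or on the default plaintext authentication string. The allowlist, function names and sample payloads are constructed for illustration; capturing the packets is out of scope.

```python
import struct

EXPECTED = {"192.168.1.2", "192.168.1.3"}  # RouterA and RouterB interface IPs
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}

# Constructed payloads: version, opcode, state, hello 3, hold 10, priority,
# group 10, reserved, 8-byte auth field ("cisco"), virtual IP 192.168.1.1.
SAMPLE_ROUTER_A = bytes.fromhex("000010030a6e0a00" "636973636f000000" "c0a80101")
SAMPLE_UNKNOWN = bytes.fromhex("000010030aff0a00" "636973636f000000" "c0a80101")

def parse_hsrp_v1(payload):
    """Decode the 20-byte HSRP version 1 header from a UDP/1985 payload."""
    if len(payload) < 20:
        raise ValueError("truncated HSRP message")
    ver, op, state, hello, hold, prio, group, _rsvd, auth, vip = struct.unpack(
        "!8B8s4s", payload[:20])
    if ver != 0:  # RFC 2281 messages carry 0 in the version field
        raise ValueError("unexpected version field")
    return {"opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
            "hello": hello, "hold": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
            "vip": ".".join(str(b) for b in vip)}

def check(src_ip, payload, group=10, vip="192.168.1.1"):
    """Return alert strings for one observed message; empty list if nothing stands out."""
    try:
        msg = parse_hsrp_v1(payload)
    except ValueError as exc:
        return [f"{src_ip}: malformed ({exc})"]
    if msg["group"] != group or msg["vip"] != vip:
        return []  # a different HSRP group; not the one being monitored
    alerts = []
    if src_ip not in EXPECTED:
        alerts.append(f"{src_ip}: unexpected HSRP speaker, {msg['opcode']} "
                      f"state={msg['state']} priority={msg['priority']}")
    if msg["auth"] == "cisco":
        alerts.append(f"{src_ip}: default plaintext authentication string in use")
    return alerts
```

check("192.168.1.2", SAMPLE_ROUTER_A) raises only the default-string alert, while the same message from an address outside EXPECTED raises both.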
Frequently asked questions
What is the difference between HSRP and VRRP?
HSRP is Cisco proprietary and uses a virtual MAC (0000.0c07.acXX). VRRP is an open standard (RFC 5798) and can use the physical MAC of the active router. Both provide first-hop redundancy, but HSRP requires an active and standby router, while VRRP has a master and backup. HSRP uses UDP 1985, VRRP uses IP protocol 112.
Can I use HSRP and VRRP together on the same interface?
No, you should not configure both HSRP and VRRP on the same interface for the same virtual IP. They will conflict and cause instability. Choose one protocol per interface. You can use different protocols on different interfaces if needed.
How does HSRP elect the active router?
HSRP elects the active router based on priority (higher is better, default 100). If priorities are equal, the router with the highest IP address becomes active. Preemption must be enabled for the router to take over when it has a higher priority after a failure.
What is the default hello and hold time for HSRP?
The default hello time is 3 seconds, and the hold time is 10 seconds. This means the standby router declares the active dead after 10 seconds without a hello. You can adjust these with the 'standby timers' command for faster convergence.
Do I need a license to use HSRP on Cisco routers?
HSRP is included in most Cisco IOS software images without additional licensing. However, some advanced features like HSRP for IPv6 or HSRP with BFD may require a specific license level. Check your IOS feature set for details.