CCNA 200-301 | Chapter 69 of 260 | Objective 3.8

HSRP — Hot Standby Router Protocol

Imagine your network's default gateway goes down. Every device in that subnet loses all connectivity to other networks — a total outage. Hot Standby Router Protocol (HSRP) is Cisco's proprietary First Hop Redundancy Protocol (FHRP) that solves this by allowing two or more routers to share a virtual IP and MAC address, providing seamless failover if the active router fails. For the CCNA 200-301 exam (objective 3.8), you must understand HSRP's states, timers, election process, and how it differs from VRRP and GLBP. This chapter gives you everything you need to master HSRP for the exam and real-world network design.

Updated May 31, 2026

The Co-Pilot with Shared Controls

Think of a commercial airplane with two pilots: a Captain (Active) and a First Officer (Standby). Both pilots can fly the plane, but only one set of controls is active at a time. The plane has a single call sign (virtual IP) that air traffic control uses to communicate with the aircraft. If the Captain becomes incapacitated, the First Officer immediately takes over the controls without any change in the call sign — the plane continues its flight path seamlessly. In HSRP, the Active router is the Captain, the Standby router is the First Officer, and the virtual IP address is the call sign. The pilots communicate via intercom (Hello messages) every second to confirm each other is alive. If the Captain fails to respond for three seconds (Hold timer), the First Officer assumes control and becomes the new Captain. The transition is transparent to air traffic control (end devices) because the call sign (virtual IP/MAC) never changes. However, unlike a real airplane where both pilots can grab the yoke simultaneously (split-brain), HSRP uses a priority and preemption mechanism to ensure only one router is Active at any time. This analogy captures the essence of HSRP: redundant control with a single, consistent identity.

How It Actually Works

What is HSRP and Why Does It Exist?

HSRP (Hot Standby Router Protocol) is a Cisco-proprietary FHRP defined in RFC 2281. It provides first-hop redundancy by allowing multiple routers to share a virtual IP (VIP) and virtual MAC address. End hosts configure the VIP as their default gateway. If the Active router fails, the Standby router takes over, and hosts continue sending traffic to the same IP/MAC — no ARP changes needed. This eliminates the single point of failure inherent in using a single router as a default gateway.

How HSRP Works at the Packet/Frame Level

HSRP runs on a per-subnet basis. Each HSRP group has an Active router and a Standby router; other routers are in Listening or Speaking states. The group uses a virtual MAC address: 0000.0c07.acXX where XX is the HSRP group number in hexadecimal. For example, group 10 uses virtual MAC 0000.0c07.ac0a.

Routers exchange HSRP Hello messages (UDP, port 1985, destination 224.0.0.2, source IP is the real interface IP, TTL=1) every 3 seconds by default. The Hold timer is 10 seconds (3x Hello + 1 second skew). If the Standby misses three consecutive Hellos, it transitions to Active.

Active Router: Sends Hellos, forwards traffic for the virtual IP, responds to ARP requests for the VIP.

Standby Router: Monitors Hellos from Active, ready to take over.

Other Routers (Listening): Listen for Hellos, do not participate unless they have higher priority.

When the Active fails, the Standby transitions through states: Listen -> Speak -> Standby -> Active. The new Active sends a gratuitous ARP to update the switch MAC table, but hosts already have the VIP/MAC in their ARP cache, so no change is needed.

Key States, Timers, and Defaults

HSRP has six states:

1. Initial – Router just configured, not yet running HSRP.

2. Learn – Router does not know the VIP; waits for Hello from Active.

3. Listen – Router knows the VIP; monitors Hellos.

4. Speak – Router sends Hellos and participates in election.

5. Standby – Router is the backup; monitors Active.

6. Active – Router forwards traffic for the VIP.

Default timers:

Hello: 3 seconds

Hold: 10 seconds

Priority: 100 (range 1-255, higher is better)

Preemption: Disabled by default (if enabled, a higher-priority router can take over from a lower-priority Active)

IOS CLI Verification Commands

show standby – Displays HSRP status for all interfaces.

Router# show standby
GigabitEthernet0/0 - Group 10
  State is Active
    2 state changes, last state change 00:01:23
  Virtual IP address is 192.168.1.1
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.232 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.1.3, priority 90 (expires in 8.192 sec)
  Priority 110 (configured 110)
  Group name "hsrp-Gi0/0-10" (default)

show standby brief – Summary of all HSRP groups.

Router# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/0       10   110 P Active  local           192.168.1.3     192.168.1.1
Gi0/1       20   100   Standby 192.168.1.6     local           192.168.2.1

show standby delay – Shows interface delay timers for HSRP.

Interaction with Related Protocols

Spanning Tree Protocol (STP): HSRP does not interact directly with STP, but both operate on Layer 2. Ensure STP root bridge aligns with HSRP Active for optimal traffic flow (otherwise, traffic may hairpin).

First Hop Redundancy Protocol (FHRP) family: HSRP is Cisco-proprietary; VRRP is an open standard (RFC 5798); GLBP is Cisco-proprietary with load balancing. The exam tests differences.

DHCP: HSRP does not affect DHCP; the VIP is static. However, DHCP servers can use the VIP as the default gateway option.

ARP: Active router responds to ARP requests for the VIP with the virtual MAC. This is key to transparency.

HSRP Versions

HSRPv1: Group numbers 0-255, virtual MAC 0000.0c07.acXX, uses multicast 224.0.0.2.

HSRPv2: Group numbers 0-4095, virtual MAC 0000.0c9f.fXXX (X=group in hex), uses multicast 224.0.0.102, supports MD5 authentication, and includes IPv6 support. The exam may test version differences.

Configuration Fundamentals

Basic HSRP configuration on an interface:

interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby 10 ip 192.168.1.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string cisco123

standby <group> ip <VIP> – Enables HSRP and sets virtual IP.

standby <group> priority <0-255> – Sets priority (default 100).

standby <group> preempt – Allows router to become Active if it has higher priority.

standby <group> authentication – Optional, prevents unauthorized routers.
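The authentication setting protects the Hello exchange described earlier (UDP port 1985, real interface IP as source). The following is an added example, not part of the original chapter: it decodes an HSRPv1 message using the field layout from RFC 2281 and compares it with a documented design. The `DESIGN` table, the function names and the sample bytes are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# RFC 2281 layout: version, opcode, state, hellotime, holdtime, priority,
# group, reserved (1 byte each), 8 bytes authentication data, 4-byte virtual IP.
HSRP_V1 = struct.Struct("!8B8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode the HSRPv1 message carried in a UDP port 1985 datagram."""
    if len(payload) < HSRP_V1.size:
        raise ValueError("truncated HSRP message")
    ver, op, state, hello, hold, prio, group, _, auth, vip = HSRP_V1.unpack_from(payload)
    if ver != 0:
        raise ValueError(f"not an HSRPv1 message (version field {ver})")
    return {
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hello": hello, "hold": hold, "priority": prio, "group": group,
        "auth": auth.rstrip(b"\x00"),
        "vip": str(IPv4Address(vip)),
        "vmac": f"0000.0c07.ac{group:02x}",  # v1 virtual MAC for this group
    }

def review_hello(src_ip: str, payload: bytes, design: dict) -> list:
    """Compare one observed message with the documented design for its group."""
    msg = parse_hsrp_v1(payload)
    group = design.get(msg["group"])
    if group is None:
        return [f"group {msg['group']} is not a documented HSRP group"]
    findings = []
    if src_ip not in group["routers"]:
        findings.append(f"{src_ip} is not a documented member of group {msg['group']}")
    if msg["vip"] != group["vip"]:
        findings.append(f"virtual IP {msg['vip']} differs from documented {group['vip']}")
    if msg["auth"] == b"cisco":
        findings.append("authentication data is the RFC 2281 default value")
    if msg["state"] == "Active" and src_ip != group["active"]:
        findings.append(f"{src_ip} reports Active; documented Active is {group['active']}")
    return findings

# Constructed sample data (not captured traffic), using the chapter's addressing.
DESIGN = {10: {"vip": "192.168.1.1", "active": "192.168.1.2",
               "routers": {"192.168.1.2", "192.168.1.3"}}}
VIP = IPv4Address("192.168.1.1").packed
FROM_ROUTER_A = HSRP_V1.pack(0, 0, 16, 3, 10, 110, 10, 0, b"cisco", VIP)
FROM_UNKNOWN = HSRP_V1.pack(0, 0, 16, 3, 10, 255, 10, 0, b"cisco", VIP)

if __name__ == "__main__":
    for src, pkt in (("192.168.1.2", FROM_ROUTER_A), ("192.168.1.77", FROM_UNKNOWN)):
        print(src, review_hello(src, pkt, DESIGN) or "matches design")
```

A legitimate failover also produces the last finding, so treat it as an event to correlate with `show standby` rather than as proof of an unauthorized router.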

Troubleshooting Common Issues

Both routers show Active (split-brain): Usually due to firewall blocking HSRP Hellos. Check ACLs or interface state.

Standby never becomes Active: Verify standby preempt on both sides; check priority values.

Hosts cannot ping VIP: Verify Active router has IP connectivity; check show standby to confirm Active state.

Virtual MAC not learned: Ensure switch ports are trunk or access with correct VLAN; HSRP Hellos use multicast.

Walk-Through

1. Configure HSRP on Active Router

On the router that should be Active (higher priority), enter interface configuration mode for the LAN interface. Set the IP address and then configure the HSRP group. Example:

```
RouterA(config)# interface GigabitEthernet0/0
RouterA(config-if)# ip address 192.168.1.2 255.255.255.0
RouterA(config-if)# standby 10 ip 192.168.1.1
RouterA(config-if)# standby 10 priority 110
RouterA(config-if)# standby 10 preempt
```

The `standby 10 ip` command creates HSRP group 10 with virtual IP 192.168.1.1. Priority 110 (higher than default 100) makes this router likely to be Active. Preempt ensures it reclaims the Active role if it recovers from a failure.

2. Configure HSRP on Standby Router

On the backup router, configure the same HSRP group but with a lower priority. Preempt is optional but recommended for consistency.

```
RouterB(config)# interface GigabitEthernet0/0
RouterB(config-if)# ip address 192.168.1.3 255.255.255.0
RouterB(config-if)# standby 10 ip 192.168.1.1
RouterB(config-if)# standby 10 priority 90
RouterB(config-if)# standby 10 preempt
```

Note: Both routers must use the same group number and virtual IP. The interface IPs must be in the same subnet as the VIP.

3. Verify HSRP State on Both Routers

Use `show standby` to confirm the state. On RouterA, you should see State is Active. On RouterB, State is Standby.

```
RouterA# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/0       10   110 P Active  local           192.168.1.3     192.168.1.1
```

```
RouterB# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/0       10   90  P Standby 192.168.1.2     local           192.168.1.1
```

If both show Active, check for connectivity issues or misconfiguration.

4. Test Active Router Failure

Simulate a failure by shutting down the Active router's interface or the entire router.

```
RouterA(config)# interface GigabitEthernet0/0
RouterA(config-if)# shutdown
```

On RouterB, after the hold timer (10 seconds), it should transition to Active. Verify with `show standby brief`. The Standby router becomes Active and starts forwarding traffic for the VIP.

5. Test Recovery with Preemption

Re-enable the interface on RouterA:

```
RouterA(config-if)# no shutdown
```

Because preempt is configured, RouterA (priority 110) will take over from RouterB (priority 90) after a short delay. Verify that RouterA returns to Active and RouterB goes back to Standby. If preempt were not configured, RouterA would remain Standby even with higher priority.

6. Configure Optional Features

Add authentication to prevent rogue routers:

```
RouterA(config-if)# standby 10 authentication md5 key-string secretkey
RouterB(config-if)# standby 10 authentication md5 key-string secretkey
```

Adjust timers for faster convergence (e.g., Hello 1 sec, Hold 3 sec):

```
RouterA(config-if)# standby 10 timers 1 3
RouterB(config-if)# standby 10 timers 1 3
```

Note: Timers must match on both routers. Use `show standby` to verify.

What This Looks Like on the Job

Enterprise Edge Redundancy

In a typical enterprise, two routers connect to the internet via separate ISPs. HSRP is configured on the LAN side so internal hosts use a single default gateway (virtual IP). The Active router handles all outbound traffic; the Standby is idle until failure. This design ensures internet connectivity remains if one router fails. However, the standby router is underutilized. To overcome this, engineers may use GLBP or configure policy-based routing to split traffic.

Campus Access Layer Redundancy

In a campus network, access switches often have dual uplinks to distribution switches. HSRP is configured on the distribution switches to provide a virtual gateway for each VLAN. The Active distribution switch forwards traffic; the Standby is ready. A common best practice is to align the HSRP Active with the STP root for that VLAN to avoid suboptimal traffic flows (e.g., traffic going from access switch to standby distribution switch, then to active distribution switch). This requires careful VLAN-to-HSRP group mapping.

Data Center Active/Standby Gateway

In a data center, two aggregation switches run HSRP for each server VLAN. Servers point to the virtual IP as their default gateway. If the active aggregation switch fails, the standby takes over within seconds. However, because HSRP does not load balance, the standby switch's bandwidth is wasted. Engineers may use multiple HSRP groups (one active on each switch) for different VLANs to utilize both switches. This is called 'HSRP load balancing' and requires splitting VLANs across groups.

Misconfiguration Consequences

A common misconfiguration is forgetting to enable preempt. If the Active fails and later recovers, it will not reclaim the Active role, leaving the lower-priority router as Active. This can lead to asymmetric routing and confusion. Another mistake is mismatched authentication keys, causing HSRP neighbors to fail to form. Also, timers must match; otherwise, routers may flap between states. In production, always use preempt and document the expected Active router.
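The misconfigurations listed above can be caught before deployment by comparing the two routers' interface stanzas. This is an added example, not part of the original chapter: a small parser for the `standby` lines used in this chapter plus a pairwise audit. The function names are hypothetical, Router A is the chapter's sample stanza, and Router B is constructed with deliberate drift.

```python
from ipaddress import ip_address, ip_interface

def parse_standby(config: str) -> dict:
    """Extract interface address and per-group HSRP settings (defaults: no preempt, timers 3/10)."""
    result = {"iface": None, "groups": {}}
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"] and len(w) == 4:
            result["iface"] = ip_interface(f"{w[2]}/{w[3]}")
        elif len(w) >= 3 and w[0] == "standby" and w[1].isdigit():
            grp = result["groups"].setdefault(int(w[1]), {
                "vip": None, "preempt": False, "timers": (3, 10), "auth": None})
            key, args = w[2], w[3:]
            if key == "ip" and args:
                grp["vip"] = ip_address(args[0])
            elif key == "preempt":
                grp["preempt"] = True
            elif key == "timers" and len(args) == 2:
                grp["timers"] = (int(args[0]), int(args[1]))
            elif key == "authentication":
                grp["auth"] = tuple(args)  # e.g. ("md5", "key-string", "<key>")
    return result

def audit_pair(a: dict, b: dict) -> list:
    """Report the mismatches the chapter warns about; key material is never echoed."""
    findings = []
    for gid in sorted(set(a["groups"]) & set(b["groups"])):
        ga, gb = a["groups"][gid], b["groups"][gid]
        if ga["vip"] != gb["vip"]:
            findings.append(f"group {gid}: virtual IP differs between routers")
        if ga["timers"] != gb["timers"]:
            findings.append(f"group {gid}: timers differ {ga['timers']} vs {gb['timers']}")
        if ga["auth"] != gb["auth"]:
            findings.append(f"group {gid}: authentication settings differ")
        for name, rtr, g in (("A", a, ga), ("B", b, gb)):
            if not g["preempt"]:
                findings.append(f"group {gid}: router {name} has no preempt")
            if not g["auth"] or g["auth"][0] != "md5":
                findings.append(f"group {gid}: router {name} lacks MD5 authentication")
            if g["vip"] and rtr["iface"] and g["vip"] not in rtr["iface"].network:
                findings.append(f"group {gid}: router {name} VIP outside interface subnet")
    return findings

# Router A is the chapter's sample stanza; Router B is constructed for this example.
ROUTER_A = """interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby 10 ip 192.168.1.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string cisco123
"""
ROUTER_B = """interface GigabitEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 standby 10 ip 192.168.1.1
 standby 10 priority 90
 standby 10 timers 1 3
 standby 10 authentication md5 key-string cisco321
"""
print("\n".join(audit_pair(parse_standby(ROUTER_A), parse_standby(ROUTER_B))))
```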

How CCNA 200-301 Actually Tests This

What CCNA 200-301 Tests on HSRP

The exam objective 3.8 covers configuring and verifying HSRP. You must know:

HSRP states and their sequence

Default timers (Hello 3 sec, Hold 10 sec)

Virtual MAC format (0000.0c07.acXX for v1)

Priority and preemption behavior

The difference between HSRP, VRRP, and GLBP (especially that HSRP is Cisco-proprietary, VRRP is open standard, GLBP supports load balancing)

How to interpret show standby output

Common Wrong Answers and Why

1. "HSRP uses multicast address 224.0.0.5" – Wrong; that's OSPF. HSRPv1 uses 224.0.0.2, HSRPv2 uses 224.0.0.102. Candidates confuse multicast addresses.

2. "The Standby router forwards traffic" – Wrong; only the Active forwards traffic for the virtual IP. The Standby monitors and takes over only after failure.

3. "Preemption is enabled by default" – Wrong; it is disabled. Candidates assume preemption is automatic because it's common in other protocols.

4. "HSRP virtual MAC is 0000.5e00.01XX" – That's VRRP. HSRPv1 is 0000.0c07.acXX. Candidates mix up FHRP MAC addresses.

Specific Values and Commands

Memorize:

Hello timer default: 3 seconds

Hold timer default: 10 seconds

Priority default: 100

Virtual MAC HSRPv1: 0000.0c07.acXX (XX = group in hex)

Virtual MAC HSRPv2: 0000.0c9f.fXXX (XXX = group in hex)

show standby and show standby brief are the key verification commands

Decision Rule for Scenario Questions

If a question asks which router becomes Active, compare priorities. Higher priority wins. If equal, higher IP address wins. If preempt is disabled, the first router to come up stays Active until it fails. Always check if preempt is configured; without it, a higher-priority router that comes up later will not take over.
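The decision rule above, replayed as a sequence of router up/down events. This is an added example, not part of the original chapter: `elect` and `replay` are hypothetical names, timers and intermediate states are not modelled, and the scenario reuses the walk-through's addresses and priorities.

```python
from ipaddress import ip_address

def elect(names, routers):
    """No Active exists: highest priority wins, a tie goes to the higher interface IP."""
    return max(names, key=lambda n: (routers[n]["priority"], ip_address(routers[n]["ip"])),
               default=None)

def replay(routers: dict, events: list) -> list:
    """Apply ('up' | 'down', name) events in order; return the Active router after each.

    Simplified model: Hello/Hold timers and the intermediate states are not simulated.
    """
    up, active, history = set(), None, []
    for action, name in events:
        if action == "up":
            up.add(name)
            if active is None:
                active = elect(up, routers)
            elif (routers[name]["preempt"]
                  and routers[name]["priority"] > routers[active]["priority"]):
                active = name  # a higher-priority router with preempt takes over
        else:
            up.discard(name)
            if name == active:
                active = elect(up, routers)  # remaining routers elect a new Active
        history.append(active)
    return history

# Constructed scenario using the walk-through's addressing and priorities.
ROUTERS = {
    "RouterA": {"ip": "192.168.1.2", "priority": 110, "preempt": True},
    "RouterB": {"ip": "192.168.1.3", "priority": 90, "preempt": True},
}
EVENTS = [("up", "RouterB"), ("up", "RouterA"), ("down", "RouterA"), ("up", "RouterA")]

if __name__ == "__main__":
    print(replay(ROUTERS, EVENTS))
    no_preempt = {**ROUTERS, "RouterA": {**ROUTERS["RouterA"], "preempt": False}}
    print(replay(no_preempt, EVENTS))
```

With preempt on RouterA the Active role follows the higher priority at every step; with it removed, RouterB keeps the role from the moment it comes up first.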

Key Takeaways

HSRP is Cisco-proprietary, uses virtual IP and MAC for default gateway redundancy.

Default Hello timer is 3 seconds, Hold timer is 10 seconds.

HSRPv1 virtual MAC: 0000.0c07.acXX (XX = group in hex).

Priority range 1-255; default 100; higher priority wins election.

Preemption is disabled by default; must be enabled for automatic recovery.

HSRP states: Initial, Learn, Listen, Speak, Standby, Active.

Only Active router forwards traffic for the virtual IP; Standby monitors.

Verification commands: show standby, show standby brief.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

HSRP

Cisco proprietary

Active/Standby model

Virtual MAC: 0000.0c07.acXX (v1)

Uses UDP port 1985

Multicast: 224.0.0.2 (v1) or 224.0.0.102 (v2)

VRRP

Open standard (RFC 5798)

Master/Backup model (Master forwards, Backup monitors)

Virtual MAC: 0000.5e00.01XX

Uses IP protocol 112

Multicast: 224.0.0.18

Watch Out for These

Mistake

HSRP uses the virtual IP as the source IP in Hello messages.

Correct

HSRP Hellos use the router's real interface IP as source, not the virtual IP. The destination is multicast 224.0.0.2 (v1) or 224.0.0.102 (v2).

Candidates think the virtual IP is used for all communication, but HSRP uses real IPs for neighbor discovery.

Mistake

HSRP can load balance traffic across multiple routers.

Correct

HSRP is active/standby; only one router forwards traffic. GLBP provides load balancing. HSRP can achieve load balancing by using multiple groups with different active routers per VLAN.

The word 'standby' implies backup, but some assume multiple active routers can share load.

Mistake

The Standby router responds to ARP requests for the virtual IP.

Correct

Only the Active router responds to ARP requests for the virtual IP. The Standby does not respond until it becomes Active.

Candidates think both routers are ready to serve, but only one is active at a time.

Mistake

HSRPv2 uses the same multicast address as HSRPv1.

Correct

HSRPv1 uses 224.0.0.2; HSRPv2 uses 224.0.0.102. This is to avoid conflicts with IGMPv3 and other protocols.

Version numbers are similar, so candidates assume same multicast address.


Frequently Asked Questions

What is the difference between HSRP and VRRP?

HSRP is Cisco proprietary; VRRP is an open standard (RFC 5798). Both provide first-hop redundancy, but there are key differences: HSRP uses an Active/Standby model with a virtual MAC starting with 0000.0c07.ac (v1) or 0000.0c9f.f (v2), while VRRP uses a Master/Backup model with virtual MAC 0000.5e00.01XX. HSRP uses UDP port 1985; VRRP uses IP protocol 112. HSRPv1 multicast is 224.0.0.2; VRRP uses 224.0.0.18. HSRP requires configuration of a virtual IP that must be different from the interface IPs; VRRP can use the interface IP of the Master as the virtual IP. On the CCNA exam, know that VRRP is the open standard alternative.

Can HSRP work across a Layer 2 switch?

Yes, HSRP operates at Layer 3 and relies on Layer 2 multicast delivery. The routers must be in the same broadcast domain (same VLAN). A Layer 2 switch forwards HSRP Hello multicast frames between the routers. The switch also learns the virtual MAC from the Active router's gratuitous ARP. Ensure the switch does not filter multicast (default is to flood unknown multicast). HSRP works transparently across switches as long as the routers have IP connectivity at Layer 2.

What happens if both HSRP routers have the same priority?

If priorities are equal, the router with the highest IP address on the interface becomes Active. This is the tiebreaker in HSRP election. For example, if Router A has IP 192.168.1.2 and Router B has 192.168.1.3, Router B (higher IP) becomes Active. This is deterministic, so you can control which router is Active by assigning IP addresses accordingly.

Does HSRP require the virtual IP to be in the same subnet as the interface IPs?

Yes, the virtual IP must be in the same subnet as the interface IPs of the HSRP routers. The virtual IP is used by hosts as their default gateway, so it must be reachable within that subnet. The routers' real IPs are also in that subnet. If the virtual IP is in a different subnet, HSRP will not form because the routers cannot communicate properly.

How does HSRP handle failover when the Active router loses power?

When the Active router loses power, it stops sending Hellos. The Standby router detects the absence of Hellos after the Hold timer (default 10 seconds). It then transitions to Active state, sends a gratuitous ARP to update the switch's MAC table, and starts forwarding traffic for the virtual IP. The total failover time is typically under 10 seconds. To speed up failover, you can reduce the timers (e.g., Hello 1 sec, Hold 3 sec), but this increases control plane overhead.

Can I use HSRP with IPv6?

Yes, HSRP supports IPv6 via HSRPv2. The configuration is similar: use `standby <group> ipv6 <ipv6-address>`. The virtual MAC for HSRPv2 is 0000.0c9f.fXXX. HSRPv1 only supports IPv4. On the CCNA exam, you may be tested on IPv6 HSRP, so know that HSRPv2 is required.

What is the purpose of the 'standby preempt' command?

The `standby preempt` command allows a router with a higher priority to take over the Active role from a lower-priority router that is currently Active. Without preempt, if the Active fails and a Standby takes over, the original Active (with higher priority) will remain Standby when it recovers. Preempt ensures the highest-priority router is always Active, which is often desired for deterministic traffic flow. It is disabled by default.
