Imagine your network's default gateway goes down, and every device on that subnet loses connectivity to the rest of the network. That's a single point of failure. HSRP (Hot Standby Router Protocol) solves this by allowing two or more routers to share a virtual IP and MAC address, providing seamless gateway redundancy. For the CCNA 200-301 exam (objective 3.8), you must understand HSRP operation, configuration, and verification—it's a core high-availability topic that appears in both multiple-choice and simulation questions.
Think of a commercial airplane flight. The captain (Active router) is responsible for flying the plane and making all critical decisions. The first officer (Standby router) is fully trained, sits in the right seat, and constantly monitors the captain's actions. They both have identical access to the controls and instruments. The plane itself (the virtual IP/MAC) is the entity that passengers and air traffic control interact with—they don't know who is actually flying at any given moment. If the captain becomes incapacitated (fails), the first officer immediately takes over control without any interruption to the flight. The transition is seamless because the first officer was already 'hot'—synchronized with the captain's state. In HSRP terms, the Active router forwards packets for the virtual IP, while the Standby listens for Hello messages. If Hellos stop, the Standby assumes the Active role. The virtual IP and MAC never change, so end devices continue sending traffic to the same gateway address. Just as a plane has two pilots but presents a single flight deck to the world, HSRP creates a single virtual router from multiple physical routers.
What is HSRP and Why Was It Created?
HSRP (Hot Standby Router Protocol) is a Cisco-proprietary First Hop Redundancy Protocol (FHRP) that provides default gateway redundancy. In a typical LAN, hosts are configured with a single default gateway IP address. If that router fails, hosts lose connectivity to remote networks. HSRP solves this by creating a virtual router—a combination of a virtual IP address and virtual MAC address—that is shared among a group of physical routers. One router is elected as Active and forwards packets for the virtual IP; another is elected as Standby and takes over if the Active fails. This allows hosts to use a single gateway IP while enjoying redundancy.
HSRP Operation: Step by Step
1. HSRP Group – A group of routers that share a virtual IP and MAC. Group number ranges from 0 to 255 (0-4095 for HSRPv2).
2. Virtual MAC Address – For HSRPv1: 0000.0c07.acXX where XX is the group number in hex. For HSRPv2: 0000.0c9f.fXXX where XXX is the group number in hex.
3. Hello Messages – Routers send Hellos every 3 seconds (default) to UDP port 1985 (HSRPv1) or 1986 (HSRPv2), destination IP 224.0.0.2 (all-routers multicast).
4. State Transitions – Each router goes through states: Initial → Learn → Listen → Speak → Standby → Active.
- Initial: Router just started HSRP.
- Learn: Router doesn't know virtual IP, waiting to hear from Active.
- Listen: Router knows virtual IP, monitoring Hellos.
- Speak: Router sends Hellos, participating in election.
- Standby: Router is next in line to become Active.
- Active: Router forwards packets for the virtual IP.
5. Election – The router with the highest priority (default 100) becomes Active. On a tie, the highest IP address wins. Priority can be configured from 0 to 255 (0 means the router will never become Active).
6. Preemption – By default, a router with higher priority will not take over an already Active router. Preemption must be enabled to allow it.
7. Timers – Hello timer: 3 seconds (default). Hold timer: 10 seconds (default). The Standby router declares Active dead if no Hello is received within the Hold time.
HSRP Versions
HSRPv1 – Group numbers 0-255, uses 224.0.0.2, virtual MAC 0000.0c07.acXX.
HSRPv2 – Group numbers 0-4095, uses 224.0.0.102, virtual MAC 0000.0c9f.fXXX, supports IPv6 and MD5 authentication.
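The fixed virtual MAC layouts make it possible to check what hosts have actually resolved for the gateway address. The following is an added example, not part of the original page: it builds and recognises the virtual MACs listed on this page (the VRRP prefix is the one given in the comparison further down) and flags ARP entries for the virtual IP that do not match the expected group. Function names, host names and the ARP entries are constructed for illustration.

```python
import re

# Virtual MAC layouts stated on this page: (protocol, fixed hex prefix, group hex digits)
LAYOUTS = [
    ("HSRPv1", "00000c07ac", 2),  # 0000.0c07.acXX
    ("HSRPv2", "00000c9ff", 3),   # 0000.0c9f.fXXX
    ("VRRP", "00005e0001", 2),    # 0000.5e00.01XX
]

def normalize(mac):
    """Reduce dotted, colon or dash notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def virtual_mac(protocol, group):
    """Build the virtual MAC (Cisco dotted form) for a protocol and group number."""
    for name, prefix, width in LAYOUTS:
        if name == protocol:
            if not 0 <= group < 16 ** width:
                raise ValueError(f"group {group} out of range for {protocol}")
            digits = prefix + format(group, f"0{width}x")
            return ".".join(digits[i:i + 4] for i in (0, 4, 8))
    raise ValueError(f"unknown protocol {protocol!r}")

def classify(mac):
    """Return (protocol, group) for an FHRP virtual MAC, or None for any other MAC."""
    digits = normalize(mac)
    for name, prefix, width in LAYOUTS:
        if digits.startswith(prefix):
            return name, int(digits[len(prefix):], 16)
    return None

def audit_gateway(arp_entries, vip, protocol, group):
    """List (host, mac, classification) where the VIP resolved to an unexpected MAC."""
    expected = normalize(virtual_mac(protocol, group))
    return [(host, mac, classify(mac)) for host, ip, mac in arp_entries
            if ip == vip and normalize(mac) != expected]

# Constructed sample: ARP cache entries collected from three hosts in VLAN 10.
SAMPLE = [
    ("pc1", "10.0.10.1", "00:00:0c:9f:f0:0a"),  # expected HSRPv2 group 10 MAC
    ("pc2", "10.0.10.1", "0000.0c07.ac0a"),     # HSRPv1 layout: version mismatch
    ("pc3", "10.0.10.1", "52:54:00:12:34:56"),  # not a virtual MAC at all
]
```

Calling `audit_gateway(SAMPLE, "10.0.10.1", "HSRPv2", 10)` returns the pc2 and pc3 entries; a gateway address that resolves to a non-virtual MAC is worth investigating before anything else.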
Configuration Example
Below is a typical HSRP configuration on two routers (R1 and R2) for VLAN 10.
R1 Configuration:
```
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.2 255.255.255.0
 ! HSRPv2, matching the v2 virtual MAC in the show standby output
 standby version 2
 standby 10 ip 10.0.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string CISCO
```
R2 Configuration:
```
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.3 255.255.255.0
 ! HSRPv2, matching the v2 virtual MAC in the show standby output
 standby version 2
 standby 10 ip 10.0.10.1
 standby 10 priority 100
 standby 10 preempt
 standby 10 authentication md5 key-string CISCO
```
Verification Commands
`show standby` – Displays HSRP status for all groups.
```
R1# show standby
GigabitEthernet0/0.10 - Group 10
  State is Active
    2 state changes, last state change 00:01:23
  Virtual IP address is 10.0.10.1
  Active virtual MAC address is 0000.0c9f.f00a
    Local virtual MAC address is 0000.0c9f.f00a (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.456 secs
  Authentication MD5, key-string
  Preemption enabled
  Active router is local
  Standby router is 10.0.10.3, priority 100 (expires in 9.456 sec)
  Priority 110 (configured 110)
  Group name is "hsrp-Gi0/0.10-10" (default)
```
`show standby brief` – Compact view.
```
R1# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/0.10    10   110 P Active  local           10.0.10.3       10.0.10.1
```
Interaction with Other Protocols
HSRP and STP – In a switched network, STP must be considered. If HSRP Active is on a different switch than STP Root for that VLAN, suboptimal traffic flow may occur. Best practice is to align HSRP Active with STP Root.
HSRP and VRRP – VRRP is an open standard (RFC 5798) that functions similarly. Cisco routers support both. Key difference: VRRP uses the physical IP of the Active router as the virtual IP by default, and only the Master sends Hellos; the Standby does not.
HSRP and GLBP – GLBP (Gateway Load Balancing Protocol) allows multiple routers to forward traffic simultaneously, unlike HSRP which has only one Active.
Configure interface IP addresses
Assign IP addresses to the interfaces that will participate in HSRP. These are the physical IPs of the routers, not the virtual IP. For example, on R1: `interface GigabitEthernet0/0` then `ip address 10.0.10.2 255.255.255.0`. On R2: `ip address 10.0.10.3 255.255.255.0`. Ensure both interfaces are in the same VLAN and subnet. Use `no shutdown` to enable the interface.
Enable HSRP and set virtual IP
On each router, enter interface configuration mode and use `standby <group-number> ip <virtual-ip>`. The group number must be the same on both routers. The virtual IP must be in the same subnet as the physical IPs but not assigned to any real interface. Example: `standby 10 ip 10.0.10.1`. This command creates an HSRP group and assigns the virtual IP. The virtual MAC is automatically generated.
Adjust priority for Active election
By default, all routers have priority 100. To influence which router becomes Active, use `standby <group> priority <value>`. Higher priority wins. Example: `standby 10 priority 110` on R1 makes it the Active router. The Standby router will have default priority 100. If priorities are equal, the highest IP address wins. Priority values range 0-255; 0 means the router will never become Active.
Enable preemption
Without preemption, if a higher-priority router comes online after an election, it will not take over the Active role. Use `standby <group> preempt` to allow this. This is critical for maintenance scenarios where you want to force a specific router to be Active. Example: `standby 10 preempt` on both routers. Preemption is disabled by default.
Configure authentication (optional)
To prevent unauthorized routers from joining the HSRP group, configure authentication. Use `standby <group> authentication md5 key-string <key>` for HSRPv2 or `standby <group> authentication <text>` for plaintext. MD5 is recommended. The key must match on all routers. Example: `standby 10 authentication md5 key-string CISCO`. If keys mismatch, routers will not form adjacency.
Verify HSRP operation
Use `show standby` and `show standby brief` to verify the HSRP state, virtual IP, active and standby routers, timers, and authentication. Also use `show ip interface brief` to confirm interfaces are up. Test failover by shutting down the Active router's interface (`shutdown`) and then checking that the Standby becomes Active (`show standby`). The transition should take roughly the hold time (10 seconds default).
In enterprise networks, HSRP is commonly deployed at the distribution layer where two routers (or multilayer switches) provide redundant Layer 3 access to users. For example, in a campus network with multiple VLANs, each VLAN may have its own HSRP group. A typical design is to load-balance by making one switch Active for half the VLANs and Standby for the other half. This is achieved by configuring different priorities per group.
Another scenario is at the WAN edge, where two routers connect to different ISPs. HSRP provides a virtual gateway for internal hosts, while each router handles its own ISP link. If one router fails, the other takes over all traffic. In this case, you might use HSRP with tracking—where the router's priority is reduced if its uplink goes down, forcing failover to the other router.
Misconfigurations are common. One frequent issue is forgetting to enable preemption—after a failure, the original Active router may come back but not reclaim its role, leading to suboptimal routing. Another is mismatched authentication keys, which silently prevents HSRP adjacency. Also, if the virtual IP is accidentally assigned to a physical interface (e.g., as a secondary IP), it can cause IP address conflicts.
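The misconfigurations listed above can be caught by comparing both routers' configurations before they go live. The following is an added example, not part of the original page and not a Cisco tool: it parses one interface stanza per router and reports missing preemption, a virtual IP that is also an interface address, and settings that differ between peers. The function names, finding labels and the R2 sample (with deliberate mistakes) are constructed for illustration.

```python
from ipaddress import ip_address, ip_interface

def parse_hsrp(config):
    """Return (interface addresses, {group: settings}) from one interface stanza."""
    addrs, groups = [], {}
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["ip", "address"] and len(words) >= 4:
            addrs.append(ip_interface(f"{words[2]}/{words[3]}"))
        elif words[:1] == ["standby"] and len(words) >= 3 and words[1].isdigit():
            g = groups.setdefault(int(words[1]), {"vip": None, "preempt": False, "auth": None})
            if words[2] == "ip" and len(words) >= 4:
                g["vip"] = ip_address(words[3])
            elif words[2] == "preempt":
                g["preempt"] = True
            elif words[2] == "authentication":
                g["auth"] = tuple(words[3:])  # ("md5", "key-string", key) or (text,)
    return addrs, groups

def audit(configs):
    """Check each router, then compare peers; findings never include the key itself."""
    findings, parsed = [], {name: parse_hsrp(text) for name, text in configs.items()}
    for name, (addrs, groups) in parsed.items():
        for grp, g in sorted(groups.items()):
            if any(a.ip == g["vip"] for a in addrs):
                findings.append((name, grp, "vip-on-interface"))
            if not g["preempt"]:
                findings.append((name, grp, "no-preempt"))
            if not g["auth"] or g["auth"][0] != "md5":
                findings.append((name, grp, "no-md5-auth"))
    for grp in sorted({g for _, groups in parsed.values() for g in groups}):
        seen = [groups[grp] for _, groups in parsed.values() if grp in groups]
        for field in ("vip", "auth"):
            if len({g[field] for g in seen}) > 1:
                findings.append(("peers", grp, f"{field}-mismatch"))
    return findings

# Constructed samples: R1 follows this page's example, R2 has three deliberate mistakes.
R1 = """interface GigabitEthernet0/0.10
 ip address 10.0.10.2 255.255.255.0
 standby 10 ip 10.0.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string CISCO"""
R2 = """interface GigabitEthernet0/0.10
 ip address 10.0.10.3 255.255.255.0
 ip address 10.0.10.1 255.255.255.0 secondary
 standby 10 ip 10.0.10.1
 standby 10 authentication md5 key-string CISC0"""
```

`audit({"R1": R1, "R2": R2})` reports the secondary address that collides with the virtual IP, the missing `preempt` on R2, and the key mismatch between the peers.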
In production, you should also consider HSRP timers. The default 3-second hello and 10-second hold may be too slow for some applications. You can adjust them with `standby <group> timers <hello> <hold>`. However, setting them too low can cause flapping. A common production setting is 1 second hello / 3 second hold for faster convergence.
Finally, remember that HSRP operates at Layer 3—it requires IP connectivity between the routers. If the link between them goes down, they can't exchange Hellos, and both may become Active (split-brain). To prevent this, use a separate management VLAN or configure interface tracking to reduce priority when a critical interface fails.
On the CCNA 200-301 exam, objective 3.8 covers "Configure and verify HSRP." Expect questions on HSRP operation, states, timers, and configuration verification. The exam may present a topology with two routers and ask you to identify the Active router based on priority and IP, or to choose the correct configuration commands.
Common Wrong Answers:
"HSRP uses UDP port 1986 for all versions." – Wrong. HSRPv1 uses 1985, HSRPv2 uses 1986. Candidates often mix them up.
"The Standby router sends Hellos every 10 seconds." – Wrong. Both Active and Standby send Hellos every 3 seconds (default). Only the Hold timer is 10 seconds.
"Preemption is enabled by default." – Wrong. Preemption must be explicitly configured. Without it, a higher-priority router will not take over.
"The virtual IP must be the same as the physical IP of the Active router." – Wrong. The virtual IP is a separate address in the same subnet. It can be any unused IP.
Specific Values to Memorize:
Default priority: 100
Default Hello timer: 3 seconds
Default Hold timer: 10 seconds
Virtual MAC (HSRPv1): 0000.0c07.acXX (XX = group in hex)
Virtual MAC (HSRPv2): 0000.0c9f.fXXX (XXX = group in hex)
Multicast address HSRPv1: 224.0.0.2
Multicast address HSRPv2: 224.0.0.102
Elimination Strategy:
For scenario questions, first identify which router has higher priority. If priorities are equal, the higher IP wins. Check if preemption is enabled—if not, the current Active stays. Also check if authentication is configured and matches. If the question involves tracking, remember that tracking reduces priority by a configured amount (default 10) when the tracked object goes down.
Trap: If a router's priority is set to 0, it can never become Active. This is often used to force a router to always be Standby.
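The elimination strategy above can be written as a small model and stepped through a failure, a return and a tracked-uplink outage. This is an added example, not part of the original page: it implements the rules as this page states them (priority, then IP, preemption only on strictly higher priority, tracking decrement), and the class, function names and scenario are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100       # default priority
    preempt: bool = False     # preemption is disabled by default
    decrement: int = 10       # default tracking decrement
    tracked_up: bool = True   # state of the tracked object, e.g. an uplink
    alive: bool = True        # still sending Hellos on the LAN

    def rank(self):
        """(effective priority, numeric IP): the election order described above."""
        effective = self.priority - (0 if self.tracked_up else self.decrement)
        return effective, int(IPv4Address(self.ip))

def elect(routers, active=None):
    """Name of the Active router, given who holds the role now (None = fresh election)."""
    alive = [r for r in routers if r.alive]
    current = next((r for r in alive if r.name == active), None)
    if current is None:  # no Active heard within the hold time
        return max(alive, key=Router.rank).name if alive else None
    # An Active router is displaced only by a preempt-enabled router with strictly
    # higher priority; per this page, a tie on priority does not trigger preemption.
    coup = [r for r in alive if r.preempt and r.rank()[0] > current.rank()[0]]
    return max(coup, key=Router.rank).name if coup else current.name

def scenario():
    """Constructed walk-through using the R1/R2 addressing from this page."""
    r1 = Router("R1", "10.0.10.2", priority=110, preempt=True)
    r2 = Router("R2", "10.0.10.3", preempt=True)
    log = [elect([r1, r2])]               # fresh election
    r1.alive = False
    log.append(elect([r1, r2], log[-1]))  # R1 fails
    r1.alive = True
    log.append(elect([r1, r2], log[-1]))  # R1 returns and preempts
    r1.tracked_up = False
    log.append(elect([r1, r2], log[-1]))  # uplink down: 110 - 10 only ties with 100
    r1.decrement = 20
    log.append(elect([r1, r2], log[-1]))  # 110 - 20 = 90 < 100, so R2 preempts
    return log
```

In this model the default decrement of 10 leaves R1 tied with R2 rather than below it, so the tracked-uplink failure only moves the Active role once the decrement is larger than the priority gap.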
HSRP is Cisco-proprietary, provides default gateway redundancy using a virtual IP and MAC.
Default Hello timer = 3 seconds, Hold timer = 10 seconds.
Active router election: highest priority wins; tie = highest IP address.
Preemption is disabled by default; must be enabled with 'standby <group> preempt'.
HSRPv1 uses UDP 1985, multicast 224.0.0.2; HSRPv2 uses UDP 1986, multicast 224.0.0.102.
Virtual MAC: HSRPv1 = 0000.0c07.acXX; HSRPv2 = 0000.0c9f.fXXX (XX/XXX = group in hex).
Verification commands: 'show standby' and 'show standby brief'.
These come up on the exam all the time. Here's how to tell them apart.
HSRP (Cisco Proprietary)
Uses virtual MAC 0000.0c07.acXX (v1) or 0000.0c9f.fXXX (v2)
Default timers: Hello 3s, Hold 10s
Both Active and Standby send Hellos
Preemption disabled by default
Supports MD5 authentication (v2)
VRRP (Open Standard RFC 5798)
Uses virtual MAC 0000.5e00.01XX (XX = group in hex)
Default timers: Advertisement 1s, Master Down 3s
Only Master sends advertisements; Backup listens
Preemption enabled by default
Supports simple text and MD5 authentication
Mistake
HSRP uses the physical MAC address of the Active router.
Correct
HSRP uses a virtual MAC address (0000.0c07.acXX for v1, 0000.0c9f.fXXX for v2) that is shared among group members. The virtual MAC is used in ARP replies for the virtual IP.
Candidates assume the virtual IP maps to a real interface MAC, but HSRP generates a unique virtual MAC.
Mistake
The Standby router does not send Hello messages.
Correct
Both Active and Standby routers send Hello messages every 3 seconds (default) to maintain the group. The Standby sends Hellos to announce its status.
Many think only the Active sends Hellos, but the Standby must also send them so the Active knows it is alive.
Mistake
HSRP can load-balance traffic across multiple routers.
Correct
HSRP has only one Active router forwarding traffic. For load balancing, use GLBP or multiple HSRP groups (one per VLAN) with different Active routers.
The word 'standby' implies backup, but some candidates think multiple routers can be active simultaneously.
Mistake
The virtual IP must be the same as the physical IP of one of the routers.
Correct
The virtual IP is a separate IP address in the same subnet. It must not be assigned to any physical interface. It is configured only via the 'standby ip' command.
Candidates confuse virtual IP with the physical IP used by VRRP (which can use the physical IP as virtual IP).
HSRP is Cisco proprietary; VRRP is an open standard. Key differences: HSRP uses a virtual MAC (0000.0c07.acXX for v1, 0000.0c9f.fXXX for v2), while VRRP uses 0000.5e00.01XX. HSRP has both Active and Standby sending Hellos; VRRP only the Master sends advertisements. HSRP default timers are Hello 3s/Hold 10s; VRRP default is Advertisement 1s/Master Down 3s. Preemption is disabled by default in HSRP, enabled in VRRP. For CCNA, know that both provide gateway redundancy but HSRP is more commonly tested.
Yes, HSRPv2 supports IPv6. The configuration uses `standby <group> ipv6 <ipv6-address>`. The virtual MAC for IPv6 HSRPv2 is the same as for IPv4 HSRPv2 (0000.0c9f.fXXX). However, for CCNA 200-301, IPv6 HSRP is not a major focus; stick to IPv4.
HSRP and STP are independent but can cause suboptimal traffic flow. If the HSRP Active router is not the STP Root for that VLAN, traffic from hosts to the gateway may traverse extra switch hops. Best practice is to align HSRP Active with STP Root by configuring priorities accordingly. For example, set the STP priority lower on the switch that hosts the HSRP Active.
Object tracking allows HSRP to adjust a router's priority based on the state of a tracked object (e.g., an uplink interface). If the tracked object goes down, the router's priority is reduced by a configured amount (default 10), causing it to relinquish the Active role. Configuration: `standby <group> track <object-number> decrement <value>`. This is used for WAN link redundancy.
Yes, you can configure multiple HSRP groups on the same interface, each with a different group number and virtual IP. This is commonly used for load balancing: one group uses one router as Active, another group uses the other router as Active. Each group has its own virtual MAC.
If both have the same priority, the router with the higher IP address becomes Active. Preemption only triggers when a router with higher priority comes online; it does not break ties. The election is deterministic based on priority then IP.
Use `show standby` to check the authentication field. If authentication fails, the routers will not form adjacency, and you may see "Authentication mismatch" in logs. You can also use `debug standby` to see authentication errors. Ensure the key-string matches exactly on all routers.