Introduction
HSRP stands for Hot Standby Router Protocol. It is a first hop redundancy protocol for LAN and VLAN gateways. HSRP works by creating a shared gateway identity where two or more routers share one virtual IP and one virtual MAC, so hosts keep one default gateway. It is used on access VLANs, routed LAN segments, and SVI gateways in enterprise and data center networks. It is used because a single default gateway is a single point of failure, so HSRP keeps the gateway available by allowing a standby router to take over if the active router or its uplink fails.
This guide explains HSRP, how it provides a virtual default gateway, how elections and failover work, and key benefits, limits, and troubleshooting checks.
What is HSRP in Networking?
HSRP in Networking or Hot Standby Router Protocol is a Cisco proprietary redundancy protocol for default gateway configuration in a network and fault tolerance. In order to maintain network connection even when one of the routers fails, HSRP enables several routers to cooperate and provide a single virtual router to the linked hosts.
A group of routers share:
- A virtual IP address that hosts use as the default gateway
- A virtual MAC address used on the LAN
Hosts keep using the same default gateway IP, so they do not need any change during failover.
In an HSRP, routers in a group speak to one another via User Datagram Protocol (UDP) port 1985 using the multicast address 224.0.0.2. One router is chosen to serve as the group’s “active” router, which is in charge of forwarding traffic, and another is chosen to serve as the group’s “standby” or “backup” router, which assumes control in the event that the active router fails.
The Need for Hot Standby Router Protocol
A device either has a static IP address or asks a DHCP server for a dynamic one. The device will always have an IP address, a subnet address, and the address of its default gateway. Unfortunately, the default gateway IP address can only be stored on a small number of devices. As a side effect, they will just point to a black hole if that gateway malfunctions. Outside of their subnet, they won’t be able to communicate with one another.
You will experience significant downtime if the default gateway fails. As a result of this, the router faces a Single Point of Failure (SPoF). As you can see in the image below, if the router fails, then the network will be isolated.
HSRP is commonly used on:
- Enterprise VLAN interfaces and SVIs
- Routed access segments
- Data center access and distribution layers
- Any network where gateway uptime matters
Also, if we take the case of the switch, the device that is connected to it will not be able to access the internet. But a switch is not SPoF; it will not impact the whole infrastructure of the company. Learn the difference between Switch and Router.
Now, the question that arises is how to overcome this issue.
For this type of scenario where SPoF occurs, we do this by setting up HSRP on the two routers. Instead of informing the customers, we set up the backup gateway to pass as the main one in the event of a primary gateway failure.
You must add a Virtual IP Address (VIP) to both routers in order to complete that setup. It will only be used by the main router by default. However, the backup router will begin utilizing that IP if the main one fails. For better understanding, we have taken an example.
Let’s now understand the different states of Hot Standby Router Protocol.
Hot Standby Router Protocol States
The various HSRP states are listed below:
Active
The router sends periodic hello messages and forwards packets for the HSRP group.
Init
The router doesn’t send or receive HSRP messages and is not an HSRP participant.
Learn
The router is learning the HSRP group’s virtual MAC address and IP address.
Listen
The router monitors both the active and standby routers’ HSRP hello messages.
Speak
The router is participating in the election of the active and standby routers and transmitting HSRP hello messages.
Standby
The router periodically sends hello signals and waits to take over as the active router.
How does HSRP work?
Below, we have explained the working of HSRP in detail.
Configuration
HSRP is set up on routers connected to the same local area network (LAN) by network administrators. They allocate routers to an HSRP group with a certain group number.
Additionally, a priority value is given to each router in the group (the default is 100), which establishes that router’s place in the group.
Election process
When routers have HSRP enabled, they communicate using HSRP hello messages to find one another and choose which routers are active and standby depending on priority settings. The router with the greatest priority is made active, and the router with the next-highest priority is made available as a standby. The router with the higher IP address prevails in cases when both have the same priority value.
MAC address and virtual IP address
A virtual IP address and virtual MAC address are shared by all group members in a HSRP group. The end devices’ default gateway address is typically specified as the virtual IP address. The virtual MAC address has the following format: 0000.0C07.ACxx, where xx is the hexadecimal representation of the HSRP group number.
Active router role
The virtual IP address’s active router relays traffic on its behalf. In order to keep its position and update the other routers in the group on its status, it also regularly broadcasts HSRP hello messages (the default interval is 3 seconds).
Standby router role
When the active router sends an HSRP hello message, the standby router waits for it. If it doesn’t get any hello messages from the current router for a certain amount of time (the default is 10 seconds), it is ready to take over as the active router.
Failover process
The standby router takes over as the active router if the current router fails or becomes inaccessible. Starting the traffic forwarding process, it adopts the virtual IP and MAC addresses. A new standby router is chosen in the meantime from among the group’s remaining routers using priority values.
Recovery
Depending on its priority value and preemption settings, the failed active router either rejoins the HSRP group as a standby router or assumes its previous active function.
High availability and redundancy are provided by HSRP, which ensures network traffic keeps moving even if a router malfunctions.
HSRP Configuration
In this lab you’ll configure and test HSRP (Hot Standby Router Protocol) for a small campus network to ensure the
recovery of user traffic transparently and immediately from first hop router failures.
Create a topology like shown below:
Configure the IP addresses on R1, R2 and R3. Then configure the virtual IP address 192.168.10.254 /24 using the
commands given below.
R1:
R1(config)#int fa 0/0
R1(config-if)#standby ip 192.168.10.254
R1(config-if)#ex
Now, configure the same IP address on R2’s interface.
R2(config)#int fa 0/0
R2(config-if)#standby ip 192.168.10.254
R2(config-if)#ex
Let’s check which router out of R1 and R2 is in active state. Use the command ‘show standby’ in the enable mode to
check the details.
In this topology, R1 is in active state.
Configure DHCP pool on R1 and R2 with the default gateway as 192.168.10.254 and R3 with 192.168.30.3
R1:
R1(config)#ip dhcp pool a
R1(dhcp-config)#network 192.168.10.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.10.254
R1(dhcp-config)#ex
R2:
R2(config)#ip dhcp pool a
R2(dhcp-config)#network 192.168.10.0 255.255.255.0
R2(dhcp-config)#default-router 192.168.10.254
R2(dhcp-config)#ex
R3:
R3(config)#ip dhcp pool a
R3(dhcp-config)#network 192.168.30.0 255.255.255.0
R3(dhcp-config)#default-router 192.168.30.3
R3(dhcp-config)#ex
Now, the last step is to configure routing on the devices. We are configuring EIGRP 1 here.
R1:
R1(config)#router eigrp 1
R1(config-router)#no auto-summary
R1(config-router)#network 192.168.10.0
R1(config-router)#network 192.168.20.0
R1(config-router)#ex
R2:
R2(config)#router eigrp 1
R2(config-router)#no auto-summary
R2(config-router)#network 192.168.10.0
R2(config-router)#network 192.168.20.0
R2(config-router)#ex
R3:
R3(config)#router eigrp 1
R3(config-router)#no auto-summary
R3(config-router)#network 192.168.20.0
R3(config-router)#network 192.168.30.0
R3(config-router)#ex
After configuring the end devices with the IP address let’s test the working of HSRP.
Run a continuous ping from PC0 to PC1 using command ‘ping -t 192.168.30.1’ and shutdown the interface fa 0/0 of R1.
R1(config)#interface fa 0/0
R1(config-if)#shutdown
You’ll observe that PC0’s will recover from the R1’s route failure and will start transmitting through R2.
Reply from 192.168.30.1: bytes=32 time<1ms TTL=126
Reply from 192.168.30.1: bytes=32 time<1ms TTL=126
Request timed out.
Request timed out.
Reply from 192.168.30.1: bytes=32 time<1ms TTL=126
Reply from 192.168.30.1: bytes=32 time<1ms TTL=126
Now, if you check the HSRP details on R2 using command ‘show standby’ you’ll find it in the active state.
We have a detailed understanding of how HSRP functions, so let’s discuss the advantages and disadvantages of using HSRP.
How HSRP Chooses the Active Router (Priority and Preemption)?
Priority decides which router should be active. The default priority is usually 100, and higher values are preferred.
Preemption decides what happens after recovery. If a higher priority router comes back online, preemption allows it to take back the active role.
This matters because different networks want different behavior.
- Some networks want the best router to always be active
- Some networks prefer stability and do not want role changes after recovery
If you enable preemption, also use a preempt delay in real networks so the router does not take over before its uplinks and routing are stable.
How HSRP Detects Failure (Hello and Hold Timers)?
HSRP failover speed depends on timers.
- Hello timer is how often the active router sends hellos
- Hold timer is how long the standby waits before declaring the active router down
Common defaults are:
- Hello 3 seconds
- Hold 10 seconds
Lower timers can reduce failover time. But very aggressive timers can also cause false failovers during congestion or CPU spikes. So timer tuning should be done carefully and tested under load.
How HSRP Handles Uplink Failure (Tracking)?
HSRP can fail in a subtle way. A router can stay up but lose its upstream path. Hosts still use it as the default gateway, but traffic fails beyond the first hop. Tracking fixes this problem.
Tracking ties HSRP priority to a real condition such as:
- An uplink interface state
- A route in the routing table
- An IP SLA reachability check
If the tracked item fails, the router reduces its priority. This allows the other router to become active if it has the better path. This is one of the most important real world features in HSRP design.
How HSRP Prevents Wrong Routers Joining (Authentication)
HSRP supports authentication so that only trusted routers participate in the group. Authentication helps protect the default gateway role from:
- Misconfiguration
- Accidental cross connections
- Rogue devices attempting to claim active role
Common options include plain text authentication and MD5 authentication, depending on platform support.
HSRP Version 1 vs HSRP Version 2
| Parameter | HSRP Version 1 | HSRP Version 2 |
| Purpose | Original HSRP format | Updated format for larger scale and newer behavior |
| Group range | Smaller group range | Larger group range |
| Control traffic multicast | 224.0.0.2 | 224.0.0.102 |
| Virtual MAC format | 0000.0C07.ACxx | 0000.0C9F.Fxxx |
| Practical impact | Works fine for basic use, but limited scale | Better for larger deployments with more groups |
Note: Do not mix v1 and v2 for the same HSRP group on the same VLAN, or adjacency and role election can fail.
How to verify HSRP?
Verification should be simple and repeatable. Check the below discussed points.
- Which router is active and which is standby
- Current state on each router
- Priority and effective priority
- Timers and whether they match
- Tracking status and any priority decrement
- ARP entry for the virtual IP and the virtual MAC on hosts or switches
If the virtual IP works and the role is stable, the design is usually correct.
HSRP vs VRRP: The Basic Difference
Below, we have discussed the basic difference between HSRP (Hot Standby Router Protocol) and VRRP (Virtual Router Redundancy Protocol).
| Parameter | HSRP | VRRP |
| Type | Vendor-based FHRP (commonly used in Cisco networks) | Standards-based FHRP (common in multi-vendor networks) |
| Typical environment | Cisco-focused enterprise networks | Mixed vendor enterprise and service provider networks |
| Gateway model | One virtual IP with one active forwarder per group | One virtual IP with one active forwarder per group |
| Election method | Priority based election | Priority based election |
| Preemption behavior | Depends on configuration and platform defaults | Depends on implementation and platform defaults |
| Best fit | When your environment is standardized on Cisco | When you need a standards approach across vendors |
Note: For most teams, the choice is not about which is better. It depends on what your platform supports and what your network is standardized on.
Benefits of Hot Standby Router Protocol
- Keeps the default gateway available during router failure
- Avoids host side changes during failover
- Improves uptime on access VLANs and routed segments
- Supports controlled failover during maintenance
- Becomes much more reliable with tracking
Limitations of Hot Standby Router Protocol
Although HSRP provides advantages, there are a number of disadvantages to take into account:
- Proprietary protocol – Since HSRP is a Cisco-specific protocol, only Cisco-branded hardware may use it. In a network setting with several vendors, this may restrict interoperability.
- Scalability – Large or sophisticated networks are not intended for HSRP. It is appropriate for small and medium-sized networks, but bigger settings with many routers and subnets could not scale effectively.
- Active/standby model – One router serves as the active router in HSRP, while another serves as the backup router. The backup router is inactive until a failure occurs, which implies that only one router actively sends traffic. This might lead to the underutilization of the backup router and the wasteful use of resources.
Now, we have understood everything related to HSRP in networking. Let’s wrap this article.
Frequently Asked Questions
Q1. Why HSRP is used in networking?
HSRP is a Cisco proprietary protocol that enables two or more routers to work together to offer a network with redundancy and load balancing.
Q2. Does HSRP provide load balancing?
Not by default in a single group. You can design load sharing by using multiple HSRP groups and splitting VLAN gateways across routers
Q3. Is HSRP a layer 2 or 3 network?
HSRP is a layer 3, i.e., network layer protocol.
Q4. Is HSRP and VRRP the same?
HSRP and VRRP are both protocols that provide redundancy for routers in a network. HSRP is specially developed for Cisco devices, whereas VRRP supports various vendors.
Q5. What is preemption in HSRP?
Preemption allows a higher priority router to take back the active role when it comes back online. It should be used carefully to avoid unnecessary role flips.
Q6. Why is tracking important in HSRP?
Tracking protects you from upstream failures. It can lower priority when an uplink or tracked object fails, so the router with the better path becomes active.
Conclusion
HSRP is a first hop redundancy protocol that keeps the default gateway stable for hosts. It works by using a shared virtual IP and virtual MAC while routers decide who forwards.
In this blog, we have explained what is HSRP in networking, how it works, different HSRP states, the need for Hot Standby Router Protocol, advantages and disadvantages. If you want to learn HSRP in detail, you can join PyNet Labs’ CCNA Course.
If you have any suggestions or queries, feel free to comment below.
