Configuring HSRP

Published by Joe Conklin on

What is HSRP and why to use it?

Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway. The protocol establishes a framework between network routers in order to achieve default gateway failover if the primary gateway becomes inaccessible, in close association with a rapid-converging routing protocol like EIGRP or OSPF. HSRP routers send multicast Hello messages to other routers to notify them of their priorities (which router is preferred) and current status (Active or Standby).

In regards to using HSRP with dynamic routing protocols, routers do not use the virtual IP addresses of HSRP to form adjacencies. HSRP is designed to provide end-users devices and servers default gateway/router redundancy. For instance, EIGRP neighbor relationship are not formed with the HSRP Virtual IP Address but with the physical interface IP address. As such if you are using HSRP along with a dynamic routing protocol you should ensure your routes prefer the active router unless offline to avoid issues as only the active HSRP router for a group will forward packets.

In the network below there are a total of two routers, two end-user computers and one server. In the example below we will configure three HSRP groups, two for the LAN and one for the WAN network. R1 will be the primary gateway for PC1, and R2 the primary gateway for PC2. This will make use of both routers to prevent network capacity from being underutilized. R1 will be the active router for the 1.1.1.0/29 network and failover and failback must occur automatically. HSRP groups will also make use of authentication to prevent any rogue routers from interfering with HSRP operations.

Steps to configure HSRP

Step 1: Configure all applicable router interfaces on the routers R1 and R2, respectively.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 1.1.1.1 255.255.255.248
!
R1(config)#interface FastEthernet0/1
R1(config-if)#ip address 10.1.0.1 255.255.255.0
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 1.1.1.2 255.255.255.248
!
R2(config)#interface FastEthernet0/1
R2(config-if)#ip address 10.1.0.2 255.255.255.0

Step 2: On Router R1 configure HSRP groups using the standby command, set the group virtual IP, priority 105 for HSRP groups 1 and 2 only, and the preempt command. This will be repeated for both interfaces but each interface will participate in a separate HSRP group.

R1(config)#interface FastEthernet0/0
R1(config-if)#standby 2 ip 1.1.1.3
R1(config-if)#standby 2 priority 105
R1(config-if)#standby 2 preempt
!
R1(config)#interface FastEthernet0/1
R1(config-if)#standby 1 ip 10.1.0.3
R1(config-if)#standby 1 priority 105
R1(config-if)#standby 1 preempt
R1(config-if)#standby 3 ip 10.1.0.4
R1(config-if)#standby 3 preempt

Step 3: On Router R2 configure a HSRP group using the standby command, set the group virtual IP, priority 105 for HSRP group 3 only, and the preempt command. This will be repeated for both interfaces but each interface again will participate in separate HSRP groups.

R2(config)#interface FastEthernet0/0
R2(config-if)#standby 2 ip 1.1.1.3
R2(config-if)#standby 2 preempt
!
R2(config)#interface FastEthernet0/1
R2(config-if)#standby 1 ip 10.1.0.3
R2(config-if)#standby 1 preempt
R2(config-if)#standby 3 ip 10.1.0.4
R2(config-if)#standby 3 priority 105
R2(config-if)#standby 3 preempt

NOTE: The standby 1 priority 105 is used to specify a higher priority for R1 ensuring it is always the active HSRP router. The default priority for HSRP routers is 100 and the default decrement is 10. The preempt command is used to overthrow lower priority Active routers. This is the mechanism for R1 to enforce the higher priority and fail back from R2 to R1 when R1 comes back online.

Step 4: Configure HSRP tracking on R1 to decrement the routers priority when it sees any interface down. This is important because if one interface on either side of the router is down any traffic coming into the router will be unable to reach the desired destination.

R1(config)#interface FastEthernet0/1
R1(config-if)#standby 1 track fa0/0 10
R1(config-if)#standby 1 track fa0/1 10
R1(config-if)#standby 3 track fa0/0 10
R1(config-if)#standby 3 track fa0/1 10
!
R1(config)#interface FastEthernet0/0
R1(config-if)#standby 2 track fa0/0 10
R1(config-if)#standby 2 track fa0/1 10

Step 5: Repeat the steps again to configure HSRP tracking on R2.

R2(config)#interface FastEthernet0/1
R2(config-if)#standby 1 track fa0/0 10
R2(config-if)#standby 1 track fa0/1 10
R2(config-if)#standby 3 track fa0/0 10
R2(config-if)#standby 3 track fa0/1 10
!
R2(config)#interface FastEthernet0/0
R2(config-if)#standby 2 track fa0/0 10
R2(config-if)#standby 2 track fa0/1 10

Step 6: Configure HSRP authentication on R1 to prevent any unintended routers from joining the HSRP groups and causing unexpected results.

R1(config)#key chain HSRP-Keychain1
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string hsrp-password-here
!
R1(config)#interface FastEthernet0/0
R1(config-if)#standby 2 authentication md5 key-chain HSRP-Keychain1
!
R1(config)#interface FastEthernet0/1
R1(config-if)#standby 3 authentication md5 key-chain HSRP-Keychain1
R1(config-if)#standby 1 authentication md5 key-chain HSRP-Keychain1

Step 7: Repeat the steps again to configure HSRP authentication on R2.

R2(config)#key chain HSRP-Keychain1
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string hsrp-password-here
!
R2(config)#interface FastEthernet0/0
R2(config-if)#standby 2 authentication md5 key-chain HSRP-Keychain1
!
R2(config)#interface FastEthernet0/1
R2(config-if)#standby 3 authentication md5 key-chain HSRP-Keychain1
R2(config-if)#standby 1 authentication md5 key-chain HSRP-Keychain1

Verify the configuration

Now that the configuration is finished lets verify our HSRP deployment. Using the ping, traceroute and show ip route on PC1 we can verify connectivity, the path used to reach the destination and default gateway. You will find ping is successful from PC1 to Server and the path is PC1 to R1 to Server. On PC2 you will find ping is also successful but the path PC2 takes to reach Server is PC2 to R2 to Server.


On R1 issue the show standby command to verify the active HSRP routers. This will confirm R1 is the active router for groups 1 and 2, and R2 is the active router for group 3.

Now let's shutdown an interface on R1 and perform the same steps from PC1. As you can see everything functions the same with the only exception your default gateway, 10.1.0.3, is routed through the backup router R2 which is now the active HSRP router for HSRP groups 1, 2, and 3.

For the last verification step turn R1 back on and repeat the steps again. Your default gateway, 10.1.0.3, will again be routed through tR1 and is once again the active router for groups 1 and 2.

Categories: Cisco NetworkingCisco Routing

Related Posts

Cisco Networking

BGP Load Sharing

Load balancing with BGP is not possible in a multihomed environment with two ISPs. BGP selects only the single best path to a destination among the BGP paths that are learned from different ASs, which Read more…

Cisco Firewall

Configuring Dynamic Multipoint VPN and Zone Based Firewall

DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers, including IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. Read more…

Cisco Networking

Configuring Layer 2 MPLS VPN

Layer 2 VPNs are a type of Virtual Private Network (VPN) that uses MPLS labels to transport data. The communication occurs between routers that are known as Provider Edge routers (PEs), as they sit on Read more…