Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway, and is described fully in RFC 2281.
- Elects the active gateway based on priority
- Default is 100, 256 is the maximum
- Highest IP is the tie-breaker
- Does not preempt by default
- Can be authenticated using clear text or MD5
For this explanation I will be using the simple topology below
R3 is to be used as an end host, but I am more interested in the operation of R1 & R2 for this scenario
All configuration for HSRP is done at the interface level and the minimum configuration required is a standby ip address.
R1(config-if)#standby 1 ip 192.168.1.254 R2(config-if)#standby 1 ip 192.168.1.254
Once this has been configured on each interface an election will occur and the router with the highest IP address will become active, so in this case R2 will become active, as shown below
R1# *Mar 1 02:23:17.887: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
To check the status of HSRP you use the command show standby or show standby brief
R2#sh standby brief P indicates configured to preempt. | Interface Grp Pri P State Active Standby Virtual IP Fa0/0 1 100 Active local 192.168.1.1 192.168.1.254 R2#sh standby FastEthernet0/0 - Group 1 (version 2) State is Active 2 state changes, last state change 00:03:10 Virtual IP address is 192.168.1.254 Active virtual MAC address is 0000.0c9f.f001 Local virtual MAC address is 0000.0c9f.f001 (v2 default) Hello time 3 sec, hold time 10 sec Next hello sent in 1.612 secs Preemption disabled Active router is local Standby router is 192.168.1.1, priority 100 (expires in 8.208 sec) Priority 100 (default 100) Group name is "hsrp-Fa0/0-1" (default) R2#
From this output you can see that R2 is the active router, the Virtual IP is 192.168.1.254, preemption is disabled and the priority is 100 (which is the default)
Preemption means that if I increased the priority of changed the IP to a higher value than R2 that R1 would not overthrow R2 as the active router.
To enable preemption the configuration is at the interface level again with the command standby preempt
If I now change the priority of the hsrp process R1 should become the active device.
R1(config)#int f0/0 R1(config-if)#standby preempt R1(config)#int f0/0 R1(config-if)#standby priority 110
NOTHING HAPPENS? WHY IS THAT?
The reason nothing happened on this time is the preempt command has to be applied to the standby group, if you just apply the standby ip address with the command standby ip then it will use group 0. I specifified standby ip 1 which means all other commands need to reference group 1, this can be seen if we do a sh run int f0/0
interface FastEthernet0/0 ip address 192.168.1.1 255.255.255.0 duplex auto speed auto standby version 2 standby 0 priority 110 standby 0 preempt standby 1 ip 192.168.1.254
Here you can see the standby ip address using group 1 and the priority and preempt commands using group 0
Let’s fix that
R1(config)#int f0/0 R1(config-if)#no standby 0 pri R1(config-if)#no standby 0 priority 110 R1(config-if)#no standby 0 preempt R1(config-if)#standby 1 priority 110 R1(config-if)#standby 1 preempt R1(config-if)# *Mar 1 02:36:33.339: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active R1(config-if)#
Now you see that R1 becomes the Active router because it has the higher priority set and preemption was enabled.
HSRP can be configured with authentication in clear text and MD5, again this is configured at the interface level.
It has to be configured on both sides.
R1(config-if)#standby 1 authentication ?
WORD Plain text authentication string
md5 Use MD5 authentication
text Plain text authentication
R1(config-if)#standby 1 authentication cisco (cisco is the plain text password)
In production you are going to want to configure the MD5 password.
R1(config-if)#standby 1 authentication md5 key-string cisco R1(config-if)# *Mar 1 02:42:37.455: %HSRP-4-BADAUTH2: Bad authentication from 192.168.1.2
Here you see the log message from R2 as this end does not have MD5 configured.
Finally the HSRP timer are configured as the hello timer and the dead timer.
The default settings are hello 3 seconds and dead time 10 seconds.
The timers can be changed at the interface level again.
R1(config-if)#standby 1 timers ? <1-254> Hello interval in seconds msec Specify hello interval in milliseconds R1(config-if)#standby 1 timers 1 ? <2-255> Hold time in seconds R1(config-if)#standby 1 timers 1 4
In this example I have set the hello timers to 1 second and the dead interval of 4 seconds.
HSRP uses UDP Multicast 184.108.40.206 at port 1985
Group ID is encoded in a Virtual Mac address 0000.0c07.acxx (where X is the group number)
The Cisco Configuration Documentation can be found here: