HSRP — First Hop Redundancy Configuration

End devices — PCs, servers, phones — are configured with a single default gateway. If that gateway router fails, the host loses all connectivity to remote networks regardless of how many redundant paths exist in the network core. HSRP (Hot Standby Router Protocol) solves this by making two physical routers appear as a single virtual router to hosts. The virtual router has its own IP address and MAC address — hosts use this as their default gateway and remain unaware of which physical router is currently active. For an overview of HSRP see HSRP Overview.

HSRP is a Cisco-proprietary First Hop Redundancy Protocol (FHRP). One router is elected Active — it forwards all traffic from hosts. The other is Standby — it monitors the Active router and takes over within seconds if the Active fails. Hosts never need to update their ARP cache or default gateway configuration during a failover. For alternatives see VRRP & GLBP.

Before starting, complete Inter-VLAN Routing — Router-on-a-Stick and Static Route Configuration to understand default gateways and router redundancy context. For Layer 3 switch deployments see Inter-VLAN Routing — Layer 3 Switch. For VLAN segmentation context see VLANs. For DHCP delivery of the HSRP VIP as the default gateway see DHCP Server Configuration and DHCP Relay Agent.

1. HSRP — Core Concepts

The Problem HSRP Solves

Without HSRP, a network with two routers provides no automatic failover for end hosts:

  Without HSRP:
  PC1 default gateway = 192.168.10.1 (R1)
  If R1 fails → PC1 is unreachable until an admin manually changes the gateway

  With HSRP:
  PC1 default gateway = 192.168.10.254 (Virtual IP — shared by R1 and R2)
  If R1 (Active) fails → R2 (Standby) takes over 192.168.10.254 automatically
  PC1 never changes its gateway — it just starts reaching R2 instead of R1

HSRP Roles and Virtual Addresses

Element	Description	Notes
Virtual IP (VIP)	The shared IP address that hosts use as their default gateway	Must be in the same subnet as the real router interfaces. Hosts ARP for this IP.
Virtual MAC	A shared MAC address generated from the HSRP group number	Format: `0000.0C07.ACxx` where xx = HSRP group in hex (group 1 = 0x01)
Active Router	The router currently forwarding traffic for the virtual IP	Responds to ARPs for the VIP, forwards all host traffic
Standby Router	The backup router monitoring the Active via Hello packets	Takes over the VIP and virtual MAC if the Active fails
HSRP Group	A number (0–255) that identifies the HSRP instance on an interface	Both routers must use the same group number on the same subnet

HSRP Election — Priority and Preempt

The Active router is elected based on priority (higher wins, default 100). If priorities are equal, the router with the higher IP address on that interface becomes Active. The preempt option allows a higher-priority router to reclaim the Active role after recovering from a failure — without it, the current Active keeps the role even if a higher-priority router comes back online.

Parameter	Default	Effect
Priority	100	Higher value wins the Active election. Range: 1–255.
Preempt	Disabled	When enabled, the higher-priority router forces itself Active as soon as it comes online — even if another router is currently Active
Hello timer	3 seconds	How often the Active sends Hello packets to the Standby
Hold timer	10 seconds	How long the Standby waits for a Hello before declaring the Active failed and taking over

HSRP States

State	Meaning	Normal?
Initial	HSRP has just started — interface recently came up	Transitional
Learn	Waiting to hear the virtual IP from the Active router	Transitional
Listen	Knows the VIP — monitoring but neither Active nor Standby	Normal for a third router in the group
Speak	Sending Hello packets and participating in Active/Standby election	Transitional during election
Standby	Backup router — monitoring Active, ready to take over	✅ Normal goal state for the backup router
Active	Currently forwarding traffic for the virtual IP	✅ Normal goal state for the primary router

FHRP Comparison — HSRP vs VRRP vs GLBP

Protocol	Standard	Load Balancing	Active Routers	Virtual MAC Format
HSRP v1	Cisco proprietary	❌ No (one Active at a time)	1 Active, 1 Standby	0000.0C07.ACxx
HSRP v2	Cisco proprietary	❌ No (one Active at a time)	1 Active, 1 Standby	0000.0C9F.Fxxx
VRRP	IEEE 802.1 (open standard)	❌ No (one Master at a time)	1 Master, multiple Backup	0000.5E00.01xx
GLBP	Cisco proprietary	✅ Yes — multiple AVFs forward simultaneously	1 AVG + multiple AVFs	0007.B400.xxyy

HSRP version 2 differences: HSRPv2 extends the group number range from 0–255 to 0–4095, uses a different multicast address (224.0.0.102 vs 224.0.0.2 for v1), and uses a different virtual MAC format. Both versions on the same interface must use the same version number — mixing v1 and v2 on the same group prevents the HSRP relationship from forming. For VRRP and GLBP details see VRRP & GLBP.

2. Lab Topology & Scenario

Two routers (R1 and R2) share a LAN segment serving PC1. Both routers connect to the upstream network for internet and inter-site routing. R1 is the intended primary (higher priority). R2 is the standby. Hosts use the virtual IP 192.168.10.254 as their default gateway.

                         Upstream Network
                         (10.0.0.0/30 links)
                          |           |
                       Gi0/1       Gi0/1
                    ┌──────────┐ ┌──────────┐
                    │  R1      │ │  R2      │
                    │ HSRP     │ │ HSRP     │
                    │ Active   │ │ Standby  │
                    │Pri: 110  │ │Pri: 100  │
                    └──────────┘ └──────────┘
                       Gi0/0       Gi0/0
                    192.168.10.1  192.168.10.2
                          |           |
                    ══════════════════════════
                         192.168.10.0/24
                         LAN Switch
                              |
                           [PC1]
                    Default GW: 192.168.10.254
                    (HSRP Virtual IP — Group 10)

  Virtual IP  : 192.168.10.254
  Virtual MAC : 0000.0C07.AC0A  (group 10 = 0x0A)

Device	Interface	Real IP	HSRP Role	Priority
NetsTuts_R1	Gi0/0	192.168.10.1 /24	Active (intended)	110
NetsTuts_R2	Gi0/0	192.168.10.2 /24	Standby	100 (default)
Virtual Router	—	192.168.10.254 /24	Shared virtual gateway	—

3. Step 1 — Configure HSRP on NetsTuts_R1 (Active)

HSRP is configured at the interface level — not under a routing process. All HSRP commands are applied directly to the LAN interface that faces the hosts.

NetsTuts_R1>en
NetsTuts_R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

NetsTuts_R1(config)#interface GigabitEthernet0/0
NetsTuts_R1(config-if)#description LAN-HSRP-Primary
NetsTuts_R1(config-if)#ip address 192.168.10.1 255.255.255.0
NetsTuts_R1(config-if)#no shutdown

! ── HSRP Group 10 — Virtual IP ───────────────────────────
NetsTuts_R1(config-if)#standby 10 ip 192.168.10.254

! ── Set higher priority to become Active ─────────────────
NetsTuts_R1(config-if)#standby 10 priority 110

! ── Preempt — reclaim Active role after recovering ───────
NetsTuts_R1(config-if)#standby 10 preempt

! ── Optional: Tune Hello and Hold timers ─────────────────
NetsTuts_R1(config-if)#standby 10 timers 3 10

! ── Optional: Use HSRPv2 ─────────────────────────────────
NetsTuts_R1(config-if)#standby version 2

NetsTuts_R1(config-if)#exit
NetsTuts_R1(config)#end
NetsTuts_R1#wr
Building configuration...
[OK]
NetsTuts_R1#
%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 10 state Speak -> Active

The syslog message STATECHANGE: state Speak → Active confirms R1 has won the election and is now the Active HSRP router for group 10. Since R2 is not yet configured (or has lower priority), R1 takes Active by default. After completing both routers save the configuration with write memory.

HSRP Command Breakdown

Command	What It Does	Notes
`standby [group] ip [VIP]`	Defines the HSRP group number and virtual IP address	Group must match on both routers. VIP must be in the same subnet as the interface IP.
`standby [group] priority [value]`	Sets the HSRP priority for this router in this group (default 100)	Higher priority wins. Range 1–255. Both routers have default 100 if not set — IP address breaks the tie.
`standby [group] preempt`	Allows this router to forcibly reclaim the Active role when it comes online with a higher priority	Without preempt, a recovering router stays Standby even if it has higher priority
`standby [group] timers [hello] [hold]`	Customises Hello and Hold timers in seconds (default 3/10)	Must match on all routers in the group. Shorter timers = faster failover but more Hello traffic
`standby version 2`	Enables HSRPv2 on the interface	Must match version on both routers. HSRPv1 and v2 cannot coexist on the same group

4. Step 2 — Configure HSRP on NetsTuts_R2 (Standby)

R2 uses the same group number (10) and the same virtual IP (192.168.10.254). Its priority is left at the default (100) — lower than R1's 110 — ensuring R2 becomes Standby. Preempt is also configured on R2 so it can reclaim the Active role if R1 fails and later recovers while R2 is already Active.

NetsTuts_R2>en
NetsTuts_R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

NetsTuts_R2(config)#interface GigabitEthernet0/0
NetsTuts_R2(config-if)#description LAN-HSRP-Secondary
NetsTuts_R2(config-if)#ip address 192.168.10.2 255.255.255.0
NetsTuts_R2(config-if)#no shutdown

! ── Same group number and virtual IP as R1 ───────────────
NetsTuts_R2(config-if)#standby 10 ip 192.168.10.254

! ── Default priority 100 — lower than R1's 110 ───────────
NetsTuts_R2(config-if)#standby 10 priority 100

! ── Preempt so R2 can reclaim Active if R1 fails ─────────
NetsTuts_R2(config-if)#standby 10 preempt

NetsTuts_R2(config-if)#standby 10 timers 3 10
NetsTuts_R2(config-if)#standby version 2

NetsTuts_R2(config-if)#exit
NetsTuts_R2(config)#end
NetsTuts_R2#wr
Building configuration...
[OK]
NetsTuts_R2#
%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 10 state Speak -> Standby

R2 transitions to Standby — it hears R1's Hello packets, sees R1's priority of 110 is higher than its own 100, and settles into the backup role. The Standby router monitors the Active's Hellos on multicast 224.0.0.102 (HSRPv2).

5. Step 3 — Interface Tracking (HSRP Object Tracking)

A critical limitation of basic HSRP: R1 may remain Active even if its upstream interface fails — hosts continue sending traffic to R1, which cannot forward it upstream. Interface tracking solves this by automatically decrementing R1's HSRP priority when a tracked interface goes down, triggering a failover to R2:

! ── Step 1: Define a tracking object for R1's WAN interface
NetsTuts_R1(config)#track 1 interface GigabitEthernet0/1 line-protocol

! ── Step 2: Link the track object to HSRP ────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/0
NetsTuts_R1(config-if)#standby 10 track 1 decrement 20
NetsTuts_R1(config-if)#exit

If Gi0/1 (WAN/uplink) goes down on R1, the tracking object triggers and R1's HSRP priority drops by 20 — from 110 to 90. Since R2's priority (100) is now higher than R1's adjusted priority (90), and R2 has preempt enabled, R2 takes over as Active. When Gi0/1 recovers, R1's priority returns to 110 and preempt on R1 reclaims the Active role. For IP SLA as an alternative tracking mechanism see IP SLA Configuration & Tracking.

Tracking Logic Example

Condition	R1 Priority	R2 Priority	HSRP Active
Normal — all links up	110	100	✅ R1
R1's Gi0/1 (WAN) goes down	110 − 20 = 90	100	✅ R2 (preempts R1)
R1's Gi0/1 recovers	90 + 20 = 110	100	✅ R1 (preempts back)
R1 completely fails (power/crash)	—	100	✅ R2 (Hold timer expires)

6. HSRP Load Balancing — Multiple Groups

While HSRP only allows one Active router per group, you can create two HSRP groups on the same interface — making R1 Active for one group and R2 Active for the other. Half the hosts use one VIP and half use the other, effectively distributing load across both routers:

! ══ R1: Active for Group 10, Standby for Group 20 ════════
NetsTuts_R1(config)#interface GigabitEthernet0/0
NetsTuts_R1(config-if)#standby 10 ip 192.168.10.254
NetsTuts_R1(config-if)#standby 10 priority 110
NetsTuts_R1(config-if)#standby 10 preempt
NetsTuts_R1(config-if)#standby 20 ip 192.168.10.253
NetsTuts_R1(config-if)#standby 20 priority 90
NetsTuts_R1(config-if)#standby 20 preempt

! ══ R2: Standby for Group 10, Active for Group 20 ════════
NetsTuts_R2(config)#interface GigabitEthernet0/0
NetsTuts_R2(config-if)#standby 10 ip 192.168.10.254
NetsTuts_R2(config-if)#standby 10 priority 90
NetsTuts_R2(config-if)#standby 10 preempt
NetsTuts_R2(config-if)#standby 20 ip 192.168.10.253
NetsTuts_R2(config-if)#standby 20 priority 110
NetsTuts_R2(config-if)#standby 20 preempt

PC1 and PC2 use default gateway 192.168.10.254 (Group 10 — Active: R1). PC3 and PC4 use default gateway 192.168.10.253 (Group 20 — Active: R2). Both routers are simultaneously Active for different hosts — providing true load distribution. Each group still provides full redundancy: if R1 fails, R2 takes over Group 10 as well.

7. Verification

show standby — R1 (Active)

NetsTuts_R1#show standby
GigabitEthernet0/0 - Group 10 (version 2)
  State is Active
    6 state changes, last state change 00:03:21
  Virtual IP address is 192.168.10.254
  Active virtual MAC address is 0000.0C9F.F00A
    Local virtual MAC address is 0000.0C9F.F00A (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.568 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.10.2, priority 100 (expires in 8 sec)
  Priority 110 (configured 110)
  Group name is "hsrp-Gi0/0-10" (default)

Key fields: State is Active — R1 is forwarding. Virtual IP address is 192.168.10.254 — confirmed. Active virtual MAC is 0000.0C9F.F00A — HSRPv2 MAC for group 10. Standby router is 192.168.10.2 — R2 is the backup. Priority 110 — matches configured value. Preemption enabled — R1 will reclaim Active after failover.

show standby — R2 (Standby)

NetsTuts_R2#show standby
GigabitEthernet0/0 - Group 10 (version 2)
  State is Standby
    4 state changes, last state change 00:03:15
  Virtual IP address is 192.168.10.254
  Active virtual MAC address is 0000.0C9F.F00A
    Local virtual MAC address is 0000.0C9F.F00A (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.312 secs
  Preemption enabled
  Active router is 192.168.10.1, priority 110 (expires in 9 sec)
  Standby router is local
  Priority 100 (configured 100)
  Group name is "hsrp-Gi0/0-10" (default)

State is Standby — R2 is in backup mode. Active router is 192.168.10.1, priority 110 — R2 can see R1 is Active with priority 110 and its Hello expires in 9 seconds. Standby router is local — R2 acknowledges its own Standby role.

show standby brief — Quick Summary

NetsTuts_R1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State    Active          Standby         Virtual IP
Gi0/0       10   110 P Active   local           192.168.10.2    192.168.10.254

show standby brief is the quickest HSRP status check. One line per group per interface. The P in the Pri column confirms preempt is enabled. Active: local means this router is currently forwarding for the VIP.

Simulating a Failover — Shutdown R1's Interface

! ── Simulate R1 failure ───────────────────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/0
NetsTuts_R1(config-if)#shutdown

! ── On R2: observe state change ──────────────────────────
NetsTuts_R2#
%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 10 state Standby -> Active

NetsTuts_R2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State    Active          Standby         Virtual IP
Gi0/0       10   100 P Active   local           unknown         192.168.10.254

R2 transitions to Active after R1's Hold timer expires (10 seconds). PC1 continues forwarding traffic to 192.168.10.254 — now answered by R2. Hosts experience a brief outage equal to the Hold timer (10 seconds by default, 3 seconds with tuned timers).

Simulating Recovery — Restore R1

! ── Restore R1's interface ───────────────────────────────
NetsTuts_R1(config-if)#no shutdown

! ── R1 reclaims Active due to preempt + higher priority ──
NetsTuts_R1#
%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 10 state Speak -> Active

Because standby 10 preempt is configured on R1, it reclaims the Active role as soon as it comes back online with a higher priority (110 vs R2's 100). Without preempt, R2 would remain Active even after R1 returned.

show track — Verify Interface Tracking

NetsTuts_R1#show track 1
Track 1
  Interface GigabitEthernet0/1 Line Protocol
  Line protocol is Up
  1 change, last change 00:05:12
  Tracked by:
    HSRP GigabitEthernet0/0 10

Track object 1 monitors Gi0/1 (the WAN/uplink). Status shows Line protocol is Up — currently healthy. The "Tracked by" line confirms it is linked to HSRP group 10 on Gi0/0.

Verification Command Summary

Command	What It Shows	Primary Use
`show standby`	Full HSRP status — state, VIP, virtual MAC, timers, priority, preempt, Active/Standby addresses	Primary HSRP verification command
`show standby brief`	One-line summary per group — state, Active IP, Standby IP, VIP, preempt flag	Quick health check across multiple groups
`show track [number]`	Status of tracked objects and which HSRP groups are linked to them	Verify interface tracking is working correctly
`show standby [int] [group]`	Filtered to a specific interface and group	Multi-group environments — check one group at a time
`show logging`	HSRP state change events with timestamps — STATECHANGE syslog messages	Post-incident analysis of failover timing
`show ip route` / `show ip route`	Confirm upstream routing is intact on the Active router	Verify the Active router can actually reach upstream networks

8. Troubleshooting HSRP Issues

Problem	Symptom	Cause	Fix
Both routers show Active state	`show standby` on both R1 and R2 says "State is Active"	HSRP Hello packets are not reaching between routers — Layer 2 connectivity issue, or different HSRP versions (v1 vs v2 on same group) preventing communication	Verify L2 connectivity with `ping 192.168.10.2` from R1. Check HSRP version matches on both routers with `show standby`. See show interfaces for L2 errors and Troubleshooting Layer 2 VLANs & Trunks
Higher-priority router stays Standby	R1 has priority 110 but R2 (priority 100) remains Active after R1 comes back	`preempt` is not configured on R1 — it cannot force itself Active even with higher priority	Add `standby [group] preempt` on R1. Verify with `show standby` — "Preemption enabled" must appear
Failover not occurring when WAN fails	R1's Gi0/1 (WAN) is down but R1 remains Active — traffic black hole	Interface tracking not configured — HSRP only monitors Hello packets, not upstream reachability	Configure tracking: `track 1 interface Gi0/1 line-protocol` and `standby 10 track 1 decrement 20` on R1
VIP not responding to ARP	Hosts cannot reach the virtual IP — ARP for 192.168.10.254 gets no reply	No HSRP group is in Active state — both routers may be in Speak or Listen state	Check `show standby brief` on both routers — at least one must show Active. Check IP addresses and group numbers match
HSRP version mismatch	Both routers configured with correct parameters but neither reaches Active/Standby	One router uses `standby version 2` and the other uses default (version 1) — they communicate on different multicast addresses	Ensure both routers use the same HSRP version: either both use `standby version 2` or both leave version at default (v1). Check with `show standby` — version shown in parentheses
Frequent HSRP flapping	STATECHANGE syslog messages cycling rapidly — Active and Standby keep switching	Hello packets being dropped — high CPU, congested link, or mismatched timers between routers	Verify timer settings match on both routers. Check CPU load with `show processes cpu`. Consider increasing Hold timer to reduce sensitivity to occasional Hello delays

Key Points & Exam Tips

HSRP creates a virtual router with a shared virtual IP and virtual MAC. Hosts use the virtual IP as their default gateway — they never need to know which physical router is currently Active.
The Active router forwards all traffic. The Standby router monitors via Hello packets and takes over when the Active's Hold timer expires (default 10 seconds).
HSRP priority determines which router becomes Active — higher wins (default 100). Equal priorities cause the router with the higher interface IP to win.
Preempt must be explicitly configured to allow a higher-priority router to reclaim the Active role after recovering. Without preempt, the current Active keeps the role regardless of priority.
HSRP virtual MAC format for version 1: 0000.0C07.ACxx. For version 2: 0000.0C9F.Fxxx. The last bytes encode the group number in hex.
Interface tracking (track + standby track decrement) is essential in production — it triggers a failover when the Active router's uplink fails, not just when the router itself fails.
HSRP uses multicast 224.0.0.2 (v1) or 224.0.0.102 (v2) for Hello packets. Both routers must use the same version or communication fails.
Multiple HSRP groups on the same interface enable load balancing — R1 is Active for Group 10, R2 is Active for Group 20. Different hosts are configured with different VIPs.
show standby brief is the fastest verification — one line per group showing state, Active IP, Standby IP, VIP, and preempt flag (P).
On the CCNA exam: know HSRP is Cisco proprietary (VRRP is the open standard), the Active/Standby roles, priority and preempt behaviour, and the O*E2 default route is separate from HSRP — HSRP is Layer 2/3 gateway redundancy, not routing protocol redundancy.

Next Steps: With default gateway redundancy in place, continue to DHCP Server Configuration to ensure hosts receive the HSRP virtual IP as their default gateway automatically, combined with DHCP Relay Agent for multi-subnet deployments. For routing protocol redundancy on the upstream links, revisit OSPF Single-Area Configuration, OSPF Multi-Area Configuration, and Default Route Redistribution into OSPF. For redundant Layer 2 uplinks to complement HSRP see EtherChannel LACP. For open-standard alternatives see VRRP & GLBP.

TEST WHAT YOU LEARNED

1. R1 and R2 are both configured with HSRP group 10. R1 has priority 120, R2 has priority 100. Neither has preempt configured. R2 came online first and is currently Active. What happens when R1 comes online?

A. R1 immediately takes over as Active because its priority (120) is higher than R2's (100) B. R1 and R2 negotiate and split the Active role between them C. R1 becomes Standby and a new election is forced after 30 seconds D. R1 becomes Standby and R2 remains Active — without preempt, the current Active keeps its role regardless of priority. R1 must have preempt configured to forcibly reclaim the Active role

Correct answer is D. HSRP elections only occur when no Active router is present. Once an Active router is elected, it keeps that role until its Hold timer expires or a higher-priority router with preempt configured comes online. Without standby [group] preempt on R1, it sees R2 is already Active and simply becomes Standby — even though R1 has higher priority. Preempt is the key: with it, R1 would send a coup Hello and force R2 to become Standby.

2. What is the HSRP virtual MAC address for group 10 using HSRPv1?

A. 0000.0C9F.F00A — the HSRPv1 MAC for group 10 B. 0000.0C07.AC0A — HSRPv1 MAC format is 0000.0C07.ACxx where xx is the group number in hex (10 decimal = 0x0A) C. 0007.B400.000A — this is a GLBP virtual MAC format D. 0000.5E00.010A — this is the VRRP virtual MAC for group 10

Correct answer is B. HSRPv1 virtual MAC addresses follow the format 0000.0C07.ACxx where the last byte (xx) is the HSRP group number in hexadecimal. Group 10 decimal = 0x0A, so the virtual MAC is 0000.0C07.AC0A. HSRPv2 uses a different format: 0000.0C9F.Fxxx where the last 12 bits represent the group number. VRRP uses 0000.5E00.01xx and GLBP uses 0007.B400.xxyy — knowing these MAC formats is a common CCNA exam question.

3. R1 is the HSRP Active router for group 10 on Gi0/0 (facing the LAN). R1's WAN uplink (Gi0/1) goes down. Hosts complain they cannot reach the internet. What configuration would have prevented this?

A. Interface tracking — track 1 interface GigabitEthernet0/1 line-protocol linked to standby 10 track 1 decrement 20. This decrements R1's priority when Gi0/1 fails, causing R2 (with preempt) to take over as Active B. Configuring OSPF on R1's LAN interface — OSPF would detect the uplink failure and reroute automatically C. Setting R1's HSRP priority to 255 — maximum priority forces a faster failover D. Using HSRPv2 instead of v1 — v2 monitors all interfaces automatically

Correct answer is A. HSRP by default only monitors Hello packets on the LAN interface — it has no awareness of whether the Active router can actually reach upstream networks. If R1's WAN uplink fails, R1 remains Active (its LAN interface is still up) but cannot forward traffic to the internet. Interface tracking with the track command creates a link between the WAN interface health and HSRP priority. When Gi0/1 goes down, the decrement reduces R1's priority below R2's, triggering R2 (which has preempt) to take over as Active.

4. Both R1 and R2 show "State is Active" in `show standby`. What is this condition called and what is the most likely cause?

A. HSRP split-brain — occurs when both routers have preempt enabled simultaneously B. Dual Active — a normal HSRP load balancing state C. HSRP split-brain — both routers think they are Active because Hello packets are not reaching between them. Each router's Hold timer expired without hearing the other, so each claimed the Active role independently D. Priority tie — both routers have identical priority and are both forwarding to achieve ECMP

Correct answer is C. When HSRP Hello multicast packets cannot travel between R1 and R2 (due to a switch misconfiguration, VLAN mismatch, or failed link), each router's Hold timer eventually expires without hearing the other's Hello. Without a Standby router's Hellos, each router independently claims the Active role — this is HSRP split-brain. Both routers respond to ARP for the virtual IP, causing MAC address flapping on the switch and unpredictable traffic forwarding. Fix the L2 connectivity issue and both routers will re-elect correctly.

5. An engineer configures two HSRP groups on the same interface — Group 10 (VIP: .254) and Group 20 (VIP: .253). R1 is Active for Group 10 and R2 is Active for Group 20. PC1 uses .254 and PC2 uses .253 as their gateway. What is the purpose of this design?

A. It provides faster failover — two groups converge twice as fast as one B. It allows HSRP to support more than 255 hosts on the subnet C. It is required for HSRPv2 — v2 mandates two groups per interface D. Load balancing — both routers are simultaneously active for different hosts. PC1's traffic goes through R1 and PC2's through R2, utilising both uplinks at once while still providing full redundancy if either router fails

Correct answer is D. HSRP only allows one Active router per group — meaning one physical router handles all traffic for that VIP. To use both routers simultaneously, the network admin creates two groups with different VIPs and configures half the hosts to use each VIP. R1 is Active for Group 10 and Standby for Group 20; R2 is Active for Group 20 and Standby for Group 10. This distributes load across both routers. If either fails, the other's preempt kicks in and takes over both groups, providing full redundancy with simultaneous load distribution.

6. What is the default HSRP Hold timer and what does it determine?

A. 10 seconds — the Standby router waits 10 seconds after the last received Hello from the Active before declaring it failed and taking over. This defines the maximum failover time under normal circumstances B. 30 seconds — the Hold timer matches the RIP update interval for consistency C. 3 seconds — same as the Hello interval to ensure immediate detection D. 40 seconds — same as OSPF Dead timer so both protocols fail over simultaneously

Correct answer is A. HSRP default timers are Hello = 3 seconds and Hold = 10 seconds. The Hold timer is the maximum time the Standby router waits without receiving a Hello from the Active before declaring it dead and transitioning to Active itself. With default timers, worst-case failover is approximately 10 seconds (one Hold timer expiry). Tuning to 1/3 seconds reduces this to 3 seconds. Both timers must match between all routers in the HSRP group.

7. What is the key difference between HSRP and VRRP?

A. VRRP supports preempt and HSRP does not B. HSRP supports more than 2 routers per group but VRRP is limited to 2 C. HSRP is Cisco-proprietary (only works on Cisco devices). VRRP (RFC 5798) is an open IEEE standard that works across multiple vendors — HSRP and VRRP also use different virtual MAC formats and multicast addresses D. VRRP uses hop count as its election metric while HSRP uses priority values

Correct answer is C. The most fundamental difference is standards compliance: HSRP is a Cisco-proprietary protocol — it only works between Cisco devices. VRRP (RFC 5798, formerly RFC 3768) is an open IEEE standard implemented by virtually all network vendors, making it the choice for multi-vendor environments. Functionally they are similar — both provide virtual IP/MAC redundancy with Active/Master and Standby/Backup roles. Key differences: HSRP uses 224.0.0.2/224.0.0.102, VRRP uses 224.0.0.18. VRRP virtual MAC: 0000.5E00.01xx. VRRP preempts by default (unlike HSRP where it must be explicitly enabled).

8. R1 (HSRP Active, priority 110) has interface tracking configured with `decrement 20`. R1's tracked WAN interface goes down. What is R1's new effective priority and what happens next if R2 has priority 100 and preempt enabled?

A. R1's priority drops to 0 and R2 becomes Active immediately B. R1's priority becomes 110 − 20 = 90. Since R2's priority (100) is now higher and R2 has preempt, R2 sends a coup Hello and takes over as Active. Traffic shifts to R2 within one Hold timer interval C. R1's priority drops to 90 but the change only takes effect at the next HSRP election cycle — no immediate failover D. R1's priority drops to 90 but R2 cannot preempt unless R1's Hold timer also expires

Correct answer is B. When the tracked interface goes down, R1's HSRP priority is immediately decremented by the configured value (20), dropping from 110 to 90. R1 advertises this new priority in its next Hello packet. R2 receives the Hello, compares priorities (R2: 100 > R1: 90), and since R2 has preempt enabled, it sends a coup Hello claiming the Active role. R1 accepts the coup and transitions to Standby. The entire failover happens within one Hold timer period after the priority change is communicated.

9. A PC is configured with default gateway 192.168.10.254 (the HSRP VIP). The Active router fails and R2 takes over. Does the PC need to send a new ARP request for 192.168.10.254?

A. Yes — the PC must ARP again because the MAC address behind 192.168.10.254 has changed from R1's to R2's MAC B. Yes — the PC detects the failover and automatically sends a gratuitous ARP to update its cache C. No — but the PC must reload its TCP sessions because the forwarding path has changed D. No — the virtual MAC address (0000.0C07.ACxx) stays the same regardless of which physical router is Active. R2 takes ownership of the same virtual MAC when it becomes Active. The PC's ARP cache entry for 192.168.10.254 remains valid

Correct answer is D. This is the core value of HSRP's virtual MAC address. The PC's ARP cache maps 192.168.10.254 to the virtual MAC (e.g., 0000.0C07.AC0A for group 10). When R2 takes over as Active, it immediately begins responding to traffic destined for this same virtual MAC — R2 "owns" the virtual MAC address now. The PC has no awareness that the physical router has changed. It continues sending frames to 0000.0C07.AC0A which are now received and forwarded by R2 instead of R1. No ARP re-request is needed.

10. Which command provides the fastest single-line-per-group summary of HSRP state, showing Active/Standby IP addresses, VIP, and whether preempt is configured?

A. show standby B. show track C. show standby brief D. show ip interface brief

Correct answer is C. show standby brief produces a compact table — one row per HSRP group per interface — showing interface, group number, priority, preempt flag (P), current state (Active/Standby/Listen), Active router IP, Standby router IP, and virtual IP. It is the go-to command for a rapid health check, especially on routers with multiple HSRP groups. show standby (without brief) provides much more detail per group but is harder to read quickly across multiple groups.

Back to Home