Hot Standby Router Protocol (HSRP) is one of the most popular First Hop Redundancy Protocols (FHRP) and it is a Cisco proprietary. The FHRP allows a router on a LAN segment to automatically take over if another one fails. Today, in this lesson we will learn how to configure HSRP on Cisco IOS.

We will be following below network topology to implement our HSRP.

Basic HSRP configuration
How to configure HSRP on Cisco

First of all, let’s configure IP address on WAN interfaces. In this case, “interface gigabitEthernet 0/0” is the WAN interface for both routers.

RTR-01#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
RTR-01(config)#
RTR-01(config)#interface gigabitEthernet 0/0
RTR-01(config-if)#ip address 103.21.40.2 255.255.255.252
RTR-01(config-if)#no shutdown  
RTR-01(config-if)#exit
RTR-01(config)#
RTR-02#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
RTR-02(config)#
RTR-02(config)#interface gigabitEthernet 0/0
RTR-02(config-if)#ip add 59.152.100.2 255.255.255.0
RTR-02(config-if)#no shutdown 
RTR-02(config-if)#exit
RTR-02(config)#

Before configuring the LAN interface, make sure you have minimum 3 available IP addresses and they are same network IP.

Here is the ip addressing on LAN interface.

RTR-01(config)#interface gigabitEthernet 0/1
RTR-01(config-if)#ip address 10.1.1.2 255.255.255.248
RTR-01(config-if)#no shutdown
RTR-02(config)#interface gigabitEthernet 0/1
RTR-02(config-if)#ip add 10.1.1.3 255.255.255.248
RTR-02(config-if)#no shutdown

In the final HSRP configuration section we need to specify the virtual IP address and its priority. We need to configure it on the LAN interfaces.

RTR-01(config)#interface gigabitEthernet 0/1
RTR-01(config-if)#standby 1 ip 10.1.1.1
RTR-01(config-if)#standby 1 priority 250
RTR-01(config-if)#
RTR-02(config)#interface gigabitEthernet 0/1
RTR-02(config-if)#standby 1 ip 10.1.1.1
RTR-02(config-if)#standby 1 priority 150
RTR-02(config-if)#

We can verify our HSRP using “show standby” command.

RTR-01#show standby 
GigabitEthernet0/1 - Group 1
  State is Active
    2 state changes, last state change 00:02:42
  Virtual IP address is 10.1.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.656 secs
  Preemption disabled
  Active router is local
  Standby router is 10.1.1.3, priority 150 (expires in 11.440 sec)
  Priority 250 (configured 250)
  Group name is "hsrp-Gi0/1-1" (default)
RTR-01#
RTR-02#show standby 
GigabitEthernet0/1 - Group 1
  State is Standby
    1 state change, last state change 00:00:48
  Virtual IP address is 10.1.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.056 secs
  Preemption disabled
  Active router is 10.1.1.2, priority 250 (expires in 8.928 sec)
  Standby router is local
  Priority 150 (configured 150)
  Group name is "hsrp-Gi0/1-1" (default)
RTR-02#

Let’s trace from our user PC.

C:\>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1   123 ms     1 ms     1 ms  10.1.1.2
  2   227 ms     1 ms     1 ms  103.21.40.1
  3     1 ms     1 ms     3 ms  ***********
  4     3 ms     4 ms     6 ms  ***********
  5     3 ms     3 ms     2 ms  8.8.8.8

To fall back test, we need to shutdown gigabitEthernet 0/1 interface in RTR-01. And then trace again.

C:\>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1   165 ms     1 ms     1 ms  10.1.1.3
  2   227 ms     2 ms     1 ms  59.152.100.1
  3     1 ms    <1 ms     5 ms  ***********
  4     2 ms     2 ms     2 ms  ***********
  5     3 ms     2 ms     3 ms  8.8.8.8

In RTR-02, “show standby” command also shows HSRP status change –

RTR-02#show standby
GigabitEthernet0/1 - Group 1
  State is Active
    2 state changes, last state change 00:02:10
  Virtual IP address is 10.1.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.672 secs
  Preemption disabled
  Active router is local
  Standby router is unknown
  Priority 150 (configured 150)
  Group name is "hsrp-Gi0/1-1" (default)
RTR-02#

So, this is the basic configuration. Let’s move to advance.

Advanced configuration

HSRP Preempt:

If you want to make a Router always active whenever it is UP and Functional. To do so, we need to enable preemption mechanism.

RTR-01(config)#interface gigabitEthernet 0/1
RTR-01(config-if)#standby 1 preempt 
RTR-01(config-if)#exit
RTR-01(config)#
RTR-02(config)#interface gigabitEthernet 0/1
RTR-02(config-if)#standby 1 preempt 
RTR-02(config-if)#exit
RTR-02(config)#

If you want to wait some time before preempting, you can do that by following command-

RTR-01(config-if)#standby 1 preempt delay minimum 60

RTR-02(config-if)#standby 1 preempt delay minimum 60
RTR-01#show standby 
GigabitEthernet0/1 - Group 1
  State is Init (interface down)
    3 state changes, last state change 02:50:43
  Virtual IP address is 10.1.1.1
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption enabled
  Active router is unknown
  Standby router is unknown
  Priority 250 (configured 250)
  Group name is "hsrp-Gi0/1-1" (default)
RTR-01#

Standby Track Configuration:

We want to switch our traffic to the second router (RTR-02) whenever our wan interface (gig-0/0) is down. So we need to track it. It needs to be configured on first router (RTR-01).

RTR-01#configure terminal 
RTR-01(config)#track 1 interface gigabitEthernet 0/0 ip routing 
RTR-01(config-track)#exit
RTR-01(config)#

Here we have created a track named “1” to track gigabitEthernet 0/0 interface. Now, time to implement it.

RTR-01(config)#interface gigabitEthernet 0/1 
RTR-01(config-if)#standby 1 track 1 decrement 150
RTR-01(config-if)#exit
RTR-01(config)#

Whenever the link is down, the HSRP priority will be 100 (250-150=100), because we already set our priority for RTR-01 is 250.

RTR-01#show standby
GigabitEthernet0/1 - Group 1
  State is Init (interface down)
    3 state changes, last state change 03:27:46
  Virtual IP address is 10.1.1.1
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption enabled, delay min 60 secs
  Active router is unknown
  Standby router is unknown
  Priority 250 (configured 250)
    Track object 1 state Up decrement 150
  Group name is "hsrp-Gi0/1-1" (default)
RTR-01#

Load-Balancing with HSRP:

To do the load balance, we need to configure two HSRP groups (number of group depends on number of routers). Here for HSRP group 1, RTR-01 is active which has higher priority and for HSRP group 2, RTR-02 is the active which has a higher priority.

RTR-01#configure terminal
RTR-01(config)#interface gigabitEthernet 0/1 
RTR-01(config-if)#ip address 10.1.1.2 255.255.255.0
RTR-01(config-if)#standby 1 ip 10.1.1.1
RTR-01(config-if)#standby 1 priority 150
RTR-01(config-if)#standby 1 preempt
RTR-01(config-if)#standby 2 ip 10.1.1.4
RTR-01(config-if)#standby 2 priority 110
RTR-01(config-if)#standby 2 preempt
RTR-01(config-if)#exit
RTR-01(config)#end
RTR-01#
RTR-02#configure terminal
RTR-02(config)#interface gigabitEthernet 0/1 
RTR-02(config-if)#ip address 10.1.1.3 255.255.255.0
RTR-02(config-if)#standby 1 ip 10.1.1.1
RTR-02(config-if)#standby 1 priority 110
RTR-02(config-if)#standby 1 preempt
RTR-02(config-if)#standby 2 ip 10.1.1.4
RTR-02(config-if)#standby 2 priority 150
RTR-02(config-if)#standby 2 preempt
RTR-02(config-if)#exit
RTR-02(config)#end
RTR-02#

We can use “show standby” command to verify it.

RTR-01#show standby 
GigabitEthernet0/1 - Group 1
  State is Active
    4 state changes, last state change 00:00:24
  Virtual IP address is 10.1.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.080 secs
  Preemption enabled
  Active router is local
  Standby router is 10.1.1.3, priority 110 (expires in 11.808 sec)
  Priority 150 (configured 150)
  Group name is "hsrp-Gi0/1-1" (default)
GigabitEthernet0/1 - Group 2
  State is Standby
    1 state change, last state change 00:00:16
  Virtual IP address is 10.1.1.4
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.080 secs
  Preemption enabled
  Active router is 10.1.1.3, priority 150 (expires in 11.360 sec)
  Standby router is local
  Priority 110 (configured 110)
  Group name is "hsrp-Gi0/1-2" (default)
RTR-01#

HSRP Timers

If you want to lower down the shifting timer, then you need to modify the HSRP timer. By default, it will be shifted after 10s.

RTR-01#show standby 
GigabitEthernet0/1 - Group 1
  State is Active
    1 state change, last state change 00:01:18
  Virtual IP address is 10.1.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.088 secs
  Preemption enabled
  Active router is local
  Standby router is 10.1.1.3, priority 110 (expires in 9.248 sec)
  Priority 150 (configured 150)
  Group name is "hsrp-Gi0/1-1" (default)
RTR-01#

So, let’s change it –

RTR-01(config)#interface gigabitEthernet 0/1 
RTR-01(config-if)#standby 1 timers 1 3
RTR-01(config-if)#end
RTR-01#

We can verify it –

RTR-01#show standby 
GigabitEthernet0/1 - Group 1
  State is Active
    1 state change, last state change 00:04:07
  Virtual IP address is 10.1.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 1 sec, hold time 3 sec
    Next hello sent in 0.368 secs
  Preemption enabled
  Active router is local
  Standby router is 10.1.1.3, priority 110 (expires in 3.120 sec)
  Priority 150 (configured 150)
  Group name is "hsrp-Gi0/1-1" (default)
RTR-01#

HSRP Authentication:

If we want to authenticate our HSRP, then we need to do the following –

Plain text –

RTR-02#configure terminal
RTR-02(config)#interface gigabitEthernet 0/1
RTR-01(config-if)#standby 1 authentication cisco
RTR-01(config-if)#

RTR-02#configure terminal
RTR-02(config)#interface gigabitEthernet 0/1
RTR-02(config-if)#standby 1 authentication cisco
RTR-02(config-if)#

MD5 –

RTR-02#configure terminal
RTR-02(config)#interface gigabitEthernet 0/1
RTR-01(config-if)#standby 1 authentication md5 key-string cisco
RTR-01(config-if)#

RTR-02#configure terminal
RTR-02(config)#interface gigabitEthernet 0/1
RTR-02(config-if)#standby 1 authentication md5 key-string cisco
RTR-02(config-if)#

“Show standby” is the command to verify it.

RTR-01#show standby 
GigabitEthernet0/1 - Group 1
  State is Active
    1 state change, last state change 00:19:46
  Virtual IP address is 10.1.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 1 sec, hold time 3 sec
    Next hello sent in 0.752 secs
  Authentication MD5, key-string
  Preemption enabled
  Active router is local
  Standby router is 10.1.1.3, priority 110 (expires in 2.432 sec)
  Priority 150 (configured 150)
  Group name is "hsrp-Gi0/1-1" (default)
RTR-01#

Troubleshooting

If there is any issue in HSRP, then following command may help to identify it.

  • debug standby errors
  • debug standby events
  • debug standby packets
  • debug standby terse

Written by Rajib Kumer Das

I am Rajib Kumer Das, a network engineer with 7+ years of experience in multi-vendor environment. In my current company, I am responsible to take care critical projects and it's support cases. I do have several vendor certificates and have plans to go further.

Leave a Comment

Your email address will not be published. Required fields are marked *