CCIE Wireless · CCIEW Lab · CCIEW Written

CCIEW – 2.1.e HSRP

N.B. All configurations are based off the lab build seen in the introduction post.

Hot Standby Router Protocol (HSRP) is one of three First Hop Redundancy Protocols covered in the CCNP R&S and, fortunately for our memories, is the only one required for the CCIE Wireless lab. In a nutshell this Cisco proprietary protocol allows two or more layer 3 devices to share an IP Address such as a gateway in an active/standby setup for redundancy. The devices do this by creating a virtual MAC address and either router will respond to ARP requests using that layer 2 MAC address.

Each interface requires a unique entry in the same subnet as the gateway IP so that is a minimum of 3 address (gateway + 1 unique IP per device) to setup HSRP.

HSRP Setup
HSRP Setup

Priority and Preemption

Each interface has a priority with the default being 100. If they are both left at default, the interface with the highest IP Address becomes the Active one. If different, the higher priority wins out and that interface will be the Active one.

Preemption permits the devices to ‘seize control’ of the Active role should their interface be the highest priority. For example, Routers A and B may be configured with HSRP; A as the active router with a priority of 100 and B as the default with a priority of 90. If Router A goes down, B will takeover but once A comes back the preempt command will allow it to take control of the Active role once again. Without preemption, B would remain active until another disruption/outage caused a change of role.

Enabling preemption is common as you will always know which interface is supposed to be Active but in a scenario like above this can sometimes be detrimental if Spanning-Tree and Routing Paths haven’t converged yet. To give time for this it is also common to put a delay timer on the preemption so the devices can re-calculate Layer 2/3 paths prior to an Active role change.


Using the above scenario, Routers A and B might also have a dedicated link out to the Internet which doesn’t have any redundancy like HSRP or a routing protocol on it e.g. Serial 0/0/0. To ensure minimum disruption, you may want to have Router A track whether its link goes down to the Internet and, if so, decrement the priority on its HSRP link enough so Router B will immediately seize the Active role and all traffic will flow through the most appropriate path.

Once Router A’s serial interface connectivity is restored and assuming preemption is enabled, it will then re-take the Active role.


This is simply to protect the network from any malicious attacks from the inside, which is the most common source of successful attacks and data breaches. You can apply clear text or MD5 encryption to each HSRP group.


There are two versions (1+2) of HSRP and backwards compatibility is not an option as they differ in particular ways that make this  impossible. That said, you can run both version on the same device by applying a per-interface version command.

I don’t think it is critical to know these features in detail but a version discrepancy may come up as part of troubleshooting. Here are the Version 2 features:

  1. Extends the group numbers from 0-255 to 0-4095.
  2. Uses a different multicast address ( instead fo to ensure no conflic with Cisco CGMP Protocol.
  3. Has different packet format that contains additional information such as the physical interface MAC that is communicating on behalf of the virtual MAC. This is ideal for troubleshooting.
  4. Allows for millisecond hello timers which were previously limited to seconds. This allows for fine tuning in extremely low latency environments like modern day data centres.
  5. Supports IPv6


HSRP Version Comparison

Configuring HSRP

HSRP is enabled at the interface level. For this lab I’ll make VLAN 20

Note: I’ve had to enable IP Routing on Rip-3560-2 to allow multiple SVIs on this switch. Most of the lab switches will be setup like this so that’s not an issue.

Enable IP Routing
Enable IP Routing


Currently the only interfaces with IPs are on Rip-3560-1 and for VLAN 20 it holds the gateway address of I’m concerned this switch may go down at some point and I want to build in some resiliency. To this I will build a config with the following characteristics:

  1. Configure HSRP for VLAN 20 on both switches
  2. Setup Rip-3560-1 as the active and Rip-3560-2 as the standby
  3. Basic authentication between the devices
  4. Hello timers in milliseconds
  5. Enable preemption with a delay of 5 minutes
  6. Enable tracking on VLAN 30 with a failover if it goes down
  7. Ensure Rip-3560-1 is always active if it is available

Rip-3560-1 Config

As no group number was specified I am going to use the same as the VLAN number (20). Most commands must then reference this number or they will apple to a default standby group of 0. This could cause confusion later on when troubleshooting as well as having two different standby configs on the same interface.

interface Vlan20
ip address –  This is required so the gateway IP can be used later and must be in the same subnet.
standby version 2 – Enable the version to use for this interface only
standby 20 ip – Setting the shared gateway IP
standby 20 timers msec 50 msec 100 – Enabling sub-second timers
standby 20 preempt delay minimum 300 – Enabling preemption with a 5 minute delay
standby 20 authentication md5 key-string hsrpkey – Enabling MD5 auth
standby 20 track vlan 30 50 – Enabling a track on vlan 30 with a priority decrement of 50 if it goes down
standby 20 priority 110 Setting a high priority so it is the active interface

Active Device Config (Rip-3560-1)
Active Device Config (Rip-3560-1)

Rip-3560-2 Config

Almost identical with a few differences:

interface Vlan20
ip address  Must be unique but still in the same subnet
standby version 2
standby 20 ip
standby 20 timers msec 50 msec 100
standby 20 priority 90
standby 20 preempt – No delay required here
standby 20 authentication md5 key-string hsrpkey

Standby Config (Rip-3560-2)
Standby Config (Rip-3560-2)


The switch will immediately inform of the HSRP interface  going active via logging and this can be verified with the show standby brief command.

show standby brief
show standby brief

For a more in-depth verify use show standby all.

Show standby all
Show standby all

Testing Tracking

I’ll shutdown interface VLAN 30 on Rip-3560-1 to see if this affects the HSRP priority. In theory it should decrement by 50 as per the config. This can then be verified via one of the above commands if you aren’t logging to your terminal/console session. In the config below we can see an immediate HSRP change after the interface is shutdown and a subsequent verification shows the Active has become the Standby and now has a priority of 60 as a result of the decrement applied by VLAN 30 going down.



If I re-enable VLAN30 Rip-3560-1 should become the active after 300 seconds / 5 minutes.


debug standby events
show standby all
show standby brief

Anticipated Questions

  1. Configure HSRP with a group of 300.
  2. Configure HSRP with encrypted authentication.
  3. Configure HSRP so only one failover occurs during an incident even if the failed device recovers.
  4. Configure HSRP so Switch A is active for VLANs 10, 20 and Switch B is active for Vlans 30,40.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.