Introduction
First Hop Redundancy Protocols (FHRPs) ensure default-gateway availability when a Layer 3 switch or router fails. Cisco supports three main FHRPs: Hot Standby Router Protocol (HSRP) — a Cisco-proprietary protocol, Virtual Router Redundancy Protocol (VRRP) — an IETF standard (RFC 5798), and Gateway Load Balancing Protocol (GLBP). This run book focuses on the two most widely deployed: HSRP and VRRP, with production configurations, verification, and troubleshooting for IOS and IOS-XE.
1 — HSRP vs VRRP: Key Differences at a Glance
| Feature | HSRP | VRRP |
|---|---|---|
| Standard | Cisco proprietary | IETF RFC 5798 |
| Virtual MAC (v2/v3) | 0000.0c9f.fXXX | 0000.5e00.01XX |
| Default Priority | 100 | 100 |
| Preemption Default | Disabled | Enabled |
| Hello / Hold Timers | 3 s / 10 s | 1 s / 3× hello |
| Multicast Address (IPv4) | 224.0.0.2 (v1) / 224.0.0.102 (v2) | 224.0.0.18 |
| Group Range | 0-255 (v1), 0-4095 (v2) | 0-255 (v2), 1-255 (v3) |
| IPv6 Support | HSRPv2 | VRRPv3 |
2 — Lab Topology
All examples use the following topology:
              +--- sw-infrarunbook-01 (Active / Master) ---+
              |              Gi1/0/1 — Uplink              |
Clients ------+           VLAN 10: 10.10.10.0/24           +---- Core / WAN
              |              Gi1/0/1 — Uplink              |
              +--- sw-infrarunbook-02 (Standby / Backup) --+
Virtual IP: 10.10.10.1
sw-infrarunbook-01 real IP: 10.10.10.2
sw-infrarunbook-02 real IP: 10.10.10.3
3 — HSRP Version 1 — Basic Configuration
3.1 — sw-infrarunbook-01 (Active)
hostname sw-infrarunbook-01
!
interface Vlan10
description infrarunbook-prod gateway
ip address 10.10.10.2 255.255.255.0
standby version 1
standby 10 ip 10.10.10.1
standby 10 priority 110
standby 10 preempt
standby 10 timers 3 10
standby 10 authentication infrarunbook
no shutdown
3.2 — sw-infrarunbook-02 (Standby)
hostname sw-infrarunbook-02
!
interface Vlan10
description infrarunbook-prod gateway
ip address 10.10.10.3 255.255.255.0
standby version 1
standby 10 ip 10.10.10.1
standby 10 priority 90
standby 10 preempt
standby 10 timers 3 10
standby 10 authentication infrarunbook
no shutdown
Key points:
- priority 110 on sw-infrarunbook-01 wins the election (default is 100).
- preempt allows the higher-priority router to reclaim Active when it recovers.
- authentication uses plain-text in v1 — for production, prefer HSRPv2 with MD5.
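Why plain-text authentication is weak, shown as an added Python example (not part of the original run book): it decodes the 20-byte HSRPv1 message defined in RFC 2281, where the authentication string is readable in every message, and flags messages for the group that come from senders outside the expected peer set. The captures, the string runbook and the address 10.10.10.50 are constructed sample values, and the function names are hypothetical.

```python
import struct

# HSRPv1 message (RFC 2281), carried in UDP port 1985: eight 1-byte fields,
# 8 bytes of authentication data, then the 4-byte virtual IP.
HSRP_V1 = struct.Struct("!8B8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode one HSRPv1 UDP payload into named fields."""
    if len(payload) < HSRP_V1.size:
        raise ValueError("truncated HSRPv1 payload")
    ver, op, state, hello, hold, prio, group, _, auth, vip = HSRP_V1.unpack_from(payload)
    if ver != 0:  # RFC 2281 defines version 0
        raise ValueError(f"unexpected HSRP version field {ver}")
    return {
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hello": hello, "hold": hold, "priority": prio, "group": group,
        # Plain-text authentication travels unencrypted in every message.
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "vip": ".".join(str(b) for b in vip),
    }

def review_message(src_ip: str, payload: bytes, peers: set, group: int, vip: str) -> list:
    """Return findings for one captured message; an empty list means expected."""
    msg = parse_hsrp_v1(payload)
    if msg["group"] != group or msg["vip"] != vip:
        return []  # a different HSRP group, not the one under review
    findings = []
    if src_ip not in peers:
        findings.append(f"unexpected sender {src_ip} for group {group}")
        if msg["opcode"] == "Coup" or msg["state"] == "Active":
            findings.append(f"{src_ip} claims the Active role (priority {msg['priority']})")
    return findings

# Constructed captures (not from the page): (source IP, UDP payload as hex).
PEERS = {"10.10.10.2", "10.10.10.3"}
CAPTURES = [
    ("10.10.10.2", "000010030a6e0a0072756e626f6f6b000a0a0a01"),
    ("10.10.10.50", "000010030aff0a0072756e626f6f6b000a0a0a01"),
]

if __name__ == "__main__":
    for src, hexpayload in CAPTURES:
        print(src, review_message(src, bytes.fromhex(hexpayload), PEERS, 10, "10.10.10.1"))
```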
4 — HSRP Version 2 — Recommended Production Config
HSRPv2 supports groups 0-4095, IPv6, and MD5 authentication. Always prefer v2 unless you have a legacy constraint.
4.1 — sw-infrarunbook-01 (Active)
interface Vlan10
description infrarunbook-prod gateway
ip address 10.10.10.2 255.255.255.0
standby version 2
standby 10 ip 10.10.10.1
standby 10 priority 110
standby 10 preempt delay minimum 30 reload 60
standby 10 timers msec 250 msec 750
standby 10 authentication md5 key-string 0 Infr@RunB00k!2026
standby 10 name INFRARUNBOOK-GW
no shutdown
4.2 — sw-infrarunbook-02 (Standby)
interface Vlan10
description infrarunbook-prod gateway
ip address 10.10.10.3 255.255.255.0
standby version 2
standby 10 ip 10.10.10.1
standby 10 priority 90
standby 10 preempt delay minimum 30 reload 60
standby 10 timers msec 250 msec 750
standby 10 authentication md5 key-string 0 Infr@RunB00k!2026
standby 10 name INFRARUNBOOK-GW
no shutdown
Configuration notes:
- preempt delay minimum 30 reload 60 — after a failover or reload, wait 30 s (or 60 s after reload) before preempting back. This allows routing protocols time to converge.
- timers msec 250 msec 750 — sub-second hello (250 ms) and hold (750 ms) for faster failover.
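- MD5 key-string — authenticates HSRP messages so that a device without the key is not accepted as a peer. The 0 before the key marks it as entered unencrypted.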
5 — HSRP Interface Tracking
Track an uplink or a remote destination so that when a tracked object goes down, the priority decrements and failover occurs.
5.1 — Track an Interface
! Track uplink interface on sw-infrarunbook-01
track 1 interface GigabitEthernet1/0/1 line-protocol
!
interface Vlan10
standby 10 track 1 decrement 30
If Gi1/0/1 goes down, the effective priority becomes 110 − 30 = 80, which is lower than 90, so sw-infrarunbook-02 takes over.
5.2 — Track a Remote IP via IP SLA
ip sla 1
icmp-echo 203.0.113.1 source-ip 10.10.10.2
frequency 5
threshold 1000
ip sla schedule 1 life forever start-time now
!
track 2 ip sla 1 reachability
delay down 10 up 30
!
interface Vlan10
standby 10 track 2 decrement 30
This pings the upstream gateway 203.0.113.1 every 5 seconds. If it becomes unreachable for 10 seconds, the priority drops by 30.
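The priority arithmetic of this section as an added Python model (not from the original run book or from Cisco): a simplified sketch of the election rules this page states, which also reproduces two failure cases from the checklist in section 8.4, a standby without preempt and a decrement that is too low. The Router class and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100                          # HSRP default
    preempt: bool = False                        # HSRP default: disabled
    tracks: dict = field(default_factory=dict)   # track object id -> decrement
    down: set = field(default_factory=set)       # track objects currently down
    alive: bool = True

    def effective(self) -> int:
        lost = sum(dec for obj, dec in self.tracks.items() if obj in self.down)
        return max(self.priority - lost, 0)


def next_active(routers, current=None):
    """Return the name of the Active router once the group settles."""
    alive = [r for r in routers if r.alive]
    if not alive:
        return None
    incumbent = next((r for r in alive if r.name == current), None)
    if incumbent is None:
        # No Active present: highest priority wins, highest IP breaks a tie.
        return max(alive, key=lambda r: (r.effective(), int(ipaddress.ip_address(r.ip)))).name
    # An Active exists: only a preempt-enabled router with a strictly higher
    # effective priority takes the role away from it.
    challengers = [r for r in alive if r.preempt and r.effective() > incumbent.effective()]
    return max(challengers, key=Router.effective).name if challengers else incumbent.name


def uplink_failure(standby_preempt=True, decrement=30):
    """Section 5.1 scenario: track 1 (the uplink) goes down on sw-infrarunbook-01."""
    sw1 = Router("sw-infrarunbook-01", "10.10.10.2", 110, True, {1: decrement})
    sw2 = Router("sw-infrarunbook-02", "10.10.10.3", 90, standby_preempt)
    active = next_active([sw1, sw2])             # initial election
    sw1.down.add(1)                              # tracked uplink fails
    after_failure = next_active([sw1, sw2], active)
    sw1.down.clear()                             # tracked uplink recovers
    after_recovery = next_active([sw1, sw2], after_failure)
    return active, after_failure, after_recovery


if __name__ == "__main__":
    print(uplink_failure())
    print(uplink_failure(standby_preempt=False))
    print(uplink_failure(decrement=10))
```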
6 — HSRP Load Balancing with Multiple Groups
True active/active load sharing uses two HSRP groups, each with a different Active router. Clients are split across two gateways (or use two DHCP pools).
! sw-infrarunbook-01
interface Vlan10
standby version 2
! Group 10 — Active on sw-infrarunbook-01
standby 10 ip 10.10.10.1
standby 10 priority 110
standby 10 preempt delay minimum 30
standby 10 authentication md5 key-string 0 Infr@RunB00k!2026
! Group 20 — Standby on sw-infrarunbook-01
standby 20 ip 10.10.10.4
standby 20 priority 90
standby 20 preempt delay minimum 30
standby 20 authentication md5 key-string 0 Infr@RunB00k!2026
! sw-infrarunbook-02
interface Vlan10
standby version 2
! Group 10 — Standby on sw-infrarunbook-02
standby 10 ip 10.10.10.1
standby 10 priority 90
standby 10 preempt delay minimum 30
standby 10 authentication md5 key-string 0 Infr@RunB00k!2026
! Group 20 — Active on sw-infrarunbook-02
standby 20 ip 10.10.10.4
standby 20 priority 110
standby 20 preempt delay minimum 30
standby 20 authentication md5 key-string 0 Infr@RunB00k!2026
DHCP pool A hands out 10.10.10.1; pool B hands out 10.10.10.4. Traffic is balanced across both switches.
7 — HSRPv2 with IPv6
! sw-infrarunbook-01
interface Vlan10
ipv6 address 2001:db8:10::2/64
standby version 2
standby 10 ipv6 2001:db8:10::1/64
standby 10 priority 110
standby 10 preempt
standby 10 authentication md5 key-string 0 Infr@RunB00k!2026
! sw-infrarunbook-02
interface Vlan10
ipv6 address 2001:db8:10::3/64
standby version 2
standby 10 ipv6 2001:db8:10::1/64
standby 10 priority 90
standby 10 preempt
standby 10 authentication md5 key-string 0 Infr@RunB00k!2026
8 — HSRP Verification and Troubleshooting
8.1 — Show Commands
show standby
show standby brief
show standby vlan 10
show standby vlan 10 10
show track
show track brief
8.2 — Sample Output: show standby brief
sw-infrarunbook-01# show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl10 10 110 P Active local 10.10.10.3 10.10.10.1
8.3 — Debug Commands
debug standby
debug standby events
debug standby packets
debug standby errors
debug standby terse
Warning: Never leave debugs running on production switches for extended periods. Always use terminal monitor from a VTY session and disable promptly: undebug all.
8.4 — Common HSRP Issues Checklist
- Both routers show Active: Authentication mismatch, ACL blocking multicast 224.0.0.102, or VLAN pruning.
- Failover not occurring: Preempt not configured on standby, or track decrement too low.
- Version mismatch: v1 and v2 on same group do NOT interoperate — both peers must match.
- Duplicate IP warning: Ensure the virtual IP is not assigned to any physical interface.
- Flapping: Check for STP convergence issues or unstable uplink causing track objects to bounce.
9 — VRRP Version 2 — Basic Configuration
VRRP is the standards-based alternative (RFC 3768 for v2, RFC 5798 for v3). Useful in multi-vendor environments.
9.1 — sw-infrarunbook-01 (Master)
interface Vlan10
description infrarunbook-prod gateway
ip address 10.10.10.2 255.255.255.0
vrrp 10 ip 10.10.10.1
vrrp 10 priority 110
vrrp 10 preempt delay minimum 30
vrrp 10 timers advertise 1
vrrp 10 authentication md5 key-string Infr@RunB00k!2026
no shutdown
9.2 — sw-infrarunbook-02 (Backup)
interface Vlan10
description infrarunbook-prod gateway
ip address 10.10.10.3 255.255.255.0
vrrp 10 ip 10.10.10.1
vrrp 10 priority 90
vrrp 10 preempt delay minimum 30
vrrp 10 timers advertise 1
vrrp 10 authentication md5 key-string Infr@RunB00k!2026
no shutdown
Key differences from HSRP:
- VRRP preempt is enabled by default.
- Only the Master sends advertisements; Backup routers listen.
- The virtual IP can be the same as a real interface IP (the owner router always has priority 255).
10 — VRRPv3 (Unified for IPv4 and IPv6)
VRRPv3 uses the fhrp version vrrp v3 global command on IOS-XE and provides a unified address family model.
10.1 — sw-infrarunbook-01
fhrp version vrrp v3
!
interface Vlan10
ip address 10.10.10.2 255.255.255.0
ipv6 address 2001:db8:10::2/64
!
vrrp 10 address-family ipv4
address 10.10.10.1 primary
priority 110
preempt delay minimum 30
timers advertise 100
track 1 decrement 30
exit-vrrp
!
vrrp 10 address-family ipv6
address 2001:db8:10::1/64 primary
priority 110
preempt delay minimum 30
timers advertise 100
exit-vrrp
10.2 — sw-infrarunbook-02
fhrp version vrrp v3
!
interface Vlan10
ip address 10.10.10.3 255.255.255.0
ipv6 address 2001:db8:10::3/64
!
vrrp 10 address-family ipv4
address 10.10.10.1 primary
priority 90
preempt delay minimum 30
timers advertise 100
exit-vrrp
!
vrrp 10 address-family ipv6
address 2001:db8:10::1/64 primary
priority 90
preempt delay minimum 30
timers advertise 100
exit-vrrp
Note: VRRPv3 timers advertise is in milliseconds (100 = 100 ms). VRRPv3 does not support authentication natively per RFC 5798.
11 — VRRP Interface Tracking
track 1 interface GigabitEthernet1/0/1 line-protocol
!
interface Vlan10
vrrp 10 track 1 decrement 30
For VRRPv3, tracking is configured inside the vrrp 10 address-family ipv4 block as shown in section 10.1.
12 — VRRP Verification and Troubleshooting
show vrrp
show vrrp brief
show vrrp interface vlan 10
show vrrp all
12.1 — Sample Output
sw-infrarunbook-01# show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Vl10 10 110 3218 Y Master 10.10.10.2 10.10.10.1
12.2 — Debug Commands
debug vrrp all
debug vrrp events
debug vrrp packets
13 — Security Hardening for FHRP
- Always enable authentication. For HSRP, use MD5 key-string or key-chain. VRRP v2 supports MD5; VRRPv3 does not (use ACLs instead).
- Filter FHRP traffic on access ports. Prevent rogue devices from injecting HSRP/VRRP hellos:
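! Example: ACL on access-facing L3 interface
ip access-list extended BLOCK-FHRP-FROM-ACCESS
! HSRPv1 (224.0.0.2) and HSRPv2 (224.0.0.102) both use UDP port 1985
deny udp any host 224.0.0.2 eq 1985
deny udp any host 224.0.0.102 eq 1985
! VRRP is IP protocol 112, not a UDP port
deny 112 any host 224.0.0.18
permit ip any any
!
interface Vlan20
ip access-group BLOCK-FHRP-FROM-ACCESS in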
- Use CoPP (Control Plane Policing) to rate-limit HSRP/VRRP to the CPU.
- Enable BFD (Bidirectional Forwarding Detection) for sub-second failure detection alongside FHRP:
interface Vlan10
bfd interval 50 min_rx 50 multiplier 3
standby 10 bfd
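An added Python example (not part of the original run book) that audits a saved configuration for the authentication points in this section: HSRP or VRRP groups with no authentication, plain-text authentication, an MD5 key that appears in clear text, and VRRPv3 groups that must rely on ACLs. The sample configuration, the key EXAMPLE-KEY, the key-chain name FHRP-KEYS and the function name audit_fhrp are constructed for illustration.

```python
import re
from collections import defaultdict

GROUP_LINE = re.compile(r"^(standby|vrrp)\s+(\d+)\s+(.*)$")

def audit_fhrp(config: str) -> list:
    """Return (interface, protocol, group, finding) tuples for weak FHRP auth."""
    groups = defaultdict(list)      # (interface, protocol, group) -> sub-commands
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        m = GROUP_LINE.match(line)
        if m and iface:
            groups[(iface, m.group(1), int(m.group(2)))].append(m.group(3))
    findings = []
    for (ifc, proto, grp), cmds in sorted(groups.items()):
        if any(c.startswith("address-family") for c in cmds):
            findings.append((ifc, proto, grp, "VRRPv3 group: no protocol authentication, filter with ACLs"))
            continue
        auth = [c.split()[1:] for c in cmds if c.startswith("authentication")]
        if not auth:
            findings.append((ifc, proto, grp, "no authentication configured"))
        for words in auth:
            if not words or words[0] != "md5":
                findings.append((ifc, proto, grp, "plain-text authentication"))
            elif "key-string" in words and words[words.index("key-string") + 1:][:1] != ["7"]:
                findings.append((ifc, proto, grp, "MD5 key appears in clear text in this config"))
    return findings

# Constructed sample configuration (not from the page).
SAMPLE = """
interface Vlan10
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 authentication md5 key-string 0 EXAMPLE-KEY
 standby 20 ip 10.10.10.4
interface Vlan30
 standby 30 ip 10.10.30.1
 standby 30 authentication labtext
 vrrp 40 ip 10.10.30.9
 vrrp 40 authentication md5 key-chain FHRP-KEYS
interface Vlan50
 vrrp 50 address-family ipv4
  address 10.10.50.1 primary
"""

if __name__ == "__main__":
    for finding in audit_fhrp(SAMPLE):
        print(*finding, sep=" | ")
```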
14 — FHRP Delay on Boot
Prevent a switch from becoming Active/Master before routing adjacencies are fully formed after a reload:
! Global FHRP delay (IOS-XE 16.x+)
fhrp delay minimum 30 reload 120
This delays FHRP initialization by 30 seconds (or 120 seconds after a full reload).
15 — Choosing Between HSRP and VRRP
| Criteria | Use HSRP | Use VRRP |
|---|---|---|
| All-Cisco environment | ✅ Preferred — tighter integration, ISSU support | Works, but no extra benefit |
| Multi-vendor environment | ❌ Proprietary | ✅ Standards-based |
| Need >255 groups per interface | ✅ HSRPv2 supports 0-4095 | ❌ Max 255 |
| Sub-second failover | ✅ With BFD or msec timers | ✅ With BFD or msec timers |
| IPv6 support | ✅ HSRPv2 | ✅ VRRPv3 |
16 — Full Production Template: HSRPv2 with Tracking and BFD
! ============================================
! sw-infrarunbook-01 — HSRPv2 Production Config
! ============================================
!
fhrp delay minimum 30 reload 120
!
ip sla 1
icmp-echo 203.0.113.1 source-ip 10.10.10.2
frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 interface GigabitEthernet1/0/1 line-protocol
track 2 ip sla 1 reachability
delay down 10 up 30
!
track 10 list boolean and
object 1
object 2
!
interface Vlan10
description infrarunbook-prod | HSRP Active
ip address 10.10.10.2 255.255.255.0
bfd interval 50 min_rx 50 multiplier 3
standby version 2
standby 10 ip 10.10.10.1
standby 10 priority 110
standby 10 preempt delay minimum 30 reload 60
standby 10 timers msec 250 msec 750
standby 10 authentication md5 key-string 0 Infr@RunB00k!2026
standby 10 track 10 decrement 30
standby 10 bfd
standby 10 name INFRARUNBOOK-GW
no shutdown
! ============================================
! sw-infrarunbook-02 — HSRPv2 Production Config
! ============================================
!
fhrp delay minimum 30 reload 120
!
ip sla 1
icmp-echo 203.0.113.1 source-ip 10.10.10.3
frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 interface GigabitEthernet1/0/1 line-protocol
track 2 ip sla 1 reachability
delay down 10 up 30
!
track 10 list boolean and
object 1
object 2
!
interface Vlan10
description infrarunbook-prod | HSRP Standby
ip address 10.10.10.3 255.255.255.0
bfd interval 50 min_rx 50 multiplier 3
standby version 2
standby 10 ip 10.10.10.1
standby 10 priority 90
standby 10 preempt delay minimum 30 reload 60
standby 10 timers msec 250 msec 750
standby 10 authentication md5 key-string 0 Infr@RunB00k!2026
standby 10 track 10 decrement 30
standby 10 bfd
standby 10 name INFRARUNBOOK-GW
no shutdown
17 — Frequently Asked Questions (FAQ)
Q1: What is the default HSRP priority and how does election work?
The default HSRP priority is 100. The router with the highest priority becomes Active. If priorities are equal, the router with the highest IP address on the HSRP interface wins.
Q2: Why do I see both routers as HSRP Active?
This is a "split-brain" scenario, usually caused by HSRP hellos not reaching the peer. Common causes: VLAN not trunked between switches, mismatched HSRP version, mismatched authentication, or an ACL/firewall blocking multicast 224.0.0.2 (v1) or 224.0.0.102 (v2) UDP port 1985.
Q3: Does VRRP preempt by default?
Yes. Unlike HSRP, VRRP has preemption enabled by default. You must explicitly configure no vrrp 10 preempt if you want to disable it.
Q4: Can I use the virtual IP as the real interface IP in VRRP?
Yes. In VRRP, if a router's real IP matches the virtual IP, it becomes the "owner" with an automatic priority of 255 and always wins the election. This is not possible with HSRP — the virtual IP must be different from any real IP.
Q5: What is the preempt delay and why should I use it?
Preempt delay introduces a waiting period before a recovered router takes back the Active/Master role. This ensures routing tables (OSPF, EIGRP, BGP) have converged before the router starts forwarding traffic. A typical value is 30-60 seconds for minimum and 60-120 seconds for reload delay.
Q6: Can HSRP and VRRP run on the same interface?
Technically yes — they are independent protocols. However, this creates unnecessary complexity and potential confusion. Best practice: choose one FHRP per interface and be consistent across the network.
Q7: How fast can HSRP failover be?
With millisecond timers (e.g., hello 250 ms, hold 750 ms), failover can occur in under 1 second. With BFD integration (standby 10 bfd), detection can be as fast as 150 ms (50 ms × 3 multiplier).
Q8: Does VRRPv3 support authentication?
No. RFC 5798 explicitly removed authentication from VRRPv3, stating it provided a false sense of security. Protect VRRPv3 with infrastructure ACLs, CoPP, and securing access to the Layer 2 domain.
Q9: How do I achieve active/active load balancing with HSRP?
Create two (or more) HSRP groups on the same interface, each with a different virtual IP. Assign different groups as Active on different routers. Distribute clients across the virtual IPs via DHCP pools or DNS round-robin.
Q10: What happens if the tracked interface flaps rapidly?
Without dampening, HSRP/VRRP priority will fluctuate, causing repeated failovers. Use track delay down 10 up 30 to require the tracked object to be down for 10 seconds before decrementing and up for 30 seconds before restoring priority.
18 — Quick Reference: All Commands at a Glance
! HSRP Show
show standby
show standby brief
show standby vlan 10 10
show track
show track brief
! VRRP Show
show vrrp
show vrrp brief
show vrrp interface vlan 10
! HSRP Debug
debug standby events
debug standby packets
! VRRP Debug
debug vrrp events
debug vrrp packets
! Clear
clear standby vlan 10 10
! BFD Verify
show bfd neighbors
show bfd neighbors details
Revision: 2026-02-17 — Initial publication for IOS 15.x and IOS-XE 16.x/17.x platforms.
