Hot Standby Router Protocol (HSRP) provides network redundancy for IP networks, which helps maximum network uptime. By sharing an IP address and a MAC (Layer 2) address, two or more routers can act as a single virtual router. The members of the virtual router group continuously exchange status messages. This way, one router can assume the routing responsibility of another, should the first one go out of commission for either planned or unplanned reasons. Hosts continue to forward IP packets to a consistent IP and MAC address, and the changeover of devices that route is transparent.

A Virtual Router Redundancy Protocol (VRRP) router is configured to run the VRRP protocol in conjunction with one or more other routers attached to a LAN. In a VRRP configuration, one router is elected as the virtual router master, with the other routers acting as backups in case the virtual router master fails. VRRP enables you to configure multiple routers as the default gateway router, which reduces the possibility of a single point of failure in a network. You can configure VRRP in such a way that traffic to and from LAN clients can be shared by multiple routers, to balance the load on available routers.

HSRP and VRRP ignore unauthenticated protocol messages. The default authentication type is text authentication. HSRP or VRRP authentication protects against false hello packets causing a denial-of-service attack. For example, suppose Router A has a priority of 120 and is the active router. If a host sends spoof hello packets with a priority of 130, then Router A stops being the active router. If Router A has authentication configured such that the spoof hello packets are ignored, Router A remains the active router. Packets are rejected in any of the following cases:

• The authentication schemes differ on the router and in the incoming packets.
• Text authentication strings differ on the router and in the incoming packets.

Preemption occurs when a virtual router backup with a higher priority takes over another virtual router backup that was elected to become a virtual router master, and a preemptive scheme is enabled automatically. When a newly reloaded router becomes active, despite an active router already existent on the network, it may appear that preemption is not functioning but that is not true. The newly active router did not receive any hello packets from the current active router, and the preemption configuration was not factored into the new routers decision making.

In general, we recommend that all HSRP routers have the following configuration:

standby delay minimum 30 reload 60

The standby delay minimum reload interface configuration command delays HSRP groups from initializing for the specified time after the interface comes up.

This command is different from the standby preempt delay interface configuration command, which enables HSRP preemption delay. You can disable the preemptive scheme by using the no vrrp preempt command. If preemption is disabled, the virtual router backup that is elected to become virtual router master remains the master until the original virtual router master recovers and becomes the master again.

HSRP version 2 is designed to address the following restrictions in HSRP version 1:

• In HSRP version 1, millisecond timer values are not advertised or learned. HSRP version 2 advertises and learns millisecond timer values. This change ensures stability of the HSRP groups in all cases.

• In HSRP version 1, group numbers are restricted to the range that is from 0 to 255. HSRP version 2 expands the group number range from 0 to 4095.

• HSRP version 2 provides improved management and troubleshooting. With HSRP version 1, you cannot use HSRP active hello messages to identify the physical device that sends the message because the source MAC address is the HSRP virtual MAC address. The HSRP version 2 packet format includes a 6-byte identifier field that is used to uniquely identify the sender of the message. Typically, this field is populated with the interface MAC address.

• The multicast address 224.0.0.2 is used to send HSRP hello messages. This address can conflict with Cisco Group Management Protocol (CGMP) leave processing.

Version 1 is the default version of HSRP.

HSRP version 2 uses the new IP multicast address 224.0.0.102 to send hello packets instead of the multicast address of 224.0.0.2, used by HSRP version 1. This new multicast address allows CGMP leave processing to be enabled at the same time as HSRP.

HSRP version 2 permits an expanded group number range, 0 to 4095, and consequently uses a new MAC address range 0000.0C9F.F000 to 0000.0C9F.FFFF. The increased group number range does not imply that an interface can, or should, support that number of HSRP groups. The expanded group number range was changed to allow the group number to match the VLAN number on subinterfaces.

When the HSRP version is changed, each group will reinitialize because it now has a new virtual MAC address.

HSRP version 2 has a different packet format than HSRP version 1. The packet format uses a type-length-value (TLV) format. HSRP version 2 packets received by an HSRP version 1 device will have the type field mapped to the version field by HSRP version 1 and subsequently ignored.

HSRP version 2 is effective from Cisco IOS Release 15.5(03)s.