
Cisco HSRP in detail (RFC 2281)

HSRP is one of the best-known FHRP (First Hop Redundancy Protocol) protocols, proposed by Cisco to help secure (in terms of redundancy) the gateway of hosts or servers in a LAN. The objective is simple: configure one gateway address and provision as many real routers (gateways) as you like to serve it.

To understand how it works, let’s first read the RFC and write down all the information that may hint at how HSRP handles IP traffic. We’ll then check our understanding of the RFC by setting up a lab and testing those features. This understanding is crucial if we want to troubleshoot its normal operation efficiently.

A walk by the RFC 2281

What does RFC 2281 say about Cisco HSRP that may affect the IP traffic flow process?

  • A single router elected from the group is responsible for forwarding the packets that hosts send to the virtual router. Thus no effective load balancing!
  • In the event that the active router fails, the standby assumes the packet forwarding duties of the active router.
  • Although an arbitrary number of routers may run HSRP, only the active router forwards the packets sent to the virtual router.
  • For each standby group, a single well-known (for HSRP usage) MAC address is allocated to the group, as well as an IP address (not physical?).
  • The following information MUST be known to each router in the standby group : Standby group number, Virtual MAC address, Priority, Authentication Data, Hellotime, Holdtime (The mechanisms used to determine this information are outside of the scope of this document (RFC)).
  • Send Gratuitous ARP Message: The router broadcasts an ARP response packet advertising the group’s virtual IP address and virtual MAC address. The packet is sent using the virtual MAC address as the source MAC address in the link layer header, as well as within the ARP packet.
  • Routers which implement HSRP SHOULD use well-known HSRP MAC addresses as the group’s virtual MAC address whenever possible.
  • The active router MUST accept and forward traffic that is destined for the group’s virtual MAC address.
  • It MUST stop accepting or forwarding such traffic when the router leaves the Active state.
  • If and only if the router is in the Active state, the router MUST use the group’s virtual MAC address as the source MAC address for its Hello messages.
  • As noted, routers currently emulating a virtual router adopt their group’s MAC and IP addresses.
  • MAC addresses are typically provided in an address filter or ‘list’ of MAC addresses in a router’s interface controller.
  • It is desirable for routers to be able to add one or more virtual MAC addresses to their controllers’ MAC address filter while maintaining their primary MAC addresses.
  • In these cases (address filtering for only one unicast MAC address), such routers can still implement HSRP, but the protocol must change the interface’s primary MAC address when assuming or relinquishing control as the active router.
  • Thus, routers participating in HSRP on an interface MUST NOT send ICMP redirects on that interface.
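As an added example (not code from the original post), here is a small Python decoder for the RFC 2281 message layout (version, op code, state, hellotime, holdtime, priority, group, authentication data, virtual IP) together with a check for the Hello source-MAC rule quoted above, which is what you would run over captured HSRP Hellos when verifying that only the Active router speaks with the group MAC. It assumes the well-known HSRP v1 virtual MAC 00:00:0c:07:ac:<group> and the RFC requirement that holdtime exceed hellotime; all sample messages are constructed inline.

```python
import struct
from dataclasses import dataclass

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
HSRP_FMT = "!BBBBBBBB8s4s"  # RFC 2281 v1 layout: 20 bytes, network byte order


@dataclass
class HsrpMessage:
    version: int
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def virtual_mac(group: int) -> str:
    """Well-known HSRP v1 virtual MAC 00:00:0c:07:ac:<group> (RFC 2281)."""
    return f"00:00:0c:07:ac:{group:02x}"


def parse_hsrp(payload: bytes) -> HsrpMessage:
    """Decode the UDP payload of an HSRP v1 message (struct.error if truncated)."""
    ver, op, st, hello, hold, prio, grp, _rsv, auth, vip = struct.unpack(
        HSRP_FMT, payload[:20])
    return HsrpMessage(ver, OPCODES.get(op, f"unknown({op})"),
                       STATES.get(st, f"unknown({st})"), hello, hold, prio,
                       grp, auth.rstrip(b"\x00"), ".".join(map(str, vip)))


def check_hello(src_mac: str, msg: HsrpMessage) -> list:
    """List RFC 2281 rule violations for a Hello seen with this source MAC."""
    issues = []
    uses_vmac = src_mac.lower() == virtual_mac(msg.group)
    if msg.state == "Active" and not uses_vmac:
        issues.append("Active Hello not sourced from the virtual MAC")
    if msg.state != "Active" and uses_vmac:
        issues.append("non-Active router sourcing Hellos from the virtual MAC")
    if msg.holdtime <= msg.hellotime:
        issues.append("holdtime must be greater than hellotime")
    return issues


def build_hsrp(state: int, priority: int, group: int = 1, hello: int = 3,
               hold: int = 10, vip: str = "192.168.1.254") -> bytes:
    """Build a sample HSRP v1 Hello payload (constructed data, RFC defaults)."""
    return struct.pack(HSRP_FMT, 0, 0, state, hello, hold, priority, group, 0,
                       b"cisco".ljust(8, b"\x00"), bytes(map(int, vip.split("."))))
```

Feed `parse_hsrp` the UDP payload of frames captured on port 1985 and the frame's source MAC to `check_hello`; an empty list means the Hello is consistent with the rules listed above.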

Lab setup… to show the least accurate case!

Let us analyze the IP traffic forwarding process in our lab setup (physical topology):

The logical topology is presented in the next figure. You may notice that the logical topology shows two redundant (independent) paths, whereas the physical topology has only one!

Our test is simple: PC-1 @ip:192.168.1.1 tries to reach PC-2 @ip:192.168.2.1. In our network design, PC-1 has three possibilities:

  • Forward traffic to Rtr-1,
  • Rtr-2,
  • or virtual router (FHRP-HSRP implemented by Rtr-1 and 2 in the subnet facing Pc-1)

What would be the most accurate gateway configuration in those cases?

| Failure \ Configured gateway    | Rtr-1            | Rtr-2                         | Virtual Rtr                   |
|---------------------------------|------------------|-------------------------------|-------------------------------|
| Rtr-1 fails                     | Ko, Rtr-1 fails  | Ko, because no alternate path | Ko, because no alternate path |
| Rtr-1 Link1 fails at L3         | Ko               | Ok, via link1 and link2       | Ok, Rtr-2 active              |
| Rtr-1 Link1 fails at L2         | Ko               | Ko, because no alternate path | Ko, because no alternate path |
| Rtr-1 or Rtr-2 Link2 fails at L2 | Ok, via link1   | Ko, because no alternate path | Ok, Rtr-1 active              |

Even in such a bad design (physical topology), the virtual router as gateway is the most accurate configuration.

The HSRP Active Router

On the active router, what changes after the new HSRP configuration? New (dynamic) IP aliases are added to the IP alias table and new (non-aging) ARP entries are added to the ARP table, but the structure of the SVI interface has not changed! Or at least the change is invisible…

The new alias enables the router to respond to ARP requests destined for the virtual IP address.
