Back
Lesson 5 of 5

HSRP Failover Challenge

Lab Objectives

  • Configure and validate a multigroup HSRP (Hot Standby Router Protocol) deployment between R1 and R2.
  • Implement interface tracking and preemption so HSRP failover occurs automatically when a critical link fails.
  • Test failover behavior and interpret verification outputs to confirm correct operation.

Topology (exact IPs on every router interface)

                          [Internet]
                         203.0.113.1
                              |
                           R1 (Gateway)
          Gi0/0: 10.10.10.1  Gi0/1: 10.10.20.1  Gi0/2: 10.10.30.1
                 |              |               |
               R2              R3              R4
    Gi0/0: 10.10.10.2    Gi0/0: 10.10.20.2    Gi0/0: 10.10.30.2
    Gi0/1: 10.10.40.1
             /  \
           S1    S2
          /  \    |
        PC1  PC2 PC3  (VLANs: 192.168.1.0/24, .2.0/24, .3.0/24)

Lab Tasks (Try It Yourself First!)

Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to discover exact syntax and verify behavior.

Task 1: Configure HSRP Group 1 (Primary)

Configure HSRP Group 1 on the R1–R2 link (10.10.10.0/24):

  • Virtual IP: 10.10.10.254
  • R1 Priority: 105 (should be Active)
  • R2 Priority: default (100)
  • Enable preemption on both devices
  • Use MD5 authentication with key: Lab@123
  • Use HSRP version 2

Task 2: Add Tracking for Failover

Create a tracking object (Track ID 11) that monitors R1's Gi0/1 (10.10.20.1) line-protocol. Configure both HSRP Group 1 to decrement the priority by 20 when that tracked interface goes down. This ensures the active router relinquishes Active state when its uplink fails.

Task 3: Configure HSRP Group 2 (Secondary)

Configure a second HSRP group on the same link:

  • Group ID: 2
  • Virtual IP: 10.10.10.253
  • R2 Priority: 105 (make R2 Active for this group)
  • R1 Priority: default (100)
  • Enable preemption on both
  • Use MD5 authentication with key: Lab@123
  • Tie Group 2 to the same tracking object (Track ID 11) with decrement 20

Think About It: If R1 is Active for Group 1 and R2 is Active for Group 2, why is multigroup HSRP useful for a production environment with multiple VLANs or services?

Lab Solution

Task 1 Solution: Configure HSRP Group 1 (Primary)

What we are doing: Create an HSRP virtual gateway on the R1–R2 segment so hosts (or downstream routers/switches) can use a single virtual IP. R1 will be the Active router for Group 1 because its priority is higher.

! On R1
interface GigabitEthernet0/0
 standby version 2
 standby 1 ip 10.10.10.254
 standby 1 priority 105
 standby 1 preempt
 standby 1 authentication md5 key-string Lab@123

! On R2
interface GigabitEthernet0/0
 standby version 2
 standby 1 ip 10.10.10.254
 standby 1 preempt
 standby 1 authentication md5 key-string Lab@123
  • interface GigabitEthernet0/0 — enter the interface connected to the 10.10.10.0 network.
  • standby version 2 — sets HSRP to use version 2 (needed for larger group IDs and for modern interoperability).
  • standby 1 ip 10.10.10.254 — configures the virtual IP for HSRP group 1; hosts will use this as their gateway.
  • standby 1 priority 105 — raises R1’s priority above the default 100 so R1 becomes Active for group 1.
  • standby 1 preempt — allows a higher-priority router that comes online to take over the Active role.
  • standby 1 authentication md5 key-string Lab@123 — secures HSRP messages with MD5; both routers must use the same key.

Verify:

! Run on R1 (and on R2 to compare)
show standby brief

Expected output (example from R1):

Interface   Grp  Pri  P State   Active        Standby       Virtual IP
Gi0/0       1    105  Y Active  10.10.10.1    10.10.10.2    10.10.10.254

Expected output (example from R2):

Interface   Grp  Pri  P State   Active        Standby       Virtual IP
Gi0/0       1    100  Y Standby 10.10.10.1    10.10.10.2    10.10.10.254

Tip: Run show standby (without brief) for more detail including timers and authentication method.

Task 2 Solution: Add Tracking for Failover

What we are doing: Create a Track object (#11) that watches the line-protocol state of Gi0/1 on each router; bind it to HSRP Group 1 so that if R1’s uplink fails, R1’s HSRP priority drops by 20 and R2 becomes Active.

! On both routers (global config)
track 11 interface GigabitEthernet0/1 line-protocol

! Tie the track to HSRP group 1
interface GigabitEthernet0/0
 standby 1 track 11 decrement 20
  • track 11 interface GigabitEthernet0/1 line-protocol — creates track object 11 that is UP when Gi0/1 line-protocol is up; DOWN when the interface or its line-protocol fails.
  • standby 1 track 11 decrement 20 — tells HSRP to subtract 20 from the router’s priority if track 11 goes DOWN. This forces a failover when the tracked uplink fails.

Verify:

! Verify track state
show track

Expected output (when Gi0/1 is up):

Track 11
  Interface GigabitEthernet0/1 line-protocol is up
  Object state: Up

! Verify HSRP priority binding and state
show standby brief

Expected output example (R1):

Interface   Grp  Pri  P State   Active        Standby       Virtual IP
Gi0/0       1    105  Y Active  10.10.10.1    10.10.10.2    10.10.10.254
  Tracked by 11 (Gi0/1) -> state Up

Test the failover: On R1, simulate uplink failure:

! On R1
interface GigabitEthernet0/1
 shutdown

Then re-run:

show standby brief
show track

Expected outcome: Track 11 shows DOWN, R1’s effective priority is 85 (105 - 20) and R2 becomes Active for Group 1.

Task 3 Solution: Configure HSRP Group 2 (Secondary)

What we are doing: Add a second HSRP group so R2 will be Active for a different virtual gateway. This is useful in multitenant or multi-VLAN scenarios where you want different Active routers for different services.

! On R1
interface GigabitEthernet0/0
 standby 2 ip 10.10.10.253
 standby 2 preempt
 standby 2 authentication md5 key-string Lab@123
 standby 2 track 11 decrement 20

! On R2
interface GigabitEthernet0/0
 standby 2 ip 10.10.10.253
 standby 2 priority 105
 standby 2 preempt
 standby 2 authentication md5 key-string Lab@123
 standby 2 track 11 decrement 20
  • standby 2 ip 10.10.10.253 — creates virtual IP for group 2.
  • standby 2 priority 105 (on R2) — makes R2 the preferred Active router for group 2.
  • standby 2 track 11 decrement 20 — ensures the same tracked link influences group 2 failover as well.

Verify:

show standby brief

Expected output (R2 showing Active for group 2):

Interface   Grp  Pri  P State    Active        Standby       Virtual IP
Gi0/0       2    105  Y Active   10.10.10.2    10.10.10.1    10.10.10.253

Troubleshooting Scenario

Scenario: R1 never relinquishes Active for Group 1 after Gi0/1 is shut down

Symptom: You shut down Gi0/1 on R1, but show standby brief still shows R1 as Active for Group 1.

Your task: Find and fix the issue.

Hint: Check the track object and the HSRP binding to the track.

Solution:

  • Verify show track to confirm the track object is DOWN.
  • If the track object is still UP, confirm you created the track for the correct interface name (GigabitEthernet0/1). Correct the track command if mistyped.
  • Ensure standby 1 track 11 decrement 20 exists under the interface. If not, add it.
  • If preempt is missing on R2, R2 may not seize Active even when R1's priority drops — add standby 1 preempt on R2.

Example fix (on R2, if missing):

! On R2
interface GigabitEthernet0/0
 standby 1 preempt

Verification Checklist

  • show standby brief on R1 and R2 shows expected Active/Standby for groups 1 and 2.
  • show track shows Track 11 reflects Gi0/1 line-protocol state.
  • Simulated Gi0/1 down on R1 causes R2 to become Active for groups where priority was decremented.

Common Mistakes

SymptomCauseFix
HSRP groups stuck in INIT or LISTENstandby version mismatch or incorrect authenticationEnsure standby version 2 and identical standby ... authentication md5 key-string Lab@123 on both routers
Failover does not occur when tracked interface goes downTrack object tied to wrong interface or not bound to HSRP groupVerify show track and add standby <grp> track 11 decrement 20 under the interface
Active router does not change back when it shouldpreempt missing on the preferred routerAdd standby <grp> preempt so higher-priority router can resume Active when it returns

Challenge Task

Configure multigroup HSRP for three VLANs (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24) such that:

  • R1 is Active for VLAN 1,
  • R2 is Active for VLAN 2,
  • R1 is Active for VLAN 3,
  • Each VLAN uses its own virtual IP (.254/.253/.252) and the same MD5 key Lab@123,
  • Track the appropriate uplinks so a single link failure causes only the expected groups to fail over.

(Design and implement the VLAN gateway interfaces on the routers or SVIs on switches as required; no step-by-step given.)

Important: Always document the reason behind each command and verify with show standby and show track. In production, predictable HSRP behavior prevents unnecessary outages and keeps client default gateways stable.

Practice with Hands-On Labs

30 step-by-step labs for CCNA, CCNP Enterprise & Security