HSRP Architecture Question - Drawing Attached

Unanswered Question
Dec 30th, 2009

Hi All,

I've attached a sample drawing of an HSRP implementation that I am trying to configure on my network.  I've changed the IP schema for the example for security/policy purposes.

As the drawing shows, I have 2 paths - a Primary and a Secondary.  The red connections are primary, and the green connections are secondary.  I want the green connections to be inactive unless the red connections fail.

I'm using a flat IP space on my local network of /24, with a gateway of

On the Primary 871 Router, I'd like to configure HSRP on interface Fe0 going to the Primary 2950

Int vl1 (Mgmt address)

ip address

Int fe0 (1st HSRP address)

ip address

Standby IP address (VIP/Gateway)

On the Secondary 871 Router, I'd like to configure HSRP on interface Fe0 going to the Primary 2950

Int vl1 (Mgmt address)

ip address

Int Fe0

ip address

Standby IP address (VIP/Gateway)

Now, with that said, here are my questions:

1.  Is it ok that I've configured the HSRP addresses on the same subnet as my IP space on my local network?  Or do I need to trunk off the HSRP IP space into its own subnet (i.e. Local network /24, HSRP network /29)?

2.  If it IS ok that I've configured the HSRP addresses on the same subnet as my IP space on my local network, and since my VIP is also my gateway address (fault tolerant gateway, as demonstrated on the HSRP tutorial video), then I should be setting the default gateway on all of my Cisco gear in my network to right?

3. Do my routers need to be directly connected to one another to successfully implement HSRP?

4.  Please correct me if I am wrong, but there is no logical reason to also build HSRP on the secondary paths (green links), correct?  Furthermore, if I did that, it would create IP overlaps/loops if I used the same HSRP IPs for the secondary path and didn't have a blocking protocol in place, correct?  My logic is that, if Fe0 on the Primary Router breaks, then Fe0 on the Secondary Router will pick it up and still assume the VIP.  If Fe0 breaks on the Secondary Router, then there is no effect because the primary path is still active.

Thank you guys,


Marwan ALshawi Thu, 12/31/2009 - 07:37

hi Dean

From your diagram, the first problem you have is that fe0 and vlan 1 reside in the same subnet, which is not possible on a router unless you are using VRFs, which is out of the scope of your configuration.

You may configure the vlan 1 interfaces in your routers as the HSRP interface,

or you can use the routed interfaces fe0 in each router, but put them in a different subnet.

As for HSRP: in your config you put the router interfaces into a switch. As long as those ports on that switch are in the same VLAN you do not need an inter-router connection for HSRP; they can send hello packets through the switch.

About the redundant path (green), I am not sure how you configured your network to make this path a backup!!

Anyway, as long as you have two redundant links in the backup path you may use another HSRP group,

but again, I need to understand the logic of your redundant path and how it will be used if the primary goes down: is it through routing, STP, etc.?

good luck

if helpful Rate
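To make Marwan's suggestion concrete, here is an added example configuration (not taken from either post; the addresses, hostnames and group number are hypothetical) that puts HSRP on interface Vlan1 of both 871s. On an 871, FastEthernet0 to FastEthernet3 are switch ports that belong to VLAN 1 and FastEthernet4 is the routed WAN port, so the LAN address and the VIP go on Vlan1 and no separate HSRP subnet is needed; the PCs and the 2950s simply use the VIP as their default gateway. Two details are worth adding for a production deployment: tracking of the WAN interface, so that the router which loses its uplink also gives up the VIP instead of black-holing traffic, and MD5 authentication, because an HSRP group without a key accepts hellos from any host on the VLAN, and a host announcing a higher priority becomes the active gateway for the whole segment.

```cisco
! ---- Primary 871 (hypothetical: LAN 192.168.1.0/24, VIP 192.168.1.1) ----
hostname RTR-PRIMARY
!
! Object 10 is up only while the WAN port carries line protocol
track 10 interface FastEthernet4 line-protocol
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 ! wait 30 s after coming back before reclaiming the VIP, so the uplink has time to settle
 standby 1 preempt delay minimum 30
 ! 1 s hello / 3 s hold: failover in a few seconds instead of the 10 s default
 standby 1 timers 1 3
 standby 1 authentication md5 key-string HsrpKey123
 ! lose 20 points (110 -> 90) when the WAN port goes down, so the secondary wins
 standby 1 track 10 decrement 20
!
interface FastEthernet0
 ! switch port towards the primary 2950; the IP lives on Vlan1, not here
 switchport access vlan 1
!
! ---- Secondary 871 ----
hostname RTR-SECONDARY
!
track 10 interface FastEthernet4 line-protocol
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.1
 standby 1 priority 100
 ! must preempt, otherwise it never takes over when the primary's priority drops
 standby 1 preempt
 standby 1 timers 1 3
 standby 1 authentication md5 key-string HsrpKey123
 standby 1 track 10 decrement 20
!
interface FastEthernet0
 switchport access vlan 1
!
! ---- Primary 2950 (and every host on the LAN): the VIP is the gateway ----
hostname SW-PRIMARY
ip default-gateway 192.168.1.1
```

Verify with `show standby brief` on both routers: one shows Active and the other Standby, both with the same virtual IP. Shutting FastEthernet4 on the primary drops its priority to 90 and, because preempt is enabled on the secondary, moves the VIP within the 3 second hold time; no direct link between the two routers is involved, the hellos travel through the 2950 on VLAN 1.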

Giuseppe Larosa Thu, 12/31/2009 - 08:34

Hello Dean,

you had already opened another thread on this.

It would have been wise to go on with that.

However, as Marwan has noted there are some aspects that need to be reviewed.

Usually HSRP is used on the client VLAN side, as we have discussed in the other thread, because it is not a real routing protocol but provides first-hop redundancy to be used with end-user PCs and workstations.

Using HSRP on the WAN side is uncommon and implies a layer 2 service that may be using different VLAN IDs.

I think you should review the address plan and check with the service provider what they are going to give you.

A possible approach is that there is a WAN subnet where all remote routers (two per remote site) connect.

Each remote site also has a LAN-side IP subnet that can be reached using a static route that uses a VIP address as IP next hop

remote site N:

lan side IP subnet: 10.10.N.0

from central site or any other site connected to "WAN" cloud ip subnet

ip route 10.10.N.0 VIP-N-1  10

ip route 10.10.N.0 VIP-N-2 200

where VIP-N-1 and VIP-N-2 are addresses in the address space of the WAN IP subnet.

Each remote site uses 4 IP addresses: the physical IP address of each router and a VIP for each HSRP group.

HSRP IP addresses need to be in the same IP subnet as the interface where it is applied, because it is a virtual default gateway.

The second is a floating static route that can be used if the first is considered not valid.

However, the problem is that without a dynamic routing protocol the remote site is not able to detect that the primary link (related to HSRP group N-1) is down, and would keep using it as long as the ARP entry for VIP-N-1 is valid.

This would require reliable static routing to track the reachability of each VIP.



Again, the usage of a dynamic routing protocol in this scenario provides the most benefits and simplifies configuration

Hope to help
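The floating-static design Giuseppe outlines, with reliable static routing added so that the central site stops using VIP-N-1 once it stops answering. This is an added example, not configuration from the post: the WAN subnet 10.0.0.0/24, site number N=5, the physical and VIP addresses, the HSRP key and the IP SLA and track numbers are all hypothetical. The remote site runs two HSRP groups on its WAN-facing interface so that each router is normally active for one VIP (the four addresses per site Giuseppe describes); the central site pings VIP-5-1 every 5 seconds and withdraws the preferred route when the probe fails, so the administrative-distance-200 route via VIP-5-2 takes over.

```cisco
! ---- Remote site 5, router A (WAN-facing interface) ----
interface FastEthernet4
 ip address 10.0.0.53 255.255.255.0
 ! group 1 owns VIP-5-1; router A is preferred
 standby 1 ip 10.0.0.51
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string WanHsrpKey
 ! group 2 owns VIP-5-2; router B is preferred, A is its backup
 standby 2 ip 10.0.0.52
 standby 2 priority 90
 standby 2 preempt
 standby 2 authentication md5 key-string WanHsrpKey
!
! ---- Remote site 5, router B: same two groups, priorities swapped ----
interface FastEthernet4
 ip address 10.0.0.54 255.255.255.0
 standby 1 ip 10.0.0.51
 standby 1 priority 90
 standby 1 preempt
 standby 1 authentication md5 key-string WanHsrpKey
 standby 2 ip 10.0.0.52
 standby 2 priority 110
 standby 2 preempt
 standby 2 authentication md5 key-string WanHsrpKey
!
! ---- Central site router: reliable static routing towards site 5 ----
! ICMP probe to VIP-5-1 every 5 seconds. On IOS older than 12.4(4)T the
! equivalent commands are "ip sla monitor 51" / "type echo protocol ipIcmpEcho".
ip sla 51
 icmp-echo 10.0.0.51 source-interface FastEthernet4
 frequency 5
ip sla schedule 51 life forever start-time now
!
! Track object 51 goes down when the probe fails
! (older IOS: "track 51 rtr 51 reachability")
track 51 ip sla 51 reachability
!
! The preferred route (AD 10) stays in the routing table only while track 51 is up;
! when it is removed, the AD 200 route via VIP-5-2 floats in.
ip route 10.10.5.0 255.255.255.0 10.0.0.51 10 track 51
ip route 10.10.5.0 255.255.255.0 10.0.0.52 200
```

Check the state with `show track 51` and `show ip route 10.10.5.0`. Two caveats: the probe answers as long as either remote router holds VIP-5-1, so it detects loss of the WAN path to that VIP, not a failure behind it; for the VIP to move when a remote router loses its LAN side, the remote routers should track their LAN interface in the same way the central site tracks the probe. And the arrangement is one-directional as written: the remote site needs its own tracked default routes towards the central site, or traffic fails over in one direction only. A dynamic routing protocol, as Giuseppe recommends, removes both problems at once.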


