Home > HSRP & VRRP Questions

HSRP & VRRP Questions

January 29th, 2021 Go to comments

If you are not sure about HSRP, please read our HSRP tutorial (on 9tut.com).

Quick VRRP overview:

+ is IETF RFC 3768 standard
+ supports maximum 255 groups
+ 1 active and some backups
+ Use multicast address 224.0.0.18
+ Tracking via objects
+ 1 sec hello timer, 3 sec hold time
+ Authentication: plaintext or MD5 authentication
+ Preemption is enabled by default
+ Virtual IP address can be the same as physical IP address (which is running VRRP)
+ Default priority is 100
+ Only VRRPv3 supports both IPv4 and IPv6

Question 1

Explanation

When you change the HSRP version, Cisco NX-OS reinitializes the group because it now has a new virtual MAC address. HSRP version 1 uses the MAC address range 0000.0C07.ACxx while HSRP version 2 uses the MAC address range 0000.0C9F.F0xx.

HSRP supports interface tracking which allows to specify another interface on the router for the HSRP process to monitor in order to alter the HSRP priority for a given group.

Question 2

Explanation

If you change the version for existing groups, Cisco NX-OS reinitializes HSRP for those groups because the virtual MAC address changes.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3548/sw/unicast/503_A1_1/l3_nx-os/l3_hsrp.html

Question 3

Question 4

Explanation

The main disadvantage of HSRP and VRRP is that only one gateway is elected to be the active gateway and used to forward traffic whilst the rest are unused until the active one fails. Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol and performs the similar function to HSRP and VRRP but it supports load balancing among members in a GLBP group.

Note: Although GLBP is not a topic for this exam but not sure why we still have this question!

Question 5

Explanation

HSRP consists of 6 states:

State Description
Initial This is the beginning state. It indicates HSRP is not running. It happens when the configuration changes or the interface is first turned on
Learn The router has not determined the virtual IP address and has not yet seen an authenticated hello message from the active router. In this state, the router still waits to hear from the active router.
Listen The router knows both IP and MAC address of the virtual router but it is not the active or standby router. For example, if there are 3 routers in HSRP group, the router which is not in active or standby state will remain in listen state.
Speak The router sends periodic HSRP hellos and participates in the election of the active or standby router.
Standby In this state, the router monitors hellos from the active router and it will take the active state when the current active router fails (no packets heard from active router)
Active The router forwards packets that are sent to the HSRP group. The router also sends periodic hello messages

Please notice that not all routers in a HSRP group go through all states above. In a HSRP group, only one router reaches active state and one router reaches standby state. Other routers will stop at listen state.

Question 6

Explanation

A VRRP router receiving a packet with the TTL not equal to 255 must discard the packet (only one possible hop) -> B is correct.

Currently there are three VRRP versions which are versions 1, 2 and 3 -> E is correct.

VRRP uses multicast address 224.0.0.18 and supports plaintext or MD5 authentication.

Question 7

Question 8

Explanation

The main disadvantage of HSRP and VRRP is that only one gateway is elected to be the active gateway and used to forward traffic whilst the rest are unused until the active one fails. Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol and performs the similar function to HSRP and VRRP but it supports load balancing among members in a GLBP group.

Question 9

Explanation

SSO HSRP alters the behavior of HSRP when a device with redundant Route Processors (RPs) is configured for stateful switchover (SSO) redundancy mode. When an RP is active and the other RP is standby, SSO enables the standby RP to take over if the active RP fails.

The SSO HSRP feature enables the Cisco IOS HSRP subsystem software to detect that a standby RP is installed and the system is configured in SSO redundancy mode. Further, if the active RP fails, no change occurs to the HSRP group itself and traffic continues to be forwarded through the current active gateway device.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-s/fhp-15-s-book/fhp-hsrp-sso.html

Question 10

Explanation

In fact, VRRP has the preemption enabled by default so we don’t need the “vrrp 10 preempt” command. The default priority is 100 so we don’t need to configure it either. But notice that the correct command to configure the virtual IP address for the group is “vrrp 10 ip {ip-address}” (not “vrrp group 10 ip …”) and this command does not include a subnet mask.

Question 11

Explanation

The “preempt” command enables the HSRP router with the highest priority to immediately become the active router. We need to configure “preempt” on the standby router so that it would take the active role when the current active router goes down.

Question 12

Comments
  1. thatonedude
    March 25th, 2020

    Question 2

    Which behavior can be expected when the HSRP versions is changed from 1 to 2?
    A. Each HSRP group reinitializes because the virtual MAC address has changed
    B. No changes occur because version 1 and 2 use the same virtual MAC OUI
    C. Each HSRP group reinitializes because the multicast address has changed
    D. No changes occur because the standby router is upgraded before the active router

    Answer: C

    Explanation

    When you change the HSRP version, Cisco NX-OS reinitializes the group because it now has a new virtual MAC address. HSRP version 1 uses the MAC address range 0000.0C07.ACxx while HSRP version 2 uses the MAC address range address range 0000.0C9F.F0xx.

    Shouldn’t the answer be “A” as the MAC is changing?

  2. Gentao
    April 3rd, 2020

    @that one dude i would agree the answer might be A

  3. nico
    April 6th, 2020

    224.0.0.2
    HSRP version 1 uses the multicast address 224.0. 0.2. HSRP version 2 uses multicast address 224.0. 0.102 for its communication.Sep

  4. Gentao
    April 6th, 2020

    Question answer should be A

    When you change the HSRP version, Cisco NX-OS reinitializes the group because it now has a new
    virtual MAC address.

    https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3548/sw/unicast/503_A1_1/l3_nx-os/l3_hsrp.pdf

  5. Gre47
    May 19th, 2020

    Question 2 is 100% A. The Mac address changes when you change versions:

    “When the HSRP version is changed, each group will reinitialize because it now has a new virtual MAC address.”

    source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-hsrp-v2.html

  6. Nhardz
    June 3rd, 2020

    @Digitaltut,

    Q6 is not added in the composite i believe

  7. alex
    June 17th, 2020

    Question 6.
    VRRP Limitations
    The switch supports either HSRP or VRRP, but not both. The switch cannot join a stack that has both HSRP and VRRP configured.
    The VRRP implementation on the switch does not support the MIB specified in RFC 2787.
    The VRRP implementation on the switch supports only text -based authentication.
    The switch supports VRRP only for IPv4.

  8. ss
    July 11th, 2020

    Which statement about VRRP is true?
    A. It supports load balancing
    B. It can be configured with HSRP on a switch or switch stack
    C. It supports IPv4 and IPv6
    D. It supports encrypted authentication
    Answer is D
    ?
    vrrp group authentication md5 key-string [0 | 7] key-string [timeout seconds]
    Specifying 7 means the key will be encrypted. The key-string authentication key will automatically be encrypted if the service password-encryption global configuration command is enabled.
    anyone can confirm ?
    VRRP Limitations
    The switch supports either HSRP or VRRP, but not both. The switch cannot join a stack that has both HSRP and VRRP configured.
    The VRRP implementation on the switch does not support the MIB specified in RFC 2787.
    The VRRP implementation on the switch supports only text -based authentication.
    The switch supports VRRP only for IPv4.
    what would be the correct answer ?

  9. Joe
    September 16th, 2020

    Hi Digital Tut, Can you please explain Qn.6 please ? as to how B is the answer.

  10. bnt
    October 5th, 2020

    QN 6 please update

  11. Milf-Hunter
    October 6th, 2020

    Why is the corret answer ?

    Which statement about VRRP is true?
    A. It supports load balancing
    B. It can be configured with HSRP on a switch or switch stack
    C. It supports IPv4 and IPv6
    D. It supports encrypted authentication
    Answer is D

  12. Yosh
    November 25th, 2020

    Question 6a ;)
    Which statement about VRRP is true?
    A. It supports load balancing
    B. It can be configured with HSRP on a switch or switch stack
    C. It supports IPv4 and IPv6
    D. It supports encrypted authentication

    B is correct on all routing devices, D is correct only on routers, not on Multilayer-Switches.
    result: B is correct

  13. magic
    January 10th, 2021

    Question 5 (HSRP states)

    IMO correct answers are: A,E,F (INIT, listen, speak)
    See example debug (standby router)
    debug output (standby router):
    *Jan 8 19:20:10.095: HSRP: Et0/1 Grp 1 Disabled -> Init
    *Jan 8 19:20:11.101: HSRP: Et0/1 Grp 1 Init -> Listen
    *Jan 8 19:20:23.013: HSRP: Et0/1 Grp 1 Listen -> Speak
    *Jan 8 19:20:33.672: HSRP: Et0/1 Grp 1 Speak -> Standby

    Even though some cisco documentation lists Learning state – it is not present in ENCOR Student Learnig Guide.

  14. Anonymous
    February 10th, 2021

    Question 7:

    C. It supports IPv4 and IPv6

    Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6
    https://tools.ietf.org/html/rfc5798

  15. digitaltut
    February 11th, 2021

    @Anonymous: This question does not mention which VRRP version so B is still the better answer.

  16. Anonymous
    February 15th, 2021

    digitaltut – Yes, Question 7, Answer B still the best answer :)

  17. BNNY
    March 19th, 2021

    Question 11: Refer to the exhibit. Edge-01 is currently operational as the HSRP primary with priority 110. Which command on Edge-02 causes it to take over the forwarding role when Edge-01 is down?

    A. standby 10 priority
    B. standby 10 timers
    C. standby 10 track
    D. standby 10 preempt

    Is A the better answer? I think D will make Edge-2 the HSRP primary immediately instead of waiting until Edge-1 is down.

  18. Razor
    March 28th, 2021

    Question 11 doesn’t make much sense. Edge-01 is a higher priority of 110. When it becomes unavailable Edge-02 would take over with Answer A. standby 10 priority (Default priority of 100)

    Answer D would make more sense if we want Edge-01 to resume activity after recovering from failure.

    @digitaltut – maybe this question is worded incorrectly?

  19. olegius
    April 5th, 2021

    Q7
    Configured the HSRP on switch cisco 3750.
    When trying to create a VRRP group, the switch issues a message.

    interface FastEthernet1/0/24
    no switchport
    ip address 172.16.199.100 255.255.255.0
    standby 11 ip 172.16.199.200
    !
    interface FastEthernet1/0/25
    no switchport
    ip address 172.16.99.99 255.255.255.0
    (config-if)#vrrp 10 ip 172.16.99.200
    %FHRP group not consistent with already configured groups on the switch stack
    % Cannot create new VRRP group

  20. klingacik
    April 6th, 2021

    @digitaltut,

    I believe the correct answer could be answer D?

    Question 7
    Which statement about VRRP is true?

    B. It can be configured with HSRP on a switch or switch stack – can be configured HSRP or VRRP but not both.

    D. It supports encrypted authentication – from Cisco book:
    Step 4. (Optional) Establish VRRP authentication by using
    the command vrrp instance-id authentication {textpassword | text text-password | md5 {key-chain
    key-chain | key-string key-string}}.

    from my lab cisco 3725
    Router(config-if)#vrrp 1 authentication ?
    md5 Use MD5 authentication
    text Plain text authentication

    but Cisco IOS XE Software, Version 17.03.02 only supports text authentication:

    R1(config-if)#vrrp 1 authentication ?
    text TEXT authentication

    R1(config-if)#vrrp 1 authentication

    Router(config-if)#vrrp 1 authentication

    Still not completely sure. If someone could confirm and advise, please?

    Thank you

  21. cert
    April 8th, 2021

    ADMIN…………………. Q 6 ????

    What sort of silly answer is this dear.. how can both vrrp and hsrrp be supported together .

    You guys should be 200 % not 100 % sure about the answers here since people rely on you guys.

    You should hire experts to check the answers and verify before posting.

  22. cert
    April 8th, 2021

    i would not mind paying 20 $ more if my answers are being verified by an expert CCIE .. instead of failing the exam because of wrong answers ….

  23. cert
    April 8th, 2021

    Correction… my above query is about Q 7 not Q 6……………………

  24. HM
    April 9th, 2021

    Q7 should be C????
    It supports IPv4 and IPv6

    Scroll down here:
    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_58_se/configuration/guide/3750scg/swhsrp.html

    VRRP Limitations

    The switch supports either HSRP or VRRP, but not both. The switch cannot join a stack that has both HSRP and VRRP configured.
    The VRRP implementation on the switch does not support the MIB specified in RFC 2787.
    The VRRP implementation on the switch supports only text -based authentication.
    The switch supports VRRP only for IPv4.

    BUT it looks like these are limitations of this switch.

    If you look here:
    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-sy/fhp-15-sy-book/fhrp-vrrpv3.html

    The VRRP version 3 (v3) Protocol Support feature provides the capability to support IPv4 and IPv6 addresses while VRRP version 2 (v2) only supports IPv4 addresses.

  25. HM
    April 13th, 2021

    Q7

    Could it be that D (Encrypted Authentication) is wrong, because you can store the key encrypted in the config, but the authentication process itself between the VRRP units only supports:
    -> No authentication
    -> Plain text authentication
    -> MD5 authentication
    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-vrrp.html
    From what I know, MD5 is only a hash and a hash isn’t an encryption, because you can’t get the orginal value back out of the hash.

  26. bob
    April 14th, 2021

    Q7: I think C is correct:

    C. It supports IPv4 and IPv6

    If they said, Which statement about VRRP v1 or v2 are true, then that is a different story

    From Cicco:

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-sy/fhp-15-sy-book/fhrp-vrrpv3.html

    VRRPv3 supports usage of IPv4 and IPv6 addresses while VRRPv2 only supports IPv4 addresses

  27. Talal
    June 2nd, 2021

    Dear All,

    Please someone share the latest dumps at (suffianmanzoor at gmail dot com).
    many thanks in advance.

  28. Engineer2021
    June 17th, 2021

    I took my test and passed 901. questions here are legit

  29. Werewolf
    July 20th, 2021

    Question 11: Refer to the exhibit. Edge-01 is currently operational as the HSRP primary with priority 110. Which command on Edge-02 causes it to take over the forwarding role when Edge-01 is down?

    A. standby 10 priority
    B. standby 10 timers
    C. standby 10 track
    D. standby 10 preempt

    In this situation Edge-2 will forward a traffic when Edge-1 stops to send “hello”. We don’t need to enter the command “preemt”! Answer “C” doesn’t have a sence!

  1. No trackbacks yet.