Every device on a network has one default gateway — one door out to the rest of the Internet. When that door fails, every device behind it goes dark.
HSRPv6 is the protocol that prevents this. It runs on port 2029 and lets multiple physical routers share a single virtual identity, so when one fails, another takes over without anyone noticing.
What HSRPv6 Does
HSRP stands for Hot Standby Router Protocol. The "hot" matters: the standby router isn't dormant or cold. It's running, watching, and ready. The moment the active router stops responding, the standby steps into its role — same virtual IP address, same virtual MAC address, seamless continuity.
Devices on the network are configured to send their traffic to a virtual IP address. They don't know — and don't need to know — which physical router is currently serving that address. That's the whole point.
HSRPv6 is the IPv6 version of this protocol. It sends hello packets to the IPv6 multicast address FF02::66 on UDP port 2029, which is how routers in an HSRP group find each other and elect who's active.1
How the Handoff Works
HSRP routers in a group elect one active router and one standby router. The active router handles all traffic. The standby watches the active with periodic hello messages.
If the standby stops receiving hellos — typically within three missed intervals — it assumes the active router has failed and promotes itself. It takes over the virtual IP and virtual MAC. From the perspective of every device on the network, nothing changed.
The protocol also supports priority-based elections: you can configure which router should be active by preference, so when the primary router comes back online, it can preempt and reclaim the active role.2
The Cisco Connection
HSRP is a Cisco proprietary protocol. The original version (which runs on UDP port 1985) was documented in RFC 2281 in 1998, but that RFC is informational — it describes the protocol without standardizing it.3 HSRP version 2, which added IPv6 support and the HSRPv6 variant on port 2029, has no corresponding RFC at all. It's Cisco's protocol, on Cisco's terms.
This is common in enterprise networking. Cisco equipment is everywhere, so Cisco protocols become de facto standards even without formal standardization. If you run Cisco routers, you probably run HSRP.
For non-Cisco environments, the open alternative is VRRP (Virtual Router Redundancy Protocol, RFC 5798), which achieves much of the same goal with actual standardization. GLBP (Gateway Load Balancing Protocol) is another Cisco proprietary extension, not an open one.
Security Considerations
HSRP has a history of authentication weaknesses. Early versions used a plaintext community string — trivially sniffable. An attacker who could observe HSRP traffic could inject their own HSRP messages with a higher priority, elect themselves as the active router, and intercept all traffic on the segment.
HSRP version 2 supports MD5 authentication, which substantially improves this. If you're running HSRPv6 on port 2029, MD5 authentication should be configured. Unauthenticated HSRP on any network you don't fully control is a significant risk.4
Port 2029 also sees regular scanning activity — probes looking for exposed HSRP infrastructure. HSRP is a protocol meant to run between routers inside your network, not exposed to the Internet. Firewall rules should prevent external traffic from reaching UDP 2029 on your routers.
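The two checks this section implies (only known routers should be sending hellos to FF02::66, and nothing from off the local link should reach UDP 2029) can be run over flow records. The following is an added example, not part of the original page or any Cisco tooling; the flow record layout, the router allow-list and all addresses are constructed assumptions.

```python
import ipaddress

HSRPV6_PORT = 2029                                  # UDP port named on this page
HSRPV6_GROUP = ipaddress.ip_address("ff02::66")     # multicast group named on this page

# Assumption: link-local addresses of the routers that are supposed to run HSRPv6.
KNOWN_ROUTERS = {ipaddress.ip_address("fe80::1"), ipaddress.ip_address("fe80::2")}

# Constructed flow records: "src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
fe80::1 2029 ff02::66 2029 udp
fe80::2 2029 ff02::66 2029 udp
fe80::99 2029 ff02::66 2029 udp
2001:db8:ffff::50 40000 2001:db8:10::1 2029 udp
fe80::1 546 ff02::1:2 547 udp
"""

def classify(line):
    """Return a finding label for one flow record, or None if it looks expected."""
    src, _sport, dst, dport, proto = line.split()
    if proto != "udp" or int(dport) != HSRPV6_PORT:
        return None                                 # not HSRPv6 traffic
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip == HSRPV6_GROUP:
        # Hellos to the group are only expected from the configured routers.
        return None if src_ip in KNOWN_ROUTERS else "unexpected-hsrp-speaker"
    if not src_ip.is_link_local:
        # HSRP is router-to-router on the local segment; routed traffic to
        # UDP 2029 means a firewall rule is missing or being probed.
        return "off-link-traffic-to-2029"
    return None

def findings(text):
    """Classify every non-empty record and return (source, label) pairs."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        label = classify(line)
        if label:
            results.append((line.split()[0], label))
    return results

if __name__ == "__main__":
    for source, label in findings(SAMPLE_FLOWS):
        print(f"{label}: {source}")
```
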
Checking What's Listening on Port 2029
On a Linux or macOS system:
On Windows:
On a Cisco router, you can inspect the HSRP state directly:
Unless you're running Cisco routing infrastructure with HSRPv6 configured, nothing should be listening on port 2029. If something unexpected is bound to this port on a server or workstation, that warrants investigation.