CiscoCCNPEnterprise NetworkingIntermediate25 min read

What Is HSRP vs VRRP vs GLBP in Networking?

Also known as: HSRP, VRRP, GLBP, first hop redundancy protocol, Cisco high availability

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

HSRP, VRRP, and GLBP are protocols that make a group of routers act like one virtual router. If the main router fails, a backup router automatically takes over, so devices on the network keep working without interruption. HSRP is Cisco proprietary, VRRP is an open standard, and GLBP adds load balancing across multiple routers. All three are used to provide redundancy and high availability in enterprise networks.

Must Know for Exams

For the Cisco CCNP Enterprise exam (350-401 ENCOR), HSRP, VRRP, and GLBP are explicitly listed in the exam blueprint under the topic of high availability and first-hop redundancy protocols. The exam expects you to know the differences between these protocols, including whether they are proprietary or open standard, how many routers can be active in a group, the virtual MAC address formats, timer values, and the election and failover processes. You must also understand GLBP's load-balancing algorithms (round-robin, weighted, and host-dependent).

Scenario-based questions are common, such as 'Which protocol should you use in a multivendor environment?' or 'Which protocol allows multiple routers to forward traffic simultaneously?' Configuration and troubleshooting questions may ask you to identify misconfigurations, such as mismatched HSRP group numbers or incorrect priority settings that prevent failover.

The ENCOR exam also tests your knowledge of preemption, object tracking, and interface tracking, which are features that interact with these protocols. You should be able to interpret show commands like 'show standby brief' for HSRP, 'show vrrp brief' for VRRP, and 'show glbp brief' for GLBP. You may also see questions that ask you to compare the three protocols in a table format, or to choose the best protocol for a given scenario based on requirements like vendor interoperability, load balancing, or maximum number of routers in a group.

Because the exam emphasizes network assurance and automation, you might also be asked how these protocols integrate with technologies like EtherChannel, Spanning Tree Protocol, or IP Service Level Agreements (IPSLA) for more intelligent failover decisions. Understanding the nuances of each protocol will help you answer both multiple-choice and simulation-based questions confidently.

Simple Meaning

Imagine you are in a large office building with a single reception desk. Everyone who enters the building goes to that desk to get a visitor badge. Now what happens if the receptionist steps away for a break?

People queue up, waiting, and no one gets a badge until the receptionist returns. This is like a network with only one router handling all the traffic. If that router fails, every device loses its connection to the internet or other parts of the network.

To avoid this, you install a second reception desk with another receptionist. But now a visitor walks in and has to decide which desk to approach. They might pick one, but if that receptionist is busy, they might have to wait even though the other desk is free.

This is like having two routers but no coordination between them. The protocols HSRP, VRRP, and GLBP solve this by making the two reception desks appear as one. The visitor sees a single sign that says Reception, and they walk to that single point.

Behind the scenes, the two receptionists communicate. One is the active receptionist, and the other is on standby. If the active one steps away, the standby instantly takes over. The visitor never sees the swap.

In networking terms, these protocols create a virtual IP address and a virtual MAC address that devices on the network use as their default gateway. The group of routers shares this virtual address, but only one router is active at a time (or more in the case of GLBP). When the active router fails, another router in the group assumes the virtual address and continues forwarding traffic with almost no delay.

The devices on the network never need to change their configuration because the virtual gateway address stays the same. The difference between the three protocols is how they choose the active router and whether they can share the traffic load. HSRP is Cisco's own protocol, VRRP is an industry standard that works with any vendor, and GLBP goes a step further by allowing multiple routers to forward traffic at the same time, sharing the load rather than having one active and the rest idle.

This makes the network not only highly available but also more efficient.

Full Technical Definition

HSRP (Hot Standby Router Protocol), VRRP (Virtual Router Redundancy Protocol), and GLBP (Gateway Load Balancing Protocol) are first-hop redundancy protocols (FHRPs) designed to eliminate the single point of failure inherent in a default gateway configuration. In a typical IP network, every host is configured with a default gateway IP address pointing to a single router. If that router fails, all hosts lose connectivity to other networks. FHRPs solve this by allowing two or more routers to share a virtual IP address and virtual MAC address, so that a failure of the active router triggers an automatic failover to a standby router, with minimal disruption.

HSRP is a Cisco proprietary protocol defined in RFC 2281. It runs between 2 and 16 routers in an HSRP group. One router is elected as the active router, another as standby, and the rest are in a listening state. HSRP uses a priority value (1 to 255) and preemption (optional) to determine active status. Routers exchange hello messages every 3 seconds by default over UDP port 1985, using the multicast address 224.0.0.2. The active router sends periodic hello messages; if the standby router misses three consecutive hellos (10 seconds by default), it assumes the active router is down and becomes active. HSRP provides a single virtual MAC address (0000.0c07.acXX, where XX is the group number in hex) that the active router uses. Multiple HSRP groups can be configured on a single interface for load sharing on different VLANs or subnets, but each group has only one forwarding router.

VRRP is an open standard protocol defined in RFC 3768 (later RFC 5798). It is vendor-neutral and works with routers from any manufacturer. VRRP operates similarly to HSRP but uses different timers and addressing. VRRP routers use the multicast address 224.0.0.18 and IP protocol number 112. The virtual MAC address is 0000.5e00.01XX, where XX is the VRRP group number. VRRP uses an election process based on priority (1 to 254, with 100 as default). The router with the highest priority becomes the master; if a tie occurs, the router with the highest primary IP address wins. Preemption is enabled by default. VRRP has a key advantage over HSRP in that it supports the use of the real IP address of a router as the virtual IP address, which simplifies some scenarios. VRRP does not have a concept of a standby router that is explicitly tracked; instead, it simply has one master and one or more backups. VRRP advertises every 1 second by default, and the master down timer is typically 3 seconds.

GLBP is a Cisco proprietary protocol that provides both redundancy and load balancing. Unlike HSRP and VRRP, where only one router actively forwards traffic at a time, GLBP allows up to four routers in a group to share the forwarding load. GLBP elects one router as the active virtual gateway (AVG). The AVG assigns a virtual MAC address to each member router in the group, and it responds to ARP requests from hosts with the virtual MAC of a specific forwarding router, using a round-robin or weighted algorithm. Each forwarding router is called an active virtual forwarder (AVF). GLBP uses hello messages sent to multicast address 224.0.0.102 over UDP port 3222, with a default hello interval of 3 seconds. The virtual MAC format is 0007.b4XX.XXYY, where XX.XX is the group number and YY identifies the forwarder. GLBP supports up to 1024 virtual routers per physical interface and can be configured with weighted load balancing based on interface capacity. This makes GLBP ideal for environments where maximizing link utilization is critical.

Real-Life Example

Think of a busy hospital emergency room with multiple doctors on duty. Patients arriving at the ER are triaged at a single check-in desk. The hospital ensures that at least one doctor is always available to handle incoming cases.

This setup is like using HSRP or VRRP: one doctor is on duty (active), and a second doctor is in the break room (standby). If the duty doctor becomes unavailable, the standby doctor instantly takes over, and patients continue to receive care without interruption. Only one doctor is working at any given time.

Now imagine a hospital that uses a different system: a lead physician (the AVG) assigns incoming patients to one of several doctors on duty based on who is least busy. Each doctor has their own treatment room. When a patient arrives, the lead physician directs them to a specific doctor.

All doctors are actively treating patients simultaneously, and if one doctor finishes a case, the lead physician sends the next patient to that doctor. This is how GLBP works. In this analogy, the patients are data packets, the doctors are routers, and the lead physician is the AVG.

The hospital achieves both redundancy and efficient use of all doctor resources. The key mapping is: the check-in desk is the virtual IP address that devices use as their default gateway. In the HSRP/VRRP model, only one doctor (router) ever treats patients (forwards traffic) at a time, so the other doctor's skills are wasted.

In the GLBP model, all doctors work, so the hospital treats more patients per hour without buying more equipment. This analogy shows how GLBP provides load sharing while HSRP and VRRP do not. For network professionals, this difference matters when planning for high traffic volumes and cost efficiency.

Why This Term Matters

In real IT work, network downtime directly costs money, productivity, and sometimes even safety. A hospital, a stock exchange, or an e-commerce website cannot afford to lose connectivity for even a few minutes. HSRP, VRRP, and GLBP are core tools for building a resilient network architecture that can survive hardware failures, link outages, or planned maintenance without users noticing.

When a network engineer configures a router as a default gateway for hundreds or thousands of devices, they are creating a single point of failure. If that router goes down, every single device loses internet access. By implementing a first-hop redundancy protocol, the engineer eliminates that single point of failure.

In practice, most enterprise networks use VRRP because it is an open standard and works with mixed-vendor environments. Cisco shops often use HSRP or GLBP depending on whether they need load balancing. GLBP is especially useful in data centers where bandwidth utilization is under constant scrutiny.

Without GLBP, half the router capacity remains idle during normal operation. With GLBP, all routers carry traffic, potentially delaying or avoiding a hardware upgrade. For cloud infrastructure and virtualized environments, these protocols are also important.

Virtual routers in platforms like VMware NSX or AWS can use VRRP-like mechanisms to ensure high availability for virtual networks. Understanding these protocols is foundational for anyone pursuing a career in networking, because redundancy is not a luxury it is a requirement for any production network. In cybersecurity terms, a single outage can be exploited by attackers as a diversion or can cause data loss if sessions are dropped.

HSRP, VRRP, and GLBP minimize that risk.

How It Appears in Exam Questions

In certification exams like Cisco ENCOR, you will see several types of questions regarding HSRP, VRRP, and GLBP. Multiple-choice questions often ask you to compare features, for example: 'Which protocol is an open standard?' or 'Which protocol supports load balancing across multiple routers?'

or 'What is the default hello timer for HSRP?' Another common pattern is a scenario where you must select the appropriate protocol. For instance, 'A company has a mix of Cisco and Juniper routers.

Which first-hop redundancy protocol should they use?' The correct answer is VRRP, because it is vendor-neutral. You might also see configuration questions that present a partial configuration and ask you to identify the missing command or the error.

For example: 'R1 is configured as the active HSRP router for group 10 with a priority of 150. R2 has a priority of 100. When R1 fails, R2 becomes active. After R1 recovers, it remains in the standby state.

Why?' The answer would be that preemption is not enabled. Troubleshooting questions are also frequent. They might give you output from show commands and ask why failover did not occur as expected.

Common issues include mismatched authentication strings, mismatched HSRP version, or incorrect virtual IP addresses. Architecture questions may ask about the design implications, such as: 'You are designing a network with two routers and 200 hosts. You need to use both routers to forward traffic to increase throughput.

Which protocol should you choose?' The answer is GLBP, because it is the only one that allows multiple routers to forward traffic simultaneously using the same virtual IP address. Some questions may also probe your understanding of the virtual MAC addresses, especially in a switched environment where the switch MAC table must learn the virtual MAC.

For example: 'Which MAC address does an HSRP group with number 10 use?' You should know it is 0000.0c07.ac0a.

Study encor

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A small company called NovaTech has 150 employees working in a single office. They have two Cisco routers connecting to the internet through a single ISP. Router A is the main gateway, and Router B is a spare.

The IT manager configured all employee computers with the default gateway IP 192.168.1.1, which is Router A's interface. This works fine until Router A crashes due to a power supply failure.

Suddenly, no one at NovaTech can access email, cloud applications, or the internet. The IT manager quickly swaps cables to Router B, but the employees have to either change their gateway IP or wait for a DHCP lease renewal. This is a classic single point of failure problem.

The manager decides to implement HSRP between the two routers. They create an HSRP group with the virtual IP address 192.168.1.254. Both routers are configured to use this virtual IP.

All employee computers are reconfigured to use 192.168.1.254 as their default gateway. Router A is elected as the active router with a priority of 120, and Router B is the standby with priority 100.

Six months later, Router A fails again. This time, within 10 seconds, Router B detects the loss of hello messages and takes over as the active router, using the virtual IP 192.168.1.

254. The employees do not notice any outage because their gateway address never changed. The IT manager replaces Router A, and after it comes back online, it stays in standby mode because preemption was not enabled.

Later, the manager enables preemption so that Router A automatically resumes its role as the active router after recovery, ensuring the preferred hardware handles the main traffic load.

Common Mistakes

Thinking that HSRP, VRRP, and GLBP are interchangeable and always behave the same way.

These protocols have fundamental differences in standards, load balancing capabilities, and operational behavior. Using HSRP in a multivendor environment will fail because HSRP is Cisco proprietary. Assuming GLBP is just like VRRP with a different name leads to incorrect design choices.

Learn the key differentiators: HSRP is Cisco proprietary, VRRP is open standard, and GLBP provides load balancing. Always choose the protocol that matches the vendor environment and traffic requirements.

Configuring the active and standby routers with different virtual IP addresses.

For the redundancy to work, all routers in the group must be configured with the same virtual IP address. The virtual IP is the address that hosts use as their default gateway. If they differ, failover will not function correctly.

On each router in the group, configure the same virtual IP address using the standby ip, vrrp ip, or glbp ip command, depending on the protocol.

Assuming that HSRP and VRRP provide load balancing by default across multiple routers in the group.

In HSRP and VRRP, only one router actively forwards traffic at any given time. All other routers are idle, waiting for the active router to fail. They do not share the load. Only GLBP allows multiple routers to forward simultaneously.

If load balancing is required, choose GLBP. Alternatively, you can use multiple HSRP groups on different subnets or VLANs, but that is not true per-packet load balancing.

Forgetting to enable preemption when you want a higher-priority router to resume active status after recovering from a failure.

Without preemption, once a router becomes active (for example, after a failover), it stays active even if the original primary router comes back online with a higher priority. This can cause suboptimal traffic flow if the original router has better performance or connectivity.

Use the standby preempt command (HSRP), vrrp preempt command, or glbp preempt command on the routers that should reclaim the active role after recovery.

Mismatching the authentication string or method among routers in the same group.

HSRP and VRRP support plaintext or MD5 authentication. If the authentication strings or types do not match across all routers in the group, they will not form a neighbor relationship, and failover will not work.

Configure identical authentication settings on all participating routers. Use the same key string and authentication mode (text or md5).

Confusing the multicast addresses used by the protocols.

HSRP uses 224.0.0.2 (all routers), VRRP uses 224.0.0.18, and GLBP uses 224.0.0.102. Using the wrong multicast address in a configuration or troubleshooting can lead to confusion, especially when looking at packet captures or ACL definitions.

Memorize the multicast addresses: HSRP: 224.0.0.2, VRRP: 224.0.0.18, GLBP: 224.0.0.102. This is a common exam detail.

Exam Trap — Don't Get Fooled

The exam may present a scenario where VRRP is used and ask about the concept of 'owner' or 'IP address owner'. Study the VRRP standard carefully. Remember that VRRP has a special case: if one of the routers has the virtual IP configured as its own real IP address, that router is the IP address owner and will always be the master when it is up, regardless of priority values.

This is a key difference from HSRP, which does not have this concept. In HSRP, priority always decides the active router, and preemption must be enabled for a higher-priority router to take over after a failure.

Commonly Confused With

HSRP vs VRRP vs GLBPvsSpanning Tree Protocol (STP)

STP prevents loops in a switched network by blocking redundant links, while HSRP/VRRP/GLBP provide router redundancy by making multiple routers appear as one gateway. STP works at Layer 2 and deals with bridge loops; FHRPs work at Layer 3 and deal with default gateway availability.

STP ensures that if you connect two switches with two cables, only one path is active to avoid broadcast storms. HSRP ensures that if you have two routers connected to the same subnet, one takes over if the other fails.

HSRP vs VRRP vs GLBPvsEtherChannel (Link Aggregation)

EtherChannel combines multiple physical links between two switches into one logical link for increased bandwidth and redundancy. HSRP/VRRP/GLBP combine multiple routers into one virtual router for gateway redundancy. EtherChannel is a Layer 1/2 technology, while FHRPs are Layer 3.

EtherChannel is like having multiple lanes on a highway between two cities. HSRP is like having a backup driver in the same car who can take the wheel if the first driver falls asleep.

HSRP vs VRRP vs GLBPvsServer Load Balancing (SLB)

Server load balancing distributes incoming traffic across multiple servers to balance the load and provide redundancy. GLBP does something similar but for routers and at Layer 3, not for servers. SLB typically uses a virtual IP address and distributes connections based on algorithms like round-robin, but it operates on whole TCP/UDP flows, not on packets to the default gateway.

SLB is like a restaurant host seating customers at different tables. GLBP is like a traffic cop directing cars to different lanes on a bridge.

Step-by-Step Breakdown

1

Step 1: Define the Virtual IP and Virtual MAC.

An HSRP, VRRP, or GLBP group is assigned a virtual IP address that will serve as the default gateway for hosts on that subnet. The protocol also defines a virtual MAC address. For HSRP, this MAC is 0000.0c07.acXX. For VRRP, it is 0000.5e00.01XX. For GLBP, it is 0007.b4XX.XXYY. This virtual MAC is used by the active router (or forwarder) to respond to ARP requests and forward traffic.

2

Step 2: Routers Exchange Hello Messages.

All routers in the group send periodic hello messages to a specific multicast address. HSRP uses 224.0.0.2 on UDP port 1985. VRRP uses 224.0.0.18 on IP protocol 112. GLBP uses 224.0.0.102 on UDP port 3222. These hellos advertise each router's priority and state, allowing routers to monitor each other's health.

3

Step 3: Election of Active Router (or Master/AVG).

Based on the priority values received in hello messages, the routers elect a single active router (in HSRP/VRRP) or an Active Virtual Gateway (in GLBP). The router with the highest priority wins. If priorities are equal, the router with the highest IP address is elected. In VRRP, the IP address owner automatically becomes master regardless of priority.

4

Step 4: The Active Router Assumes the Virtual IP and MAC.

The elected active router (or master) begins using the virtual IP and virtual MAC address. It responds to ARP requests for the virtual IP with its virtual MAC. Hosts send all traffic destined for other networks to this virtual IP, and the active router forwards that traffic.

5

Step 5: Standby Routers Monitor the Active Router.

The standby routers (or backup routers) continue to listen for hello messages from the active router. They do not forward traffic for the virtual IP. They track the hold timer, which is typically three times the hello interval. If the timer expires without receiving a hello, the standby router assumes the active router has failed.

6

Step 6: Failover Occurs.

When a standby router detects that the active router is no longer sending hellos, it transitions to the active state (or master state). It starts using the virtual IP and virtual MAC addresses. It sends gratuitous ARP messages to update the switches and hosts about the new MAC address for the virtual IP. Traffic flow resumes with minimal interruption.

7

Step 7: (Optional) Preemption and Object Tracking.

If preemption is enabled, a router that recovers from a failure or that has a higher priority can take over the active role from the current active router. Object tracking allows the router to monitor other conditions, such as an uplink interface going down, and adjust its priority or initiate a failover proactively.

8

Step 8: In GLBP, Additional Load Balancing Occurs.

After the AVG is elected, it assigns virtual MAC addresses to up to four AVFs. When a host sends an ARP request for the virtual IP, the AVG responds with the virtual MAC of a specific AVF, using a round-robin or weighted algorithm. Each AVF then forwards the traffic it receives, distributing the load.

Practical Mini-Lesson

In a real-world network, configuring a first-hop redundancy protocol requires careful planning. Start by deciding which protocol suits your environment. For a pure Cisco shop, HSRP is simple and widely supported.

For a multivendor environment, use VRRP. If you need to maximise link utilization, GLBP is the best choice. The configuration steps are similar across protocols. On each router interface that will participate, you define the virtual IP address and set a priority.

For HSRP, the command is 'standby group-number ip virtual-ip-address'. For VRRP, it is 'vrrp group-number ip virtual-ip-address'. For GLBP, it is 'glbp group-number ip virtual-ip-address'.

Priority is set with 'standby group-number priority value', 'vrrp group-number priority value', or 'glbp group-number priority value'. Enabling preemption is critical if you want a specific router to always be the active one when it is online. Use 'standby preempt', 'vrrp preempt', or 'glbp preempt'.

You should also configure authentication to prevent rogue routers from joining the group. Use 'standby authentication string', 'vrrp authentication string', or 'glbp authentication string'. For HSRP and VRRP, you can use MD5 or plaintext.

For troubleshooting, use 'show standby brief', 'show vrrp brief', or 'show glbp brief'. These commands display the group number, priority, state (active/standby/master/backup), virtual IP, and timers. Common issues include mismatched virtual IPs, differing authentication keys, and firewalls blocking the multicast traffic.

If failover does not happen, check that hello packets are being received by using debug commands like 'debug standby events' or 'debug vrrp events'. Remember that these protocols rely on a shared subnet. All routers in the group must be in the same VLAN and connected to the same Layer 2 domain.

Also, consider the impact on switch MAC tables. When a failover occurs, the new active router sends a gratuitous ARP, which updates the switch's CAM table. This process is fast, typically under a few seconds.

For a more robust solution, combine these protocols with interface tracking. For example, you can use 'standby track' to lower the HSRP priority of a router if its WAN interface goes down, making the other router take over. This prevents the router from being active but unable to send traffic to the next hop.

GLBP also supports weighted tracking, where the weight of a router determines how many connections it receives. Practically, you can configure an IP SLA probe to track a remote destination and adjust the priority based on reachability. This makes the failover more intelligent.

For exam success, focus on memorizing default timers, multicast addresses, MAC addresses, and the key differences. Also practice interpreting show command output so you can quickly identify which router is active and why. Understanding these protocols at a practical level will also help you in job interviews and real network deployments, where high availability is often a critical requirement.

Memory Tip

Remember the multicast addresses by the last octet: HSRP uses .2 (two routers in a pair), VRRP uses .18 (18 is the age of adulthood, VRRP is the mature open standard), GLBP uses .102 (one hundred and two is 'get load balancing done'). For MAC addresses: HSRP starts with 0000.0c07 (Cisco's OUI), VRRP starts with 0000.5e00 (IANA's OUI), GLBP starts with 0007.b4 (b4 as in 'before' you need load balancing).

Covered in These Exams

Related Glossary Terms

Frequently Asked Questions

Can I use HSRP with non-Cisco routers?

No. HSRP is a Cisco proprietary protocol and is not supported on routers from other vendors. For multivendor environments, use VRRP, which is an open standard.

How many routers can participate in an HSRP group?

An HSRP group can have up to 16 routers, but only one router is active and one is standby at a time. The remaining routers are in a listening state.

Does VRRP support authentication?

Yes, VRRP supports plaintext and MD5 authentication. It is important to configure the same authentication type and key on all routers in the group.

What is the main advantage of GLBP over HSRP?

GLBP allows multiple routers to forward traffic simultaneously, providing load balancing across up to four routers. HSRP only permits one active router at a time.

What happens to live sessions during a failover?

The failover process is transparent to hosts because the virtual IP address remains the same. However, live sessions may be disrupted if the newly active router does not have the same state table. For stateful failover, you need additional technologies like stateful switchover (SSO) or session synchronization.

What is the default hello timer for HSRP?

The default hello timer for HSRP is 3 seconds. The hold timer is 10 seconds by default, meaning a standby router will declare the active router dead after missing three consecutive hellos.

How do I make a specific router always be the active router in VRRP?

Set the priority of that router to the highest value in the group (up to 254). Additionally, if the virtual IP is the real IP of that router, it becomes the IP address owner and will always be the master when online, regardless of priority.

Can I run HSRP and VRRP on the same interface?

No, you cannot run both protocols on the same interface for the same purpose. They would conflict over the virtual IP and MAC addresses. You can run multiple HSRP groups on the same interface for different VLANs, but mixing HSRP and VRRP is not recommended.

Summary

HSRP, VRRP, and GLBP are all first-hop redundancy protocols that eliminate the single point of failure in a default gateway configuration. They enable multiple routers to work together as a single virtual router, ensuring that if one router fails, another takes over automatically. The choice between them depends on your environment: HSRP is Cisco proprietary and simple to set up, VRRP is the open standard ideal for multivendor networks, and GLBP adds the powerful benefit of load balancing across multiple active routers.

For certification exams like Cisco ENCOR, you must know the default timers, multicast addresses, virtual MAC addresses, election processes, and configuration commands for each protocol. Common exam traps include confusing the IP address owner concept in VRRP, forgetting about preemption, and assuming HSRP and VRRP provide load balancing. By understanding these protocols thoroughly, you will be prepared to design resilient networks, troubleshoot failover issues, and answer exam questions with confidence.

Remember that redundancy is not just about failover it is about maintaining business continuity, and these protocols are fundamental tools in any network engineer's toolkit.