CCNA 200-301 | Chapter 71 of 260 | Objective 3.8

FHRP: HSRP vs VRRP vs GLBP

If you've ever wondered how two routers can share a single IP address to keep your network running when one fails, you've entered the world of First Hop Redundancy Protocols (FHRPs). This topic is critical for the CCNA 200-301 exam (objective 3.8) and for real-world network engineering because it ensures default gateway availability—a fundamental requirement for any IP network. We'll dissect HSRP, VRRP, and GLBP, comparing their mechanisms, states, and configuration so you can choose the right tool for the job and ace the exam questions.

25 min read
Intermediate
Updated May 31, 2026

The Backup Singer in a Band

Imagine a band performing on stage. The lead singer (the active router) is the one the audience hears through the main microphone. But what if the lead singer loses their voice? The band can't stop—the show must go on. So there's a backup singer (the standby router) standing by, ready to take over instantly. In HSRP, the backup singer listens to the lead singer's monitor feed (hello messages). If the backup doesn't hear the lead for a few seconds (hold timer), they step up to the main mic and take over the lead vocals. The audience never notices the switch because the same song (virtual IP address) is being sung. In VRRP, it's similar, but the lead singer is the 'master' and the backup is the 'backup'—they share the same mic (virtual IP) and the backup can even sing along if the master is silent for too long. GLBP is like having multiple backup singers who can all take turns singing lead, sharing the workload so no one gets tired. The audience still hears the same song, but different singers handle different verses (load balancing). This analogy captures the core idea of a virtual IP address that is always reachable, with routers electing who handles traffic and who waits in the wings.

How It Actually Works

What are First Hop Redundancy Protocols?

First Hop Redundancy Protocols (FHRPs) allow two or more routers to share a single virtual IP address (VIP) and virtual MAC address, providing redundancy for the default gateway on a subnet. Hosts configure the VIP as their default gateway; if the active router fails, another router takes over transparently. The three main FHRPs are:

HSRP (Hot Standby Router Protocol) – Cisco proprietary, uses an active/standby model with one active router handling traffic and one or more standby routers waiting.

VRRP (Virtual Router Redundancy Protocol) – Industry standard (RFC 5798), similar to HSRP but with an owner concept, and it uses the physical MAC address of the active router by default.

GLBP (Gateway Load Balancing Protocol) – Cisco proprietary, provides active/active load balancing across multiple routers, all forwarding traffic while providing redundancy.

HSRP – Hot Standby Router Protocol

HSRP operates with a group of routers sharing a virtual IP and virtual MAC (0000.0c07.acXX, where XX is the group number in hex). Routers elect an active router and one or more standby routers. The active router responds to ARP requests for the VIP and forwards traffic. The standby router monitors the active via hello messages (default 3 seconds) and takes over after a hold time (default 10 seconds) if hellos stop.

HSRP States:
- Initial – Router just started or interface down.
- Learn – Router doesn't know the VIP; waits to hear from active.
- Listen – Router knows VIP; listens for hellos from active/standby.
- Speak – Router participates in election; sends hellos.
- Standby – Router is the backup; monitors active.
- Active – Router is forwarding traffic for the group.

HSRP Versions:
- HSRPv1 – Uses multicast 224.0.0.2, supports up to 255 groups, group numbers 0-255.
- HSRPv2 – Uses multicast 224.0.0.102, supports up to 4096 groups, group numbers 0-4095, and adds IPv6 support.

Configuration Example:

interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 timers 1 3

Verification Commands:

show standby
show standby brief

Example output:

Router# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/0       1    110 P Active  local           192.168.1.3     192.168.1.1

VRRP – Virtual Router Redundancy Protocol

VRRP is an open standard (RFC 5798). It uses the concept of a virtual router with a virtual IP that can be the same as the physical IP of one router (the owner). The master router is the one with highest priority (default 100). VRRP uses the virtual MAC 0000.5e00.01XX (XX is group number in hex).

VRRP States:
- Initialize – Interface down or router starting.
- Master – Router is forwarding traffic and sending VRRP advertisements (default 1 second).
- Backup – Router monitors master; if no advertisements for 3 times the advertisement interval (master down interval), it becomes master.

Key Differences from HSRP:
- VRRP allows the virtual IP to be the same as the physical IP of the master (owner). HSRP cannot use the physical IP as the virtual IP.
- VRRP does not have a separate standby state; the backup is simply backup.
- VRRP uses the physical MAC of the master by default, but can also use a virtual MAC.

Configuration Example:

interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 vrrp 1 ip 192.168.1.1
 vrrp 1 priority 110
 vrrp 1 preempt

Verification Commands:

show vrrp
show vrrp brief

GLBP – Gateway Load Balancing Protocol

GLBP provides load balancing by allowing multiple routers to forward traffic simultaneously while still providing redundancy. It uses a single virtual IP and multiple virtual MAC addresses. One router is elected as the Active Virtual Gateway (AVG), which assigns virtual MAC addresses to the other routers (Active Virtual Forwarders - AVFs). Hosts' ARP requests are answered with different virtual MACs, distributing traffic.

GLBP Components:
- AVG (Active Virtual Gateway) – Manages the group, responds to ARP requests, assigns virtual MACs.
- AVF (Active Virtual Forwarder) – Forwards traffic for assigned virtual MAC.
- Standby – Backup AVG.

GLBP States:
- Disabled – Interface down.
- Listen – Listening for hello messages.
- Speak – Participating in election.
- Standby – Backup AVG.
- Active – AVG or AVF.

Configuration Example:

interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 glbp 1 ip 192.168.1.1
 glbp 1 priority 110
 glbp 1 preempt

Verification Commands:

show glbp
show glbp brief

Interaction with Other Protocols

FHRPs interact with Spanning Tree Protocol (STP) because both provide redundancy, but at different layers. STP prevents loops at Layer 2, while an FHRP provides gateway redundancy at Layer 3. The two must be aligned: the active FHRP router should be on the same switch as the STP root bridge to avoid suboptimal traffic paths. HSRP and VRRP can also use tracking to adjust priority based on uplink status.

Walk-Through

1. Configure HSRP on Two Routers

On Router1 (R1) and Router2 (R2), configure HSRP on the LAN interface. Use the same group number and virtual IP. Set priorities: higher priority becomes active. Enable preempt so the higher priority router reclaims active role after recovery. Set timers for faster convergence (optional). Verify with 'show standby brief'.

2. Configure VRRP on Two Routers

Similar to HSRP but use 'vrrp' commands. Note that VRRP allows the virtual IP to match the physical IP of one router (owner). Set priority and preempt. Verify with 'show vrrp brief'. Understand that VRRP uses the physical MAC of the master by default, which can cause issues if the master changes.

3. Configure GLBP for Load Balancing

On both routers, configure GLBP with the same group and virtual IP. Set priorities to influence AVG election. Preempt ensures the highest priority router becomes AVG. Verify with 'show glbp brief'. Note that GLBP assigns multiple virtual MACs; hosts get different MACs via ARP replies.

4. Test Failover and Preemption

Simulate failure by shutting down the active router's interface. Observe the standby taking over. For HSRP, check that the standby becomes active after hold time. For VRRP, check master down timer. For GLBP, check AVG failover. Then re-enable the interface; with preempt, the original active should reclaim its role.

5. Use Tracking to Influence Priority

Configure tracking on the active router to reduce priority if an uplink fails. For HSRP: 'standby 1 track interface Serial0/0/0 20'. For VRRP: 'vrrp 1 track interface Serial0/0/0 20'. For GLBP: 'glbp 1 track interface Serial0/0/0 20'. This causes failover when the tracked interface goes down.

6. Verify and Troubleshoot

Use 'debug standby', 'debug vrrp', or 'debug glbp' to see state changes. Check timers: HSRP default hello 3 sec, hold 10 sec; VRRP default advertisement 1 sec, master down 3 sec; GLBP default hello 3 sec, hold 10 sec. Ensure multicast routing is not blocking FHRP multicast addresses.
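The failover, preemption and tracking behaviour from steps 4 and 5, as an added example that is not part of the original page: a simplified Python model of HSRP election that assumes both routers boot together. The names Router, elect and scenario are hypothetical; the addresses, priority 110 and decrement 20 come from the configuration and tracking commands shown on this page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class Router:
    name: str
    ip: str                   # interface IP, used only as tie-breaker
    priority: int = 100       # default priority
    preempt: bool = False     # preempt is disabled by default
    track_decrement: int = 0  # e.g. 'standby 1 track interface Serial0/0/0 20'
    lan_up: bool = True
    uplink_up: bool = True

    def effective_priority(self) -> int:
        # Tracking subtracts the decrement while the tracked uplink is down.
        return self.priority - (0 if self.uplink_up else self.track_decrement)

def rank(r: Router):
    return (r.effective_priority(), int(IPv4Address(r.ip)))

def elect(routers, current=None):
    """Name of the active router once the group has converged (simplified model)."""
    alive = [r for r in routers if r.lan_up]
    if not alive:
        return None
    holder = next((r for r in alive if r.name == current), None)
    if holder is None:
        # Nobody is active: highest priority wins, highest IP breaks a tie.
        return max(alive, key=rank).name
    # An active router keeps the role unless a higher-priority router has preempt.
    challengers = [r for r in alive
                   if r.preempt and r.effective_priority() > holder.effective_priority()]
    return max(challengers, key=rank).name if challengers else holder.name

def scenario(r2_preempt: bool):
    """Replay uplink loss and LAN loss on R1; return the active router after each event."""
    r1 = Router("R1", "192.168.1.2", priority=110, preempt=True, track_decrement=20)
    r2 = Router("R2", "192.168.1.3", preempt=r2_preempt)
    group, history, active = [r1, r2], [], None
    events = [None, ("uplink_up", False), ("uplink_up", True),
              ("lan_up", False), ("lan_up", True)]
    for event in events:
        if event:
            setattr(r1, *event)
        active = elect(group, active)
        history.append(active)
    return history

if __name__ == "__main__":
    print("preempt on both   :", scenario(True))
    print("preempt on R1 only:", scenario(False))
```

With preempt missing on R2, the tracked uplink failure lowers R1 to 90 but R1 stays active, which is the black-hole case that tracking is meant to prevent.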

What This Looks Like on the Job

In enterprise networks, FHRPs are deployed to ensure that end devices can always reach their default gateway, even if a router fails. A common scenario is a pair of routers connected to a distribution switch. For example, in a campus network, two routers (or Layer 3 switches) are configured with HSRP to provide a virtual IP for each VLAN. The network engineer sets one router as active with a higher priority, and the other as standby. To prevent asymmetric routing, the engineer ensures that the HSRP active router is also the STP root for the corresponding VLAN.

Another scenario uses GLBP to load balance traffic across multiple routers. For instance, in a data center, two routers serve as gateways for a server farm. GLBP distributes traffic based on round-robin ARP replies, increasing throughput without requiring hosts to change configuration. The engineer must monitor the load distribution and adjust weights if needed.

A third scenario involves VRRP in a multi-vendor environment. Since VRRP is an open standard, it can interoperate between Cisco and Juniper routers. The engineer must be careful with the virtual IP: if it matches the physical IP of the owner, the owner always becomes master, which can be a single point of failure if that router fails. The engineer typically uses a separate virtual IP to allow any router to become master.

Common misconfigurations include mismatched timers between routers, lack of preempt causing a router not to reclaim its role after recovery, and forgetting to enable preempt on both sides. Also, tracking is often overlooked: if the active router loses its WAN uplink but remains LAN-connected, it still acts as gateway but cannot reach the internet, causing black-hole traffic. Tracking solves this by reducing priority when the uplink fails, triggering failover.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam objective 3.8 focuses on comparing FHRP protocols and understanding their basic operation. You will NOT be asked to configure them in a simulation (config is not in exam), but you must know the key differences, default timers, and virtual MAC addresses.

Common Wrong Answers and Why:
1. "HSRP uses multicast 224.0.0.5" – Wrong. HSRPv1 uses 224.0.0.2; HSRPv2 uses 224.0.0.102. Candidates confuse OSPF's 224.0.0.5 with HSRP.
2. "VRRP is Cisco proprietary" – Wrong. VRRP is an IEEE standard (RFC 5798). HSRP is Cisco proprietary.
3. "GLBP uses a single virtual MAC" – Wrong. GLBP uses multiple virtual MACs for load balancing.
4. "HSRP can use the physical IP as the virtual IP" – Wrong. HSRP requires a virtual IP different from any physical IP. VRRP allows it.

Specific Values to Memorize:
- HSRP virtual MAC: 0000.0c07.acXX (XX = group number in hex)
- VRRP virtual MAC: 0000.5e00.01XX (XX = group number in hex)
- GLBP virtual MAC: 0007.b400.XXYY (XX = group, YY = AVF)
- HSRP default hello: 3 sec, hold: 10 sec
- VRRP default advertisement: 1 sec, master down: 3 sec
- GLBP default hello: 3 sec, hold: 10 sec
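The virtual MAC formats above, turned into a small Python helper that builds a virtual MAC from a group number and recognises FHRP gateways in an ARP table. This is an added example, not part of the original page; the function names and the ARP lines are constructed for illustration, and the prefixes are the ones listed on this page.

```python
import re

# Prefixes exactly as this page lists them (separators removed).
PREFIXES = {
    "HSRP": "00000c07ac",  # 0000.0c07.acXX  (XX = group)
    "VRRP": "00005e0001",  # 0000.5e00.01XX  (XX = group)
    "GLBP": "0007b400",    # 0007.b400.XXYY  (XX = group, YY = forwarder)
}

def normalize(mac: str) -> str:
    """Accept dotted, colon or hyphen notation; return 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def virtual_mac(protocol: str, group: int, forwarder: int = 0) -> str:
    """Build the virtual MAC in Cisco dotted notation."""
    if not 0 <= group <= 255 or not 0 <= forwarder <= 255:
        raise ValueError("group and forwarder must each fit in one byte here")
    tail = f"{group:02x}{forwarder:02x}" if protocol == "GLBP" else f"{group:02x}"
    digits = PREFIXES[protocol] + tail
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def classify(mac: str):
    """Return (protocol, group, forwarder-or-None), or None for a non-FHRP MAC."""
    digits = normalize(mac)
    for protocol, prefix in PREFIXES.items():
        if digits.startswith(prefix):
            tail = digits[len(prefix):]
            if protocol == "GLBP":
                return protocol, int(tail[:2], 16), int(tail[2:], 16)
            return protocol, int(tail, 16), None
    return None

# Constructed ARP table in the layout of 'show ip arp' (sample data, not real output).
SAMPLE_ARP = """\
Protocol  Address        Age  Hardware-Addr   Type  Interface
Internet  192.168.1.1    -    0000.0c07.ac01  ARPA  GigabitEthernet0/0
Internet  192.168.2.1    5    0000.5e00.010a  ARPA  GigabitEthernet0/1
Internet  192.168.3.1    2    0007.b400.0102  ARPA  GigabitEthernet0/2
Internet  192.168.3.50   9    aabb.cc00.0100  ARPA  GigabitEthernet0/2
"""

def gateways(arp_text: str) -> dict:
    """Map each IP whose MAC is an FHRP virtual MAC to its classification."""
    found = {}
    for line in arp_text.splitlines():
        fields = line.split()
        try:
            hit = classify(fields[3]) if len(fields) >= 4 else None
        except ValueError:      # header line or malformed entry
            continue
        if hit:
            found[fields[1]] = hit
    return found
```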

Decision Rule for Scenario Questions: If the question asks about load balancing, choose GLBP. If it asks about an open standard, choose VRRP. If it asks about a Cisco-specific protocol with active/standby, choose HSRP. If the question mentions a virtual IP that matches a physical IP, VRRP is the only option. For MAC addresses, HSRP and VRRP have predictable patterns; GLBP uses a different format.

Key Takeaways

HSRP is Cisco proprietary, uses active/standby, virtual MAC 0000.0c07.acXX.

VRRP is IEEE standard (RFC 5798), allows virtual IP to match physical IP, uses virtual MAC 0000.5e00.01XX.

GLBP is Cisco proprietary, provides load balancing with multiple virtual MACs (0007.b400.XXYY).

HSRPv1 uses multicast 224.0.0.2; HSRPv2 uses 224.0.0.102.

Default timers: HSRP hello 3 sec, hold 10 sec; VRRP advertisement 1 sec, master down 3 sec; GLBP hello 3 sec, hold 10 sec.

Preempt is disabled by default on all protocols; must be enabled for higher priority router to reclaim active role.

Tracking allows priority adjustment based on interface state, preventing black-hole traffic.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

HSRP

Cisco proprietary

Active/Standby model

Virtual MAC: 0000.0c07.acXX

Multicast: 224.0.0.2 (v1) or 224.0.0.102 (v2)

Default hello 3 sec, hold 10 sec

Virtual IP must be different from physical IP

VRRP

Open standard (RFC 5798)

Master/Backup model

Virtual MAC: 0000.5e00.01XX

Multicast: 224.0.0.18

Default advertisement 1 sec, master down 3 sec

Virtual IP can equal physical IP of master

Watch Out for These

Mistake

HSRP and VRRP are the same protocol with different names.

Correct

HSRP is Cisco proprietary; VRRP is an open standard (RFC 5798). They have different virtual MACs, timers, and capabilities (VRRP allows virtual IP = physical IP).

Candidates often assume both are proprietary or both are standards because they serve the same purpose.

Mistake

GLBP uses a single virtual MAC like HSRP.

Correct

GLBP uses multiple virtual MACs (one per forwarder) to distribute traffic among routers.

Candidates may not realize GLBP's load-balancing feature requires multiple MACs.

Mistake

HSRP uses multicast address 224.0.0.5.

Correct

HSRPv1 uses 224.0.0.2; HSRPv2 uses 224.0.0.102. 224.0.0.5 is used by OSPF.

Candidates often confuse multicast addresses of routing protocols.

Mistake

Preempt is enabled by default in HSRP and VRRP.

Correct

Preempt is disabled by default. You must configure 'standby preempt' or 'vrrp preempt' to enable it.

Many assume that a higher priority router automatically takes over, but without preempt it only becomes active if the current active fails.


Frequently Asked Questions

What is the difference between HSRP and VRRP?

HSRP is Cisco proprietary, while VRRP is an open standard (RFC 5798). HSRP uses an active/standby model with a virtual MAC 0000.0c07.acXX; VRRP uses master/backup with virtual MAC 0000.5e00.01XX. VRRP allows the virtual IP to match the physical IP of the master, which HSRP does not. Default timers differ: HSRP hello 3 sec, hold 10 sec; VRRP advertisement 1 sec, master down 3 sec. For the exam, know that VRRP is the standard, HSRP is Cisco-only.

Can HSRP and VRRP be used together?

Technically yes, but they are separate protocols and cannot interoperate. You can run HSRP on one subnet and VRRP on another, or even on the same router but different interfaces. However, they cannot form a single redundancy group together. In a multi-vendor environment, use VRRP for interoperability.

What is the purpose of the 'preempt' command in HSRP?

Without preempt, if the active router fails and a standby takes over, when the original active comes back online, it will not automatically reclaim the active role even if it has higher priority. Preempt allows a router with higher priority to become active immediately, ensuring the most preferred router is always active. Disabled by default.

How does GLBP perform load balancing?

GLBP uses an Active Virtual Gateway (AVG) that responds to ARP requests with different virtual MAC addresses for different hosts. Each virtual MAC is assigned to a different router (Active Virtual Forwarder). Thus, hosts get different default gateway MACs, distributing traffic among routers. The AVG can use round-robin, weighted, or host-dependent algorithms.

What are the default timers for HSRP, VRRP, and GLBP?

HSRP: hello 3 seconds, hold 10 seconds. VRRP: advertisement interval 1 second, master down interval 3 seconds (3 * advertisement). GLBP: hello 3 seconds, hold 10 seconds. These timers can be adjusted with the 'timers' command.

What is the virtual MAC address for VRRP group 1?

0000.5e00.0101. VRRP virtual MAC is 0000.5e00.01XX where XX is the group number in hex. Group 1 in hex is 01, so the MAC is 0000.5e00.0101.

Why is tracking used with FHRP?

Tracking monitors an interface (e.g., WAN uplink) and adjusts the router's priority if that interface goes down. This prevents a router that has lost its upstream connectivity from remaining the active gateway, which would black-hole traffic. For example, if the active router's WAN link fails, tracking reduces its priority, causing a failover to a router with a working uplink.
