This chapter covers First Hop Redundancy Protocols (FHRPs)—specifically HSRP, VRRP, and GLBP—which are essential for providing high availability at the default gateway in IP networks. On the N10-009 exam, FHRP concepts appear in roughly 5–8% of questions under Objective 1.5 (compare and contrast routing technologies and bandwidth management concepts). You must understand how each protocol elects an active forwarder, how virtual MACs are generated, and the key differences in their operation. Mastery of FHRP is critical for troubleshooting network redundancy and for designing resilient campus networks.
Imagine a luxury hotel with a single front desk (the default gateway). Guests (end devices) know to go to the front desk to reach the outside world. But what if the concierge steps away? The hotel can't have guests wandering around. So the hotel hires three concierges (routers) but only one is active at a time. They share a single phone number (virtual IP) and a single name tag (virtual MAC). When the active concierge is busy or leaves, the others sense the silence (hello timers expire) and one takes over, wearing the same name tag and answering the same number. In HSRP, the concierges elect a leader and a standby; guests never know which one is helping them. In VRRP, the active router is called the master, and backups wait silently. In GLBP, all three concierges can answer calls simultaneously—each directs different guests to a different active concierge, sharing the load. The key is that the guests (hosts) always use the same virtual IP and MAC, so failover or load balancing is transparent to them. The concierges communicate among themselves to decide who does what, using hello messages every few seconds. If the active fails, the standby takes over in under 10 seconds, ensuring continuous service.
What is a First Hop Redundancy Protocol?
A First Hop Redundancy Protocol (FHRP) allows two or more routers to share a single virtual IP address and virtual MAC address, acting as a single default gateway for hosts on a LAN. If the active router fails, another router automatically takes over, ensuring uninterrupted connectivity. Without FHRP, hosts configured with a static default gateway would lose connectivity until the gateway IP is manually changed or DHCP renews. FHRP solves this by making the gateway itself redundant.
Why FHRP Exists
In a typical IP subnet, hosts are configured with a default gateway—usually a single router interface. If that router fails, all hosts lose off-subnet connectivity. Dynamic routing protocols can reroute traffic around the failed router, but hosts do not participate in routing protocols; they only know their configured gateway. FHRP provides a virtual gateway that is always available, transparent to the hosts.
The Three Main FHRPs
CompTIA Network+ N10-009 focuses on three FHRPs:
- HSRP (Hot Standby Router Protocol) – Cisco proprietary, defined in RFC 2281.
- VRRP (Virtual Router Redundancy Protocol) – IEEE standard 376, defined in RFC 5798.
- GLBP (Gateway Load Balancing Protocol) – Cisco proprietary, defined in RFC 2281-like but with load balancing.
HSRP – Hot Standby Router Protocol
HSRP is Cisco's original FHRP. It creates a virtual router with a virtual IP and a virtual MAC (0000.0c07.acXX, where XX is the HSRP group number in hex). HSRP routers elect one Active router and one Standby router; the rest remain in the Listen state. The Active router forwards traffic for the virtual IP. The Standby router monitors the Active router and takes over if it fails.
Key HSRP values:
- Hello timer: 3 seconds
- Hold timer: 10 seconds (3 × hello + skew)
- Active/Standby election: Higher priority (default 100) wins; if tie, higher IP wins.
- Preemption: Disabled by default (a higher-priority router that comes up later will not take over).
- Virtual MAC: 0000.0c07.acXX (XX = group number in hex)
HSRP States:
1. Initial – router not yet configured
2. Listen – router knows virtual IP but not active/standby
3. Speak – router sends hello messages and participates in election
4. Standby – candidate to become active
5. Active – currently forwarding traffic for the virtual IP
Configuration example (Cisco IOS):
interface GigabitEthernet0/0
ip address 192.168.1.2 255.255.255.0
standby 1 ip 192.168.1.1
standby 1 priority 110
standby 1 preempt
VRRP – Virtual Router Redundancy Protocol
VRRP is an open standard (RFC 5798). It is very similar to HSRP but with some differences. VRRP uses the term Master instead of Active, and Backup instead of Standby. The virtual MAC is 0000.5e00.01XX where XX is the VRRP group number in hex.
Key VRRP values:
- Advertisement interval: 1 second (default)
- Master down interval: 3 × advertisement interval + skew time (based on priority)
- Priority: 0-255 (default 100); 255 is reserved for the IP address owner
- Preemption: Enabled by default
- Virtual MAC: 0000.5e00.01XX
Key differences from HSRP:
- VRRP allows the router that owns the virtual IP (IP address owner) to have priority 255 automatically.
- VRRP uses a single multicast address (224.0.0.18) vs HSRP's 224.0.0.2 (HSRPv1) or 224.0.0.102 (HSRPv2).
- VRRP supports authentication (simple text or MD5) – HSRP also supports authentication.
- VRRP preempts by default; HSRP does not.
Configuration example (Cisco IOS):
interface GigabitEthernet0/0
ip address 192.168.1.2 255.255.255.0
vrrp 1 ip 192.168.1.1
vrrp 1 priority 110
GLBP – Gateway Load Balancing Protocol
GLBP is Cisco proprietary and provides load balancing among multiple routers in addition to redundancy. Instead of a single active router, GLBP allows up to four routers to forward traffic simultaneously. GLBP introduces the concept of an Active Virtual Gateway (AVG) and multiple Active Virtual Forwarders (AVFs).
How GLBP works:
- One router is elected as AVG. The AVG assigns a virtual MAC address to each member router (AVF).
- When a host sends an ARP request for the virtual IP, the AVG responds with one of the virtual MACs based on a load-balancing algorithm (round-robin, weighted, or host-dependent).
- Each AVF forwards traffic for its assigned virtual MAC.
- If an AVF fails, the AVG redistributes its virtual MAC to another AVF.
- GLBP uses a virtual MAC range: 0007.b400.XXYY where XX is the GLBP group number and YY is the AVF number.
Key GLBP values:
- Hello timer: 3 seconds
- Hold timer: 10 seconds
- AVG election: Higher priority (default 100) wins; if tie, higher IP wins.
- Preemption: Disabled by default for AVG; can be enabled.
- Load balancing methods: round-robin (default), weighted, host-dependent.
- Maximum of 4 AVFs per group.
Configuration example (Cisco IOS):
interface GigabitEthernet0/0
ip address 192.168.1.2 255.255.255.0
glbp 1 ip 192.168.1.1
glbp 1 priority 110
glbp 1 preempt
glbp 1 load-balancing round-robin
How FHRP Interacts with Other Technologies
Spanning Tree Protocol (STP): FHRP operates at Layer 3, while STP operates at Layer 2. Both can be used together. However, if the active router is connected to a blocked STP port, traffic may be affected. This is a common design consideration.
DHCP: Hosts obtain the virtual IP as their default gateway via DHCP. The DHCP server should be configured to hand out the virtual IP, not the physical IP of any router.
PortFast and BPDUguard: On access ports connecting to hosts, enable PortFast to avoid STP delays. FHRP convergence is independent of STP.
EtherChannel: FHRP can run over EtherChannel links. The virtual MAC is used for forwarding decisions.
Timers and Convergence
HSRP and GLBP have default hello of 3 seconds and hold of 10 seconds. VRRP has a default advertisement of 1 second, giving faster convergence (3 seconds). Sub-second timers can be configured for faster failover but increase CPU load.
Virtual MAC Addresses
Each FHRP uses a specific OUI for virtual MACs:
HSRP: 0000.0c07.acXX (Cisco OUI)
VRRP: 0000.5e00.01XX (IANA OUI)
GLBP: 0007.b400.XXYY (Cisco OUI)
The XX is the group number in hex (0-255). For GLBP, YY is the AVF number (1-4).
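The virtual MAC formats above can be checked mechanically when verifying that hosts resolve the gateway to the expected virtual MAC. The following is an added example, not part of the original chapter; the function names and the ARP sample rows are constructed for illustration, and the GLBP layout follows the XX/YY description given here.

```python
import re

# Prefixes (hex digits only) for the virtual MACs listed in this chapter.
HSRP_PREFIX = "00000c07ac"   # 0000.0c07.acXX
VRRP_PREFIX = "00005e0001"   # 0000.5e00.01XX
GLBP_PREFIX = "0007b400"     # 0007.b400.XXYY


def classify_virtual_mac(mac):
    """Return protocol/group details for an FHRP virtual MAC, else None."""
    # Accept Cisco dotted, colon and hyphen notations.
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if digits.startswith(HSRP_PREFIX):
        return {"protocol": "HSRP", "group": int(digits[10:], 16)}
    if digits.startswith(VRRP_PREFIX):
        return {"protocol": "VRRP", "group": int(digits[10:], 16)}
    if digits.startswith(GLBP_PREFIX):
        return {"protocol": "GLBP", "group": int(digits[8:10], 16),
                "forwarder": int(digits[10:], 16)}
    return None


def audit_gateway(arp_entries, vip, protocol, group):
    """Flag ARP rows for the virtual IP that lack the expected virtual MAC."""
    findings = []
    for host, ip, mac in arp_entries:
        if ip != vip:
            continue
        info = classify_virtual_mac(mac)
        if info is None:
            findings.append((host, mac, "gateway IP maps to a non-FHRP MAC"))
        elif (info["protocol"], info["group"]) != (protocol, group):
            findings.append(
                (host, mac, f"unexpected {info['protocol']} group {info['group']}"))
        elif protocol == "GLBP" and not 1 <= info["forwarder"] <= 4:
            findings.append((host, mac, "GLBP forwarder number outside 1-4"))
    return findings


# Constructed sample: ARP cache rows (host, IP, MAC) collected from hosts.
SAMPLE_ARP = [
    ("pc-01", "192.168.1.1", "0000.0c07.ac01"),      # expected HSRP group 1
    ("pc-02", "192.168.1.1", "00:00:0c:07:ac:01"),   # same MAC, colon notation
    ("pc-03", "192.168.1.1", "0000.0c07.ac0a"),      # HSRP, but group 10
    ("pc-04", "192.168.1.1", "3c-52-82-11-22-33"),   # constructed non-virtual MAC
    ("pc-04", "192.168.1.50", "3c-52-82-11-22-33"),  # not the gateway, ignored
]

if __name__ == "__main__":
    for finding in audit_gateway(SAMPLE_ARP, "192.168.1.1", "HSRP", 1):
        print(finding)
```

A host whose gateway entry points at a MAC outside the expected group is worth investigating, since it is no longer sending traffic to the virtual gateway the design intended.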
Election Process
All three protocols use priority (1-255) to determine the active/master/AVG. Higher priority wins. If priorities are equal, the highest IP address wins. HSRP and GLBP have preemption disabled by default; VRRP has it enabled by default.
Authentication
HSRP and VRRP support simple text and MD5 authentication. GLBP does not support authentication in most implementations. Authentication prevents unauthorized routers from participating in the group.
Object Tracking
FHRPs can track an interface or route. If the tracked object goes down, the router's priority is reduced, causing a failover. This is critical for detecting upstream failures.
Example:
interface GigabitEthernet0/0
standby 1 ip 192.168.1.1
standby 1 track GigabitEthernet0/1 20
If G0/1 goes down, priority decreases by 20, triggering a new election.
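How priority, preemption defaults and a tracking decrement combine is easiest to see by stepping through a failure sequence. The model below is an added example, not part of the original chapter and not vendor code; it is a simplified sketch that assumes both routers start together, and the `Router`, `elect` and `scenario` names are made up for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Default preemption per protocol, as stated in this chapter.
PREEMPT_DEFAULT = {"hsrp": False, "vrrp": True, "glbp": False}


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100              # default priority
    track_decrement: int = 0         # e.g. 20 for "standby 1 track ... 20"
    uplink_up: bool = True           # state of the tracked interface
    alive: bool = True               # still sending hellos
    preempt: Optional[bool] = None   # None = use the protocol default

    def effective_priority(self) -> int:
        return self.priority if self.uplink_up else self.priority - self.track_decrement

    def rank(self):
        # Higher priority wins; a tie is broken by the higher IP address.
        return (self.effective_priority(), int(IPv4Address(self.ip)))


def elect(protocol, routers, current=None):
    """Return the name of the router forwarding for the virtual IP."""
    candidates = [r for r in routers if r.alive]
    if not candidates:
        return None
    best = max(candidates, key=Router.rank)
    holder = next((r for r in candidates if r.name == current), None)
    if holder is None or best is holder:
        return best.name             # plain election, or holder is still best
    preempt = best.preempt if best.preempt is not None else PREEMPT_DEFAULT[protocol]
    return best.name if preempt else holder.name


def scenario(protocol, peer_preempt=None):
    """R1 (priority 110, tracks its uplink with decrement 20) and R2 (default 100)."""
    r1 = Router("R1", "192.168.1.2", priority=110, track_decrement=20)
    r2 = Router("R2", "192.168.1.3", preempt=peer_preempt)
    routers, steps = [r1, r2], []
    active = elect(protocol, routers)
    steps.append(active)             # initial election
    r1.uplink_up = False             # tracked uplink fails: 110 -> 90
    active = elect(protocol, routers, active)
    steps.append(active)
    r1.alive = False                 # R1 stops sending hellos
    active = elect(protocol, routers, active)
    steps.append(active)
    r1.alive, r1.uplink_up = True, True   # R1 recovers fully
    active = elect(protocol, routers, active)
    steps.append(active)
    return steps


if __name__ == "__main__":
    print("hsrp defaults:     ", scenario("hsrp"))
    print("hsrp, R2 preempts: ", scenario("hsrp", peer_preempt=True))
    print("vrrp defaults:     ", scenario("vrrp"))
```

In this model the tracking decrement only moves the active role when the peer is allowed to preempt, which is why tracking and preemption are normally configured together on HSRP.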
Summary of Protocol Numbers and Ports
HSRP uses UDP port 1985 and multicast 224.0.0.2 (v1) or 224.0.0.102 (v2).
VRRP uses IP protocol 112 (not UDP/TCP) and multicast 224.0.0.18.
GLBP uses UDP port 3222 and multicast 224.0.0.102.
Common Exam Traps
Virtual IP vs physical IP: The virtual IP is not configured as a secondary IP on the interface; it is configured via the FHRP command. The physical IP of the interface must be on the same subnet.
Preemption: HSRP and GLBP do not preempt by default; VRRP does. Many candidates assume all FHRPs preempt by default.
Virtual MAC: HSRP uses 0000.0c07.acXX, VRRP uses 0000.5e00.01XX, GLBP uses 0007.b400.XXYY. Know which belongs to which.
Number of routers: HSRP and VRRP support multiple routers but only one active/master forwards traffic. GLBP supports up to 4 forwarders.
Authentication: VRRP and HSRP support authentication; GLBP does not (in standard implementations).
Configure Virtual IP on Each Router
On each router that will participate in the FHRP group, configure the same virtual IP address on the interface that connects to the LAN. This is done using the `standby` (HSRP), `vrrp`, or `glbp` command. The physical IP of the interface must be in the same subnet as the virtual IP. The virtual IP is not assigned as a secondary IP; it is managed by the FHRP process. For example, in HSRP: `standby 1 ip 192.168.1.1`. This step creates the virtual gateway that hosts will use as their default gateway.
Set Priority and Preemption
Assign a priority to each router to influence the election of the active/master/AVG. Priority ranges from 1 to 255; default is 100. Higher priority wins. Optionally enable preemption so that a router with higher priority can take over from a lower-priority active router. In HSRP and GLBP, preemption is disabled by default; in VRRP, it is enabled. Use `standby 1 priority 110` and `standby 1 preempt` for HSRP. This step determines which router will be the primary forwarder under normal conditions.
Enable Object Tracking (Optional)
To detect upstream failures, configure object tracking. Track an interface or a route (e.g., a default route). If the tracked object fails, the router's priority is decremented, potentially causing a failover. For example: `track 1 interface GigabitEthernet0/1 line-protocol` then `standby 1 track 1 decrement 20`. This ensures that if the router loses its upstream connection, it steps down as the active gateway, allowing another router to take over.
Verify FHRP Operation
Use show commands to verify the FHRP state. For HSRP: `show standby` displays the group state (Active/Standby/Listen), virtual IP, local priority, and hello/hold timers. For VRRP: `show vrrp`. For GLBP: `show glbp`. Verify that the active router is the expected one and that the virtual MAC is present in the ARP cache of hosts. Also verify that the standby router is in the correct state. This step confirms that the FHRP is functioning correctly.
Configure Hosts with Virtual IP Gateway
Configure hosts (end devices) to use the virtual IP as their default gateway. This is typically done via DHCP. The DHCP server should hand out the virtual IP (e.g., 192.168.1.1) as the default gateway option. Hosts send ARP requests for the virtual IP, and the active/master router responds with the virtual MAC. This step ensures that hosts always send traffic to the virtual gateway, regardless of which physical router is currently active.
Test Failover and Convergence
Simulate a failure by shutting down the active router's interface or disconnecting its uplink. Observe the failover time (typically 10 seconds for HSRP/GLBP, 3 seconds for VRRP). Verify that the standby router becomes active and starts forwarding traffic. Use continuous ping from a host to an off-subnet destination to measure downtime. This step validates that redundancy works as expected and that convergence meets network requirements.
In enterprise campus networks, FHRP is deployed at the distribution layer to provide gateway redundancy for each VLAN. A typical design uses two distribution switches (e.g., Cisco 4500s) in a VSS or stack, but for physical redundancy, each switch runs its own routing engine. Each VLAN is configured with an FHRP group (HSRP or VRRP). The two switches are connected to multiple access switches via L2 trunks. The active router for VLAN 10 might be Distribution-1, while for VLAN 20 it might be Distribution-2, achieving load sharing. This is called 'gateway load balancing' even with HSRP/VRRP by using multiple groups with different active routers.
In data center environments, FHRP is often replaced by more advanced technologies like VPC (Virtual Port Channel) or FabricPath, but many legacy designs still use HSRP/VRRP. For example, a pair of Nexus 7000 switches running VRRP for each VLAN. The key consideration is convergence time—VRRP with sub-second timers can achieve failover under 1 second, which is critical for latency-sensitive applications.
A common misconfiguration is forgetting to enable preemption. If the primary router fails and later recovers, it will not reclaim its active role, leaving a lower-priority router as active. This can cause suboptimal traffic flows. Another issue is mismatched virtual IPs across routers—if one router has a different virtual IP, the group will not form. Also, if the physical IPs are not in the same subnet as the virtual IP, FHRP will not work.
In cloud environments (AWS, Azure), FHRP is not used because the hypervisor provides gateway redundancy natively. However, for on-premises hybrid cloud, FHRP may still be used for the on-premises segment.
Performance considerations: FHRP adds minimal overhead—hello packets are small (about 40 bytes). The main performance impact is during failover when the new active router must populate its ARP cache for all active flows. This can cause brief packet loss. Using preemption and object tracking helps maintain deterministic behavior.
Troubleshooting: Use debug standby (HSRP), debug vrrp, or debug glbp to see hello messages and state changes. Common issues include ACLs blocking multicast traffic (224.0.0.2, 224.0.0.18, 224.0.0.102), authentication mismatch, and duplicate virtual IPs.
The N10-009 exam tests FHRP under Objective 1.5 (compare and contrast routing technologies and bandwidth management concepts). Specifically, you must be able to:
Identify the purpose of FHRP (providing default gateway redundancy).
Compare HSRP, VRRP, and GLBP in terms of standards (proprietary vs open), election process, load balancing, and virtual MAC addresses.
Understand basic configuration concepts (priority, preemption, virtual IP).
Recognize the multicast addresses and protocol numbers used by each.
Common wrong answers on exam questions:
1. 'All FHRPs preempt by default.' Wrong – HSRP and GLBP do not; VRRP does. Candidates often assume preemption is standard.
2. 'HSRP uses the virtual MAC 0000.5e00.01XX.' Wrong – that is VRRP. HSRP uses 0000.0c07.acXX.
3. 'GLBP supports up to 8 forwarders.' Wrong – GLBP supports up to 4.
4. 'FHRP operates at Layer 2.' Wrong – it is a Layer 3 redundancy protocol, though it uses Layer 2 multicast.
Specific numbers/values that appear on the exam:
- Default HSRP hello: 3 seconds, hold: 10 seconds.
- Default VRRP advertisement: 1 second.
- HSRP multicast: 224.0.0.2 (v1) or 224.0.0.102 (v2).
- VRRP multicast: 224.0.0.18.
- GLBP multicast: 224.0.0.102.
- VRRP IP protocol number: 112.
- HSRP UDP port: 1985.
- GLBP UDP port: 3222.
Edge cases:
- If all routers have the same priority, the one with the highest IP address becomes active (or master/AVG).
- If the virtual IP is the same as the physical IP of one router (IP address owner), VRRP gives that router priority 255 automatically.
- HSRP version 2 supports more groups (4096 vs 256) and uses a different multicast address.
How to eliminate wrong answers:
- If the question mentions 'load balancing among multiple routers simultaneously', it's GLBP.
- If it mentions 'open standard', it's VRRP.
- If it mentions 'Cisco proprietary and no load balancing', it's HSRP.
- If a virtual MAC starts with 0000.0c07.ac, it's HSRP.
- If a virtual MAC starts with 0000.5e00.01, it's VRRP.
- If a virtual MAC starts with 0007.b400, it's GLBP.
- Remember that VRRP has preemption enabled by default; HSRP and GLBP do not.
FHRP provides default gateway redundancy by allowing multiple routers to share a virtual IP and virtual MAC.
HSRP is Cisco proprietary; VRRP is an open standard; GLBP is Cisco proprietary with load balancing.
Default HSRP hello timer is 3 seconds; hold timer is 10 seconds.
Default VRRP advertisement interval is 1 second; master down interval is 3 seconds.
HSRP virtual MAC: 0000.0c07.acXX; VRRP: 0000.5e00.01XX; GLBP: 0007.b400.XXYY.
Preemption is enabled by default only in VRRP.
GLBP allows up to four routers to forward traffic simultaneously using different virtual MACs.
FHRP operates at Layer 3 but uses Layer 2 multicast for communication.
Object tracking can be used to decrement priority on upstream failure, triggering failover.
HSRP uses UDP port 1985; VRRP uses IP protocol 112; GLBP uses UDP port 3222.
These come up on the exam all the time. Here's how to tell them apart.
HSRP
Cisco proprietary (RFC 2281)
Virtual MAC: 0000.0c07.acXX
Multicast: 224.0.0.2 (v1) or 224.0.0.102 (v2)
Uses UDP port 1985
Preemption disabled by default
VRRP
Open standard (RFC 5798)
Virtual MAC: 0000.5e00.01XX
Multicast: 224.0.0.18
Uses IP protocol 112
Preemption enabled by default
HSRP
Only one active forwarder per group
No load balancing within group
Virtual MAC: 0000.0c07.acXX
Cisco proprietary
Supports up to 255 groups (v1) or 4096 (v2)
GLBP
Up to 4 active forwarders per group
Load balancing (round-robin, weighted, host-dependent)
Virtual MAC: 0007.b400.XXYY
Cisco proprietary
Supports up to 1024 groups
VRRP
Open standard
Only one master forwarder per group
Virtual MAC: 0000.5e00.01XX
Preemption enabled by default
Supports authentication (text/MD5)
GLBP
Cisco proprietary
Up to 4 forwarders per group
Virtual MAC: 0007.b400.XXYY
Preemption disabled by default
No authentication support
Mistake
HSRP, VRRP, and GLBP all preempt by default.
Correct
Only VRRP has preemption enabled by default. HSRP and GLBP require explicit configuration of the `preempt` command.
Mistake
FHRP operates at Layer 2.
Correct
FHRP is a Layer 3 redundancy protocol. It provides a virtual Layer 3 gateway and uses Layer 2 multicast to communicate between routers, but its purpose is to ensure Layer 3 connectivity.
Mistake
All FHRPs support load balancing across multiple routers simultaneously.
Correct
Only GLBP supports true load balancing where multiple routers forward traffic at the same time. HSRP and VRRP have only one active forwarder; load balancing can be achieved by using multiple groups with different active routers for different VLANs, but not within a single group.
Mistake
The virtual IP must be a secondary IP on the interface.
Correct
The virtual IP is configured via the FHRP command (e.g., `standby 1 ip 192.168.1.1`) and is not added as a secondary IP. The physical interface must have an IP in the same subnet, but the virtual IP is managed by the FHRP process.
Mistake
VRRP uses UDP port 1985.
Correct
VRRP uses IP protocol number 112, not UDP. HSRP uses UDP port 1985. GLBP uses UDP port 3222.
HSRP is Cisco proprietary, while VRRP is an open standard (RFC 5798). HSRP uses a virtual MAC of 0000.0c07.acXX, VRRP uses 0000.5e00.01XX. HSRP uses UDP port 1985 and multicast 224.0.0.2 (v1) or 224.0.0.102 (v2); VRRP uses IP protocol 112 and multicast 224.0.0.18. HSRP has preemption disabled by default; VRRP has it enabled. VRRP also allows the router owning the virtual IP to have priority 255 automatically.
No, GLBP does not support authentication in standard Cisco implementations. HSRP and VRRP support both simple text and MD5 authentication. This is a common exam point: if a question mentions authentication, GLBP is not the answer.
The HSRP virtual MAC is 0000.0c07.acXX, where XX is the HSRP group number in hexadecimal (00-FF). For example, group 1 uses 0000.0c07.ac01. This MAC is used by the active router to respond to ARP requests for the virtual IP.
GLBP uses an Active Virtual Gateway (AVG) that assigns different virtual MAC addresses to each member router (Active Virtual Forwarders). When a host sends an ARP request for the virtual IP, the AVG responds with one of these virtual MACs using a load-balancing algorithm (round-robin by default). Thus, different hosts are directed to different routers, distributing the traffic load.
The standby router detects the failure when it stops receiving hello messages from the active router for the hold time (default 10 seconds). The standby then transitions to the active state and begins forwarding traffic for the virtual IP. It sends gratuitous ARP to update the switch MAC table. Convergence time is typically around 10 seconds with default timers.
Yes, but they are independent protocols. You could run HSRP for one VLAN and VRRP for another on the same pair of routers. However, you cannot mix them for the same virtual IP group. Each protocol has its own election and state machine.
Object tracking allows the router to monitor an interface or a route (e.g., a default route). If the tracked object fails, the router's priority is decremented, potentially causing it to step down as active/master. This ensures that the router with a working upstream link remains the active gateway, providing true redundancy.