
Virtual IP and First-Hop Redundancy Protocols

This chapter covers Virtual IP (VIP) and First-Hop Redundancy Protocols (FHRPs), including HSRP, VRRP, and GLBP. These technologies are critical for providing high availability for the default gateway in a LAN, and they appear regularly on the N10-009 exam, typically in 2-4 questions. Understanding the differences, election processes, and failover behavior is essential for passing the Network+ exam.

Updated May 31, 2026

Standby Generator with Automatic Transfer Switch

A building has a primary electrical feed from the utility company and a backup diesel generator. The generator is always running but idling, and an Automatic Transfer Switch (ATS) monitors the primary feed. When the primary feed fails, the ATS detects the loss within milliseconds, signals the generator to take over, and switches the building's load to generator power. During this transition, there is a brief interruption (e.g., 10-20 milliseconds) while the ATS changes state. The generator has no virtual IP address, but the ATS gives the building a single point of contact for power: it presents a single 'service' address. If the primary feed comes back, the ATS waits a stable period (e.g., 30 seconds) before switching back to avoid flapping. In FHRP terms, the virtual IP is the building's service address, the active router is the primary feed, and the standby router is the idling generator. The ATS is the protocol (like VRRP) that decides which feed is active. If the primary fails, the standby takes over with minimal disruption, and when the primary returns, it may preempt or wait, depending on configuration.

How It Actually Works

What is First-Hop Redundancy?

In a typical IP network, each host is configured with a default gateway IP address to reach subnets beyond its local segment. If that gateway router fails, all hosts lose connectivity to remote networks. First-Hop Redundancy Protocols (FHRPs) solve this by allowing two or more routers to share a virtual IP (VIP) and virtual MAC address. Hosts are configured with the VIP as their default gateway. One router is active and forwards traffic; the others are standby. If the active fails, a standby takes over transparently, with minimal or no packet loss.

Virtual IP and Virtual MAC

The virtual IP is an IP address that is not assigned to any physical interface but is shared among the FHRP group members. The virtual MAC is a specially formatted MAC address that the active router uses to respond to ARP requests for the VIP. For example, HSRP uses the format 0000.0c07.acXX where XX is the group number in hex. VRRP uses 0000.5e00.01XX. GLBP uses a different scheme (0007.b400.XXYY). The virtual MAC ensures that when the active router fails, the new active router can start using the same MAC, so the ARP cache of hosts does not need to update.
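
The virtual MAC formats above can be recognized programmatically when auditing a switch MAC table. The following is an added example, not part of the original chapter: it classifies a MAC by the three prefixes listed here and reports any gateway virtual MAC learned on a port where no gateway router is attached. The port names and table rows are constructed, and reading GLBP's XX as the group and YY as the forwarder number is an assumption.

```python
import re

# Virtual MAC prefixes exactly as listed in this chapter (hex digits only).
FHRP_PREFIXES = {
    "00000c07ac": "HSRPv1",   # 0000.0c07.acXX
    "00005e0001": "VRRP",     # 0000.5e00.01XX
    "0007b400": "GLBP",       # 0007.b400.XXYY
}

def normalize_mac(mac):
    """Return 12 lowercase hex digits from dotted, colon, or dash notation."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def classify_fhrp_mac(mac):
    """Return (protocol, group, forwarder) for an FHRP virtual MAC, else None."""
    digits = normalize_mac(mac)
    for prefix, proto in FHRP_PREFIXES.items():
        if digits.startswith(prefix):
            rest = digits[len(prefix):]
            if proto == "GLBP":
                # Assumption: XX is the group, YY the forwarder number.
                return proto, int(rest[:2], 16), int(rest[2:], 16)
            return proto, int(rest, 16), None
    return None

def audit_mac_table(entries, gateway_ports):
    """Flag FHRP virtual MACs learned on ports outside gateway_ports.

    entries: iterable of (mac, port) pairs from a switch MAC table.
    Returns a list of (port, mac, protocol, group) findings.
    """
    findings = []
    for mac, port in entries:
        info = classify_fhrp_mac(mac)
        if info and port not in gateway_ports:
            findings.append((port, mac, info[0], info[1]))
    return findings

# Constructed sample data: routers are cabled to Gi1/0/1 and Gi1/0/2 only.
SAMPLE_TABLE = [
    ("0000.0c07.ac01", "Gi1/0/1"),
    ("0007.b400.0102", "Gi1/0/2"),
    ("00:00:5e:00:01:0a", "Gi1/0/24"),   # VRRP group 10 on an access port
    ("3c52.82aa.10f1", "Gi1/0/24"),      # ordinary host MAC
]

if __name__ == "__main__":
    for finding in audit_mac_table(SAMPLE_TABLE, {"Gi1/0/1", "Gi1/0/2"}):
        print("unexpected virtual MAC:", finding)
```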

HSRP (Hot Standby Router Protocol)

HSRP is a Cisco proprietary protocol defined in RFC 2281. It operates on UDP port 1985 and uses multicast address 224.0.0.2 (all routers) with TTL 1. HSRP has an active/standby model. The active router forwards traffic for the virtual IP. The standby router monitors the active via hello messages every 3 seconds by default (hold time 10 seconds). HSRP supports up to 255 groups per interface, and each group has a priority (default 100). The router with the highest priority becomes active. If priorities are equal, the highest IP address wins. HSRP has two versions: version 1 uses group numbers 0-255 and virtual MAC 0000.0c07.acXX; version 2 increases group numbers to 0-4095, uses multicast 224.0.0.102, and supports IPv6. HSRP also supports preemption (disabled by default) and interface tracking to decrement priority if a tracked interface goes down.

VRRP (Virtual Router Redundancy Protocol)

VRRP is an open standard (RFC 5798) that is very similar to HSRP. It uses IP protocol 112 and multicast address 224.0.0.18. VRRP has an active/standby model where the active router is called the master and the standby routers are called backups. The virtual MAC is 0000.5e00.01XX. The VRRP default hello interval (the master advertisement interval) is 1 second, and the backup dead interval is 3 seconds (3 x advertisement interval). VRRP supports preemption by default (unlike HSRP). Priority range is 1-254 (default 100). The router with the highest priority becomes master; if equal, the highest IP wins. VRRP can track objects to adjust priority. VRRP is preferred in multi-vendor environments due to its open standard nature.

GLBP (Gateway Load Balancing Protocol)

GLBP is another Cisco proprietary protocol that provides both redundancy and load balancing. Unlike HSRP/VRRP where only one router forwards traffic, GLBP allows multiple routers to forward traffic simultaneously. GLBP uses a single virtual IP and multiple virtual MACs. One router is elected as the Active Virtual Gateway (AVG) and assigns virtual MAC addresses to other routers (Active Virtual Forwarders, AVFs). The AVG responds to ARP requests with different virtual MACs in a round-robin fashion, distributing the load. GLBP uses multicast 224.0.0.102 and UDP port 3222. It supports up to 4 forwarders per group. GLBP has a hello interval of 3 seconds and hold time of 10 seconds. Preemption is disabled by default. GLBP is useful when you want to utilize all available gateway bandwidth, not just for failover.

Election Process and Timers

In HSRP and VRRP, the election of the active/master router occurs when the group is first configured or when the current active fails. The router with the highest priority wins. If priorities are equal, the highest IP address is used as a tiebreaker. In VRRP, the master sends advertisements every 1 second. If a backup does not receive an advertisement for 3 seconds, it declares itself master. In HSRP, hello interval is 3 seconds, hold time 10 seconds. These timers are configurable. GLBP election is similar for AVG, but AVFs are assigned by the AVG.

Failover and Convergence

When the active router fails, the standby router detects the failure (via missed hellos) and takes over the virtual IP and MAC. In HSRP, the new active router sends a gratuitous ARP to update the switch MAC table. In VRRP, the master sends an ARP reply. The failover time is typically 3-10 seconds depending on timers. Subsecond failover can be achieved with features like HSRP Fast Hello (200ms hello, 700ms hold) or VRRP with millisecond timers. Convergence also depends on the switch learning the new MAC location. In GLBP, if an AVF fails, the AVG reassigns its virtual MAC to another AVF.
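
The election and failover rules above, together with the preemption defaults, determine how many role changes a single outage produces. The following is an added example, not part of the original chapter: a small model that applies "highest priority, then highest IP" and the per-protocol preemption default to a fail-then-recover sequence. Router names and addresses are constructed, and timers are not modeled.

```python
import ipaddress
from dataclasses import dataclass

# Preemption defaults as stated in this chapter.
PREEMPT_DEFAULT = {"hsrp": False, "vrrp": True, "glbp": False}

@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100
    up: bool = True

def elect(routers):
    """Highest priority wins; highest IP address breaks ties. None if all down."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    return max(alive, key=lambda r: (r.priority, int(ipaddress.ip_address(r.ip))))

def simulate(protocol, routers, events, preempt=None):
    """Apply (router_name, is_up) events in order.

    Returns the active router's name after the initial election and after
    each event. preempt=None uses the protocol's default from the chapter.
    """
    if preempt is None:
        preempt = PREEMPT_DEFAULT[protocol]
    by_name = {r.name: r for r in routers}
    active = elect(routers)          # simplification: all routers start together
    history = [active.name if active else None]
    for name, is_up in events:
        by_name[name].up = is_up
        best = elect(routers)
        if active is None or not active.up:
            active = best            # failover: the current active is gone
        elif preempt and best is not active:
            active = best            # preemption: a better router takes over
        history.append(active.name if active else None)
    return history

def role_changes(history):
    """Count how many times the forwarding role moved between routers."""
    return sum(1 for a, b in zip(history, history[1:]) if a != b)

def lab_pair():
    """Constructed two-router group; names and addresses are illustrative."""
    return [Router("R1", "192.168.1.2", priority=110),
            Router("R2", "192.168.1.3", priority=100)]

OUTAGE = [("R1", False), ("R1", True)]   # R1 fails, then recovers

if __name__ == "__main__":
    for proto in ("hsrp", "vrrp"):
        hist = simulate(proto, lab_pair(), OUTAGE)
        print(proto, hist, "role changes:", role_changes(hist))
```

With the defaults, the same outage moves the role once under HSRP (R2 keeps it) and twice under VRRP (R1 takes it back on recovery).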

Configuration Examples

HSRP (Cisco IOS):

interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track GigabitEthernet0/1 20

VRRP (Juniper):

set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24 vrrp-group 1 virtual-address 192.168.1.1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24 vrrp-group 1 priority 110
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24 vrrp-group 1 preempt

GLBP (Cisco IOS):

interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 glbp 1 ip 192.168.1.1
 glbp 1 priority 110
 glbp 1 preempt

Verification Commands

show standby – displays HSRP status, priority, and state.

show vrrp – displays VRRP status.

show glbp – displays GLBP status.

debug standby – debugs HSRP events.

debug vrrp – debugs VRRP events.

Interaction with Other Technologies

FHRPs often interact with STP (Spanning Tree Protocol). If the active router's uplink fails, STP may cause a topology change, but FHRP can track interfaces to fail over faster. FHRPs also interact with DHCP: the virtual IP should be used as the default gateway in DHCP scopes. In cloud environments, FHRPs are often replaced by cloud-native load balancers or floating IPs (e.g., AWS Elastic IP).

Common Timers and Defaults

| Protocol | Hello Interval | Hold/Dead Interval | Preemption Default | Multicast Address |
|----------|----------------|--------------------|--------------------|-------------------|
| HSRP v1 | 3 seconds | 10 seconds | Disabled | 224.0.0.2 |
| HSRP v2 | 3 seconds | 10 seconds | Disabled | 224.0.0.102 |
| VRRP | 1 second | 3 seconds | Enabled | 224.0.0.18 |
| GLBP | 3 seconds | 10 seconds | Disabled | 224.0.0.102 |

Exam Tip: The exam loves to test the default preemption settings: HSRP and GLBP have preemption disabled by default; VRRP has preemption enabled. Also, remember that VRRP is the only open standard among the three (HSRP and GLBP are Cisco proprietary).

Walk-Through

1. Host sends ARP for gateway

A host on the LAN needs to send a packet to a remote subnet. It checks its routing table and finds the default gateway (the virtual IP). It sends an ARP request for the virtual IP. The active router (or AVG in GLBP) responds with the virtual MAC address. The host caches this MAC in its ARP table and sends the frame to that MAC.

2. Active router forwards traffic

The active router receives frames destined to the virtual MAC. It decapsulates the Layer 2 header, performs a routing lookup, and forwards the packet out the appropriate interface. It also sends periodic hello messages (every 3 seconds for HSRP) to the standby routers to announce its health.

3. Standby router monitors hellos

The standby router listens for hello messages from the active router. It maintains a hold timer (10 seconds default for HSRP). As long as hellos arrive within the hold time, the standby remains in standby state. If the hold timer expires without a hello, the standby assumes the active has failed.

4. Standby detects failure

When the hold timer expires (e.g., 10 seconds without a hello from HSRP active), the standby router transitions to active state. It begins using the virtual IP and virtual MAC on its interface. It sends a gratuitous ARP to update the switch's MAC table and any hosts that might have stale ARP entries.

5. New active takes over forwarding

The new active router now forwards traffic for the virtual IP. Hosts continue sending frames to the virtual MAC, which is now associated with the new router. The switch learns the new MAC location via the gratuitous ARP. The failover is complete, typically within 3-10 seconds depending on timers.

What This Looks Like on the Job

Enterprise Data Center with Dual Routers

A large enterprise has a data center with two Cisco routers acting as default gateways for hundreds of servers in a VLAN. They use HSRP with preemption disabled to avoid flapping. The virtual IP is 10.0.0.1. The primary router has priority 110, the secondary has priority 100. Interface tracking is configured: if the primary's uplink to the WAN fails, its priority drops by 20, causing the secondary to take over. This setup provides automatic failover within 10 seconds. The network team monitors HSRP state via SNMP and logs. Misconfiguration often occurs when preemption is enabled but not desired: if the primary comes back after a brief outage, it preempts and causes a second failover, disrupting traffic. Another common issue is mismatched authentication strings (HSRP supports MD5 authentication) causing group members to ignore each other.

Multi-Vendor Campus with VRRP

A university campus uses switches from different vendors (Cisco, Juniper, HP) in the distribution layer. They deploy VRRP because it is an open standard and works across vendors. Each building has two distribution switches with VRRP group 1. The virtual IP is the default gateway for the building's access VLANs. Preemption is left enabled (default) so that the primary router with higher priority always resumes forwarding after a failure. This is acceptable because the failover is fast (3 seconds). The network team uses show vrrp to verify state. A common pitfall is forgetting that VRRP uses IP protocol 112, which must be allowed in any ACLs between the routers. Also, the virtual MAC 0000.5e00.01XX must not be blocked by switch port security.

Cloud Migration with GLBP for Load Balancing

A company migrating to a hybrid cloud uses GLBP in their on-premises network to distribute outbound traffic across two routers. The AVG assigns virtual MACs to both routers. Hosts receive different default gateway MACs via ARP, so traffic is load-balanced. This maximizes WAN link utilization. The network engineer configures GLBP with weighted load balancing instead of round-robin. A misconfiguration occurs when the AVG fails: the new AVG reassigns virtual MACs, but if the routers have different forwarding capabilities, the load balance becomes uneven. The solution is to use GLBP with host-dependent load balancing if needed.

How N10-009 Actually Tests This

N10-009 Objective 1.5: Explain common networking protocols and their uses.

This objective includes FHRP as a high-availability protocol. The exam tests your ability to:

Identify the purpose of FHRP (providing redundant default gateway).

Distinguish between HSRP, VRRP, and GLBP.

Know default timers and preemption behavior.

Understand virtual IP and virtual MAC concepts.

Common Wrong Answers and Why Candidates Choose Them

1. "HSRP and VRRP are both open standards." Wrong – HSRP is Cisco proprietary; VRRP is open standard. Candidates often assume because both are common, they are both open.

2. "VRRP has preemption disabled by default." Wrong – VRRP has preemption enabled. HSRP and GLBP have it disabled. The exam tests this default difference.

3. "GLBP uses a single virtual MAC." Wrong – GLBP uses multiple virtual MACs for load balancing. Candidates confuse GLBP with HSRP/VRRP.

4. "The virtual IP is assigned to the standby router." Wrong – The virtual IP is shared; the active router owns it. The standby only uses it upon failover.

Specific Numbers and Terms on the Exam

HSRP default hello: 3 seconds, hold: 10 seconds.

VRRP default advertisement: 1 second, dead: 3 seconds.

HSRP multicast: 224.0.0.2 (v1), 224.0.0.102 (v2).

VRRP multicast: 224.0.0.18.

HSRP virtual MAC: 0000.0c07.acXX.

VRRP virtual MAC: 0000.5e00.01XX.

Priority range: 1-255 (HSRP), 1-254 (VRRP).

Edge Cases

HSRP version mismatch: Version 1 and 2 are incompatible; both routers must use the same version.

VRRP with IPv6: VRRPv3 supports IPv6.

GLBP with multiple groups: Each group has its own AVG and virtual MACs.

Authentication: HSRP and VRRP support simple text or MD5 authentication; mismatched authentication breaks the group.

How to Eliminate Wrong Answers

If the question mentions "Cisco proprietary" and "load balancing", the answer is GLBP.

If it mentions "open standard" and "preemption enabled by default", the answer is VRRP.

If it asks for the default hold timer for HSRP, it's 10 seconds (not 3).

If it asks which protocol uses multiple virtual MACs, it's GLBP.

By understanding the underlying mechanisms and default values, you can eliminate distractor answers that contradict these facts.

Key Takeaways

FHRPs provide default gateway redundancy using a virtual IP and virtual MAC.

HSRP is Cisco proprietary; VRRP is open standard; GLBP is Cisco proprietary with load balancing.

HSRP default hello: 3s, hold: 10s; VRRP default advertisement: 1s, dead: 3s.

HSRP and GLBP have preemption disabled by default; VRRP has preemption enabled.

GLBP uses multiple virtual MACs for load balancing; HSRP and VRRP use a single virtual MAC.

Virtual MAC formats: HSRP 0000.0c07.acXX, VRRP 0000.5e00.01XX, GLBP 0007.b400.XXYY.

FHRP authentication can be simple text or MD5; mismatched authentication breaks the group.

Interface tracking allows priority adjustment based on uplink status.

HSRP version 1 and 2 are incompatible on the same interface.

VRRPv3 supports IPv6; HSRPv2 also supports IPv6.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

HSRP

Cisco proprietary

Uses UDP port 1985

Multicast 224.0.0.2 (v1) or 224.0.0.102 (v2)

Default hello 3s, hold 10s

Preemption disabled by default

Virtual MAC: 0000.0c07.acXX

VRRP

Open standard (RFC 5798)

Uses IP protocol 112

Multicast 224.0.0.18

Default advertisement 1s, dead 3s

Preemption enabled by default

Virtual MAC: 0000.5e00.01XX

Watch Out for These

Mistake

HSRP and VRRP are functionally identical.

Correct

While similar, key differences exist: HSRP is Cisco proprietary, VRRP is open standard; HSRP uses UDP port 1985, VRRP uses IP protocol 112; HSRP preemption disabled by default, VRRP enabled; HSRP hello 3s, VRRP 1s.

Mistake

The virtual IP is assigned to the standby router's interface.

Correct

The virtual IP is not assigned to any physical interface. It is shared among the group and only the active router responds to ARP for it. The standby router does not use the virtual IP until it becomes active.

Mistake

FHRP provides load balancing by default.

Correct

Only GLBP provides load balancing by distributing traffic across multiple routers. HSRP and VRRP are active/standby; only one router forwards traffic at a time.

Mistake

All FHRPs use the same virtual MAC format.

Correct

Each protocol uses a specific virtual MAC: HSRP: 0000.0c07.acXX; VRRP: 0000.5e00.01XX; GLBP: 0007.b400.XXYY. They are not interchangeable.

Mistake

Preemption is always desirable in FHRP.

Correct

Preemption can cause unnecessary failovers when the primary router recovers, disrupting traffic. In many designs, preemption is disabled to avoid flapping. VRRP enables it by default, but it can be disabled.


Frequently Asked Questions

What is the difference between HSRP and VRRP?

HSRP is Cisco proprietary, uses UDP 1985, multicast 224.0.0.2, default hello 3s, hold 10s, preemption disabled. VRRP is open standard, uses IP protocol 112, multicast 224.0.0.18, default advertisement 1s, dead 3s, preemption enabled. Both provide active/standby gateway redundancy.

Does GLBP provide load balancing?

Yes, GLBP allows multiple routers to forward traffic simultaneously using multiple virtual MACs. The Active Virtual Gateway (AVG) assigns virtual MACs to Active Virtual Forwarders (AVFs) and responds to ARP requests in a round-robin or weighted manner.

What is the default preemption setting for HSRP?

HSRP has preemption disabled by default. This means that if a higher-priority router comes back online after a failure, it will not automatically become active again unless preemption is configured.

Can HSRP and VRRP interoperate?

No, HSRP and VRRP are different protocols and cannot interoperate. They use different multicast addresses, virtual MACs, and packet formats. You must choose one protocol for a given VLAN.

What is the virtual MAC address for VRRP?

The VRRP virtual MAC address is 0000.5e00.01XX, where XX is the VRRP group number in hexadecimal (e.g., group 1 uses 0000.5e00.0101).

How does FHRP interact with STP?

FHRP and STP operate independently but can affect convergence. If the active router's uplink fails, STP may reconverge, but FHRP interface tracking can trigger a failover faster. Ensure the virtual MAC is not blocked by STP.

What happens if the active router in HSRP fails?

The standby router detects the failure when the hold timer expires (default 10s without hello). It then transitions to active state, starts using the virtual IP and MAC, and sends a gratuitous ARP to update the switch.
