Overview
When a host sends traffic to any destination outside its local subnet, it forwards packets to its default gateway โ a single IP address configured statically or via DHCP. That single IP represents a single point of failure. If the router serving that IP goes down, every host on the segment loses connectivity instantly, even if a backup router is sitting right next to it with a perfectly healthy uplink.
First-Hop Redundancy Protocols (FHRPs) solve this by creating a virtual gateway IP and virtual MAC that is shared between two or more physical routers. Hosts never know which physical router is forwarding โ they always send to the same VIP. If the active router fails, the standby takes over within seconds, and because the virtual MAC stays the same, hosts do not even need to flush their ARP caches.
Three major FHRPs exist in enterprise deployments:
- HSRP (Hot Standby Router Protocol) โ Cisco proprietary, v1 and v2
- VRRP (Virtual Router Redundancy Protocol) โ IETF standard RFC 5798
- GLBP (Gateway Load Balancing Protocol) โ Cisco proprietary, adds true load balancing
HSRP v2 Deep Dive
Active/Standby Election
HSRP elects one Active router and one Standby router per group. The election is straightforward:
- The router with the highest priority wins (default 100, range 1โ255)
- If priorities are equal, the router with the highest interface IP address breaks the tie
- The Active router forwards traffic for the VIP; the Standby monitors and is ready to take over immediately
The Standby router sends periodic hello messages to verify the Active is still alive. If the Active misses enough consecutive hellos that the hold timer expires, the Standby transitions to Active and begins forwarding.
Virtual IP and Virtual MAC
HSRP group members share a Virtual IP (VIP) configured identically on all participants. The VIP is never assigned to any physical interface โ it exists only as the group's shared identity.
The Virtual MAC is derived deterministically from the group number:
- HSRP v1:
0000.0C07.ACxx where xx = group number in hex (groups 0โ255) - HSRP v2:
0000.0C9F.Fxxx where xxx = group number in hex (groups 0โ4095)
The Active router responds to ARP requests for the VIP using this virtual MAC. When the Active fails and the Standby takes over, it immediately starts answering ARP with the same virtual MAC โ hosts experience no ARP disruption because the MAC never changed.
Preemption
By default, preemption is disabled in HSRP. This means if R1 (priority 110) goes down and R2 (priority 100) becomes Active, R1 coming back up will not automatically reclaim the Active role. It will sit in Standby even though it has higher priority.
This is intentional โ routers often come up before their routing protocols have fully converged. If R1 preempted immediately on interface-up, traffic would black-hole for several seconds while OSPF or BGP reconverges. The preempt delay minimum timer solves this:
R1(config-if)# standby 1 preempt delay minimum 30
# Wait 30 seconds after interface up before attempting preemption
# This allows OSPF/BGP to reconverge before R1 takes over forwarding
# 'delay reload' waits after a device reload specifically
R1(config-if)# standby 1 preempt delay reload 60 minimum 30MD5 Authentication
HSRP v2 supports MD5 key-string authentication to prevent rogue routers from injecting HSRP hellos and claiming the Active role:
R1(config-if)# standby 1 authentication md5 key-string HSRPkey2026
# Both routers must use an identical key-string
# For key rotation in production, use a key-chain:
R1(config)# key chain HSRP-KEYS
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string HSRPkey2026
R1(config-if)# standby 1 authentication md5 key-chain HSRP-KEYSHSRP State Machine
A router cycles through six states before reaching Active or Standby:
Timer Tuning
Default timers (hello 3s, hold 10s) mean failover can take up to 10 seconds. For faster convergence:
R1(config-if)# standby 1 timers 1 3
# Hello every 1s, hold time 3s โ failover in ~3 seconds
# Minimum on most platforms: hello 1s, hold 3s
# Sub-second timers require the msec keyword:
R1(config-if)# standby 1 timers msec 200 msec 750
# Best practice: use BFD for sub-second detection instead
R1(config-if)# standby 1 bfdProduction note: Sub-second HSRP timers cause excessive CPU load on software-forwarding platforms. Use BFD with HSRP (
standby 1 bfd) for fast detection without hammering the control plane CPU.
Diagram 1 โ HSRP Active/Standby Topology
HSRP Object Tracking
Object tracking lets HSRP react to upstream failures โ not just local interface failures. Without tracking, R1 stays Active even if its uplink to the ISP goes down. Traffic from hosts reaches R1 but goes nowhere. With tracking, the failure triggers a priority decrement, causing R2 to preempt.
How It Works
- Define a track object monitoring an interface or an IP SLA probe
- Link the track object to the HSRP group with a decrement value
- When the tracked object goes down, HSRP subtracts the decrement from the router's priority
- If the resulting priority drops below the Standby router's priority and preemption is enabled, the Standby takes over
R1(config)# track 1 interface GigabitEthernet0/0 line-protocol
# Tracks the line-protocol state of the WAN uplink
R1(config)# track 2 ip sla 10 reachability
# Alternative: track IP SLA probe reachability โ more reliable
R1(config)# interface GigabitEthernet0/1
R1(config-if)# standby 1 priority 110
R1(config-if)# standby 1 preempt delay minimum 30
R1(config-if)# standby 1 track 1 decrement 20
# If Gi0/0 goes down: priority drops 110 โ 90
# R2 holds priority 100 โ R2 becomes ActiveIP SLA Tracking (More Reliable)
Line-protocol tracking only detects physical link failures. A misconfigured upstream router or a BGP withdrawal won't trigger it. IP SLA probes test actual end-to-end reachability:
R1(config)# ip sla 10
R1(config-ip-sla)# icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
R1(config-ip-sla-echo)# frequency 5
R1(config)# ip sla schedule 10 life forever start-time now
R1(config)# track 2 ip sla 10 reachability
R1(config)# interface GigabitEthernet0/1
R1(config-if)# standby 1 track 2 decrement 20
# Tracks actual internet reachability โ not just physical link state
# ICMP probe every 5 seconds to 8.8.8.8 via the uplinkDiagram 2 โ Object Tracking Failover Scenario
VRRP Configuration
VRRP (Virtual Router Redundancy Protocol) is the IETF-standard equivalent of HSRP, defined in RFC 5798. VRRPv3 adds IPv6 support. Because it is an open standard, VRRP works across multi-vendor environments โ Cisco, Juniper, Arista, Palo Alto, Linux โ making it the preferred choice for vendor-diverse deployments.
Key Differences from HSRP
Terminology: VRRP uses Master and Backup instead of Active and Standby.
Preemption: VRRP enables preemption by default โ the opposite of HSRP. A returning higher-priority router will immediately take the Master role. Disable with vrrp X preempt disable if you want HSRP-like behaviour.
IP Owner concept: In VRRP, a router that holds the actual VIP as a real interface address is the IP Owner and has an implicit priority of 255. It always becomes Master regardless of configured priority. This concept does not exist in HSRP.
Virtual MAC: VRRP uses 0000.5E00.01xx where xx is the VRRP group number in hex. This is the IANA-assigned VRRP MAC prefix, standardized across all vendors implementing RFC 5798.
Authentication: VRRPv3 removed built-in authentication (it existed in v2). In mixed environments, protect VRRP multicast packets with IPsec AH if needed.
Cisco IOS VRRPv3 Configuration
! Enable VRRPv3 globally โ required on IOS-XE
R1(config)# fhrp version vrrp v3
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip address 192.168.10.2 255.255.255.0
R1(config-if)# vrrp 1 address-family ipv4
R1(config-if-vrrp)# address 192.168.10.1 primary
R1(config-if-vrrp)# priority 120
R1(config-if-vrrp)# preempt delay minimum 20
R1(config-if-vrrp)# timers advertise 1
! VRRPv3 also supports IPv6 in the same group:
R1(config-if)# vrrp 1 address-family ipv6
R1(config-if-vrrp)# address FE80::1 primary
R1(config-if-vrrp)# address 2001:db8:10::1
R1(config-if-vrrp)# priority 120! Backup router R2:
R2(config)# fhrp version vrrp v3
R2(config)# interface GigabitEthernet0/1
R2(config-if)# ip address 192.168.10.3 255.255.255.0
R2(config-if)# vrrp 1 address-family ipv4
R2(config-if-vrrp)# address 192.168.10.1 primary
R2(config-if-vrrp)# priority 100GLBP Deep Dive
GLBP (Gateway Load Balancing Protocol) addresses a fundamental limitation of HSRP and VRRP: only one router forwards traffic at a time. In HSRP and VRRP, the Standby/Backup router sits completely idle, consuming power and capital while contributing nothing to throughput. GLBP allows up to 4 routers to actively forward traffic simultaneously.
GLBP Roles
AVG (Active Virtual Gateway): One router elected per GLBP group. The AVG owns the VIP and responds to all ARP requests โ but instead of returning the same MAC every time, it cycles through different virtual MACs, distributing hosts across all forwarders. The AVG is elected by highest priority (then highest IP as tiebreaker), same as HSRP.
AVF (Active Virtual Forwarder): Up to 4 routers per group. Each AVF is assigned a unique virtual MAC in the format 0007.B400.xxyy where xx = group number and yy = forwarder number (01โ04). Each AVF actively forwards traffic for whichever hosts received its virtual MAC in an ARP reply.
Load Balancing Methods
GLBP Configuration
! R1 โ elected AVG due to higher priority, also serves as AVF1
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip address 192.168.10.2 255.255.255.0
R1(config-if)# glbp 1 ip 192.168.10.1
R1(config-if)# glbp 1 priority 120
R1(config-if)# glbp 1 preempt delay minimum 30
R1(config-if)# glbp 1 load-balancing round-robin
R1(config-if)# glbp 1 authentication md5 key-string GLBPsecret
R1(config-if)# glbp 1 timers 1 3
! R2 โ AVF2
R2(config)# interface GigabitEthernet0/1
R2(config-if)# ip address 192.168.10.3 255.255.255.0
R2(config-if)# glbp 1 ip 192.168.10.1
R2(config-if)# glbp 1 priority 100
R2(config-if)# glbp 1 load-balancing round-robin
R2(config-if)# glbp 1 authentication md5 key-string GLBPsecret
R2(config-if)# glbp 1 timers 1 3Diagram 3 โ GLBP Load Balancing
Full Configuration Examples
HSRP v2 with Object Tracking โ Both Routers
! ============================================================
! R1 โ HSRP v2 Active with IP SLA Object Tracking
! ============================================================
R1(config)# ip sla 10
R1(config-ip-sla)# icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
R1(config-ip-sla-echo)# frequency 5
R1(config)# ip sla schedule 10 life forever start-time now
R1(config)# track 1 interface GigabitEthernet0/0 line-protocol
R1(config)# track 2 ip sla 10 reachability
R1(config)# interface GigabitEthernet0/1
R1(config-if)# description LAN โ HSRP Group 1
R1(config-if)# ip address 192.168.10.2 255.255.255.0
R1(config-if)# standby version 2
R1(config-if)# standby 1 ip 192.168.10.1
R1(config-if)# standby 1 priority 110
R1(config-if)# standby 1 preempt delay minimum 30
R1(config-if)# standby 1 timers 1 3
R1(config-if)# standby 1 track 1 decrement 20
R1(config-if)# standby 1 track 2 decrement 15
R1(config-if)# standby 1 authentication md5 key-string HSRPkey2026
! If both tracks fail: 110 - 20 - 15 = 75 โ well below R2's 100
!
! ============================================================
! R2 โ HSRP v2 Standby
! ============================================================
R2(config)# interface GigabitEthernet0/1
R2(config-if)# description LAN โ HSRP Group 1
R2(config-if)# ip address 192.168.10.3 255.255.255.0
R2(config-if)# standby version 2
R2(config-if)# standby 1 ip 192.168.10.1
R2(config-if)# standby 1 priority 100
R2(config-if)# standby 1 preempt delay minimum 20
R2(config-if)# standby 1 timers 1 3
R2(config-if)# standby 1 authentication md5 key-string HSRPkey2026VRRP Full Config
! R1 โ VRRPv3 Master
R1(config)# fhrp version vrrp v3
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip address 192.168.10.2 255.255.255.0
R1(config-if)# vrrp 1 address-family ipv4
R1(config-if-vrrp)# address 192.168.10.1 primary
R1(config-if-vrrp)# priority 120
R1(config-if-vrrp)# preempt delay minimum 20
R1(config-if-vrrp)# timers advertise 1
! R2 โ VRRPv3 Backup
R2(config)# fhrp version vrrp v3
R2(config)# interface GigabitEthernet0/1
R2(config-if)# ip address 192.168.10.3 255.255.255.0
R2(config-if)# vrrp 1 address-family ipv4
R2(config-if-vrrp)# address 192.168.10.1 primary
R2(config-if-vrrp)# priority 100GLBP with Weighted Load-Balance
! R1 โ AVG + AVF1, weight 100 (gets ~67% of ARP load)
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip address 192.168.10.2 255.255.255.0
R1(config-if)# glbp 1 ip 192.168.10.1
R1(config-if)# glbp 1 priority 120
R1(config-if)# glbp 1 preempt delay minimum 30
R1(config-if)# glbp 1 load-balancing weighted
R1(config-if)# glbp 1 weighting 100 lower 80 upper 95
R1(config-if)# glbp 1 authentication md5 key-string GLBPsecret
R1(config-if)# glbp 1 timers 1 3
! R2 โ AVF2, weight 50 (gets ~33% of ARP load)
R2(config)# interface GigabitEthernet0/1
R2(config-if)# ip address 192.168.10.3 255.255.255.0
R2(config-if)# glbp 1 ip 192.168.10.1
R2(config-if)# glbp 1 priority 100
R2(config-if)# glbp 1 load-balancing weighted
R2(config-if)# glbp 1 weighting 50 lower 40 upper 45
R2(config-if)# glbp 1 authentication md5 key-string GLBPsecret
R2(config-if)# glbp 1 timers 1 3Protocol Comparison Table
Troubleshooting
Verification Commands
! HSRP โ detailed and brief
R1# show standby
R1# show standby brief
R1# show standby GigabitEthernet0/1 1
! VRRP
R1# show vrrp
R1# show vrrp brief
! GLBP
R1# show glbp
R1# show glbp brief
! Object tracking and IP SLA
R1# show track
R1# show track 1
R1# show ip sla statistics 10
! Debug โ use carefully in production
R1# debug standby events
R1# debug standby packets
R1# terminal monitorCommon Issues and Resolutions
Issue: Both routers stuck in SPEAK state (dual-Active)
Both routers claim to be Active simultaneously. Causes ARP instability and traffic black-holes for hosts whose frames are forwarded by the wrong router.
Root causes:
- Authentication mismatch โ one router has MD5, the other has none or a different key-string
- HSRP version mismatch โ one running v1, the other running v2 (different multicast addresses)
- Duplicate VIP โ another device on the segment has the VIP assigned as a real interface address
R1# show standby | include State|Auth|Virtual IP
R1# debug standby packets
! Look for "Authentication mismatch" in debug output
! Confirm both routers run: standby version 2
! Confirm identical: standby 1 authentication md5 key-string SAMEIssue: Preemption not working after R1 recovers
R1 has higher priority but remains in Standby after its interface comes back up.
Root causes:
preemptkeyword not configured (default off for HSRP and GLBP)preempt delaytimer has not yet expired- Track object on R1 is still reporting Down (uplink not fully recovered)
R1# show standby | include Preempt|Priority|Track
! Verify preempt is configured and delay has expired
R1# show track brief
! Confirm all tracked objects show Up before expecting preemptionIssue: Virtual MAC not in host ARP cache after failover
Hosts still have the old real MAC in their ARP cache. Traffic goes to the failed router.
Root cause: The new Active sends a gratuitous ARP, but hosts with very long ARP cache timeouts (Windows default: up to 4 hours under some conditions) may ignore it or not refresh promptly.
R2# show standby | include virtual MAC
! Confirm new Active sent gratuitous ARP after taking over
R2# debug standby events
! Look for "Gratuitous ARP sent for 192.168.10.1"
! Manually clear ARP on a Windows host:
# arp -d 192.168.10.1Issue: GLBP not distributing load evenly
All hosts using the same AVF despite round-robin configuration.
Root cause: Round-robin applies per-ARP-request, not per-packet. Hosts that cached their initial ARP reply will stick to one forwarder until their cache expires. This is expected GLBP behaviour, not a misconfiguration.
R1# show glbp detail
! Check ARP request counts under each Forwarder section
R1# show glbp 1 | include requests|Forwarder|activeIssue: HSRP timers flapping โ Active role bouncing
The Active role alternates between routers every few seconds.
Root causes:
- Hold timer set too aggressively โ a single dropped hello triggers failover
- CPU overload causing hello packets to be delayed or dropped
- Asymmetric timers โ one router uses 1/3, the other uses default 3/10
R1# show standby | include Timers
! Ensure identical timers on all group members
! If seeing false failovers, increase hold timer:
R1(config-if)# standby 1 timers 2 6
! Better: use BFD for detection, keep HSRP timers at defaults
R1(config-if)# standby 1 bfdKey Takeaway: HSRP is the workhorse of Cisco enterprise campus networks. Use HSRP v2 for new deployments โ it supports more groups and millisecond-level timers. Use VRRP when you have multi-vendor hardware or need an IETF-standard protocol for compliance reasons. Use GLBP when you want active/active load balancing across your gateway routers without the operational complexity of adjusting ECMP routing. In all cases, always pair FHRP with object tracking and IP SLA probes โ line-protocol tracking alone is insufficient for production environments where upstream failures are the most common cause of gateway loss.